Re: [users@httpd] Unable to set ciphers string with space separated in apache

2018-09-05 Thread alchemist vk
Hi William,
  Sorry for the late response. I appreciate your response.
  Small clarification: you meant to say that, with space as the delimiter, the
httpd parser will consider the space-separated tokens as individual httpd
directives?

With Regards,
Venkatesh

On Mon, Aug 27, 2018 at 7:03 PM, William A Rowe Jr wrote:

> A good argument for following httpd documented convention.
>
> If you want to continue exploring, you would want to quote the cipher
> string, since httpd would take apart unquoted, space-separated tokens as
> different httpd directive arguments, and you surely don't want that.
>
> On Sat, Aug 25, 2018, 20:05 alchemist vk  wrote:
>
>> Hi All,
>>
>>   openssl standard says "The cipher list consists of one or more *cipher
>> strings* separated by colons. Commas or spaces are also acceptable
>> separators but colons are normally used".  But apache says "directive
>> uses a *colon-separated* *cipher-spec* string consisting of OpenSSL
>> cipher specifications to configure the Cipher Suite the client is permitted
>> to negotiate in the SSL handshake phase" in
>> https://httpd.apache.org/docs/2.4/mod/mod_ssl.html.
>>
>>
>> So, when I configured apache by separating cipher string with spaces,
>> cipher string has no effect.  But when cipher string is configured with
>> colons, cipher string has effect.
>>
>>
>> So, please provide clarification, is there any limitation why we can’t
>> configure cipher string by using space as delimiter in apache.
>>
>>
>> PS: I am using 2.4 apache version in Linux OS.
>>
>> With Regards,
>> Venkatesh
>>
>
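The separator question and the quoting advice in this thread, as an added example that is not part of either poster's message: it asks the local OpenSSL (through Python's `ssl` module) whether colon, space and comma spellings select the same suites, then shows how an unquoted string is split into several directive arguments. The cipher string is constructed, and `shlex` is only a stand-in for httpd's own configuration tokenizer (an assumption).

```python
import shlex
import ssl

def cipher_names(spec):
    """Ask the local OpenSSL which suites a cipher string selects."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers()]

def directive_args(line):
    """Split a config line into (directive name, argument list).

    shlex stands in for httpd's tokenizer (assumption): both break on
    unquoted whitespace and keep a double-quoted string as one argument.
    """
    name, *args = shlex.split(line)
    return name, args

# Constructed cipher string, written with each separator OpenSSL accepts.
COLON = "ECDHE+AESGCM:!aNULL:!MD5"
SPACE = "ECDHE+AESGCM !aNULL !MD5"
COMMA = "ECDHE+AESGCM,!aNULL,!MD5"

def same_selection():
    """True when OpenSSL resolves all three spellings to the same suite list."""
    return cipher_names(COLON) == cipher_names(SPACE) == cipher_names(COMMA)

if __name__ == "__main__":
    print("OpenSSL treats the separators alike:", same_selection())
    for line in (f"SSLCipherSuite {COLON}",      # one argument
                 f"SSLCipherSuite {SPACE}",      # three arguments
                 f'SSLCipherSuite "{SPACE}"'):   # one argument again
        print(directive_args(line))
```

The difference is therefore in the configuration parser rather than in OpenSSL: only the colon-separated or quoted forms reach the directive as a single cipher string.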


Re: [users@httpd] Testing for apache open relaying

2018-09-05 Thread Robert Moskowitz




On 09/05/2018 05:18 PM, Ruben Safir wrote:
> On 9/5/18 4:47 PM, Robert Moskowitz wrote:
>> There is a way with open proxies to PUT content that goes out on port 25.
>
> but that doesn't turn Apache into a mail server

Not a mailserver, but a way for spammers to get their spam out.


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org



Re: [users@httpd] Testing for apache open relaying

2018-09-05 Thread Ruben Safir
On 9/5/18 4:47 PM, Robert Moskowitz wrote:
> There is a way with open proxies to PUT content that goes out on port 25.


but that doesn't turn Apache into a mail server


-- 
So many immigrant groups have swept through our town
that Brooklyn, like Atlantis, reaches mythological
proportions in the mind of the world - RI Safir 1998
http://www.mrbrklyn.com

DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002
http://www.nylxs.com - Leadership Development in Free Software
http://www2.mrbrklyn.com/resources - Unpublished Archive
http://www.coinhangout.com - coins!
http://www.brooklyn-living.com

Being so tracked is for FARM ANIMALS and extermination camps,
but incompatible with living as a free human being. -RI Safir 2013




Re: [users@httpd] Testing for apache open relaying

2018-09-05 Thread Robert Moskowitz
There is a way with open proxies to PUT content that goes out on port 
25.  Or so I seem to recall.  The memory cells are at least a year old, 
and may be corrupted.


On 09/05/2018 04:32 PM, Ruben Safir wrote:
> How do you think Apache will relay mail?  Apache has nothing to do with
> email.
>
> On 9/5/18 11:58 AM, Robert Moskowitz wrote:
>> My mail server is being blocked by barracuda and spamexperts.
>>
>> I have tested my mail port via mxtoolbox.com and I came out clean and no
>> relaying.
>>
>> So I suspect my apache server as a proxy relay.
>>
>> Is there a similar site to mxtoolbox that will test apache for improper
>> relaying?
>>
>> thanks
>>
>> I thought I had it blocked for this:
>>
>> # cat 01-allow.conf
>>
>>     Options Indexes FollowSymLinks
>>     AllowOverride None
>>     Order deny,allow
>>     allow from 192.168.96.0/255.255.255.0
>>     allow from 50.253.254.0/255.255.255.240
>>     deny from all
>>
>>
>> # more roundcubemail.conf
>>
>>
>>     ServerName webmail.htt-consult.com
>>     ServerAlias webmail
>>
>>     RewriteEngine On
>>     RewriteCond  %{SERVER_PORT} !^443$
>>     RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]
>>     ExpiresDefault "access plus 10 years"
>>     AddOutputFilterByType DEFLATE text/html text/plain text/xml
>>     php_admin_flag session.cookie_secure "1"
>>
>>
>> # Round Cube Webmail is a browser-based multilingual IMAP client
>> #
>>
>>     ServerName webmail.htt-consult.com
>>     ServerAlias webmail
>>
>>     SSLEngine On
>>     SSLCertificateFile /etc/pki/tls/certs/webmail.htt-consult.com.crt
>>     SSLCertificateKeyFile /etc/pki/tls/private/webmail.htt-consult.com.key
>>
>>     DocumentRoot /usr/share/roundcubemail
>>
>> #    Alias /roundcubemail /usr/share/roundcubemail
>> #    Alias /webmail /usr/share/roundcubemail
>>
>>
>>         Order Deny,Allow
>>         Allow from all
>>         php_admin_flag session.cookie_secure "1"
>>
>>
>>
>> # Round Cube Webmail is a browser-based multilingual IMAP client
>> #
>>
>>     ServerName web2mail.htt-consult.com
>>     ServerAlias web2mail
>>
>>     SSLEngine On
>>     SSLCertificateFile /etc/pki/tls/certs/webmail.htt-consult.com.crt
>>     SSLCertificateKeyFile /etc/pki/tls/private/webmail.htt-consult.com.key
>>
>>     DocumentRoot /usr/share/roundcubemail
>>
>>
>>     Order Deny,Allow
>>     Allow from all
>>     php_admin_flag session.cookie_secure "1"
>>



Re: [users@httpd] Testing for apache open relaying

2018-09-05 Thread Ruben Safir
How do you think Apache will relay mail?  Apache has nothing to do with
email.



On 9/5/18 11:58 AM, Robert Moskowitz wrote:
> My mail server is being blocked by barracuda and spamexperts.
> 
> I have tested my mail port via mxtoolbox.com and I came out clean and no
> relaying.
> 
> So I suspect my apache server as a proxy relay.
> 
> Is there a similar site to mxtoolbox that will test apache for improper
> relaying?
> 
> thanks
> 
> I thought I had it blocked for this:
> 
> # cat 01-allow.conf
> 
>     Options Indexes FollowSymLinks
>     AllowOverride None
>     Order deny,allow
>     allow from 192.168.96.0/255.255.255.0
>     allow from 50.253.254.0/255.255.255.240
>     deny from all
> 
> 
> # more roundcubemail.conf
> 
> 
>     ServerName webmail.htt-consult.com
>     ServerAlias webmail
> 
>     RewriteEngine On
>     RewriteCond  %{SERVER_PORT} !^443$
>     RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]
>     ExpiresDefault "access plus 10 years"
>     AddOutputFilterByType DEFLATE text/html text/plain text/xml
>     php_admin_flag session.cookie_secure "1"
> 
> 
> 
> 
> 
> 
> 
> # Round Cube Webmail is a browser-based multilingual IMAP client
> #
> 
>     ServerName webmail.htt-consult.com
>     ServerAlias webmail
> 
>     SSLEngine On
>     SSLCertificateFile /etc/pki/tls/certs/webmail.htt-consult.com.crt
>     SSLCertificateKeyFile /etc/pki/tls/private/webmail.htt-consult.com.key
> 
>     DocumentRoot /usr/share/roundcubemail
> 
> #    Alias /roundcubemail /usr/share/roundcubemail
> #    Alias /webmail /usr/share/roundcubemail
> 
>     
>         Order Deny,Allow
>         Allow from all
>         php_admin_flag session.cookie_secure "1"
>     
> 
> 
> 
> 
> 
> # Round Cube Webmail is a browser-based multilingual IMAP client
> #
> 
>     ServerName web2mail.htt-consult.com
>     ServerAlias web2mail
> 
>     SSLEngine On
>     SSLCertificateFile /etc/pki/tls/certs/webmail.htt-consult.com.crt
>     SSLCertificateKeyFile /etc/pki/tls/private/webmail.htt-consult.com.key
> 
>     DocumentRoot /usr/share/roundcubemail
> 
>     
>     Order Deny,Allow
>     Allow from all
>     php_admin_flag session.cookie_secure "1"
>     
> 
> 
> 
> 


-- 
So many immigrant groups have swept through our town
that Brooklyn, like Atlantis, reaches mythological
proportions in the mind of the world - RI Safir 1998
http://www.mrbrklyn.com

DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002
http://www.nylxs.com - Leadership Development in Free Software
http://www2.mrbrklyn.com/resources - Unpublished Archive
http://www.coinhangout.com - coins!
http://www.brooklyn-living.com

Being so tracked is for FARM ANIMALS and extermination camps,
but incompatible with living as a free human being. -RI Safir 2013




[users@httpd] Testing for apache open relaying

2018-09-05 Thread Robert Moskowitz

My mail server is being blocked by barracuda and spamexperts.

I have tested my mail port via mxtoolbox.com and I came out clean and no 
relaying.


So I suspect my apache server as a proxy relay.

Is there a similar site to mxtoolbox that will test apache for improper 
relaying?


thanks

I thought I had it blocked for this:

# cat 01-allow.conf

    Options Indexes FollowSymLinks
    AllowOverride None
    Order deny,allow
    allow from 192.168.96.0/255.255.255.0
    allow from 50.253.254.0/255.255.255.240
    deny from all


# more roundcubemail.conf


    ServerName webmail.htt-consult.com
    ServerAlias webmail

    RewriteEngine On
    RewriteCond  %{SERVER_PORT} !^443$
    RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]
    ExpiresDefault "access plus 10 years"
    AddOutputFilterByType DEFLATE text/html text/plain text/xml
    php_admin_flag session.cookie_secure "1"







# Round Cube Webmail is a browser-based multilingual IMAP client
#

    ServerName webmail.htt-consult.com
    ServerAlias webmail

    SSLEngine On
    SSLCertificateFile /etc/pki/tls/certs/webmail.htt-consult.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/webmail.htt-consult.com.key

    DocumentRoot /usr/share/roundcubemail

#    Alias /roundcubemail /usr/share/roundcubemail
#    Alias /webmail /usr/share/roundcubemail

    
        Order Deny,Allow
        Allow from all
        php_admin_flag session.cookie_secure "1"
    





# Round Cube Webmail is a browser-based multilingual IMAP client
#

    ServerName web2mail.htt-consult.com
    ServerAlias web2mail

    SSLEngine On
    SSLCertificateFile /etc/pki/tls/certs/webmail.htt-consult.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/webmail.htt-consult.com.key


    DocumentRoot /usr/share/roundcubemail

    
    Order Deny,Allow
    Allow from all
    php_admin_flag session.cookie_secure "1"
    




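One offline way to check a configuration for the open forward-proxy condition this thread worries about, as an added example that is not part of any poster's message: it scans configuration text for mod_proxy's `ProxyRequests On`, an `AllowCONNECT` that covers port 25, and a missing access restriction inside `<Proxy>`. The sample configurations are constructed, and the function name and the restriction heuristic are assumptions of this example.

```python
import re

# Constructed sample configurations (not taken from the thread).
OPEN_CONF = """
ProxyRequests On
AllowCONNECT 443 25
<Proxy "*">
    Require all granted
</Proxy>
"""
LOCKED_CONF = """
ProxyRequests On
<Proxy "*">
    Require ip 192.0.2.0/24
</Proxy>
"""
REVERSE_ONLY_CONF = """
ProxyRequests Off
ProxyPass "/app" "http://127.0.0.1:8080/app"
"""

RESTRICTION = re.compile(
    r"(?i)^(Require\s+(ip|host|local|all\s+denied)|Deny\s+from\s+all)\b")

def audit_forward_proxy(conf_text):
    """Return findings for settings that expose httpd as an open forward proxy.

    Heuristic only: reads one file's text and does not follow Include.
    """
    lines = [l.strip() for l in conf_text.splitlines()]
    lines = [l for l in lines if l and not l.startswith("#")]
    if not any(re.match(r"(?i)ProxyRequests\s+On\b", l) for l in lines):
        return []  # forward proxying is off; ProxyPass alone is a reverse proxy
    findings = ["ProxyRequests On enables forward proxying"]
    in_proxy, restricted = False, False
    for l in lines:
        if re.match(r"(?i)<Proxy\b", l):
            in_proxy = True
        elif re.match(r"(?i)</Proxy>", l):
            in_proxy = False
        elif in_proxy and RESTRICTION.match(l):
            restricted = True
        m = re.match(r"(?i)AllowCONNECT\s+(.+)", l)
        for rng in (m.group(1).split() if m else []):
            lo, _, hi = rng.partition("-")  # ports may be given as lo-hi
            if int(lo) <= 25 <= int(hi or lo):
                findings.append("AllowCONNECT permits tunnels to port 25 (SMTP)")
    if not restricted:
        findings.append("no <Proxy> block limits who may use the proxy")
    return findings
```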



Re: [users@httpd] Reverse Proxy trouble with mod_substitute

2018-09-05 Thread William A Rowe Jr
The proxy response input is dechunked as it is retrieved from the back end.
Any chunking to the client is introduced by httpd after filtering.

It may be that the request deflate and inflate filters have comingled a
zlib stream context?

On Tue, Sep 4, 2018, 12:43 Maarten Boekhold  wrote:

> Hi,
>
> But I did try to inflate/rewrite/deflate in my first email... It just
> didn't work. I suspect something failed because the data was chunked...
>
> Maarten
>
> On September 4, 2018 20:20:18 "Gillis J. de Nijs" wrote:
>
>> Yes, it is.  You can't rewrite something that's gzipped, so you'd have to
>> unzip it first, or - like you did - never have it gzipped in the first
>> place.
>>
>> See also http://www.apachetutor.org/admin/reverseproxies where there's a
>> full reverse proxy scenario configured and explained.  It uses the same
>> technique you did, and alternatively suggests you can deflate, rewrite,
>> inflate, if you so desire.
>>
>> Regards,
>> Gillis
>>
>> On Tue, Sep 4, 2018 at 3:19 PM, Maarten Boekhold wrote:
>>
>>> Hi all,
>>>
>>> I decided to force HTTPD to remove the Accept-Encoding: gzip, deflate
>>> from the request, using:
>>>
>>> RequestHeader unset Accept-Encoding
>>>
>>> Now the response is properly processed by HTTPD. So it's likely an issue
>>> with one or both of:
>>>
>>> Content-Encoding: gzip
>>> Transfer-Encoding: chunked
>>>
>>> Is this a known limitation?
>>>
>>> Regards, Maarten
>>>
>>>
>>>
>>> On 09/04/2018 11:53 AM, Maarten Boekhold wrote:
>>>
>>>> Hi all,
>>>>
>>>> Apache HTTPD 2.4.34 on Windows 10 downloaded from Apache Haus.
>>>>
>>>> I'm trying to move a corporate application behind a reverse proxy. In
>>>> the process, I need to move the path this application is published on,
>>>> eg:
>>>>
>>>> /webapp1 --> /suite/webapp1
>>>>
>>>> "webapp1" contains a specific JSP that returns an HTML page with a lot
>>>> of JavaScript inside, which hardcodes an absolute path "/service1". I
>>>> need to move that one as well to under the external "/suite/service1"
>>>> path.
>>>>
>>>> The GET /webapp1/the.jsp request has the following headers:
>>>>
>>>>  GET /webapp1/the.jsp HTTP/1.1
>>>>  Accept: image/gif, image/jpeg, image/pjpeg,
>>>> application/x-ms-application, application/xaml+xml,
>>>> application/x-ms-xbap, */*
>>>>  Referer: 
>>>>  Accept-Language: en-US
>>>>  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0;
>>>> WOW64; Trident/7.0; Touch; .NET4.0C; .NET4.0E; Tablet PC 2.0)
>>>>  Accept-Encoding: gzip, deflate
>>>>  Host: 
>>>>  Connection: Keep-Alive
>>>>  Cookie: JSESSIONID=24B3D3B40235B8E889A5F019081AAB41
>>>>
>>>> The response (non-proxied) has the following headers
>>>>
>>>>  HTTP/1.1 200
>>>>  Strict-Transport-Security: max-age=31536000;includeSubDomains
>>>>  X-Frame-Options: SAMEORIGIN
>>>>  X-Content-Type-Options: nosniff
>>>>  X-XSS-Protection: 1; mode=block
>>>>  Content-Type: text/html;charset=ISO-8859-1
>>>>  Transfer-Encoding: chunked
>>>>  Content-Encoding: gzip
>>>>  Vary: Accept-Encoding
>>>>  Date: Tue, 04 Sep 2018 06:52:12 GMT
>>>>  Server: 
>>>>
>>>> I've set up the following in httpd.conf:
>>>>
>>>>  FilterDeclare INFLATE_HTML CONTENT_SET
>>>>  FilterProvider INFLATE_HTML INFLATE "%{CONTENT_TYPE} =~
>>>> m|^text/html|"
>>>>  FilterProtocol INFLATE_HTML change=yes
>>>>  FilterTrace INFLATE_HTML 1
>>>>
>>>>  FilterDeclare DEFLATE_HTML
>>>>  FilterProvider DEFLATE_HTML DEFLATE "%{CONTENT_TYPE} =~
>>>> m|^text/html|"
>>>>  FilterProtocol DEFLATE_HTML change=yes
>>>>  FilterTrace DEFLATE_HTML 1
>>>>
>>>>  FilterDeclare SUBST_HTML
>>>>  FilterProvider SUBST_HTML SUBSTITUTE "%{CONTENT_TYPE} =~
>>>> m|^text/html|"
>>>>  FilterTrace SUBST_HTML 1
>>>>
>>>>
>>>>  FilterChain +INFLATE_HTML +SUBST_HTML +DEFLATE_HTML
>>>>
>>>>  ProxyPass ${internal}/webapp1/the.jsp
>>>>  ProxyPassReverse ${internal}/webapp1/the.jsp
>>>>
>>>>  Substitute s|/service1|/suite/service1|n
>>>>
>>>>
>>>> This doesn't work. I can see the request being forwarded to the internal
>>>> application server, which executes successfully and responds with 200,
>>>> but something inside HTTPD doesn't work, and it ends up at the browser
>>>> with a 504 and no data (looking at this with Fiddler).
>>>>
>>>> The HTTPD error.log file contains:
>>>>
>>>>
>>>> [Tue Sep 04 10:24:41.036087 2018] [proxy:trace1] [pid 452:tid 1352]
>>>> mod_proxy.c(766): [client 192.168.1.12:50120] AH03464: URI path
>>>> '/suite/webapp1/the.jsp' matches proxy handler
>>>> 'proxy:https://internal/webapp1/the.jsp', referer: 
>>>> [Tue Sep 04 10:24:41.036087 2018] [proxy:trace2] [pid 452:tid 1352]
>>>> proxy_util.c(2106): [client 192.168.1.12:50120] https: found worker
>>>>  for /webapp1/the.jsp, referer: 
>>>> [Tue Sep 04 10:24:41.036087 2018] [proxy:debug] [pid 452:tid 1352]
>>>> mod_proxy.c(1246): [client 192.168.1.12:50120] AH01143: Running scheme
>>>> h