[users@httpd] What search permissions are missing from where?

2020-04-25 Thread Jeffrey Walton
Hi Everyone,

I'm trying to configure a test server on CentOS 7. I'm catching this
error in error_log:

[Sun Apr 26 00:02:13.215014 2020] [core:error] [pid 14840]
(13)Permission denied: [client 172.16.5.26:41746] AH00035: access to
/index.html denied (filesystem path '/var/www/html/index.html')
because search permissions are missing on a component of the path

That message is pretty useless given the number of questions sprayed
across the web citing it.

As far as I can tell, the search permissions are present. Apache has
access to the file:

# ls -Al /var
...
drwxr-xr-x.  4 root apache   33 Apr 26 00:00 www
# ls -Al /var/www/
...
drwxr-xr-x. 2 root apache 24 Apr 21 11:20 html
# ls -Al /var/www/html
-rw-r--r--. 1 root apache 104 Apr 21 11:20 index.html

How do I find out what search permissions are missing from which
directory or directories?

Thanks in advance.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
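One way to answer the question above (added example, not from the thread): walk every directory component of the served path and report the ones that lack the search bit for a given uid/gid set standing in for the httpd worker user. The temporary tree it builds is constructed for the demo; pass the real `apache` uid/gids and `/var/www/html/index.html` to check a live box.

```python
import os
import stat
import tempfile

# Constructed example: report which components of a path a non-root uid/gid
# set cannot traverse, which is what httpd's AH00035 "search permissions are
# missing on a component of the path" refers to. If every component passes
# for the worker user, the denial is not plain DAC (on CentOS 7, check
# SELinux denials with `ausearch -m avc`).


def _permits(st, uid, gids, owner_bit, group_bit, other_bit):
    """Apply one permission class the way the kernel's DAC check does."""
    if st.st_uid == uid:
        return bool(st.st_mode & owner_bit)
    if st.st_gid in gids:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)


def missing_search_perms(path, uid, gids):
    """Return the components of `path` that uid/gids cannot get through.

    Each directory from "/" down to the file's parent needs x; the file
    itself needs r. A non-empty result names exactly the components to fix.
    """
    path = os.path.abspath(path)
    parts = path.split(os.sep)      # e.g. ['', 'var', 'www', 'html', 'index.html']
    dirs = [os.sep] + [os.sep.join(parts[:i]) for i in range(2, len(parts))]
    problems = [d for d in dirs
                if not _permits(os.stat(d), uid, gids,
                                stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)]
    st = os.stat(path)
    if stat.S_ISREG(st.st_mode) and not _permits(
            st, uid, gids, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH):
        problems.append(path)
    return problems


def demo():
    """Constructed tree: one directory is 0750, so 'other' cannot search it."""
    root = tempfile.mkdtemp()
    os.chmod(root, 0o755)
    locked = os.path.join(root, "html")
    os.mkdir(locked)
    os.chmod(locked, 0o750)                      # group may search, other may not
    target = os.path.join(locked, "index.html")
    with open(target, "w") as f:
        f.write("hello\n")
    os.chmod(target, 0o644)
    other_uid, other_gids = os.getuid() + 1, set()        # unrelated user
    group_gids = {os.stat(locked).st_gid}                 # member of html's group
    as_other = missing_search_perms(target, other_uid, other_gids)
    as_group = missing_search_perms(target, other_uid, group_gids)
    return locked in as_other, locked in as_group, as_other
```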



[users@httpd] What is a request for dash ("-")?

2020-04-25 Thread Jeffrey Walton
Hi Everyone,

My apologies for this lame question. I'm having trouble searching for it.

What is this request I see in the logs:

  186.222.62.229 - - [25/Apr/2020:21:35:18 -0400] "-" 408 -
  186.222.62.229 - - [25/Apr/2020:21:35:18 -0400] "-" 408 -

The reason I ask is, we have a MediaWiki attached to Apache. It gets
quite a bit of spam attempts. If it is not a legitimate request, then
I'd like to ban the host. I suspect it is some kind of probe, but I'd
like to know for sure before I take action.

Thanks in advance.




Re: [users@httpd] Apache 2.4.33 on OpenSuSE LEAP 15.1 sends zero-byte images

2020-04-25 Thread David T-G
Julien, et al --

...and then Julien Etter said...
% 
% Hi David,
% Try EnableSendFile Off in apache conf, this doesn't seem to be
% supported by opensuse.

YIPPEE!  That worked; thanks!!!

I suppose I should go and google, but I'll take the easy route in case
anyone happens to want to point me to why that's a problem.  Weird ...


Thanks again & have a great weekend :-)

:-D
-- 
David T-G
See http://justpickone.org/davidtg/email/
See http://justpickone.org/davidtg/tofu.txt





Re: [users@httpd] Only allow reverse proxy traffic with mod_remoteip

2020-04-25 Thread baptx
It worked when using Require in a location, thanks!


On Sat, 25 Apr 2020 at 13:41, Yann Ylavic  wrote:

> On Sat, Apr 25, 2020 at 1:24 PM baptx  wrote:
> >
> > @Yann: About your last reply suggesting Require expr "%{REMOTE_ADDR} !=
> %{CONN_REMOTE_ADDR}":
> > I want to restrict access on some virtualhosts only because I want to
> use some domain names without Cloudflare.
> > It looks like your previous solution with mod_rewrite is better in my
> case, since Require does not work in virtualhosts (I got the error:
> "Require not allowed in  context").
>
> Ah yes, correct, it should be enclosed in a location like:
>
> <VirtualHost ...>
>   ...
>   RemoteIP...
>   <Location "/">
>     Require expr "%{REMOTE_ADDR} != %{CONN_REMOTE_ADDR}"
>   </Location>
>   ...
> </VirtualHost>
>
> >>>
> >>> Thanks Yann, it worked.
>
> Great!
>
> Regards,
> Yann.
>
>
>


Re: [users@httpd] Only allow reverse proxy traffic with mod_remoteip

2020-04-25 Thread Yann Ylavic
On Sat, Apr 25, 2020 at 1:24 PM baptx  wrote:
>
> @Yann: About your last reply suggesting Require expr "%{REMOTE_ADDR} != 
> %{CONN_REMOTE_ADDR}":
> I want to restrict access on some virtualhosts only because I want to use 
> some domain names without Cloudflare.
> It looks like your previous solution with mod_rewrite is better in my case, 
> since Require does not work in virtualhosts (I got the error: "Require not 
> allowed in  context").

Ah yes, correct, it should be enclosed in a location like:

<VirtualHost ...>
  ...
  RemoteIP...
  <Location "/">
    Require expr "%{REMOTE_ADDR} != %{CONN_REMOTE_ADDR}"
  </Location>
  ...
</VirtualHost>

>>>
>>> Thanks Yann, it worked.

Great!

Regards,
Yann.




Re: [users@httpd] Only allow reverse proxy traffic with mod_remoteip

2020-04-25 Thread baptx
@Yann: About your last reply suggesting Require expr "%{REMOTE_ADDR} !=
%{CONN_REMOTE_ADDR}":
I want to restrict access on some virtualhosts only because I want to use
some domain names without Cloudflare.
It looks like your previous solution with mod_rewrite is better in my case,
since Require does not work in virtualhosts (I got the error: "Require not
allowed in  context").


On Sat, 25 Apr 2020 at 13:10, baptx  wrote:

> I meant == instead of != like you corrected.
>
>
> On Sat, 25 Apr 2020 at 13:08, baptx  wrote:
>
>> Thanks Yann, it worked.
>>
>> I used RemoteIPTrustedProxy instead of RemoteIPTrustedProxyList in
>> /etc/apache2/conf-available/remoteip.conf (from Cloudflare example:
>> https://support.cloudflare.com/hc/en-us/articles/360029696071-Restoring-original-visitor-IPs-Option-2-Installing-mod-remoteip-with-Apache#12345680
>> ).
>> Then I just had to add this in the virtualhosts that I want to protect:
>> RewriteEngine on
>> RewriteCond expr "%{REMOTE_ADDR} != %{CONN_REMOTE_ADDR}"
>> RewriteRule ^ - [F]
>>
>> I tested the bypass like that in case someone is interested (the 4
>> commands should return a 403 Forbidden error):
>> curl http://1.2.3.4 -H "Host: correct.tld"
>> curl http://1.2.3.4 -H "Host: wrong.tld"
>> curl -k https://1.2.3.4 -H "Host: correct.tld"
>> curl -k https://1.2.3.4 -H "Host: wrong.tld"
>> Where 1.2.3.4 should be replaced by your server IP address and
>> correct.tld should be replaced by a correct domain name used by your server.
>> The commands try to bypass the reverse proxy both for HTTP and HTTPS.
>> They also try to guess if a domain name is used by the server, by sending a
>> correct and wrong Host header.
>> To prevent someone from finding which domain name is used by your IP
>> address by looking at the 403 Forbidden error page, the virtualhost used by
>> the IP address should not use the same 403 Forbidden error page as the
>> domain name.
>>
>> Baptiste
>>
>>
>> On Sat, 25 Apr 2020 at 00:24, Yann Ylavic  wrote:
>>
>>> On Sat, Apr 25, 2020 at 12:17 AM Yann Ylavic 
>>> wrote:
>>> >
>>> > Hi,
>>> >
>>> > On Fri, Apr 24, 2020 at 10:49 PM bapt x  wrote:
>>> > >
>>> > > Is there a way to have the same functionality as the directive
>>> DenyAllButCloudflare from mod_cloudflare when using mod_remoteip?
>>> > > I would like to block access to users who try to bypass Cloudflare
>>> reverse proxy (e.g. accessing my web server directly by guessing the IP
>>> address). It looks like iptables is not a solution since I still want to
>>> host some websites without Cloudflare.
>>> >
>>> > I did not try, but possibly a mix of mod_remoteip and mod_rewrite like
>>> this:
>>> >
>>> >   RemoteIPHeader CF-Connecting-IP
>>> >   RemoteIPTrustedProxyList /path/to/proxies.list
>>> >   RewriteEngine on
>>> >   RewriteCond expr "%{REMOTE_ADDR} != %{CONN_REMOTE_ADDR}"
>>>
>>> Err, this should be:
>>> RewriteCond expr "%{REMOTE_ADDR} == %{CONN_REMOTE_ADDR}"
>>> because mod_remoteip will change REMOTE_ADDR (to the value of the
>>> header) only if CONN_REMOTE_ADDR (the proxy) is trusted, so if both
>>> are equal it means that CONN_REMOTE_ADDR is not a trusted proxy..
>>>
>>> >   RewriteRule ^ - [F]
>>> >
>>> > With "proxies.list" containing the same list as mod_cloudflare's ([1]).
>>> >
>>> > Hth,
>>> > Yann.
>>> >
>>> > [1]
>>> https://github.com/cloudflare/mod_cloudflare/blob/master/mod_cloudflare.c#L44
>>>
>>>
>>>


Re: [users@httpd] Only allow reverse proxy traffic with mod_remoteip

2020-04-25 Thread baptx
I meant == instead of != like you corrected.


On Sat, 25 Apr 2020 at 13:08, baptx  wrote:

> Thanks Yann, it worked.
>
> I used RemoteIPTrustedProxy instead of RemoteIPTrustedProxyList in
> /etc/apache2/conf-available/remoteip.conf (from Cloudflare example:
> https://support.cloudflare.com/hc/en-us/articles/360029696071-Restoring-original-visitor-IPs-Option-2-Installing-mod-remoteip-with-Apache#12345680
> ).
> Then I just had to add this in the virtualhosts that I want to protect:
> RewriteEngine on
> RewriteCond expr "%{REMOTE_ADDR} != %{CONN_REMOTE_ADDR}"
> RewriteRule ^ - [F]
>
> I tested the bypass like that in case someone is interested (the 4
> commands should return a 403 Forbidden error):
> curl http://1.2.3.4 -H "Host: correct.tld"
> curl http://1.2.3.4 -H "Host: wrong.tld"
> curl -k https://1.2.3.4 -H "Host: correct.tld"
> curl -k https://1.2.3.4 -H "Host: wrong.tld"
> Where 1.2.3.4 should be replaced by your server IP address and correct.tld
> should be replaced by a correct domain name used by your server.
> The commands try to bypass the reverse proxy both for HTTP and HTTPS. They
> also try to guess if a domain name is used by the server, by sending a
> correct and wrong Host header.
> To prevent someone from finding which domain name is used by your IP
> address by looking at the 403 Forbidden error page, the virtualhost used by
> the IP address should not use the same 403 Forbidden error page as the
> domain name.
>
> Baptiste
>
>
> On Sat, 25 Apr 2020 at 00:24, Yann Ylavic  wrote:
>
>> On Sat, Apr 25, 2020 at 12:17 AM Yann Ylavic 
>> wrote:
>> >
>> > Hi,
>> >
>> > On Fri, Apr 24, 2020 at 10:49 PM bapt x  wrote:
>> > >
>> > > Is there a way to have the same functionality as the directive
>> DenyAllButCloudflare from mod_cloudflare when using mod_remoteip?
>> > > I would like to block access to users who try to bypass Cloudflare
>> reverse proxy (e.g. accessing my web server directly by guessing the IP
>> address). It looks like iptables is not a solution since I still want to
>> host some websites without Cloudflare.
>> >
>> > I did not try, but possibly a mix of mod_remoteip and mod_rewrite like
>> this:
>> >
>> >   RemoteIPHeader CF-Connecting-IP
>> >   RemoteIPTrustedProxyList /path/to/proxies.list
>> >   RewriteEngine on
>> >   RewriteCond expr "%{REMOTE_ADDR} != %{CONN_REMOTE_ADDR}"
>>
>> Err, this should be:
>> RewriteCond expr "%{REMOTE_ADDR} == %{CONN_REMOTE_ADDR}"
>> because mod_remoteip will change REMOTE_ADDR (to the value of the
>> header) only if CONN_REMOTE_ADDR (the proxy) is trusted, so if both
>> are equal it means that CONN_REMOTE_ADDR is not a trusted proxy..
>>
>> >   RewriteRule ^ - [F]
>> >
>> > With "proxies.list" containing the same list as mod_cloudflare's ([1]).
>> >
>> > Hth,
>> > Yann.
>> >
>> > [1]
>> https://github.com/cloudflare/mod_cloudflare/blob/master/mod_cloudflare.c#L44
>>
>>
>>


Re: [users@httpd] Only allow reverse proxy traffic with mod_remoteip

2020-04-25 Thread baptx
Thanks Yann, it worked.

I used RemoteIPTrustedProxy instead of RemoteIPTrustedProxyList in
/etc/apache2/conf-available/remoteip.conf (from Cloudflare example:
https://support.cloudflare.com/hc/en-us/articles/360029696071-Restoring-original-visitor-IPs-Option-2-Installing-mod-remoteip-with-Apache#12345680
).
Then I just had to add this in the virtualhosts that I want to protect:
RewriteEngine on
RewriteCond expr "%{REMOTE_ADDR} != %{CONN_REMOTE_ADDR}"
RewriteRule ^ - [F]

I tested the bypass like that in case someone is interested (the 4 commands
should return a 403 Forbidden error):
curl http://1.2.3.4 -H "Host: correct.tld"
curl http://1.2.3.4 -H "Host: wrong.tld"
curl -k https://1.2.3.4 -H "Host: correct.tld"
curl -k https://1.2.3.4 -H "Host: wrong.tld"
Where 1.2.3.4 should be replaced by your server IP address and correct.tld
should be replaced by a correct domain name used by your server.
The commands try to bypass the reverse proxy both for HTTP and HTTPS. They
also try to guess if a domain name is used by the server, by sending a
correct and wrong Host header.
To prevent someone from finding which domain name is used by your IP
address by looking at the 403 Forbidden error page, the virtualhost used by
the IP address should not use the same 403 Forbidden error page as the
domain name.

Baptiste


On Sat, 25 Apr 2020 at 00:24, Yann Ylavic  wrote:

> On Sat, Apr 25, 2020 at 12:17 AM Yann Ylavic  wrote:
> >
> > Hi,
> >
> > On Fri, Apr 24, 2020 at 10:49 PM bapt x  wrote:
> > >
> > > Is there a way to have the same functionality as the directive
> DenyAllButCloudflare from mod_cloudflare when using mod_remoteip?
> > > I would like to block access to users who try to bypass Cloudflare
> reverse proxy (e.g. accessing my web server directly by guessing the IP
> address). It looks like iptables is not a solution since I still want to
> host some websites without Cloudflare.
> >
> > I did not try, but possibly a mix of mod_remoteip and mod_rewrite like
> this:
> >
> >   RemoteIPHeader CF-Connecting-IP
> >   RemoteIPTrustedProxyList /path/to/proxies.list
> >   RewriteEngine on
> >   RewriteCond expr "%{REMOTE_ADDR} != %{CONN_REMOTE_ADDR}"
>
> Err, this should be:
> RewriteCond expr "%{REMOTE_ADDR} == %{CONN_REMOTE_ADDR}"
> because mod_remoteip will change REMOTE_ADDR (to the value of the
> header) only if CONN_REMOTE_ADDR (the proxy) is trusted, so if both
> are equal it means that CONN_REMOTE_ADDR is not a trusted proxy..
>
> >   RewriteRule ^ - [F]
> >
> > With "proxies.list" containing the same list as mod_cloudflare's ([1]).
> >
> > Hth,
> > Yann.
> >
> > [1]
> https://github.com/cloudflare/mod_cloudflare/blob/master/mod_cloudflare.c#L44
>
>
>


Re: [users@httpd] Only allow reverse proxy traffic with mod_remoteip

2020-04-25 Thread Yann Ylavic
On Sat, Apr 25, 2020 at 12:24 AM Yann Ylavic  wrote:
>
> On Sat, Apr 25, 2020 at 12:17 AM Yann Ylavic  wrote:
> >
> > Hi,
> >
> > On Fri, Apr 24, 2020 at 10:49 PM bapt x  wrote:
> > >
> > > Is there a way to have the same functionality as the directive 
> > > DenyAllButCloudflare from mod_cloudflare when using mod_remoteip?
> > > I would like to block access to users who try to bypass Cloudflare 
> > > reverse proxy (e.g. accessing my web server directly by guessing the IP 
> > > address). It looks like iptables is not a solution since I still want to 
> > > host some websites without Cloudflare.
> >
> > I did not try, but possibly a mix of mod_remoteip and mod_rewrite like this:
> >
> >   RemoteIPHeader CF-Connecting-IP
> >   RemoteIPTrustedProxyList /path/to/proxies.list
> >   RewriteEngine on
> >   RewriteCond expr "%{REMOTE_ADDR} != %{CONN_REMOTE_ADDR}"
>
> Err, this should be:
> RewriteCond expr "%{REMOTE_ADDR} == %{CONN_REMOTE_ADDR}"
> because mod_remoteip will change REMOTE_ADDR (to the value of the
> header) only if CONN_REMOTE_ADDR (the proxy) is trusted, so if both
> are equal it means that CONN_REMOTE_ADDR is not a trusted proxy..
>
> >   RewriteRule ^ - [F]
> >
> > With "proxies.list" containing the same list as mod_cloudflare's ([1]).

Actually, if this works, a simpler way to do it (with the core
authorization mechanism) is:
   RemoteIPHeader CF-Connecting-IP
   RemoteIPTrustedProxyList /path/to/proxies.list
   Require expr "%{REMOTE_ADDR} != %{CONN_REMOTE_ADDR}"

> >
> > Hth,
> > Yann.
> >
> > [1] 
> > https://github.com/cloudflare/mod_cloudflare/blob/master/mod_cloudflare.c#L44

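As an added illustration of the REMOTE_ADDR / CONN_REMOTE_ADDR reasoning in this message (example code written for this archive, not from the thread or from httpd's source): a single-hop model of what mod_remoteip does to REMOTE_ADDR, and the corrected allow rule applied to constructed traffic. The proxy ranges, client addresses and header values are constructed; the real proxies.list would hold Cloudflare's ranges.

```python
import ipaddress

# Constructed example: model how mod_remoteip rewrites REMOTE_ADDR and why
# comparing it with CONN_REMOTE_ADDR tells a proxied request from a direct
# one. Single hop only; the real module also walks comma-separated
# X-Forwarded-For style chains, which CF-Connecting-IP does not need.

# Stand-in for proxies.list / RemoteIPTrustedProxy (documentation ranges,
# not Cloudflare's real ones).
TRUSTED_PROXIES = [ipaddress.ip_network(n)
                   for n in ("203.0.113.0/24", "2001:db8::/32")]
REMOTEIP_HEADER = "CF-Connecting-IP"      # RemoteIPHeader from the thread


def effective_remote_addr(conn_remote_addr, headers, trusted=TRUSTED_PROXIES):
    """REMOTE_ADDR as mod_remoteip leaves it for one request.

    The header is honoured only when the TCP peer (CONN_REMOTE_ADDR) is a
    trusted proxy and the header holds a valid address; otherwise
    REMOTE_ADDR stays equal to CONN_REMOTE_ADDR, so a client connecting
    directly gains nothing by sending the header itself.
    """
    peer = ipaddress.ip_address(conn_remote_addr)
    if not any(peer in net for net in trusted):
        return conn_remote_addr
    claimed = headers.get(REMOTEIP_HEADER, "").strip()   # canonical casing assumed
    try:
        return str(ipaddress.ip_address(claimed))
    except ValueError:
        return conn_remote_addr


def proxy_only_allows(conn_remote_addr, headers, trusted=TRUSTED_PROXIES):
    """Yann's corrected rule: allow iff REMOTE_ADDR != CONN_REMOTE_ADDR.

    Same decision as `Require expr "%{REMOTE_ADDR} != %{CONN_REMOTE_ADDR}"`
    and as `RewriteCond expr "%{REMOTE_ADDR} == %{CONN_REMOTE_ADDR}"` + [F].
    """
    return effective_remote_addr(conn_remote_addr, headers, trusted) != conn_remote_addr


# Constructed traffic: (CONN_REMOTE_ADDR, request headers, description).
CASES = [
    ("203.0.113.10", {"CF-Connecting-IP": "198.51.100.7"}, "via trusted proxy"),
    ("198.51.100.7", {}, "direct, no header"),
    ("198.51.100.7", {"CF-Connecting-IP": "203.0.113.10"}, "direct, spoofed header"),
    ("203.0.113.10", {}, "trusted proxy that dropped the header"),
]


def decisions():
    """Map each constructed case to its allow (True) / deny (False) outcome."""
    return {desc: proxy_only_allows(conn, hdrs) for conn, hdrs, desc in CASES}
```

The last case shows the rule fails closed: a trusted proxy that does not set the header is denied like a direct client, which is worth knowing before switching the RewriteCond from `!=` to `==` on a live vhost.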



Re: [users@httpd] Apache 2.4.33 on OpenSuSE LEAP 15.1 sends zero-byte images

2020-04-25 Thread Julien Etter
Hi David,
Try EnableSendFile Off in apache conf, this doesn't seem to be supported by 
opensuse.

Sent from Outlook Mobile


From: David T-G 
Sent: Saturday, April 25, 2020 3:27:22 AM
To: users@httpd.apache.org 
Subject: [users@httpd] Apache 2.4.33 on OpenSuSE LEAP 15.1 sends zero-byte 
images

Hi, all --

I've pulled my hair out enough; it's time to ask for help!  I am building
an OpenSuSE LEAP 15.1 server and have installed Apache2 2.4.33, PHP,
Perl, ImageMagick, and more.  My PHP software successfully reads images
in the filesystem and generates thumbnails and displays its index page,
by which I gather that my vhost definition is correct.

However, the server does not send me images.  Whether trying to display
on an HTML page with an IMG tag or just pointing directly to

  http://example.com/path/to/image.jpg

in the URL bar, I get nothing.  [Oh, and I have +Indexes set and can get
an index of the directory and click on the image and ALSO get nothing.]
Pulling the image with wget gives me a

  Connection closed at byte 0. Retrying.

error a few times before dying.  My access log shows the request (just
once, despite the retries), and there is no error log entry.

I'm sure stumped!  Where should I start digging and what can I send to
help troubleshooting?  I've run out of things to try.


Thanks and have a great weekend

:-D
--
David T-G
See http://justpickone.org/davidtg/email/
See http://justpickone.org/davidtg/tofu.txt

