Re: [users@httpd] Cannot write to the web directory

2021-03-19 Thread Frank Gingras
This is an extremely bad idea. You should never write to the docroot from
your application. Write outside the docroot instead, and use group write
permissions.

On Thu, 18 Mar 2021 at 20:15, Tatsuki Makino 
wrote:

> I'm not sure, but FreeBSD happens to be different from Linux, so please
> change the directory group to www as well.
> Permissions of 700, 750, 755, 770 or 775 should be sufficient.
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>
>


Re: [users@httpd] Cannot write to the web directory

2021-03-19 Thread Rich Bowen




On 3/18/21 4:18 PM, Paul wrote:

Would like to upload a file to have wordpress functionality working or be able 
to upload a file. User permissions are set at 777 owner is www, os is freebsd, 
the freebsd mailing list claims it’s not their issue but tried to assert 
assistance nevertheless. What can I do so I can upload a file via httpd is 
there something in the configuration directory?


In addition to angel's advice (never, ever, set anything to 777) the 
next question is, what does the error log say?


The error log will tell you why it failed. Or, possibly since it's 
wordpress, your php error log (if php is logging somewhere else, for 
example, if you're running php-fpm).


--Rich

--
Rich Bowen - rbo...@rcbowen.com
@rbowen




Re: [users@httpd] time based not working

2021-03-19 Thread Rich Bowen




On 3/18/21 3:06 AM, Jens Kallup wrote:

Hello,
how can I time based open times?
The script below seems not work.
All pages are the same.

     RewriteEngine On
     LogLevel warn rewrite:trace3


What does the trace log say when you make the request?



     # -
     # compress file(.ext) on server side, before delivery  ...
     # on MS-Windows; you should have the GNU-Tools installed !
     # -
     RewriteCond %{HTTP:Accept-encoding} gzip
     RewriteCond %{REQUEST_FILENAME}\.gz -s
     RewriteRule ^(.*)\.(css|js|txt) $1\.$2\.gz [QSA]

     # -
     # shortners ...
     # -
     Alias "/pub"    "${APACHE_WEB}/443/pub"
     Alias "/edu"    "${APACHE_WEB}/443/edu"

     # store variable values with dummy rewrite rules
     RewriteRule . - [E=req_scheme:%{REQUEST_SCHEME}]
     RewriteRule . - [E=http_host:%{HTTP_HOST}]
     RewriteRule . - [E=req_uri:%{REQUEST_URI}]

     # -
     # out of office time rule ...
     # from 07:00 - 20:00
     # -
     RewriteCond %{TIME_HOUR} >=09 [OR]
     RewriteCond %{TIME_HOUR} <=10
     RewriteRule /pub/.* - [E=HTTP_OFFICE_HEADER:1]
     RewriteRule /pub/.* - [E=HTTP_OFFICE_HEADER:0]
     RewriteRule ^$ /pub/.* [R=301,L]


In PHP:



Jens





--
Rich Bowen - rbo...@rcbowen.com
@rbowen




Re: [users@httpd] time based not working

2021-03-19 Thread Daniel Ferradal
We replied to him in irc, I think he is past that but hasn't updated his
findings here.

Suggestions were check rewritelog, consider not using OR

On Fri, 19 Mar 2021 at 14:35, Rich Bowen wrote:

>
>
> On 3/18/21 3:06 AM, Jens Kallup wrote:
> > Hello,
> > how can I time based open times?
> > The script below seems not work.
> > All pages are the same.
> >
> >  RewriteEngine On
> >  LogLevel warn rewrite:trace3
>
> What does the trace log say when you make the request?
>
> >
> >  # -
> >  # compress file(.ext) on server side, before delivery  ...
> >  # on MS-Windows; you should have the GNU-Tools installed !
> >  # -
> >  RewriteCond %{HTTP:Accept-encoding} gzip
> >  RewriteCond %{REQUEST_FILENAME}\.gz -s
> >  RewriteRule ^(.*)\.(css|js|txt) $1\.$2\.gz [QSA]
> >
> >  # -
> >  # shortners ...
> >  # -
> >  Alias "/pub"    "${APACHE_WEB}/443/pub"
> >  Alias "/edu"    "${APACHE_WEB}/443/edu"
> >
> >  # store variable values with dummy rewrite rules
> >  RewriteRule . - [E=req_scheme:%{REQUEST_SCHEME}]
> >  RewriteRule . - [E=http_host:%{HTTP_HOST}]
> >  RewriteRule . - [E=req_uri:%{REQUEST_URI}]
> >
> >  # -
> >  # out of office time rule ...
> >  # from 07:00 - 20:00
> >  # -
> >  RewriteCond %{TIME_HOUR} >=09 [OR]
> >  RewriteCond %{TIME_HOUR} <=10
> >  RewriteRule /pub/.* - [E=HTTP_OFFICE_HEADER:1]
> >  RewriteRule /pub/.* - [E=HTTP_OFFICE_HEADER:0]
> >  RewriteRule ^$ /pub/.* [R=301,L]
> >
> >
> > In PHP:
> >
> >  <?php
> >  $office = $_SERVER['HTTP_OFFICE_HEADER'];
> >  $status = 0;
> >
> >  if (strcmp($office,"0") == 0)
> >  $status = 0; else
> >  $status = 1;
> > ?>
> >
> > Jens
> >
> >
> >
>
> --
> Rich Bowen - rbo...@rcbowen.com
> @rbowen
>
>
>


Re: [users@httpd] Cannot write to the web directory

2021-03-19 Thread Paul
Ok, thanks, it doesn’t appear to be a permissions issue. I will check the php 
and the apache configuration.

Sent from my iPad

> On 19 March 2021 at 08:37, Frank Gingras wrote:
> 
> 
> This is an extremely bad idea. You should never write to the docroot from 
> your application. Write outside the docroot instead, and use group write 
> permissions.
> 
>> On Thu, 18 Mar 2021 at 20:15, Tatsuki Makino  
>> wrote:
>> I'm not sure, but FreeBSD happens to be different from Linux, so please 
>> change the directory group to www as well.
>> Permissions of 700, 750, 755, 770 or 775 should be sufficient.
>> 
>> 
>> 


[users@httpd] v2.4.6 strange bug

2021-03-19 Thread Gabriele Bulfon
Hi,
 
we have experienced problems on a CentOS7 with apache 2.4.6, APR 1.4.8, 
APR-UTIL 1.5.2.
 
Apache is doing proxypass to a tomcat webapp, including websocket, through 
these directives:
 
ProxyPass /webtop/push ws://127.0.0.1:58080/webtop/push
ProxyPassReverse /webtop/push ws://127.0.0.1:58080/webtop/push
ProxyPass /webtop http://127.0.0.1:58080/webtop timeout=180
ProxyPassReverse /webtop http://127.0.0.1:58080/webtop
 
The tomcat webapp logs information about user access using the request header 
x-forwarded-for that proxypass adds.
Everything is fine at first access, IP of the user is correctly logged.
 
What happens is that when the user logs out, the webapp first closes the 
websocket then logs the user out closing the session and redirecting to login: 
here something goes wrong and from then on, during the same all tcp session 
running the N next http requests, x-forwarded-for is missing, so if the user 
logs in again, the logged IP is 127.0.0.1 because x-forwarded-for is missing, 
and it will be coming back when a new tcp session is started, later on.
We could verify via wireshark dump that the last request having x-forwarded-for 
is the websocket close request, then nothing from logout to login and some 
other 10-20 requests.
 
Because this is not happening on other systems with newer versions of httpd, we 
tried on a test CentOS7 to upgrade apache using a non official repository, and 
verified that in this case everything was working fine.
 
So, the problem is that we have many systems running CentOS7 with that apache 
version, and we can upgrade only against the official repository, which is not 
delivering any new version at the moment.
So I was hoping for someone to suggest any other possible solution to this 
problem, maybe changing some configuration or anything else.
 
Thanks a lot for your help,
Gabriele
 
 
Sonicle S.r.l. : http://www.sonicle.com
Music: http://www.gabrielebulfon.com
eXoplanets : https://gabrielebulfon.bandcamp.com/album/exoplanets
 



[users@httpd] Re: Cannot write to the web directory

2021-03-19 Thread John David

On 19/03/2021 13:45, Paul wrote:
Ok, thanks, it doesn’t appear to be a permissions issue. I will 
check the php and the apache configuration.



php has file size upload limit. The default is 2 Mb so this might be the 
problem for you.








Re: [users@httpd] Cannot write to the web directory

2021-03-19 Thread Scott A. Wozny
One thing I didn't see mentioned in the replies is if the DAC on the folder is 
set to world writable (and I agree with all the responses that say this is a 
terrible idea) but it still LOOKS like a permissions issue (access denied or 
other unexplained failures) did you check if MAC (SELinux, AppArmor) was 
getting in the way?

HTH,

Scott


From: Paul 
Sent: March 19, 2021 9:45 AM
To: users@httpd.apache.org 
Subject: Re: [users@httpd] Cannot write to the web directory

Ok, thanks, it doesn’t appear to be a permissions issue. I will check the php 
and the apache configuration.

Sent from my iPad

On 19 March 2021 at 08:37, Frank Gingras wrote:


This is an extremely bad idea. You should never write to the docroot from your 
application. Write outside the docroot instead, and use group write permissions.

On Thu, 18 Mar 2021 at 20:15, Tatsuki Makino wrote:
I'm not sure, but FreeBSD happens to be different from Linux, so please change 
the directory group to www as well.
Permissions of 700, 750, 755, 770 or 775 should be sufficient.





Re: [users@httpd] Cannot write to the web directory

2021-03-19 Thread Paul
No I was able to set the limit higher. 

https://heskia.club/phptest.php If you check this page you can see that the 
upload is limited to 40 mb.

I edited the php.ini file.

Now I don’t know if that helps but I think it worked at one time. Not sure when 
or what changed. I tried disabling the firewall to see. I still cannot get it 
to work. I checked the settings in /usr/local/etc/php/php-fpm.d , restarted 
Apache. I installed fcgi and added something to httpd. I tried permissions I 
made www also group user. 

Sent from my iPhone

> On 19 March 2021 at 14:26, Scott A. Wozny wrote:
> 
> 
> One thing I didn't see mentioned in the replies is if the DAC on the folder 
> is set to world writable (and I agree with all the responses that say this is 
> a terrible idea) but it still LOOKS like a permissions issue (access denied 
> or other unexplained failures) did you check if MAC (SELinux, AppArmor) was 
> getting in the way?
> 
> HTH,
> 
> Scott
> 
> From: Paul 
> Sent: March 19, 2021 9:45 AM
> To: users@httpd.apache.org 
> Subject: Re: [users@httpd] Cannot write to the web directory
>  
> Ok, thanks, it doesn’t appear to be a permissions issue. I will check the 
> php and the apache configuration.
> 
> Sent from my iPad
> 
>>> On 19 March 2021 at 08:37, Frank Gingras wrote:
>>> 
>> 
>> This is an extremely bad idea. You should never write to the docroot from 
>> your application. Write outside the docroot instead, and use group write 
>> permissions.
>> 
>> On Thu, 18 Mar 2021 at 20:15, Tatsuki Makino  
>> wrote:
>> I'm not sure, but FreeBSD happens to be different from Linux, so please 
>> change the directory group to www as well.
>> Permissions of 700, 750, 755, 770 or 775 should be sufficient.
>> 
>> 
>> 


[users@httpd] brotli with Apache and PHP-FPM - possible?

2021-03-19 Thread Tomasz Chmielewski
I've tried enabling brotli with Apache on Ubuntu 20.04 (running Apache 
2.4.41). Brotli works, but not for content generated with PHP.


It works for HTML files:

$ curl -v -H "Accept-Encoding: gzip, deflate, br" 
https://server.tld/pp.html 2>&1 | grep content-encoding

< content-encoding: br

But does not work if it's PHP - in this case, the content is compressed 
with "gzip":


$ curl -v -H "Accept-Encoding: gzip, deflate, br" 
https://server.tld/pp.php 2>&1 | grep content-encoding

< content-encoding: gzip

Curiously, it does work with PHP if I specify "br" as the only value in 
"Accept-Encoding" (browsers however use "gzip, deflate, br"):


$ curl -v -H "Accept-Encoding: br" https://server.tld/pp.php 2>&1 | grep 
content-encoding

< content-encoding: br

So, what is the problem here?


I've enabled brotli by running:

a2enmod brotli

and adding the following part to the vhost (followed by apache restart):

AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml 
text/css text/javascript application/x-javascript application/javascript 
application/json application/x-font-ttf application/vnd.ms-fontobject 
image/x-icon



Tomasz Chmielewski




Re: [users@httpd] Cannot write to the web directory

2021-03-19 Thread Tatsuki Makino
Frank Gingras wrote on 2021/03/19 21:36:
> This is an extremely bad idea. You should never write to the docroot from
> your application. Write outside the docroot instead, and use group write
> permissions.

Isn't root the owner of docroot?
When the user of an application is the owner, he should be free to do anything.
If you don't want users of the application to be free to do so, change the 
owner/groups separately and don't give them permission.
If we don't understand that we can barricade ourselves in with just that, we 
will need an extra security system. like SEx.





Re: [users@httpd] Cannot write to the web directory

2021-03-19 Thread Frank Gingras
It has nothing to do with being "free to do anything".

This is about basic security, and the principle of least privileges.

On Fri, 19 Mar 2021 at 19:33, Tatsuki Makino 
wrote:

> Frank Gingras wrote on 2021/03/19 21:36:
> > This is an extremely bad idea. You should never write to the docroot from
> > your application. Write outside the docroot instead, and use group write
> > permissions.
>
> Isn't root the owner of docroot?
> When the user of an application is the owner, he should be free to do
> anything.
> If you don't want users of the application to be free to do so, change the
> owner/groups separately and don't give them permission.
> If we don't understand that we can barricade ourselves in with just that,
> we will need an extra security system. like SEx.
>
>


Re: [users@httpd] Cannot write to the web directory

2021-03-19 Thread Tatsuki Makino
Frank Gingras wrote on 2021/03/20 09:46:
> It has nothing to do with being "free to do anything".
> 
> This is about basic security, and the principle of least privileges.

However, a directory with permissions of 0755 (rwxr-xr-x) on FreeBSD behaves 
the same as a Linux directory with permissions of perhaps 2755 (rwxr-sr-x).
I want to deal with the problem of unrelated groups propagating as owners, not 
basic security or least privilege.
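
The points raised in the "Cannot write to the web directory" thread (nothing at 777, uploads written outside the docroot with group write, and FreeBSD directories passing their group to new files the way a setgid directory does on Linux) can be checked with a short script. This is an added example, not code from any poster or from the httpd project; the function names are hypothetical, the 2770 mode is an assumption (770 from the thread plus the setgid bit), and the group you pass in would be www on the FreeBSD host described above.

```sh
#!/bin/sh
# Added example: audit a docroot and prepare an upload directory outside it.
# Function names are hypothetical; pass your own paths and group.

# List entries under a tree that any local user can modify (the "777" problem).
# Symlinks are skipped: their own mode bits are not what access is checked on.
audit_world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# List entries that belong to the server's group and are group-writable.
# Inside a docroot this list should be empty: files the server can rewrite
# are files a compromised application can replace.
audit_group_writable() {
    # $1 = tree, $2 = group name or numeric gid the server runs as
    find "$1" ! -type l -group "$2" -perm -0020 -print
}

# Succeed (0) only if directory $2 is NOT the docroot $1 or beneath it.
# Both paths are resolved physically so a symlink cannot hide the nesting.
outside_docroot() {
    docroot=$(cd "$1" && pwd -P) || return 2
    target=$(cd "$2" && pwd -P) || return 2
    case "$target/" in
        "$docroot"/*) return 1 ;;
        *) return 0 ;;
    esac
}

# Create an upload directory: owner and group may write, others get nothing.
# The setgid bit makes new files take the directory's group on Linux;
# FreeBSD does that by default, so the bit changes nothing there.
make_upload_dir() {
    # $1 = directory, $2 = group (may be empty; chgrp needs membership or root)
    mkdir -p "$1" || return 1
    if [ -n "$2" ]; then chgrp "$2" "$1" || return 1; fi
    chmod 2770 "$1"
}
```
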

