Re: [users@httpd] Apache Reverse Proxy SSL to TOMCAT no SSL

2021-06-01 Thread Yann Ylavic
Hi,

On Tue, Jun 1, 2021 at 5:24 PM Carlos Castro  wrote:
>
> 
> 
[]
> ProxyRequests On

You probably should remove the above line (which is not in the non-SSL
virtual host by the way).

Regards;
Yann.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org



[users@httpd] Apache Reverse Proxy SSL to TOMCAT no SSL

2021-06-01 Thread Carlos Castro
Hi all ,

I am trying to configure an Apache reverse proxy with a certificate that redirects 
to a Tomcat without a certificate.
The first question is whether this is possible.

I am doing this configuration



ServerAdmin siste...@x.com
ServerName clientes.xx.com
ServerAlias clientes.xl.com
DocumentRoot /var/www/
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
ProxyPreserveHost On
ProxyPass /dpisaas-web  http://192.168.10.50:8080/dpisaas-web
ProxyPassReverse /dpisaas-web  http://192.168.10.50:8080/dpisaas-web





ServerAdmin siste...@x.com
ServerName clientes.xxx.com
ServerAlias clientes.xxx.com
SSLEngine on
SSLProxyEngine On
SSLCertificateFile /etc/ssl/xx.crt
SSLCertificateKeyFile /etc/ssl/x.com.key
SSLCertificateChainFile /etc/ssl/x-chain.crt
DocumentRoot /var/www/
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
ProxyRequests On
ProxyPreserveHost On
ProxyPass /dpisaas-web  http://192.168.10.50:8080/dpisaas-web
ProxyPassReverse /dpisaas-web http://192.168.10.50:8080/dpisaas-web
ProxyPassReverseCookiePath /dpisaas-web /dpisaas-web




The first configuration (no SSL) works correctly.

The second configuration (once Apache is configured to listen on port 8085 
for SSL requests) does not give me an error; it recognizes the SSL certificate, 
but it leaves the screen blank and does not load the Tomcat app.

Have you had a similar situation? Is something missing in the configuration?
Many Thanks!!





Regards
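Yann's reply above singles out the ProxyRequests On line in the SSL virtual host. A reverse proxy needs only ProxyPass and ProxyPassReverse; ProxyRequests On additionally turns the virtual host into a forward proxy, so any client that can reach that port can ask httpd to fetch arbitrary URLs on its behalf unless a Proxy block restricts it (the mod_proxy documentation warns about exactly this). The shell script below is an added example, not code from the thread or from the httpd project: it holds a constructed copy of the posted SSL stanza before and after the change and audits each VirtualHost for the combination. The ServerName, the VirtualHost address and the hypothetical audit function are placeholders of my own; the backend address is the one from the post.

```shell
#!/bin/sh
# Added example, not from the thread: audit httpd <VirtualHost> stanzas for
# "ProxyRequests On" combined with ProxyPass. The vhost text below is a
# constructed copy of the poster's SSL stanza; the ServerName and the
# VirtualHost address are placeholders.

# Constructed: the SSL vhost as posted, with the line Yann points at.
VHOST_BEFORE='<VirtualHost *:8085>
    ServerName clientes.example.com
    SSLEngine on
    SSLProxyEngine On
    ProxyRequests On
    ProxyPreserveHost On
    ProxyPass /dpisaas-web http://192.168.10.50:8080/dpisaas-web
    ProxyPassReverse /dpisaas-web http://192.168.10.50:8080/dpisaas-web
</VirtualHost>'

# Constructed: the same vhost with forward proxying left at its default.
# SSLProxyEngine is also dropped: the backend is plain http://, so httpd
# never opens a TLS connection to it and the directive does nothing here.
VHOST_AFTER='<VirtualHost *:8085>
    ServerName clientes.example.com
    SSLEngine on
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass /dpisaas-web http://192.168.10.50:8080/dpisaas-web
    ProxyPassReverse /dpisaas-web http://192.168.10.50:8080/dpisaas-web
</VirtualHost>'

# audit_proxy_requests CONFIG_TEXT   (hypothetical helper, not an httpd tool)
# Prints one finding per <VirtualHost> that enables forward proxying and
# exits 1 if there is any such vhost, 0 otherwise.
audit_proxy_requests() {
    printf '%s\n' "$1" | awk '
        tolower($1) == "<virtualhost" {
            vhost = $2; sub(/>$/, "", vhost); fwd = 0; rev = 0; next
        }
        tolower($1) == "proxyrequests" && tolower($2) == "on" { fwd = 1; next }
        tolower($1) == "proxypass"                            { rev = 1; next }
        tolower($1) == "</virtualhost>" {
            if (fwd && rev) { print "open forward proxy risk in " vhost; bad++ }
            else if (fwd)   { print "forward proxy enabled in " vhost; bad++ }
        }
        END { if (bad) exit 1; exit 0 }'
}

audit_proxy_requests "$VHOST_BEFORE" || echo "before: remove ProxyRequests On"
audit_proxy_requests "$VHOST_AFTER"  && echo "after: no forward proxying"
```

The audit is deliberately crude (one directive per line, no Include expansion); on a real host, run it over the output of `httpd -t -D DUMP_VHOSTS` plus the vhost files it names, and keep ProxyRequests at its default of Off on every reverse-proxy vhost.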


Re: [users@httpd] Is ServerLimit 256 in prefork mode somehow hardcoded?

2021-06-01 Thread Eric Covener
On Tue, Jun 1, 2021 at 5:02 AM Alois Treindl  wrote:
>
> I am using Apache on RHEL 7 for a long time.
> httpd-2.4.6-97.el7_9.x86_64
>
> I use it with mod_mpm_prefork module, the default on Redhat.
>
> I see, shortly after startup, messages in errorlog like
> AH00161: server reached MaxRequestWorkers setting, consider raising the 
> MaxRequestWorkers setting
>
> I have tried to do that
> 
> StartServers  20
> MinSpareServers   10
> MaxSpareServers   20
> ServerLimit   512
> MaxRequestWorkers 512
> MaxConnectionsPerChild  1
> 

Is your MPM a loadable module and loaded after this stanza?  IfModule
doesn't work in such a case.

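Eric's question is about evaluation order: httpd tests an IfModule condition at the point it reads the stanza, so a stanza placed before the LoadModule line that loads the MPM is silently skipped, and the ServerLimit and MaxRequestWorkers values never take effect. The script below is an added example, not code from the thread or from the httpd project: it takes a configuration in the order httpd reads it and reports where the stanza sits relative to the LoadModule line. Both configurations are constructed; the stanza copies the posted values, while the module file name and the hypothetical check function are placeholders of my own.

```shell
#!/bin/sh
# Added example, not from the thread: report whether an <IfModule> stanza
# for the MPM sits before the LoadModule line that loads it, which is the
# ordering Eric asks about. Both configs are constructed; the stanza copies
# the poster's values, the module file name is a placeholder.

# Constructed: stanza placed above the line that loads the MPM. httpd
# evaluates <IfModule> at the point it is read, so here the module is not
# loaded yet and the whole stanza is skipped without any error.
CONFIG_BROKEN='<IfModule mpm_prefork_module>
    ServerLimit 512
    MaxRequestWorkers 512
</IfModule>
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so'

# Constructed: same stanza after the LoadModule line.
CONFIG_FIXED='LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
<IfModule mpm_prefork_module>
    ServerLimit 512
    MaxRequestWorkers 512
</IfModule>'

# check_ifmodule_order CONFIG_TEXT MODULE_NAME   (hypothetical helper)
# CONFIG_TEXT must be the configuration in the order httpd reads it
# (Include'd files expanded in place). Exit 0 = stanza after LoadModule,
# 1 = stanza before LoadModule, 2 = stanza or LoadModule missing.
check_ifmodule_order() {
    printf '%s\n' "$1" | awk -v mod="$2" '
        tolower($1) == "loadmodule" && $2 == mod && !load { load = NR }
        tolower($1) == "<ifmodule" {
            name = $2; sub(/>$/, "", name)
            if (name == mod && !stanza) stanza = NR
        }
        END {
            if (!stanza) { print "no <IfModule " mod "> stanza"; exit 2 }
            if (!load) {
                print "no LoadModule for " mod " (static build, or never loaded)"
                exit 2
            }
            if (stanza < load) {
                print "stanza at line " stanza " precedes LoadModule at line " load ": ignored"
                exit 1
            }
            print "stanza at line " stanza " follows LoadModule at line " load ": ok"
            exit 0
        }'
}

check_ifmodule_order "$CONFIG_BROKEN" mpm_prefork_module || echo "-> move the stanza below the LoadModule line"
check_ifmodule_order "$CONFIG_FIXED" mpm_prefork_module
```

The "no LoadModule" case is not necessarily a fault: `httpd -l` lists modules compiled into the binary, and for a static MPM the IfModule test is true wherever the stanza sits. `httpd -M` shows what is actually loaded at runtime, which is the quickest way to confirm which MPM the server ended up with.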



Re: [users@httpd] Is ServerLimit 256 in prefork mode somehow hardcoded?

2021-06-01 Thread Marc Serra
https://httpd.apache.org/docs/2.4/en/mod/mpm_common.html#serverlimit

There is a hard limit of ServerLimit 20000 compiled into the server (for
the prefork MPM 200000). This is intended to avoid nasty effects caused by
typos. To increase it even further past this limit, you will need to modify
the value of MAX_SERVER_LIMIT in the mpm source file and rebuild the server.

Message from Alois Treindl on Tue, 1 June 2021 at 11:02:

> I am using Apache on RHEL 7 for a long time.
> httpd-2.4.6-97.el7_9.x86_64
>
> I use it with mod_mpm_prefork module, the default on Redhat.
>
> I see, shortly after startup, messages in errorlog like
> AH00161: server reached MaxRequestWorkers setting, consider raising the
> MaxRequestWorkers setting
>
> I have tried to do that
> 
> StartServers  20
> MinSpareServers   10
> MaxSpareServers   20
> ServerLimit   512
> MaxRequestWorkers 512
> MaxConnectionsPerChild  1
> 
>
> I also tried much higher values of ServerLimit and MaxRequestWorkers, like
> 6400 or 30'000
>
> It makes no difference, the error message appears.
>
> In server-status, I always see four lines of 64 servers, i.e. a total of
> 256 servers shown, like this:
>
> .R_R_RKCCC_C..R_RRRKRRCC.R_CCKRKRKC.KRKR_R.__RKCRRRK
> .KKRWRC_R_RCRRCKR_KRKKRRRKRC.C_RRRKR_C.K
> 
> 
>
> How can I get beyond these 256 servers?
>
> The machine has 64 cores, and 132 Gb RAM.
>
> I know that I can switch to mod_mpm_event, but before I go that way, I
> would like to know why I cannot have more than 256 servers in prefork mode.
>
>



-- 
Marc Serra
Organization and Systems



[users@httpd] Is ServerLimit 256 in prefork mode somehow hardcoded?

2021-06-01 Thread Alois Treindl
I am using Apache on RHEL 7 for a long time.
httpd-2.4.6-97.el7_9.x86_64

I use it with mod_mpm_prefork module, the default on Redhat.

I see, shortly after startup, messages in errorlog like
AH00161: server reached MaxRequestWorkers setting, consider raising the MaxRequestWorkers setting

I have tried to do that

    StartServers  20
    MinSpareServers   10
    MaxSpareServers   20
    ServerLimit   512
    MaxRequestWorkers 512
    MaxConnectionsPerChild  1

I also tried much higher values of ServerLimit and MaxRequestWorkers, like 6400 or 30'000

It makes no difference, the error message appears.

In server-status, I always see four lines of 64 servers, i.e. a total of 256 servers shown, like this:

.R_R_RKCCC_C..R_RRRKRRCC.R_CCKRKRKC.KRKR_R.__RKCRRRK
.KKRWRC_R_RCRRCKR_KRKKRRRKRC.C_RRRKR_C.K

How can I get beyond these 256 servers?

The machine has 64 cores, and 132 Gb RAM.

I know that I can switch to mod_mpm_event, but before I go that way, I would like to know why I cannot have more than 256 servers in prefork mode.




Re: [users@httpd] PreShared Key (PSK) possible? Configuration?

2021-06-01 Thread Garry Adkins
Hi Daniel,

This is a really interesting idea, and might be worth pursuing if the
STUNNEL idea doesn't pan out.  Thanks for a great suggestion.

-G

On Mon, May 31, 2021 at 4:01 AM Daniel Ferradal 
wrote:

> Hello Garry,
>
> Thanks for explaining in depth the situation you are dealing and what
> you want to do. Full disclosure, I know nothing of PSK and never tried
> to use it, but having said this...
>
> If PSK setup is not a thing in Apache, have you considered Client
> Certificate Authentication instead? If I understood correctly Client
> Certificate Authentication also seems to match the needs you have, you
> can set clients with a certificate signed by a CA of your choice and
> set up that Apache to allow connections from clients which
> certificates are signed by said CA and maybe just others you specify.
>
> Regards
>
> El lun, 31 may 2021 a las 7:18, Garry Adkins ()
> escribió:
> >
> > >If these things don't have access to the Internet, what security
> > >concerns are you trying to address by using encryption at all?
> >
> > I'm going to answer these in reverse order, I think that will make more
> > sense.
> >
> > >Maybe you could explain where the IoT devices are and where Apache is,
> > >in networking terms, so we can understand what communications you are
> > >trying to secure, and against what threats.
> >
> > The devices are very simple embedded controllers, and they're monitoring
> > environmental factors; the exact things they monitor depend on how they're
> > configured.
> > Here's one example: the unit has a temperature probe sensor for
> > monitoring refrigerator temperatures. It sends temperature status readings
> > every few minutes over wifi to Apache.  Apache then logs the data into a
> > database.  The unit also can instantly send a message to Apache if the
> > device being monitored gets outside of a predetermined range.
> > The unit also regularly requests configuration updates, which can change
> > various internal parameters (how often to report, what is considered out of
> > range, etc.).  This can also do an over-the-air update to download new
> > firmware.
> >
> > Apache is installed on a dedicated computer with a private wifi network
> > that houses the control scripts, update files, and database.  This machine
> > is also not internet connected.  The machine can be queried to create
> > reports on the data, and can reach out to a third machine (via wired lan)
> > to send alerts if something goes out of range. It currently runs a version
> > of Debian.
> >
> > The security concerns are twofold, one technical, one political.
> > Here's an example:
> > Say the unit is monitoring a refrigerator temperature in a pharmacy in a
> > hospital.  If the temperature gets out of range, the drugs inside need to
> > be discarded for patient safety.  The unit will alert before that threshold
> > is reached, but the overall data is used for manufacturer compliance and
> > legal protection.  Being able to produce reports and graphs of the
> > refrigerator temperature eliminates a good bit of patient and legal risk.
> >
> > The technical issue is fairly straightforward. Using PSK, only devices
> > that have the PSK can talk to Apache, giving a degree of validation that
> > only verified devices can send data.  This is for data integrity purposes.
> > Others cannot connect. In a large (physical size) organization, they can be
> > configured to connect over the location's internal WiFi so WiFi encryption
> > alone is not sufficient.
> >
> > The political issue is (imho) kind of pointless but very real.  Many
> > organizations have little checklists that will eliminate you from competing
> > for business.  Very often there will be a requirement like "All
> > communication is encrypted using a minimum of TLS 1.2 or higher". If you
> > can't pass that checkbox, you are disqualified.
> >
> > So the question is:
> > Can I configure Apache to use PSK (preferably TLS1.3 version of PSK) by
> > sharing a key between the server and the client?
> >
> > I hope that makes it more clear.
> >
> > -Garry
> >
> > On Sun, May 30, 2021 at 3:57 AM Antony Stone <
> > antony.st...@apache.open.source.it> wrote:
> >>
> >> On Sunday 30 May 2021 at 08:43:59, Garry Adkins wrote:
> >>
> >> > Hi,
> >> >
> >> > I'm new to the mailing list, and was wondering if anyone used
> >> > pre-shared keys with Apache for encrypted connections?
> >>
> >> I don't know about PSK with Apache, but...
> >>
> >> > I'm working with some processor constrained IOT devices, and doing a
> >> > full TLS 1.3 setup is quite heavy.  These devices don't have access to
> >> > the internet, so updating certs becomes a problem too.
> >>
> >> If these things don't have access to the Internet, what security
> >> concerns are you trying to address by using encryption at all?
> >>
> >> Maybe you could explain where the IoT devices are and where Apache is,
> >> in networking terms, so we can understand what communications you are
> >> trying to secure, and against what threats.

Re: [users@httpd] PreShared Key (PSK) possible? Configuration?

2021-06-01 Thread Garry Adkins
Thanks for all the help everyone!  I discovered Antony Stone's idea after I
sent the original email, but before I saw his response.  I think he's
right, and stunnel is the way to go.  It simplifies a lot of things and
provides the network security that I'm looking for.

Here's what I'm going to test:
1) Set apache to ONLY listen to loopback (127.0.0.1)
2) Set STUNNEL up with PSK (there is even a specific example for this in
the documentation), using TLS 1.3  (There's my checkbox checked!)
3) Set STUNNEL to forward input from port *:443 to 127.0.0.1:80, refuse
connections if bad PSK


Thanks for all the suggestions.

-Garry

On Mon, May 31, 2021 at 3:28 AM Antony Stone <
antony.st...@apache.open.source.it> wrote:

> On Monday 31 May 2021 at 07:17:52, Garry Adkins wrote:
>
> > > If these things don't have access to the Internet, what security
> > > concerns are you trying to address by using encryption at all?
> >
> > > Maybe you could explain where the IoT devices are and where Apache is,
> > > in networking terms, so we can understand what communications you are
> > > trying to secure, and against what threats.
> >
> > The devices are very simple embedded controllers, and they're monitoring
> > environmental factors; the exact things they monitor depend on how they're
> > configured.
>
> > Apache is installed on a dedicated computer with a private wifi network
> > that houses the control scripts, update files, and database.  This machine
> > is also not internet connected.  The machine can be queried to create
> > reports on the data, and can reach out to a third machine (via wired lan)
> > to send alerts if something goes out of range. It currently runs a version
> > of Debian.
>
> > The security concerns are twofold, one technical, one political.
>
> > The technical issue is fairly straightforward. Using PSK, only devices
> > that have the PSK can talk to Apache, giving a degree of validation that
> > only verified devices can send data.  This is for data integrity purposes.
> > Others cannot connect. In a large (physical size) organization, they can be
> > configured to connect over the location's internal WiFi so WiFi encryption
> > alone is not sufficient.
> >
> > The political issue is (imho) kind of pointless but very real.  Many
> > organizations have little checklists that will eliminate you from competing
> > for business.  Very often there will be a requirement like "All
> > communication is encrypted using a minimum of TLS 1.2 or higher". If you
> > can't pass that checkbox, you are disqualified.
> >
> > So the question is:
> > Can I configure Apache to use PSK (preferably TLS1.3 version of PSK) by
> > sharing a key between the server and the client?
>
> I can find no indication that Apache supports TLS / PSK.
>
> Provided your IoT devices can manage the client end, I would suggest you
> look into using https://www.stunnel.org/ on the Apache server, to provide
> TLS over the network, and plain HTTP internally on the server (localhost
> only) between stunnel and Apache.
>
>
> Antony.

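Garry's three steps, written out as an added example that is not from the thread and not from the stunnel or httpd documentation: httpd bound to loopback only, a per-device PSK secrets file, and a stunnel service that accepts TLS on 443 and forwards plain HTTP to 127.0.0.1:80. The working directory, service name, device identities, generated keys and the two hypothetical check functions are constructed placeholders; the option names accept, connect, ciphers and PSKsecrets, and the identity:key line format of the secrets file, follow the stunnel manual, while sslVersionMin assumes a stunnel release that has that option.

```shell
#!/bin/sh
# Added example, not from the thread: stage the stunnel + PSK layout Garry
# describes. Paths, service name, identities and keys are constructed; the
# stunnel option names follow the stunnel manual, and sslVersionMin assumes
# a stunnel release that supports it.

WORKDIR="${WORKDIR:-$(mktemp -d)}"
umask 077   # the secrets file must never become group- or world-readable

# Step 1: httpd listens on loopback only, so the only way in is via stunnel.
cat > "$WORKDIR/listen.conf" <<'EOF'
Listen 127.0.0.1:80
EOF

# Step 2: one PSK per device, so a lost device is revoked by deleting its
# line. new_psk IDENTITY appends "identity:key", key = 16 random bytes as
# 32 hex characters (this script's own policy, not a stunnel requirement).
new_psk() {
    key=$(od -An -N16 -t x1 /dev/urandom | tr -d ' \n')
    printf '%s:%s\n' "$1" "$key" >> "$WORKDIR/psk.txt"
}
new_psk fridge-pharmacy-01
new_psk fridge-pharmacy-02

# Step 3: stunnel terminates TLS on 443, forwards to httpd on 127.0.0.1:80
# and only completes the handshake for clients presenting a listed PSK.
cat > "$WORKDIR/stunnel.conf" <<EOF
[iot-psk]
accept        = 443
connect       = 127.0.0.1:80
ciphers       = PSK
PSKsecrets    = $WORKDIR/psk.txt
sslVersionMin = TLSv1.3
EOF

# check_psk_file FILE (hypothetical helper): exit 0 if every line is
# identity:key with a key of at least 32 characters and identities are
# unique; otherwise print the problem and exit 1.
check_psk_file() {
    awk -F: '
        NF != 2 || $1 == "" { print "malformed line " NR; bad = 1; next }
        length($2) < 32     { print "short key for " $1; bad = 1; next }
        seen[$1]++          { print "duplicate identity " $1; bad = 1 }
        END { if (bad) exit 1; exit 0 }' "$1"
}

# listens_loopback_only FILE (hypothetical helper): exit 0 if every Listen
# directive in FILE binds 127.0.0.1, so httpd is unreachable from the wifi.
listens_loopback_only() {
    awk 'tolower($1) == "listen" && $2 !~ /^127\.0\.0\.1:/ { bad = 1 }
         END { if (bad) exit 1; exit 0 }' "$1"
}

check_psk_file "$WORKDIR/psk.txt" && listens_loopback_only "$WORKDIR/listen.conf" \
    && echo "staged in $WORKDIR"
```

Two consequences worth knowing before adopting this layout: httpd now sees every request as coming from 127.0.0.1, so the device identity that stunnel authenticated is not visible in the access log, and the devices need a TLS client library with PSK support, which is the proviso Antony attached to the suggestion.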