Re: [users@httpd] Apache static compile
On Sat, Apr 8, 2023 at 11:22 PM Chris me wrote: > > Right. Is there an option to compile Apache using a non-standard location for > dynamic libs? IE instead of /usr/lib it could use /usr/lib/custom > > I was not able to find anything other than using an ELF patcher to try and > change the paths directly in the httpd binary file, but not sure how that > would turn out. Those are usually configured during link time, i.e. via LDFLAGS. It's not entirely clear what you want, and the are at least a dozen rules how the various options interact, so I'd recommend you check the man page for your system's runtime linker (probably man ld). Normally, you'l just pass -Wl,-rpath,/your/lib/search/path, but maybe you want to mess with DT_RUNPATH, DT_RPATH or SEARCH_DIR. Rainer - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] SetEnvIf and exceptions
Hi, On 4/10/23 11:48 PM, Tatsuki Makino wrote: Dave Wreski wrote on 2023/04/11 10:54: SetEnvIf user-agent "(?i:TurnitinBot)" stayout=1 SetEnvIf Request_URI "^linuxsecurity_features\.*$" !stayout I have done it in the past, too. It was like allowing another level of conditions to be attached to Allow and Deny, depending on the condition that defines the variable and the condition that undefines the variable, right? :) This is no longer needed, so change the name to something that makes sense. Yes, the "deny" was removed long ago. That is not the problem now. I also previously neglected to post the "" qualifier around the "deny from env=stayout" which would only load it for apache-2.2 systems. SetEnvIf user-agent "(?i:TurnitinBot)" SOMENAME1 SetEnvIf Request_URI "^linuxsecurity_features\.*$" SOMENAME2 And let it meet all the requirements. Require all granted Require not env SOMENAME1 Require env SOMENAME2 This had the effect of blocking elements on every page (and the page itself, I think) on the site with 403s and "AH01630: client denied by server configuration:" entries in the error log. Is it possible there's something else going on here? SetEnvIf Request_URI "^linuxsecurity_features\.*$" rssfeeds SetEnvIf user-agent "(?i:TurnitinBot)" stayout Require all granted Require not env stayout Require env rssfeeds RewriteRule linuxsecurity_features\.*$ - [L] Thanks, Dave
Re: [users@httpd] SetEnvIf and exceptions
On Tue, Apr 11, 2023 at 9:29 AM Dave Wreski wrote: > > Hi, > > On 4/10/23 11:48 PM, Tatsuki Makino wrote: > > Dave Wreski wrote on 2023/04/11 10:54: > > SetEnvIf user-agent "(?i:TurnitinBot)" stayout=1 > SetEnvIf Request_URI "^linuxsecurity_features\.*$" !stayout > > I have done it in the past, too. > It was like allowing another level of conditions to be attached to Allow and > Deny, depending on the condition that defines the variable and the condition > that undefines the variable, right? :) > This is no longer needed, so change the name to something that makes sense. > > Yes, the "deny" was removed long ago. That is not the problem now. I also > previously neglected to post the "" qualifier > around the "deny from env=stayout" which would only load it for apache-2.2 > systems. > > SetEnvIf user-agent "(?i:TurnitinBot)" SOMENAME1 > SetEnvIf Request_URI "^linuxsecurity_features\.*$" SOMENAME2 > > And let it meet all the requirements. > > > Require all granted > Require not env SOMENAME1 > Require env SOMENAME2 > > > This had the effect of blocking elements on every page (and the page itself, > I think) on the site with 403s and "AH01630: client denied by server > configuration:" entries in the error log. > > Is it possible there's something else going on here? > > SetEnvIf Request_URI "^linuxsecurity_features\.*$" rssfeeds Can't anchor to ^. Unlike rewrite in htaccess, this will always compare against the actual requested URL. Not the weird remainder of the URL. - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] SetEnvIf and exceptions
Hi, SetEnvIf user-agent "(?i:TurnitinBot)" SOMENAME1 SetEnvIf Request_URI "^linuxsecurity_features\.*$" SOMENAME2 And let it meet all the requirements. Require all granted Require not env SOMENAME1 Require env SOMENAME2 This had the effect of blocking elements on every page (and the page itself, I think) on the site with 403s and "AH01630: client denied by server configuration:" entries in the error log. Is it possible there's something else going on here? SetEnvIf Request_URI "^linuxsecurity_features\.*$" rssfeeds Can't anchor to ^. Unlike rewrite in htaccess, this will always compare against the actual requested URL. Not the weird remainder of the URL. There's something more going on than just an errant caret. Once the "Require env SOMENAME2" is included, as above, it immediately starts to 403 every page on the site. It's like each Require above is being considered independently, or that it somehow supersedes the previous Require. With the last Require commented out, it works as expected (blocking all bots listed in the SetEnvIf), with the exception that it also restricts libwww access to the RSS feeds. dave
Re: [users@httpd] SetEnvIf and exceptions
On Tue, Apr 11, 2023 at 10:49 AM Dave Wreski wrote: > Hi, > > SetEnvIf user-agent "(?i:TurnitinBot)" SOMENAME1 > SetEnvIf Request_URI "^linuxsecurity_features\.*$" SOMENAME2 > > And let it meet all the requirements. > > > Require all granted > Require not env SOMENAME1 > Require env SOMENAME2 > > > This had the effect of blocking elements on every page (and the page itself, > I think) on the site with 403s and "AH01630: client denied by server > configuration:" entries in the error log. > > Is it possible there's something else going on here? > > SetEnvIf Request_URI "^linuxsecurity_features\.*$" rssfeeds > > Can't anchor to ^. Unlike rewrite in htaccess, this will always > compare against the actual requested URL. Not the weird remainder of > the URL. > > There's something more going on than just an errant caret. > > Once the "Require env SOMENAME2" is included, as above, it immediately > starts to 403 every page on the site. It's like each Require above is being > considered independently, or that it somehow supersedes the previous > Require. > > With the last Require commented out, it works as expected (blocking all > bots listed in the SetEnvIf), with the exception that it also restricts > libwww access to the RSS feeds. > I don't follow the full intended logic, but if SOMENAME2 is required for access but can never be set due to the regex, I don't think there is necessarily something more to it. -- Eric Covener cove...@gmail.com
Re: [users@httpd] SetEnvIf and exceptions
Hi, SetEnvIf user-agent "(?i:TurnitinBot)" SOMENAME1 SetEnvIf Request_URI "^linuxsecurity_features\.*$" SOMENAME2 And let it meet all the requirements. Require all granted Require not env SOMENAME1 Require env SOMENAME2 This had the effect of blocking elements on every page (and the page itself, I think) on the site with 403s and "AH01630: client denied by server configuration:" entries in the error log. Is it possible there's something else going on here? SetEnvIf Request_URI "^linuxsecurity_features\.*$" rssfeeds Can't anchor to ^. Unlike rewrite in htaccess, this will always compare against the actual requested URL. Not the weird remainder of the URL. There's something more going on than just an errant caret. Once the "Require env SOMENAME2" is included, as above, it immediately starts to 403 every page on the site. It's like each Require above is being considered independently, or that it somehow supersedes the previous Require. With the last Require commented out, it works as expected (blocking all bots listed in the SetEnvIf), with the exception that it also restricts libwww access to the RSS feeds. I don't follow the full intended logic, but if SOMENAME2 is required for access but can never be set due to the regex, I don't think there is necessarily something more to it. In case I wasn't clear, simply removing the caret was not enough to make this work. The "Require env SOMENAME2" was enough to begin blocking every page on the site with a 403, not just the RSS feeds or the bots, but every legitimate request. I'm going to do more research on RequireAll, but isn't that essentially saying AND? Require all AND Require not env SOMENAME1 AND Require env SOMENAME2? How can that ever match? I suppose that also means it wouldn't be RequireAny because it would always match the Require all. dave
Re: [users@httpd] old gen workers sticking around post 2.4.49
I wrote: > I'll try to reproduce the problem without mod_php. and: > Using "dehydrated -c -x" to drive my testing, I've hit the 7-day rate limit at > Let's Encrypt, so I'll have to come back to this. I can reproduce the problem pretty easily with mod_php loaded. Unloaded, I have been unable to reproduce it. I'll abandon that combination. Given that this is a low-traffic server, I think my next step will be migrate to prefork MPM, and if I run into performance issues, the step after that is php-fpm. Does that plan make sense? Cheers! Edward - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
RE: [users@httpd] Apache static compile
Basically I am trying to run a later version of apache that supports the newer TLS alongside a much older version. I know it is better to upgrade the server, etc. but that is not an option for the legacy server. I basically need a completely stand alone version of httpd so I don’t have to worry about upgrading the server libs and current openssl version. -Original Message- From: Rainer Canavan Sent: Tuesday, April 11, 2023 3:41 AM To: users@httpd.apache.org Subject: Re: [users@httpd] Apache static compile On Sat, Apr 8, 2023 at 11:22 PM Chris me wrote: > > Right. Is there an option to compile Apache using a non-standard > location for dynamic libs? IE instead of /usr/lib it could use > /usr/lib/custom > > I was not able to find anything other than using an ELF patcher to try and > change the paths directly in the httpd binary file, but not sure how that > would turn out. Those are usually configured during link time, i.e. via LDFLAGS. It's not entirely clear what you want, and the are at least a dozen rules how the various options interact, so I'd recommend you check the man page for your system's runtime linker (probably man ld). Normally, you'l just pass -Wl,-rpath,/your/lib/search/path, but maybe you want to mess with DT_RUNPATH, DT_RPATH or SEARCH_DIR. Rainer - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] SetEnvIf and exceptions
Dave Wreski wrote on 2023/04/12 01:39: > In case I wasn't clear, simply removing the caret was not enough to make this > work. The "Require env SOMENAME2" was enough to begin blocking every page on > the site with a 403, not just the RSS feeds or the bots, but every legitimate > request. > > I'm going to do more research on RequireAll, but isn't that essentially > saying AND? Require all AND Require not env SOMENAME1 AND Require env > SOMENAME2? How can that ever match? > > I suppose that also means it wouldn't be RequireAny because it would always > match the Require all. The purpose of this is to include related keywords, and I wrote it without understanding the logic required for actual operation. There might be a funny reversal going on somewhere. Is this correct? :) Require all granted Require not env IS_BOT Require env IS_RSS Regards. - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] old gen workers sticking around post 2.4.49
I'd say much better to move to mpm_event and and php-fpm, ridding httpd of PHP module and it's quirks in the process. El mar, 11 abr 2023 23:24, escribió: > I wrote: > > I'll try to reproduce the problem without mod_php. > and: > > Using "dehydrated -c -x" to drive my testing, I've hit the 7-day rate > limit at > > Let's Encrypt, so I'll have to come back to this. > > I can reproduce the problem pretty easily with mod_php loaded. Unloaded, I > have > been unable to reproduce it. I'll abandon that combination. > > Given that this is a low-traffic server, I think my next step will be > migrate to > prefork MPM, and if I run into performance issues, the step after that is > php-fpm. Does that plan make sense? > > Cheers! Edward > > - > To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org > For additional commands, e-mail: users-h...@httpd.apache.org > > > >
