Re: [users@httpd] Automatically set Keep-Alive response header

[Christopher Schultz]

Eric,

On 8/4/21 18:35, Christopher Schultz wrote:

Eric,

On 8/4/21 14:14, Christopher Schultz wrote:

Eric,

On 8/4/21 13:18, Eric Covener wrote:

On Wed, Aug 4, 2021 at 12:59 PM Christopher Schultz
 wrote:


Reic,

On 8/4/21 11:17, Eric Covener wrote:

On Wed, Aug 4, 2021 at 11:08 AM Christopher Schultz
 wrote:


All,

Can httpd automatically set Keep-Alive response header based upon the
KeepAlive and other configuration settings?

Something like this:

HTTP/1.1 200 OK
Server: Apache/2
Date: Wed, 04 Aug 2021 15:00:00 GMT
Content-Length: 12345
Connection: keep-alive
Keep-Alive: timeout=5; max=100



I'm interested in httpd generating that last response-header for me.


httpd does generate this by default, matching your settings.  You will
even see the "max" tick down.


Hmm. I'm not seeing that. I'm using httpd 2.4.48 as provided by Amazon
Linux's yum repository.

$ wget -SO /dev/null https://my.site/

    HTTP/1.1 200 200
    Cache-Control: no-cache, no-store, must-revalidate
    Content-Type: text/html;charset=UTF-8
    Date: Wed, 04 Aug 2021 16:57:00 GMT
    Expires: 0
    Permissions-Policy: interest-cohort=()
    Pragma: no-cache
    Server: Apache/2
    Strict-Transport-Security: max-age=15552000
    X-Content-Type-Options: nosniff
    Content-Length: 10799
    Connection: keep-alive

I will note that it's going through Amazon's Elastic Load balancer, so
perhaps the header is being stripped.


This is probably it.  The Keep-Alive header is hop-by-hop since if you
have a proxy between you and the server, the "connection" being kept
alive isn't really the one you have access to.


Ack. I'll see if there's anything ELB does/doesn't do about this kind 
of thing. I know for sure that keep-alives are supported because we 
are using them for our pipelined API requests.


Yep, looks like ELB is removing that header. Making a direct request to 
httpd returns the expected header. Forcably adding it doesn't help.


In fact, forcible adding it with "Header set Keep-Alive 'whatever want'" 
results in httpd ignoring/replacing my header with the one which matches 
the actual configuration. :)


-chris

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Automatically set Keep-Alive response header

[Christopher Schultz]

Eric,

On 8/4/21 14:14, Christopher Schultz wrote:

Eric,

On 8/4/21 13:18, Eric Covener wrote:

On Wed, Aug 4, 2021 at 12:59 PM Christopher Schultz
 wrote:


Reic,

On 8/4/21 11:17, Eric Covener wrote:

On Wed, Aug 4, 2021 at 11:08 AM Christopher Schultz
 wrote:


All,

Can httpd automatically set Keep-Alive response header based upon the
KeepAlive and other configuration settings?

Something like this:

HTTP/1.1 200 OK
Server: Apache/2
Date: Wed, 04 Aug 2021 15:00:00 GMT
Content-Length: 12345
Connection: keep-alive
Keep-Alive: timeout=5; max=100



I'm interested in httpd generating that last response-header for me.


httpd does generate this by default, matching your settings.  You will
even see the "max" tick down.


Hmm. I'm not seeing that. I'm using httpd 2.4.48 as provided by Amazon
Linux's yum repository.

$ wget -SO /dev/null https://my.site/

    HTTP/1.1 200 200
    Cache-Control: no-cache, no-store, must-revalidate
    Content-Type: text/html;charset=UTF-8
    Date: Wed, 04 Aug 2021 16:57:00 GMT
    Expires: 0
    Permissions-Policy: interest-cohort=()
    Pragma: no-cache
    Server: Apache/2
    Strict-Transport-Security: max-age=15552000
    X-Content-Type-Options: nosniff
    Content-Length: 10799
    Connection: keep-alive

I will note that it's going through Amazon's Elastic Load balancer, so
perhaps the header is being stripped.


This is probably it.  The Keep-Alive header is hop-by-hop since if you
have a proxy between you and the server, the "connection" being kept
alive isn't really the one you have access to.


Ack. I'll see if there's anything ELB does/doesn't do about this kind of 
thing. I know for sure that keep-alives are supported because we are 
using them for our pipelined API requests.


Yep, looks like ELB is removing that header. Making a direct request to 
httpd returns the expected header. Forcably adding it doesn't help.


-chris

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Automatically set Keep-Alive response header

[Christopher Schultz]

Eric,

On 8/4/21 13:18, Eric Covener wrote:

On Wed, Aug 4, 2021 at 12:59 PM Christopher Schultz
 wrote:


Reic,

On 8/4/21 11:17, Eric Covener wrote:

On Wed, Aug 4, 2021 at 11:08 AM Christopher Schultz
 wrote:


All,

Can httpd automatically set Keep-Alive response header based upon the
KeepAlive and other configuration settings?

Something like this:

HTTP/1.1 200 OK
Server: Apache/2
Date: Wed, 04 Aug 2021 15:00:00 GMT
Content-Length: 12345
Connection: keep-alive
Keep-Alive: timeout=5; max=100



I'm interested in httpd generating that last response-header for me.


httpd does generate this by default, matching your settings.  You will
even see the "max" tick down.


Hmm. I'm not seeing that. I'm using httpd 2.4.48 as provided by Amazon
Linux's yum repository.

$ wget -SO /dev/null https://my.site/

HTTP/1.1 200 200
Cache-Control: no-cache, no-store, must-revalidate
Content-Type: text/html;charset=UTF-8
Date: Wed, 04 Aug 2021 16:57:00 GMT
Expires: 0
Permissions-Policy: interest-cohort=()
Pragma: no-cache
Server: Apache/2
Strict-Transport-Security: max-age=15552000
X-Content-Type-Options: nosniff
Content-Length: 10799
Connection: keep-alive

I will note that it's going through Amazon's Elastic Load balancer, so
perhaps the header is being stripped.


This is probably it.  The Keep-Alive header is hop-by-hop since if you
have a proxy between you and the server, the "connection" being kept
alive isn't really the one you have access to.


Ack. I'll see if there's anything ELB does/doesn't do about this kind of 
thing. I know for sure that keep-alives are supported because we are 
using them for our pipelined API requests.


Thanks,
-chris

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Automatically set Keep-Alive response header

[Christopher Schultz]

Reic,

On 8/4/21 11:17, Eric Covener wrote:

On Wed, Aug 4, 2021 at 11:08 AM Christopher Schultz
 wrote:


All,

Can httpd automatically set Keep-Alive response header based upon the
KeepAlive and other configuration settings?

Something like this:

HTTP/1.1 200 OK
Server: Apache/2
Date: Wed, 04 Aug 2021 15:00:00 GMT
Content-Length: 12345
Connection: keep-alive
Keep-Alive: timeout=5; max=100



I'm interested in httpd generating that last response-header for me.


httpd does generate this by default, matching your settings.  You will
even see the "max" tick down.


Hmm. I'm not seeing that. I'm using httpd 2.4.48 as provided by Amazon 
Linux's yum repository.


$ wget -SO /dev/null https://my.site/

  HTTP/1.1 200 200
  Cache-Control: no-cache, no-store, must-revalidate
  Content-Type: text/html;charset=UTF-8
  Date: Wed, 04 Aug 2021 16:57:00 GMT
  Expires: 0
  Permissions-Policy: interest-cohort=()
  Pragma: no-cache
  Server: Apache/2
  Strict-Transport-Security: max-age=15552000
  X-Content-Type-Options: nosniff
  Content-Length: 10799
  Connection: keep-alive

I will note that it's going through Amazon's Elastic Load balancer, so 
perhaps the header is being stripped.


The connection is also using mod_jk to proxy to an Apache Tomcat 
instance. Could the Keep-Alive header be suppressed due to that kind of 
proxying?


-chris

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Automatically set Keep-Alive response header

[Christopher Schultz]

All,

Can httpd automatically set Keep-Alive response header based upon the 
KeepAlive and other configuration settings?


Something like this:

HTTP/1.1 200 OK
Server: Apache/2
Date: Wed, 04 Aug 2021 15:00:00 GMT
Content-Length: 12345
Connection: keep-alive
Keep-Alive: timeout=5; max=100

I'm interested in httpd generating that last response-header for me.

I'm sure I could look at my config and set it manually like this:

  Header set Keep-Alive "timeout=5; max=100"

...but I was wondering if httpd can do that for me.

Thanks,
-chris

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Which proxy modules are required for proxying Websocket connections?

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

All,

If I want to allow HTTP connections to upgrade to WebSocket, which
mod_proxy modules do I need to enable and configure?

More specifically, do I need to enable+configure both mod_proxy_http
AND mod_proxy_wstunnel, or only mod_proxy_wstunnel?


  # Do I need these?
  BalancerMember http://node1/
  BalancerMember http://node2/

  # Or only these?
  BalancerMember ws://node1/
  BalancerMember ws://node2/

  # Or both?


ProxyPass /my-app/ balancer://my/app/

Is the answer any different if I don't expect all connections to be
upgraded from HTTP -> Websocket?

Thanks!
- -chris
-BEGIN PGP SIGNATURE-
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl8HLy8ACgkQHPApP6U8
pFj9qhAAneq1hspxrenc4gjPyzYSB6rIiApR1gtz0ex6PP9RzQyqq2sqxIJhc9gJ
A0XPRnLAkkb8TjvyWxGDKKcPwbcjPuDMwIKbcudhpUU+azUEI0FN7bazFhgElmmJ
sHmxa54N54JwFEThyFiudUVUe4rbB/MUrY62q4X25JRy/o7TcNqsdnnNGoUo/K65
x0Xno/xqnTLcfHp8ZMw/q1pAB6gPgSHve1/UbULhjEwJ5yOQIJcWYU/81rtVjHtq
So5GiyPBfJJRh4nopbH+qiz2wRjj+vDj+TPYcWco5E4Qnc60QaTsYNuN8LD2+v0f
OnTvrqabUPvgM8P1wc8duYDH0X6EIJ1zVnV7H1XlZZUbVwekfFdqdOwtEi9Ovt59
uuGa7NT1mACHtym6ylWifSmxuYP7WaRHtGTBxqnI1hLrM52gJxv+BP01axIr3Dki
UmHfHhrWa8L83UaCjU2otvFvI0U7V+KhiCR0zp/3kdlv6RXWsFeTeQ5HMrDk88io
kj3pxARqpH6fGYFK1vC8FDRAoHGghhji1T+ffg4moaAIJV1I1ebNBwNUnMo+j35F
8/2KGIR6dVQVUml5AOdAL//c/99Ytaj8tl/X3wmCl0p1V38my5YcB/d//U0CTMJ/
CZxw0Dk4NaHB13ecKMsUgSinJv+LQbhTDw1iicDW/Fz+VaacKlQ=
=IYPR
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Using Balancer Manager for fun and profit

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

All,

I'm looking at moving from mod_jk to mod_proxy and I need to migrate
my tooling for things like scripted worker-management. My existing
tool for mod_jk is on GitHub[1] for those interested in what it can do.

Mostly, I'm interested in fetching and setting the status(es) of a
worker. With mod_jk, status is one of Active, Disabled, Stopped. The
difference between Disabled and Stopped is that requests for
sticky-sessions pointing to a Disabled will still be routed to the
Disabled worker while a Stopped worker will never receive a request.

By looking at a little of the mod_proxy_balancer code and poking at
the interface a little bit, I have drawn these conclusions. Can anyone
confirm that they are accurate?

1. Nonce is required for many operations (but not status-fetch?)
2. Nonce is only available once an initial GET has completed succesfully
  ... by sniffing the nonce from an href URL
3. You can get XML details for the balancers ... but only with a nonce
and an "xml" parameter
4. You can change any individual flag, eg. "draining", by making a
POST request which includes a w_status_[F]=0|1 parameter where [F] is
one of several flag characters (e.g. N for "draiNing") along with a
"b" (balancer) and "w" (worker) parameter. Unspecified flags and other
settings will be unaffected. The nonce is required for these operations.
5. The "draiN" status of mod_proxy_balancer workers is analagous to
the "disabled" status of mod_jk, and both "Disabled" and "Stopped" in
mod_proxy are roughly equivalent to "Disabled" state for mod_jk.

Does all that sound right?

Would it be possible to query the status with XML-output *without* a
nonce? And could the nonce be added to the XML output?

Thanks,
- -chris

[1]
https://github.com/ChristopherSchultz/apache-tomcat-stuff/tree/master/bi
n/mod_jk
-BEGIN PGP SIGNATURE-
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl8DsxoACgkQHPApP6U8
pFiCiA//Yos4iP5FxpgMxW9FFtH+B0eDWkyoZiBbWzSnfLVwrF11Y1nnJHRDashH
RZxiqosqnce6g6CeSzIpCyNFoAVLXGc1MKgoS+kOBkw83KW+JMKVh4AhlLxu0PdT
zaG+uSvBNIIkJUivjyStOltCvNOHJnD7Q1Wj51GCSGFX75rMXK9aZfHu/ChxyRgT
AISFdiAzBKnZvkf1f3WRXJPgc0JRB+Vf3cq0c1jKKdAy6hMX/g0UdJZ05JH7NwcF
LPdwov/13rJMlrwxG/VegCsNaFQhh+v+uZ7mxNex/eoljzFVL6QTkOJoknFaDZBL
87+gavBbLqt4etmzp8VcJoQNW7Ol2PsRy95Mhscq/qHrwFKyqy5UP+XLU5q1No8N
qojoh63GOX47p7t1S1XF8SeOzbWLy2kPVnZD67/mPOJVtDMd5IJTQ0/TeSME9Q8p
n/zOjKQy+elRhZm5UMPOo2tm8iV8FlmMMnZ9JOlW1mDXAwRSdb5qQQ2i8Qpdlmq7
JWW4MrNoJJOz2JXMbkbp/yQCd2naU170oZsj0HgSjTuit6YjGGcjwlz009B+n8na
npWHZVWCqiSHr66cfQqeCpW/T7i/V0olp1huzMovgC9ipkUiWu2ZvCq8rgAIP0fz
hYAg4nBikS1dWPN3FEImgrysMPvrHQLx+/1i458G0QBwCun/r5k=
=AfYi
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Re: Copying environment variables

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

All,

On 6/30/20 12:42, Christopher Schultz wrote:
> Eric,
>
> On 6/30/20 11:47, Eric Covener wrote:
>>> Does it need direct-support from mod_proxy instead of trying
>>> to cobble the pieces together from BZ 64338 and other existing
>>> directives? My goal with 64388 was to write the smallest patch
>>> that could get the job done, but I'm not sure it's possible do
>>> to it in this way.
>
>> I think so.
>
>> The area you're editing runs in the middle of the mod_proxy
>> handler so nothing really has a chance to run between the time
>> the real var is set and when you need the 2nd var set.
>
> So it sounds like this should just be a feature of mod_proxy
> handled completely internally.
>
> Should it be an optional feature, or always enabled?
>
> I was thinking something like this:
>
> 1. mod_proxy_balancer sets BALANCER_WORKER_STATUS env var as in BZ
> 64338 2. mod_proxy_ajp copies BALANCER_WORKER_STATUS to
> request-attribute (that's a thing in AJP) and sends to origin
> server 3. mod_proxy_http copies BALANCER_WORKER_STATUS to
> X-Worker-Status (or similar) request header and sends to origin
> server 4. other mod_proxy_* modules do similar things as necessary
> (?)

I've updated my proposed patch in BZ 64388 which implements the above
(except #4).

Comments are appreciated. I'm trying to get mod_proxy and friends to
feature-parity with mod_jk.

- -chris
-BEGIN PGP SIGNATURE-
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl77dHcACgkQHPApP6U8
pFhc2xAAhqNS4dvTAC6f8U8rqlxjOmY+Sq/svB9zHo4j2HDpAZqBgfE6kuZ3qmMk
+OCRWq7URI9CIik1mSwt/bbpHw1Zko3EZS1PKJdJIXmvBmAxI8eCTBJS/hqsk58t
PM2IXjDK4F0mHNkMKylJ7Qi7aXJ1QR/cNfQRgZnbzUL5HWqeiHKXpMfRuCvW9NRv
JDyl3O3T/Aox3HJeTTd2NSrSshmPUcsLr2J1X7mn7npgKx7896T7e91N9GGAmOSm
P+lqUKJgohvniMjJusimXv2vU43BJzu5IkKqSOl8obnnNc0tl2tmqcU2T8Ih5BiL
g2iwFcJQuewy7tkfaYPWquQuCpvuiOMTMqL7YBzAzukDG/gkPTAWgSrr1uVfCTjd
15c4biPCGmCuhSF41qpfM3yTuQAfxQdbjQKgI1ia8OWGalKIas+KWdsAvveF4JT2
5cuBHzBG3mWsuh2zKxZhHDEjCRTPnOY1sLnoU1tU3BNMAvLhPUn05MvPvVGNSROZ
qEn+WMr6u/wKod0O5GTRkLFhM8v9KtbZIeuc8SWP4WTodh7j3sU0HuzWb4fjlM2Y
A4l+u/Xk53jmeVfEtFSPntnFZPrED5G3Nrrhdsmo6B/fCcVeUv8xeu5aZyxI6jW0
uHzMqcE3NoWCRe9LIXgzqynDwguTlxHCMtudBbupEoD9w3xJnJM=
=9VBq
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Re: Copying environment variables

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Eric,

On 6/30/20 11:47, Eric Covener wrote:
>> Does it need direct-support from mod_proxy instead of trying to
>> cobble the pieces together from BZ 64338 and other existing
>> directives? My goal with 64388 was to write the smallest patch
>> that could get the job done, but I'm not sure it's possible do to
>> it in this way.
>
> I think so.
>
> The area you're editing runs in the middle of the mod_proxy handler
> so nothing really has a chance to run between the time the real var
> is set and when you need the 2nd var set.

So it sounds like this should just be a feature of mod_proxy handled
completely internally.

Should it be an optional feature, or always enabled?

I was thinking something like this:

1. mod_proxy_balancer sets BALANCER_WORKER_STATUS env var as in BZ 64338
2. mod_proxy_ajp copies BALANCER_WORKER_STATUS to request-attribute
(that's a thing in AJP) and sends to origin server
3. mod_proxy_http copies BALANCER_WORKER_STATUS to X-Worker-Status (or
similar) request header and sends to origin server
4. other mod_proxy_* modules do similar things as necessary (?)

WDYT?

- -chris
-BEGIN PGP SIGNATURE-
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl77a4IACgkQHPApP6U8
pFjMtxAAmnjEprfG9hBm/odPVt8DlajoZfFeiVBlD/zHGM6s072OiZQaxoWki2m2
Pr49FkGdmJbmt+u+09DLWfRswRptH1O3R9BP1qq490g1TONSsfgvJfLScEGWf5e1
79XW8v7UTlPTkDnZZEH40yLCYyO8XFsGjegrPDUpSUaWihnt7V1VrZnXjQlYIXi5
kRoY8o+71eYymB2kVMFRH5DtaE3YDZcNK24gAL5gJfZRDaB9lRUR9CCo77mGGpGC
xfMXJCj7dwImn6iqkOB89pROk9fH3sQ223O1hqd88HtEvcWD16vx4bEWRl+FyGVJ
1VfbIRdORfV1bApez5HdZl3r89zmVjsfRW5KipwNPjLgwGxjHbtV98f9hw0cthPq
Yq7n4QTQBWpnUHOLuE5y//RDF6Z/p2W8yXevXwgnM0euIkjoWaYRNdVf045C7VjH
FCwZZxL+PxXWza+3enZR34QJpf0sDWF4FuFPoOa0dlcUKiz3AqgOpO9Ac+C7qY8r
P+4NmqqTpMzC2XTDv0NWj/63n+5Rl7huDuFWqwB+PwsgO3mcdwRZVgI+DNu+9d3Z
FmnAzxBkuhartrDfM4rI4RAUiNnOT4c05qEGTeg9vkFh2pXVjtsyyBAcVei1ZcAv
L5vcRTrPAGCA2H1JzZK939DzFqvdpr1I7w+9rH4OGL0BDG+sLKw=
=FjRe
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Re: Copying environment variables

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

All,

On 6/30/20 11:20, Christopher Schultz wrote:
> All,
>
> Is it possible to "copy" an environment variable to another name?
> Something like this:
>
> SetEnv foo "bar" SetEnv baz ${foo}e
>
> Now, "baz" has value "bar".
>
> It doesn't appear to work as written above, but the documentation
> doesn't actually suggest you can do that kind of thing.
>
> I have an environment variable whose value I need to copy into
> another name. What are my options for doing that kind of thing?

Actually, this is probably a very important clarification, so let me
explain exactly what I'm trying to do.

I'm working on BZ 64338 [1] which adds a new environment variable to
mod_proxy_balancer: BALANCER_PROXY_STATUS.

I'd like to forward that value over to Tomcat using mod_proxy_ajp.
mod_proxy_ajp will automatically forward any environment variable
called AJP_* across the wire to Tomcat. So I was hoping to do
something like this:

SetEnv AJP_BALANCER_WORKER_STATUS %{BALANCER_WORKER_STATUS}e

That doesn't work -- I get a literal ${BALANCER_WORKER_STATUS}e as my
value in Tomcat, so I tried this as well:

RewriteRule .* -
[E=AJP_BALANCER_WORKER_STATUS:%{ENV:BALANCER_WORKER_STATUS}]

This doesn't seem to send anything over, and Tomcat sees nothing.

I also tried this, since eventually I won't be using mod_proxy_ajp but
mod_proxy_http:

RequestHeader set test_ajp_balancer_worker_status
%{BALANCER_WORKER_STATUS}e

I can see the HTTP header on the Tomcat side, but its value is null.

I've put the BALANCER_WORKER_STATUS environment variable into the
access-log and I can see that it's got a value ("1"), so I'm guessing
that the environment variable is established in mod_proxy_balancer so
late in the process that neither RewriteRule nor RquestHeader have a
chance to see a real value, there.

I have altered my code to set both BALANCER_WORKER_STATUS *and*
AJP_BALANCER_WORKER_STATUS and there I can see the value being
sent-over the wire to Tomcat.

The primary use-case for this BALANCER_WORKER_STATUS value is to send
over the wire to the origin server, so what's the best thing for me to
do, here? For mod_proxy_ajp I can either have mod_proxy_balancer set
the AJP_ environment variable (or I suppose mod_proxy_ajp could *copy*
that variable, or use its value as-is which would probably be better),
but how should mod_proxy_http handle this? HTTP headers are really the
only way to communicate this kind of information to the back-end
server and "RequestHeader" isn't able to pick this up.

Does it need direct-support from mod_proxy instead of trying to cobble
the pieces together from BZ 64338 and other existing directives? My
goal with 64388 was to write the smallest patch that could get the job
done, but I'm not sure it's possible do to it in this way.

Thanks,
- -chris

[1] https://bz.apache.org/bugzilla/show_bug.cgi?id=64338
-BEGIN PGP SIGNATURE-
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl77XQQACgkQHPApP6U8
pFhcphAAy34KXHNi0gUberEHoS0ZAl4czwTddTpWDTuUtVZUtxP5EEoZVgrXNOmv
U6TlNMnjoY2Ea43/gpbblDLbgpaAndqwU0QOW8sQlRvs8an0Kz19Y670GPHPvhXL
xnnVr992CbBDaUhLxxZVMLPZzCte7pScimk65KTa9ZF2a6Chp6FhTtgZDH4OVrP/
vRRhxLcFv1m3WGL1MiUKpqwgLg+GoXN5pl4yWX+nyZLHvOoKDn7FxENw64FSG0nE
AEgzNNCrYOGFzjPqqEhk+oc+4E0kjODGjtN0F5S30n+Fr/q1YUi6RYK8iaArFHit
lEv/bfQZCIyZojqTfzdSQZISmbdgIambRULEAq5nFgzSYaZFWCSGmzECoKHa1Lj/
g1lIch4+E2rlEapvjmcRiWfXjY27VzadboeVEEHcDpR/M2E+H5LW0AJnWeK7EoSx
u+Q34qVIkdkzmW4N4ZcuWST0PFRwZ+yp6j2LE+O8rKuQlJJKsNPxUBApFYtCfXZg
8/27EQIpeP94+CzphmLd3LYcn8Ipot82HIQYGnQ4Gis6fJ/vjOHG0SjEBnxQQPhq
vaF19uw3ITBwitcF3ZG1P0iHd6OYx5M7Luicj2zXrwcaYfhP26hoKqAMtyYdE9/C
GW8JcCkDi29uEb3E7kzMiLvXf5MBSleDikAIGNJbsByLdmFbcME=
=t3xJ
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Copying environment variables

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

All,

Is it possible to "copy" an environment variable to another name?
Something like this:

SetEnv foo "bar"
SetEnv baz ${foo}e

Now, "baz" has value "bar".

It doesn't appear to work as written above, but the documentation
doesn't actually suggest you can do that kind of thing.

I have an environment variable whose value I need to copy into another
name. What are my options for doing that kind of thing?

- -chris
-BEGIN PGP SIGNATURE-
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl77WEYACgkQHPApP6U8
pFhXgRAAvZe+AuQ2Vzhhz2r6arJ/rvjFoVuuvQj4TsZIsOtRR20Us0Lai21G+I3J
gVezJdJtUhAHQvR8unWSlcvLVpm0oqLo+AHkPtwJb4SvesH6X8B560TvTs9YKgFO
eFkr4c1kf35q3vpdWL7odA8KFPz5K2BMP9gUWO8eCJfh4uaraq9j/HYoI+fiCQRj
OADcfvhIJv3J2np9nBiS6dYnx0U2/3rq+x4NREodhBLlymxmNUJ3vyqllVdqa7AJ
SFR7Xp8IUX5OnGiS43Wxftlcj0XJD5Or1VQlano9Cz360aLq+Qel34bzYFJjHw/W
J4Zg764KvRWDD/QpZs9KxadGfnPf5slVzrN+u9E1sLHv+p/Fj95f+JSCtqXSM3Ks
l/AZp/cpW2RSDepySf6RVOMYUMnAs9a4YuPJaEruq9Qc2Ydt62PWj7pJ9dLSK0Qz
SEesldpWQuXrTdE1/G6b+TWKlf8gHkCAitd6NjqN6ZWAPqS4mXdCjTCSA3I9nl9O
l6EPEOP+4axDhou0BllQmoiKA6vW79IVTms5Ixxya5B6Z6hOc3wMvuPSuPoHoOjj
jZgjfA7EUCy+Nhm2cLIoDlB6TME/1GLgeM2rIhIQPKVY+1vq+Y8tqaD43sYiMM1J
W/xapLI6ygKRlKShXPBoSlu3NvVu9Kj3hIHgxyth6IKAmDtuBMM=
=NKRA
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Reverse Proxy Configuration

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

John,

On 5/24/19 07:19, John Welsby wrote:
> Hi everyone, I am looking for some help configuring Apache Web
> Server as a reverse proxy.
> 
> A little background: I have a Debian 9 (stretch) server at my
> home, running Nextcloud on Apache2. I have a static IP from my ISP,
> and a domain I own is pointed to it. I have forwarded ports 80 and
> 443 on my router to the LAN IP of my Debian server. Everything is
> configured and working, and I can access my Nextcloud instance at
> https://mydomain.com 
> 
> What I would like – and tell me if I'm barking up the wrong tree
> here – is a secure way of accessing different services on my home
> network from the internet. According to the material I have found,
> a reverse proxy is a good way of doing this.
> 
> Put simply, I would like to be able to access my Nextcloud server
> at https://nextcloud.mydomain.com 
> and the ability to add other services (on the same or different
> machines), such as https://email.mydomain.com
>  or https://bittorrent.mydomain.com
> 
> 
> Can someone help me with the configuration required to do this?
> Also, does it defeat the purpose if the reverse proxy and the
> services I want to access are on the same machine?
> 
> I have checked the documentation at 
> https://httpd.apache.org/docs/2.4/vhosts/examples.html and there is
> a brief section on using virtual_host and mod_proxy together, but
> not enough detail for me to create my own configs.
> 
> Here is my current Nextcloud configuration:
> 
> 
>   DocumentRoot
> /var/www/nextcloud CustomLog /var/log/apache2/nc-access.log
> combined ErrorLog  /var/log/apache2/nc-error.log SSLEngine on 
> #SSLCertificateFile  /etc/ssl/certs/ssl-cert-snakeoil.pem 
> SSLCertificateFile /home/john/ssl/certificate.crt 
> #SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key 
> SSLCertificateKeyFile /home/john/ssl/private.key  mod_rewrite.c> RewriteEngine On #RewriteBase / RewriteCond
> %{HTTP_HOST} ^www\.(.*)$ [NC] RewriteRule ^(.*)$ https://%1/$1
> [R=301,L]/var/www/nextcloud/> Options +FollowSymlinks AllowOverride All 
>  Dav off  LimitRequestBody 0 
> SSLRenegBufferSize 10486000  
> 
> 
> Any help is much appreciated.

It isn't clear whether you need proxying at all. What are the other
"services' and where are they running? For example if you are running
your email service from httpd, then you don't need a proxy, just s
VirtualHost will get the job done.

Proxying local services is a completely legitimate use-case.

In general, using mod_proxy is the way to go for proxying HTTP(S).
Have a look at the documentation for mod_proxy which can do both
forward- and reverse-proxying using a number of protocols. You are
probably interested in mod_proxy_http which proxys (you guessed it)
HTTP. mod_proxy is a kind of "parent module" which also requires that
you enable a protocol-specific module as well, so you'd need to enable
both mod_proxy *and* mod_proxy_http for example.

Most mod_proxy configurations start with something simple like this:


  ServerName email.mydomain.com

  SSLEngine on
  (Other TLS configuration)

  ProxyPass / http://localhost:/
  ProxyPassReverse / http://localhost:/


The above would be appropriate if your email were hosted locally (to
the httpd server) over cleartext HTTP on port . If it's elsewhere
on your network, then:

  ProxyPass / http://ip-or-local-hostname:port/
  ProxyPassReverse / http://ip-or-local-hostname:port/

If you want to use HTTPS on your local network segment (which I would
highly recommend), then you'll need to use https:// URLs and probably
configure some certificate trust using e.g. directives like
SSLProxyCACertificateFile in mod_ssl.

To get DNS working, you'll need to register email.mydomain.com,
nextcloud.mydomain.com, bittorrent.mydomain.com, etc. all as pointing
to the IP address of your router (probably) and then port-forward from
the router to the main http reverse-proxy, as you have things, now.
Remember to set a ServerName for each of your VirtualHosts and the
appropriate TLS key and certificate material for each one.

Hope that helps,
- -chris
-BEGIN PGP SIGNATURE-
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlzslxkACgkQHPApP6U8
pFie+w/+LUfg82VVb3XTmVAEE+3PoSjhrjnF7k5LCUc5t9pvChu31GXbpntSm9Dj
LQXz+4rgLmofByq9pjANFAPYc9yeybBhqIlOZiQUzE5jWbTZElMpD9EcW1Og55j9
WuhSF1UjqJ33qYV/kmrW+UFGWKGV0gB84Zh2yC2UgyV6dWw9HM+rnarjkt6yy/eR
CgGPKMQjSBt2L3vnDe5d/pKaMAM6s4hQnBOuvW3WgT0rWFRrgd/XZhpIp9xV+0It
AzC3v7lXoUhqQBsKaY0ibOYctQSLd9paldYiJ8Z8NU6O9XGs7yL8zaq1CaX1qK46
DXKVL0tDMrvInwi3mx2vvTTKCj9L/wjZOTpM64sfoax3CbPRGMRmMumZZiwMl2Eh
yuepTmk+1yvyebnuKbJKjEbpmVB1FrWjQrfSbgFGYnRWS6HLLDdDPfjeP344y/GM
M3Ic7eoaHwCRhbXmkVQHPY/s+IHsKAUnwSz1tc/QfX3xOoxRxMzD9kuZ6X0Zh9s1
d+0apa2XBjmiDZMXYGTqCwRUEit3goV2u0XE0xZC2J4PoN

[users@httpd] Problem with mod_authnz_ldap w/ldaps?

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

All,

I've been using mod_authnz_ldap for a while with OpenLDAP over TLS and
things have been going fairly well. This weekend, however, I had 3
servers stop working (returning HTTP 500 responses) for pages which
were protected with HTTP Basic auth + mod_authnz_ldap. Two of them
were unavailable while the third one was working, and then the third
one stopped working as well.

I checked everything: connectivity was okay (checked with openssl),
certs were okay (also checked with openssl), and I even installed
OpenLDAP-clients on the server to check to see if 'ldapsearch' worked
(it did).

After several "graceful" restarts, nothing was working. On a
particularly low-activity server, I ran "/etc/init.d/httpd restart"
and the page came right back up with no errors.

Here's what I think has happened.

First, we are using Let's Encrypt for not only our httpd server
certificates but also for the OpenLDAP server.

Second, our most recent certificate for the LDAP server has a "not
before" date of "Oct 28 09:47:18 2018 GMT". That's very likely to be
roughly the time all of this started becoming a problem.

Note: We are using "LDAPVerifyServerCert Off" though that it a vestige
of having self-signed certificates before moving to Let's Encrypt. So
the certificate chain itself shouldn't be a problem.

Third, the two servers that stopped working (roughly) at the same time
have a system clock tracking UTC. Before restarting httpd on the
second of the two servers, I grabbed the date-of-last restart -- that
is, the timestamp of the oldest httpd process on the box:

USER   PID %CPU %MEMVSZ   RSS TTY  STAT START   TIME COMMAND
root 15973  0.1  0.6 415204 24060 ?Ss   Oct22  12:29
/usr/sbin/http

So only graceful restarts have occurred since Oct 22... before the
certificate was re-issued.

Fourth, we use logrotate and the latest logrotation on the
initially-broken servers (using log-file timestamps) shows Oct 28
03:51 UTC.

For the server that *wasn't* suffering until later, we have:
tz: America/New_York (/etc/timezone... /etc/localtime says UTC)
logrotate @ Oct 28 03:33 UCT

logrotate performs "/sbin/service httpd reload" which I believe
performs a "graceful" reload of httpd.

These things don't entirely line-up... I was thinking I'd find that
logrotate on one server ran on a several-hour delay from the other two
and that would explain why one server was working while the others
weren't, but it appears that logrotate ran roughly at the same time on
all of the servers (at least, within a 30 minutes or so).

Is anyone aware of any issues with mod_authnz_ldap caching TLS
certificates or anything like that? I literally changed nothing on the
LDAP server side or the httpd server side, but an httpd "restart"
fixed this problem while no number of "graceful" reloads seemed to
improve things.

Thanks,
- -chris
-BEGIN PGP SIGNATURE-
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlvXC3wACgkQHPApP6U8
pFh/cRAAq10ZkYWnI5Rzjrmx93DCRxRajo/XXmFC/9LeJEylCtLslmUd7oBqTSBn
ikV56lWRIoGjVUVG3rGRConQzV76gbokai5q39a3Pf4mcQ2a20pec34aHtNNf7gE
j4YFmSqWnAhZ6NHVAQZg4zLxV4JCS/OrVbU9jlgevZhXhaOFI5cwiCz51HyPE1z6
OPqeXz91P4AJvIH7hd5tXHmIVRopjOhJID15gGkzlNIRNrB00OMGFcTQbcUhzLj+
jClAdsbMCYnjuKRvTUnNVwTTBujj9G6wPBgvt0egdk15UhUDRyJnVciNYF85VgeX
66WrMB0GiPDepNTABWSj1gDd5pNaXd7gun2Lhbn3X7oAvawlYAAvsglvXbJedIzA
y4gJgxn2zd9PU3F2Wf58j/zmMv7YQijcPT4yI+yWTwfYNx+QlcCVboxusY/i8YNE
iN8lUFqh6kwICJazyLXpxNW6gMNoEEW9BRpaEC2doF1pxNk6LmI8ZdN5d24TMyj3
xTMje7jiNA7moYxx2wUR081IpyJezHzTvtmrKfnWz1szI5uYadott0eRq+i6JGw+
7fb3OmA++MJUeB+uM5/O1QndR5zQ8B9XJ4cVTqaZLdG2CIiPJp4T6+D7qWpyWnEi
Qbb0WxFauNFgsN417qrnEjjXLFAdeFJwq81sv4UTtaP3Yfhla74=
=MvMp
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Expiring DAV file locks with mod_dav

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

All,

It's been 2 years with no response. Does anyone know how to read
and/or modify a DAVLock file? I have files that have been locked for
months. Is my only recourse to delete the entire DAVLock file?

Thanks,
- -chris

On 2/12/16 10:52 AM, Christopher Schultz wrote:
> All,
> 
> Ping. Any ideas?
> 
> Thanks, -chris
> 
> On 2/5/16 4:04 PM, Christopher Schultz wrote:
>> All,
> 
>> I've been searching for a bit and mostly people are having the 
>> opposite problem I'm having: they are having file locks expire
>> too early .
> 
>> I have a lock on a file on the DAV that looks like it's no longer
>>  valid, but LibreOffice Writer won't open a document on by WebDAV
>>  server because it says it's locked by another user (and names
>> the user).
> 
>> Are there any tools to investigate and/or tweak the locks held
>> by mod_da v?
> 
>> I tried "dbmmanage DAVLocks view" just to see if anything would 
>> work, and it dumped-out some stuff, but didn't look like
>> dbmmanage could really interpret the DAVLocks file.
> 
>> Any ideas? I'm sure that rm DAVLocks && /etc/init.d/apache2 
>> restart" would do the trick, but I'd like to keep any other 
>> legitimate file locks in place if possible.
> 
>> Thanks, -chris
> 
>> -
>
>> 
> 
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
>> For additional commands, e-mail: users-h...@httpd.apache.org
> 
> 
> -
>
> 
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
> 
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlrfOBEACgkQHPApP6U8
pFjsEg/+Imj31ODnmjvd+DhpUDYNfvCFUpgHJ589legwUK5pK6Xeyb2teLms02wo
zzdP560Wt2sXHja6lzKbup7cYBn2Rkvbhrd7PJ80xF45wUeInyBfF1J6HhLIRTAK
n9Z5+Onu5/fEO5KeeKHEdHXCgYxRIIXKZ6X4BPqJ1avnPUKxNhda9QE9gqmxttGy
lGW/qq67POvb2PDzXZ4LjRFeUE/8Z3D2i7sy5HO4mmn7eNcr1iCnwbqW0JaoaqEj
s7GJsxjwx//hmxrmfmrRYTbk0HP27lDbNzRW0nTqn5cNffQ/WNTF/+SoFM3K/t8E
vjXzEKmmv64f/rGFNdj95+36ayIN9q5pabamg57sAjV4K8CVsdbM7oa+CK6JlVdu
xYbPxiu0fTiSxgXyp2VYwTKODTf37MrUO9xrHox7dsoZI7MWh/JQZEsHmJ4M8cZF
+gUgYIZdwWBoBEz21vZ56EXeXFH35QG24EN6XhFcxGeCYrvdH3rRLRmKzufGP6yR
rOm17k7Q+ZadpdNZD36cwQnvOepXwd+qdamZg8Zw7IedjonTQwxQgVqcBZ2EYyYP
Fgkgj++0aawOcSEk87jLArhrO3Z1uSKMWLURhgQgeui/UZWMM/rCHmUtyduEACSM
osRRZV8czBeJz4Q3hmqMcHhqZisN82bi4i+AwUXFdPao8Q1rNek=
=6MHE
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] DH^H^H EC parameter selection on httpd 2.2

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

All,

On 3/30/17 4:32 PM, Christopher Schultz wrote:
> All,
> 
> I'm running httpd 2.2.31 on Amazon Linux, and the docs for 
> SSLCertificateFile say:
> 
> " Beginning with version 2.2.30, mod_ssl makes use of standardized
> DH parameters with prime lengths of 2048, 3072, 4096, 6144 and 8192
> bits (from RFC 3526), and hands them out to clients based on the
> length of the certificate's RSA/DSA key. "
> 
> I have a 4096-bit RSA key and yet I'm not getting a 100% on SSL
> Labs' SSL testing tool. That suggests that the DH parameter
> strength is less than what I was expecting: 4096-bit (or
> equivalent).
> 
> How does httpd determine which DH primes to use based upon the RSA 
> key? The server's key is 4096-bit, but the issuer's key (in the
> chain) is 2048-bit. Is that the reason SSL Test is not giving me
> full marks?
> 
> I'm trying to create a 4096-bit parameters file (to attach to the
> RSA key chain), but it's taking a while so I figured I'd ask in the
> meantime .

I added my 4096-bit DH parameters to the end of my cert file, like this:

- -BEGIN CERTIFICATE-
[my RSA certificate]
- -END CERTIFICATE-
- -BEGIN DH PARAMETERS-
[my DH parameters data]
- -END DH PARAMETERS-

and restarted httpd.

When running SSL Labs' test, it tells me the following:

cipher / key-exch / strength / forward-security
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH secp256r1 (eq.
3072 bits RSA)   FS
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH secp256r1 (eq.
3072 bits RSA)   FS
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 4096 bits   FS
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)   DH 4096 bits   FS

So it looks like the DH parameters are okay, but the EC RSA-bit-equiv
is only 3072.

Does this mean that I'd need to create an ecparam file to raise that
RSA-bit-equiv even higher?

Thanks,
- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJY3m0pAAoJEBzwKT+lPKRY+yEP/RoJD/UK7DtWRsklRqf7dnkK
b1ISfV7+tbJokQ+i+gnBHeU+IXA70DLU0y5bjd82zEXfBJ4rwk0yhDXr2110PVjE
reZz8C37NfXXCNXWJiSAfOOyEYJBzXQ8/hsrcbRTcDnetWvsXwZ09OIn7q/IDRvP
94W5LjtZM9FW0Obtcgrn2P/nQSPKIJlHAdZFgwVZkart1snRwAklQQ2kwX29Knyt
h/ZZ1i5B31euZRrQsbTIYKkpCrfALi1eRQvmgGuW+Myjlj3M+Cr7Hw9uR73qKCAW
4cNrue+8DmYSDHwjAHbfcxqcEEJvgkfgBU3SuRdWrud/zwWlYhI2HxfGwoONK4Vo
wGljRAcen3X8jebnkXj3v4QhToGmESFU2vBnxXpmDjo0pxMhSk2OzAYXdSTBtLL9
BjlrObQM5WAvyX0PjBAji+fD1Iz690jCbGJWqHfOeNIAlkDbVtjZE8fiNK0k57K8
dSjzLWDjDOAgC/rPc5SeFCAewcqcBDVAObfITKrm77c2hqHH6jOjWdNiZj/2Xg5d
6FUTC6VLlk/VULf8xK0WL27RaqwvOcExbrnbed4oLB+wmIw1uD47LFFAz9dmL+J4
RppIcIBcnXPvuaeXbZ227gkO/2ShSgPzH1oZm09UORMdbZw+Xwm8Gks/PcHQujMD
UG8+nS4yiXV0VLkqMs2e
=NUwP
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] DH parameter selection on httpd 2.2

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

All,

I'm running httpd 2.2.31 on Amazon Linux, and the docs for
SSLCertificateFile say:

"
Beginning with version 2.2.30, mod_ssl makes use of standardized DH
parameters with prime lengths of 2048, 3072, 4096, 6144 and 8192 bits
(from RFC 3526), and hands them out to clients based on the length of
the certificate's RSA/DSA key.
"

I have a 4096-bit RSA key and yet I'm not getting a 100% on SSL Labs'
SSL testing tool. That suggests that the DH parameter strength is less
than what I was expecting: 4096-bit (or equivalent).

How does httpd determine which DH primes to use based upon the RSA
key? The server's key is 4096-bit, but the issuer's key (in the chain)
is 2048-bit. Is that the reason SSL Test is not giving me full marks?

I'm trying to create a 4096-bit parameters file (to attach to the RSA
key chain), but it's taking a while so I figured I'd ask in the meantime
.

Thanks!

- -chris

PS I'll see some of you in Miami!
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJY3WteAAoJEBzwKT+lPKRYn7oP/izQu232bxrNNvtjtrYT/u7B
fRgWALYU1S+Subp8gv809DB5nzcYyk5wjc+O8dqBzNFUjONfkAHKRrkTTaWQeqL2
u6bungrbmKmn1H/j547ZLDTI0CjE1ZeFyr/8NBGmJSf9MdVpCjaDZeptelnX63+z
Hd/jIdV3NV49KrWw0Pb7tuLH/SzoJ6y8M+tPJW7i4PO3e4lrPUDI8BTtB+8EUD+Y
exbFAXu/V8fzm/hLvR3cm/G85GkhwSIn91rTrBM10bHtIx6x+tCShC5lhXyWUSxV
rRZ7KsDAy6t2RO5PNyAUMvPq3h3y79AWsGAsATgiOpZH5P+4ChU4J/7JMV2XN2/6
aK7dM3VZXwYVmE4auRZPhA/D2YY9OOLDXPv7dsRcOM5Rehe29FgzVuFGIDFgEbS0
p88MB5pZwxllkCeIgEd+hIP42lp3/Gbz0kaJh/lZCiBuIHUovKO12llszhOnczBk
WMPLzWkewzQB4iEFbyldemNpHQvtK/jyigVNwUjVLfl7w+Fs2l4h0A1CFCYxZ9nh
s9EG53gHUwvz3+PQKr2nJkOev44SQiZAY77FLgTn9QoG7jPTU460BXO2IxG/qbSA
EkK4nvBFRWFSMQwu2RLzjlTKidFR7LDaBbIJ1Lk1cmEd7vnUQiFL1o3/Fg7SBgin
BpP3j8DlPtdHDI9BB+sy
=13zU
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Processes starts

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hement,

On 2/15/17 6:05 AM, Hemant Chaudhary wrote:
> When I am stating my httpd-2.4.23 servers, sometime 6 process id's
> or sometimes 7 process id's are generated. Can I edit how many
> process id's I want to start.

Yes.

> I am assuming 1 process id is of root and remaining 5 of its
> thread. Please help to know why this is happening and where it is
> stated how much to open?

Which MPM are you using?

> Second doubt is I want to check process id's in access_log, I am
> editing %P for process id in format, I am getting correct value. I
> want to use %{format}P.
> 
> I tried with this but this is not working, please helpp how to get
> pid,tid,hextid using %{format}P.

What exactly did you try? I would have guessed:

LogFormat "... $P,%{tid}P,%{hextid}P ..." my_format

Remember to apply your LogFormat to the type of logger you want e.g.

CustomLog "access_log" my_format

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJYp1daAAoJEBzwKT+lPKRYuJsQAMDX852vDqIV9hFl8UKI82gy
I8O1ks/sdZiR7+gVlhzFR9elCx67Hi472XYSvlnRUs+uSRGCvBXzpUzG5liBzqO9
tdtRd/ayBqTc2pK7sH1Xsn8YcwZ1wGz3aM/VDa6ahWyqYpo6+AIOAC82e7dXqNuJ
aYm8z5yQiCkxwoR1oqHfUX3Vn+w2cdgf3N0P8J2jtIWPO8Gy/Yn6/CYHQhnR0P61
yKsq/4Z1ycb3UQDziJv48z1yZ8C41goZ8GtJlSDHlYh4MACswk39DfxVTVV7MYE8
7Y/NVzKPUMDaDC9VWgocyfVXqJ1m9Ogff/1seKpblcyla96sjymfEn+jH4bH+PuX
jj9kZsSExIH6SFc4evmYTQZ1Oy1aSaWVD9LmU8aSICu+7LFji7JH9eRMmsfBLzMC
xxEQln2nY9dIYp09O6j4ox6r4qKmCXNRczVnB3mTbvUb2cM3k9Y4CAhirjWyq3Vn
1K4BIwZ04Lt8Wuw8bqp+5eJXl+QHno/IvVEf6Tc+9yFLrLv7KfnB4SndDhiNAyZc
FJKIFf2stOos+m6LAOjUri4G5ePLsuJYHlyiRUZA08hNitwhRDw1VBOlBg7tpHn9
AmhXD4aH0XibN8S5y+LJiRF1LGUiiEak25BHPAxAbza71ZAuF39sdG35qrpZ5NRW
D0nxcpKYCUaDze903UY1
=rcuy
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] proxypass does'nt seem to work on apache 2.4.25

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Stéphane,

On 2/17/17 11:06 AM, Stéphane Laurencelle wrote:
> i try to implment the proxypass and proxypassreverse in apache 2.4
> vhost file on oel 6.8 to redirect does to tomcat apps web page but
> nothing seem to work like in apache 2.2.x
> 
> is there some new stuff i need to configure to make it works !
> 
> hope you can help me on this !

Please post your configuration. Just the ProxyPass/ProxyPassReverse
lines and the related VirtualHost wrapper will be sufficient from
httpd.conf. From Tomcat, please post your  configuration
(minus any secrets).

Also, please post the URL you are using to hit the proxy server (httpd).

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJYp1WsAAoJEBzwKT+lPKRYx1wP/1Ht4Kz4BMKKedONEyCRefrQ
rz+tQMBWoM4zIaWFVFzCefwTHfppX47jPcgq7IZYq9TIfWrwQRW6BGjCxZw9LSdJ
43qLuUstvwz8qZgDzzAC+AaL3L5cHdRVOMhRmpInS5uFK04AdhbeVRyO7iIjkITw
cAkGDNgFyr8WWJpX6glD2igJrZADOrNS0xQG9LP4d0iUMM0uxUHLAVNiir6HGuDG
htplms/wNHOlMgZ/DzyGBKF6aWHsBe1r9T2KC5VFGsLFphJEJfVUUqFGloJVENyt
QiG9Np+FcBK3CrL5EBZZbger2vAx5ODs6i3ug8sI4Lfxat1aMkHY1DfYOQd4rqZJ
TY7yO8TuCkM/ZjCfN1O8n5oIRAa0ThP7jkmwgF3dPsfCu8qpNRymDFJi0/Vq5LaR
IMhyOoYEabgrknFg9ohFBlqKDvGZsjDtCXexe9y/VEF7Gh+e4SdQ30sbihXZ+lub
dw4BVcO7aezsF6TS5t5ARb34IMVsfp6U/giTllczKn42aKB9qdEC1FmhHKaOJ5r2
MqNZlzYzNzAIuXZ0cCom/GJL4Lzeskql+cLGrSjt7yNxn9YMfHYJYXaVm17EdfBH
Un2neVTc8u5786+mm8u9SGRWRojiuNnt4hzL9RwycJa7AGwvx7nfJcC3neHTYvvZ
iu2V/ivMNpBks8sozJk9
=Tarw
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] apache 2.4.10 sslv3 not offering when tls is enabled

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Daniel,

On 2/9/17 4:53 PM, Daniel wrote:
> Try manually:
> 
> SSLProtocol SSLv3 TLSv1 TLSv1.1 TLSv1.2

And, please, for the love of god, add these, too:

SSLHonorServerOrder On
SSLCipherSuite TLSv1.2:TLSv1.1:TLSv1:SSLv3

This will cause "better" ciphers to be preferred over the lesser ones.
Don't forget to eliminate the insecure ones like EXPORT, MD5, DES,
RC4, etc.

A typical cipher string I might use looks like this:

SSLCipherSuite
!aNULL:!eNULL:!EXPORT:!DSS:!DES:!SSLv2:!RC4:ECDHE:ECDH:DHE:AES256-GCM-SH
A384:AES128-GCM-SHA256:HIGH

- -chris

> 2017-02-09 17:30 GMT+01:00 Sven Crul  >:
> 
> Hi,
> 
> 
> I switch to debian with apache 2.4.10 where I need sslv3 for 
> backwards compatibility with some OLD clients
> 
> I use openssl 1.0.1t (latest stable for debian)
> 
> 
> with the settings  "sslprotocol all" in  ssl.conf sslv3 is not
> offered
> 
> with the setting "sslprotocol sslv3" in ssl.conf it works but 
> unfortunately without tls (I need TLS also)
> 
> 
> I must be the only one who has this problem because can't find 
> anything about it anywhere, and I tried about anything there is
> 
> 
> sslprotocol all +sslv3 ... etc nothing works
> 
> 
> Anybody has an idea
> 
> 
> THX!
> 
> Sven
> 
> 
> 
> 
> 
> 
> -- *Daniel Ferradal* IT Specialist
> 
> emaildferradal at gmail.com  linkedin
> es.linkedin.com/in/danielferradal 
> 
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJYnOoCAAoJEBzwKT+lPKRYgnkP/jHquyBGVH2uYKcF6Pzyn7Uw
LduZ+8eVqnSC5OsI7s6HBZrqxJthIb2c5Ns+w/rR8ga4o86bzWd+Shr+lwI41UXJ
gEjJDUyQYN5/1YMwlc+w/MFyqgWIaJTdJEhC1kgBMzQzNt53og13tMT7z93rvMsE
NZC1Gb0ANYx68d4/QC/J1Qoh3H0PkqLniHuV6GOuM7zeu9i5IcLQDW4WX7yXcG63
2VsTKwcPdQ1uH3t3i5c3+bbtvWsfMn0bj5Z8SaYInpLWX1swIBLh9b2+dzD5+A2Q
wLgSdIqgZhbkSyqFvq8oqXiaKQ6oxXVXfEJ6bivTkQNbyflR64eqqWXSRsc/RxfK
GJnalLogEM3iP2L7BUAE7Ok3r8xP4Drxy8JaVSLYNm+0BboSP80MZ0YPiIKcniZF
lkyQwyqOWX+OO1Eo0Z6SOTRoRMbymIPvgV+34aVp4admwNtfUN/2F+dPn+7xExHW
Y5oA7j9qBEYXJg63AHY3R//tGm/rtnDlHPt8bxCw5tWrR6HFgoqabyR5MhSYpfED
g8ReWrkd+Ygr10++hw2wwHf9Qwq9jHa2WYhGQyT5HiTIm+ui1X5gD19p9rpyCfcn
ARZ+NgoBHjFGNg0gLu1m3mwDDElnr9/kQE+KRdoVnICm18i3vO4CXzZLUC3moPRR
43zsMR858V8ZOZThX0s7
=/YOD
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Configuring redirects httpd behind a TLS-terminating proxy

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Konstantin,

On 1/24/17 3:53 AM, Konstantin Kolinko wrote:
> 2017-01-24 1:07 GMT+03:00 Christopher Schultz
> :
>> 
>> I've got an EC2 instance behind a load balancer where TLS is
>> being terminated. I've arranged for two separate httpd (2.4.25) 
>> VirtualHosts: one for the secure connections (proxied from the
>> lb) and another for the non-secure connections.
>> 
>> I have a Redirect directive that isn't behaving as I'd like it to
>> behave :
>> 
>> RedirectMatch permanent ^/$/site/
>> 
>> I have the same redirect in both VirtualHosts. The redirect
>> itself works, but it doesn't preserve the secure-protocol when
>> I'm using the secure VirtualHost.
>> 
> []
>> 
>> I'm expecting httpd to redirect a request from 
>> "https://www.example.com/"; to "https://www.example.com/site/";
>> but instead I'm getting redirected to
>> "http://www.example.com/site/";.
>> 
>> Can anyone see anything wrong with my configuration? Or do I have
>> a misunderstanding of how RedirectMatch will built its relative
>> URLs?
> 
> If that VirtualHost is accessed only by your lb, you should look
> at ServerName directive. It can include a scheme.

Interesting. It looks like that's exactly what I'm looking for. I just
did a quick test and it looks like that will solve my problem quite well
.

Alexandru, I was hoping to avoid using mod_proxy unless necessary, but
thanks for the suggestion.

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJYkjYSAAoJEBzwKT+lPKRYIpMQAIO1fUAIzXoniBecYhJ7CWGl
ZOaE3gsi9UPxtitDpoQU+BXrzDugcvmXNpIxUveQsQ4ZaqUOiot0QUXn80tne757
MwWx020G+Th6iFnaB4P7weSbJM1hRwXmXbUmA0vLXlScf8f9KdC0LqGYHqspOtCv
xdWrC3x66g/qLhxRmeseCU0tCjsrnben7CGwtzESsmqkB1XSAXSLID2hs/auakot
47+2J+tomGmP+HvGJ1yw5ClArGbmXF/geG3DH8QVEkviX3hX0nIVltoCYpAQtnYX
U8m6jhbtoqFk21qoSKcYVTY9Zk8Olb01hPs2KW7KCERHw4+7c0zhMu2FQ1RurHBC
2sDEe/OklHoeP9BExtxYGEqZcOHLpsOcoofM4wZGhTX+Wu41/HdJJDVKojz9E0C4
83S5IVmoIRBxr5QcfoW65To5WdYzRC0mlZN8Vae87M1kjfJAMQ2caN6brSLkDy7B
VRdX1GVS5a+sczyG0ska/zgflMV0mOyTtQHp3+tXy/HU18IoovUN4oxcuORtif1J
knmRVqjEDUcxh4TvuhjouHpsNg5DivaSFgwf43l2mwQPqldmmtKBoRMNVZjrBnhQ
d9zpEwMPwpkdUcHsgVWZe466u7dK+b5bQN336LJAtRFrb6KhVfrILoO1K2bvGb7L
eo4o+u7iJvNmgeN56l32
=7E9Q
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Configuring redirects httpd behind a TLS-terminating proxy

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

All,

I've got an EC2 instance behind a load balancer where TLS is being
terminated. I've arranged for two separate httpd (2.4.25)
VirtualHosts: one for the secure connections (proxied from the lb) and
another for the non-secure connections.

I have a Redirect directive that isn't behaving as I'd like it to behave
:

RedirectMatch permanent ^/$/site/

I have the same redirect in both VirtualHosts. The redirect itself
works, but it doesn't preserve the secure-protocol when I'm using the
secure VirtualHost.

I have this directives to attempt to set the HTTPS environment variable:

# Handle ELB requests; maintain client information
SetEnvIf X-Forwarded-Proto "https" HTTPS=On
SetEnvIf X-Forwarded-Port "(.*)" JK_LOCAL_PORT=$1

I can confirm that ELB is in fact sending the "X-Forwarded-Proto:
https" header to my httpd instance.

I can also see that the HTTPS environment variable is in fact being
set to "On" when I make a request.

I'm expecting httpd to redirect a request from
"https://www.example.com/"; to "https://www.example.com/site/"; but
instead I'm getting redirected to "http://www.example.com/site/";.

Can anyone see anything wrong with my configuration? Or do I have a
misunderstanding of how RedirectMatch will built its relative URLs?
I'd expect the redirects to be protocol-relative, but even though
HTTPS=On, the request from the LB is actually using HTTP and not
HTTPS. Am I not able to override the protocol by setting the HTTPS
environment variable?

Do I have to build an absolute redirect using other environment variable
s?

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJYhn6RAAoJEBzwKT+lPKRYPGgQAJxY2qq2wAxhzV21iQJFz/qz
vviFasPk17/ezD7ZGM1yHuxOrTrZRglvIRUXrRB3MWBX55fX11NsryxfKNigxOpw
TXtmJQNAScvXZfGdSVkVNcSNHN6FWKE+QRNhtPNhVoyxWP1fUdc00bzFCX3PDvoo
+8ASJJDV+0Qy5O0IlVv4B1uBnfzhVaxBgi2UYzGF8jyrbgUXHUA9R14FtXN6DNqw
Q4UKBXD6W5wS1zPYep9oHs0aqQIycvAXTFB20dwfaZ/Qft/wED2ACNOg60hRtQ3x
tP57zjEQqxzHKPHsTYaM4k6so69lIL9uoNUBgN1Q/Eqyl+ufF13y2EasjL4Y2Svz
qUFzyP85xFHTxnR8QvAYvmL4jqrf2ynZWnKHLDoVs1y9BOb0Iv4/8EWqcaIOG4QF
MlUxoSY32Z/BA3oxkE3pTzzqeyjZTY3ITMtdNDFMWFoDa3iTDBFNjfcUOYJSuaZx
7Q9A7NYtMpTFvTxVpQmz+PFkVpDqmF/xxHO/B9LaPcjTCWqqYU+m5/GTugW/pcoH
LVKfiPEbAYkjmOIR/+BE2x2YU4PglTIrzKfB2MlyHq/3qU3/SNvL+qM0xs6V1tdN
OtLx83lrEKecuqiH3A6zGPpcKqzdCGCMJxbg/jq5QJXMLs3/sSYyo15EjUEQYfjZ
Wn+RdQYSpwcWQ8eoLQVF
=mJ4i
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Copyright notices in httpd source files

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Jim,

On 12/29/16 9:38 AM, Jim Jagielski wrote:
> I didn't know you guys were working on it. Cool. I had been working
> the donation angle for awhile and finally got approval so wanted to
> get it in quick! :)

Daniel's efforts were focused on a patch to mod_remoteip which IMO
seems more natural (though I'm largely ignorant of how anything
"should" be done within httpd, so take my opinion with zero gravity of
course) rather than a separate module.

I'll join the dev@ list where we could probably continue this
discussion with a better audience.

Thanks,
- -chris

>> On Dec 29, 2016, at 3:56 AM, Nick Kew  wrote:
>> 
>> Cc: dev list.  Looks like a catch?
>> 
>> On Wed, 2016-12-28 at 17:44 -0500, Christopher Schultz wrote:
>>> All,
>>> 
>>> Is it common to have a copyright notice in httpd C source
>>> files?
>> 
>> Not common, but neither is it unusual.  I'd expect it to mean 
>> someone else copyrighted it before contributing it to apache.
>> 
>>> [ mod_proxy_protocol.c ] Copyright 2014 Cloudzilla Inc.
>> 
>> If that's in our svn, it should probably have another line 
>> asserting Apache copyright alongside that one.  As in, for
>> instance, mod_proxy_html.
>> 
>> -- Nick Kew
>> 
> 
> 
> -
>
> 
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
> 
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJYZeQGAAoJEBzwKT+lPKRY90QP/jnoTj/LlmUV0YveVpyX13jZ
ysxx1HJarxMM6ePOVh/6KCkgwWYGe6SH0MyFrxUwrmH4BkZkXors3u/TJZFfWR9P
kru1Z9c+9doPWGPAXZZz/cQrHU6dvDFp8LIs4uPXlb+p2DrsHizGZnZxta9ckqa/
lTdHgUbcpVP1e8YV2S8bBi5SuV3tmf97IN5GV7wi/G9EtQlcFWQ7NH+dYDs62TlU
emr9Xo2hAGfVhaYKZ9wHcLgjuVXRhHnl1UM7YpiReSvsNwpX+a+kLEf7B3iYdE1t
fk80HCWHmmcOe21nOIyU/OsyUVyVd2be64aH6gzrnh5yxIayb3ZSB8+eyk1O+aoR
LA8fVAJgiDonj7JS/d7DSHkImIK5PIvD6voDMCQ2Rf0DSf6DlFGKC96yKUbIUC5O
5MGym7n+j6WxaiUHReBZaAeW/gcwnzr7xqe+PRXBmBQmlJrVPmdpM6nNjyxOn6Bn
ylw9pmO99lC+qUO01rY/duHhMrQY+SDnCxyGx1xdAYK7ASSAw7gtUU3Zfvoe27zo
XT33d8XsBTXsMFDeOBLz9Nws2qnHQQ4BOSV8+s7sio1IVeV2F32T9RPEIu7J/TCN
WZsWBy7NS2BvGVjezgOGMhVZnl81Y+HsPrU7ZCKmIKEpkJGMWnopmtUhMrs9X7Yv
+bo4j01/FrMGpNna4RCI
=RuJT
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Copyright notices in httpd source files

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Nick,

On 12/29/16 3:56 AM, Nick Kew wrote:
> Cc: dev list.  Looks like a catch?

(my reply might be bounced from the dev@ list... I don't think I'm
subscribed)

> On Wed, 2016-12-28 at 17:44 -0500, Christopher Schultz wrote:
>> All,
>> 
>> Is it common to have a copyright notice in httpd C source files?
> 
> Not common, but neither is it unusual.  I'd expect it to mean 
> someone else copyrighted it before contributing it to apache.
> 
>> [ mod_proxy_protocol.c ] Copyright 2014 Cloudzilla Inc.
> 
> If that's in our svn, it should probably have another line 
> asserting Apache copyright alongside that one.  As in, for
> instance, mod_proxy_html.

Yep, this is ASF svn. That's why I included the link in my original post
:

https://svn.apache.org/viewvc/httpd/httpd/trunk/modules/filters/mod_prox
y_protocol.c?view=markup&pathrev=1776076

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJYZeM4AAoJEBzwKT+lPKRYpN4P/30FjhTLL1iMSVRETFzQkBsC
T+7e8+0NejwaqSoAqWpX/VbIawgyGFtsqgFjqOzGkp8Oy3FSnWpCFfG3IVR/4DCW
dEe+/LWU5f+B0T1dJyDL2DOCxnHQPiyPc3AYGF+NUtIvKEys8m7zO8hTQ0Dz5TFB
k4GFt69aP+MJnKAQAx8T1Gilwbu5vUZWmxu80rbl85FixYiW3iTSPHzApQ53ZSdx
mUUHYoV9wv0fwm1+Udj6SHQRkVDBmzwddeTdqEa9mukdf6zc+8R4pcx8K0YLxuMP
iduKLbXCxpy2oi28UpqqD8/5JD9adNBc3aYUpm0b/7ceJpr05wkFtZfh7OerULwr
nYqxaZtogrdMPzV3fgOvz2S136uqDd0qSFOyvV7Qy8i/87Yr+kkk1GDaVcenhM1m
z6+0iV9ftm5F4QbivheaKsJJEut4urfiVBnUha1l+BveWO+IOR047U/gdP7gfvcP
RrCqaYLSclCP0UtlBAa0RWlZSsa4HS3/m+YyJ/dm4pDbjY6kyWAkA8w4+GOJhQLf
MJ//TKbZ9LGNo4ueye+pRN1H4OFuJqTI1c4LdOsXqOW62IhATUIU8/DNCxKrlkTL
pGp2C+5qUDQGj/yotEdyI9oDshm3ZDgPAplMQcl2itVyKgKYVrjmHfgLectRNAKf
m+W8ul5tp4Dp0N0vJSU1
=Uymx
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Copyright notices in httpd source files

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

All,

Is it common to have a copyright notice in httpd C source files?

Jim committed a donation of code for HAProxy's PROXY protocol in
r1776076 and later. (Thanks, by the way: I've been hoping to get this
in 2.4 for a while so consider me a big (karma-less) +1 for back-port
of this module).

The C source
https://svn.apache.org/viewvc/httpd/httpd/trunk/modules/filters/mod_prox
y_protocol.c?view=markup&pathrev=1776076
file contains this copyright claim:

Copyright 2014 Cloudzilla Inc.

I haven't pulled the source to see if other such claims exist in other
source files, but I have never noticed a copyright claim in other ASF
projects.

Is this a simple oversight or should the copyright notice remain?

Thanks,
- -chris

PS Special thanks to Dan Ruggeri who was working on this independently
of the donation with me, and who missed his own commit of virtually
the same code by a few hours.
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJYZEBhAAoJEBzwKT+lPKRYMTQQALHTwsO8Xba/UtAxKoh7lwhj
Uwh/J61NR21okbb+1Kl3I3kCXAqBs61gKkEAvVZYCVIPkO6tSFW/zSlVWsebC0GD
erM9BLAk8UHfD5gEI3i6JwP+umbYleLQJOcbGbLObG6sOfsdKHcMQJ3jl2mNCFCJ
QozZQy4BQBjCw9GA5n9QJBVA04vYBAG4IKCgD6UqtrKp+9AJzfNv0fjkAHx+X6Jo
Ec5YtRsvO7hj6341C3UxgBpw/+rPZxXWeJVvVekVfsFzjxvJGpnJQV/Yx3iGvaGn
uwdnLXLAgNFs82N/ip9GZNbv12jPFzUvu7WxXG9PXHZ5z9oL2y4s1m95RsVLPATn
zViFxZkGTF4h1rdqix2MNN7/q/hQmY6XsOo1fSlSAYhAMFQ1g43EMecLud3dCECw
ypjVVJO+T29JArCzyJb5skOr2lSdcf9ZYAhnStgHmRUw/bvwDhcMaCjsdqFdaUSD
fIqMdp7gAJ3/fou/AdARERxhR7UNDp7sNJcCpOo/hoHoJ8QSy5b7CBUGG3uemdjH
JBPYtYVilbvif7/EV9AAWwsKO/JX4smqctHrU2ZG/JHt0f4pQ+QxaTkys+jblXdu
83ROK+0DlX9KXcIOSBQ/SWqj/3UoPIgVxXgnf8RKztMuUUdFrPScWYpKFPpoeXPF
5+VNuOdIkoX+MalGusox
=wMXF
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Fine Tuning Apache 2.4 on AWS EC2 t2.medium Instance

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Tony,

On 10/1/16 4:36 PM, Tony DiLoreto wrote:
> All,
> 
> I'm at my wits end trying to simply run Apache 2.4 on my Amazon
> EC2 server. There are dozens of stackoverflow and websites, but
> the suggestions do not seem to work on my instance.
> 
> *Hardware*
> 
> * Amazon EC2 Instance * t2.medium (2 VCPUs, 4GB RAM, 1GB Swap
> added)
> 
> *Software*
> 
> * Base Amazon Unix distro * Apache 2.4, PHP 5 (no mysql) via
> Amazon instructions:
> http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/install-LAMP.html
>
>  Shortly after installation, I'm finding the serve grinds to a
> halt. Apache eats 95% of total memory, to the point where I cannot
> run base unix commands like 'ls'. Looking for recommendations on:
> 
> * which modules I can safely disable (those that few very users
> need) * _exact_ values for maxConnectionsPerChild,
> maxRequestWorkers, etc.
> 
> That leaves me with 1GB free for the operating system. My
> Wordpress website will not be serving more than 10k
> pageviews/month, and never more than 20 at any given moment.
> 
> Any recommendations?? Thanks in advance!

Weird, httpd takes up 95% of RAM? What modules do you have enabled?
Does it eat all that RAM if you don't make any requests? Which MPM are
you using?

What if you disable mod_php and temporarily disable Wordpress? Does it
behave nicely, then?

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJX8CO3AAoJEBzwKT+lPKRYh3sQAMHZLeDqI/F80Ksdi1z+BrOf
ZZ6t2regMseG5cTUtNFIJMb5LmOy56JjvxPZXmu4o9kyRPqSs3he3bxwBI4aAHWR
gVQBxWonqFkwsBEpr4u3q30nZN8LchZGPXTQcw7+/SLbP7EBaFnTiEhPPEwj374H
XFEyTkh0tv3Hd4q85W8OwgcENHm8IyTA8FuqhUr0xtVsfxhA6xvqcrz34rdYoYW5
FlHQclK7t2pqsSWjRJh6fnFwrS8u8xEtsFfRWhinkNAJpOCch4vnKOgSWeBF3zH+
tuNiGbP3FX+Ge85WZFLY68xCUSPOWPPPl8du7BSsAX2f2JLyBjtt12435qPE2tez
b1hHMrrkQZGyWFzxl4GR5kkH9Qp/nTkqFLBCPcFzH7DHHJJJC4NyYPTff8PRDFrT
Xw5BIkghiT7+d1hPLiUyaGrsu9leZUVIozXT3KvgPIsQiIff6gZovj2QEgM6QZT8
qhEkHjj41RZksNHJ41BxLiZIqclkXlbWdfIBUtzeRYWEZG/FCwLbzH+B1mfj0nJn
hqGC0J8lZs3d2l/Ws/sNu9xz5qGv/ZcKSynToZXq8Pb/zorjSJGqOS13BTeh0Dz2
PsDBkcPQ4jymVU/Vt668q3Jm7TI3Ip0cigKxzBhA9cUJebuIv9YI98zBnuPRh5RE
E62pt8xp0IX25O3M0GxX
=dWd7
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Showing exact filesize in bytes instead of shortform in directory listing

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Cie,

On 9/30/16 5:59 AM, Cie wrote:
> In Apache server 2.4, when activating the IndexOptions
> +FancyIndexing in the httpd.conf, the directory listing shows the
> file size of a file like in the following example:
> 
> exported_file.pdf 2.1M
> 
> The file size display is accumulated to Kilobytes (K) or Megabyte
> (M). The exact file size is 2176555 bytes, but instead "2.1M" is
> shown.
> 
> Is there a way to configure Apache server to show the exact file
> size in bytes in the directory listing? I had a look into the
> Apache documentation of [mod_autoindex]
> http://httpd.apache.org/docs/2.4/mod/mod_autoindex.html but have
> not found anything suitable.
> 
> Background: I want to mirror the directory with lftp, and lftp can
> not read the given filesize correctly out of the index. So lftp has
> to make HEAD requests to get the file size for each file. The
> additional HEAD requests would be not necessary if the index
> returns the exact file size.
> 
> Thank you very much and kind regards

It sounds like this is a good candidate for a web service which
returns exactly the information you need and no more. For example, if
you were to return the list of files and their file sizes as a CSV or
something simpler than an HTML document, you would be able to do it
even more easily.

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJX7m7hAAoJEBzwKT+lPKRYjKQP/j3V6tkCYgcvpb4NTcJ3NkZm
TImeJAtJ8tUBFgAho9pWBUSyV43SSnR6ZI4Qv6bAEYyvcJyJPW85O0trpqvCxcKU
EIPBKr/dnTp8OCHcnz/7ZiL17mDPuzNwTart7GUlYHDN++W7PP3JgZuJ6awkVNyN
pmlHrSqLmaQOLlJ52w2PqPrqmCs8tz3VoTtkpMxTlGjvqaFHD83f2zKD/IYJDNpq
k6TpsOkVEzHPEYJNuC9Kp6acxRURVjLFZWdEHM4sKSmYTIo465KW71XJpeEr4g96
2uBIAs/GRZO0OLgY5yfH2b0SvYbrof+j4KF6CaabtI1ZSZIvwFhLIQmK7wNr4FU1
uYCPrauEi8vUsFGhC7E1/YJfHj/8cpfTgrHXGtBdGoMq1iOv/DL3filIIVwf0Li8
Kcj8Vc0uR8hm2lQqrWasfw3grCmoXR2Sykk8pxY4FghlWB2VrnO8FNyaE4u/pXrw
3nv/KvCICxIRKDwCM4GiaKCtG4NIkl5pU1XBhgZmA7x/Zg6gJ8yidPscxO5YiVqT
XUudc4h5DCpVXvCkkcIX+b47Ec7ZTclpx5YDS7C0Gq+fBVwMmDnMNCLriE1pEObN
ubRJeTgzGubfp40wJqztJv8aqXyGMqF/AXDnOD6cy1yj5NU3RFp3GYPKsCuDJJ1o
Kr4m8DImijTsPMnO5110
=1iUT
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] problem compiling apache

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Pavol,

On 9/20/16 3:07 PM, Pavol Eisenberg wrote:
> Hello
> 
> After I've tried to upgrade my openssl 1.0.2 (ubuntu default) to
> Openssl 1.1.0 I cannot compile apache with ssl anymore.I also
> reverse to openssl 1.0.2 but the problem still remain.
> 
> Can someone point me how to fix this to have working ssl with
> apache ?
> 
> Here is my current compile output :
> 
> 
> /usr/share/apr-1.0/build/libtool --silent --mode=link 
> x86_64-linux-gnu-gcc  -pthread   -L/usr/local/lib -lssl -lcrypto
> \ -o ab  ab.lo   /usr/lib/x86_64-linux-gnu/libaprutil-1.la 
>  /usr/lib/x86_64-linux-gnu/libapr-1.la 
>  -lm ab.o: In function `main': 
> ab.c:(.text+0x62a8): undefined reference to `SSLv2_client_method' 
> ab.c:(.text+0x653c): undefined reference to `CRYPTO_malloc_init' 
> collect2: error: ld returned 1 exit status Makefile:73: recipe for
> target 'ab' failed make[2]: *** [ab] Error 1
> 
> many thanks for help

httpd source version?

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJX4Yr8AAoJEBzwKT+lPKRYn/kQAIctRZy+WykFxc2oGVFzHyWu
PYFHp2zYlex0RornTV7SbAtvNAn9c6OajUHxHVpOT4Hg4V42VqA/SwvxlTzUPYIm
QuUqml3/uEi/ue0mn/ziCCcfs8jm94H4Wz9jakHD2Mw/TzpiFyhGu1XfXoqNgpxd
vALzIyejcwhHCoXIpjZe4ivCUZZ5WIIqnGLoiOcOOkprvT2TsSLlRyTXhbMOjWpt
tm+FmtoFPiFo721Jp+R5/S/S/7+zhaqfzKXYGqnhfBboEhFhugZF1qbdHP9sflCF
p5sOe22s+IiuIuQ1sIZFVtrG0WCGjdY82UB6NEs3+S7CQXBz0D1JAr7xkIZzQhWm
c1fN8mQEO/VzMNysvWyk3NlVUmkPTxX/8dETkxjCb6VWRnr5s/DPw1HFoh5Ps27e
oCHi95sLDXMheUMjCWJ4OyWh/95JU8fCjfOytdyddhFnPHVamANWS6CPVPtModMU
JJSfyBRKVURtN2pemAEq8tBg8prBH1VnLKCehb+yDBU/8yDuCqpBm3xAHciDjMoH
WMqHs8BfMbB0QKAKOpSGjbBvfyW0TTUqEJPzTuSJYTvYdwcOt22rlyBW81qw7nZk
IoyByEk90lfiiElNaBuhI95lFTU+ZejzekJQz+Ro0ZMS3pP29NLjdfxqMNOAG4fI
XbgGozBpggqp/Jx/OJbj
=/B6C
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Apache losing its connection from Tomcat in few minutes

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

James,

On 9/4/16 5:16 AM, Dr James Smith wrote:
> You don't give enough information about the setup to solve any of
> your problems really.
> 
> Are the apache/tomcat/cms on the same box or different
> 
> We have seen big problems with mod_jk when there are firewalls
> involved (so much so we don't use it any more but use mod_proxy
> instead) - connections are severed by the firewall - you need to
> look up "tcp keep alive" settings for your connections - but even
> then that doesn't help - mod_jk doesn't handle this situation
> well... (ditto nginx, mod_fcgi etc none of them really handle any
> form of flakyness when it comes to network well)

I've been using mod_jk for quite a few years (both with and without
firewalls) and never had any problems. The trick is that you have you
have configure it correctly, just like you'd have to
properly-configure mod_proxy as well.

mod_jk uses a permanent-connection to the backend, and you have to
arrange to have those connections re-established if they drop. You
want to pair the connection_pool_timeout in mod_jk (in sec) with the
connectionTimeout in Tomcat (in ms) to make sure that both sides of
the channel will hang up the phone after an appropriate interval. Use
of CPING/CPONG can help ensure that the connection hasn't been dropped
by the firewall.

I suspect that Jayaram's problem is either a mismatched pair of
connection_pool_timeout/connectionTimeout settings, or a value that is
less than the idle-timeout on the firewall.

Hope that helps,
- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJXztjUAAoJEBzwKT+lPKRY8MwP/jA123QoWtrYgUSKoOF/8qy/
WPa32ZFhcM3zdpmT5+Im6z7yt7m/v8jGYugd1/hvCWFX2VSuqOAIdGxxwI2OC2eq
KRWvOgS0PgIwVWvzt7qPp5wILXcmWq0u9OuaXEpgVjKS7AZjPBcsbgi/54n65zkn
Ac3lRvSgodZzmNGR6sO+FoUgUF9QnVcXcYJhVJVEb7kzFRSfN32XsIGzB9Z4Q2I9
+WN1F57qcWQrWwsq0Sth+7+E8SnLEhcTuCqultun4tC8Klhh9D63FKMd5L1kgDfZ
cxqvxNwxcJUiRzrPjnBd7x9+R3GJ4chUgfq4a8DCXQntkochJEOtgsjOszqjAsl9
3vY3SwDeenzMpd0fwJ8aAhOShWDUSx3BoqV5PmfbrVCNGGA4BH0GIk6kqF37sh6p
lBGgW/DjBV8Qk0P4vkk7ieuzv/czMDcuCRgGAAdlHImu/Z9PaWGhckqy0o+35hRj
TtCoTlzHPyeAGFaqpD7kkUnHqbduv9QokhLE7xgRGUtaqk0/u0xCpNex208sR2oG
WIzBJbfgu5JeSzPXstNGZtvkNEZl+Y5NAvGcAM/2hhmjR405nilfyrSRl6XkH5Te
j2Vn4sRfpMxFe6gwe8KOqVHLaRVJk06GNhUUPrF6haATV2sDEC4B7kTCQYSXt2Oe
pWHH9rRs5IKKKRu7yeDK
=z0xI
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] questions about IPv6 and SSL

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Andreas,

On 8/31/16 6:05 PM, Andreas Meyer wrote:
> Christopher Schultz  schrieb am
> 31.08.16 um 17:28:04 Uhr:
> 
>>> A few days ago I added IPv6-connectivity to the web server and 
>>> changed the Listen-directives and the VitrualHost to also
>>> listen to the IPv6-Address on port 443.
>> 
>> Please post your "Listen" and "VirtualHost" directive lines from
>> your config file.
> 
> This is the part of listen.conf:
> 
> Listen 127.0.0.1:80 Listen 37.120.166.21:80 Listen
> 46.38.231.143:80 Listen [2a03:4000:6:4123::1]:80
> 
>   IfModule mod_ssl.c>

Missing < in the previous line. Typo or copy/paste error?

> Listen 127.0.0.1:443 Listen 37.120.166.21:443 Listen
> 46.38.231.143:443 Listen [2a03:4000:6:4123::1]:443
> 
>   
> 
> and in the VirtualHost I just added
> 
> 
> 
> RewriteCond %{HTTPS} off RewriteRule ^(.*)$
> https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
> 
> and in the sslvhost  [2a03:4000:6:4123::1]:443>

This plus the above are likely to be confusing: you have separate
VirtualHosts bound to the same interface with no port specification.

Try this:


   ...


   ...


Note that you haven't specified a VirtualHost for localhost and
whatever 46.38.231.143 is.

Which interface are you using for testing?

Do any of the ports work? Does httpd even start up?

> tried also with a separate 
> 
>>> There is a redirect from http to https. The website is not 
>>> reachable anymore, not certificates are found.
>> 
>> Those are two different problems:
>> 
>> 1. Certificates are not found
> 
> The certificate are there. If I disable the IPV6 things, they are
> found.

Woah, what?

When you say "disable IPv6", what do you mean? How are you changing
your configuration?

>> 2. Web site is not reachable
>> 
>> One may cause the other.
>> 
>> What error message to you get, and where?
> 
> The thing is, I didn't notice the website is not reachable 'cause
> my testings with my IPv6 connection showed no errors.

That statement is confusing to me. Can you clarify it?

> ping from outside:
> 
> andreas@workstation:/> ping6 2a03:4000:6:4123::1 PING
> 2a03:4000:6:4123::1(2a03:4000:6:4123::1) 56 data bytes 64 bytes
> from 2a03:4000:6:4123::1: icmp_seq=1 ttl=58 time=33.2 ms 64 bytes
> from 2a03:4000:6:4123::1: icmp_seq=2 ttl=58 time=33.1 ms 64 bytes
> from 2a03:4000:6:4123::1: icmp_seq=3 ttl=58 time=30.9 ms ^C
> 
> People then reported the site is not reachable, for instance:
> 
> Firefox-Fehlermeldung: Ein Fehler ist während einer Verbindung mit
> www.bitcorner.de aufgetreten. SSL hat einen Eintrag erhalten, der
> die maximal erlaubte Länge überschritten hat. Fehlercode: 
> SSL_ERROR_RX_RECORD_TOO_LONG
> 
> Curl: error (35): error:140770FC:SSL
> routines:SSL23_GET_SERVER_HELLO:unknown protocol]

That usually happens when you (correctly) disable SSLv3 and someone
tries to use an SSLv3 handshake with your site. That doesn't
necessarily mean that your site is misconfigured.

> Wget: wget "https://www.bitcorner.de/bshop/products.csv"; 
> --2016-08-31 15:21:12--
> https://www.bitcorner.de/bshop/products.csv Resolving
> www.bitcorner.de (www.bitcorner.de)... 37.120.166.21, 
> 2a03:4000:6:4123::1 Connecting to www.bitcorner.de
> (www.bitcorner.de)|37.120.166.21|:443... connected. GnuTLS: An
> unexpected TLS packet was received. Unable to establish SSL
> connection.

How about this:

$ openssl s_client -tls1 -connect www.bitcorner.de:443

Here's what I get when I try SSLv3:

$ openssl s_client -ssl3 -connect www.bitcorner.de:443
CONNECTED(0003)
5966:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake
failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenS
SL098-59.60.1/src/ssl/s3_pkt.c:1145:SSL
alert number 40
5966:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake
failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenS
SL098-59.60.1/src/ssl/s3_pkt.c:566:

Using TLSv1, I get better results:

$ openssl s_client -tls1 -connect www.bitcorner.de:443
CONNECTED(0003)
depth=1 /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
verify return:0
- ---
Certificate chain
 0 s:/CN=bitcorner.de
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
- ---
[...]
- ---
SSL handshake has read 4652 bytes and written 682 bytes
- ---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session

Re: [users@httpd] questions about IPv6 and SSL

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Andreas,

On 8/31/16 10:56 AM, Andreas Meyer wrote:
> Just subscribed to this list because people reported my web server
> is not reachable anymore.
> 
> A few days ago I added IPv6-connectivity to the web server and
> changed the Listen-directives and the VitrualHost to also listen to
> the IPv6-Address on port 443.

Please post your "Listen" and "VirtualHost" directive lines from your
config file.

> There is a redirect from http to https. The website is not
> reachable anymore, not certificates are found.

Those are two different problems:

 1. Certificates are not found
 2. Web site is not reachable

One may cause the other.

What error message to you get, and where?

> Is a fix possible and how? Every hint welcome!

You can definitely fix this. httpd definitely works with IPv6, SSL,
and redirects. :)

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJXx0vkAAoJEBzwKT+lPKRYxJgQAKCz6QYLtllqD/3Fp/KBxquY
236u1XRtC64qy4THr3TpZNVyUQs8+ODYzF2zRhoW3gvp6U4OkBPZ+t4ErM8hM1Ru
YX47rDIk9uqGMvVCliraydcbkpSzGuXQoWkcx0pJHWLgEYLFH9TQakRjlBGXxFqS
L1RqrBg7nyhV7PJ/WbUvzD1m1LJ6tK6yoalFg2T3CaEGuJRO1jiSJ9L7famk5RrN
RX/Q/LH6eHqlXeVzYC7GjIZQTm12+83HhjadX3M9BtloM988F+buOiz1jR28ZgmO
OXWqFEfKATffwZUUNfDDBcAR12ACgz1xsXc9u609LsF7DLBkPUh60xfYWl/ayAQn
bSKzHejVxVI6sTK6kIL9BVjaG/JjBV/kFednSvKCbYZEGsHVEDuDeXpmqYsiMumU
xO2fw3OEz303DNzkFrn2wCuow5ZEBKHNfj1RYptiMigFQwRvLSZRI/FnnDlhXFaI
j3e3POwrjuk4mX9cyirscea91Is3R7+h+epAn7KP756w1/R34VtKWfwc5FmH/4TC
/gkRO4PkPbUr6Wx6T4wQZHyZbgGIiLsyEWNZe0DXAmZHpZ9fV4nKQw621V8he356
PU/bLF1KwDKWLyJTZWa9/hu9KLDtNVUD503QFGSDVBwyooZ9N4zcmxkHJV/Gi0se
MGVnWK+0kzzzxQgdUSkU
=wL8A
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] 32 bit - httpd-2.2.31 Binary distribution for linux

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Manjusha,

On 8/30/16 4:09 AM, Gole, Manjusha (Manjusha) wrote:
> Does anyone has a 32 bit - httpd-2.2.31 Binary distribution for
> linux? Can anyone share instructions to build one?

Most Linux distributions have httpd available through the package
manager. What are you running and why doesn't the existing package
meet your needs?

httpd is fairly easy to build on Linux. Do you have a
compiler/toolchain already installed?

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJXxZBTAAoJEBzwKT+lPKRY0IcP/0btM1+l9L8ronFpFLJXWq8w
TMrPJwGi8gu/upeaJDRDtltZik0dYK2sry9hxJpdIfl3UEO3sRNfjvVYfshH1O0U
9ttenEi6wM2VHy1ABbndEfbJ08Hy1DxiTIMfP5kdhrJ2x7grtIAhoVxsBYQkG8bS
G/ubqv43dxZqD7Chof19+PvIhcC39MYXBoJ4wQPqiivBOWyVIwVQ4rlqIsbIkQK2
CDa7mfBJ7+dMcyO8Qt9Oq41z8t5wIFciVxfMsxXSwYVcogFJCpnM8v9p/iHacXFv
AYBpOA7aMthU0Z/e/zTlFdSlFpZ7kaxVN3lrFP37Px+g3dQQGrplS/XDwppj6Cf1
vgkyoI9GPFxisMJ4pnOEseWYlx24XGS+tvQHQQaA0cbgVebNMCucdW9UsQhpRBAW
4CYMwIgEcqrJyxqiVZbXdxTU5CWctcIu4ESwdS7Pdd0S2fI+32u1EEzOAS3XfDRi
D1FEPPbVfoZ9l2j/SJpMjDmF5XB9heBVoLNlTXINa6ojvfNx8+gndYQ8s7fHwesc
MaOJfV7FT8I0PgIjBKLOQE0Tt3/PDwbVrhhfK5SMVLL/vl7v7OcomNdW/pffuiKL
p0pUoYS8qJO7k8pOcyFsPVqdHPu1kcdrY9GcOgOXJWxwBUP+7X0+trvy1LvTAevX
0maulPZbZ+pU3bXo7d/I
=P5T1
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] httpd session timeout

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Roger,

On 8/24/16 9:53 AM, Roger Paanini wrote:
> Chris, I am testing it by logging into the website using basic 
> authentication and then waiting for the time out duration and try
> to access the page again. I am expecting to be challenged for
> credentials again when I tried to access the page after the
> timeout. But I am never challenged after the timeout - ever after
> several hours beyond the timeout value.

You are misunderstanding the nature of HTTP BASIC authentication.

If the server sends a 403 response, your browser will show an
authentication dialog (username/password) and then provide those
credentials to the server with a follow-up request for the same
resource. For subsequent requests, those same credentials will be sent
with no end-date. HTTP BASIC has no provision for "session expiration"
as a part of the spec (that's why it's called "BASIC").

If you want to *really* expire the session and request a new
authentication challenge, you'll need to do it yourself. For example:
when authentication succeeds, place a token in the session that says
"last authenticated request". But before you do that, check the
session to see when the last authenticated request actually was. If it
was more than e.g. 60 seconds ago, *you* need to respond with an HTTP
403 response. httpd is not going to do this for you.

> But I see the following messages in my log file... I suspect my
> session modules are not configured correctly?

I'm sure your session modules are configured correctly. You just
misunderstand what the protocol (and httpd) can do for you, and what
you will have to do yourself.

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJXvb1IAAoJEBzwKT+lPKRYu9wQAMCaHmD1G4xNoUgClAJffnlf
kbhRF1hpjCmmGuOHqa19hbbttj0JuadNsFugAuRc0eSpJ0DUe/zlGZuX/YqitZLU
uiVCQVtXQ8nScmC/9WQjkSCB6NHJRXtUINItReu87NEGaWNUDeglyIHCerWK/zw/
yIUykBTT6qsxGL/i14W7ijL8GM9oN37jdlK+Bpakp8jMYChkbduYJVL3X70DxgyD
+oA7hzkq7Gjrmoj8BwJY1OhPnTELj22YTe6mr3KqephTmMN6LC9PWRzeLFgIN0ad
DBFnFKoMJxSAobvpoG40xeFIGWZAnNVmzHDJbHGllvgeD6X6i3ojH29U9kMSFutL
TOy8tBVCJQDe0e2LxXUbW5Imc1j4bXfMIkqBB3EVJB8oU8Fi9yygvcKCpy6WZkFp
n/q6uh3nu9jqHGQfyFviRmS0iEGMxoPSbKnnEzITOR7LPRUYaitiNPPbjie37ySi
kl/w4/1EzWzDd2HQf1wXd0b/UD+ach5S0KjgDVoTiESuc35EJCe2+bPYavoVtOZu
egYhEBIsc0ffcs3cz8cY3/66djGsKVtsJNHuXOnxAw/WTs2gFKSwOr3C0ARp4MBY
Zc1WPx7UqnYVDrG7bLDxvPKJsK/clD9Av++192dgB6M+VOmYepWFFaUYkfvScnsP
0S/3bmTlc6HKfTcldyNK
=ZqEH
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] httpd session timeout

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Roger,

On 8/23/16 4:26 PM, Roger Paanini wrote:
> Folks, I have tried to configure httpd with session timeout but it
> does not seem to work. My httpd.conf has the following:
> 
> Session on SessionMaxAge 1 AuthType Basic ***
> 
> I was trying to put a timeout value of 1 sec just to test. This is
> not working. Am I missing something?
> 
> Thanks for any pointers on this.

How are you testing it? What did you expect? What happened if it
wasn't what you expected?

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJXvLIwAAoJEBzwKT+lPKRYWnAP/Ax2yBWc8laAbRC3jKTA7TlI
3Y5kfIrJi8tiNfzga/PXUWR82b6KmjMbXD5VKlD98YFFJhOjlMF8JSqV1MQIX1Lu
v9mfjkasfwhapPGtlksecNzJEA2KtSS+sLZfg5m1gPmv9R8sH5A6aFICmwVs87b8
DcZK/e/4STGvzGs6hGwQGaSgDDT3H4UFZqrLPCHx/jK85wNDkIZ+rHodzsLXjD9Y
/St2ER0bCWr090v0s/sKqKP28g7WrXBCiqh/MpCnIJ70B798GEmGI3sXnepFKSWV
1IzsK8J8KAufGY24XCgRMXad1TshaftnPiTIGmZ6pPesyq8sc4Rr8FN/Mo7xvR3Z
eSZYCJd639Ir76MHikCjVhgRzWphh82PN+9wf9hA7snk0yt+uFEsrcxTlURdErbB
0XWW7lKSor7R+OksK9HmL3izhEyNymXiOryRy5wBa2emlCajCoczy8XYy9CffkNq
OM81k343CdbdjLO5Z7AUdTIbnZjx5zGS9r6nVcf5uyg5j70ZuOyE1P6zft94KR4S
b6R2UMWUJ9aku7tzwP1cSox3DRSnhAI6VPXuwYiJYAZo6+kSTLCs0gW3Jb1q5nWj
1IF2lsGvZIqH0yqxZ49rgvYSnkCdp+pp3ZVFHfDED9LBD4B90tRzlQFI4QF0w5YV
TLNlGhmIB+eqb5dW9LnK
=9Yn+
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] authnz_ldap with fallback to file

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Eric,

On 8/21/16 1:42 PM, Eric Covener wrote:
> On Sun, Aug 21, 2016 at 1:40 PM, Christopher Schultz 
>  wrote:
>> Is there any way to combine these two authentication mechanisms
>> (ldap, file) such that I can require an ldap-group for the LDAP
>> users and a valid-user ONLY FROM THE FILE?
> 
> You could put all the flat-file users in a authz_groupfile group
> and check that with Require.

I've never looked at authz_groupfile. I'll have a look at that.

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJXvK9wAAoJEBzwKT+lPKRY1QkP+QHn9vcFfY138nMeGZSaM6aO
p/1k8CNlZYe6zIKC6h9TapPGmsJi/o1Qd1z3fl9T92gcyRiF+WrQIEPudJGH+qna
RwJPPJ6TUCKOMIWAzKK8fYICK5/qbbJFuceDz604yXPi+Hp5/2BtgGBp6vDicCud
0NjhI0J/iRq04PE+tksKd8QsKeuwl/btldTw03jV6slPGvw8VoO8rthUGFCltO/7
kVNaQFv7WvkfOt8J6byhRz4M8eso5cLXY8MGMffBNQTtGh7gallM2bx27K7Hw70O
YkqoyukyKg0isfRZD5aIB5xviGREc7/a0ipcUsnQc/D7OkSTnIMxyft64hd90dGM
WxovEQgrNvE9E2S2M+HDNWhm5kMitIfxnsk4r7uRK3p7rh5K6VUn6HSlNBOluIT3
4iB2ZkxaiMGeYZg18TLOiCC3kOxKhqqdKlpPBXe0hMDSmA39xR6N865Je26b5ieb
UC3cuS4xboBb9h8tqhSF8MvCqkjhunwIqVOLU0/X0Xi8FV8tsMt16GeFGW2ds9Pt
eJ3cZI+vF2gt7EeI5AS51YU7Xo0e0fr/WsIqc/i6g3D+8/ysTDQj8A5dBh9wJuuZ
hR5Tpnhe0FGTsCUbZVw6gySX2dbLG0y13dKBO0W89s2EXHWZIeYhN58emfpPr4uJ
h7gfYv6kNjENJgudq8oY
=MKMe
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] authnz_ldap with fallback to file

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

All,

(Running Apache 2.2.22 with Debian patches)

I've got some services that use LDAP for authentication. One specific
service is our Nagios monitor. When the LDAP service is down, we get
notifications that (duh) it's down, but because Nagios uses LDAP for
authentication, we can't login to the monitoring console to ACK the erro
r.

So I'd like to set up a fall-back for one or two users to allow them
to do this kind of thing for this specific circumstance.

This is what I have right now for LDAP auth:

AuthType Basic
AuthBasicProvider ldap
Require ldap-group cn=nagios,ou=groups,dc=my-dc

At first, I was thinking of modifying the above to something like this:

AuthType Basic
AuthBasicProvider ldap file
Require ldap-group cn=nagios,ou=groups,dc=my-dc
Require valid-user
## Multiple REQUIREs will allow any matching criterion

The problem with the above is that ldap-group will require a group
only from ldap, but valid-user would allow ANY USER from the LDAP
server, so I would no longer be able to get my LDAP group requirement
to apply.

Is there any way to combine these two authentication mechanisms (ldap,
file) such that I can require an ldap-group for the LDAP users and a
valid-user ONLY FROM THE FILE?

I'm fairly confident that I could do this with a backup LDAP server
(even on localhost with only a few users ... or a complete backup if I
wanted) but that's a lot of infrastructure to set up for what I was
hoping could be a quick-and-dirty fall-back solution.

Any ideas?

Thanks,
- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJXued+AAoJEBzwKT+lPKRYQ4YP/RInLuiAgmh9vNcTJtLMOg/H
HbGYJ2+3wnzNJVVIanSDHdBwMM9xTGfRU20whKV2pXOuQI1VTBbVnv+liDOcmse6
lUOpYJyr8QB/mkx+Je77ICJnemd+TZiHJwnGHJPplJxT2jQXOlFMv9b+tBql9fNd
tPiTjKlN5wiWEJEvKnWpPmeGnqys9ZP6pOnUAPtWU8HDPyEiof0cgtwikwx4b6Gx
+RYuP+qNa60UcKq1hY0trqLR+9GTSmsdsx5LUXFNwXAZoqy5ltLis+/RFsz5ZIvw
03deeqhLR2xYUaekcKecnJ6Zk5M5beGt7elEpwG+YqKxLNXlmjOoNGpYllh5sSIq
1yLjwayjyyIcjnOguN3S7qZl3Ybaw3Oh0lOxSH4Jmx4LjgOGlFcZc1JqO7YwtF2C
RMvOUuH8830ZGFEZEC1Xb466+KUc/3xuj7I3uRA2Vkjf8htA0pX7xp3ZUrb8RGkx
t+3rg1cwn/wk5UC8nZUybhzDrbgbv2dJoobC4ZkUTVfhyGKI4aluwuCBYoPYjzlc
76EHk3NF3vlyCrx8uoeWHH2ElN8kbt9n4jH5zP3WuvBPRx7Bn1EDNLysFGHUjAur
WDfPzfg12iFg8bX9pR6AEweZVsGkmpXBd6kO0FgnC2imVtitCvHpGjYqMsUDxnj7
bL9Uu5ui7jPOpE0i+6gu
=HHir
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] How to restart apache after reboot on ubuntu 16.04?

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256



On 8/17/16 4:12 PM, Dr James Smith wrote:
> It may be possible to write your own auto-renewal script
> relatively easily for LetsEncrypt. I have done for Apache as (a) I
> don't use the standard paths and setup, (b) I wish to use HPKP on
> my servers for additional security and "Lets Encrypt" auto scripts
> generate a new key each time which breaks this (the signature
> changes and is unpredictable) - so my script generates a lets
> encrypt request with the appropriate key (either the same OR the
> backup key I've already generated) I now have a relatively simple
> script which reads my config file and generates keys accordingly if
> required (the only thing it doesn't do is restart the server for
> the new certificates to be read) but it does inform me this is
> happening. It shouldn't be to difficult for nginx to do similar

It might be nice to provide a patch to certbot for that kind of thing.
Others would certainly appreciate it.

- -chris

> On 17/08/2016 20:23, R wrote:
>> It seemed like the auto-renewal process for ssl from LetsEncrypt
>> is not supported yet for nginx, at least according to this
>> article on its publication date:
>> 
>> https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-
with-let-s-encrypt-on-ubuntu-16-04
>>
>>
>> 
My needs are really simple and I wanted to go with whichever would be
>> simpler to setup.
>> 
>> On Wed, Aug 17, 2016 at 2:50 PM, Dr James Smith
>> mailto:j...@sanger.ac.uk>> wrote:
>> 
>> Depends on your backends - nginx is good if it is serving 
>> primarily static files and or proxying back to quick responding 
>> backends. It seems to be less well suited to slower/heavier 
>> backends. Apache always seems to work - slower mind you - but 
>> always seems to work... So if reliability is your requirement
>> then nginx may be a problem!
>> 
>> 
>> 
>> On 17/08/2016 19:41, Erik Dobák wrote:
>> 
>> why did not you use nginx anyway? should be faster and modern. 
>> did not have the chance to try that yet myself. still using
>> apache everywhere.
>> 
>> On 17 August 2016 at 03:18, R > > wrote:
>> 
>> Ugh sorry, I had a test installation of nginx on the machine,
>> which was not fully removed after doing "apt-get remove". Looks
>> like it would still start up somehow. After I purged nginx, then
>> apache2 started ok after reboot.
>> 
>> Thanks
>> 
>> On Tue, Aug 16, 2016 at 8:57 PM, R > > wrote:
>> 
>> Hi, this is everything from cat /var/log/apache2/error.log:
>> 
>> [Mon Aug 15 13:42:17.138117 2016] [mpm_event:notice] [pid
>> 26081:tid 139773925775232] AH00489: Apache/2.4.18 (Ubuntu) 
>> configured -- resuming normal operations [Mon Aug 15
>> 13:42:17.138282 2016] [core:notice] [pid 26081:tid 
>> 139773925775232] AH00094: Command line: '/usr/sbin/apache2' [Mon
>> Aug 15 14:55:14.003814 2016] [mpm_event:notice] [pid 26081:tid 
>> 139773925775232] AH00493: SIGUSR1 received.  Doing graceful
>> restart AH00112: Warning: DocumentRoot 
>> [/var/lib/letsencrypt/tls_sni_01_page/] does not exist AH00558:
>> apache2: Could not reliably determine the server's fully 
>> qualified domain name, using 127.0.1.1. Set the 'ServerName'
>> directive globally to suppress this message [Mon Aug 15
>> 14:55:14.054552 2016] [ssl:warn] [pid 26081:tid 139773925775232]
>> AH01906:x:0 server certificate is a CA certificate 
>> (BasicConstraints: CA == TRUE !?) [Mon Aug 15 14:55:14.054736
>> 2016] [mpm_event:notice] [pid 26081:tid 139773925775232] AH00489:
>> Apache/2.4.18 (Ubuntu) OpenSSL/1.0.2g-fips configured -- resuming
>> normal operations [Mon Aug 15 14:55:14.054747 2016] [core:notice]
>> [pid 26081:tid 139773925775232] AH00094: Command line: 
>> '/usr/sbin/apache2' [Mon Aug 15 14:55:20.854353 2016
>> ] [mpm_event:notice] [pid 26081:tid 
>> 139773925775232] AH00493: SIGUSR1 received.  Doing graceful
>> restart AH00558: apache2: Could not reliably determine the 
>> server's fully qualified domain name, using 127.0.1.1. Set the 
>> 'ServerName' directive globally to suppress this message [Mon Aug
>> 15 14:55:20.865056 2016] [mpm_event:notice] [pid 26081:tid 
>> 139773925775232] AH00489: Apache/2.4.18 (Ubuntu) configured --
>> resuming normal operations [Mon Aug 15 14:55:20.865076 2016]
>> [core:notice] [pid 26081:tid 139773925775232] AH00094: Command
>> line: '/usr/sbin/apache2' [Mon Aug 15 14:55:23.807722 2016
>> ] [mpm_event:notice] [pid 26081:tid 
>> 139773925775232] AH00493: SIGUSR1 received.  Doing graceful
>> restart AH00558: apache2: Could not reliably determine the 
>> server's fully qualified domain name, using 127.0.1.1. Set the 
>> 'ServerName' directive globally to suppress this message [Mon Aug
>> 15 14:55:23.840209 2016] [mpm_event:notice] [pid 26081:tid 
>> 139773925775232] AH00489: Apache/2.4.18 (Ubuntu) 
>> OpenSSL/1.0.2g-fips configured -- resuming normal operations [Mon
>> Aug 15 14:55:23.840217 2016] [core:notice] [pid 26081:tid 
>> 139773925

Re: [users@httpd] HTTPD asking for password after power failure

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

All,

On 8/11/16 11:10 PM, Marat Khalili wrote:
> From what I saw, this behavior of /dev/random is totally normal on
> an idle Linux system.

There seems to be some confusion about /dev/random on Linux systems.
Yes, the behavior described here is normal: when the system comes up,
there is very little entropy available on /dev/random. /dev/random
needs random events to occur in order to provide that entropy, and
those events are things like I/O interrupt timings, etc.

IIRC, Linux relies on the keyboard to generate lots of those events
and, on a server, the keyboard by definition doesn't get used. So
other events are required to fill that entropy pool. So, after a
reboot, the entropy pool is "shallow".

/dev/random is supposed to be a source of high-quality randomness
/dev/urandom is supposed to be a source of low-quality randomness

> Just do not ever use /dev/random.

The choice of which to use is up to you, but remember that low-quality
randomness gets you low-quality crypto keys. But to say that one
should "not ever use /dev/random" is really bad advice.

- -chris

[1] https://en.wikipedia.org/wiki//dev/random#Linux

> --
> 
> With Best Regards, Marat Khalili
> 
> On July 30, 2016 6:04:42 AM GMT+03:00, Nick Williams 
>  wrote:
> 
> It took me a while to get back to this (it’s not a
> mission-critical server, but I have hit a point where I really do
> need to get it working again).
> 
> `apachectl restart` hung for many, many minutes without any input, 
> and I eventually quit it. I ran it again with `strace -Ff
> apachectl restart`. Towards the end it had read all of the vhost
> config files and opened up the request and error logs configured in
> them, and it read the media types config file:
> 
> [pid 22537] read(35, "# This file maps Internet media "..., 4096) =
> 4096
> 
> But after that is where things got weird:
> 
> [pid 22537] mmap(NULL, 8192, PROT_READ|PROT_WRITE, 
> MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f73aff27000 [pid 22537]
> open("/dev/random", O_RDONLY|O_CLOEXEC) = 35 [pid 22537] read(35, "
> p$\242\33\241", 1024) = 6 [pid 22537] read(35,
> "\205\31\345\274A\336", 1018) = 6 [pid 22537] read(35,
> "\335\16\7\370\343\311", 1012) = 6 [pid 22537] read(35,
> "\265\362\20}F\234", 1006) = 6 [pid 22537] read(35,
> "\223}\\\0+\242", 1000) = 6 [pid 22537] read(35,
> 
> Each `read` line there took about a full minute. It’s spending 
> FOREVER reading from /dev/random. That led me to try to read from 
> /dev/random, and it is only generating a byte every few seconds. I 
> don’t know why, but /dev/random appears to be borked on this
> machine.
> 
> I changed ssl-global.conf to use /dev/urandom instead of 
> /dev/random, and it started right up in a matter of seconds.
> 
> I know this is now off-topic, but does anyone know why /dev/random 
> would suddenly be gathering almost no entropy? I have never had
> this problem on this system before.
> 
> Thanks,
> 
> Nick
> 
>> On Jul 16, 2016, at 9:56 PM, Frank Gingras > > wrote:
>> 
>> Try to use apachectl restart instead to bypass your init
>> scripts. The latter are likely to hide actual errors that would
>> appear on STDERR.
>> 
>> If apachectl restart still gives you that error, perhaps your 
>> distro mangled it as well. Then, I would use strace with httpd
>> -X to get the complete picture.
>> 
>> On Sat, Jul 16, 2016 at 6:47 AM, Nicholas Williams 
>> > > wrote:
>> 
>> I have a server running OpenSUSE 42.1 with stock Apache HTTPD 2
>> installed from the package manager. It has been running without
>> issue for well over a year. We've restarted the service and the
>> server since then without issue. The service always starts  on
>> its own when the server boots.
>> 
>> Last night we had a power failure. The sever came up fine. All 
>> services, including MySQL, started fine. No obvious issues appear
>> anywhere. But HTTPD didn't start automatically. So I logged in to
>> the server to investigate and try to start it.
>> 
>> `service apache2 status` said FAILED with no details. 
>> `/var/log/apache2/error_log` showed nothing since the day before
>> the power failure.
>> 
>> `service apache2 start` hung for about 2 minutes, and then said
>> FAILED with no details. `/var/log/apache2/error_log` still showed
>> nothing since the day before the power failure. There was nothing
>> in the system log since my log-in to the server.
>> 
>> So I tried `strace -Ff service apache2 start`. The only thing I
>> see suspicious is it calls open on 
>> `/run/systemd/ask-password-block`. It appears it times out after
>> never receiving a password. But I have no idea why it would do
>> that. None of my SSL certificates have passphrases, and I've
>> always been able to start HTTPD without a password.
>> 
>> I'm at a loss here. Any suggestions?
>> 
>> Thanks,
>> 
>> Nick 
>> -
>>
>> 
To unsubscribe, 

Re: [users@httpd] Is it possible to set different protocol for particular User-Agent?

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Daniel,

On 8/3/16 4:55 AM, Daniel wrote:
> No, by the time the user agent or any actual http data gets to be
> seen the protocol/cipher and complete ssl connection has already
> been stablished.
> 
> 2016-08-02 23:26 GMT+02:00 ghost  >:
> 
> Hello there,
> 
> I was trying to show a notice page to IE6 users since my site 
> doesn't support SSLv3 anymore. And the problem is how to enable 
> SSLv3 only for IE otherwise the IE6 users won't be able to see the
> page.
> 
> I found some tricks about '' in the documentation, which 
> allows me to set different protocol and cipher suites for
> particular URL. I wonder if there is a method to set the protocol
> for particular UA?
> 
> Thanks, ghost

There *is* a way to do this.. kind of. I did it long ago when we were
thinking about changing our protocol support, etc. I no longer have
the configuration, so I'll explain what we did:

1. Configure mod_ssl for the lowest protocol/ciphers you will support
2. Use  and/or  to change the TLS protocol
requirements for truly sensitive communication
3. Use mod_rewrite to check for certain protocols / ciphers and
redirect to a "protocol support is being dropped" page
4. Set a cookie when the user ACKs the protocol support change

It's messy, but it works.

The real solution is to simply disable SSLv3 since everybody has done
it already. MSIE6 can just die.

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJXqf2XAAoJEBzwKT+lPKRYfiYP/3/2pY4U3V4YFCEkpY/N7VjP
uTO7PWb8f7GvNW7X0BT0RMkq1bhdw1N8lV6xWfouMgOAjwPYoHjLMHOyDFIdJUu/
5CA77bt7k4tijXHqJE3eINY4MJZ6Z/4XC41UYeSDTJBXdVFnEW/H2kOBC8yIWaQm
vQrDp5a8TEWCQ3UMU5UiBlT2X/7qAd0GK6KUW4z+PC09u/packXspZ+cfs+O7h7I
JDK8rRflIqVL1jELVRrqbj6js8jTgONV9PN7ArEGrWdiZG7ARaXM5C+BO6LN1zqf
qlW7tBRL6OksFaBreA4plhgCQOZjyGNb+LgXB/3xWF0Qb5fx+02Fzwdc14Cf4Im7
yIMYPAhSq+Myt9i5dFl5dustsYk39Gy9ro0gRulsXhPcrqiip6ldCHahN3sn1R03
u+HRIFIMYySmr+SKkdZK+JQ7Y/Qvtyw0RCkLReidwLhKqTkf9F3gVVcmQUqYLk7g
E3UiXsioy9TMiywbE8RSKC+8E+L0OG4kv5s4EHZ11F8ja38cDqrGdXOFt1L6yk/S
T801Oh4uMfJalpfTrlDUeOINB4G27G621tfZHBpjE42vO2Hle0BV2tmp9WzPDjwz
6sFCfKmn/cDT3vCiegxlsE2XtiADRPexHdoEzWm9m8ZoQGVW65ip0RkNUFcjmf2q
KQZGC5YToFII1lj5wE49
=UN7o
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Location location location

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Eric,

On 7/18/16 2:12 PM, Eric Covener wrote:
> On Mon, Jul 18, 2016 at 2:10 PM, Christopher Schultz 
>  wrote:
>> I believe by putting the exception-Location first in the
>> configuration file, I should be able to trump the general
>> configuration affecting the "/" URL-space, right?
> 
> 
> Matching location sections get merged together in the order they 
> appear.  Meaning the 2nd is applied on top of the 1st.
> 
> For authorization, the default is to replace.  Meaning your
> override should be 2nd.
> 
> You might have some addl complexity by using the compat module for 
> Order here. I would avoid it!

I tried:


 Require ldap-group



 Require all granted


... and I'm still getting 401 responses. :(

(In fact I tried it before posting, 'cause I didn't want to make an
idiot of myself for not trying an obvious alternative!).

Hmm... it seems I'm running Apache 2.2.22 with whatever Debian has
back-ported to it (I assumed it was 2.4, since we have that deployed
nearly everywhere these days). Does that change the incantation I need
to replace the "Require" directive in the .well-known Location?

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJXjR/QAAoJEBzwKT+lPKRYaeUP/RF6emHi2DgT97xRDp7xoXb3
fNU+PrluzhjIGuqnYCGnpvcQ18fVa75R6qLITyH/hCquJKCNR9qZ+I3AQr//HH5O
FWVHcZxS0is1yxugG6Dl+hghIAPKfCd7gbPDoJnirGQoxQwTFnvdPcOyYUK16X1N
KerTDq0LGJTASWGFxO/eifvrtcHy84aCjQSQtfqBboJpoOBzf57cZVEW4hU0e0jl
vghsxSjyo7hWhCRQI3zyj34nnKjznVHOObNM9DKQXTBcHrR+L3UFx5nhHN6GwrdP
KbNCngPWYLHd0Vh2+WR7URzQ2ehO89jEvd9y0RwZbeBnU8DFLEAoWZJEFo0/kfTf
ZEdvtkC9OEeEHldSIwNri68QSKoDGoYuGVtlT2kaPbCoqcpYq5xYoME/GHl067DX
7vARHZtUjOvFVAZxGxRdI2LWe/Nh1ZaErG8f1OlWTCv7vnr11vOFfdQi8zYydW/l
L//4SqZ4ZJxgBTp4qMaLQArRtio03sA7YTIM0h/m8qdL7F2beSn8IE6PmDEVrwak
Pm6P3Z9asp/hGtlrLw9V/+mIjH8vQD9IonJh+ewM3ea7xI3/qNGHcx6Q1Llhd6I+
mPWGrBMyftrINPKdspdoRFvWWH3up5d3tmFbA5dGDoRPqjg51SSkioFjfkIuJGx6
B2h41PDPlLYcY8sP7xyV
=O9+B
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Location location location

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

All,

I have a long-standing configuration for a private server where all
users must authenticate against our LDAP server. Something like this:


  AuthType Basic
  Require ldap-group mygroup


I'm trying to use certbot to get a TLS certificate for this domain
from Let's Encrypt, and I'm having trouble getting LE access to the
server: I keep getting "401 Authentication Required" responses.

I changed the configuration to the following:


  Order allow,deny
  Allow from all
  Require all granted


  AuthType Basic
  Require ldap-group mygroup


And restarted. My LDAP stuff still works, but I can't access the
"/.well-known/" URL space without authenticating.

I don't have any other authentication-related items in this VirtualHost.

I believe by putting the exception-Location first in the configuration
file, I should be able to trump the general configuration affecting
the "/" URL-space, right?

Thanks,
- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJXjRuEAAoJEBzwKT+lPKRYDZYQAJcvDQ+hmK36CEBA9jdDnBwY
p1SG/6dhB/dA6aUrn2O8BLKBnyQKZKeNvm4M4U0tDyxpgvbjivsvW38ZpQjfyi4s
BnJJtaBB1NRVC+/NGGy2iry47cRTRXjibY+CCpL6zKp4R1G0DcustjA8xS6k3PRd
7GTaViUJaHQ53tDT2lJRHhhG6QGunyUtzUBvF4+LaM2rGW0AOk7UrHreNeMibfNc
1k7LDlM6Y2m7k9GoKGy1sN0mpFIzC64xEsEunGN6Qk8OzCdUeOJShCm/T7Ka3rvE
uZp5LT5foqXLxJ56HiBqNyHo44s0KHuu5LX9CiPLInwyWNFKE2gxcTbKfyfZG5L6
ZBZbGYCqoptTO9nNDxa1uJ87UwfLseEf5YcbP+GAORmrllfi6o8dLgm1umN/KETK
auRqyrCFy+yTc6j24SRdqAB9p25RVm5FFsrRZcyIOlUos4hPnYhl5PZOs04qik0a
6LXbTTFvc8zBLSDUbZS0rSN/czvfc6R1kovvBZ9RfE6q4asg/ftAelTOF3Gef/TQ
JEE4zuBOTP/M1V6wXdjKMx0CZ4yL9GTJFHz5jMFEWXSwgzTuazAgN0q1PE2pk+94
sI/eDMJ1U3DnT8R/1ueYcPkEJF6yH7+z/HmOubx9/gSBZyWlGYUEu3CMxhqh0xIh
k96615lXGbZ1c3qCY9tG
=1Zj1
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] find IP and PORT in use by Apache

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Mahmood,

On 6/21/16 5:43 PM, Christopher Schultz wrote:
> Mahmood,
> 
> On 6/21/16 2:54 PM, Mahmood N wrote:
>> You know, the problem is that compute nodes in Rocks
>> distribution use Apache web server to locate the install image.
>> Currently, the compute node, says Unable to retrieve 
>> http://10.10.10.1/install/rocks-dist/x86_64/images/install.img 
>> <http://10.10.10.1/install/rocks-dist/x86_64/images/install.img>
> 
>> The guys on Rocks mailing list suggested that
> 
> 
> 
>> the root of webserver tree is: /var/www/html the install 
>> subdirectory is soft-linked to /export/rocks/install if the 
>> webserver can't find the install.img, then your distro is likely
>>  corrupted. To fix that problem: # cd /export/rocks/install;
>> rocks create distro If you have somehow changed the configuration
>> of the webserver on your frontend, you need to figure out what
>> was changed.
> 
> 
> 
>> However, the soft link is present
> 
>> root@cluster:~# ls -l /var/www/html/ total 36 lrwxrwxrwx  1 root 
>> root   30 Apr 29  2014 blast -> /opt/bio/ncbi/network/wwwblast 
>> drwxr-xr-x  2 root root 4096 May  2 15:46 download drwxr-xr-x 17 
>> root root 4096 Apr 29  2014 ganglia drwxr-xr-x  4 root root 4096 
>> Apr 29  2014 gromacs drwxr-xr-x  2 root root 4096 Apr 29  2014 
>> images -rw-r--r--  1 root root0 May  1 14:28 index.h
>> lrwxrwxrwx 1 root root   21 Apr 29  2014 install ->
>> /export/rocks/install drwxr-xr-x  2 root root 4096 Apr 29  2014
>> misc drwxr-xr-x  9 root root 4096 Apr 29  2014 phpsysinfo
>> -rw-r--r--  1 root root0 Apr 29  2014 robots.txt drwxr-xr-x
>> 14 root root 4096 Apr 29  2014 roll-documentation drwxr-xr-x  3
>> root root 4096 Apr 29  2014 rss drwxr-xr-x 24 root root 4096 Jun
>> 1 03:09 tripwire
> 
>> root@cluster:~# ls -l /export/rocks/install total 20 drwxr-xr-x
>> 3 root root 4096 Apr 29  2014 contrib drwxr-xr-x  3 root root
>> 4096 Apr 29  2014 rocks-dist drwxr-xr-x 17 root root 4096 Apr 29
>> 2014 rolls drwxr-xr-x  2 root root 4096 Apr 29  2014 sbin
>> drwxr-xr-x  3 root root 4096 Apr 29  2014 site-profiles
> 
> 
> 
>> The front end (the head node) has not been rebooted for more
>> than 2 months, and I have some how configured the httpd for some
>> tests!
> 
>> Now I see that something went wrong.
> 
>> Do you have any idea?
> 
> $ ls -l /var/www/html/install/rocks-dist/x86_64/images/install.img
> 
> If there is a file there, check:
> 
> 1. Directory read-permissions for all directories in the above
> path (ensure that the httpd user/group can execute)
> 
> 2. Symlinks are allowed in /var/www/html (this will be an
> "Options" directive in httpd.conf)

Also, log files are good things to look at.

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJXabc1AAoJEBzwKT+lPKRYnpAP/R3/kGwyZVdG1uRANEHJ3oyH
ef4RlGAtqwxA6o/whFlF5SDoHSod+MoRQbJDL1uopm3bNUg0jpzzELNFV9/IK598
MmVScQg4xhvGT9Z/hf0PYr+1Ytbz7lu8xQp9rLxjZn5W8jHbcYuhA8oZTB7ws2vD
lzyZAi952G37bzBknz5FKNgf9ztzDGAkypB4kiiAzEXXwuUy36F2RZNX9Tm0cQ7Z
MV/m94Ezx2FDdHwowtJfvvSYvy/knxNT8cVyzZ9kmFOteUM7MlUBJBZCAqvxZCk1
hhV7V8qbIjC/A9J87Ir+Kg8yia+FuJ0KTxMa50OGn8kJL3J3c9sR/JcCeAKlMilv
LiyZjWf1cCbyRG1vTNC7xdtJ0Pl+wnZdp8u5XsKjA5luqI1JKLeufGmaOK+UaZOd
2OHZWaGIiYLg+1UTt7TUVj7BVsQ/W1lSEAeaxXp7gpmC3M9C1IE4jhD1lkARDV9H
Gfvf/aNxHDVYo9vPI0jrudan4TWjTdcVGmFnAQ2RQ+HW4xggwfu+jzLN2J9vXK18
4axBcoSJ1hr4k7ABXGKHiwToifW/Qd75i2kYRDh9AzXYzu1KkABSRkoQqYXfj7sg
baI4XUJRedldHSh1HynDc7LSBa2joPboDsXuKjVXkKBRWWgu7VWey901auy3NQGe
alqDWj+lqmnLhU5799oN
=MgJp
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] find IP and PORT in use by Apache

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Mahmood,

On 6/21/16 2:54 PM, Mahmood N wrote:
> You know, the problem is that compute nodes in Rocks distribution
> use Apache web server to locate the install image. Currently, the
> compute node, says Unable to retrieve 
> http://10.10.10.1/install/rocks-dist/x86_64/images/install.img 
> 
> 
> The guys on Rocks mailing list suggested that
> 
> 
> 
> the root of webserver tree is: /var/www/html the install
> subdirectory is soft-linked to /export/rocks/install if the
> webserver can't find the install.img, then your distro is likely 
> corrupted. To fix that problem: # cd /export/rocks/install; rocks
> create distro If you have somehow changed the configuration of the
> webserver on your frontend, you need to figure out what was
> changed.
> 
> 
> 
> However, the soft link is present
> 
> root@cluster:~# ls -l /var/www/html/ total 36 lrwxrwxrwx  1 root
> root   30 Apr 29  2014 blast -> /opt/bio/ncbi/network/wwwblast 
> drwxr-xr-x  2 root root 4096 May  2 15:46 download drwxr-xr-x 17
> root root 4096 Apr 29  2014 ganglia drwxr-xr-x  4 root root 4096
> Apr 29  2014 gromacs drwxr-xr-x  2 root root 4096 Apr 29  2014
> images -rw-r--r--  1 root root0 May  1 14:28 index.h lrwxrwxrwx
> 1 root root   21 Apr 29  2014 install -> /export/rocks/install 
> drwxr-xr-x  2 root root 4096 Apr 29  2014 misc drwxr-xr-x  9 root
> root 4096 Apr 29  2014 phpsysinfo -rw-r--r--  1 root root0 Apr
> 29  2014 robots.txt drwxr-xr-x 14 root root 4096 Apr 29  2014
> roll-documentation drwxr-xr-x  3 root root 4096 Apr 29  2014 rss 
> drwxr-xr-x 24 root root 4096 Jun  1 03:09 tripwire
> 
> root@cluster:~# ls -l /export/rocks/install total 20 drwxr-xr-x  3
> root root 4096 Apr 29  2014 contrib drwxr-xr-x  3 root root 4096
> Apr 29  2014 rocks-dist drwxr-xr-x 17 root root 4096 Apr 29  2014
> rolls drwxr-xr-x  2 root root 4096 Apr 29  2014 sbin drwxr-xr-x  3
> root root 4096 Apr 29  2014 site-profiles
> 
> 
> 
> The front end (the head node) has not been rebooted for more than
> 2 months, and I have some how configured the httpd for some tests!
> 
> Now I see that something went wrong.
> 
> Do you have any idea?

$ ls -l /var/www/html/install/rocks-dist/x86_64/images/install.img

If there is a file there, check:

1. Directory read-permissions for all directories in the above path
(ensure that the httpd user/group can execute)

2. Symlinks are allowed in /var/www/html (this will be an "Options"
directive in httpd.conf)

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJXabUZAAoJEBzwKT+lPKRYIHoP/jeLeM+/Su0rOD8QzclHtJVl
nuAryFKjTyo3JtcemNhfJ3u8/htRxyJJYfuBSt0qbStKr/pTl8r2E7fS5SjAM9A6
+/sndQaFcWXpRkikr1y8Axax30V8iXp6oml0zp0Y5ztGQTHe9mZqRwY9bXcB5Uar
8H1GZGUC17EoqAD9qKeCuDYMOIddukweNFKQnyv0oOFHjzOyfpiF9rJ9aeHXVi03
/BwRirVypackvs1qah+fqcswg9qsjQ66mel+H1DjMTzBf8sk0ZISHNO64dd57BIq
RJS/oJiTf82aS7UCJAUkB7QG8pBc3b2wTbkXQNYLevM9KDt88c2bYUPqP9HNxsTb
eIRPIVqqOlgKuAJhI1zGDalnCEGXuXPm2HEhSaoBXw6gaBTzIbTi3YGLGTJDY6+x
DrM37Iz/iiqRohiH2YJG4yZ9/poqc7LcGqDhfaRoIDTFadjDJ0JsHDJ7rWyxSwko
DkXkIkqnmGM5Wl9Q7SmhsNEq7walwmH2BwiGA7K0XhlguRajep8MvtyAyJWsPR4l
NbuFlN92gdjtMHU+7WHqT53gFnSaq5Bs475W/WprXlBUOpNlLvW2fdF1ChuYzFLu
h3w2QSyoBWYxw3iFnEOTyJHGe1Dt2csWvb4KbhrgDKHf+bEg3plIJC8dHlBsKK+5
SBuf4PdMQqjQhV3Tql/1
=d0RY
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] find IP and PORT in use by Apache

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Mahmood,

On 6/21/16 2:45 PM, Mahmood N wrote:
>> tcp 0 0 0.0.0.0:5666 0.0.0.0:* LISTEN 28122/xinetd Shows the
>> port, 5666, the PID, 28122, and the program name, xinetd
> So, you still don't know what is the IP address (network
> interface)? I mean eth0, eth1 and ...
> 
> Mine is different!
> 
> root@cluster:~# netstat -pat | grep httpd tcp0  0
> *:ulistproc *:* LISTEN  3940/httpd tcp
> 0  0 *:https *:* LISTEN
> 3940/httpd

It helps if you don't grep-out the header line that tells you what the
fields mean:

$ sudo netstat -pat | grep '\(^Proto\|httpd\)'
Proto Recv-Q Send-Q Local Address   Foreign Address
  State   PID/Program name
tcp0  0 *:http  *:*
  LISTEN  1362/httpd
tcp0  0 *:81*:*
  LISTEN  1362/httpd
tcp0  0 *:https *:*
  LISTEN  1362/httpd

The fourth column tells you the local address, and the "*" means "all
interfaces".

If you use the "-n" switch, you'll get:

tcp0  0 :::80   :::*
  LISTEN  1362/httpd
tcp0  0 :::81   :::*
  LISTEN  1362/httpd
tcp0  0 :::443  :::*
  LISTEN  1362/httpd

So you can see the IP address is "::" (IPv6 "unspecified address")
which means the same thing.

>> The only directive that causes Apache to listen on a network
>> interface is "Listen".
> 
> As I said, that section is commented. So, there should be a default
> ethX and port.

The default interface is always "all interfaces". IF you want to
listen on a specific interface, then do:

Listen 172.20.54.10:80

https://httpd.apache.org/docs/current/mod/mpm_common.html#listen

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJXaY5AAAoJEBzwKT+lPKRY3Z8QAJrvzXMBShddQxhIGcfRoWf0
kRHTCT1MF8tDK8xClJQzq/gDXO2Zcvdc6HGWU5Kdx+3si0RLlHi9bOpZL/jzJBuu
Bu3QtveAfEeoh+BIZuIrgLK5QLVRkE+jZGXK82xeDdFQSHAMVz078JysDJha1rCK
AnPf28NMJ4SJaKv1j1ai/8rzFNYO5/uYWQdfcl1job07Je0msdbcfPAw+aG4FV+z
Y1XFzhhFn0nAXZvLSMB+IQYiQHpsE7Mre7LKXlkpi/M4930pBauWjaFiPULgVTHu
dqJxLyTUsw3eCZ+56dcWz2bqh6sOUrk16rUezG0WCZW3piOgS98AG29s7aBuzm2X
n1FAteifWHaHULw28neX49cfpqQlYOvt97nFUaBqH1wcVpIprXA3sldzwe7BYz6S
SpyeRziG7slQD5y68t+Zo2/spJbu/jnIptywGAJyinvhcq/RvsuXo0vHHPwPzIAW
E65qqHNN1BFinlkRQWN1SbJ14xQO/EziPa/RN9qmlhz8tMweSQrpb2iHG/tIij2R
1V6umfjGYZQth5POcI8QaCnx+yMMP1gCh4HXp2wxVUDLgw1GN40PSqPGdezjaWfr
Zj3jif53qvN1Qj57SEETWF3x1Qfff68Un1GM+t8nsEicfnhBcUYePmN+DCHxCNsh
5LixcYjFtA3KfmimkJi7
=N1l5
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] find IP and PORT in use by Apache

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Mahmood,

On 6/21/16 2:29 PM, Mahmood N wrote:
> How can I find which IP:PORT Apache web server is monitoring? There
> are some network commands (netstat -pat), but they show the TCP
> port in use. The machine has multiple network interfaces and the
> |Listen| section in |httpd.conf| is commented. So, one of the is
> used by default and I don't know which one is set as default.

netstat will show the interface in use as well as the port number.

> Any idea to find that? The linux is Cenos-6.1 running rocks.

The only directive that causes Apache to listen on a network interface
is "Listen".

Remember that "Include" can be used to include other configuration
files, so if you are searching only httpd.conf, you may need to look
in other files as well.

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJXaYlsAAoJEBzwKT+lPKRYHPMQAJlXoJsitHD46+DHSzl1sHrQ
HzLY/K3nkA8xPfZU9rwhvxUXsXDjsoLPSx+egGkJzu+DMJQVVRzJBtPNdxc46ERO
/YgJGAJzLgAZ0Z/HZQO/TBRcuQltH0xYidbsPezCJyH7le7Voih2N20E3jrqqXIZ
ZYlc6HhqhRZ3lV3GZBqlM3PNtf5gzadxCIpBiMQeSH/Rrhaq6y3J3a+O7RfqwIlO
rit5GWYDd5P3GIFgo7nrr3quKXl8qyVB/Zq1cfZzVOWLR2JKIp2QhqOK/Q5eWIvg
pqex2ztpMVJdCM8hVT3B6kcx4Zkfo2gvg/UjTW2QLsMJos6L83GO5w7/bWagYc6Y
Y3MJp2R3aqHS/kRieVVN+Bn6c5VF8cIBS1tQvEaZXM/elG2IALY01PxJrYatE5QO
+AegdtizKyqk22p2weCYL08MJXH6GR6XzSlWuQmwxvFCeDcK2GtFqUfy8MvE7Ak+
rn5ejV7pFJ+ywhaj3JmYogefckvS4Tr+4HqgIHhJsLkszMFWdWCeMKTWILhNBnVL
7FzcvBXsg/ryOS9LS8WAawnYSHQJK3a3G5+ADDRFJtsFJ4nRDYJlI8gi6YfVYh0y
IFXzn1WT/2UEl2yRJ87L7hTMFF8mftFBH5JGlWPR5MrJeEcMiMisoR8hBLJqUBv2
OLXp5MWIyoj38sSZQ7JG
=COPy
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] LetsEncrypt.org with Virtual Hosting

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Filipe,

On 6/14/16 3:15 PM, Filipe Cifali wrote:
> Your are probably hitting the wrong cert file, check with:
> 
> |openssl s_client -connect example.info:443
> |
> 
> You can also try to disable the first SSL and check if you hit the
> right one after.

You may have to do this:

$ openssl s_client -connect ip_addr:443 -servername 'example.info'

This will allow you to connect to a local test machine and still tell
the server that you are trying to connect to example.info.

Rich,

Why are you using example.info instead of your actual domain name?

- -chris

> On Tue, Jun 14, 2016 at 4:08 PM,  > wrote:
> 
> For some time, I have been hosting about 10 sites unencrypted.
> But since people other than just myself will be using my
> squirrelmail, I decided to encrypt my server.  I had delayed it
> simply because keys are too expensive to buy, but now I learned
> about LetsEncrypt.org and have been working in that direction.
> 
> So far, I moved two websites over to this server, example.com 
>  and example.info .  My 
> first test of the LetsEncrypt software was of the form of:
> 
> # letsencrypt-auto -apache -d example.com 
> 
> but I ran into a caveat with www.example.com 
>  not being accepted.  I decided to re-run 
> with the other domain included as well, so I did the remaining
> three combinations:
> 
> #letsencrypt-auto -apache -d www.example.com 
>  -d example.info  -d 
> www.example.info 
> 
> The conf files for the sites are fairly straight-forward in my 
> mind.  There are four of them:
> 
> #/etc/apache2/sites-available/80-example.com
>    
> ServerAdmin webmaster@localhost DocumentRoot
> /var/www/example.com/public_html/ 
>  ErrorLog
> ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log
> combined ServerName example.com  ServerAlias
> www.example.com   
> 
> 
> #/etc/apache2/sites-available/443-example.com
>    
> ServerAdmin webmas...@example.com  
> DocumentRoot /var/www/example.com/public_html/ 
>  ErrorLog
> ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log
> combined SSLCertificateFile
> /etc/letsencrypt/live/example.com/fullchain.pem 
>  SSLCertificateKeyFile
> /etc/letsencrypt/live/example.com/privkey.pem 
>  Include
> /etc/letsencrypt/options-ssl-apache.conf ServerName example.com
>  ServerAlias www.example.com
>   
> 
> #/etc/apache2/sites-available/80-example.info
>    
> ServerAdmin webmaster@localhost DocumentRoot
> /var/www/example.info/public_html/ 
>  ErrorLog
> ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log
> combined ServerName example.info  ServerAlias
> www.example.info   
> 
> 
> #/etc/apache2/sites-available/443-example.info
>    
> ServerAdmin webmas...@example.info  
> DocumentRoot /var/www/example.info/public_html/ 
>  ErrorLog
> ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log
> combined SSLCertificateFile
> /etc/letsencrypt/live/example.com/fullchain.pem 
>  SSLCertificateKeyFile
> /etc/letsencrypt/live/example.com/privkey.pem 
>  Include
> /etc/letsencrypt/options-ssl-apache.conf ServerName example.info
>  ServerAlias www.example.info
>  
> 
> Notice that SSLCertificateFile and SSLCertificateKeyFile are the 
> same for both of the domains, because they use the same key of 
> example.com .  The website, example.com 
>  works perfectly fine.  But example.info 
>  has serious problems (On the order of 
> NET::ERR_CERT_COMMON_NAME_INVALID).  Who has an idea on how to fix 
> this?  I can't experiment too much because I'm limited to 5 keys
> per week so learning this myself is a very slow-track process.
> 
> There are a number of HOWTO documents out there, but there is very 
> wide variance in their steps that I have little confidence in
> them, but have chosen one and decided to try at it.  Once I get
> this established, I promise to write a blog article explaining the 
> procedure a little bit better
> 
> 
> -
>
> 
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
>  For additional
>

Re: [users@httpd] SVN checkout of latest official Apache release

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Mike,

On 6/8/16 12:10 PM, Mike Rumph wrote:
> 
> On 6/7/2016 5:54 PM, Balcos, Michael wrote:
>> 
>> Hi Mike,
>> 
>> 
>> 
>> Thank you for the reply. I believe that I’ll have to write a
>> script in order to know what is the latest official release of
>> Apache 2.2 under 
>> https://svn.apache.org/repos/asf/httpd/httpd/tags , and then do a
>> svn checkout on the said release. I need to automatically get the
>> latest official release of Apache 2.2 (and 2.4). I will proceed
>> to write the script with the information you’ve given. Thanks
>> again. J
>> 
>> 
>> 
> Hello Michael,
> 
> Forgot to mention the obvious. The easiest way to know the latest
> official release version numbers is from the Apache HTTP Server
> project home page:  http://httpd.apache.org/

I think Michael was hoping for an "always current" URL he could hit, lik
e:

$ svn co https://svn.apache.org/repos/asf/httpd/httpd/tags/2.2.x-latest

A redirect that sent that to
https://svn.apache.org/repos/asf/httpd/httpd/tags/2.2.31 would be kind
of nice.

That would allow an automated script to always pull the latest
version, rather than having to screen-scrape the project home page.

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAldZ0mAACgkQ9CaO5/Lv0PAELgCfZ5G7u0jpheEUihuMu6RNabtV
1ooAoLxx0f3+lprDn4rlD+6c0d2lV3f4
=G3Dd
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Secured connection between Apache Httpd and Tomcat over AJP protocol

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Mohanavelu,

On 5/25/16 10:16 AM, Mohanavelu Subramanian wrote:
> Hi All,
> 
> Good Morning.
> 
> I have Httpd process and Tomcat instances both running on 2
> different machines. The communication between them happens through
> AJP protocol (mod_jk) which doesnt support encryption. But we are
> using some features of mod_jk like automatic passing of security
> information like SSL certificate to tomcat which inturn is accessed
> in our application, validated and verified.
> 
> Now, we have requirement to make the communication between them as
> Secured. Since AJP doesnt support encryption, I came to know that
> we need to use SSH, IPSec. But I could not find any proper document
> to configure SSH or IPSec for AJP. Could please share if you any.
> 
> I have considered mod_proxy_http as well for supporting security
> which is easy to configure as well. But as I mentioned above we are
> already making use mod_jk features. Again it will require more
> efforts to migrate from mod_jk to mod_proxy_http.

https://wiki.apache.org/tomcat/AJP%20with%20stunnel

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAldFywUACgkQ9CaO5/Lv0PD+HgCfRLwHwEDFFPXcWUhHNUQw/E6o
BH0An2M8pvWl/RNK+K3dNOJRQSDoTgtC
=INoF
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Apache mod_dav alternatives?

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Bjoern,

On 5/21/16 5:08 PM, Bjoern Voigt wrote:
> I am using Apache as a web and proxy server, but I am unhappy with 
> Apache as a WebDAV file server.
> 
> I am missing a good file permission or ACL configuration in Apache
> mod_dav.
> 
> My wishlist:
> 
> * "good/flexible" permission control (important) * stable and
> secure (important) * Apache >= 2.4 based or an Apache alternative
> (important) * permission control delegable to some users (nice to
> have) * compatibility with Samba and local users (nice to have)
> 
> The Apache path-based access control with directives like
> 
>   
> require user user1 
> 
>  require group allusers  
> 
> 
> is inflexible, even in small user groups.
> 
> Do you know good alternatives? (Please do not suggest Apache < 2.4
> alternatives. Some good projects have stopped development and are
> incompatible with Apache 2.4. Apache alternatives are welcome
> too.)

mod_dav + mod_auth_ldap + LDAP server?

We use this internally and have scripts to take a somewhat simple
permission-configuration (e.g. /foo can be read by group foo and
writable by group foowriters) and produce httpd.conf-style files with
, , etc. directives for those rules.

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJXQlAzAAoJEBzwKT+lPKRY13gP/jP9doBi2ca0jN5ShWbKd59K
+zCbf40wPn/HPnE7WbxN+TmzMtlYeQBSeDuj9YkRHGATMfMoVgJ94CK1uWLtXmBL
/2HWfgZcB/CBDJsj4rYr5rD1DT2Z+GZZtHsXLnC+ySokCw0zSetTAz9LxWxtPv9z
VpL2/W2GM3THLYk47hAUQnLV8puHTtHGPubugHWDW3lPhY8FJjfS/PFMNktSKLz5
O4Ysxe1nk9JwxHx4WU4W/FoboH7wT8Rrph3lRejabpRXdqFhm6z2caK/a8lTysOe
FzevFLtFAI6Jqafrnew4moGBaK5LTPIerYB+vzjyhBk/Drbq87TI0IWXK2dBe3Ug
gYWb2OekFcGN8rOu5/f9aIiLhJkArM5zK7d4wHaVYZuWmu4aWKngbwu5/lq8g5au
oWOu+r7s2rsvAJg7jWjOJkHNPFvsjwjpX8N68borcK6ke2Ojw805gj29KDrQLq9k
Yt8koS6CMhUXLaMlqB+v9bYkBErUH1jW4LryQW8jXSagN0I+hOLRZT3xB5exWmfC
PvwKVQFhU8N9NFS6/csjMZHSmVa/i3Q8rQDldWT54CqUIFeq7X3W5s5T3KJtHnkx
ntL1HiO6AdiEABmdBZDZ2eJbMiNmhLDWnALvQ2ZAd5mwb/a1TZlJR08odtwds4gg
pYaFHWZpvjF1LtIan4Do
=UNgs
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] One page hanging entire server

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

D'arcy,

On 5/9/16 2:16 PM, D'Arcy J.M. Cain wrote:
> This weekend at various times my server was brought down.  I saw
> one process using over 99% of the CPU.  No pages could be served
> while this was going on.  I found the culprit.  It was a Wordpress
> site and the script was wp-cron.php.  I stopped it by adding a line
> to wp-config.php as
> http://geektnt.com/how-to-solve-wp-cron-php-high-cpu-usage.html
> and other sites suggested.
> 
> However, I am still confused how this one process was able to block
> all other pages.  I have MaxClients set to 100 and 15 other cores
> that they can be run on.  Why didn't my server continue to serve
> requests?

What kind of response were you getting from your server when you
connected with another client? Timeout? 503? 500?

If you tried to hit another WordPress page, it probably ALSO called
wp-cron.php which tried to hit the db to check for outstanding tasks,
and that call probably got blocked by a db record or table lock.

I'm guessing this is really a question for the WordPress community.

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlcw8msACgkQ9CaO5/Lv0PDhdwCfZQg66WfTk++WjLTsEBYMrnrD
QVEAnipEMAPXxPhYRlz5/zYzJ8iueHYd
=hyjH
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Not able to make .so file during install apache-2.4.18

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hemant,

On 4/12/16 6:40 AM, Yann Ylavic wrote:
> Hello Hemant,
> 
> On Tue, Apr 12, 2016 at 10:58 AM, Hemant Chaudhary 
>  wrote:
>> While installing apache-2.4.18 on Non Stop HP,  I am not able to
>> create .so file(shared file) which is required in httpd.conf. It
>> is creating  '.a ' file in modules but not ' .so ' . Please help
>> me through this.
> 
> Did you compile Apache httpd by yourself? If so, which "./configure
> ..." command line was used?

If you can't remember, your full "configure" command should be stored
in a file called "config.nice" in the same directory as the
"configure" script.

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlcM/Z0ACgkQ9CaO5/Lv0PDDYwCePHpxUG3yzITHRuMpYWAJytFM
c9oAnjpIRZe3w668omOxWBFKTuykarnJ
=UZh5
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: AW: [users@httpd] How to test my self-compiled Apache (overall and specifically LDAP)

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Daniel,

On 4/12/16 3:16 AM, Poggenpohl, Daniel wrote:
> can you point me to possible scenarios where mod_ldap would be 
> necessary?

If you want to use any of these directives in your httpd
configuration, then mod_ldap will be necessary:
http://httpd.apache.org/docs/2.4/mod/mod_ldap.html
http://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html

Basically, if you want to use httpd for authentication over LDAP.

> The docs say "websites relying on backend connections to LDAP 
> servers." I can't quite grasp it. Would it only be useful if I
> don't use any LDAP libraries in my website code?

I think that is more negatives than you had intended to use in there.

The only time you need LDAP-related modules in httpd if if you want to
use LDAP-related directives. If you use LDAP through PHP, it's
completely irrelevant: PHP contains its own LDAP support.

So if you only need LDAP support within PHP itself, you can ignore all
the LDAP-related modules for httpd.

> Do you know of example websites using this?

Using what?

> Oh, and did I understand it right that authnz-ldap is for basic
> HTTP authentication using an LDAP server?

The answer to that question is insanely easy to find:
http://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html

- -chris

> -Ursprüngliche Nachricht- Von: Christopher Schultz
> [mailto:ch...@christopherschultz.net] Gesendet: Montag, 11. April
> 2016 19:45 An: users@httpd.apache.org Betreff: Re: [users@httpd]
> How to test my self-compiled Apache (overall and specifically
> LDAP)
> 
> Daniel,
> 
> On 4/11/16 12:11 PM, Poggenpohl, Daniel wrote:
>> Hello everyone,
> 
>> now that I have a self-compiled httpd, I of course would like to 
>> test its features, or rather if all features are working right
>> when it is running. Is there a way to test my build in general?
> 
>> One specific thing that I want to test is LDAP. I know that a 
>> combination of system LDAP and system SSL works in my case, but
>> I also know that when I use a self-compiled LDAP, something
>> isn't working right. I can do an ldapsearch on the command line,
>> I can build a PHP file and use the PHP cli and it works, but when
>> I make requests over http that end in the use of LDAP functions, 
>> something's not right. So how do I test my httpd LDAP
>> functionality isolated?
> 
>> My httpd build has --enable-authnz-ldap, --with-ldap, 
>> --with-ldap-include and --with-ldap-lib configured. I also don't 
>> really know - if I even need the authnz plugin (doing no basic 
>> authentication if I'm right) - what possible values the
>> --with-ldap switch can get and what it does (I know it is for
>> apr) - why the --with-ldap switch doesn't work like other
>> switches (e.g. --with-ssl=/path/to/ssl) - if I even need ldap
>> support in apache if I only use ldap in php scripts
> 
> If you are only using LDAP in PHP scripts, then you don't need to 
> compile LDAP into httpd at all.
> 
> -chris
> 
> -
>
> 
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
> 
> 
> -
>
> 
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
> 
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlcM/WIACgkQ9CaO5/Lv0PAwwQCfZuTrD7nUXmVTk7cktxWrsg81
/x4An1a18AKnlLWPvU8Pbf/ffmRlU5i/
=qkWm
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] How to test my self-compiled Apache (overall and specifically LDAP)

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Daniel,

On 4/11/16 12:11 PM, Poggenpohl, Daniel wrote:
> Hello everyone,
> 
> now that I have a self-compiled httpd, I of course would like to
> test its features, or rather if all features are working right when
> it is running. Is there a way to test my build in general?
> 
> One specific thing that I want to test is LDAP. I know that a
> combination of system LDAP and system SSL works in my case, but I
> also know that when I use a self-compiled LDAP, something isn't
> working right. I can do an ldapsearch on the command line, I can
> build a PHP file and use the PHP cli and it works, but when I make
> requests over http that end in the use of LDAP functions,
> something's not right. So how do I test my httpd LDAP functionality
> isolated?
> 
> My httpd build has --enable-authnz-ldap, --with-ldap,
> --with-ldap-include and --with-ldap-lib configured. I also don't
> really know - if I even need the authnz plugin (doing no basic
> authentication if I'm right) - what possible values the --with-ldap
> switch can get and what it does (I know it is for apr) - why the
> --with-ldap switch doesn't work like other switches (e.g.
> --with-ssl=/path/to/ssl) - if I even need ldap support in apache if
> I only use ldap in php scripts

If you are only using LDAP in PHP scripts, then you don't need to
compile LDAP into httpd at all.

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlcL4psACgkQ9CaO5/Lv0PDOLgCgqrVJ2WcP2losW5XCTe0ZgrO4
DycAoITYkTBZ+YtQG6JQRWG/mtB86M66
=paaN
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] url forwarding

[Christopher Schultz]

K,

On 4/8/16 5:02 PM, K R wrote:
> The source url has "  &popular=HOT-TOPIC
> <http://myhost.com/index?page=content&topic=TVAR&popular=HOT-TOPIC> "
> 
>  http://myhost.com/index?page=content&topic=TVAR&popular=HOT-TOPIC
> 
> how do i remove "  &popular=HOT-TOPIC
> <http://myhost.com/index?page=content&topic=TVAR&popular=HOT-TOPIC> "
>  on the redirect 

You can use mod_rewrite to do just about anything. You can even mutate
the URL such that you don't even need to redirect the request.

Hope that helps,
-chris

> On Fri, Apr 8, 2016 at 11:57 AM, Christopher Schultz
> mailto:ch...@christopherschultz.net>> wrote:
> 
> K,
> 
> On 4/8/16 2:35 PM, K R wrote:
>> I have a need to setup a redirect  for around 3000 pages which are
>> in below format
> 
>> http://myhost.com/index?page=content&topic=TVAR&popular=HOT-TOPIC
>> --> http://myhost.com/index?page=content&topic=TVAR
> 
>> and here TVAR can be  any string  (   we have now around 500
>> different key e.g ALW , CAW,NYN,FLN )
> 
>> Is there a way to  do get this done on apache .
> 
> Those URLs look the same to me if you ignore the "popular" URL
> parameter. There is no mapping required at all. What am I missing?
> 
> -chris
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> <mailto:users-unsubscr...@httpd.apache.org>
> For additional commands, e-mail: users-h...@httpd.apache.org
> <mailto:users-h...@httpd.apache.org>
> 
> 

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] url forwarding

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

K,

On 4/8/16 2:35 PM, K R wrote:
> I have a need to setup a redirect  for around 3000 pages which are
> in below format
> 
> http://myhost.com/index?page=content&topic=TVAR&popular=HOT-TOPIC
> --> http://myhost.com/index?page=content&topic=TVAR
> 
> and here TVAR can be  any string  (   we have now around 500
> different key e.g ALW , CAW,NYN,FLN )
> 
> Is there a way to  do get this done on apache .

Those URLs look the same to me if you ignore the "popular" URL
parameter. There is no mapping required at all. What am I missing?

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlcH/zIACgkQ9CaO5/Lv0PB9rwCfVaR/veYSJ+W3toRy/v/r83VQ
L0EAoJI0eK+3IToK/IphXWeC1R5ltU6i
=kttx
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Self-compiled httpd and OpenSSL: Trying to start httpd without using LD_LIBRARY_PATH

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Rainer,

On 4/8/16 11:30 AM, Rainer Jung wrote:
> Am 08.04.2016 um 10:41 schrieb Rainer Canavan:
>> On Fri, Apr 8, 2016 at 12:31 AM, Yann Ylavic
>>  wrote:
>>> On Thu, Apr 7, 2016 at 5:21 PM, Poggenpohl, Daniel 
>>>  wrote:
 
 LDFLAGS="-L$OPENSSLDIR/lib -R $OPENSSLDIR/lib"
>>> 
>>> I don't know which compiler you are using, but gcc's -R is not
>>> working correctly (on Linux at least), whereas
>>> "-Wl,-rpath,$OPENSSLDIR/lib" is...
>> 
>> -R used to work for us on Solaris with gcc to compile/link/run
>> our own httpd / php / curl / openssl stack. However, I'm not sure
>> which linker we used to use. If ldd claims it's picking up the
>> correct libraries, I'd assume it should work at runtime as well.
>> In case there's any doubt, lsof may show which libraries are
>> actually used.
> 
> ... and you can check the result of the "-R" or "-Wl,-rpath"
> compilation using "elfdump":
> 
> elfdump -d /path/to/modules/mod_ssl.so
> 
> will show you exactly, what NEEDED library names the linker has put
> into mod_ssl.so and also the RPATH and RUNPATH setting it has
> written to that shared object.
> 
> You can use that command on any shared object or binary (PHP libs
> etc.). I typically use it on Solaris Sparc, but I expect it to work
> as-is on Solaris x86. On Linux the info is available via "objdump
> -p".

I'm speaking from a position of ignorance, here, but can a dynamic
library modify the main process's search path? If only mod_ssl is
compiled with the static-path to OpenSSL but httpd is not (and it's
not clear to me that httpd is missing this static-path), surely the
loadable module isn't modifying the process's library load-path, is it?

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlcH1fgACgkQ9CaO5/Lv0PDj/ACgikEWnZYxThJD5o1qqFwUkeUk
SiIAoLSZk/T16ua3Qkywx8yrX1IXapgt
=b0pp
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: AW: [users@httpd] Self-compiled httpd and OpenSSL: Trying to start httpd without using LD_LIBRARY_PATH

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Daniel,

On 4/7/16 2:52 PM, Poggenpohl, Daniel wrote:
> my setup is: I have a Moodle installation I need to run. So I need
> Apache, PHP, OpenSSL, iconv, mbstring, curl, zip, etc. . The plan
> is to have a relatively new PHP (5.6.20) and stay "new" with Apache
> and OpenSSL.
> 
> [snip]
> 
> This all didn't happen when I compiled OpenSSL 1.0.2g with SSLv2 
> support, by the way (we deactivated SSLv2 in our Apache anyway,
> and SSLLabs says we're in the clear regarding to Drown). With SSLv2
> support, PHP's configure finished without a real warning. And I
> could build it as well. So I frowned and accepted SSLv2 support for
> the moment.

Okay, so:

1. Things just don't seem to work if you compile without SSLv2
2. You don't actually need it, so it's disabled everywhere

That's fine. It would be good to find out *why* SSLv2 support is
required for everything to build/run properly, but it's not an
anormous concern just to have it in the binary.

> By the way, you didn't quote my CPPFLAGS and LDFLAGS that I set. 
> Using LDFLAGS, or rather -R I understand that I can set the
> runtime search path when linking the library. When I "ldd -s
> httpd", no SSL library is necessary there. And "ldd -s
> modules/mod_ssl.so" tells me it finds the locally installed 1.0.2g
> version. So I still don't understand why I need to set
> LD_LIBRARY_PATH when the linker finds what I want.

Hmm. I'm not familiar enough with the httpd build process to know what
the exact implications of using -R are.

> Yes, I want to avoid using LD_LIBRARY_PATH, because I read about 
> methods (like using -R) that could tell libraries where they
> should look first and LD_LIBRARY_PATH seems to be a kind of last
> resort.

If -R is supposed to work, then by all means use -R. Just be aware
that if you need to upgrade OpenSSL, you either need to use a
version-independent installation path (e.g. /usr/local/openssl/current
- -- I'd recommend a symlink for this purpose), or you'll need to
recompile httpd (mod_ssl, really).

Someone else will have to comment on why -R might not be having the
intended effect.

> Notes: - Yes, OpenSSL is compiled as a shared library. - Ideally, I
> would use /latest links combined with -R to avoid recompiling.

:)

> - Do I understand the following right? -I tells the compiler where
> to look for headers during compile time. -L tells the compiler
> where to find libraries to use in linking during the build. -R
> tells the Linker where to search for libraries during runtime.

Precisely.

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlcGwEcACgkQ9CaO5/Lv0PBSVwCgwaYwPlK5IjWi9l+5Qo5hk4XE
1w8AoI2JmTc9VdnK/kkwoaU/cVVRtkrA
=phx0
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Self-compiled httpd and OpenSSL: Trying to start httpd without using LD_LIBRARY_PATH

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Daniel,

On 4/7/16 11:21 AM, Poggenpohl, Daniel wrote:
> I'm working with Solaris 11.3 32Bit.
> 
> I've compiled and installed OpenSSL 1.0.2g with SSLv2 support
> (yeah, I know, but I can't get my setup to work without it) using:

You need to fix that ... right now. When you say "my setup won't work
without it", what do you mean?

Please tell me you accidentally typed "SSLv2" instead of "SSLv3", and
meant "SSLv3".

> My system has OpenSSL 1.0.1q pre-installed.

Okay.

> I've compiled Apache HTTPD 2.4.18 with the following options: cd
> /basedir/installers/httpd-2.4.18 OPENSSLDIR=/basedir/openssl/1.0.2g
> \ PKG_CONFIG_PATH=$OPENSSLDIR/lib/pkgconfig:$PKG_CONFIG_PATH \ ; \ 
> ./configure --prefix=/basedir/apache2/2.4.18 \ --enable-rewrite
> --enable-so --enable-dav --enable-deflate \ --enable-authnz-ldap
> --enable-ldap --with-ldap \ --enable-ssl --with-ssl=$OPENSSLDIR \

Okay.

> When I export LD_LIBRARY_PATH in envvars using the OPENSSLDIR/lib, 
> apache via PHPInfo finds 1.0.2g. When I don't use LD_LIBRARY_PATH, 
> the system 1.0.1q is used.
> 
> Can I do something about this? Or is this effect because of PHP?

That's totally expected. When you compiled httpd, the
- --with-ssl=$OPENSSLDIR really only chose the library header files to
use for the compilation. Since OpenSSL is (likely) compiled as a
shared-library, the linking is actually done at runtime instead of
compile-time.

LD_LIBRARY_PATH is how dynamic linking actually locates the libraries
that will be used at runtime. Your httpd build information is not
retained, and you need to set up the environment to get what you want.

Is there a particular problem with setting LD_LIBRARY_PATH, or did you
just want to know if you could avoid it?

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlcGoN0ACgkQ9CaO5/Lv0PBWUACcCTt4QOC9+nuxGqRUi1m5vI76
AC4An1vY4posMmjV5ODqG58xYNZi4DYL
=s0+x
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Load balancing based on header value

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Niranjan,

On 3/30/16 3:02 PM, Niranjan Rao wrote:
> I am using AJP to connect to tomcat.
> 
> Entry in the config file looks like
> 
>  BalancerMember ajp://myserver:8009
> route=node2 ProxySet lbmethod=bytraffic ProxySet
> stickysession=JSESSIONID 
> 
> Hope this answers your question.

Okay, so you are using mod_proxy_ajp.

I'm not sure how to do it in mod_proxy_ajp, but mod_jk allows the
request to override the worker to be used. I believe if you set the
JK_WORKER_NAME environment variable (for mod_jk only) that worker name
will be used. You can use whatever means in httpd to set that variable
such as mod_rewrite, etc.

I would imagine that there is a similar facility in mod_proxy_ajp.

- -chris

> On 3/30/16 2:15 PM, Niranjan Rao wrote:
 Greetings,
 
 My first post to this mailing list.
 
 I have apache2 load balancing working perfectly based on
 session affinity. Traffic does get directed properly to
 appropriate tomcat server.
 
 We are trying to use same servers to serve some REST API
 calls. These calls don't have a session, however tomcat
 honouring the request does maintain some state and we would
 like to redirect the traffic to same tomcat based on some
 header value.
 
 Tried searching and reading documents from apache web site,
 but have not figured it out yet.
 
 Can I load balance based on header value? It seems to be
 doable, but could not find any example or how-to.
> Which module are you using to proxy httpd -> Tomcat?
> 
> -chris
>> 
>> -
>>
>> 
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
>> For additional commands, e-mail: users-h...@httpd.apache.org
>> 
> 
> 
> -
>
> 
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
> 
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlb8LhYACgkQ9CaO5/Lv0PAA1ACcC9BuizMCiIORYNyCgeQ9Vt+5
CeMAn3qo01HeRt9VRbKBVy1QXZrEL6y/
=ffky
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Load balancing based on header value

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Niranjan,

On 3/30/16 2:15 PM, Niranjan Rao wrote:
> Greetings,
> 
> My first post to this mailing list.
> 
> I have apache2 load balancing working perfectly based on session 
> affinity. Traffic does get directed properly to appropriate tomcat
> server.
> 
> We are trying to use same servers to serve some REST API calls.
> These calls don't have a session, however tomcat honouring the
> request does maintain some state and we would like to redirect the
> traffic to same tomcat based on some header value.
> 
> Tried searching and reading documents from apache web site, but
> have not figured it out yet.
> 
> Can I load balance based on header value? It seems to be doable,
> but could not find any example or how-to.

Which module are you using to proxy httpd -> Tomcat?

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlb8H+0ACgkQ9CaO5/Lv0PC5EACgusxMWIhLosqqSi2GTgS/wCCE
1bgAnilhfPcRq1iZkLRibCHsKuZfkuFF
=vb8S
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Apache permissions stabs new Linux user in face with icepick. Suggestions?

[Christopher Schultz]

Eric,

On 3/9/16 8:44 PM, Eric Covener wrote:
> On Wed, Mar 9, 2016 at 8:40 PM, Francis Roy  
> wrote:
>>  drwxr-x--- username
> 
> 
> If you want to serve out of your home directory, it needs to be
> executable by "other".

Or group-owned by whatever group httpd runs under.

No ownership was previously posted, so it's tough to tell how the
permissions will be applied.

-chris

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Apache virus scanning

[Christopher Schultz]

John,

On 3/9/16 10:21 AM, Rose, John B wrote:
> What about if your web sites allow for uploading files? Would you not want
> to scan those on upload before they got on your filesystem?

Sure, it would be nice to have the file scanned during upload, but I'm
guessing that the AV can't give an opinion on a file until it's been
completely-uploaded. In that case, do you really want to buffer the
whole file in memory to scan it?

I think the file is going to make it -- at least in part -- to the disk
either way, unless you have other controls in place such as upload-size
limits where you can make a good bet that in-memory scanning can be done
without bringing-down your server.

Anyhow, I don't have any particular experience with mod_clamav or
anything like that. Certainly I wouldn't rely upon it solely, since
there are other ways files can make it onto your server(s). But it
probably couldn't hurt.

Things I'd be worried about are which requests will be scanned by the
AV? Will every single GET/POST/etc. be scanned? That might cause a
significant impact on your response times. Also, the aforementioned
buffering -- does the file have to remain in memory to be scanned, or
will it be streamed to a disk somewhere first? You don't want AV-scans
to bust your memory cap.

-chris

> On 3/9/16 9:49 AM, "Christopher Schultz" 
> wrote:
> 
>> John,
>>
>> On 3/8/16 6:02 PM, Rose, John B wrote:
>>> I am interested in both
>>>
>>> Thanks
>>>
>>> Sent from my iPad
>>>
>>>> On Mar 8, 2016, at 3:27 PM, Christopher Schultz
>>>>  wrote:
>>>>
>>> John
>>>
>>>>>> On 3/8/16 2:43 PM, Rose, John B wrote:
>>>>>> Looking for comments on mod_clamav, and any other alternative
>>>>>> antivirus software for Apache on linux
>>>
>>> Are you trying to protect your clients or your servers?
>>
>> I would imagine that running any AV software that monitors the
>> filesystem for changes would be sufficient. Why do you think you need an
>> httpd module for this?
>>
>> -chris
>>
>> -
>> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
>> For additional commands, e-mail: users-h...@httpd.apache.org
>>
> 
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
> 

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Apache virus scanning

[Christopher Schultz]

John,

On 3/8/16 6:02 PM, Rose, John B wrote:
> I am interested in both
> 
> Thanks
> 
> Sent from my iPad
> 
>> On Mar 8, 2016, at 3:27 PM, Christopher Schultz 
>>  wrote:
>>
> John
> 
>>>> On 3/8/16 2:43 PM, Rose, John B wrote:
>>>> Looking for comments on mod_clamav, and any other alternative
>>>> antivirus software for Apache on linux
> 
> Are you trying to protect your clients or your servers?

I would imagine that running any AV software that monitors the
filesystem for changes would be sufficient. Why do you think you need an
httpd module for this?

-chris

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Apache virus scanning

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

John

On 3/8/16 2:43 PM, Rose, John B wrote:
> Looking for comments on mod_clamav, and any other alternative
> antivirus software for Apache on linux

Are you trying to protect your clients or your servers?

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlbfNWYACgkQ9CaO5/Lv0PCtKACfUSwfFmm3iAXMmljzRhwaw6NZ
yj0Anjxz5oIgdOm6hiV0LOs4jr3n5uLK
=8ynF
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] apache 2.4, APR and online prefix

[Christopher Schultz]

Raf,

On 2/24/16 4:41 AM, Raf Roger wrote:
> Hi
> 
> i'm trying to create a LAMP stack that allow user to synchronize LAMP
> stack files and webapps among several computers.
> 
> Instead of reinstalling everything identically on each computer, they
> could just synchronize the stack and voila.
> 
> for such purpose i need to make each element of the stack independent of
> the OS, so to have it as a "brick"
> 
> therefore i would like to know if there is a version of httpd 2.4 usable
> for such purpose. In fact when i'm compiling apache 2.4 it request APR
> and APR-UTIL but those 2 APRs should be delivered with the stacks or are
> they only needed during apache2 compiling ?

Sounds like you are looking for something like Docker/Puppet/Chef (et
al) that can build a whole operating environment for you from the OS up
to whatever else you need (support packages, etc.). Don't reinvent the
wheel: I recommend you go find out what already exists before you do
this on your own.

I think this is a solved problem.

-chris

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Howto accept only one connection

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Oliver,

On 2/19/16 10:11 AM, Oliver Graute wrote:
> On 19/02/16, Aurélien Terrestris wrote:
>> Hello,
>> 
>> I'm not sure we can accept only one connection at a given time. I
>> tested with the "prefork MPM", and I only achieve 1 concurrent
>> request being processed at a given time and all others requests
>> are buffered (ListenBackLog doesn't seem to work on my server).
>> Once the 1st request has been processed, the other ones are
>> processed one after the other.
>> 
>> If running on a Linux, maybe should you configure the iptables to
>> limit connections to 1 for the httpd port. Behind a F5
>> loadbalancer, there is the Connection Limit parameter on the
>> virtual server which can be set.
>> 
>> 
>> my httpd conf :
>> 
>> ./configure .  --with-mpm=prefork
>> 
>>  StartServers 1 
>> MinSpareServers  1 MaxSpareServers  0 
>> MaxRequestWorkers1 MaxConnectionsPerChild   0 
>> ListenBacklog1 ServerLimit  1 
>> 
> 
> thx for this proposal, i will try it this way...

I'm kind of curious why you are using Apache httpd if you just want a
single connection to be available. Anyone can write a
single-connection HTTP service in about two pages of higher-level
source code (e.g. Python, Java, C#, maybe even Perl). This is a bit
like using a Saturn V rocket to launch a weather balloon.

For a single connection, make sure that you disable keepalive -- or at
least set the keep alive timeout to something small, like 1 second.
Otherwise, you'll DOS yourself quite easily. I would also set the TCP
backlog to something small. Maybe as little as 1 (or 0, if that
doesn't actually mean "backlog until we run out of memory").

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlbHMyAACgkQ9CaO5/Lv0PCRigCfTmzndG7agsZ9EmwM0sJTLMV9
ccAAoLD/DvkLbrsZhNnQMRXDQGRU+KOR
=NC4e
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Howto accept only one connection

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Oliver,

On 2/18/16 8:31 AM, Oliver Graute wrote:
> is it possible to configure Apache 2.4 to accept only one
> connection at time on port 443? is this something I can configure
> for my Virtual Hosts?

For testing, or for long-term behavior?

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlbF29MACgkQ9CaO5/Lv0PB2PwCgkd54Vg7BsGiQwRISsCMIiQSt
J50AniH+Xv5kRfRYtiEgSNOxkmC+JsgL
=9/u8
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] image display error with stock icon

[Christopher Schultz]

Douglas,

On 2/14/16 9:44 PM, Douglas W. Goodall wrote:
> I have written a very simple pair of cgi scripts in python that display
> a toggle switch either
> in the up position, or in the down position. When you click on the
> switch, it toggles between
> the two and switches between the images appropriately. At least that is
> what it is supposed
> to do.
> 
> The problem presented itself as the switch always being in the down
> position, no matter
> how I toggled and switched between the cgi scripts.
> 
> Here is the down
> and here is the up.
> 
> I checked in the browser debugger and the cgi scripts were trying to
> send the proper images.
> I tried the in the Mac OS X based Safari and Chrome and had identical
> results.
> 
> When I eventually gave up and used different switch images, the problem
> went away, so it
> is my best guess that there is something pathological about the binary
> contents of the images
> making the Web Server send a cached version of the down switch image
> instead of the up
> switch image that is needed.

If the URL of the switch image the same in both cases (e.g.
/images/switch_state.cgi)?

If so, you may be dealing with browser caching. Use the usual cadre of
response headers to instruct the client not to cache the response.

If not, then the problem may still be a cached image, possibly from a
time where the URL pointed to the wrong image.

Using Chrome's dev tools, you can see exactly what the client HTTP
request and server HTTP response look like. That may help find out
what's going on.

-chris

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Expiring DAV file locks with mod_dav

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

All,

Ping. Any ideas?

Thanks,
- -chris

On 2/5/16 4:04 PM, Christopher Schultz wrote:
> All,
> 
> I've been searching for a bit and mostly people are having the 
> opposite problem I'm having: they are having file locks expire too
> early .
> 
> I have a lock on a file on the DAV that looks like it's no longer 
> valid, but LibreOffice Writer won't open a document on by WebDAV 
> server because it says it's locked by another user (and names the
> user).
> 
> Are there any tools to investigate and/or tweak the locks held by
> mod_da v?
> 
> I tried "dbmmanage DAVLocks view" just to see if anything would
> work, and it dumped-out some stuff, but didn't look like dbmmanage
> could really interpret the DAVLocks file.
> 
> Any ideas? I'm sure that rm DAVLocks && /etc/init.d/apache2
> restart" would do the trick, but I'd like to keep any other
> legitimate file locks in place if possible.
> 
> Thanks, -chris
> 
> -
>
> 
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
> 
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAla9/74ACgkQ9CaO5/Lv0PDn2ACeMZKPb8SwWNyhOFlXCM0EGTPs
heQAn2mtzV1nkzx+HJADvqH78kZZ+pT3
=eArQ
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Proxy logging

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

All,

I'm using mod_proxy_http as a reverse-proxy to another origin server.
It seems that httpd doesn't record access logs for stuff going over to
the proxy.

Is there a way to write an access log for requests handles by
mod_proxy? Or is the best practice to aggregate the logs from the
origin server and the reverse proxy? (In this case, I have complete
control over both servers).

Apache httpd 2.4 everywhere.

Thanks,
- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAla996gACgkQ9CaO5/Lv0PAa3gCgoWy/cmwz8srKD6vSTnsvY/rI
J/EAoLYf9qpR8BWOKEXEjTC3wHDE73FI
=p44+
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] How to build Apache with FIPS mode capable?

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Yann,

On 2/10/16 6:11 PM, Yann Ylavic wrote:
> Hi,
> 
> On Wed, Feb 10, 2016 at 11:14 PM, Christopher Schultz 
>  wrote:
>> 
>> To those down and dirty with httpd: is there a reason not to 
>> UNCONDITIONALLY build against OpenSSL's FIPS_mode_set? If the
>> library doesn't support FIPS mode, it will complain about it and
>> refuse to enter FIPS mode. The httpd code already handles this
>> in mobules/ssl/ssl_engine_init.c:
>> 
>>> #ifdef HAVE_FIPS if(sc->fips) { if (!FIPS_mode()) { if 
>>> (FIPS_mode_set(1)) { ap_log_error(APLOG_MARK, APLOG_NOTICE, 0,
>>> s, APLOGNO(01884) "Operating in SSL FIPS mode"); } else { 
>>> ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01885)
>>> "FIPS mode failed"); ssl_log_ssl_error(SSLLOG_MARK,
>>> APLOG_EMERG, s); return ssl_die(s); } } } else {
>>> ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01886) "SSL
>>> FIPS mode disabled"); } #endif
>> 
>> I don't see a compelling reason to have all the #ifdef HAVE_FIPS 
>> conditionals all over the place.
> 
> OPENSSL_FIPS is something defined by OpenSSL when FIPS has been
> ./config-ured. Apache httpd should be run against an OpenSSL
> version ABI-compatible with the one it was compiled with, whereas
> FIPS vs non-FIPS OpenSSLs are possibly not ABI-compatible...

That's the thing: I believe they *are* ABI-compatible, since OpenSSL
doesn't seem to conditionally-compile any of the declarations of its
functions... specifically FIPS_mode_set.

I haven't actually done any testing to confirm that they are
ABI-compatible, though.

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAla8wT4ACgkQ9CaO5/Lv0PB24QCbBRiNzR3lqUTURsXfUyJhng7a
zo8AoLKYueo8xTiH4JnTpmj0CTDRy7eG
=dhQl
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] How to build Apache with FIPS mode capable?

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Rich,

On 2/10/16 1:12 PM, cloud force wrote:
> I added the "SSLFIPS on" option to the httpd.conf as suggested in
> the ssl_mod doc, and I got the following error:
> 
> * Starting web server apache2
> 
> 
> Syntax error on line 1 of /etc/apache2/httpd.conf:
> 
> SSLFIPS invalid, rebuild httpd and openssl compiled for FIPS
> 
> Action 'start' failed.
> 
> The Apache error log may have more information.

It looks like httpd *must* be built against a FIPS-capable library.

- From modules/ssl/ssl_engine_config.c:692:

> #ifdef HAVE_FIPS if ((sc->fips != UNSET) && (sc->fips !=
> (BOOL)(flag ? TRUE : FALSE))) return "Conflicting SSLFIPS options,
> cannot be both On and Off"; sc->fips = flag ? TRUE : FALSE; #else 
> if (flag) return "SSLFIPS invalid, rebuild httpd and openssl
> compiled for FIPS"; #endif
> 
> return NULL; }

So you think you really do have to re-build. But the only thing that
needs to be defined is OPENSSL_FIPS. From modules/ssl/ssl_private.h:126:

> #if defined(OPENSSL_FIPS) #define HAVE_FIPS #endif

So if you grab the source and simply do:

$ CFLAGS=-DOPENSSL_FIPS ./configure [other opts]
$ make

That ought to get you a FIPS-capable httpd.

To those down and dirty with httpd: is there a reason not to
UNCONDITIONALLY build against OpenSSL's FIPS_mode_set? If the library
doesn't support FIPS mode, it will complain about it and refuse to
enter FIPS mode. The httpd code already handles this in
mobules/ssl/ssl_engine_init.c:

> #ifdef HAVE_FIPS if(sc->fips) { if (!FIPS_mode()) { if
> (FIPS_mode_set(1)) { ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s,
> APLOGNO(01884) "Operating in SSL FIPS mode"); } else { 
> ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01885) "FIPS
> mode failed"); ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s); 
> return ssl_die(s); } } } else { ap_log_error(APLOG_MARK,
> APLOG_DEBUG, 0, s, APLOGNO(01886) "SSL FIPS mode disabled"); } 
> #endif

I don't see a compelling reason to have all the #ifdef HAVE_FIPS
conditionals all over the place.

Hope that helps,
- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAla7tjQACgkQ9CaO5/Lv0PDtUgCfT9JC4pOt0WdZWe3XsFRtQgWa
f+AAmwQY+A5KmdTEzwR47/aEK3b/xchg
=WaCl
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] How to build Apache with FIPS mode capable?

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Rich,

On 2/10/16 11:24 AM, cloud force wrote:
> Hi Chris,
> 
> Please see my comments below.
> 
> Thanks, Rich
> 
> On Wed, Feb 10, 2016 at 7:20 AM, Christopher Schultz 
>  <mailto:ch...@christopherschultz.net>> wrote:
> 
> Rich,
> 
> On 2/9/16 6:21 PM, cloud force wrote:
>> On Tue, Feb 9, 2016 at 2:59 PM, Christopher Schultz 
>> > <mailto:ch...@christopherschultz.net> 
>> <mailto:ch...@christopherschultz.net
>> <mailto:ch...@christopherschultz.net>>>
> wrote:
> 
>> Rich,
> 
>> On 2/9/16 4:09 PM, cloud force wrote:
>>> Yes I do have* *some regulatory requirement to use FIPS and I 
>>> have built the FIPS capable OpenSSL lib.
> 
>> Where is that library located on the disk?
> 
>>> [Rich] The new libcrypto.so located in the same directory 
>>> /lib/x86_64-linux-gnu/
> 
> 
> 
>>> I tried to add the "SSLFIPS on" parameter to the httpd.conf 
>>> config file as suggested in the ssl_mod manual page, but the 
>>> httpd failed to start with errors which seemed to due to the
>>> fact that my apache server was not compiled against an SSL
>>> library which support the FIPS_mode flag.
> 
>> Maybe you are getting the system-provided OpenSSL library and
>> not the one you custom-built.
> 
>>> I need helps with guidance of how to compile apache server
>>> with FIPS capable OpenSSL lib so that the Apache server can be 
>>> operating under the OpenSSL FIPS mode.
> 
>> Recompiling httpd is never needed to switch-out a shared
>> library. You just need to fix the way the OS loads things.
> 
>>> [Rich] How do I do that?
> 
> That depends upon the answers to your various questions.
> 
>> What OS? What version of that OS? Architecture, etc.?
> 
>>> [Rich] Ubuntu Linux 64 bit (version 12.04)
> 
> 
>> How did you install httpd?
> 
>>> [Rich] Httpd is packaged by Ubuntu as a package called
>>> apache2, and I installed the apache2 package.
> 
> Good. Keep that package as it is.
> 
>> How did you install OpenSSL (originally)?
> 
>>> [Rich] OpenSSL is also packaged by Ubuntu as a package. I 
>>> installed the original Ubuntu openssl package.
> 
> Okay. And that package is still installed and not broken?
> 
>> Did you build the FIPS-capable OpenSSL library yourself or did
>> you get it from some other source?
> 
>>> [Rich] I downloaded the FIPS modules source and built it with
>>> the stock openssl library, and then installed the newly rebuild
>>> FIPS capable openssl library. I was able to verify by using the
>>> FIPS capable openssl lib, running the openssl command to
>>> generate a MD5 checksum failed due to it's an non-approved FIPS
>>> algorithm.
> 
> Okay, good. IIRC, the "openssl" CLI is statically-linked so that
> will always work as long as you use the full path to the
> FIPS-capable openssl binary. Getting another program to load using
> the FIPS-capable library takes a bit of work.
> 
>> Where is the FIPS-capable OpenSSL library on the disk?
> 
>>> [Rich] The .so files are mostly under the directory 
>>> /lib/x86_64-linux-gnu/
> 
> Isn't that where the Ubuntu-packages libraries are as well?
> 
>> [Rich] Yes, basically my newly built FIPS capable OpenSSL lib
>> files replaced the original Ubuntu installed ones.
> 
> 
> 
> What does this command show?
> 
> $ dpkg -L libssl1.0.0
> 
> (This will still work if you have OpenSSL 1.0.1.)
> 
> Where *exactly* are the FIPS-capable libraries you built? There
> should be several .so files produced by the build. What are they
> and where did you put them?
> 
>> How do you launch httpd?
> 
>>> [Rich] Ubuntu uses upstart script to launch service like httpd.
>>> I just ran the upstart script (service apache2 start) to start
>>> the httpd.
> 
> Ultimately, this is going to involve you adjusting the
> LD_LIBRARY_PATH environment variable to point to the place where
> your FIPS-capable OpenSSL libraries are. But if you put them into
> the existing library search path, you may have broken both your
> original OpenSSL installation, plus the FIPS-capable libraries as
> well.
> 
>> [Rich] My understanding is, if I replace the Ubuntu installed
>> OpenSSL lib files with the FIPS capable version built by myself,
>> as long as the application which uses openssl (e.g. Apache
>> server) doesn't explicitly invoke FIPS_mode_set() API to enable
>> FIPS mode, they will work pretty

Re: [users@httpd] How to build Apache with FIPS mode capable?

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Rich,

On 2/9/16 6:21 PM, cloud force wrote:
> On Tue, Feb 9, 2016 at 2:59 PM, Christopher Schultz 
>  <mailto:ch...@christopherschultz.net>> wrote:
> 
> Rich,
> 
> On 2/9/16 4:09 PM, cloud force wrote:
>> Yes I do have* *some regulatory requirement to use FIPS and I
>> have built the FIPS capable OpenSSL lib.
> 
> Where is that library located on the disk?
> 
>> [Rich] The new libcrypto.so located in the same directory 
>> /lib/x86_64-linux-gnu/
> 
> 
> 
>> I tried to add the "SSLFIPS on" parameter to the httpd.conf
>> config file as suggested in the ssl_mod manual page, but the
>> httpd failed to start with errors which seemed to due to the fact
>> that my apache server was not compiled against an SSL library
>> which support the FIPS_mode flag.
> 
> Maybe you are getting the system-provided OpenSSL library and not
> the one you custom-built.
> 
>> I need helps with guidance of how to compile apache server with 
>> FIPS capable OpenSSL lib so that the Apache server can be
>> operating under the OpenSSL FIPS mode.
> 
> Recompiling httpd is never needed to switch-out a shared library.
> You just need to fix the way the OS loads things.
> 
>> [Rich] How do I do that?

That depends upon the answers to your various questions.

> What OS? What version of that OS? Architecture, etc.?
> 
>> [Rich] Ubuntu Linux 64 bit (version 12.04)
> 
> 
> How did you install httpd?
> 
>> [Rich] Httpd is packaged by Ubuntu as a package called apache2,
>> and I installed the apache2 package.

Good. Keep that package as it is.

> How did you install OpenSSL (originally)?
> 
>> [Rich] OpenSSL is also packaged by Ubuntu as a package. I
>> installed the original Ubuntu openssl package.

Okay. And that package is still installed and not broken?

> Did you build the FIPS-capable OpenSSL library yourself or did you
> get it from some other source?
> 
>> [Rich] I downloaded the FIPS modules source and built it with the
>> stock openssl library, and then installed the newly rebuild FIPS
>> capable openssl library. I was able to verify by using the FIPS
>> capable openssl lib, running the openssl command to generate a
>> MD5 checksum failed due to it's an non-approved FIPS algorithm.

Okay, good. IIRC, the "openssl" CLI is statically-linked so that will
always work as long as you use the full path to the FIPS-capable
openssl binary. Getting another program to load using the FIPS-capable
library takes a bit of work.

> Where is the FIPS-capable OpenSSL library on the disk?
> 
>> [Rich] The .so files are mostly under the directory
>> /lib/x86_64-linux-gnu/

Isn't that where the Ubuntu-packages libraries are as well?

What does this command show?

$ dpkg -L libssl1.0.0

(This will still work if you have OpenSSL 1.0.1.)

Where *exactly* are the FIPS-capable libraries you built? There should
be several .so files produced by the build. What are they and where
did you put them?

> How do you launch httpd?
> 
>> [Rich] Ubuntu uses upstart script to launch service like httpd. I
>> just ran the upstart script (service apache2 start) to start the
>> httpd.

Ultimately, this is going to involve you adjusting the LD_LIBRARY_PATH
environment variable to point to the place where your FIPS-capable
OpenSSL libraries are. But if you put them into the existing library
search path, you may have broken both your original OpenSSL
installation, plus the FIPS-capable libraries as well.

It would be best to keep the FIPS-capable libraries somewhere out of
the way where you won't confuse them with the package-installed ones.

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAla7VSQACgkQ9CaO5/Lv0PDqQACbBdzt3ek8ywxxUFgjhb8YXhf7
1gAAnRRHqsNIEuOmd6OFjewx3M7UWZsa
=JqxL
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] How to build Apache with FIPS mode capable?

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Rich,

On 2/9/16 4:09 PM, cloud force wrote:
> Yes I do have* *some regulatory requirement to use FIPS and I have
> built the FIPS capable OpenSSL lib.

Where is that library located on the disk?

> I tried to add the "SSLFIPS on" parameter to the httpd.conf config
> file as suggested in the ssl_mod manual page, but the httpd failed
> to start with errors which seemed to due to the fact that my apache
> server was not compiled against an SSL library which support the
> FIPS_mode flag.

Maybe you are getting the system-provided OpenSSL library and not the
one you custom-built.

> I need helps with guidance of how to compile apache server with
> FIPS capable OpenSSL lib so that the Apache server can be operating
> under the OpenSSL FIPS mode.

Recompiling httpd is never needed to switch-out a shared library. You
just need to fix the way the OS loads things.

What OS? What version of that OS? Architecture, etc.?
How did you install httpd?
How did you install OpenSSL (originally)?
Did you build the FIPS-capable OpenSSL library yourself or did you get
it from some other source?
Where is the FIPS-capable OpenSSL library on the disk?
How do you launch httpd?

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAla6b0oACgkQ9CaO5/Lv0PD3wACfWaxX8PA8dhUajcJiHoar12ck
1NoAniETHeQizkhiRLtie+M2RCxuKFAz
=HJr7
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] How to build Apache with FIPS mode capable?

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Rich,

On 2/8/16 3:25 PM, cloud force wrote:
> Hi All:
> 
> From the mod_ssl doc, it mentioned: "If httpd was compiled against
> an SSL library which did not support the FIPS_mode flag, |SSLFIPS
> on| will fail."
> 
> How do I compile apache (version 2.2) with FIPS capable OpenSSL
> library?

It's not Apache httpd that needs to be compiled for FIPS, it's
OpenSSL. So if you have a FIPS-capable OpenSSL library, you should be
okay.

Building a FIPS-capable OpenSSL is possible, but requires some steps
on top of the usual OpenSSL build process:

http://openssl.org/docs/fips.html

Unless you have some regulatory requirement to use FIPS, I wouldn't
bother with the whole mess. FIPS does two things: (1) validates the
library on startup to ensure it hasn't been tampered with (which I
suppose is good) and (2) mandates a specific set of hashes, ciphers,
etc. (bad). The reason #2 is bad is because the set of ciphers
required by FIPS includes known weak ciphers, and probably also
contains unknown weak ciphers, too.

AFAICR, FIPS also will not allow you to use additional ciphers on top
of the FIPS requirements, so you aren't allowed to use the latest and
greatest ciphers recommended by security experts.

(Finally, it's unclear whether or not it's actually possible to
produce a FIPS-compliant implementation *at all*, so the whole thing
is a farce, anyway.)

So, unless you have a specific and unyielding requirement to use a
FIPS-compliant library, save your time and just configure your
non-FIPS-compliant server in a sane way and you'll be fine.

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAla57nUACgkQ9CaO5/Lv0PAyTwCeLBOwi8VV9W5vngMc01ae62vC
O6wAnjglbjMq8S3+ZEyU1jch6wH4d7HW
=NJnj
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Expiring DAV file locks with mod_dav

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

All,

I've been searching for a bit and mostly people are having the
opposite problem I'm having: they are having file locks expire too early
.

I have a lock on a file on the DAV that looks like it's no longer
valid, but LibreOffice Writer won't open a document on by WebDAV
server because it says it's locked by another user (and names the user).

Are there any tools to investigate and/or tweak the locks held by mod_da
v?

I tried "dbmmanage DAVLocks view" just to see if anything would work,
and it dumped-out some stuff, but didn't look like dbmmanage could
really interpret the DAVLocks file.

Any ideas? I'm sure that rm DAVLocks && /etc/init.d/apache2 restart"
would do the trick, but I'd like to keep any other legitimate file
locks in place if possible.

Thanks,
- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAla1DmcACgkQ9CaO5/Lv0PCb+ACeOBG1u46NmKgcdHbAuLKdy3Zd
0G4An0DoNbY/Ls6XthD0WBrQOm02DZct
=XmY4
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] proper MPM and mod_php

[Christopher Schultz]

Eric,

On 1/7/16 5:47 PM, Eric Covener wrote:
> On Thu, Jan 7, 2016 at 4:51 PM, Rose, John B  wrote:
>> Is using "event" MPM and mod_php ok, or should "prefork" always be used with
>> mod_php?
> 
> The conventional wisdom is prefork-only if you must use mod_php.

I was just looking at this yesterday on my Amazon Linux VM, and the
package-managed config for mod_php looks like this:


  LoadModule php5_module modules/libphp-5.5.so



  LoadModule php5_module modules/libphp-zts-5.5.so


So it looks like there is a module that has been built with an eye
toward thread-safety. That module may be available in John's environment
as well.

Thanks,
-chris

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] ProxyPass + Redirect

[Christopher Schultz]

Yann,

On 12/17/15 3:51 AM, Yann Ylavic wrote:
> On Thu, Dec 17, 2015 at 8:14 AM, Marat Khalili  wrote:
>> Crude, but what about:
>>
>> ProxyPassMatch "^/foo/(.+)$" "http://localhost:8009/foo/$1";
> 
> or (along the lines):
> ProxyPassMatch ^/foo/((?!index\.html$).+)$ http://localhost:8009/foo/$1

I was able to solve the problem in this way, which is basically the same
thing you have above:

ProxyPassMatch ^/foo/index.html$ !
ProxyPassMatch ^/foo(/)?$ !

RedirectMatch ^/foo/index.html$ /foo/someplace_specific.html
RedirectMatch ^/foo/$ /foo/someplace_specific.html

It's pretty clear that I should probably combine each of these pairs of
directives into single ones, since they will likely perform better. I'm
not sure if PCRE is smart enough to understand that ^whatever$ can be
optimized to straight-equals to avoid the overhead of the whole regular
expression engine.

If anyone knows the answer to that, it would be nice to know. In the
meantime, regular expressions have come to the rescue.

-chris

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Uneven load distribution in Tomcat application servers proxy balanced in front end Apache httpd web server

[Christopher Schultz]

Gaurav,

On 12/22/15 11:26 AM, Gaurav Kumar wrote:
> I am using 6 Apache httpd 2.2.15 which are forwarding requests to the
> Tomcat application servers (version: 7.0.41). Using mod_proxy, all the
> application servers are balanced with proxy balancers. Below is the
> similar configuration of apache httpd.conf:
> 
> |##Proxy Balancers for use by all Virtual Hosts  balancer://FrontEnd> BalancerMember ajp://APP01.abcd.com:8009
>  route=APP01 timeout=120 ttl=600
> keepalive=On BalancerMember ajp:// APP02.abcd.com:8009
>  route=APP02 timeout=120 ttl=600
> keepalive=On BalancerMember ajp:// APP03.abcd.com:8009
>  route=APP03 timeout=120 ttl=600
> keepalive=On BalancerMember ajp:// APP04.abcd.com:8009
>  route=APP04 timeout=120 ttl=600
> keepalive=On BalancerMember ajp:// APP05.abcd.com:8009
>  route=APP05 timeout=120 ttl=600
> keepalive=On BalancerMember ajp:// APP06.abcd.com:8009
>  route=APP06 timeout=120 ttl=600
> keepalive=On BalancerMember ajp:// APP07.abcd.com:8009
>  route=APP07 timeout=120 ttl=600
> keepalive=On BalancerMember ajp:// APP08.abcd.com:8009
>  route=APP08 timeout=120 ttl=600
> keepalive=On BalancerMember ajp:// APP09.abcd.com:8009
>  route=APP09 timeout=120 ttl=600
> keepalive=On BalancerMember ajp:// APP10.abcd.com:8009
>  route=APP10 timeout=120 ttl=600
> keepalive=On BalancerMember ajp:// APP11.abcd.com:8009
>  route=APP11 timeout=120 ttl=600
> keepalive=On BalancerMember ajp:// APP12.abcd.com:8009
>  route=APP12 timeout=120 ttl=600
> keepalive=On BalancerMember ajp:// APP13.abcd.com:8009
>  route=APP13 timeout=120 ttl=600
> keepalive=On BalancerMember ajp:// APP14.abcd.com:8009
>  route=APP14 timeout=120 ttl=600
> keepalive=On BalancerMember ajp:// APP15.abcd.com:8009
>  route=APP15 timeout=120 ttl=600
> keepalive=On BalancerMember ajp:// APP16.abcd.com:8009
>  route=APP16 timeout=120 ttl=600
> keepalive=On BalancerMember ajp:// APP21.abcd.com:8009
>  route=APP21 timeout=120 ttl=600
> keepalive=On BalancerMember ajp:// APP22.abcd.com:8009
>  route=APP22 timeout=120 ttl=600
> keepalive=On BalancerMember ajp:// APP23.abcd.com:8009
>  route=APP23 timeout=120 ttl=600
> keepalive=On BalancerMember ajp:// APP24.abcd.com:8009
>  route=APP24 timeout=120 ttl=600
> keepalive=On BalancerMember ajp://APP25.abcd.com:8009
>  route=APP25 timeout=120 ttl=600
> keepalive=On BalancerMember ajp:// APP26.abcd.com:8009
>  route=APP26 timeout=120 ttl=600
> keepalive=On BalancerMember ajp:// APP27.abcd.com:8009
>  route=APP27 timeout=120 ttl=600
> keepalive=On BalancerMember ajp:// APP28.abcd.com:8009
>  route=APP28 timeout=120 ttl=600
> keepalive=On ProxySet stickysession=JSESSIONID  |
> 
> I am facing the uneven load distribution issue among the application
> servers when I check it from the Apache webserver balancer-manager.
> Infact, the top 13 app servers (app01 to app13, assume batch1) are
> getting almost equal load and the remaining app servers (app14 to app16
> and app21 to app28, assume batch2) are getting equal load. The batch1
> app servers have almost 3 times more load than the batch2 app servers.
> 
> I also tried to diagnose if any network issue might be causing the
> problem. So, tried the traceroute command for the diagnosis and found
> almost similar patterns with 30 hops for both the batch servers (batch1
> as well as batch2).
> 
> I am unable to figure out, what the issue is? Can anyone please help me
> out. Any help, really appreciated.

Remember that users can keep their session identifiers longer than their
session actually lasts. The load-balancer doesn't keep a mapping of
session ids to app servers.. instead, it uses a node-hint in the session
id like 8927418392BACBD3298.workerName and uses that for routing.

If you have a user who logs-in and is assigned to a node, then continues
using their browsers without restarting it for a month, they will always
go to the same server unless their session cookies are being destroyed
*and* then you redirect them to be re-balanced before another session is
created.

This might just be a natural "clumping" of sessions to various servers.
If you watch it over time, does it settle-down over time, or does it
appear that the nodes are becoming more and more segregated?

-chris

-
To unsubscribe, e-mail: users-unsubscr...@httpd.

Re: [users@httpd] ProxyPass + Redirect

[Christopher Schultz]

Bill,

On 12/16/15 5:45 PM, William A Rowe Jr wrote:
> On Wed, Dec 16, 2015 at 4:34 PM, Christopher Schultz
> mailto:ch...@christopherschultz.net>> wrote:
> 
> 
>RedirectMatch ^/foo(/)?$ /foo/someplace_specific.html
>RedirectMatch ^/foo/index.html$ /foo/someplace_specific.html
>ProxyPass /foo/index.html !
>ProxyPass /foo/ http://localhost:8009/foo/
>ProxyPassReverse /foo/ http://localhost:8009/foo/
> 
> Unfortunately, this doesn't seem to be working for me: a request for
> /foo/index.html gives me a 404 error *and a JSESSIONID from Tomcat*, so
> I'm fairly certain that the request is being proxied.
> 
> 
> I thought this was order-sensitive, try reversing the two ProxyPass
> statements. 

I actually had the "ProxyPass !" last, and when it didn't work as I
expected, then I re-read the docs which say that ProxyPass has
first-match-wins semantics. So no joy there. :(

Also, this is never going to work:

  ProxyPass /foo/ !
  ProxyPass /foo/ http://localhost:8009/foo/

So I need a plan for the exact string "/foo/" without shooting-out the
knees of the rest of the proxy configuration.

Any ideas?

-chris

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] ProxyPass + Redirect

[Christopher Schultz]

All,

I've got a reverse-proxy in front of Tomcat that I'd like to configure.
When using mod_jk, we have a configuration like this:

   RedirectMatch ^/foo(/)?$ /foo/someplace_specific.html
   RedirectMatch ^/foo/index.html$ /foo/someplace_specific.html
   JkMount /foo/*.do myWorker

This works swimmingly.

Now, we have an environment where we need to use mod_proxy instead, so
we have tried this:

   RedirectMatch ^/foo(/)?$ /foo/someplace_specific.html
   RedirectMatch ^/foo/index.html$ /foo/someplace_specific.html

   ProxyPass /foo/ http://localhost:8009/foo/
   ProxyPassReverse /foo/ http://localhost:8009/foo/

(There may be typos in there, but I typed it from memory and sanitized
it at the same time. Don't worry too much about that; the order and gist
is correct.)

Sharp-eyed readers will note that ProxyPass will take precedence over
the RedirectMatch directive. No problem, we can just un-proxy that
special path:

   RedirectMatch ^/foo(/)?$ /foo/someplace_specific.html
   RedirectMatch ^/foo/index.html$ /foo/someplace_specific.html
   ProxyPass /foo/index.html !
   ProxyPass /foo/ http://localhost:8009/foo/
   ProxyPassReverse /foo/ http://localhost:8009/foo/

Unfortunately, this doesn't seem to be working for me: a request for
/foo/index.html gives me a 404 error *and a JSESSIONID from Tomcat*, so
I'm fairly certain that the request is being proxied.

I'm certain that I have some small error in my configuration for the
index.html case, but I think I'm up against a wall when it comes to the
/foo/ case: the RedirectMatch looks for ^/foo(/)?$ which is necessarily
the "root" of the virtual-directory being proxied... so I'm going to
need to tell mod_proxy to turn-off proxying for a specific URL.

I know that using mod_rewrite, we can use the [P] flag to send things
through mod_proxy. Is there a do-not-proxy flag for mod_rewrite that I
can use? Or do I have to change from using ProxyPass to using
RewriteRule with [P] for everything instead? I'd prefer a solution that
doesn't involve mod_rewrite if I can get away with it.

Thanks,
-chris

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Is there a shell environment variable to direct httpd to a httpd.conf ?

[Christopher Schultz]

Gary,

On 11/20/15 4:44 PM, Gary M wrote:
> I'm in a unique configuration dilemma where I need to place the location
> of httpd.conf in a "soft" location. eg the shell environment variable.
> 
> I did look and cannot find the answer.
> 
> The question: "is there a shell environment variable read by httpd
> pointing to the conf file ? "
> 
> This is windows,, I have another solution for linux and solaris.

Can you do:

C:\> \path\to\bin\httpd -f %HTTPD_DOT_CONF%

?

-chris

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] Redirect[Match] behind load-balancer switching protocols

[Christopher Schultz]

All,

The docs for the Redirect directive state that a slash-prefixed
replacement URL (relative) will use the current request's scheme and
hostname to build the redirect URL.

RedirectMatch doesn't say specifically, but what I'm observing is that:

RedirectMatch permanent ^/$ /foo/

... when requesting https://hostname/, I get a redirect to
http://hostname/foo/ <-- note the protocol switch from https to http.

I'm running httpd 2.4.16 on Linux.

This is an httpd instance which is sitting behind a load-balancer, so
httpd isn't terminating SSL itself. The lb is providing the various
X-Forwarded-* headers, and I have this configuration as well:

SetEnvIf X-Forwarded-Proto "https" HTTPS=On

Is there another environment variable or other setting that I need to
use in order to override httpd's protocol-detection?

Thanks,
-chris

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] How to force browsers doesn't use cache

[Christopher Schultz]

Pete,

On 11/16/15 3:52 PM, Pete Houston wrote:
> On Mon, Nov 16, 2015 at 06:19:37PM -0200, Ronaldo Luiz de Carvalho wrote:
>> There are a way to setting apache in a way to force the users site browsers
>> doesn't use their cache?
> 
> You can use the Header directive to set the appropriate value of the
> Cache-Control header.
> 
> http://httpd.apache.org/docs/2.4/mod/mod_headers.html#header
> http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9

+1

Plus the "Pragma" header for ancient clients, if you want.

This is how we do it:

Header set Cache-Control "no-cache, no-store, must-revalidate"
Header set Pragma "no-cache"
Header set Expires 0

Make sure you don't overdo this... if you have .css, .js files, etc.
that *should* be cached, don't let this apply to them.

-chris

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] php.conf and PHP-FPM

[Christopher Schultz]

John,

On 11/13/15 2:53 PM, Rose, John B wrote:
> Let me rephrase my question.
> 
> I understand the .conf file names can be anything.
> 
> I may should have asked it this way, do the settings such as  ...
> 
> 
> SetHandler application/x-httpd-php
> 
> 
> 
> 
> AddType text/html .php
> 
> Etc,
> 
> ...typically in the file named php.conf, matter if you do not have mod_php
> loaded and are only using PHP-FPM?
> 
> What PHP related setting would you possibly put in php.conf if you are
> only using PHP-FPM?
> 
> In other words, by using PHP-FPM, and using ProxyPassMatch, none of those
> things are used. Right?
> 
> Except "DirectoryIndex"
> 
> Comment: It seems the default/uncommented placement of "DirectoryIndex
> index.php" in php.conf would undesirably/unexpectedly replace
> "DirectoryIndex index.html index.php etc." in the main body of your
> httpd.conf file. If you "Include" conf.d late in your httpd.conf file.

If you place  ...  around your PHP-related
configurations, then you can safely leave your php.conf file in place
even when mod_php is disabled. In that case, the configuration within
the IfModule structure will be ignored when mod_php is not loaded.

-chris

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] modifying Location header

[Christopher Schultz]

Hleb,

On 10/30/15 10:24 AM, Hleb Valoshka wrote:
> On 10/29/15, John Iliffe  wrote:
>>> Is it possible to modify Location using mod_headers? I want to replace
>>> http:// with https:// but Header edit http://(.*) https://$1 does not
>>> work, neither with always. unset and set don't work as well, only add
>>> works.
>>>
>>
>> Why not this?
>>
>> 
>>ServerName www.example.com
>> #   DocumentRoot /httpdpages
>>Redirect permanent / https://www.example.com/
>> 
> 
> Because vhost :80 is common for http and https: actual endpoint is
> loadbalancer, apache is backend with a lot of redirects.

Consider using a separate  for your HTTPS traffic, like this:

lb:80  --> httpd:80
lb:443 --> httpd:81

httpd:81 is not encrypted, but it's configured to behave as if it is.

-chris

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] require valid-user with ldap

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Marc,

On 11/27/14 2:42 AM, Tobias Adolph wrote:
> do you have an other authorization modules (like mod_shib for 
> shibboleth-authentication)?
> 
> We had an issue concerning require valid-user, too. I guess that if
> several authorization handlers are active "require valid-user" 
> directives asks each of them for approval. At least mod_shib shows 
> this behaviour. The fact that if you give the specific user (which 
> determines the specific authorization authority) or a 
> require-directive specific to an authorization module supports
> this assumption.

I have LDAP working without file-based fallback, but I'm using
"Require ldap-group" instead of "Require [somethingelse]".

Our configuration is so old I can't remember if I actually fought
httpd's configuration and settled for ldap-group or if I just never
tried anything else (like Require valid-user).

- -chris

> Am 24.11.2014 um 12:13 schrieb Marc Patermann:
>> Hi,
>> 
>> I using the following .htaccess
>> 
>> AuthBasicProvider ldap file AuthType Basic
>> AuthzLDAPAuthoritative off Authname "..." AuthUserFile
>> /srv/www/.htusers-mf AuthLDAPURL 
>> "ldap://ldapserver/ou=humans,ou=foo,c=de?mail??(mail=*@ofd-*.foo.de)"
>>
>>
> 
PROPFIND OPTIONS GET>
>> #Require ldap-group 
>> ou=Benutzer-Opst,ou=gruppen,ou=humans,ou=foo,c=de #Require user 
>> k1-st-01 Require valid-user  ...
>> 
>> The "require valid-user" does not work for ldap users. I get the 
>> following message in error_log:
>> 
>> /var/log/apache2/error_log:[Thu Nov 21 09:40:48 2014] [error] 
>> [client 10.49.64.85] access to /documents/ failed, reason: user 
>> 'u...@foo.de' does not meet 'require'ments for user/valid-user
>> to be allowed access
>> 
>> Apache is version 2.2.10
>> 
>> If I set it to "require ldap-user u...@foo.de" or "require 
>> ldap-group ..." it is all fine, so the ldap part does it's 
>> thing.
>> 
>> 
>> Marc
>> 
>> -
>>
>>
To
>> 
unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
>> For additional commands, e-mail: users-h...@httpd.apache.org
>> 
> 
-BEGIN PGP SIGNATURE-
Version: GnuPG v1
Comment: GPGTools - http://gpgtools.org

iQIcBAEBCAAGBQJUdysVAAoJEBzwKT+lPKRYC3sQAJlnnU7z1KK4i1UaaBNGO16k
iNleVv8OXNg5OZo04/O8ZNtF9OBXIWiqqsN8hP4Oepfcvs1e2JgZpshHUN9KUkUS
o+8FwbAIpbgFPgFZkd7XsEb4aZAZQEW0OAylbIb8ur0C4/Q3bEOazf/a3BUJB6x8
00OVSQBzN46/o9PReYh7mB0sOXCMVHZbZy3LJ2iOJvWJonm6iGuPwifT7JdakVYr
yZP1zbuR86GPhTd6IjoV3qxS0+gMThu5ziIJ1IkGbUpkekBxrOt0Ra0bmN3NNHxU
SJdsa4FCMergjUvlfDWqgPwBC0atD9nU6lEOS11+uvloHQofd7Y3CNu7q6m5c+S6
xnweNUMEctBhQpQgNzuMgByHB8j6/lqQjezOt6aZ/dhGVWQZ3h6Eeo0bA73B0sLp
AXh31udkfj4QLrSJGNXSOOfQqZ8jLxvmaAmXvDXovUVPkD8+WbAojOSTGgUAyX4W
QoaC/UPE8FTuVheFzYI3CZDwuk7o6Pa1b9ojPF6vheC9xCp4U8FED7KCp0PnnOpm
h58Wn6Tie7CPF8xzleGAF1axRBEJZDTq0IDoCnihCxyaT+AlFU6XAcv+WHf5bLFC
H8lwg1luY6wgslyIUfhM5LsFeuU9RPYJfsTyZrR+iEEuq7u+rESQrXctXTsCSVKT
mSaQ2dYgw+r8AASOYR3O
=Vj2e
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Cannot get certificate chain to work.

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

dE,

On 10/10/14 6:30 AM, dE wrote:
> On 10/09/14 23:47, Christopher Schultz wrote: De,
> 
> On 10/7/14 11:27 PM, dE wrote:
>>>> $ openssl x509 -noout -in server.pem -text Certificate:
>>>> Data: Version: 1 (0x0) Serial Number: 13192573755114198537 
>>>> (0xb7156feedab91609) Signature Algorithm:
>>>> sha1WithRSAEncryption Issuer: C=AU, ST=Some-State,
>>>> O=intermediate, CN=intermediate Validity Not Before: Oct  7
>>>> 08:43:42 2014 GMT Not After : Oct  2 08:43:42 2015 GMT
>>>> Subject: C=AU, ST=Some-State, O=server, OU=IT, CN=server
>>>> Subject Public Key Info: Public Key Algorithm: rsaEncryption
>>>> Public-Key: (1024 bit)
> 1024-bit keys?
> 
> Perhaps the browsers are smart enough not to trust those.
> 
>>>> $ openssl x509 -noout -in intermediate.pem -text
>>>> Certificate: Data: Version: 1 (0x0) Serial Number:
>>>> 11894061023072807904 (0xa510317ba912ebe0) Signature
>>>> Algorithm: sha1WithRSAEncryption Issuer: C=AU, ST=Some-State,
>>>> O=issuer, OU=signing, CN=issuer Validity Not Before: Oct  7
>>>> 08:42:05 2014 GMT Not After : Oct  2 08:42:05 2015 GMT
>>>> Subject: C=AU, ST=Some-State, O=intermediate, CN=intermediate
>>>> Subject Public Key Info: Public Key Algorithm: rsaEncryption
>>>> Public-Key: (1024 bit)
> Hmm.
> 
>>>> $ openssl x509 -noout -in issuer.pem -text Certificate:
>>>> Data: Version: 1 (0x0) Serial Number: 18284349327322698662 
>>>> (0xfdbf0ed6ac38d3a6) Signature Algorithm:
>>>> sha1WithRSAEncryption Issuer: C=AU, ST=Some-State, O=issuer,
>>>> OU=signing, CN=issuer Validity Not Before: Oct  7 08:40:29
>>>> 2014 GMT Not After : Oct  7 08:40:29 2015 GMT Subject: C=AU,
>>>> ST=Some-State, O=issuer, OU=signing, CN=issuer Subject Public
>>>> Key Info: Public Key Algorithm: rsaEncryption Public-Key:
>>>> (1024 bit)
> Maybe try again with 2048-bit keys or better?
> 
> -chris
>> 
>> -
>>
>> 
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
>> For additional commands, e-mail: users-h...@httpd.apache.org
>> 
> 
> Yeah, I'll try 4096. That's the standard. But it did work when
> only intermediate.pem was sent by the server and issuer.pem was
> installed in the browser.

You might want to check using SSL Labs' server scanner. It will tell
you exactly what the server is sending, whether they are in the right
order, at what level they are trusted, and give you advice about how
to improve the configuration.

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1
Comment: GPGTools - http://gpgtools.org

iQIcBAEBCAAGBQJUN991AAoJEBzwKT+lPKRY9hYQAJ7tNxFSnI6KtRk2XdjCceQI
tT6HFp3dxUk+JPffjAmJGamYGhMD5E11IsqLa+GT25u+ULsRfoV7ovVcOiQtvC1E
HdKpDxeN4VUVzESRWPeBE+SdATRwpu2fJsSQ9bLfFS6Mw9Cj0GJMp9wRRWAhxz+/
TyIhxRsTruc6Y8e2r+/M+p/QaO49/FknJpISb9m/xoKqaVg6eiMxfnDBJeJ63p0T
u7j2wOuQDvZlW7nSRUnp4M/Z3NbIwdJAlxDnZ4d9S8tvTLESQaJpoFxhsutOdK/X
82pIPbsoZeP5CvBuZ/f3iISrVqEkYh9uJCawj+tdniYrrsXnOKL5diE2SMrzXmXD
ecL+YhNedFzQp+MHVtNgHtK/ZEc35/HmnEp9qDQP3O9KmEh8y4m/qFchRP1a5EzL
KYhS7VpV1cagmvh6vg1+3GoJcGSshdKEgQYSYQnK6KuaD+A/EZvio1eeXvdF/EWx
2M/8PsEi13vpf5Ev5RmfDF8ma6yO7QhXAzTCcFpGNqRD4J1mjkUxCtfkG+JydlQc
TbDRpVFmKeo5NTZAIoIZ8br2F9RMSdV8prVOytt0Yfd+cpFZyCTr+bfq9U+rkS1p
REuUrQvWGMlOPvr35KHXqjKmu78K0bxCapGqmzxrx2LRcHb5tnkM9CLSVvjTnfWI
9Xufi+4JpiEBBO43tmSX
=seHs
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Cannot get certificate chain to work.

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

De,

On 10/7/14 11:27 PM, dE wrote:
> $ openssl x509 -noout -in server.pem -text Certificate: Data: 
> Version: 1 (0x0) Serial Number: 13192573755114198537 
> (0xb7156feedab91609) Signature Algorithm: sha1WithRSAEncryption 
> Issuer: C=AU, ST=Some-State, O=intermediate, CN=intermediate 
> Validity Not Before: Oct  7 08:43:42 2014 GMT Not After : Oct  2 
> 08:43:42 2015 GMT Subject: C=AU, ST=Some-State, O=server, OU=IT, 
> CN=server Subject Public Key Info: Public Key Algorithm: 
> rsaEncryption Public-Key: (1024 bit)

1024-bit keys?

Perhaps the browsers are smart enough not to trust those.

> $ openssl x509 -noout -in intermediate.pem -text Certificate:
> Data: Version: 1 (0x0) Serial Number: 11894061023072807904 
> (0xa510317ba912ebe0) Signature Algorithm: sha1WithRSAEncryption 
> Issuer: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer 
> Validity Not Before: Oct  7 08:42:05 2014 GMT Not After : Oct  2 
> 08:42:05 2015 GMT Subject: C=AU, ST=Some-State, O=intermediate, 
> CN=intermediate Subject Public Key Info: Public Key Algorithm: 
> rsaEncryption Public-Key: (1024 bit)

Hmm.

> $ openssl x509 -noout -in issuer.pem -text Certificate: Data: 
> Version: 1 (0x0) Serial Number: 18284349327322698662 
> (0xfdbf0ed6ac38d3a6) Signature Algorithm: sha1WithRSAEncryption 
> Issuer: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer 
> Validity Not Before: Oct  7 08:40:29 2014 GMT Not After : Oct  7 
> 08:40:29 2015 GMT Subject: C=AU, ST=Some-State, O=issuer, 
> OU=signing, CN=issuer Subject Public Key Info: Public Key 
> Algorithm: rsaEncryption Public-Key: (1024 bit)

Maybe try again with 2048-bit keys or better?

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1
Comment: GPGTools - http://gpgtools.org

iQIcBAEBCAAGBQJUNtE+AAoJEBzwKT+lPKRY+s8QALlighVIWTi27FSczUKYSPmN
dlH6Ltz01C8jthaKNSA1jR3tUzx3lVqvnHbTTX0V6Y/n/rBT9E4/ZUSqND6MLBNE
4nwP2kG3EStCNSk2rt0Xv7iGdzIzi5zLftPfnlzzZoqBZdUc36qKDjzJVeMq79L7
YyamixmrFN9mPI1V5FcazYIKKOU9p5Ok9g+9OPBWi6SOKilwGE9F8maU75Ale1ys
N+pPjUj84RukGK7uWPKqmrC/GewhGaUABaaAUFkPcxIPha3asPzWam5Zxp/MTW41
RDOGUImLaonI4F25BGxJIb7hQlBX8pN6TWtFoEAf0srP0k4M9zLB1G9+cWbgEdiv
O67F99WZdb2PP6MJp3RMrvhnv4W46AA2cByWEuMo40zY3Et//zhkW1AO/VfkzFrD
syGTBGQIBHGaRVfrJMs40rgatwPb5FwaPu8Us7HtStblZ7clqXAXJtLLp63N1pip
+VocquaX7A0VcibiQ+YY89+pIYwulvonXCnQ9YUTfVR4bTDQs3T8BFjoekOTyByW
M2mVgjNLpZmJ5KjtLbm7mKOVde3qip48TSIJXg2STq6+P3+sUbRGLc8l2kl4WOK0
8oQ5dnOMi/hsO4W2+MExiKWSfrP/DDyMIG6AS2/7KZP0pdWoEn5bmNl19yNKzW/f
XoaM5WiTbUDSdux9TEvS
=KBTz
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] httpd 2.2 and 2.4; 500 errors with no logs at all

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

All,

Bump. Any ideas what might be causing this?

Thanks,
- -chris

On 10/5/14 10:53 AM, Christopher Schultz wrote:
> All,
> 
> On 10/5/14 10:23 AM, Christopher Schultz wrote:
>> All,
> 
>> On 10/5/14 10:01 AM, Christopher Schultz wrote:
>>> All,
> 
>>> Over the past week, I've had 4 separate httpd servers running 
>>> 2.2 and 2.4 start failing with the generic "Internal Server 
>>> Error" page and a 500 response.
> 
>>> The only logs generated are the access log, which of course 
>>> indicates a 500-response. So, no error logs, no syslogs, no 
>>> nothing.
> 
>>> We have a couple of redirects configured using something like 
>>> "RedirectMatch 301 "^/$" https://hostname/"; and these are 
>>> processed and I get a 302 response which redirects to another 
>>> page that fails.
> 
>>> All of the pages that are failing are using HTTP Basic 
>>> authentication with an LDAPS authentication module 
>>> (mod_authz_ldap) to a remote server. Other httpd instances are 
>>> currently successfully authenticating against this LDAP server,
>>> so the LDAP server itself doesn't appear to be a problem.
> 
>>> In the other cases, an httpd restart has fixed the problem. 
>>> Triggering a config reload (/etc/init.d/httpd reload on my 
>>> RHEL-compatible VM) will allow the configuration to reload and 
>>> does not change the situation with the errors (i.e. the errors 
>>> still occur).
> 
>>> I was able to reconfigure the VirtualHost to /not/ require
>>> LDAP authentication and then I was able to access my pages as 
>>> expected. So, I'm fairly sure that the problem is with the
>>> LDAP authentication module.
> 
>>> I now have another case that is failing and I have the 
>>> opportunity to inspect it in its failing state. Can you anyone 
>>> suggest a way to instrument the still-running, still-failing 
>>> httpd instance to figure out what the problem is?
> 
>>> This particular server has the following configuration as 
>>> reported by apachtctl -V:
> 
>>> Server version: Apache/2.2.29 (Unix) Server built:   Sep 15 
>>> 2014 19:41:45 Server's Module Magic Number: 20051115:36 Server 
>>> loaded: APR 1.5.0, APR-Util 1.4.1 Compiled using: APR 1.5.0, 
>>> APR-Util 1.4.1 Architecture:   32-bit Server MPM: Prefork 
>>> threaded: no forked: yes (variable process count)
> 
>>> Looking at a process list, I can see 8 processes. If I go to
>>> my browser and mash the RELOAD button, the browser reports a
>>> 500 response each time, and when I go back and check the
>>> process list, all the pids are the same, so the child processes
>>> are not crashing and failing to log errors before the die or 
>>> anything like that.
> 
>> I might have a lead on this ... the TLS certificate used by the 
>> LDAP server has expired. But, I have some httpd servers that are 
>> happily using it for authentication (likely due to the server 
>> restart of each one I've had to do).
> 
>> Any idea how I might be able to test this hypothesis? I'd prefer 
>> to nail this down and call the problem solved (by issuing a new 
>> certificate) rather than mask the real error if there is another 
>> one.
> 
> I updated the TLS certificate being used for the LDAP server and it
> appears to have had no effect on whats going on: I'm still getting
> 500 errors with no details in any logs. :(
> 
> Any suggestions?
> 
> -chris
> 
> -
>
>
To
> 
unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
> 
-BEGIN PGP SIGNATURE-
Version: GnuPG v1
Comment: GPGTools - http://gpgtools.org

iQIcBAEBCAAGBQJUNtEuAAoJEBzwKT+lPKRYGiMP/1yLrWa+0JNQviwXwisRJwrC
hcdN2YfLdjOodV5wl7T2wduxKwcK31fEA5DVmArufORibGfYfM7gWV/7xApr0jQx
XYVG2wUjBJdWwanwEYADeArxRdswtXuppVONHpzBYgO+FNhObU1tG1n1NltuLwjP
CCZpkj5ULVqaz+ZYB+lbNHuHmRhfFt7+2NTKviEb/huO3DpYLhLyXoSc6EQrBTh4
5IzwyAUBF2tVrZF7Z4QQATn4MqO4MxFJXawLxI+/EZlXKtETs+EW8Qe1k3xPPXJO
yNJb3qOjlQOuAoy59fw1t4njHcflqVZKcvtdUHXAB4VGdUUB3rL93gTr+1RMenjy
y1m0RN6spSY2AZ9ABeB2d3tapiywEHyIitaqoiTgE5hGVvEv+UohkFTH/Ym/VHMB
bEQGT+ifEMhwtdM91DvdAzrYuPr/+d3jxcFpqLL5i6aSMUwbbgHNA8m8r3rivb9F
bAMUFAoJnZtoQD5e1EPEqcD4haTxC43b/Z/Q9w5Yp9jFeL28vtRXBPVxvehCkh6q
BWfqYrTVb/sx2VZiGaGrRIOqbSz4C8K2zxL82TktRQraG4H05jloFgAY2fR9mMqe
v7L38Hq+5Bim5qDLTkH25tWLup7tG53vMWg0UVH29c6CWIEscAnZuPqs5MUAoZKS
ldIDlMDqYq1x44Byf3mc
=myfR
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] How is this possible? Apache sends HSTS on a non valid cert but user can proceed, on compatible browser

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256



On 10/6/14 5:52 PM, Scott (firstclasswatches.co.uk) wrote:
> Hello,
> 
> Not strictly a httpd specific issue but nevertheless, 
> Chrome/Firefox should ignore the header because it is not
> delivered with a valid certificate and thus there is no way of
> knowing if it was actually issued by the website.

Spec says in this exact case, the TLS connection should be refused:
http://tools.ietf.org/html/rfc6797#section-11.3

> You should get the expected result if you first respond with an 
> HSTS header in a valid TLS request and then /future/ requests 
> should be prevented from proceeding if there is a certificate 
> error.
> 
> This is why HSTS are being preloaded for major websites as that 
> would to cover the first request. For your average website there 
> isn't currently a solution to this.

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1
Comment: GPGTools - http://gpgtools.org

iQIcBAEBCAAGBQJUNtEzAAoJEBzwKT+lPKRYqfAQAIauntEj79ba/p69JD6qBjKZ
mt9XCUj7EEI3sWaQsGcOWVHuFh4y/udvYqdPPDb5I3T5y7uUAkrZw+6e++EvJqU1
1oD6ELwaAoiwkz/J7RgS7ecIqBAFJHm2GkQ8wrfo5MmQDrrpU33SIa8N2kqtxqfK
P+Hoou6vfvCQZHteXKDrwx9iRoZxQnlY532zt6yPWxx1Xza3unkXZHkB04g9b+Fp
iCd1Tk8whQ5S712GDA2WZr1Dgvx4SoHgWhEPd6lG9ez/2As1OabG7aGqfSnSo6lT
o/gz3+I27tpU0837ZuvPWsYJ85uTnonFz+qkol1hT49WOM3wd0PnAWAmHRhEqo9p
q76EMhqyAwoSd7L9fgh9FwnvJr+wmhvoYDxzcGzI3jCvv6BaN72dbsBZEpRy1qSj
1RNHlY2MxBNPdxf9SJqQIgkVXzMGLw/4sTxZWA73R3MtYqvmHe1YlDHTvPFfvUVU
Wv+kpXPgFC+7VDa7tzeSnI6SNCU+CB1hrZdBmsoRhWYb5p8oE6msSgTwPB6G19gD
hDfTTGhl8WrVkgCyYgrPLV51CsNX8yueL1LYpJRjsG9OCii5pjzGBcjJ5ri3PsRx
zbFB2SPA0hD68Iyp2R0qEfKpRpK/kXwVv/V2xVB7F9zrVcBTQHXzWzLEc99OxDHG
3GIKbzBqmNUECA+qZOyq
=MX2I
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] httpd 2.2 and 2.4; 500 errors with no logs at all

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

All,

On 10/5/14 10:23 AM, Christopher Schultz wrote:
> All,
> 
> On 10/5/14 10:01 AM, Christopher Schultz wrote:
>> All,
> 
>> Over the past week, I've had 4 separate httpd servers running 2.2
>>  and 2.4 start failing with the generic "Internal Server Error"
>> page and a 500 response.
> 
>> The only logs generated are the access log, which of course 
>> indicates a 500-response. So, no error logs, no syslogs, no 
>> nothing.
> 
>> We have a couple of redirects configured using something like 
>> "RedirectMatch 301 "^/$" https://hostname/"; and these are 
>> processed and I get a 302 response which redirects to another
>> page that fails.
> 
>> All of the pages that are failing are using HTTP Basic 
>> authentication with an LDAPS authentication module
>> (mod_authz_ldap) to a remote server. Other httpd instances are
>> currently successfully authenticating against this LDAP server,
>> so the LDAP server itself doesn't appear to be a problem.
> 
>> In the other cases, an httpd restart has fixed the problem. 
>> Triggering a config reload (/etc/init.d/httpd reload on my 
>> RHEL-compatible VM) will allow the configuration to reload and
>> does not change the situation with the errors (i.e. the errors
>> still occur).
> 
>> I was able to reconfigure the VirtualHost to /not/ require LDAP 
>> authentication and then I was able to access my pages as
>> expected. So, I'm fairly sure that the problem is with the LDAP 
>> authentication module.
> 
>> I now have another case that is failing and I have the
>> opportunity to inspect it in its failing state. Can you anyone
>> suggest a way to instrument the still-running, still-failing
>> httpd instance to figure out what the problem is?
> 
>> This particular server has the following configuration as
>> reported by apachtctl -V:
> 
>> Server version: Apache/2.2.29 (Unix) Server built:   Sep 15 2014
>>  19:41:45 Server's Module Magic Number: 20051115:36 Server
>> loaded: APR 1.5.0, APR-Util 1.4.1 Compiled using: APR 1.5.0,
>> APR-Util 1.4.1 Architecture:   32-bit Server MPM: Prefork
>> threaded: no forked: yes (variable process count)
> 
>> Looking at a process list, I can see 8 processes. If I go to my 
>> browser and mash the RELOAD button, the browser reports a 500 
>> response each time, and when I go back and check the process
>> list, all the pids are the same, so the child processes are not
>> crashing and failing to log errors before the die or anything
>> like that.
> 
> I might have a lead on this ... the TLS certificate used by the
> LDAP server has expired. But, I have some httpd servers that are
> happily using it for authentication (likely due to the server
> restart of each one I've had to do).
> 
> Any idea how I might be able to test this hypothesis? I'd prefer
> to nail this down and call the problem solved (by issuing a new 
> certificate) rather than mask the real error if there is another
> one.

I updated the TLS certificate being used for the LDAP server and it
appears to have had no effect on whats going on: I'm still getting 500
errors with no details in any logs. :(

Any suggestions?

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1
Comment: GPGTools - http://gpgtools.org

iQIcBAEBCAAGBQJUMVtXAAoJEBzwKT+lPKRY/o8QAJ9HXA+AE2nFZz5BVJWj6IRK
tyIudhUcK/SDDq3T6eELxqkaF8AlHuOGlN5ugbCfJ/+GkUBydD2fD2ofsVvIHpiP
q9La4yy029XmhvXmrX4+ncyRY9hKh7BJEak2inUZIOksnNlK9NF14PfnySoH+3jr
tkPdi+QMo30d5N25GcWsm8iIGaOuv9dXGz8p7v71TpSTN7PGSC+6mgZWrlSFu0aa
4QKehO/c2lidU5Eqhw1LsIVJ5wQ8SktX4TwNfqCvaXP3w0zjsIxsvrfPA6qQqM85
cBhGBmf3PLoIxFwu0So3PHr9uEbHvcD0MI6Hbst7mN7kHGypCiQCT+IrhvuGhYHN
3sOYWxJxGkBTyg5bpvlvaWX5jt8lfQP+T1ahFgvqTyn+b/77vAoksOXvN/AOvuuD
kAsmaKUtKshsTfEYCjUu8FzjKHxoM8EJt00EKaPAgTOcmlS1J1aLgmRSnclY5pLH
rxTjhxhW3gOcvVa3J/9ZDOt7K6fX5TI6fLXDG3XiPKa0Fug08SINlB26NB6iA9LX
dwGKDxEPpEyqAPdS9Aof1GfqmNr3NVv5sFJ2gJ2wj1Gy5009MLuM4pXktkRHBjPo
yOoQx+BRJfCAfV7Z7ErrNgFqUEsnqgrNMVFFL09zLJd6DPh/8VYKhAIqs6rmEP7s
oVAQ0S4vm0Mic8H/AmHc
=VAwN
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] httpd 2.2 and 2.4; 500 errors with no logs at all

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

All,

On 10/5/14 10:01 AM, Christopher Schultz wrote:
> All,
> 
> Over the past week, I've had 4 separate httpd servers running 2.2 
> and 2.4 start failing with the generic "Internal Server Error" page
> and a 500 response.
> 
> The only logs generated are the access log, which of course 
> indicates a 500-response. So, no error logs, no syslogs, no 
> nothing.
> 
> We have a couple of redirects configured using something like 
> "RedirectMatch 301 "^/$" https://hostname/"; and these are
> processed and I get a 302 response which redirects to another page
> that fails.
> 
> All of the pages that are failing are using HTTP Basic 
> authentication with an LDAPS authentication module (mod_authz_ldap)
> to a remote server. Other httpd instances are currently
> successfully authenticating against this LDAP server, so the LDAP
> server itself doesn't appear to be a problem.
> 
> In the other cases, an httpd restart has fixed the problem. 
> Triggering a config reload (/etc/init.d/httpd reload on my 
> RHEL-compatible VM) will allow the configuration to reload and does
> not change the situation with the errors (i.e. the errors still
> occur).
> 
> I was able to reconfigure the VirtualHost to /not/ require LDAP 
> authentication and then I was able to access my pages as expected.
>  So, I'm fairly sure that the problem is with the LDAP 
> authentication module.
> 
> I now have another case that is failing and I have the opportunity
>  to inspect it in its failing state. Can you anyone suggest a way
> to instrument the still-running, still-failing httpd instance to 
> figure out what the problem is?
> 
> This particular server has the following configuration as reported
>  by apachtctl -V:
> 
> Server version: Apache/2.2.29 (Unix) Server built:   Sep 15 2014 
> 19:41:45 Server's Module Magic Number: 20051115:36 Server loaded: 
> APR 1.5.0, APR-Util 1.4.1 Compiled using: APR 1.5.0, APR-Util
> 1.4.1 Architecture:   32-bit Server MPM: Prefork threaded: no
> forked: yes (variable process count)
> 
> Looking at a process list, I can see 8 processes. If I go to my 
> browser and mash the RELOAD button, the browser reports a 500 
> response each time, and when I go back and check the process list,
>  all the pids are the same, so the child processes are not crashing
>  and failing to log errors before the die or anything like that.

I might have a lead on this ... the TLS certificate used by the LDAP
server has expired. But, I have some httpd servers that are happily
using it for authentication (likely due to the server restart of each
one I've had to do).

Any idea how I might be able to test this hypothesis? I'd prefer to
nail this down and call the problem solved (by issuing a new
certificate) rather than mask the real error if there is another one.

Thanks,
- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1
Comment: GPGTools - http://gpgtools.org

iQIcBAEBCAAGBQJUMVRnAAoJEBzwKT+lPKRY3QMQAIImsJ6IgR1nZGknWAemViSs
Yl0E0nA4Yi1c2+Po/AJrMQyZhplpqZY0p7jToCuzYw2DzFfURuHKIdsphm1ZdbK1
6vmCslwb+ao0VpTRGnKsVaQDik7ZoIX5rF8MvXWZLOZmgnOATMu0eu17SVOJoVxZ
hGCy2QAEoIBHBtuJoo2XdAWYlYzJkw5zI0Nkg1yNIhjXQioloZkMBHct/yljBg5q
3IwXbJWDMGhPEjpK2Rr6WZF1Ur4K35rUJre4ZAFwRY1Ej70CRDJachMXjW1Hjet8
to2BsY0Y8XJs7PbXACg7T0zqV5LoSpB8GDrD8t7gSjqJgHJ+l9mKR+DeCPSnNtR4
cRDcIxDaxz5DKvaUkXnfj3G33iSO0QiTyOZj4i26bb4N/Sx2v7IZ5t3vCEVTb13J
wksQU9mFuzCx7vemw8G+HPTDitIPQc51gljEik6uxodJYuhLKWWGOEWcOMUbqSU6
LToJtyYMBNNQ1SIRzQzn/w7JuXuzAhbQWc1uZvKE8FY2mfyENOj1ppf8MXUCXHTB
svw+jEqgAbgjA2yAX9WHqJCmbmUUMq75yuoS2n0R4kU8vf3YBZPigM/nJmjbz21o
6n5FdVq2Gt9KrSMd3T2sGjZ3ZDlOLO1/kE3j4Ibv9atT88HnGtADOA4O8ZsNJGw5
PCB/2dToPLU3psHGwvnn
=DDRJ
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] httpd 2.2 and 2.4; 500 errors with no logs at all

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

All,

Over the past week, I've had 4 separate httpd servers running 2.2 and
2.4 start failing with the generic "Internal Server Error" page and a
500 response.

The only logs generated are the access log, which of course indicates
a 500-response. So, no error logs, no syslogs, no nothing.

We have a couple of redirects configured using something like
"RedirectMatch 301 "^/$" https://hostname/"; and these are processed
and I get a 302 response which redirects to another page that fails.

All of the pages that are failing are using HTTP Basic authentication
with an LDAPS authentication module (mod_authz_ldap) to a remote
server. Other httpd instances are currently successfully
authenticating against this LDAP server, so the LDAP server itself
doesn't appear to be a problem.

In the other cases, an httpd restart has fixed the problem. Triggering
a config reload (/etc/init.d/httpd reload on my RHEL-compatible VM)
will allow the configuration to reload and does not change the
situation with the errors (i.e. the errors still occur).

I was able to reconfigure the VirtualHost to /not/ require LDAP
authentication and then I was able to access my pages as expected. So,
I'm fairly sure that the problem is with the LDAP authentication module.

I now have another case that is failing and I have the opportunity to
inspect it in its failing state. Can you anyone suggest a way to
instrument the still-running, still-failing httpd instance to figure
out what the problem is?

This particular server has the following configuration as reported by
apachtctl -V:

Server version: Apache/2.2.29 (Unix)
Server built:   Sep 15 2014 19:41:45
Server's Module Magic Number: 20051115:36
Server loaded:  APR 1.5.0, APR-Util 1.4.1
Compiled using: APR 1.5.0, APR-Util 1.4.1
Architecture:   32-bit
Server MPM: Prefork
  threaded: no
forked: yes (variable process count)

Looking at a process list, I can see 8 processes. If I go to my
browser and mash the RELOAD button, the browser reports a 500 response
each time, and when I go back and check the process list, all the pids
are the same, so the child processes are not crashing and failing to
log errors before the die or anything like that.

Thanks in advance,
- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1
Comment: GPGTools - http://gpgtools.org

iQIcBAEBCAAGBQJUMU9FAAoJEBzwKT+lPKRYCwoQAIJo8PuPGL7pWtFXeAUaZPjb
+kLOTi9BB2qmoDS0/ggnVt3CQo5cHE3SSwRn1wAMTsSzMLMedgW8TdO92jRZz3VR
CQogOeq91/0du9EsmoQIVEf2hevlW9AfLwYTtEPmYDQXU4Ucwc12e7L24a20crjF
PTrewtleyb183cbjqkH95xNBRmezadFsR18BTqHmK97wVrM2mmSJuh1C0L1NFVpD
xxyd4wlXXB3RXEu3bttD9vjgVoVtCcMHgv1q2N8Df77Nftls1/WnLm+mrzMAFhxl
zg81pTxflyz72b9leslwF8eo0/I2kwyMxXDDkdTFXgCl3dwz04MV/w+6LlnWt1D/
xo5j/LITLnuKD10KKGcQpolEABKcr8ObvOYnFIBXFxwsB+XoHFYooVm2AIaID+Wa
WFWlFKBMUdEypAgAm3lpsIluvf2EzF5m6eyYr7GqxN294Jo763H7AR7tY9h86tF9
cq4d1rpH+l0LYS1aA+qwLeKB6LXHYEZM6E5XIydxluz5CreJJ4sIrJMIeESXF4lm
Z5WQvTVGT6P9C7BvgbB+/RjMa4B5DHoXc/y2uVv2KAKpjbV0YP9HYEldRGx3RwyU
evYkbyGMeOb51eATuI4T61LbbAlVk1uuBJsOXY6+9JN3UTMSqwce4DOM1jo+r69G
k08PUIBgcCQWFWjOaE3t
=mQaP
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] mod_remoteip not setting client's ip with AWS ELB

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Mike,

On 10/2/14 2:27 PM, Mike Rumph wrote:
> On 10/2/2014 11:07 AM, Christopher Schultz wrote:
>> -BEGIN PGP SIGNED MESSAGE- Hash: SHA256
>> 
>> Mike,
>> 
>> Okay, using %a works when using mod_remoteip. AWS Linux uses %h 
>> by default for its httpd.conf definition of "combined" log 
>> format, so I've changed that and I'm getting the logging I 
>> desire.
>> 
>> I'll try to replicate the behavior in httpd 2.2 without 
>> mod_remoteip we well.
>> 
>> Thanks, - -chris
>> 
> Hello Christopher,
> 
> It looks like my replies got a little out of sync with yours.
> 
> In Apache httpd 2.4 with mod_remoteip enabled and correctly 
> configured, the %a field will contain the true original client IP 
> address. Otherwise, the %a field will contain the IP address of
> the most immediate remote host.

That's what I'm seeing. Thanks! (The last piece was changing %h -> %a
in my log formats. I can't seem to find any ErrorLogFormat defined in
my configuration, and there is no documentation for the "default"
format so I can't really verify that I have an acceptable
ErrorLogFormat. I'm having trouble getting an error bad enough to log
:) In httpd 2.2, a 404 counted as an error and so it's easy to test to
see what IP address gets logged.

> For 2.2, the contents of the X-* headers is probably the only way 
> to get the true client IP address. From I can tell, in your 
> configuration there is only one proxy between the client and the 
> destination server, so your X-Forwarded-For headers would probably 
> only contain a single value. But one thing to keep in mind is that 
> the X-Forwarded-For header could contain a list of IP addresses.

Yup. I have done the best I think I can for httpd 2.2, like this:

# Handle ELB requests; maintain client information
SetEnvIf X-Forwarded-Proto "https" HTTPS=On
SetEnvIf X-Forwarded-For "(.*)" REMOTE_ADDR=$1 JK_REMOTE_ADDR=$1
SetEnvIf X-Forwarded-Port "(.*)" JK_LOCAL_PORT=$1
# Only allow requests directly from the load-balancer

  Order deny,allow
  Deny from all
  Allow from 10.0.0.0/8

# The following line has been split over multiple lines.
# httpd doesn't support this; it's for email readability only
SetEnvIf X-Forwarded-For \
"^.*?(\d{1,3}+\.\d{1,3}+\.\d{1,3}+\.\d{1,3}+)" \
XFFCLIENTIP=$1
LogFormat "... %{XFFCLIENTIP}e ..." format-name
CustomLog access_log format-name

This will right me the right-most IP address from X-Forwarded-For
which, in my case, ought to be the client's actual IP address or some
outside proxy. I haven't yet played-around with setting that header
from my client to see what happens at the ELB stage. I suspect they
will adhere to the spec and /add/ the client's IP to whatever was
there. If they don't, it's okay with me: I'll end up observing the
same IP address I would have in the past because I've been ignoring
any X-Forwarded-For headers thus far.

Thanks for the help,
- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1
Comment: GPGTools - http://gpgtools.org

iQIcBAEBCAAGBQJULcF8AAoJEBzwKT+lPKRYrh4QAMLfxMp+u/zTItzbvsqdRZIg
R+yk7gcFxZK5aK6hFZaO4OdFOGmKh9epCAZQnn8rDABtg9DoXBuHDQj5VdCAhsFt
Kps7t0DjAK9Vyqjb/QtsLMR9K1qLqVHyRrgrLmzmLoiWaBpPZMCzqscp7T5ihlTS
9qVRKghioLtzaVP/7hoCBVm4G86W8ZZuwcPQqrmNM6qj6+QnA0uKSWmIGtZBqFKn
iIiR/JDP87nzQ5qe+UejZE5rQgnGGIm8R/9hT+VSgD/boDsdTXJTitxkxlK4GwqJ
QvOEfWrupsva3jp1OG10RCCqC9+1kMqbvZHII6r93CsxgW44dQyhNIYbGGkBF0f+
7f4+GXFagofDVdUumQGtUrHDO4nwT4ECTQy0UdUscWL4rziQjzxC1zTeYhGvLQP1
jJKRiNv1W9Yjb7uGMgYxLkEHu8u2fZNVEuKorlWl/UM6dN0n5wFPceCDeRGY83we
A5IMpYM+5fiZ4uI4L80/CcjpcKSMDMzqirLMbuADjZpifQympbi2MP6/npDaYg+Y
Xj9PHJdX1CL7/2UM281gY9+A96OSf6WLnjfyBzOn0UZhrXJtokraCeEiiyxfw280
0bOYUt4vGWsGH2qkTjIxBNAMfmFsEPlJKuy415q+aa5JDFoRx5+Q7DD72T6oVpd9
t9hG2gYvVUYxMC+O2TUA
=j6ZX
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] mod_remoteip not setting client's ip with AWS ELB

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Mike,

On 10/2/14 1:18 PM, Mike Rumph wrote:
> It just occurred to me that you might be referring to the first
> field (%h) in your log records. This is going to be the remote
> hostname. So this is showing the IP address of your immediate
> proxy. If you want to see the true original client IP address (as
> calculated by mod_remoteip), you should add the %a field to your
> LogFormat directive. -
> http://httpd.apache.org/docs/2.4/mod/mod_log_config.html#formats

Okay, using %a works when using mod_remoteip. AWS Linux uses %h by
default for its httpd.conf definition of "combined" log format, so
I've changed that and I'm getting the logging I desire.

I'll try to replicate the behavior in httpd 2.2 without mod_remoteip
we well.

Thanks,
- -chris

> On 10/2/2014 9:04 AM, Mike Rumph wrote:
>> Hello Christopher,
>> 
>> Since you are running 2.4.10, you have the latest mod_remoteip
>> fixes. But I think the problem is in the directives that you are
>> using:
>> 
>> RemoteIPHeader X-Forwarded-For #RemoteIPTrustedProxy 10.0.0.0/8
>> 
>> 
>> If you only use the RemoteIPHeader directive, then the default is
>> to treat all proxies as external trusted proxies. Having
>> RemoteIPTrustedProxy set for all your proxies would have the same
>> effect.
>> 
>> I assume by your 10.0.0.0/8 mask that this matches your proxy
>> addresses. But 10.0.0.0/8 is a mask for internal IP addresses. So
>> your proxies will not be accepted as external proxies. And your
>> true client ip address will not be used.
>> 
>> Try the following directives instead:
>> 
>> RemoteIPHeader X-Forwarded-For RemoteIPInternalProxy 10.0.0.0/8
>> 
>> Let us know if this works for you.
>> 
>> Thanks,
>> 
>> Mike Rumph
>> 
>> On 10/2/2014 6:46 AM, Christopher Schultz wrote:
>>> Mike,
>>> 
>>> On 10/1/14 5:40 PM, Mike Rumph wrote:
>>>> What version of Apache httpd are you running?
>>> Thanks for the reply. We are running 2.4 and 2.2 on various
>>> servers, but I'm starting with this one:
>>> 
>>> Server version: Apache/2.4.10 (Amazon) Server built:   Jul 30
>>> 2014 23:57:28
>>> 
>>> This is the httpd package that Amazon bundles with its Amazon
>>> Linux. If possible, I'd prefer to continue to use their
>>> packages.
>>> 
>>>> There have been some mod_remoteip fixes in recent 2.4.x
>>>> releases.
>>>> 
>>>> You could also try setting up some LogFormat directives as in
>>>> bug 55635 to get more information on this. -
>>>> https://issues.apache.org/bugzilla/show_bug.cgi?id=55635#c1
>>> I'll modify my log format and post what I get under various 
>>> circumstances.
>>> 
>>> FWIW, I currently have no "Allow" or "Deny" directives in
>>> effect. I was planing eventually to say "Allow from 10/8" or
>>> something equivalent to only allow connections to this virtual
>>> host from the load-balancer. If that's not going to work, it's
>>> easily done at the OS or firewall level.
>>> 
>>> Thanks, -chris
>>> 
>>>> On 10/1/2014 11:00 AM, Christopher Schultz wrote:
>>>>> All,
>>>>> 
>>>>> I'm trying to get httpd working behind an AWS ELB but still
>>>>> using the remote client's information whenever possible.
>>>>> 
>>>>> ELB provides the X-Forwarded-For, X-Forwarded-Port, and 
>>>>> X-Forwarded-Proto HTTP headers. My configuration looks like
>>>>> this:
>>>>> 
>>>>> RemoteIPHeader X-Forwarded-For #RemoteIPTrustedProxy
>>>>> 10.0.0.0/8
>>>>> 
>>>>> (I commented-out the RemoteIPTrustedProxy line to see if
>>>>> that was the problem, and it does not appear to have
>>>>> changed the behavior).
>>>>> 
>>>>> My true client IP address is 71.178.xxx.yyy and I'm making
>>>>> a request through the load balancer. I'm using PHP's
>>>>> "phpinfo()" to dump everything about the request. I can see
>>>>> that the X-Forwarded-For header has been /removed/ from the
>>>>> request (which mod_remoteip says will happen), but I'm
>>>>> still getting the ELB's IP address in my access logs:
>>>>> 
>>>>> 10.32.xxx.yyy - - [01/Oct/2014:17:59:27 +] 

Re: [users@httpd] mod_remoteip not setting client's ip with AWS ELB

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Mike,

On 10/2/14 1:18 PM, Mike Rumph wrote:
> It just occurred to me that you might be referring to the first
> field (%h) in your log records.

Precisely.

> This is going to be the remote hostname. So this is showing the IP
> address of your immediate proxy.

That's what I'm observing.

> If you want to see the true original client IP address (as
> calculated by mod_remoteip), you should add the %a field to your
> LogFormat directive. -
> http://httpd.apache.org/docs/2.4/mod/mod_log_config.html#formats

Okay, it looked like that's what I should add. I just wanted some
confirmation that %a was correct even with mod_remoteip. For httpd
2.2, would I just use "%{X-Forwarded-For}i" since mod_remoteip is not
available?

Lol, just found this write-up. I'll be reading the whole thing about
now:
http://knowledgevoid.com/blog/2012/01/13/logging-the-correct-ip-address-using-apache-2-2-x-and-amazons-elastic-load-balancer/

Thanks,
- -chris

> On 10/2/2014 9:04 AM, Mike Rumph wrote:
>> Hello Christopher,
>> 
>> Since you are running 2.4.10, you have the latest mod_remoteip
>> fixes. But I think the problem is in the directives that you are
>> using:
>> 
>> RemoteIPHeader X-Forwarded-For #RemoteIPTrustedProxy 10.0.0.0/8
>> 
>> 
>> If you only use the RemoteIPHeader directive, then the default is
>> to treat all proxies as external trusted proxies. Having
>> RemoteIPTrustedProxy set for all your proxies would have the same
>> effect.
>> 
>> I assume by your 10.0.0.0/8 mask that this matches your proxy
>> addresses. But 10.0.0.0/8 is a mask for internal IP addresses. So
>> your proxies will not be accepted as external proxies. And your
>> true client ip address will not be used.
>> 
>> Try the following directives instead:
>> 
>> RemoteIPHeader X-Forwarded-For RemoteIPInternalProxy 10.0.0.0/8
>> 
>> Let us know if this works for you.
>> 
>> Thanks,
>> 
>> Mike Rumph
>> 
>> On 10/2/2014 6:46 AM, Christopher Schultz wrote:
>>> Mike,
>>> 
>>> On 10/1/14 5:40 PM, Mike Rumph wrote:
>>>> What version of Apache httpd are you running?
>>> Thanks for the reply. We are running 2.4 and 2.2 on various
>>> servers, but I'm starting with this one:
>>> 
>>> Server version: Apache/2.4.10 (Amazon) Server built:   Jul 30
>>> 2014 23:57:28
>>> 
>>> This is the httpd package that Amazon bundles with its Amazon
>>> Linux. If possible, I'd prefer to continue to use their
>>> packages.
>>> 
>>>> There have been some mod_remoteip fixes in recent 2.4.x
>>>> releases.
>>>> 
>>>> You could also try setting up some LogFormat directives as in
>>>> bug 55635 to get more information on this. -
>>>> https://issues.apache.org/bugzilla/show_bug.cgi?id=55635#c1
>>> I'll modify my log format and post what I get under various 
>>> circumstances.
>>> 
>>> FWIW, I currently have no "Allow" or "Deny" directives in
>>> effect. I was planing eventually to say "Allow from 10/8" or
>>> something equivalent to only allow connections to this virtual
>>> host from the load-balancer. If that's not going to work, it's
>>> easily done at the OS or firewall level.
>>> 
>>> Thanks, -chris
>>> 
>>>> On 10/1/2014 11:00 AM, Christopher Schultz wrote:
>>>>> All,
>>>>> 
>>>>> I'm trying to get httpd working behind an AWS ELB but still
>>>>> using the remote client's information whenever possible.
>>>>> 
>>>>> ELB provides the X-Forwarded-For, X-Forwarded-Port, and 
>>>>> X-Forwarded-Proto HTTP headers. My configuration looks like
>>>>> this:
>>>>> 
>>>>> RemoteIPHeader X-Forwarded-For #RemoteIPTrustedProxy
>>>>> 10.0.0.0/8
>>>>> 
>>>>> (I commented-out the RemoteIPTrustedProxy line to see if
>>>>> that was the problem, and it does not appear to have
>>>>> changed the behavior).
>>>>> 
>>>>> My true client IP address is 71.178.xxx.yyy and I'm making
>>>>> a request through the load balancer. I'm using PHP's
>>>>> "phpinfo()" to dump everything about the request. I can see
>>>>> that the X-Forwarded-For header has been /removed/ from the
>>>>> request (which mod_remoteip says will

Re: [users@httpd] mod_remoteip not setting client's ip with AWS ELB

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Mike,

On 10/2/14 12:37 PM, Christopher Schultz wrote:
> With my above configuration, I got a line in my (your) access log
> that looks like this:
> 
> 10.32.219.77 71.178.180.80 10.32.219.77 xf="-" - - 
> [02/Oct/2014:16:33:39 +] "GET" "GET /tools/info.php HTTP/1.1&"
> "&" 200 74249 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9;
> rv:32.0) Gecko/20100101 Firefox/32.0" pid=25180 tid=2846788416
> time_ms=10079
> 
> The log format for that is: "%h %a %{c}a xf=\"%{X-Forwarded-For}i\"
> %l %u %t \"%m\" \"%r&\" \"%q&\" %>s %b \"%{Referer}i\"
> \"%{User-Agent}i\" pid=%{pid}P tid=%{tid}P time_ms=%D"
> 
> I'll change the RemoteIPTrustedProxy to RemoteIPInternalProxy and 
> enable it and see what happens.

With this configuration:

  RemoteIPHeader X-Forwarded-Form
  RemoteIPInternalProxy 10.0.0.0/8

I get this access log:

10.64.51.235 71.178.180.80 10.64.51.235 xf="-" - -
[02/Oct/2014:16:38:51 +] "GET" "GET /tools/info.php HTTP/1.1&" "&"
200 74692 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0)
Gecko/20100101 Firefox/32.0" pid=25339 tid=3014642496 time_ms=14507

In both cases, logging a standard %h for remote IP gives me the
address of the load-balancer. Is that to be expected?

I'm hooking this up to Apache Tomcat on the back-end, and it seems
that Tomcat thinks the "REMOTE_ADDR" for the client is my actual IP
address and not that of the lb/proxy.

Am I just not using the right access log format when under a proxied
configuration?

For Apache 2.2, it looks like mod_remoteip is not an option. I was
considering using a configuration similar to this to get the same effect:

SetEnvIf X-Forwarded-Proto "https" HTTPS=On
SetEnvIf X-Forwarded-For "(.*)" REMOTE_ADDR=$1
SetEnvIf X-Forwarded-Port "(.*)" SERVER_PORT=$1

Is that an appropriate comparable configuration? I'd probably have to
replace "%h" with "%{X-Forwarded-For}i" in the combined log format.
Should I be doing that even when mod_remoteip is in use as well?

Thanks,
- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1
Comment: GPGTools - http://gpgtools.org

iQIcBAEBCAAGBQJULYOXAAoJEBzwKT+lPKRYC2wP/2Jm9mn/jGdxjarEDkp2EU+E
UIGUSLMHA3JDn3wY1DklXSfQMowpLFIwEgaeqiT+pXu+Y/VByBXKRRF9AT6Dps6m
XHIxbS2WU/3q1/DSt+C0JXSIZ7DtRAOm04SMSVscKKdOW44SXQ5U8e2K+ivfEBGy
1xycVLEy8Hb0oAKiOkY+Xe5U6++So5fzshDVo/6x68xaGZQTyy6hiFbPIRGU42nK
xIbEaQJY12Oc09J5JN3y7tetejMVjWrOJ47cnmubBK5EwkwK45ekFKzc1uKHKhzC
ZIq8ebmstTfGwpRQdc1LPDe3dyPElanEJu3VMuxWvEo9iSjBwd0JHmTIb26XNeco
nlo5VasGVlaNZOjgCDb8bVykGtxgw6308zMH+5zsycGLN6H0g50UMUhcqM3RcjYf
IG9PquMEx2uLc068wsj92/K7XSNj5nLLRNdDC+I8i1GTJbuyIBWrXsic9AYGDow6
/8krLuBdkMcSAep6FiQdelcLzjU39Ve0hQDzsa/kbpyGf5YoMG4hzOw/ZXRrmIwF
SHgg2lbhP4cyNg9AOANftCxSZFUsKafLdlOsUHtk0oJOi5AQvUr9CkELiyU/lksv
nb9gs/uwXrUvv6+b/uJ023W1WOz87p5r6u7Woy0EjdqtiVPCI5ZYODl9OUgvdADa
epLeLUo2wujvmwHKi+Db
=mysF
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] mod_remoteip not setting client's ip with AWS ELB

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Mike,

On 10/2/14 12:04 PM, Mike Rumph wrote:
> Since you are running 2.4.10, you have the latest mod_remoteip
> fixes. But I think the problem is in the directives that you are
> using:
> 
> RemoteIPHeader X-Forwarded-For #RemoteIPTrustedProxy 10.0.0.0/8
> 
> 
> If you only use the RemoteIPHeader directive, then the default is
> to treat all proxies as external trusted proxies.

Correct. I'm okay with that for the moment. Uncommenting the second
directive didn't change anything.

> Having RemoteIPTrustedProxy set for all your proxies would have the
> same effect.

That's what I'll eventually end up with.

> I assume by your 10.0.0.0/8 mask that this matches your proxy
> addresses. But 10.0.0.0/8 is a mask for internal IP addresses. So
> your proxies will not be accepted as external proxies. And your
> true client ip address will not be used.

Hmm. Maybe I have things mixed up in my head, then.

The AWS ELB will have an address 10.something and so will my actual
server running httpd.

> Try the following directives instead:
> 
> RemoteIPHeader X-Forwarded-For RemoteIPInternalProxy 10.0.0.0/8
> 
> Let us know if this works for you.

I'll try that. With my above configuration, I got a line in my (your)
access log that looks like this:

10.32.219.77 71.178.180.80 10.32.219.77 xf="-" - -
[02/Oct/2014:16:33:39 +] "GET" "GET /tools/info.php HTTP/1.1&" "&"
200 74249 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0)
Gecko/20100101 Firefox/32.0" pid=25180 tid=2846788416 time_ms=10079

The log format for that is:
"%h %a %{c}a xf=\"%{X-Forwarded-For}i\" %l %u %t \"%m\" \"%r&\"
\"%q&\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" pid=%{pid}P
tid=%{tid}P time_ms=%D"

I'll change the RemoteIPTrustedProxy to RemoteIPInternalProxy and
enable it and see what happens.

I think I may have been confused by the fact that the X-Forwarded-For
header was being removed... I assumed that meant that mod_remoteip was
trusting the IP address and actually using it.

Thanks,
- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1
Comment: GPGTools - http://gpgtools.org

iQIcBAEBCAAGBQJULX8/AAoJEBzwKT+lPKRYodwQALnN6a4eateTmFMUh5pBFFjy
IcgaNzLEVy8hbXZbitiSq5Hr1B/lQDDf5IYE80smW2njk9Y5nzFfifJ/c3Bv979b
67rkEg5EznreaKLKGQhGuLlY2jBtoNUGiiuPyBnbPF9ML+6C02Md7VKCxEcGcjLm
9l7yCy1e0QPd4g9wdyuFFfaSt7P83VLw8/D/GqJNlt2AbSD2iusTmZ+zGe8GCA8x
q/wFGm+/fGWhrD46oZCYUMUVpcqsSbu/ybaUZqXRmOYWsdH+NT5gK0RxwG+plUuF
Qy2kc6Ld0Pka79+lh4wrUhNYXgadw82tis+Q7A+zm2/wsqjyzb224XSdC1Aubcd8
U+ERcUn7ynI1lflOQyMvmIR0f+492Okgu/Teek4HeUz4pFQE6ftJ4Hiffhkhlv4A
ld/Uq6u9IDpp/BuEs5I73Z5XtY0Dw4kiA41jihKFoo8ap2FHfRJAHVsMobdwpSS5
xwU3Pd4ETCU8dM0tr6QwT0rsi0ugXIEwzB8U4wKszUEv6TDPhnbuudl6OIIFpfi3
2E6dZGXTIDrzbji3bECF/KKu/BgzFRrnkuyOmUAV2j+lMxPPHzRL9kk5QDTrTa/+
NKcPugDB8MG4DM0+boeMZijQ3rLQxYTdA7nmn1cezJ9bOnkKinlfBCiWOZIuXLSq
r64y5KxPAkBGsXXjmOxQ
=eLSS
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] mod_remoteip not setting client's ip with AWS ELB

[Christopher Schultz]

Mike,

On 10/1/14 5:40 PM, Mike Rumph wrote:
> What version of Apache httpd are you running?

Thanks for the reply. We are running 2.4 and 2.2 on various servers, but
I'm starting with this one:

Server version: Apache/2.4.10 (Amazon)
Server built:   Jul 30 2014 23:57:28

This is the httpd package that Amazon bundles with its Amazon Linux. If
possible, I'd prefer to continue to use their packages.

> There have been some mod_remoteip fixes in recent 2.4.x releases.
> 
> You could also try setting up some LogFormat directives as in bug 55635
> to get more information on this.
> - https://issues.apache.org/bugzilla/show_bug.cgi?id=55635#c1

I'll modify my log format and post what I get under various circumstances.

FWIW, I currently have no "Allow" or "Deny" directives in effect. I was
planing eventually to say "Allow from 10/8" or something equivalent to
only allow connections to this virtual host from the load-balancer. If
that's not going to work, it's easily done at the OS or firewall level.

Thanks,
-chris

> On 10/1/2014 11:00 AM, Christopher Schultz wrote:
>> All,
>>
>> I'm trying to get httpd working behind an AWS ELB but still using the
>> remote client's information whenever possible.
>>
>> ELB provides the X-Forwarded-For, X-Forwarded-Port, and
>> X-Forwarded-Proto HTTP headers. My configuration looks like this:
>>
>>  RemoteIPHeader X-Forwarded-For
>>  #RemoteIPTrustedProxy 10.0.0.0/8
>>
>> (I commented-out the RemoteIPTrustedProxy line to see if that was the
>> problem, and it does not appear to have changed the behavior).
>>
>> My true client IP address is 71.178.xxx.yyy and I'm making a request
>> through the load balancer. I'm using PHP's "phpinfo()" to dump
>> everything about the request. I can see that the X-Forwarded-For header
>> has been /removed/ from the request (which mod_remoteip says will
>> happen), but I'm still getting the ELB's IP address in my access logs:
>>
>> 10.32.xxx.yyy - - [01/Oct/2014:17:59:27 +] "GET /info.php HTTP/1.1"
>> 200 72810 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0)
>> Gecko/20100101 Firefox/32.0"
>>
>> I have definitely restarted httpd and mod_remoteip is definitely enabled
>> (no errors on start, X-Forwarded-For header is being removed from the
>> headers).
>>
>> Am I missing something in my configuration?
>>
>> Thanks,
>> -chris
>>
> 
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
> 



signature.asc
Description: OpenPGP digital signature