Re: [users@httpd] Flexible Worker Configuration for Dynamic Shared Object (DSO) Deployment

2024-04-27 Thread Daniel Ferradal Márquez 

On 18/04/2024 16:50, Sarkar Tarun Kumar (ETAS-SEC/XPC-Bo1) wrote:

Hello,
...

My requirement is treating one of the services, specifically Service4, 
differently.


Apache should only spawn a single instance of Service4 and refrain from 
terminating the process until Apache server restarts.


Meanwhile, the remaining three services should continue behaving as 
before, initially spawning five instances and adjusting based on load.


My question is whether it is feasible to achieve this mixed treatment 
within a single Apache server through configuration changes.

>...

Only achievable with two different service instances, as in an Apache Farm.


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] RewriteMap and patterns

2024-03-15 Thread Daniel Ferradal Márquez 

On 12/03/2024 20:45, Dave Wreski wrote:



If I understood correctly you want the resulting path to be loaded by 
your php-fpm backend.


Do you have a fallbackresource, such as:
"FallbackResource /index.php" or similar?

If not, then you may want to add it.


Yes, that's correct, I'm using php-fpm. I don't currently have a 
fallbackresource. I'll add it, if necessary, but I'd also like to 
identify the actual source reason why it's happening in the first place. 
How do I troubleshoot this further?


Thanks,
Dave






What I would do is RewriteRule with just [L] tag for internal 
redirection or [R,L] if you don't mind the redirection to be external.


Since I haven't seen the whole configuration my guess is you don't have 
the proper handler defined for the resulting url and that's why you get 
a 404, and in those cases a is when fallbackresource is ideal, to hand 
those requests to where they must end.


Generally when I use passthrough [PT] is because the end url will be 
dealt with the appropiate handler, but you don't seem to have a rule for 
the destination to be handled in php, so how come you expect anything 
else other than a 404?


That is briefly what I would do:

First make the proper redirections:

  RewriteEngine on
  RewriteMap lsv2ids "txt:/etc/httpd/conf.d/linuxsecurity-lsv2ids.map"
  RewriteRule "/content/view/(.*)" "${lsv2ids:$1}" [R,L]

Define the fallback for requests not ending in PHP but for which I hand 
the php handler to deal them.

  FallbackResource /index.php

Define the handler for php file requests

  SetHandler "proxy:unix:/run/php-fpm/linuxsecurity.sock|fcgi://localhost"


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Question Error apache

2023-11-09 Thread Daniel Ferradal 
El lun, 6 nov 2023 a las 12:05, Nacho Herrerías ()
escribió:

> I have a problem with Apache. Now and then i get an alert from my SIEM,
> telling me this: auditd: process ended abnormally type=ANOM_ABEND
> msg=audit(1699052664.898:938628): auid=4294967295 uid=1001 gid=1002
> ses=4294967295 pid=32043 comm="httpd" exe="/usr/sbin/httpd" sig=7 res=1
> AUID="unset" UID="censored" GID="censored"
>
> The thing is that Apache (2.4.58) is working fine, and its been working
> the all time, what can I do to stop getting this error from Apache?
>


If Apache HTTPD shows nothing in its error.log, then your SIEM is not
functioning correctly.

-- 
Daniel Ferradal
HTTPD Project
#httpd help at Libera.Chat

Re: [users@httpd] Apache 2.4 Balancer still sends requests to the server with status "Init Err"

2023-11-03 Thread Daniel Ferradal 
El vie, 3 nov 2023 a las 9:36,  escribió:

>
>
> Now when the first server is in "bad condition" (192.168.1.40:8443 is
> available, but the server does not respond), Apache waits 10 s and than it
> sends 502 error to client, instead of using the second server. What is
> wrong? Thanks in advance.
>
>
timeout is making it wait 10 seconds to see if server responds in that time
because it is taking long to answer but has accepted the connection, if you
want to make it wait less, adjust it.

AFAIK, httpd does not send the request to the other balancer member until
the first has failed, so at least you will get one failure for 30 seconds
and a wait of 10 every time httpd retries a backend that is failing.

Someone may correct me though, but I haven't managed with your setup,
perhaps reaching this point you can try with mod_proxy_hcheck. Although
timeouts are tricky.

-- 
Daniel Ferradal
HTTPD Project
#httpd help at Libera.Chat

Re: [users@httpd] Apache 2.4 Balancer still sends requests to the server with status "Init Err"

2023-11-01 Thread Daniel Ferradal 
El mié, 1 nov 2023 a las 8:32,  escribió:

> Hello everybody.
>
> I use Apache 2.4.37 on Red Hat as balancer for two Tomcat servers. We have
> this configuration of balancer:
> 
> BalancerMember https://192.168.1.40:8443 route=TOMCAT_SRV1 timeout=60
> ping=1ms
> BalancerMember https://192.168.1.50:8443 route=TOMCAT_SRV2 timeout=60
> ping=500ms
> ProxySet stickysession=JSESSIONID|jsessionid
> ProxySet lbmethod=byrequests
> ProxySet nofailover=off
> 
> For testing reasons, I have reduced the ping value to 1 ms for one server.
>
> During test calls Load Balancer Manager shows server status "Init Err" and
> Apache error log shows these errors:
> [Tue Oct 31 17:01:38.075395 2023] [proxy_http:error] [pid 151375:tid
> 140535126157056] (70007)The timeout specified has expired: [client
> xxx.xxx.xxx.xxx:33855] AH01102: error reading status line from remote
> server 192.168.1.40:8443, referer: https://xy
> [Tue Oct 31 17:01:38.075453 2023] [proxy:error] [pid 151375:tid
> 140535126157056] [client xxx.xxx.xxx.xxx:33855] AH00898: Timeout on
> 100-Continue returned by /tomcat, referer: https://xy
>
> But I can still see requests from Apache in the request log of the server
> 192.168.1.40. How do I configure the load balancer to stop sending requests
> to the server 192.168.1.40 for a defined period of time after detecting the
> "Init Err" status and only send them to the other server in the cluster?
> Thank you very much in advance for your help.
>
>
"failontimeout" by default is off, you may want to turn it on for your
testing purposes.


-- 
Daniel Ferradal
HTTPD Project
#httpd help at Libera.Chat

Re: [users@httpd] Is it true that Nginx is faster, more secure and better than Apache?

2023-09-30 Thread Daniel Ferradal 
>
>> Why are they trollish? I am curious to learn more.
>>
>>
Perhaps because you asked the same question in 2021, you got a very
constructive response and still you are asking the same thing two years
later...

-- 
Daniel Ferradal
HTTPD Project
#httpd help at Libera.Chat

Re: [users@httpd] Inquiry about apache httpd compile option

2023-09-20 Thread Daniel Ferradal 
El mié, 20 sept 2023 a las 9:03, (대학원생) 양성현 (컴퓨터공학과) ()
escribió:

> I appreciate you for your response.
>
> I understand that some ./configure flags can affect the httpd executable.
>
> May I know some examples which ./configure flag affects the httpd
> executable?
> --
> *보낸 사람:* Eric Covener 
> *보낸 날짜:* 2023년 9월 19일 화요일 오전 1:39
> *받는 사람:* users@httpd.apache.org 
> *제목:* Re: [users@httpd] Inquiry about apache httpd compile option
>
> > Does apache httpd binary depend on the compile options?
>
> It may, but a change to a ./configure flag will not necessarily affect
> the httpd executable.
>
>
>
What you need to understand is that httpd is quite modular and most
configure options (just run ./configure --help to see the available
options) will probably just impact the modules that end up being compiled
along with httpd.

So check the output of ./configure --help and test different options
according to your needs and test in a non system path (at least at first
until you get to know what you are doing), that is:

 ./configure --prefix=/home/your-user/httpd-test ..

-- 
Daniel Ferradal
HTTPD Project
#httpd help at Libera.Chat

Re: [users@httpd] How do I choose the best settings for the Apache Server?

2023-09-15 Thread Daniel Ferradal 
El vie, 15 sept 2023 a las 13:36, Daniel Ferradal ()
escribió:

>
> When I probably recommended  MaxSpareThreads == to MaxRequestWorkers was
> due to Apache httpd with third party modules not restarting gracefully,
> that along to MaxConnectionsPerChild 0 would prevent HTTPD from trying to
> restart them.
>
> I meant httpd server child processes not restarting gracefully

-- 
Daniel Ferradal
HTTPD Project
#httpd help at Libera.Chat

Re: [users@httpd] How do I choose the best settings for the Apache Server?

2023-09-15 Thread Daniel Ferradal 
El vie, 15 sept 2023 a las 12:38, Mike Dewhirst ()
escribió:

>
> # After reading
> https://www.liquidweb.com/kb/apache-performance-tuning-apache-mpm-modules/
> 
> ServerLimit 32
> StartServers16
> MinSpareThreads 400
> #MaxSpareThreads 250 increase == MaxRequestWorkers
> dferra...@apache.org
> MaxSpareThreads 800
> ThreadLimit 64
> ThreadsPerChild 50
> AsyncRequestWorkerFactor2
> MaxRequestWorkers   800
> MaxConnectionsPerChild  0
> 
>
>
>
>
When I probably recommended  MaxSpareThreads == to MaxRequestWorkers was
due to Apache httpd with third party modules not restarting gracefully,
that along to MaxConnectionsPerChild 0 would prevent HTTPD from trying to
restart them.

Where did you get this?

Also I keep wondering why people assign so many processes, StartServers 16?
In a threaded mpm?

Why not just assign just 2 or even 4, and assign 100, 200 worker threads
each?

-- 
Daniel Ferradal
HTTPD Project
#httpd help at Libera.Chat

Re: [users@httpd] Error log output specification

2023-09-06 Thread Daniel Ferradal 
El jue, 24 ago 2023 a las 10:29, 芹澤 由梨 () escribió:

>
> I am using Apache HTTP Server 2.4.46 on Windows Server 2016.
>
> I would like to check the specifications for the message
> "AH00326: Server ran out of threads to serve requests. Consider raising
> the ThreadsPerChild setting".
>
> ・If this state continues, will it be output periodically?
>
> ・If the situation is temporarily resolved and the threshold is exceeded
> again, will it be re-output each time?
>
> Thank you.
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>
>
In my experience from a certain version is that the error does not repeat
at all, at least for a long period of time. Lost track of which version
exactly and where in the changelog is mentioned.

-- 
Daniel Ferradal
HTTPD Project
#httpd help at Libera.Chat

Re: [users@httpd] loading shop.example.com in www.test.com/shop/

2023-08-20 Thread Daniel Ferradal 
El vie, 4 ago 2023 a las 15:19, Marc () escribió:

>
>  29 
>  30 ProxyPass"https://shop.example.com/;
>  31 ProxyPassReverse "https://shop.example.com/;
>  32
>  33 Options +Indexes +ExecCGI +FollowSymLinks -MultiViews
>  34 Order Allow,Deny
>  35 Allow from all
>  36 
>  37
>
> Home page loads fine however, I have static urls in html pages to
> https://shop.example.com/ is it possible to have those rewriten to /
> relative urls?
>

You can rewrite anything yes, but the simpler you configure it the better
in the long run.

On another note, you should not still be using Order/Allow/Deny directives,
those are deprecated.

About the whole thing:

I would just create two virtualhosts with their
appropriate documentroots and configurations in virtualhost, that would be
the simplest, less painful, more straightforward way to do it generally.


-- 
Daniel Ferradal
HTTPD Project
#httpd help at Libera.Chat

Re: [users@httpd] Enable two way SSL on Apache httpd web server.

2023-08-18 Thread Daniel Ferradal 
El vie, 18 ago 2023 a las 3:24, Kaushal Shriyan ()
escribió:

> Hi,
>
> I am running Apache httpd version: Apache/2.4.57 on CentOS Linux
> release 7.9.2009 (Core). Is there a way to enable two way SSL on Apache web
> server?
>
> # httpd -v
> Server version: Apache/2.4.57 (IUS)
> Server built:   Apr  7 2023 14:49:47
> # cat /etc/redhat-release
> CentOS Linux release 7.9.2009 (Core)
> #
>
> Please guide me. Thanks in Advance.
>
> Best Regards,
>
> Kaushal
>

Hello,

It is quite simple.

You just need basically two directives:

SSLVerifyClient require
and
SSLCACertificateFile /path/to/list-of-cas.crt

In this second directives you just need to add the root CA/s of the CA that
signs your client certificates.


-- 
Daniel Ferradal
HTTPD Project
#httpd help at Libera.Chat

Re: [users@httpd] allow general access after 1 auth

2023-08-13 Thread Daniel Ferradal 
El dom, 13 ago 2023 14:45, Will Fatherley  escribió:

>
>
>>  No, that doesn't satisfy the following:
>>
>> > If someone authenticates on https://www.example.com/webapp, the url is
>> available for everyone.
>
>
>> Could the complicating allow directive sequence be placed in an if/else
> type of scope that uses some elements of the deciding session?


But why are you using deprecated Order, Allow,Deny directives , use
Require, still if I understand correctly what you want to do is not part of
the http scope, but more something related to programming.

>

Re: [users@httpd] loading shop.example.com in www.test.com/shop/

2023-08-04 Thread Daniel Ferradal 
El jue, 3 ago 2023 a las 22:33, Marc () escribió:

> I was wondering if it is even possible to publish an existing shop hosted
> on the subdomain shop.example.com and show it as a 'folder' in
> www.test.com/shop. Will I have problems with browsers (cookies?). I don't
> want to resolve this on the file system because both have different
> uid/gids on files.
>


You can just Alias /shop/ /path/to/documentrootof/shop.example.com/

 From the http server side, there are a few ways to do it, Alias, internal
redirects, reverse proxy.

As per "cookies" that's another thing entirely related to the application
not the http server itself.

If you need you can try to tweak them with the help of mod_headers module
or perhaps reverse proxy from one place to another and try to tweak with
mod_proxy directives ProxyPassReverseCookieDomain and
PRoxyPassReverseCookiePath. What it is for sure is you have low chances of
getting away without paying close attention to the behaviour from your
application.


-- 
Daniel Ferradal
HTTPD Project
#httpd help at Libera.Chat

Re: [users@httpd] Need help with correlating HTTP request with a database call

2023-07-30 Thread Daniel Ferradal 
El mar, 4 jul 2023 a las 20:00, Antony Stone (<
antony.st...@apache.open.source.it>) escribió:

> On Tuesday 04 July 2023 at 18:52:10, Sudesh Gowda J wrote:
>
> > I'm currently working on a project where Apache server is being used
> with a
> > database. I need to find out which HTTP request maps to which database
> call
> > without modifying the server code(eg., Logs).


Perhaps this is the best way.

Surely you could identify those requests with some specific request header
and the best way to get those is to print them in the logs, as you can
print any request header that comes with the request.

In any case you don't have to change your actual log, CustomLog can be
defined several times with different formats if needed and you will get a
different log from each CustomLog directive (just make sure to change the
name of the log).
So you can have your usual log and add another format and log to capture
those you want to focus related to the database you mention.

Cheers

-- 
Daniel Ferradal
HTTPD Project
#httpd help at Libera.Chat

Re: [users@httpd] Cannot authenticate (after six years)

2023-07-26 Thread Daniel Ferradal 
 httpd.conf attached. See line 169. (httpd service is running.)
>>>  If I enter the following url it should bring up a login box: 
>>> http://172.18.0.20/~hoff (It no longer does.)
>>>  Error_log: [Thu Jul 20 21:39:57.913337 2023] [core:error] [pid 3460:tid 
>>> 3522] (13)Permission denied: [client 172.18.0.97:54422] AH00035: access to 
>>> /~hoff/index.html denied (filesystem path 
>>> '/home/hoff/public_html/index.html') because search permissions are missing 
>>> on a component of the path
>>>
>> AH00035: access to /~hoff/index.html denied (filesystem path
'/home/hoff/public_html/index.html') because search permissions are missing
on a component of the path

-

Perhaps /home has different permissions that do not allow apache
user travel to  /home/hoff/public_html/index.htmlor perhaps your umask
is more restrictive generating directories.




-- 
Daniel Ferradal
HTTPD Project
#httpd help at Libera.Chat

Re: [users@httpd] Re: Apache2 certificate authentication

2023-07-25 Thread Daniel Ferradal 
>> [Mon Jul 10 03:20:37.629596 2023] [ssl:error] [pid 2410] [client
>> 192.168.0.5:64817] AH10158: cannot perform post-handshake authentication
>> [Mon Jul 10 03:20:37.629633 2023] [ssl:error] [pid 2410] SSL Library
>> Error: error:0A000117:SSL routines::extension not received
>>
>
This has nothing to do with your certificates, but with TLS protocol.

This is TLSv1.3 no doubt, you just have to go to "about:config" in firefox
and enable post-handshake authentication and that's why apache is telling
you that the extension is not being received as in firefox not sending it.
(look for handshake keyword).

When a directory configuration is different from general TLS configuration,
such as when requiring a certificate in a subdirectory, a renegotiation
occurs.

Being TLSv1.3, browsers such as Firefox have it disabled by default. If
your apache server only allows TLSv1.2 you won't have this issue. As per
the reason why browsers are doing this, can't remember it exactly what it
is, a google search should shed some light I guess.

-- 
Daniel Ferradal
HTTPD Project
#httpd help at Libera.Chat

Re: [users@httpd] RewriteRule and priorities

2023-07-25 Thread Daniel Ferradal 
El lun, 17 jul 2023 a las 12:09, Konstantin Kolinko ()
escribió:

> пн, 17 июл. 2023 г. в 05:24, Dave Wreski  .invalid>:
> >
> > Hi,
> >
> > I have a rewriterule like:
> >
> > RewriteRule ^/blog/(.*) /resources/blog/$1 [L,R=301]
> >
> > but I also have several instances where there are exceptions. In other
> words, I have an article at /blog/ that I want to be redirected to some
> place other than /resources/blog. How can I do this?
> >
>
>

I would start by defining exceptions first like Konstantino says, but I
would also try to avoid greedy expressions like (.*) which match absolutely
everything and tend to complicate things in the long run.

You can also try to use negative lookahead expressions which are used to
define exceptions like the ones you seem to describe, example:
/blog/(?!whatever_you_want_to_exclude)(.+)  /resources/blog/$1 [L,R=301]
(not negative lookahead group is not captured therefore it generates no
variable value.

When dealing with regular expressions a site or somewhere where to test
them is ideal too, I fancy debuggex.com in PCRE mode for example.

-- 
Daniel Ferradal
HTTPD Project
#httpd help at Libera.Chat

Re: [users@httpd] Double or chained proxy with mod_proxy

2023-06-27 Thread Daniel Ferradal 
El jue, 8 jun 2023 a las 19:28, Charlie Calhoun
() escribió:

>
> I have a reverse proxy set up and working correctly for an internal
> website. I have now been asked to create another proxy to connect to the
> reverse proxy (and ultimately the internal website). The second proxy does
> not have direct network access to the internal website, but it does have
> network access to the reverse proxy. Its function is to provide access to
> that internal website for parts of our network that don't have access to
> the reverse proxy or the internal website.
>
> I have tried setting the second proxy as a reverse proxy pointing to the
> original reverse proxy, but this gave "Bad Request" errors. Then I tried
> setting it as a forward proxy, then started playing with ProxyRemote and
> NoProxy, but nothing seems to work. I expect that when I go to
> "secondproxy.local.domain:listenport", it should return the internal
> website, just like what happens when I go to
> "originalreverseproxy.local.domain:listenport"
>
> Is this possible? What do I need to do to achieve this?
>
>
>
Probably you are mixing protocols, like reverse proxy responds to https and
you have set up connection as http or similar, that is one of the most
simple cases of "bad request", or maybe missing "SSLProxyEngine on"
directive when backend you are proxying to uses SSL/TLS.

In any case if you don't show your configuration and error logs it is hard
to tell for sure.

>

-- 
Daniel Ferradal
HTTPD Project
#httpd help at Libera.Chat

Re: [users@httpd] Re: [EXTERNAL] Re: [users@httpd] OCSP Stapling Configuration Setup

2023-04-18 Thread Daniel Ferradal 
El lun, 17 abr 2023 a las 21:19, Quintin Ash () escribió:

> Yes I have that as well
> SSLVerifyClient require
> SSLVerifyDepth 10
>
> I also have FIPS enabled (not sure if that matters).
>
>
>
>>
Well, it should be working if everything is in the right place.

Increase debug level to trace7 and check the mod_ssl traces to see what is
really going on.

You can do this with LogLevel ssl:trace7

It is a good practice to share the configuration you have within its own
context, you can see what you really have, we can't. As in, you could have
SSLVerifyClient require in a path and the request going for another and
then that directive having no effect, etc.

Also turn "SSLOCSPOverrideResponder off" for these tests.


-- 
Daniel Ferradal
HTTPD Project
#httpd help at Libera.Chat

Re: [users@httpd] OCSP Stapling Configuration Setup

2023-04-17 Thread Daniel Ferradal 
El lun, 17 abr 2023 a las 17:29, Quintin Ash () escribió:

> Hello,
>
>
> I am working with OCSP and SSL Stapling and I want to know if this case is
> working as expected.
>
>
> I am trying to connect to Apache and I have a certificate that is revoked
> from the OCSP server. The OCSP server is responding as Revoked, but the
> connection is not getting rejected. This is a case where I would suspect
> that the connection should be rejected because the certificate is revoked,
> but it is not happening.
>
>
> Does anyone have experience with OCSP and SSL Stapling and is this
> configured correctly?
>
>
> Configuration:
>
> Apache 2.4.57
>
> OpenSSL 3.0.8
>
>
> SSLOCSPEnable on
>
> SSLOCSPDefaultResponder http://x.x.x.x:41233
>
> SSLOCSPOverrideResponder on
>
>
> Logs:
>
> [Thu Apr 13 10:42:14.734750 2023] [ssl:debug] [pid 1812:tid
> 139698106267200] ssl_util_ocsp.c(97): [client x.x.x.x:60742] AH01973:
> connecting to OCSP responder ‘x.x.x.x:41233'
>
> [Thu Apr 13 10:42:14.734815 2023] [ssl:debug] [pid 1812:tid
> 139698106267200] ssl_util_ocsp.c(125): [client x.x.x.x:60742] AH01975:
> sending request to OCSP responder
>
> [Thu Apr 13 10:42:14.739728 2023] [ssl:debug] [pid 1812:tid
> 139698106267200] ssl_util_ocsp.c(235): [client x.x.x.x:60742] AH01981: OCSP
> response header: Content-type: application/ocsp-response
>
> [Thu Apr 13 10:42:14.739751 2023] [ssl:debug] [pid 1812:tid
> 139698106267200] ssl_util_ocsp.c(235): [client x.x.x.x:60742] AH01981: OCSP
> response header: Content-Length: 2273
>
> [Thu Apr 13 10:42:14.739756 2023] [ssl:debug] [pid 1812:tid
> 139698106267200] ssl_util_ocsp.c(283): [client x.x.x.x:60742] AH01987: OCSP
> response: got 2273 bytes, 2273 total
>
> [Thu Apr 13 10:42:14.741198 2023] [ssl:debug] [pid 1812:tid
> 139698106267200] ssl_util_stapling.c(575): AH01942:
> stapling_renew_response: query response received
>
> [Thu Apr 13 10:42:14.741644 2023] [ssl:error] [pid 1812:tid
> 139698106267200] AH02969: stapling_check_response: response has certificate
> status revoked (reason: n/a) for serial number xxxx
>
> ——
>
>
>
>


In the information you provide you are at least missing the Location with:

SSLVerifyclient require

Do you have that?


-- 
Daniel Ferradal
HTTPD Project
#httpd help at Libera.Chat

Re: [users@httpd] old gen workers sticking around post 2.4.49

2023-04-12 Thread Daniel Ferradal 
I'd say much better to move to mpm_event and and php-fpm, ridding httpd of
PHP module and it's quirks in the process.

El mar, 11 abr 2023 23:24,  escribió:

> I wrote:
> > I'll try to reproduce the problem without mod_php.
> and:
> > Using "dehydrated -c -x" to drive my testing, I've hit the 7-day rate
> limit at
> > Let's Encrypt, so I'll have to come back to this.
>
> I can reproduce the problem pretty easily with mod_php loaded. Unloaded, I
> have
> been unable to reproduce it. I'll abandon that combination.
>
> Given that this is a low-traffic server, I think my next step will be
> migrate to
> prefork MPM, and if I run into performance issues, the step after that is
> php-fpm. Does that plan make sense?
>
> Cheers! Edward
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>
>
>
>

Re: [users@httpd] SSL_CLIENT_CERT sent empty.

2023-04-08 Thread Daniel Ferradal 
Hello,

For mod_ssl it is *%{SSL_CLIENT_CERT}x*

El mar, 4 abr 2023 a las 13:55, Juan Francisco Jiménez Pérez (<
jf.jimenezpe...@mnemo.com>) escribió:

> Hi!
>
> I have configured my apache server to request client certificates for
> authentication for a specific location match.
> This is how it is configured:
>
>
> * *
>
> *SSLOptions +ExportCertData +StdEnvVar*
> *SSLVerifyClient optional_no_ca*
>
>
> * Header always set  SSL-CLIENT-CERT "%{SSL_CLIENT_CERT}e"*
>
>
>
>
> * *
>
> Many times I have found that the value of the *SSL-CLIENT-CERT ,*after
> selecting a certificate,  returns an empty or a null string.
>
> Why is this happening if we are using valid certificates?
> Are there any log files where I can find the cause of this error?
>
> Thank you.
> Best regards
>
> Juan Francisco Jiménez Pérez
>
> Analista
>
> Área | MNEMO
> + 34 663 99 04 81
> jf.jimenezpe...@mnemo.com
> www.mnemo.com
> Cardenal Marcelo Spínola 14, 5ª planta, 28016 Madrid
> <https://www.mnemo.com/>
> [image: linkedin] <https://www.linkedin.com/company/mnemo/>
> [image: linkedin] <https://twitter.com/_Mnemo>
> [image: Instagram] <https://www.instagram.com/mnemo_ciber/>
> [image: Youtube] <https://www.youtube.com/user/GrupoMNEMO>
>


-- 
Daniel Ferradal
HTTPD Project
#httpd help at Libera.Chat

Re: [users@httpd] Compile with different version of ssl

2023-03-29 Thread Daniel Ferradal 
Make sure their libs are in use by the system in the session where you
want to compile httpd to use them.

That is,

export LD_LIBRARY_PATH="/path/to/openssl-1.1.1t/lib"

prior to the configure and make steps.

El mié, 29 mar 2023 a las 18:38, Chris me () escribió:
>
> Hi, I am trying to compile with --with-ssl=../openssl-1.1.1t, but it is being 
> ignored. How do I get this to work?



-- 
Daniel Ferradal
HTTPD Project
#httpd help at Libera.Chat

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Apache2 fails to listen on open port

2022-12-15 Thread Daniel Ferradal 
What does the apache error log say (not systemd)?

Also, am I seeing right? you specified "Listen localhost:4443 ssl;"
with a semicolon at the end?

Also specify it with ips , don't use names with Listen directive.

El vie, 16 dic 2022 a las 1:45, John Iliffe () escribió:
>
> Try
>
> systenctl httpd stop,
>
> then when ps -ef | grep httpd shows that httpd is gone
>
> systemctl httpd start
>
> to give the system time to release all the resources.
>
> John
> ==
> On Thu, 2022-12-15 at 17:28 -0700, Dan Nessett wrote:
> > Thanks for the info. However, I don’t believe any of the problems suggested 
> > in
> > the wiki apply.
> >
> > 1. The output from both lsof and netstat -plant indicate no other process is
> > using port 4443 either before or after apache2 is started
> >
> > 2. There does not seem to be conflicting Listen commands in the apache 
> > sites-
> > available files.
> >
> > 3. The Listen in 000-default.conf is: Listen localhost:4443 ssl; and the
> > Virtual Host entry is:  ServerName
> > coop.mountolive.com:4443 … localhost and coop.mountolive.com are both valid
> > values as is port 4443.
> >
> > 4. I believe systemctl status apache2.service starts apache2 as root
> >
> > 5. SELinux is not active, i.e.,
> >
> >   semanage port -l|grep http
> >   Command 'semanage' not found, but can be installed with:
> >   sudo apt install policycoreutils-python-utils
> >
> > I have attached output from the terminal commands that tests these 
> > hypotheses
> > to this message, as it is fairly long and including it in the body of the
> > message might make it hard to analyze.
> >
> > By the way, the apache2 version is: Server version: Apache/2.4.29 (Ubuntu)
> > Server built:   2022-06-23T12:51:37
> >
> > > On Dec 15, 2022, at 4:12 PM, Frank Gingras  wrote:
> > >
> > > Consider our wiki article for this:
> > >
> > > https://cwiki.apache.org/confluence/display/HTTPD/CouldNotBindToAddress
> > >
> > > >
> > > > -
> > > > To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> > > > For additional commands, e-mail: users-h...@httpd.apache.org
> > > >
> >
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>


-- 
Daniel Ferradal
HTTPD Project
#httpd help at Libera.Chat

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Bug? LDAPRetryDelay from mod_ldap uses the wrong unit

2022-12-02 Thread Daniel Ferradal 
Hello,

Please bring this up in the dev mailing list.

El vie, 18 nov 2022 a las 11:06, Stephen Blott ()
escribió:

> Hi,
>
> I'm not sure what to do with this.  Help would be appreciated.
>
> It's an apparent bug in mod_ldap relating to the LDAPRetryDelay option:
>https://httpd.apache.org/docs/2.4/mod/mod_ldap.html#ldapretrydelay
>
> Issue:
>   LDAP configuration option LDAPRetryDelay...
>
>   The Documentation suggests that the unit is seconds:
> https://httpd.apache.org/docs/2.4/mod/mod_ldap.html#ldapretrydelay
>
>   The code suggests that the unit is microseconds (see code chase, below).
>
> Effect:
>   Apache sometimes issues a burst of almost simultaneous LDAP search/bind
>   requests.
>
>   (In my organisation, this is "catastrophic" since, if the password is
>incorrect, it appears as N failed login attempts, and the account is
>instantly blocked (after just a single attempt). In practice,
>I've observed N in the region of 5 to 7.)
>
> Configuration option:
>
>   LDAPRetryDelay 5   (for example)
>
>   This sets the retry delay for LDAP connections.
>
>   In the code, this ends up here...
>
> In util_ldap_set_retry_delay (util_ldap.c:2859):
>
>   st->retry_delay = timeout;
>
>   Note... no unit conversion takes place; the code just checks that it's
>   a non-negative integer and notes the value for later.
>
> The delay is implemented in httpd/modules/ldap/util_ldap.c:668:
>
>   apr_sleep(st->retry_delay);
>
>   Note... we still appear to have the raw value from the configuration
>   file (nominally in seconds).
>
> If you search the code, you will find that apr_sleep() is *almost always*
> called like this:
>
>   apr_sleep(apr_time_from_sec())
>
>   That is, the unit expected is whatever is returned by
> apr_time_from_sec().
>
> In APR, apr_time_from_sec() is defined like this (apr/include/apr_time.h):
>
>   /** number of microseconds per second */
>   #define APR_USEC_PER_SEC APR_TIME_C(100)
>
>   .
>   .
>   .
>
>   /** @return seconds as an apr_time_t */
>   #define apr_time_from_sec(sec) ((apr_time_t)(sec) * APR_USEC_PER_SEC)
>
>   So, the result of apr_time_from_sec is in microseconds.
>
> It looks like the documentation is in seconds, but the implementation is
> in microseconds.
>
> Is my analysis correct?
>
> What do I do next?
>
> Thanks for reading.
>
> Steve
> --
>   Stephen Blott
>   Students... contact me on Slack: https://slack.computing.dcu.ie/
>   Staff... contact me on Slack: https://dcucommunity.slack.com/
>   Vanity Zoom room: https://dcu-ie.zoom.us/my/smblott
>   Rm: L1.02
>   School of Computing
>   Dublin City University, Glasnevin, Dublin, Ireland
>
>
>
> *Séanadh Ríomhphoist/Email DisclaimerTá an ríomhphost seo agus aon chomhad a 
> sheoltar leis faoi rún agus is lena úsáid ag an seolaí agus sin amháin é. Is 
> féidir tuilleadh a léamh anseo.  
> <https://sites.google.com/view/seanadh-riomhphoist>This e-mail and any files 
> transmitted with it are confidential and are intended solely for use by the 
> addressee. Read more here. 
> <https://sites.google.com/view/dcu-email-disclaimer>*
>
>
>
> <https://www.facebook.com/DCU/> <https://twitter.com/DCU>
> <https://www.linkedin.com/company/dublin-city-university>
> <https://www.instagram.com/dublincityuniversity/?hl=en>
> <https://www.youtube.com/user/DublinCityUniversity>
>


-- 
Daniel Ferradal
HTTPD Project
#httpd help at Libera.Chat

Re: [users@httpd] mod proxy hcheck not observing timeout value

2022-12-02 Thread Daniel Ferradal 
Hello,

Perhaps the dev list is a more appropriate place to bring this up. Cheers

El mar, 22 nov 2022 a las 9:39, Codeweavers ()
escribió:

> Hey Daniel,
>
> Would you be able to advise how I might push to get this change into
> 2.4.55? Or if there is someone I should be asking?
>
> Kind regards
>
> Ben
>
> On Fri, 18 Nov 2022 at 08:56, Codeweavers 
> wrote:
>
>> Hi Daniel,
>>
>> We initially had trouble as this patch seems from our testing to require
>> the timeout value set on the BalancerMember line of the configuration,
>> which to us was not immediately obvious (many parts of the configuration
>> seem to take a timeout that from the documents seem like it would
>> represent the same setting), though looking at the code that is patched and
>> the documentation I can see that the BalancerMember lines do represent
>> workers which I presume corresponds with the worker object code looks to be
>> pulling the value from.
>>
>> Kind regards
>>
>> Ben
>>
>> On Thu, 17 Nov 2022 at 18:35, Daniel Ferradal 
>> wrote:
>>
>>> Hello,
>>>
>>> I initially reported this in April 2021 and @Yann Ylavic quickly made a
>>> patch out of it. I am not sure why it didn't make it.
>>>
>>> You can see the conversation here for reference:
>>>
>>> https://httpd.markmail.org/message/xteh3uw53inl25gx?q=mod_proxy_hcheck+response+timeout%3F
>>>
>>> I also agree it is a good patch and although I initially had issues with
>>> it it was probably due to some problem on my part.
>>>
>>> Your confirmation may be good enough to validate it and propose it for
>>> next release perhaps?
>>>
>>> Thanks for bringing this back.
>>>
>>> Cheers
>>>
>>>
>>>
>>> El jue, 17 nov 2022 a las 17:26, Benjamin Davis (<
>>> benjaminda...@codeweavers.net>) escribió:
>>>
>>>> Hey All,
>>>>
>>>> we have apache2 2.4.54 setup as a load balancer for our IIS backend
>>>> servers. We would like to be able to carry out health checks using
>>>> mod_proxy_hcheck and check that the backend server is serving a webpage. We
>>>> have successfully set this up however in the event that a health check
>>>> request to the backend hangs, apache never reaches a timeout and therefore
>>>> the healthcheck doesn't fail.
>>>>
>>>> We have found a commit
>>>> https://github.com/apache/httpd/commit/ab2b9dbfb74049ad207a91c45971948127dde893
>>>>  that
>>>> fixes this issue, we have verified this by building apache with this change
>>>> applied and confirmed that when a timeout is provided in the apache
>>>> balancer configuration, specifically on the BalancerMember line, the
>>>> healthcheck(s) will timeout and put the backend into a failed state.
>>>>
>>>> This code is not in the latest apache release, does anyone have any
>>>> idea if this will be part of a future release? Or can advise regarding this
>>>> issue.
>>>>
>>>> Many thanks
>>>>
>>>> Ben
>>>>
>>>> --
>>>>
>>>> Ben Davis
>>>>
>>>> Infrastructure Engineer
>>>>
>>>>
>>>> Website: www.codeweavers.net
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> Barn 4, Dunston Business Village, ST18 9AB. Registered in England and
>>>> Wales
>>>>
>>>> No. 04092394 VAT registration no. 974 9705 63
>>>>
>>>>
>>>>
>>>
>>> --
>>> Daniel Ferradal
>>> HTTPD Project
>>> #httpd help at Libera.Chat
>>>
>>
>
>

-- 
Daniel Ferradal
HTTPD Project
#httpd help at Libera.Chat

Re: [users@httpd] Error AH03490: scoreboard is full, not at MaxRequestWorkers.Increase ServerLimit

2022-11-28 Thread Daniel Ferradal 
Hello,

In case something hogs the workers, until you figure out what and solve it:

MaxConnectionsPerChild 0 # inifinite connections per child so apache
does not try to gracefully shut them down.
MaxSpareThreads = MaxRequestWorkers

Never do a graceful restart.

This is what I had to do in production with certain older version of
apache in which mod_weblogic would cause the same behaviour you
describe

Cheers

El lun, 28 nov 2022 a las 5:28, Mike Dewhirst
() escribió:
>
> On 28/11/2022 12:09 pm, Mike Dewhirst wrote:
>
> On 26/11/2022 11:41 am, Mike Dewhirst wrote:
>
> On 24/11/2022 6:48 pm, Daniel Ferradal wrote:
>
> Some script is probably hogging the workers and not letting them close so if 
> you must, just restart, but judging by the amount of traffic you seem to have 
> at the time I would truncate in logrotate and not restart or reload the 
> server at all.
>
>
> I run a Python script on the production machine to delete the entire site 
> (including directory structure) then redeploy everything from the repo 
> whenever anything changes.
>
> On the basis that Apache (mod-wsgi) only reads the files once on reload, if 
> they also had the dead finger of my script or perhaps the Python interpreter 
> hanging on, that may well have "hogged" the workers.
>
> That script now restarts Apache instead of reload.
>
> I have now adjusted the logrotate script to avoid reload/restart logging 
> status as follows:
>
> /var/log/apache2/*.log {
> daily
> missingok
> rotate 14
> compress
> delaycompress
> notifempty
> copytruncate
> sharedscripts
> prerotate
> if [ -d /etc/logrotate.d/httpd-prerotate ]; then
> run-parts /etc/logrotate.d/httpd-prerotate
> fi
> endscript
> postrotate
> if pgrep -f ^/usr/sbin/apache2 > /dev/null; then
> invoke-rc.d apache2 status 2>&1 | logger -t apache2.logrotate
> fi
> endscript
> }
>
>
> ... and left the mpm-event settings as follows:
>
> 
> ServerLimit 32 # Thanks Eric 
> Covener
> StartServers16
> MinSpareThreads 400
> MaxSpareThreads 250
> ThreadLimit 64
> ThreadsPerChild 50
> AsyncRequestWorkerFactor2
> MaxRequestWorkers   800
> MaxConnectionsPerChild  0
> 
>
> I restarted the entire machine
>
> Next logrotate is 00:00 UTC -- I'll report tomorrow.
>
>
> Zero bytes in the error log since Saturday when I sent the above email.
>
> That covers the period with copytruncate in the Apache logrotate conf.
>
> I haven't updated the site so no restarts from me.
>
> I'll adjust the deployment script back to reload instead of restart before my 
> next deployment and report back.
>
>
> Errors recommence as follows:
>
> ... not an error but the reload after a deployment script run...
>
> [Mon Nov 28 01:17:06.605572 2022] [mpm_event:notice] [pid 920:tid 
> 140638735415168] AH00493: SIGUSR1 received.  Doing graceful restart
> [Mon Nov 28 01:17:06.699315 2022] [mpm_event:notice] [pid 920:tid 
> 140638735415168] AH00489: Apache/2.4.52 (Ubuntu) OpenSSL/3.0.2 mod_wsgi/4.9.0 
> Python/3.10 configured -- resuming normal operations
> [Mon Nov 28 01:17:06.699345 2022] [core:notice] [pid 920:tid 140638735415168] 
> AH00094: Command line: '/usr/sbin/apache2'
>
> ... lengthy period ensues with no errors followed by another deployment 
> reload ...
>
> [Mon Nov 28 03:16:44.368563 2022] [mpm_event:notice] [pid 920:tid 
> 140638735415168] AH00493: SIGUSR1 received.  Doing graceful restart
> [Mon Nov 28 03:16:44.502990 2022] [mpm_event:notice] [pid 920:tid 
> 140638735415168] AH00489: Apache/2.4.52 (Ubuntu) OpenSSL/3.0.2 mod_wsgi/4.9.0 
> Python/3.10 configured -- resuming normal operations
> [Mon Nov 28 03:16:44.503027 2022] [core:notice] [pid 920:tid 140638735415168] 
> AH00094: Command line: '/usr/sbin/apache2'
>
> ... another deployment script reload after a period with no errors ...
>
> [Mon Nov 28 04:08:02.215591 2022] [mpm_event:notice] [pid 920:tid 
> 140638735415168] AH00493: SIGUSR1 received.  Doing graceful restart
> [Mon Nov 28 04:08:02.319672 2022] [mpm_event:notice] [pid 920:tid 
> 140638735415168] AH00489: Apache/2.4.52 (Ubuntu) OpenSSL/3.0.2 mod_wsgi/4.9.0 
> Python/3.10 configured -- resuming normal operations
> [Mon Nov 28 04:08:02.319713 2022] [core:notice] [pid 920:tid 140638735415168] 
> AH00094: Command line: '/usr/sbin/apache2'
>
> ... but two seconds later ...
>
> [Mon Nov 28 04:08:04.324587 2022] [mpm_event:error] [pid 920:tid

Re: [users@httpd] Error AH03490: scoreboard is full, not at MaxRequestWorkers.Increase ServerLimit

2022-11-23 Thread Daniel Ferradal 
Some script is probably hogging the workers and not letting them close so
if you must, just restart, but judging by the amount of traffic you seem to
have at the time I would truncate in logrotate and not restart or reload
the server at all.

El jue, 24 nov 2022 2:38, Mike Dewhirst  escribió:

> On 24/11/2022 12:13 pm, Eric Covener wrote:
>
> Should I adjust /etc/logrotate.d/apache2 to restart instead of reload?
>
> How many entries for Apache logs are there, and how frequently do they
> rotate in logrotated?
>
>
> There are three Apache website logs and they rotate daily. Here is the
> script
>
> # /etc/logrotate.d/apache2
>
> /var/log/apache2/*.log {
> daily
> missingok
> rotate 14
> compress
> delaycompress
> notifempty
> create 0660 root adm
> sharedscripts
> prerotate
> if [ -d /etc/logrotate.d/httpd-prerotate ]; then
> run-parts /etc/logrotate.d/httpd-prerotate
> fi
> endscript
> postrotate
> if pgrep -f ^/usr/sbin/apache2 > /dev/null; then
> invoke-rc.d apache2 reload 2>&1 | logger -t apache2.logrotate
> fi
> endscript
> }
>
> # /etc/cron.daily/apache2
>
> #!/bin/sh
>
> # run htcacheclean if set to 'cron' mode
>
> set -e
> set -u
>
> type htcacheclean > /dev/null 2>&1 || exit 0
> [ -e /etc/default/apache-htcacheclean ] || exit 0
>
>
> # edit /etc/default/apache-htcacheclean to change this
> HTCACHECLEAN_MODE=daemon
> HTCACHECLEAN_RUN=auto
> HTCACHECLEAN_SIZE=300M
> HTCACHECLEAN_PATH=/var/cache/apache2/mod_cache_disk
> HTCACHECLEAN_OPTIONS=""
>
> . /etc/default/apache-htcacheclean
>
> [ "$HTCACHECLEAN_MODE" = "cron" ] || exit 0
>
> htcacheclean ${HTCACHECLEAN_OPTIONS}\
> -p${HTCACHECLEAN_PATH}\
> -l${HTCACHECLEAN_SIZE}
>
>
>
> I think there's a trick to batch them if there's very many. But it
> sounds like it's constantly doing rotation.
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>
>
>
> --
> Signed email is an absolute defence against phishing. This email has
> been signed with my private key. If you import my public key you can
> automatically decrypt my signature and be sure it came from me. Just
> ask and I'll send it to you. Your email software can handle signing.
>
>

Re: [users@httpd] OCSP Stapling Logs with mod_md

2022-11-17 Thread Daniel Ferradal 
Isn't OCSP and everything related to it directly related to mod_ssl?

When you say it was not in the error log, do you mean LogLevel
ssl:trace7 or which configuration did you have to try and get logs
about this?

El vie, 9 sept 2022 a las 9:15,  escribió:
>
> Hi everyone,
>
>
>
> We recently had issues renewing OCSP information with mod_md for Certificates 
> not managed by mod_md. The issue was not related to mod_md and there was no 
> interruption since the OCSP information is cached.
>
>
>
> While analyzing the issue, we noticed that even at high log levels some 
> information was not being logged in the Apache error log but only in mod_md’s 
> own job.json.
>
>
>
> Note that while it contains valuable information, job.json is complicated to 
> forward to centralized log servers because of its format.
>
>
>
> Is there any way to have these entries logged in the error log as well?
>
>
>
> Also, could the information in job.json be accessed over /md-status even when 
> there are no mod_md-managed certificates (currently the response only 
> contains the mod_md version string)?
>
>
>
> Thanks!
>
> Simon



-- 
Daniel Ferradal
HTTPD Project
#httpd help at Libera.Chat

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] mod proxy hcheck not observing timeout value

2022-11-17 Thread Daniel Ferradal 
Hello,

I initially reported this in April 2021 and @Yann Ylavic quickly made a
patch out of it. I am not sure why it didn't make it.

You can see the conversation here for reference:
https://httpd.markmail.org/message/xteh3uw53inl25gx?q=mod_proxy_hcheck+response+timeout%3F

I also agree it is a good patch and although I initially had issues with it
it was probably due to some problem on my part.

Your confirmation may be good enough to validate it and propose it for next
release perhaps?

Thanks for bringing this back.

Cheers



El jue, 17 nov 2022 a las 17:26, Benjamin Davis (<
benjaminda...@codeweavers.net>) escribió:

> Hey All,
>
> we have apache2 2.4.54 setup as a load balancer for our IIS backend
> servers. We would like to be able to carry out health checks using
> mod_proxy_hcheck and check that the backend server is serving a webpage. We
> have successfully set this up however in the event that a health check
> request to the backend hangs, apache never reaches a timeout and therefore
> the healthcheck doesn't fail.
>
> We have found a commit
> https://github.com/apache/httpd/commit/ab2b9dbfb74049ad207a91c45971948127dde893
>  that
> fixes this issue, we have verified this by building apache with this change
> applied and confirmed that when a timeout is provided in the apache
> balancer configuration, specifically on the BalancerMember line, the
> healthcheck(s) will timeout and put the backend into a failed state.
>
> This code is not in the latest apache release, does anyone have any idea
> if this will be part of a future release? Or can advise regarding this
> issue.
>
> Many thanks
>
> Ben
>
> --
>
> Ben Davis
>
> Infrastructure Engineer
>
>
> Website: www.codeweavers.net
>
>
>
>
>
> Barn 4, Dunston Business Village, ST18 9AB. Registered in England and
> Wales
>
> No. 04092394 VAT registration no. 974 9705 63
>
>
>

-- 
Daniel Ferradal
HTTPD Project
#httpd help at Libera.Chat

Re: [users@httpd] firefox shows default site page

2022-11-11 Thread Daniel Ferradal 
Allow me to step aside from your question for a moment, I believe if
you don't get the basics right you should just stop, this is very
important:

Directory directive specifies a directory in your filesystem, ***do
not ever allow anything in /***, even less the execution of cgi
scripts.

You are also mixing authz 2.2 directives with 2.4 directives.

And also allowing .htaccess files to be used throughout your whole
operative system.

Briefly it is a compendium of ill advice.

In your server config context you should define at least these:


Options None
AllowOverride none
Require all denied


and inside your virtualhost:

DocumentRoot /var/www/snappy

   #Options "add whatever options you do need, do not add random options .."
Require all granted


and then configure other directories or whatever you need for service.
But these above are the basics.

About including AllowOverride directive, only do if you want non-admin
users to setup specific directories configuration, set it up where it
is really needed (NOT EVER system wide), most times using .htaccess
will just complicate your life otherwise.

El vie, 11 nov 2022 a las 10:08,  escribió:
>
> Hello,
>
> I have this hostname: mail.openmbox.net
> when access it as http, it will be rewrited to https (rewrite and certs setup 
> by certbot automatically).
>
> this works fine in chrome browser.
>
> but when I access http://mail.openmbox.net in firefox, it will show the 
> default site.
>
> That's to say,
>
> http://mail.openmbox.net/ works correctly on chrome (show the correct site 
> and rewrite to https).
> but it shows the default site (ubuntu default html) on firefox as you can 
> test it as well.
>
> I am totally confused. can you help?
>
> Thanks.
>
> Additional info:
>
> The version:
> # apache2 -v
> Server version: Apache/2.4.41 (Ubuntu)
> Server built:   2022-06-14T13:30:55
>
> The config:
> 
>
> ServerAdmin webmaster@localhost
> ServerName mail.openmbox.net
> DocumentRoot /var/www/snappy
>
>
> ErrorLog ${APACHE_LOG_DIR}/error.log
> CustomLog ${APACHE_LOG_DIR}/access.log combined
>
>   
> Options +Indexes +FollowSymLinks +ExecCGI
> AllowOverride All
> Order deny,allow
> Allow from all
> Require all granted
>   
>
>   
>  Require all denied
>   
>
> RewriteEngine on
> RewriteCond %{SERVER_NAME} =mail.openmbox.net
> RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
> 
>
> ---------
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>


-- 
Daniel Ferradal
HTTPD Project
#httpd help at Libera.Chat

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Questionable URL being sent to our server

2022-11-01 Thread Daniel Ferradal 
When you have a server in a public network it will receive all sorts
of odd attempts and random useless connections, paying attention to
each and every one of them will just drive you nuts.

If you are really concerned, add IPS, Firewall, etc to your DMZ. But
going round and round over a few odd requests is practically futile.

El mar, 1 nov 2022 a las 18:33, Darryl Philip Baker
() escribió:
>
> While they do bother me, but I can’t just block a random cloud address the 
> source IP is probably dynamic so who know when any of them will be assigned 
> to something legit. I just wanted to be sure that there wasn’t a real 
> vulnerability they were trying to exploit. Obviously you can’t DDoS with a 
> single request but if they are just going for a DoS it has been possible to 
> do to some applications in the past with a small number of requests over 
> time. These request are appearing on all the nodes in the cluster. Since 
> nothing is mishandling the requests I will just monitor for any changes.
>
>
>
> Darryl Baker, GSEC, GCLD  (he/him/his)
>
> Sr. System Administrator
>
> Distributed Application Platform Services
>
> Northwestern University
>
> 4th Floor
>
> 2020 Ridge Avenue
>
> Evanston, IL  60208-0801
>
> darryl.ba...@northwestern.edu
>
> (847) 467-6674
>
>
>
> From: Frank Gingras 
> Reply-To: Apache httpd Users 
> Date: Tuesday, November 1, 2022 at 12:11 PM
> To: Apache httpd Users 
> Subject: Re: [users@httpd] Questionable URL being sent to our server
>
>
>
> I would not attribute this to a "DoS", as you can't really DoS httpd with a 
> single request. It looks like plain URL encoding.
>
>
>
> If those log entries bother you, firewall their IP range(s).
>
>
>
> On Tue, 1 Nov 2022 at 11:13, Darryl Philip Baker 
>  wrote:
>
> They are mostly using GET but there were a couple of HEAD requests. The 
> requests are coming from cloud accounts on Google and Amazon. They are using 
> several variations of the URL most get 404 errors, which is responded with by 
> a custom 404 page, this is the only one that is getting a 400 error.
>
>
>
> Darryl Baker, GSEC, GCLD  (he/him/his)
>
> Sr. System Administrator
>
> Distributed Application Platform Services
>
> Northwestern University
>
> 4th Floor
>
> 2020 Ridge Avenue
>
> Evanston, IL  60208-0801
>
> darryl.ba...@northwestern.edu
>
> (847) 467-6674
>
>
>
> From: Frank Gingras 
> Reply-To: Apache httpd Users 
> Date: Tuesday, November 1, 2022 at 9:32 AM
> To: Apache httpd Users 
> Subject: Re: [users@httpd] Questionable URL being sent to our server
>
>
>
> What is the HTTP method you see in the logs?
>
>
>
> Either way, they may trying to use your server as an open proxy, and failing 
> to do so.
>
>
>
>
>
> On Tue, 1 Nov 2022 at 10:27, Darryl Philip Baker 
>  wrote:
>
> We are getting a poorly formed URL being requested from our servers. Apache 
> is returning a 400 error but I am wondering if someone is try to exploit an 
> issue with some version of some web server out there. Maybe a Dos attack or 
> worse. Anyone have a clue what is being attempted?
>
>
>
> Sketchy URL: 
> https://www.northwestern.edu/accounting-scrvices/Annual%252ORepothtm
>
>
>
> Darryl Baker, GSEC, GCLD  (he/him/his)
>
> Sr. System Administrator
>
> Distributed Application Platform Services
>
> Northwestern University
>
> 4th Floor
>
> 2020 Ridge Avenue
>
> Evanston, IL  60208-0801
>
> darryl.ba...@northwestern.edu
>
> (847) 467-6674



-- 
Daniel Ferradal
HTTPD Project
#httpd help at Libera.Chat

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Tuning TLS of reverse proxy

2022-10-15 Thread Daniel Ferradal 
El jue, 6 oct 2022 a las 19:06, Will Fatherley
() escribió:
>
> Hi all,
>
> Please let me know if this is not suitable for the user distribution list—
>
> There is an interesting question on stack overflow regarding reverse proxy 
> handling of TLS protocol whereby the user is interested in having httpd (the 
> reverse proxy) tunnel incoming requests to a specific TLS implementation 
> (1.2) so that the resource server behind it (a Tomcat instance) doesn’t have 
> to alter its configuration. I’ve actually never seen a use of mod_ssl for 
> this, so if anybody wants to share on this thread or on SO a sequence of 
> directives that handle this, it would be nice to see and also solve a user’s 
> existing problem. The question is here:
> https://stackoverflow.com/q/73948261/14927325
>
> Best,
> Will

The question has a quite convoluted configuration but it all boils
down to Apache can specify which protocol and cipher it uses to
contact a backend server like in this case the Tomcat. The case, not
mentioned in the question, is, what version of Java does this tomcat
use?
Once you know that it would be easier to guess what the tomcat will
support, you just set SSLProxyProtocol or SSLProxyCipherSuite
directives accordingly then.



-- 
Daniel Ferradal
HTTPD Project
#httpd help at Libera.Chat

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Apache PHP-FPM Integration with mod_proxy_fcgi and multiple Users

2022-10-15 Thread Daniel Ferradal 
El vie, 7 oct 2022 a las 12:11, Patrik Peng
() escribió:
>
> On 06.10.22 16:03, Frank Gingras wrote:
> > The only solution is to remove the FileInfo override, and merge all
> > the changes in your vhost. Users should not be allowed to override the
> > vhost configuration.
> >
> > Yes, that means they also cannot add their own mod_rewrite recipes,
> > but that is a good thing.
>
> Thanks for the quick responses.
>
> I'm sorry, I may be misunderstanding but doesn't that break all kinds of
> CMS applications?
> WordPress contains rewrite rules in it's default htaccess file or also a
> simple nextcloud installation contains e.g. "SetEnvIfNoCase" which both
> will stop working.
>

It may be tedious work but it does not break anything if you integrate
them in virtualhost. It pays off to do things right, although it may
take some more time.


-- 
Daniel Ferradal
HTTPD Project
#httpd help at Libera.Chat

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] NameVirtualHost fails

2022-07-07 Thread Daniel Ferradal 
Yes,  and that config is a good compendium of bad advice and deprecated
directives.

El mié, 6 jul 2022 14:28, Frank Gingras  escribió:

> Paul,
>
> Not sure how your example helps with the OP issue at all.
>
> On Wed, 6 Jul 2022 at 06:40, Paul Kudla (SCOM.CA Internet Services Inc.) <
> p...@scom.ca> wrote:
>
>>
>> this is how my ssl, vhosts, redirects are setup maybe this will help
>>
>> note any ssl website name MUST equal a valid certificate or you will get
>> a cert mismatch error !!
>>
>> granted there are several cert authorities (free ssl etc) i have found
>> its just easier to get a resale account (lots of providers opensrs,
>> certigo, thwarte etc etc) and pay the 10.00 per cert.
>>
>> cert would be ok for www.xxx.com xnd xxx.com (aka you typically only
>> need one certificate per site.)
>>
>> not pushing any provider, just saying letsencrypt etc does not always
>> work reliabily or speed issues
>>
>>
>>
>> 
>> ServerName bedrockconstruction.ca
>> ServerAlias bedrockconstruction.ca
>> ServerAlias www.bedrockconstruction.ca
>> Redirect permanent / https://bedrockconstruction.ca/
>> 
>>
>> 
>> ServerName bedrockconstruction.ca
>> ServerAlias bedrockconstruction.ca
>> ServerAlias www.bedrockconstruction.ca
>> DocumentRoot /www/bedrockconstruction.ca
>>
>> SSLEngine on
>> SSLProtocol all
>> SSLCertificateFile
>> /www/bedrockconstruction.ca/ssl/bedrockconstruction.ca.crt
>> SSLCertificateKeyFile
>> /www/bedrockconstruction.ca/ssl/bedrockconstruction.ca.key
>> SSLCertificateChainFile
>> /www/bedrockconstruction.ca/ssl/bedrockconstruction.ca.chain
>>
>>
>> SuexecUserGroup www www
>>
>> 
>> 
>> Order Deny,Allow
>> Deny from All
>> 
>> 
>>
>> 
>> php_admin_value open_basedir /www/bedrockconstruction.ca:/var/log/
>> 
>>
>> 
>> php_admin_value sys_temp_dir /www/bedrockconstruction.ca/tmp/
>> 
>>
>> 
>> php_admin_value session.save_path /www/bedrockconstruction.ca/tmp/
>> 
>>
>> 
>> php_admin_value soap.wsdl_cache_dir /www/bedrockconstruction.ca/tmp/
>> 
>>
>> 
>> php_admin_value upload_tmp_dir /www/bedrockconstruction.ca/tmp
>> 
>>
>> 
>> AllowOverride All
>> php_value session.save_path "/www/bedrockconstruction.ca/"
>> 
>>
>> 
>>
>>
>>
>> Happy Wednesday !!!
>> Thanks - paul
>>
>> Paul Kudla
>>
>>
>> Scom.ca Internet Services 
>> 004-1009 Byron Street South
>> Whitby, Ontario - Canada
>> L1N 4S3
>>
>> Toronto 416.642.7266
>> Main 1.866.411.7266
>> Fax 1.888.892.7266
>> Email p...@scom.ca
>>
>> On 7/5/2022 5:38 PM, scom...@httpd.apache.org wrote:
>> > I've tried several variations but basically the error message is that
>> > the certificate and the key for example2.com
>> >  don't match. I thought I had set up the
>> > certificate with the proper keys so something must be screwed up  with
>> > the certificate. I'm working on that.
>> >
>> > Jack
>> >
>> >> On 2 Jul 2022, at 1:21, Frank Gingras > >> > wrote:
>> >>
>> >> What does the error log say, exactly? Note that TLS failures can be
>> >> almost silent in the logs, so if a single vhost causes the startup
>> >> error, then check the certificate.
>> >>
>> >> On Fri, 1 Jul 2022 at 17:24, jnil...@jala.com
>> >>  mailto:jnil...@jala.com>>
>>
>> >> wrote:
>> >>
>> >> Here's an example version of my vhosts.conf file:
>> >>
>> >> # http redirect
>> >> 
>> >>  ServerName central.com 
>> >>  ServerAlias www.example1.com 
>> >> *.example1.com 
>> >>  Redirect / https://www.example1.com/ 
>> >>  ErrorLog /var/log/apache2/example1.com
>> >> -error80_log
>> >>  CustomLog /var/log/apache2/example1.com
>> >> -access80_log combined
>> >> 
>> >>
>> >> 
>> >>  ServerName example2.com 
>> >>  ServerAlias www.example2.com 
>> >> *.example2.com 
>> >>  Redirect / https://www.example2.com/ 
>> >>  ErrorLog /var/log/apache2/example2.com
>> >> -error80_log
>> >>  CustomLog /var/log/apache2/example2.com
>> >> -access80_log combined
>> >> 
>> >>
>> >> # https version
>> >> 
>> >>  ServerAdmin webmas...@central.com 
>> >>  ServerName example1.com 
>> >>  ServerAlias www.example1.com 
>> >> *.example1.com 
>> >>  DocumentRoot "/home/data/hqwww/htdocs"
>> >>  SSLEngine on
>> >>  SSLProtocol all -SSLv2
>> >>  SSLCertificateFile /etc/apache2/ssl.crt/example.crt
>> >>  SSLCertificateKeyFile /etc/apache2/ssl.key/www.example1.com.key
>> >> 
>> >>  SSLCertificateChainFile /etc/apache2/ssl.crt/example1.ca
>> >> -bundle
>> >>

Re: [users@httpd] Slow web site response..PHP-8/CSS/Apache/

2022-06-23 Thread Daniel Ferradal 
you need to share the basics of your configuration and incoming hits for
people to get an idea of what you really have or could be the problem.

The way you describe it sounds like you have the typical quick to deploy
but slow to scale combo: httpd with prefork mpm + mod_php plugin loaded.

httpd with mpm_prefork + mod_php
SLOW: prefork uses processes as workers, spawning processes costs much more
cpu than threads and prefork is a multiprocess model. In this setup ideally
you have to "pre-spawn" lots of children processes to serve the amount of
concurrent you expect. For each new hit over the defined amount of
preloaded processes, httpd has to spawn a new one (if there are spare ones
defined) and this costs much cpu.

httpd with mpm_event -> php-fpm
FAST: event uses threads as workers which are much faster to spawn since
they require less cpu. You can have thousands of worker threads with a few
processes, example: 5 process * 1000 threads each = 5000 workers (5000
workers would sound crazy with prefork, but not with event). With this
setup every request to a php file should be "proxied" with mod_proxy_fcgi
to PHP-FPM, and there you would more clearly see if apache has a problem or
it is the php backend. (PHP-FPM).

I suggest you visit the official httpd wiki :

https://cwiki.apache.org/confluence/display/httpd/PHP-FPM#PHPFPM-High-performancePHPonapachehttpd2.4.xusingmod_proxy_fcgiandphp-fpm
.

And the official docs about mod_proxy_fcgi in the httpd site:
https://httpd.apache.org/docs/2.4/mod/mod_proxy_fcgi.html

El jue, 23 jun 2022 a las 15:45, KK CHN () escribió:

> List,
>
> I am facing a slow response for a hosted PHP8 web site..   It takes 30
> seconds to load the website fully .  The application and database(
> postgresql ) both are separately running on two Virtual Machines in
> OpenStack cloud.  in two 10.184.x.221  and 10.184.y.221 networks
> respectively.
>
>
>
> When I  used tools like  GTMetrix and Webpagetest.org   it says   there
> are render  blocking resources
>
> Resources are blocking the first paint of your page. Consider delivering
> critical JS/CSS inline and deferring all non-critical JS/styles.
> Learn how to improve this
> <https://gtmetrix.com/eliminate-render-blocking-resources.html>
>
> Resources that *may* be contributing to render-blocking include:
> URL Transfer Size Download Time
>  xxx.mysite.com/css/bootstrap.min.css   152KB 6.6s
> xxx.mysite.com/css/style.css 14.2KB 5.9s
> xxx.mysite.com/css/font/font.css  3.33KB  5.7s
>
> here this bootstrap.css, which take  TTFB  6 seconds   and full loading of
> the website taking almost extra 24 seconds total  30 seconds to render it..
>
> https://pastebin.mozilla.org/SX3Cyhpg
>
>
> The GTmetrix.com site also  show  this  issue also
>
> The Critical Request Chains below show you what resources are loaded with
> a high priority. Consider reducing the length of chains, reducing the
> download size of resources, or deferring the download of unnecessary
> resources to improve page load.
> Learn how to improve this
> <https://gtmetrix.com/avoid-chaining-critical-requests.html>
>
> Maximum critical path latency: *24.9s*
>
>
>
> How can I overcome this issue   ?  Is this a  VM performance issue or PHP
> issue ?/Apache issue ?or PHP applicaiton to Database  backend
> connection issue..
>
> Excuse me if this an off topic post to httpd list. Hope a lot of people
> might have their experience to share how to trouble shoot or what may the
> root cause making this site response too slow.
>
> Kindly shed some light here.  Any hints where to start most welcome..
>
> Any more data needed pls let me know ..I can share .
>
> Thanks in advance,
> Krish.
>


-- 
Daniel Ferradal
HTTPD Project
#httpd help at Libera.Chat

Re: [users@httpd] Issue with Apache 2.4.51 hanging

2021-10-26 Thread Daniel Ferradal 
I think we are deviating a bit offtopic here. but still just a little note:

mpm_prefork is not problematic, what is problematic is when people do
not size httpd with mpm_prefork to deal with the amount of incoming
requests they receive.

processes are more expensive to generate than threads and on very busy
servers with prefork one must  "pre-spawn" lots of processes
beforehand to avoid delays and make sure there are enough spare
servers waiting to deal with load spikes.

-

The matter here is, when you load mod_php and burden httpd with third
party libraries and force it to use a non-threaded mpm, it is hard to
differentiate when httpd is being problematic and when the third party
libraries are causing the issue.

Op here mentions he has updated httpd but not php module and thus
assumes httpd is at fault because "nothing else has changed" yet in
the debugging what I mostly see is zend_execute_scripts () which
belong to php.

Cheers,

El mar, 26 oct 2021 a las 16:26, Ruben Safir () escribió:
>
> mpm_prefork has been problematic, FWIW
>
>
> On Tue, Oct 26, 2021 at 11:17:31AM +0100, Patrick Verdon wrote:
> > Hi Daniel,
> >
> > Thanks for the feedback.
> >
> > Unfortunately that's not really an option for us, as it's a major
> > architecture change, and is only something we would consider as a
> > last resort.
> >
> > Using mod_php works well for us and our configuration/application has not
> > changed in years - the crashes started very specifically when we upgraded
> > to Apache 2.4.48 from 2.4.46.
> >
> > From what I can see, mod_php is still used widely and I assume it is
> > therefore still a supported module?
> >
> > I'd be grateful for any other suggestions on how to get to the bottom of
> > the issue.
> >
> > Thanks.
> >
> > Patrick
> >
> > *--*
> >
> > *Patrick Verdon  |  Founder*
> > Web: www.youreko.com
> > Mobile: +44 (0)7809 296438
> > Skype: patrick_verdon
> >
> > This entire communication is sent on behalf of
> > Youreko Ltd and is strictly confidential to and
> > for the sole use of the intended addressee.
> >
> > Registered in England - 7448349
> >
> >
> >
> > On Tue, 26 Oct 2021 at 09:56, Daniel Ferradal  wrote:
> >
> > > Hello,
> > >
> > > Seems it is related to third party php module being loaded in Apache
> > > HTTPD, no?
> > >
> > > It would be awesome if you can move your php files to be dealt with
> > > php-fpm instead and from apache just proxy to php-fpm.. and see if
> > > your Apache server would ever hang again (if you do it you could even use
> > > mpm_event instead of prefork to have http/2 working).
> > >
> > > Cheers
> > >
> > > El vie, 22 oct 2021 a las 18:16, Patrick Verdon (<
> > > patrick.ver...@youreko.com>) escribi??:
> > >
> > >> Hi Yann,
> > >>
> > >> I finally managed to provoke the crash - there were 6 core dumps, I
> > >> followed your instructions and have pasted the gdb output below for each
> > >> one.
> > >>
> > >> Let me know if this sheds any light on the problem.
> > >>
> > >> Thanks.
> > >>
> > >> Patrick
> > >>
> > >> --
> > >>
> > >> *# gdb /usr/sbin/httpd /tmp/core.1221*
> > >> Thread 2 (Thread 0x7f5876bff840 (LWP 1221)):
> > >> #0  0x7f587518e687 in kill () from /lib64/libc.so.6
> > >> #1  
> > >> #2  0x7f5861def0d8 in ?? () from /lib64/libgcc_s.so.1
> > >> #3  0x7f5861deffd9 in _Unwind_Backtrace () from /lib64/libgcc_s.so.1
> > >> #4  0x7f587526cbf6 in backtrace () from /lib64/libc.so.6
> > >> #5  0x7f58751d0fb4 in __libc_message () from /lib64/libc.so.6
> > >> #6  0x7f58751d8854 in malloc_consolidate () from /lib64/libc.so.6
> > >> #7  0x7f58751d923e in _int_free () from /lib64/libc.so.6
> > >> #8  0x7f5875963ded in apr_allocator_destroy () from
> > >> /usr/lib64/libapr-1.so.0
> > >> #9  0x7f586c276477 in ?? () from 
> > >> /etc/httpd/modules/mod_mpm_prefork.so
> > >> #10 0x7f586c2764cb in ?? () from 
> > >> /etc/httpd/modules/mod_mpm_prefork.so
> > >> #11 
> > >> #12 0x7f587524bcfd in poll () from /lib64/libc.so.6
> > >> #13 0x7f5868086682 in ?? () from /etc/httpd/modules/libphp-7.0.so
> > >> #14 0x7f5867f8fb8b in ?? () from /etc/httpd/modules/libphp-7.0.so
> > >> #15 0x0

Re: [users@httpd] Issue with Apache 2.4.51 hanging

2021-10-26 Thread Daniel Ferradal 
:53:47.990781 2021] [core:notice] [pid 2620] AH00052:
>>>>>>> child pid 2741 exit signal Segmentation fault (11)
>>>>>>> *** Error in `/usr/sbin/httpd': corrupted size vs. prev_size:
>>>>>>> 0x557f94567e4f ***
>>>>>>> [Sun Oct 17 15:53:48.056539 2021] [core:notice] [pid 2620] AH00052:
>>>>>>> child pid 3019 exit signal Aborted (6)
>>>>>>> [Sun Oct 17 15:53:48.056584 2021] [core:notice] [pid 2620] AH00052:
>>>>>>> child pid 2707 exit signal Segmentation fault (11)
>>>>>>> [Sun Oct 17 15:53:48.056599 2021] [core:notice] [pid 2620] AH00052:
>>>>>>> child pid 2727 exit signal Aborted (6)
>>>>>>> [Sun Oct 17 15:53:48.056667 2021] [mpm_prefork:notice] [pid 2620]
>>>>>>> AH00169: caught SIGTERM, shutting down
>>>>>>> [Sun Oct 17 15:53:48.151770 2021] [suexec:notice] [pid 3575]
>>>>>>> AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
>>>>>>> [Sun Oct 17 15:53:48.180621 2021] [http2:warn] [pid 3581] AH10034:
>>>>>>> The mpm module (prefork.c) is not supported by mod_http2. The mpm
>>>>>>> determines how things are processed in your server. HTTP/2 has more 
>>>>>>> demands
>>>>>>> in this regard and the currently selected mpm will just not do. This is 
>>>>>>> an
>>>>>>> advisory warning. Your server will continue to work, but the HTTP/2
>>>>>>> protocol will be inactive.
>>>>>>> [Sun Oct 17 15:53:48.181146 2021] [lbmethod_heartbeat:notice] [pid
>>>>>>> 3581] AH02282: No slotmem from mod_heartmonitor
>>>>>>> [Sun Oct 17 15:53:48.243891 2021] [mpm_prefork:notice] [pid 3581]
>>>>>>> AH00163: Apache/2.4.51 (Amazon) OpenSSL/1.0.2k-fips configured -- 
>>>>>>> resuming
>>>>>>> normal operations
>>>>>>> [Sun Oct 17 15:53:48.243923 2021] [core:notice] [pid 3581] AH00094:
>>>>>>> Command line: '/usr/sbin/httpd'
>>>>>>> [Sun Oct 17 15:53:49.244527 2021] [mpm_prefork:error] [pid 3581]
>>>>>>> AH00161: server reached MaxRequestWorkers setting, consider raising the
>>>>>>> MaxRequestWorkers setting
>>>>>>>
>>>>>>> # httpd -V
>>>>>>> Server version: Apache/2.4.51 (Amazon)
>>>>>>> Server built:   Oct  8 2021 19:30:47
>>>>>>> Server's Module Magic Number: 20120211:118
>>>>>>> Server loaded:  APR 1.6.3, APR-UTIL 1.5.4
>>>>>>> Compiled using: APR 1.6.3, APR-UTIL 1.5.4
>>>>>>> Architecture:   64-bit
>>>>>>> Server MPM: prefork
>>>>>>>   threaded: no
>>>>>>> forked: yes (variable process count)
>>>>>>> Server compiled with
>>>>>>>  -D APR_HAS_SENDFILE
>>>>>>>  -D APR_HAS_MMAP
>>>>>>>  -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
>>>>>>>  -D APR_USE_SYSVSEM_SERIALIZE
>>>>>>>  -D APR_USE_PTHREAD_SERIALIZE
>>>>>>>  -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
>>>>>>>  -D APR_HAS_OTHER_CHILD
>>>>>>>  -D AP_HAVE_RELIABLE_PIPED_LOGS
>>>>>>>  -D DYNAMIC_MODULE_LIMIT=256
>>>>>>>  -D HTTPD_ROOT="/etc/httpd"
>>>>>>>  -D SUEXEC_BIN="/usr/sbin/suexec"
>>>>>>>  -D DEFAULT_PIDLOG="/var/run/httpd/httpd.pid"
>>>>>>>  -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
>>>>>>>  -D DEFAULT_ERRORLOG="logs/error_log"
>>>>>>>  -D AP_TYPES_CONFIG_FILE="conf/mime.types"
>>>>>>>  -D SERVER_CONFIG_FILE="conf/httpd.conf"
>>>>>>>
>>>>>>> # httpd -M
>>>>>>> Loaded Modules:
>>>>>>>  core_module (static)
>>>>>>>  so_module (static)
>>>>>>>  http_module (static)
>>>>>>>  access_compat_module (shared)
>>>>>>>  actions_module (shared)
>>>>>>>  alias_module (shared)
>>>>>>>  allowmethods_module (shared)
>>>>>>>  auth_basic_module (shared)
>>>>>>>  auth_digest_module (shared)
>>>>>>>  authn_anon_module (shared)
>>>>>>>  authn_core_module (shared)
>>>>>>>  authn_dbd_module (shared)
>>>>>>>  authn_dbm_module (shared)
>>>>>>>  authn_file_module (shared)
>>>>>>>  authn_socache_module (shared)
>>>>>>>  authz_core_module (shared)
>>>>>>>  authz_dbd_module (shared)
>>>>>>>  authz_dbm_module (shared)
>>>>>>>  authz_groupfile_module (shared)
>>>>>>>  authz_host_module (shared)
>>>>>>>  authz_owner_module (shared)
>>>>>>>  authz_user_module (shared)
>>>>>>>  autoindex_module (shared)
>>>>>>>  cache_module (shared)
>>>>>>>  cache_disk_module (shared)
>>>>>>>  cache_socache_module (shared)
>>>>>>>  data_module (shared)
>>>>>>>  dbd_module (shared)
>>>>>>>  deflate_module (shared)
>>>>>>>  dir_module (shared)
>>>>>>>  dumpio_module (shared)
>>>>>>>  echo_module (shared)
>>>>>>>  env_module (shared)
>>>>>>>  expires_module (shared)
>>>>>>>  ext_filter_module (shared)
>>>>>>>  filter_module (shared)
>>>>>>>  headers_module (shared)
>>>>>>>  http2_module (shared)
>>>>>>>  include_module (shared)
>>>>>>>  info_module (shared)
>>>>>>>  log_config_module (shared)
>>>>>>>  logio_module (shared)
>>>>>>>  macro_module (shared)
>>>>>>>  mime_magic_module (shared)
>>>>>>>  mime_module (shared)
>>>>>>>  negotiation_module (shared)
>>>>>>>  remoteip_module (shared)
>>>>>>>  reqtimeout_module (shared)
>>>>>>>  request_module (shared)
>>>>>>>  rewrite_module (shared)
>>>>>>>  setenvif_module (shared)
>>>>>>>  slotmem_plain_module (shared)
>>>>>>>  slotmem_shm_module (shared)
>>>>>>>  socache_dbm_module (shared)
>>>>>>>  socache_memcache_module (shared)
>>>>>>>  socache_shmcb_module (shared)
>>>>>>>  status_module (shared)
>>>>>>>  substitute_module (shared)
>>>>>>>  suexec_module (shared)
>>>>>>>  unixd_module (shared)
>>>>>>>  userdir_module (shared)
>>>>>>>  version_module (shared)
>>>>>>>  vhost_alias_module (shared)
>>>>>>>  watchdog_module (shared)
>>>>>>>  dav_module (shared)
>>>>>>>  dav_fs_module (shared)
>>>>>>>  dav_lock_module (shared)
>>>>>>>  lua_module (shared)
>>>>>>>  mpm_prefork_module (shared)
>>>>>>>  proxy_module (shared)
>>>>>>>  lbmethod_bybusyness_module (shared)
>>>>>>>  lbmethod_byrequests_module (shared)
>>>>>>>  lbmethod_bytraffic_module (shared)
>>>>>>>  lbmethod_heartbeat_module (shared)
>>>>>>>  proxy_ajp_module (shared)
>>>>>>>  proxy_balancer_module (shared)
>>>>>>>  proxy_connect_module (shared)
>>>>>>>  proxy_express_module (shared)
>>>>>>>  proxy_fcgi_module (shared)
>>>>>>>  proxy_fdpass_module (shared)
>>>>>>>  proxy_ftp_module (shared)
>>>>>>>  proxy_http_module (shared)
>>>>>>>  proxy_hcheck_module (shared)
>>>>>>>  proxy_scgi_module (shared)
>>>>>>>  proxy_uwsgi_module (shared)
>>>>>>>  proxy_wstunnel_module (shared)
>>>>>>>  ssl_module (shared)
>>>>>>>  cgi_module (shared)
>>>>>>>  php7_module (shared)
>>>>>>>
>>>>>>> # yum list | grep mod_
>>>>>>> lighttpd-mod_authn_gssapi.x86_64 1.4.53-1.36.amzn1
>>>>>>> amzn-updates
>>>>>>> lighttpd-mod_authn_mysql.x86_64  1.4.53-1.36.amzn1
>>>>>>> amzn-updates
>>>>>>> lighttpd-mod_authn_pam.x86_641.4.53-1.36.amzn1
>>>>>>> amzn-updates
>>>>>>> lighttpd-mod_geoip.x86_641.4.53-1.36.amzn1
>>>>>>> amzn-updates
>>>>>>> lighttpd-mod_mysql_vhost.x86_64  1.4.53-1.36.amzn1
>>>>>>> amzn-updates
>>>>>>> mod_auth_kerb.x86_64 5.4-10.9.amzn1
>>>>>>>  amzn-main
>>>>>>> mod_auth_mellon.x86_64   0.13.1-1.6.amzn1
>>>>>>>  amzn-updates
>>>>>>> mod_auth_mysql.x86_641:3.0.0-18.10.amzn1
>>>>>>> amzn-main
>>>>>>> mod_auth_pgsql.x86_642.0.3-10.1.5.amzn1
>>>>>>>  amzn-main
>>>>>>> mod_authz_ldap.x86_640.26-16.8.amzn1
>>>>>>> amzn-main
>>>>>>> mod_dav_svn.x86_64   1.9.7-1.54.amzn1
>>>>>>>  amzn-main
>>>>>>> mod_fcgid.x86_64 2.3.9-1.6.amzn1
>>>>>>> amzn-main
>>>>>>> mod_geoip.x86_64 1.2.7-1.2.amzn1
>>>>>>> amzn-main
>>>>>>> mod_nss.x86_64   1.0.10-1.13.amzn1
>>>>>>> amzn-main
>>>>>>> mod_perl.x86_64  2.0.7-7.28.amzn1
>>>>>>>  amzn-updates
>>>>>>> mod_perl-devel.x86_642.0.7-7.28.amzn1
>>>>>>>  amzn-updates
>>>>>>> mod_proxy_html.x86_643.1.2-7.3.amzn1
>>>>>>> amzn-main
>>>>>>> mod_python26.x86_64  3.3.1-17.20.amzn1
>>>>>>> amzn-main
>>>>>>> mod_python27.x86_64  3.3.1-17.20.amzn1
>>>>>>> amzn-main
>>>>>>> mod_security.x86_64  2.8.0-5.27.amzn1
>>>>>>>  amzn-main
>>>>>>> mod_security_crs.noarch  2.2.8-2.5.amzn1
>>>>>>> amzn-main
>>>>>>> mod_security_crs-extras.noarch   2.2.8-2.5.amzn1
>>>>>>> amzn-main
>>>>>>> mod_ssl.x86_64   1:2.2.34-1.16.amzn1
>>>>>>> amzn-main
>>>>>>> mod_wsgi-python26.x86_64 3.2-6.12.amzn1
>>>>>>>  amzn-updates
>>>>>>> mod_wsgi-python27.x86_64 3.2-6.12.amzn1
>>>>>>>  amzn-updates
>>>>>>>
>>>>>>> *--*
>>>>>>>
>>>>>>> *Patrick Verdon  |  Founder*
>>>>>>> Web: www.youreko.com
>>>>>>> Mobile: +44 (0)7809 296438
>>>>>>> Skype: patrick_verdon
>>>>>>>
>>>>>>> This entire communication is sent on behalf of
>>>>>>> Youreko Ltd and is strictly confidential to and
>>>>>>> for the sole use of the intended addressee.
>>>>>>>
>>>>>>> Registered in England - 7448349
>>>>>>>
>>>>>>>
>>>>>>

-- 
Daniel Ferradal
HTTPD Project
#httpd help at Libera.Chat

Re: [users@httpd] Re: Is it possible to override ... ?

2021-10-21 Thread Daniel Ferradal 
Hello,


I would never recommend to use  , you should use  instead for all the applications in the weblogic server, which
are all probably deployed in a specific context rather than /.

If for any reason one is too lazy to care or still want to exclude
some content from being proxied to the weblogic the weblogic plugin
includes the directive:

WLExcludePathOrMimeType

You should play with it.

Cheers

El jue, 21 oct 2021 a las 8:03, ohaya () escribió:
>
> I haven't figured out how to get rid of the Forbidden problem, but I've found 
> a kind of workaround to get the Apache to send a response... Since accessing 
> the /foo was causing a Forbidden (403) error, I added an ErrorDocument:
>
> =
> ErrorDocument 403 "This is the response message that I want"
> Alias "/foo" "/apps/products/apache/instances/apache_oam/foo"
>
> 
> .
> .
> .
> 
> =
>
> That does cause the browser to get a response message, but I KNOW it is a 
> real hack, and also NOT GOOD, because I think that with the ErrorDocument, 
> that means every time a user gets a 403 error, they are going to see that 
> "This is the response message that I want" response message :(!!
>
> So far to try to avoid the Forbidden error, I've tried adding:
>
> 
> Require all granted
> <.Directory>
>
> But I still get the Forbidden error.
>
> If anyone knows how I cat avoid the Forbidden error (so I wouldn't need the 
> ErrorDocument), please help?
>
> Thanks,
> Jim
>
> On Wednesday, October 20, 2021, 03:40:53 PM EDT, ohaya  
> wrote:
>
>
> Hi,
>
> We are using Apache 2.4.48.  This Apache is primarily acting as a proxy, and 
> we use the WebLogic Plugin for Apache to connect from the Apache to a 
> WebLogic server/backend.
>
> In the Apache ssl.conf, we have a , and in that , 
> they have a :
>
> 
> .
> .
> .
> 
>   WLSRequest On
>   SetHandler weblogic-handler
>   WebLogicCluster xxx.foo.com:14101
>   WLCookieName OAM_JSESSIONID
>   SecureProxy ON
>   WLSSLWallet ".../wallet"
>   Debug OFF
>   WLLogFile "/logs/oam_location.out"
> 
>
> .
> .
> .
> 
>
> Because of the , this Apache is not able to serve local content 
> (e.g., html, etc.), but I have a requirement to be able to serve a single 
> HTML page from this Apache.
>
> Unfortunately, they want to keep that  in the ssl.conf, so I am 
> trying to figure out how I might be able to configure the Apache so that it 
> can serve that HTML page that I am needing?
>
> I have tried to add an Alias in front of the , i.e.:
>
> ===
> Alias "/foo" "/apps/products/apache/instances/apache_oam/foo"
>
> 
> .
> .
> .
> 
> ===
>
> But I am getting a Forbidden response.  Also sometimes the browser seems to 
> "loop", adding "/index.html" to the end of the URL in the address bar.
>
> So I was wondering:  Is there a way to accomplish what I am trying to do, 
> without disturbing the ??
>
> Thanks,
> Jim
>


-- 
Daniel Ferradal
HTTPD Project
#httpd help at Libera.Chat

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Stupid question on mod_header

2021-10-06 Thread Daniel Ferradal 
Probably because the header is being added later in a different sub-context.

That is, at the time apache sets the header for virtual host there is no
other header of the same name defined, so there is nothing to eliminate and
set instead, but then the path for the reverse proxy to tomcat is being
evaluated later.

I would suppose setting it in the specific location for the path that leads
to tomcat things would be different.

In any case try and see.

Regards.

El mié., 6 oct. 2021 12:09, Martin Knoblauch  escribió:

> Hi,
>
>  sorry for asking this likely stupid question. This is with Apache HTTPD
> 2.4.48.
>
> I want to change the value of the X-Frame-Options response header from
> DENY to SAMEORIGIN. The header is apparently set by Tomcat 9.0.53.
>
> Naively, because the mod_header documentation says "The response header is
> set, replacing any previous header with this name. The value may be a
> format string.", I added a single
>
> Header always set X-Frame-Options SAMEORIGIN
>
> to the VirtualHost section of the httpd configuration. To my surprise my
> browser (FF and Chrome) has two headers now, one with DENY, one with
> SAMEORIGIN. And falls back to DENY :-(
>
> When I add an unset before the set, it works
>
> Header unset X-Frame-Options
> Header always set X-Frame-Options SAMEORIGIN
>
> Is my understanding of the mod_header documentation wrong, or do I miss
> somethiong subtle?
>
> Cheers
> Martin
> --
> --
> Martin Knoblauch
> email: k n o b i AT knobisoft DOT de
> www: http://www.knobisoft.de
>

Re: [users@httpd] Browsers appear to be ignoring 401 responses with WWW-Authenticate

2021-10-04 Thread Daniel Ferradal 
nection,content-ty
> >  \r\n
> >  [HTTP response 1/1]
> >  [Time since request: 0.009877000 seconds]
> >  [Request in frame: 141]
> >  [Request URI: 
> > http://192.168.0.103:8080/http://centos-apache3.whatever.com:/oamprotectedtarget/index.html]
> >  File Data: 381 bytes
> >
> > In this case, the Javascript page is loaded from a different machine than 
> > the one that is hosting the page, centos-apache1.whatever.com, and you can 
> > see, the 401/response has the CORS-response headers that should allow the 
> > browser to process the response?
> >
> > In this type of scenario, is there some other restriction that would 
> > prevent or cause the browser to not popup the login window, even though the 
> > requests and responses appear to be all right?
> >
> > Sorry about my description of this problem, but this scenario is 
> > complicated to explain :(...
> >
> > Thanks in advance!!
> >
> > Jim
>
> >
> > -
> > To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> > For additional commands, e-mail: users-h...@httpd.apache.org
> >
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>
>


-- 
Daniel Ferradal
HTTPD Project
#httpd help at Libera.Chat

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Avoiding host header exploit in apache

2021-08-27 Thread Daniel Ferradal 
Define servername with the ip if necessary and do not use RewriteRules
which use %{HTTP_HOST} variable, specify your ip/host manually in the
rewrite.

El vie, 27 ago 2021 a las 10:42, alchemist vk
() escribió:
>
> Hi All,
>  I am running Apache 2.4.46 and below is the problem statement.
>  system IP: 10.10.10.10
>  Client IP: 10.10.10.20
>
> When I make a request like curl -vk 'https://10.10.10.10' -H "Host: 
> badsite.com", its redirecting to "https://badsite.com/start.html;, instead of 
> redirecting to "https://10.101.10.10/start.html;.
> Server is not configured with any domain names, so I cant use ServerName and 
> UseCanonicalName directives to address the issue properly.
>
> Pls help me, how to check the Host header to listening address and take 
> corrective action.
>
>


-- 
Daniel Ferradal
HTTPD Project
#httpd help at Libera.Chat

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Bug in mod_proxy_balancer or just a bad configuration?

2021-06-17 Thread Daniel Ferradal 
Alright, now I know why this sounded familiar.

I had a similar case to yours a while ago, I searched for it and
luckily found it, what I realized at that time is the Header directive
applies generally, so it is not constrained by the proxy tags (not
sure if this is intended or the examples of use case in the docs are
just place there inside the Proxy tags for homogeneous reasons, I
believe the latter is the case) but IIRC I realized both cookies of
the two balancers I defined were being applied at the same time, which
ended up messing the sticky sessions.

So what I did is place the "Header add Set-Cookie..." statements
inside their own Location

So in the fashion of your last example should solve your issues:


Header add Set-Cookie "RZROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/"
env=BALANCER_ROUTE_CHANGED



Header add Set-Cookie "RZ2ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/"
env=BALANCER_ROUTE_CHANGED


Hope this helps.

El jue, 17 jun 2021 a las 0:01, Nick Folino () escribió:
>
> Any thoughts on this before I post a bug report?
>
> On Tue, Jun 15, 2021 at 9:07 PM Nick Folino  wrote:
>>
>> So I changed the config to eliminate the order question:
>>
>> 
>> Header add Set-Cookie "RZROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" 
>> env=BALANCER_ROUTE_CHANGED
>> BalancerMember http://www.google.com route=01
>> BalancerMember http://www.yahoo.com route=02
>> ProxySet stickysession=RZROUTEID
>> 
>> 
>> Header add Set-Cookie "RZ2ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" 
>> env=BALANCER_ROUTE_CHANGED
>> BalancerMember http://www.fox.com route=03
>> BalancerMember http://www.cnn.com route=04
>> ProxySet stickysession=RZ2ROUTEID
>> 
>>
>> ProxyPass "/goog"  "balancer://rz/"
>> ProxyPassReverse "/goog"  "balancer://rz/"
>> ProxyPass "/good"  "balancer://rz2/"
>> ProxyPassReverse "/good"  "balancer://rz2/"
>>
>> going to http://myserver/goog redirects to the Google page and a set-cookie 
>> RZROUTEID=.01
>> going to http://myserver/good redirects to Fox and a set-cookie 
>> RZ2ROUTEID=.03 and a second set-cookie for RZROUTEID=.03
>>
>> going back to http://myserver/goog redirects to Yahoo and dets a set-cookie 
>> RZROUTEID=.02
>>
>> Nick
>>
>> On Tue, Jun 15, 2021 at 7:57 PM Nick Folino  wrote:
>>>
>>> I thought that too, but if the rz proxypass was catching all traffic for 
>>> rz2, then I wouldn't expect any traffic to get to rz2.
>>> But traffic does go to rz2 and all of that works, except it resets the rz 
>>> route cookie.
>>>
>>> On Tue, Jun 15, 2021 at 3:27 PM Daniel Ferradal  
>>> wrote:
>>>>
>>>> If I am looking at it correctly the order of the ProxyPass directives you 
>>>> defined is not the correct one, /sz defined first would be overriding 
>>>> /sz2. So sz2 should be defined first.
>>>>
>>>> Perhaps that's why you are getting wrong values ? (Browser cache or 
>>>> similar?)
>>>>
>>>> El mar., 15 jun. 2021 19:00, Nick Folino  escribió:
>>>>>
>>>>> I ran into an interesting situation with cookies being reset in balancers.
>>>>> I couldn't find any documentation on whether numbers are allowed in 
>>>>> balancer names.
>>>>>
>>>>> I have this config:
>>>>>
>>>>>
>>>>>   Header add Set-Cookie "RZROUTEID=.%{BALANCER_WORKER_ROUTE}e; 
>>>>> path=/" env=BALANCER_ROUTE_CHANGED
>>>>>   BalancerMember ajp://server1 route=01
>>>>>   BalancerMember ajp://server2 route=02
>>>>>   ProxySet stickysession=RZROUTEID
>>>>>
>>>>>
>>>>>
>>>>>   Header add Set-Cookie "RZ2ROUTEID=.%{BALANCER_WORKER_ROUTE}e; 
>>>>> path=/" env=BALANCER_ROUTE_CHANGED
>>>>>   BalancerMember ajp://server3 route=03
>>>>>   BalancerMember ajp://server4 route=04
>>>>>   ProxySet stickysession=RZ2ROUTEID
>>>>>
>>>>>
>>>>> ProxyPass /rz balancer://rz/rz
>>>>> ProxyPass /rz2 balancer://rz2/rz2
>>>>>
>>>>>
>>>>> All works as expected when going to http://myhost/rz
>>>>> I get the RZROUTEID cookie set to 01 or 02 on first hit and it stays set.
>>>>>
>>>>> If I then go to http://myhost/rz2 I get the RZ2ROUTEID set to 03 or 04 
>>>>> but also another cookie set for RZROUTE with the same value as the 
>>>>> RZ2ROUTEID cookie.
>>>>>
>>>>> This causes an issue when going back to /rz as the RZROUTEID cookie is 
>>>>> now invalid and gets reset based on the balancing rules.
>>>>>
>>>>> I solved the problem by renaming the rz2 balancer to a new name with a 
>>>>> digit.
>>>>> Is this by design that digits cause problems in balancer names?  or is 
>>>>> this a bug?
>>>>>
>>>>> Nick
>>>>>


-- 
Daniel Ferradal
HTTPD Project
#httpd help at Libera.Chat

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Bug in mod_proxy_balancer or just a bad configuration?

2021-06-15 Thread Daniel Ferradal 
If I am looking at it correctly the order of the ProxyPass directives you
defined is not the correct one, /sz defined first would be overriding /sz2.
So sz2 should be defined first.

Perhaps that's why you are getting wrong values ? (Browser cache or
similar?)

El mar., 15 jun. 2021 19:00, Nick Folino  escribió:

> I ran into an interesting situation with cookies being reset in balancers.
> I couldn't find any documentation on whether numbers are allowed in
> balancer names.
>
> I have this config:
>
>
>   Header add Set-Cookie "RZROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/"
> env=BALANCER_ROUTE_CHANGED
>   BalancerMember ajp://server1 route=01
>   BalancerMember ajp://server2 route=02
>   ProxySet stickysession=RZROUTEID
>
>
>
>   Header add Set-Cookie "RZ2ROUTEID=.%{BALANCER_WORKER_ROUTE}e;
> path=/" env=BALANCER_ROUTE_CHANGED
>   BalancerMember ajp://server3 route=03
>   BalancerMember ajp://server4 route=04
>   ProxySet stickysession=RZ2ROUTEID
>
>
> ProxyPass /rz balancer://rz/rz
> ProxyPass /rz2 balancer://rz2/rz2
>
>
> All works as expected when going to http://myhost/rz
> I get the RZROUTEID cookie set to 01 or 02 on first hit and it stays set.
>
> If I then go to http://myhost/rz2 I get the RZ2ROUTEID set to 03 or 04
> but also another cookie set for RZROUTE with the same value as the
> RZ2ROUTEID cookie.
>
> This causes an issue when going back to /rz as the RZROUTEID cookie is now
> invalid and gets reset based on the balancing rules.
>
> I solved the problem by renaming the rz2 balancer to a new name with a
> digit.
> Is this by design that digits cause problems in balancer names?  or is
> this a bug?
>
> Nick
>
>

Re: [users@httpd] [External] Re: [users@httpd] Struggling with "decryption failed or bad record mac" error

2021-06-14 Thread Daniel Ferradal 
Hello,

Perhaps you could try specifying only RSA ciphers just as a test. Most
times I have found issues with old clients, specially java 1.6 ones
and older they have issues with all sorts of Diffie Hellman exchanges.

On another note, openssl 1.0.2 is EOL , perhaps you should try to
compile 1.1.1 and compile 2.4.46 against it first.

Cheers

El jue, 10 jun 2021 a las 18:31, Piemonti, Matteo
() escribió:
>
> Hi,
> the only TLS available is TLS 1.2 and only 4 ciphers are configured:
>
> # TLS 1.2 (suites in server-preferred order)
> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
>
> But the problem is randomic even with the same cipher used 
> (TLS_DHE_RSA_WITH_AES_256_GCM_SHA384)
>
> The certificate is from an official CA and it is configured on apache with 
> Server cert, Intermediate and key. SSLLabs doesn't show any problem on it.
>
>
> Thank you
>
> Matteo
>
> -Original Message-
> From: Ran Mozes 
> Sent: giovedì 10 giugno 2021 11:16
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] [External] Re: [users@httpd] Struggling with 
> "decryption failed or bad record mac" error
>
> Hi Matteo,
>
> sounds like various issues could be the root cause. Maybe a negotiation issue 
> on the TLS version and/or the Ciphers used?
> Another option, the error "SSL3_GET_RECORD:decryption failed or bad record 
> mac“ could also imply that something is wrong with the certificates being 
> used.
>
> HTH,
> Ran
>
> > Am 09.06.2021 um 10:06 schrieb Piemonti, Matteo 
> > :
> >
> > Hi,
> >   has someone any suggestion about this topic?
> >
> >
> > Thanks
> > Matteo
> >
> > -Original Message-
> > From: Piemonti, Matteo
> > Sent: lunedì 24 maggio 2021 09:56
> > To: users@httpd.apache.org
> > Subject: RE: [External] Re: [users@httpd] Struggling with "decryption
> > failed or bad record mac" error
> >
> > Hi,
> >   in my first message you can find many informations...
> > The only TLS available is TLS 1.2 and the openssl version is OpenSSL 
> > 1.0.2k-fips (the last one of RedHat 7.9), we have this random problem only 
> > from a customer that is using .net. In my opinion it should be a client 
> > problem but hard to demonstrate.
> > Which specific directives do you want to see of httpd-ssl.conf?
> >
> >
> > Matteo
> >
> > -Original Message-
> > From: Daniel Ferradal 
> > Sent: domenica 23 maggio 2021 20:49
> > To:  
> > Subject: [External] Re: [users@httpd] Struggling with "decryption
> > failed or bad record mac" error
> >
> > This message is from an EXTERNAL SENDER - be CAUTIOUS, particularly with 
> > links and attachments.
> >
> > Hello,
> >
> > Perhaps you may provide more info. Like the openssl version you are using, 
> > your SSL related directives in your server, the openssl version or SSL 
> > version of the client, the protocol the client is trying to use.
> >
> > Also, is this happening with all clients? just one?
> >
> > Can you reproduce it with "openssl s_client -connect" command? or even 
> > curl? etc.
> >
> > El vie, 21 may 2021 a las 12:25, Piemonti, Matteo
> > () escribió:
> >>
> >> Hi,
> >>
> >>  we’re having a weird error on Apache httpd server that I 
> >> can’t understand how to troubleshoot it and not clear to me if it is an 
> >> our problem (apache http server) or a problem of the caller.
> >>
> >>
> >>
> >> We have actually this configuration:
> >>
> >>
> >>
> >> Server version: Apache/2.4.46 (Unix)
> >>
> >> Server built:   May 13 2021 05:46:31
> >>
> >> Server's Module Magic Number: 20120211:93
> >>
> >> Server loaded:  APR 1.6.5, APR-UTIL 1.6.1
> >>
> >> Compiled using: APR 1.6.5, APR-UTIL 1.6.1
> >>
> >> Architecture:   64-bit
> >>
> >> Server MPM: event
> >>
> >>  threaded: yes (fixed thread count)
> >>
> >>forked: yes (variable process count)
> >>
> >> Server compiled with
> >>
> >> -D APR_HAS_SENDFILE
> >>
> >> -D APR_HAS_MMAP
> >>
> >> -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
> >>
> >> -D APR_USE_SYSVSEM_SERIALIZE
> >>
> >> -D APR_USE_PTHREAD_SERIALIZE
> >>
&

Re: [users@httpd] PreShared Key (PSK) possible? Configuration?

2021-05-31 Thread Daniel Ferradal 
;> Antony.
>>
>> --
>> "If I've told you once, I've told you a million times - stop exaggerating!"
>>
>>Please reply to the list;
>>      please *don't* CC 
>> me.
>>
>> -
>> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
>> For additional commands, e-mail: users-h...@httpd.apache.org
>>
>
>
> --
> Garry Adkins
> 
> https://www.linkedin.com/in/garryadkins/
> garryadk...@gmail.com
> 251-487-1803 (c)
>


-- 
Daniel Ferradal
HTTPD Project
#httpd help at Libera.Chat

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Poor Load Balancer performance

2021-05-27 Thread Daniel Ferradal 
 if you have thousands of connections you need to have more servers and
then a balancer will help spreading the load (not increasing performance)
among all the servers, or add bigger figures to your mpm settings in your
single server (if the hardware will be able to cope with it).

If you have thousand of connections and just 800 workers, then it is
logical that it clogs.

Supposing 800 connections would be enough for peaks if you want no clogging
with prefork because load is quite variable it is better to specify a
higher minspareservers value (more workers readily available, not have to
be spawned, less cpu usage because less processes have to be spawned).

I would try to go for event asap though, much better to have to spawn 8
processes with 100 threads than 800 processes.

El jue, 27 may 2021 a las 13:35, Marc Serra () escribió:

> Thank's Eric, I understand.
>
> But if configuring a load balancer I'm adding another hop with reducing
> the performance, seems that is not the best way to improve this
> performance, correct?
>
> As I explained before, it's only a test setup before move to a real
> environment.
>
> Now I have a single server (8 cores, 32GB RAM with prefork) and the
> following apache tunning. In some moments, I have thousands of concurrent
> connections that collapse the server and I thought the best way to fix this
> was by setting up a load balancer. Isn't it?
>
> ServerLimit 800
> StartServers 10
> MinSpareServers 200
> MaxSpareServers 400
> MaxRequestsWorkers 800
> MaxConnectionsPerChild 1
>
> Missatge de Eric Covener  del dia dj., 27 de maig 2021
> a les 13:15:
>
>> On Thu, May 27, 2021 at 7:06 AM Marc Serra  wrote:
>> > I has inverted the results! I'm sorry!
>>
>> I see -- I think this is a case where you aren't taxing either backend
>> and you've just added another hop.
>> This is probably especially true when testing static files.
>>
>> -
>> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
>> For additional commands, e-mail: users-h...@httpd.apache.org
>>
>>
>
> --
> Marc Serra
> Organització i Sistemes
>
>
>
> *Manxa 1876, S.L. Ctra. Les Tries, 85. 17800 Olot (Girona)*
> *Tel. 972 27 45 30 Fax 972 27 45 32*
>
> * Manxa Industrial | *Coneix més aquí <http://www.manxaindustrial.com>
>
> * Manxa Ferros | *Coneix més aquí <http://www.manxaferros.com/>
>
> * Manxa Ferreteria i Parament de la Llar | *Coneix més aquí
> <https://www.manxabricolatge.com>
>
>
> El contingut d’aquest correu electrònic i els seus annexos és estrictament
> confidencial. En el cas que no siguis el destinatari i hagis rebut aquest
> missatge per error, preguem que ho comuniquis al remitent i procedeixis a
> la seva eliminació, sense difondre, emmagatzemar o copiar el seu contingut.
> Imprimeix aquest correu només si és necessari.
>
> El contenido de este correo electrónico y sus anexos es estrictamente
> confidencial. En el caso de que no seas el destinatario y hayas recibido
> este mensaje por error, rogamos lo comuniques al remitente y procedas a su
> eliminación, sin difundir, almacenar o copiar su contenido. Imprimir este
> correo solo si es necesario.
>
> The content of this email and its attachments is strictly confidential. If
> you are not the recipient and you have received this message by mistake,
> please notify the sender and proceed to its elimination, without spreading,
> storing or copying its content. Print this email only if necessary.
>
> Le contenu de cet e-mail et de ses pièces jointes est strictement
> confidentiel. Dans le cas où vous n'êtes pas le destinataire et avez reçu
> ce message par erreur, veuillez en informer l'expéditeur et procéder à sa
> suppression, sans diffuser, stocker ou copier son contenu. Imprimez cet
> e-mail uniquement si nécessaire.
>


-- 
Daniel Ferradal
HTTPD Project
#httpd help at Libera.Chat

Re: [users@httpd] Struggling with "decryption failed or bad record mac" error

2021-05-23 Thread Daniel Ferradal 
12 17:52:04.138639 2021] [ssl:trace4] [pid 10532:tid 
> 140112100849408] ssl_engine_io.c(2214): [client ip:port] OpenSSL: write 7/7 
> bytes to BIO#7f6e20011d50 [mem: 7f6e20004950]
>
> [Wed May 12 17:52:04.138669 2021] [core:trace6] [pid 10532:tid 
> 140112100849408] core_filters.c(525): [client ip:port] will flush because of 
> FLUSH bucket
>
> [Wed May 12 17:52:04.138676 2021] [ssl:trace3] [pid 10532:tid 
> 140112100849408] ssl_engine_kernel.c(2202): [client ip:port] OpenSSL: Write: 
> error
>
> [Wed May 12 17:52:04.138680 2021] [ssl:trace3] [pid 10532:tid 
> 140112100849408] ssl_engine_kernel.c(2221): [client ip:port] OpenSSL: Exit: 
> error in error
>
> [Wed May 12 17:52:04.138690 2021] [ssl:info] [pid 10532:tid 140112100849408] 
> [client ip:port] AH02008: SSL library error 1 in handshake (server 
> server:port)
>
> [Wed May 12 17:52:04.138711 2021] [ssl:info] [pid 10532:tid 140112100849408] 
> SSL Library Error: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption 
> failed or bad record mac
>
> [Wed May 12 17:52:04.138720 2021] [ssl:info] [pid 10532:tid 140112100849408] 
> [client ip:port] AH01998: Connection closed to child 448 with abortive 
> shutdown (server server:port)
>
>
>
>
>
> Thank you
>
>
>
> Matteo Piemonti
>
>
> 
>
> This message is for the designated recipient only and may contain privileged, 
> proprietary, or otherwise confidential information. If you have received it 
> in error, please notify the sender immediately and delete the original. Any 
> other use of the e-mail by you is prohibited. Where allowed by local law, 
> electronic communications with Accenture and its affiliates, including e-mail 
> and instant messaging (including content), may be scanned by our systems for 
> the purposes of information security and assessment of internal compliance 
> with Accenture policy. Your privacy is important to us. Accenture uses your 
> personal data only in compliance with data protection laws. For further 
> information on how Accenture processes your personal data, please see our 
> privacy statement at https://www.accenture.com/us-en/privacy-policy.
> __
>
> www.accenture.com



-- 
Daniel Ferradal
HTTPD Project
#httpd help at Libera.Chat

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Public viewing when it should be private

2021-05-20 Thread Daniel Ferradal 
Hello,

Depends entirely on how you implement that SSO auth you mention. For
example, I have experience with a SSO implementation that allows you
to do what you specify with apache through a third party module, but
you are not specifying which is the SSO implementation or what it can
do, so we can only guess.

.htaccess has nothing to do with authentication so I guess that's out
of the question. .htaccess is just used to allow non-admins configure
directory directives.


El jue, 20 may 2021 a las 6:47, Michael D. () escribió:
>
> Hello user group.
>
> I maintain a website that authenticates users through an internal 
> single-sign-on app.
>
> I have a documentation page that is publically viewable but I only want it 
> viewable after authentication. I've looked into .htaccess but I don't want a 
> separate login process for users to view documentation. I want them to be 
> able to login through our internal SSO and automatically have access to those 
> documents that are currently stored on the web server.
>
> Is this possible to do through Apache or should these static documentation 
> pages be put on our app servers and then served up for authenticated users?
>
> I'm not finding a way to avoid a second authentication process just to view 
> documentation that is private info for only authorized users
>
> (Fyi we have thousands of users that need access to this documentation.)



-- 
Daniel Ferradal
HTTPD Project
#httpd help at Freenode

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Connect to a node instead of a cluster

2021-05-17 Thread Daniel Ferradal 
Yes, you need to use a different "source" path for the new directives,
destination path can be different but otherwise, how can apache tell when
to serve which?

El lun., 17 may. 2021 20:08,  escribió:

> I do have this setup
>
> ProxyPass /confluence balancer://confluencedc/confluence
> ProxyPassReverse /confluence balancer://confluencedc/confluence
>
> To access confluence node it needs to hit /confluence and that is already
> taken by the above config and maps to the context path.
>
> I am not sure if I have a second context path /adminpath and if I can I
> suppose I will need to map it to same real dir?
>
> Thanks,
> Asif
>
>
> On Mon, May 17, 2021 at 1:39 PM Daniel Ferradal 
> wrote:
>
>> Define a ProxyPass directive with a unique path pointing to one of the
>> node you want to use
>>
>> Hint
>> ProyPass /adminpath/ http://server1/admin/
>>
>>
>> El lun., 17 may. 2021 19:03,  escribió:
>>
>>> Hi All,
>>>
>>> I have a load balancer setup like below
>>>
>>> 
>>> BalancerMember http://msts1acnf001:8098 route=1
>>> BalancerMember http://msts1bcnf002:8098 route=2
>>> BalancerMember http://msts1ccnf003:8098 route=3
>>> ProxySet stickysession=ROUTEID
>>> 
>>>
>>> And each node running tomcat and has a context path setup
>>>
>>> >> reloadable="false" useHttpOnly="true">
>>>
>>> How do I configure it to access a node instead of the cluster? I do need
>>> the cluster for users, but for admin sometimes need to access a node to
>>> check its UI status.
>>>
>>> Thanks,
>>> Asif
>>>
>>>
>>>
>>> --
>>> Asif Iqbal
>>> PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
>>> A: Because it messes up the order in which people normally read text.
>>> Q: Why is top-posting such a bad thing?
>>>
>>>
>
> --
> Asif Iqbal
> PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
>
>

Re: [users@httpd] Connect to a node instead of a cluster

2021-05-17 Thread Daniel Ferradal 
Define a ProxyPass directive with a unique path pointing to one of the node
you want to use

Hint
ProyPass /adminpath/ http://server1/admin/


El lun., 17 may. 2021 19:03,  escribió:

> Hi All,
>
> I have a load balancer setup like below
>
> 
> BalancerMember http://msts1acnf001:8098 route=1
> BalancerMember http://msts1bcnf002:8098 route=2
> BalancerMember http://msts1ccnf003:8098 route=3
> ProxySet stickysession=ROUTEID
> 
>
> And each node running tomcat and has a context path setup
>
>  reloadable="false" useHttpOnly="true">
>
> How do I configure it to access a node instead of the cluster? I do need
> the cluster for users, but for admin sometimes need to access a node to
> check its UI status.
>
> Thanks,
> Asif
>
>
>
> --
> Asif Iqbal
> PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
>
>

Re: [users@httpd] Why so much difference in memory used per process in apache2 between two different systems

2021-05-17 Thread Daniel Ferradal 
shared)
>  fcgid_module (shared)
>  filter_module (shared)
>  headers_module (shared)
>  include_module (shared)
>  mime_module (shared)
>  mpm_event_module (shared)
>  negotiation_module (shared)
>  proxy_module (shared)
>  proxy_balancer_module (shared)
>  proxy_fcgi_module (shared)
>  proxy_http_module (shared)
>  remoteip_module (shared)
>  reqtimeout_module (shared)
>  rewrite_module (shared)
>  security2_module (shared)
>  setenvif_module (shared)
>  slotmem_shm_module (shared)
>  socache_shmcb_module (shared)
>  ssl_module (shared)
>  status_module (shared)
>  suexec_module (shared)
>  unique_id_module (shared)
>  userdir_module (shared)
>
>
> I already changed MPM mode from Event to Prefork on Server2, with the same
> results.
>
> What else can I check to understand this difference?
>
> Thank's!
>
>
>
> *Manxa 1876, S.L. Ctra. Les Tries, 85. 17800 Olot (Girona)*
> *Tel. 972 27 45 30 Fax 972 27 45 32*
>
> * Manxa Industrial | *Coneix més aquí <http://www.manxaindustrial.com>
>
> * Manxa Ferros | *Coneix més aquí <http://www.manxaferros.com/>
>
> * Manxa Ferreteria i Parament de la Llar | *Coneix més aquí
> <https://www.manxabricolatge.com>
>
>
> El contingut d’aquest correu electrònic i els seus annexos és estrictament
> confidencial. En el cas que no siguis el destinatari i hagis rebut aquest
> missatge per error, preguem que ho comuniquis al remitent i procedeixis a
> la seva eliminació, sense difondre, emmagatzemar o copiar el seu contingut.
> Imprimeix aquest correu només si és necessari.
>
> El contenido de este correo electrónico y sus anexos es estrictamente
> confidencial. En el caso de que no seas el destinatario y hayas recibido
> este mensaje por error, rogamos lo comuniques al remitente y procedas a su
> eliminación, sin difundir, almacenar o copiar su contenido. Imprimir este
> correo solo si es necesario.
>
> The content of this email and its attachments is strictly confidential. If
> you are not the recipient and you have received this message by mistake,
> please notify the sender and proceed to its elimination, without spreading,
> storing or copying its content. Print this email only if necessary.
>
> Le contenu de cet e-mail et de ses pièces jointes est strictement
> confidentiel. Dans le cas où vous n'êtes pas le destinataire et avez reçu
> ce message par erreur, veuillez en informer l'expéditeur et procéder à sa
> suppression, sans diffuser, stocker ou copier son contenu. Imprimez cet
> e-mail uniquement si nécessaire.
>


-- 
Daniel Ferradal
HTTPD Project
#httpd help at Freenode

Re: [users@httpd] Is proxy to proxy improving the security?

2021-05-15 Thread Daniel Ferradal 
The weakest link is always the application at the end of the chain. Reverse
proxying is basically handing down the request to another server, so what
really matters IMHO is what you expose of the  application to the upper
layers and what those who access it can do with it. Considering the
application will also be on an internal network and interprets what the
client is sending, that's where you should worry most.

So, dealing with reverse proxies as long as you don't "proxy everything" (
as in all paths ) and you just let through the absolute minimum in data and
methods for the application to work I don't think the reverse proxy is of
much concern.

El sáb., 15 may. 2021 17:48, Jim Albert  escribió:

> On 5/15/2021 10:21 AM, Jason Long wrote:
> > Hello,
> > Is proxy to proxy improving the security? For example:
> >
> > The Internet --> Reverse Proxy Server --> Reverse Proxy Server --> Web
> Site
> >
>
> It really depends on what functions your proxies are performing. For
> example, are the reverse proxies simply load balancers or do they also
> serve as a WAF (Web Application Firewall)? A combination of both
> services on the same reverse proxy is a common implementation often
> offered commercially. Weeding out malicious requests falls on on the
> reverse proxy WAF while the backend web servers are free to spend their
> resources on legitimate requests.
>
> I think part of the answer is for security don't completely rely on your
> reverse proxy to keep  out all malicious activity. It should do a good
> job. None the less you still want your backend free of vulnerabilities
> like XSS and SQLi.
>
> I think you'd have to define more of the purpose of multiple reverse
> proxies.
>
> Jim
>
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>
>

Re: [users@httpd] Professional Product

2021-04-30 Thread Daniel Ferradal 
There will always be ungrateful people, even to the point of being
childish, Why pay attention? They just do it to themselves, and we all
know what will happen next.

El vie, 30 abr 2021 a las 18:28, John () escribió:
>
> As a longtime Apache user who has had innumerable questions answered
> promptly by members of this list I have been watching this person and
> wondering how anyone could be so obtuse.
>
> IMO he has been treated more than fairly and some of the people
> supplying answers have gone far beyond what one would normally expect
> for free list support.
>
> Keeping in mind that this is free software I wonder how how anyone
> could reasonably quantify Back Button's response as appropriate or
> correct.
>
> Please keep it up Apache supporters; your patience is appreciated by
> the majority of us!  And we don't swear and blame you when we can't
> come to grips with reality!
>
> Regards,
>
> John
> ===
> On Fri, 2021-04-30 at 16:12 +, dana whitelow wrote:
> > Hey  fcuk wits!
> >
> > click this link  https://openliberty.io/guides/
> >
> > for the firs time in your life  you will see a ROFESSIONAL PRODUCT.
> > cherish the experience
> > because you are not going to get it here at apache.org.
> >
> > I took one look at the  apache product and I staright way bought
> > this book
> > https://www.amazon.co.uk/WildFly-Administration-Guide-Francesco-Marchioni/dp/8894038920
> >
> > Best Regards
> >
> > back.button@aol.
> >
> >
> > danawhite...@aol.com
>
>
> ---------
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>


-- 
Daniel Ferradal
HTTPD Project
#httpd help at Freenode

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] mod_proxy_hcheck response timeout?

2021-04-27 Thread Daniel Ferradal 
Sorry for the inconvenience in the test but, now Im looking and now it
seems to be working as expected ** head scratch here **

The client that is testing this also confirms it is working.

I have been checking the logs from 11:20 to 12:30 and I see entries
going to the second worker, but since then.. I just checked.. nothing,
zero to the second worker. (I had previously stop|started apache and
the module is even loaded from some other path to make sure I don't
confuse one for the other...)



El mar, 27 abr 2021 a las 12:55, Daniel Ferradal
() escribió:
>
> Wow Yann,
>
> Thanks so much for taking the time.
>
> --Correction:
> When I said:
>
> >Is my approach correct? As with most initial approaches to a specific
> > scenario, this may very well be the case, which other approach do you
> > suggest?
>
> I really meant "Is my approach incorrect?" Trying to mean It is
> logical to assume things wrongly at first approach to a subject.
>
> -
>
> I applied the patch and I'm already testing it.
>
> In a given configuration like:
> BalancerMember http://ip1:7009/ hcmethod=GET hcuri=/ping hcpasses=1
> hcfails=1 hcinterval=5 timeout=5 retry=30
> BalancerMember http://ip2:7009/ hcmethod=GET hcuri=/ping hcpasses=1
> hcfails=1 hcinterval=5 timeout=5 retry=30
>
> --
>
> The backend ip2:7009 always takes 6 seconds to reply to /ping uri for
> testing purposes.
>
> $ time curl -vk "http://ip2:7009/sites/ping;
> ...
> < HTTP/1.1 200 OK
> ...
> * Connection #0 to host ip2 left intact
> * Closing connection #0
> {"response":{"name":"testAlive.owcs","time":6.006}}
> real0m6.057s
> user0m0.007s
> sys 0m0.002s
>
>
> With the patch applied I seem to see mod_health_hcheck saying that it
> is disabling the worker ip2 "sometimes" but not constantly, in a lapse
> of about 1 hour I've seen the message just 8 times:
>
> [Tue Apr 27 11:12:38.396687 2021] [proxy_hcheck:info] [pid 28713:tid
> 140079122761472] AH03303: Health check DISABLING http://ip2:port/
>
> Since the backend ip2 is configured to respond in 6 seconds all the
> times to that /ping URI (not the rest of normal uri). So
> mod_proxy_hcheck should be disabling this worker constantly. Am I
> correct?
>
> If you need more information or some specific logging do not hesitate to ask.
>
> Cheers
>
>
>
>
>
> El lun, 26 abr 2021 a las 22:51, Yann Ylavic () 
> escribió:
> >
> > Hi Daniel,
> >
> > On Thu, Apr 22, 2021 at 12:21 PM Daniel Ferradal  
> > wrote:
> > >
> > > Is my approach correct? As with most initial approaches to a specific
> > > scenario, this may very well be the case, which other approach do you
> > > suggest?
> >
> > I think that it's missing in the code but can't think of a workaround.
> > Does the attached patch working for you?
> >
> > Regards;
> > Yann.
> >
> > -
> > To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> > For additional commands, e-mail: users-h...@httpd.apache.org
>
>
>
> --
> Daniel Ferradal
> HTTPD Project
> #httpd help at Freenode



-- 
Daniel Ferradal
HTTPD Project
#httpd help at Freenode

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] mod_proxy_hcheck response timeout?

2021-04-27 Thread Daniel Ferradal 
Wow Yann,

Thanks so much for taking the time.

--Correction:
When I said:

>Is my approach correct? As with most initial approaches to a specific
> scenario, this may very well be the case, which other approach do you
> suggest?

I really meant "Is my approach incorrect?" Trying to mean It is
logical to assume things wrongly at first approach to a subject.

-

I applied the patch and I'm already testing it.

In a given configuration like:
BalancerMember http://ip1:7009/ hcmethod=GET hcuri=/ping hcpasses=1
hcfails=1 hcinterval=5 timeout=5 retry=30
BalancerMember http://ip2:7009/ hcmethod=GET hcuri=/ping hcpasses=1
hcfails=1 hcinterval=5 timeout=5 retry=30

--

The backend ip2:7009 always takes 6 seconds to reply to /ping uri for
testing purposes.

$ time curl -vk "http://ip2:7009/sites/ping;
...
< HTTP/1.1 200 OK
...
* Connection #0 to host ip2 left intact
* Closing connection #0
{"response":{"name":"testAlive.owcs","time":6.006}}
real0m6.057s
user0m0.007s
sys 0m0.002s


With the patch applied I seem to see mod_health_hcheck saying that it
is disabling the worker ip2 "sometimes" but not constantly, in a lapse
of about 1 hour I've seen the message just 8 times:

[Tue Apr 27 11:12:38.396687 2021] [proxy_hcheck:info] [pid 28713:tid
140079122761472] AH03303: Health check DISABLING http://ip2:port/

Since the backend ip2 is configured to respond in 6 seconds all the
times to that /ping URI (not the rest of normal uri). So
mod_proxy_hcheck should be disabling this worker constantly. Am I
correct?

If you need more information or some specific logging do not hesitate to ask.

Cheers





El lun, 26 abr 2021 a las 22:51, Yann Ylavic () escribió:
>
> Hi Daniel,
>
> On Thu, Apr 22, 2021 at 12:21 PM Daniel Ferradal  wrote:
> >
> > Is my approach correct? As with most initial approaches to a specific
> > scenario, this may very well be the case, which other approach do you
> > suggest?
>
> I think that it's missing in the code but can't think of a workaround.
> Does the attached patch working for you?
>
> Regards;
> Yann.
>
> -----
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org



--
Daniel Ferradal
HTTPD Project
#httpd help at Freenode

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] mod_proxy_hcheck response timeout?

2021-04-26 Thread Daniel Ferradal 
Ahh, thanks now I understand. I appreciate your feedback.

El lun, 26 abr 2021 a las 17:48, Suvendu Sekhar Mondal
() escribió:
>
> Hello Daniel,
>
> On Mon, Apr 26, 2021 at 7:02 PM Daniel Ferradal  wrote:
> >
> > Thanks for answering
> >
> > Can you please elaborate on this?
> >
> >
> What I did was, I changed the code of the page a bit so that it throws
> an exception(in my case of type Java) after waiting for some time. In
> the real world it could be something like this:
>
> 1. Apache hits that page during health check
> 2. That page has the code which does the "real" health check of the
> target application - it could be like invoking another URL or
> something else which tells you about your app's health
> 3. After invoking that URL, it waits for x amount of time for the
> response to come before giving up. This is the alternate timeout.
> 4. If it gets a response from that URL call within x amount of time -
> then we can say that the worker is healthy, else I am throwing an
> exception which will send back HTTP 500
> 5. As Apache health check is getting 500 back, it fails that worker's
> health check
>
> During my POC, that's the only way I was able to alternatively
> simulate a health check timeout failure.
>
> Thanks!
> Suvendu
>
> > > What I found is that if I can generate an exception(say
> > > timeoutexception) after waiting for some time then the health check is
> > > failing properly and marking the worker as down. This could be the
> > > alternative option until the health check module is enhanced.
> >
> >
> > --
> > Daniel Ferradal
> > HTTPD Project
> > #httpd help at Freenode
> >
> > -
> > To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> > For additional commands, e-mail: users-h...@httpd.apache.org
> >
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>


-- 
Daniel Ferradal
HTTPD Project
#httpd help at Freenode

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] mod_proxy_hcheck response timeout?

2021-04-26 Thread Daniel Ferradal 
Thanks for answering

Can you please elaborate on this?


> What I found is that if I can generate an exception(say
> timeoutexception) after waiting for some time then the health check is
> failing properly and marking the worker as down. This could be the
> alternative option until the health check module is enhanced.


-- 
Daniel Ferradal
HTTPD Project
#httpd help at Freenode

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] mod_proxy_hcheck response timeout?

2021-04-22 Thread Daniel Ferradal 
Hello,

I'm trying to examine a case in which we want a balancer member to be
set on fail if it can't responde in specific time to the hcheck
request

This example configuration:


# example member 1
BalancerMember http://ip:port/ hcmethod=HEAD hcuri=/ping hcpasses=1
hcfails=1 hcinterval=5 timeout=5 retry=30

# more realistic example member 2 and others
BalancerMember http://ip:port/ hcmethod=HEAD hcuri=/ping hcpasses=1
hcfails=1 hcinterval=5 timeout=60 retry=30

BalancerMember http://ip:port/ hcmethod=HEAD hcuri=/ping hcpasses=1
hcfails=1 hcinterval=5 timeout=60 retry=30

BalancerMember http://ip:port/ hcmethod=HEAD hcuri=/ping hcpasses=1
hcfails=1 hcinterval=5 timeout=60 retry=30

BalancerMember http://ip:port/ hcmethod=HEAD hcuri=/ping hcpasses=1
hcfails=1 hcinterval=5 timeout=60 retry=30


ProxyPass /app balancer://appbalancer/app failontimeout=on

Let's assume the backend server 1 takes more than 5 seconds for the
/ping  I would want to be set on fail and the Apache httpd server use
the other balancermember, if there are more members in the balancer,
for httpd to choose those other members which respond to the ping in a
timely fashion, but in my tests, if /ping reply goes above 5 seconds,
mod_proxy_hcheck is still saying it is ok.

Is my approach correct? As with most initial approaches to a specific
scenario, this may very well be the case... still bear with me.

Right now if the backend responds to the /ping in for example, 6
seconds, it is not being marked on fail, so as I understand any normal
request which lasts more than 5 seconds will, I don´t need hcheck for
that but this is just an example, there may be other more real
scenarios like the other members I have defined

for example  Balancermember 2 we set timeout 60 seconds, app takes up
to 30-40 seconds to reply to specific requests  but suppose we have
plenty of balancer members and may want to disable the member when it
degrades the /ping reply to more than 10 seconds because that means it
is getting degraded.

Is it possible to set a timeout for hchecks to set a member as failed?

Is my approach correct? As with most initial approaches to a specific
scenario, this may very well be the case, which other approach do you
suggest?

I check there is a change coming to mod_proxy_hcheck,
https://svn.apache.org/viewvc?view=revision=1887119, not sure
if it applies to my case as it does not seem to mention response
timeout, rather than checks piling up.


Thanks in advance



-- 
Daniel Ferradal
HTTPD Project
#httpd help at Freenode

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Random 500 errors

2021-04-20 Thread Daniel Ferradal 
If rewriterules cause the error you would get the log in the httpd
error log too. Possibly what you mention, php or whatever backend..

El mar, 20 abr 2021 a las 19:01, Dave Wreski
() escribió:
>
>
>
> On 4/20/21 12:41 PM, Daniel Ferradal wrote:
> > We can just speculate here to those questions. Rule of thumb if not
> > showing in httpd error log, not httpd error.
>
> Thanks so much for your help. Would that include any RewriteRule entries?
>
> Of course just speculation, but that would lead me more towards
> PHP/Joomla and possibly cloudflare as a source?
>
> Thanks,
> Dave
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>


-- 
Daniel Ferradal
HTTPD Project
#httpd help at Freenode

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Random 500 errors

2021-04-20 Thread Daniel Ferradal 
We can just speculate here to those questions. Rule of thumb if not
showing in httpd error log, not httpd error.

El mar, 20 abr 2021 a las 15:59, Dave Wreski
() escribió:
>
>
>
> On 4/20/21 8:54 AM, Daniel Ferradal wrote:
> > That's the key then, you are probably reverse proxying somewhere and
> > the 500 errors comes from there and not from Apache. Apache always
> > logs HTTP 500 status code in error log.
> >
> > Even more, the headers you pasted have no Server: Apache and there are
> > many other headers that tell us you are not dealing with simple static
> > content but a dynamic content generator of some sort. It pays off to
> > double check where those requests are being routed to.
>
> We're using cloudflare, but the issues seem to persist even when
> disabling their cache. Perhaps it's still being proxied, even though
> it's not being cached, and causing these errors?
>
> Would it explain why the same page doesn't always produce the error, or
> why not all pages produce a 500 error?
>
> Thanks,
> Dave
>
> >
> > El mar, 20 abr 2021 a las 14:49, Dave Wreski
> > () escribió:
> >>
> >>
> >>> If the error comes from apache itself you should have an error log
> >>> entry, what does it say?
> >>
> >> I don't have any error log entries, only the 500 error response in the
> >> access log.
> >>
> >> 72.70.38.104 - - [19/Apr/2021:21:38:56 -0400] "GET
> >> /advisories/debian/debian-dsa-2944-1-gnutls26-security-update HTTP/1.1"
> >> 500 12704 "-" "Mozilla/5.0 (compatible; bingbot/2.0;
> >> +http://www.bing.com/bingbot.htm)" 2/2408334 915/21235/12704
> >>
> >> Thanks,
> >> Dave
> >>
> >>>
> >>>
> >>> El mar., 20 abr. 2021 4:03, Dave Wreski
> >>>  escribió:
> >>>
> >>>  Hi,
> >>>
> >>>  I have an apache-2.4.46 system on fedora33 and having weird 500 
> >>> errors
> >>>  that I can't explain.
> >>>
> >>>  72.70.38.104 - - [19/Apr/2021:21:38:56 -0400] "GET
> >>>  /advisories/debian/debian-dsa-2944-1-gnutls26-security-update 
> >>> HTTP/1.1"
> >>>  500 12704 "-" "Mozilla/5.0 (compatible; bingbot/2.0;
> >>>  +http://www.bing.com/bingbot.htm <http://www.bing.com/bingbot.htm>)"
> >>>  2/2408334 915/21235/12704
> >>>
> >>>  Going to this page directly loads the page just fine.
> >>>
> >>>  I've also just started to notice the following entries in
> >>>  /var/log/httpd/modsec_audit.log:
> >>>
> >>>  --47be4126-F--
> >>>  HTTP/1.1 500 Internal Server Error
> >>>  X-LiteSpeed-Purge: *
> >>>  Cache-Control: no-cache
> >>>  Pragma: no-cache
> >>>  Set-Cookie:
> >>>  5eae87e0f12142efcb88fb03b93e82b2=qil7ieh6m1tcnrj8dn0vkfc4s5;
> >>>  path=/; secure; HttpOnly
> >>>  Set-Cookie: ct_timestamp=1618882240; path=/
> >>>  Set-Cookie:
> >>>  ct_prev_referer=https%3A%2F%2Flinuxsecurity.com%2Fcontact-us; path=/
> >>>  Set-Cookie:
> >>>  
> >>> ct_cookies_test=%7B%22cookies_names%22%3A%5B%22ct_timestamp%22%2C%22ct_prev_referer%22%5D%2C%22check_value%22%3A%22d4c4a7a2546fbe6
> >>>  12cba4c38dc2c8949%22%7D; path=/
> >>>  Strict-Transport-Security: max-age=15768000
> >>>  X-XSS-Protection: 1; mode=block
> >>>  X-Content-Type-Options: nosniff
> >>>  Vary: User-Agent
> >>>  Cache-Control: public
> >>>  Connection: close
> >>>  Transfer-Encoding: chunked
> >>>  Content-Type: text/html; charset=UTF-8
> >>>
> >>>  What does this mean? Is this just reporting the error or something
> >>>  related to mod_sec causing the error?
> >>>
> >>>  Thanks,
> >>>  Dave
> >>>
> >>>
> >>>
> >>>  -
> >>>  To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> >>>  <mailto:users-unsubscr...@httpd.apache.org>
> >>>  For additional commands, e-mail: users-h...@httpd.apache.org
> >>>  <mailto:users-h...@httpd.apache.org>
> >>>
> >>
> >> -
> >> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> >> For additional commands, e-mail: users-h...@httpd.apache.org
> >>
> >
> >
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>


-- 
Daniel Ferradal
HTTPD Project
#httpd help at Freenode

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] SSLCipherSuite DEFAULT

2021-04-20 Thread Daniel Ferradal 
Have you tried the mozzilla ssl generator, it generally is quite good:

For intermediate Security allowing TLSv1.2 for example:
https://ssl-config.mozilla.org/#server=apache=2.4.41=intermediate=1.1.1d=5.6

El mar, 20 abr 2021 a las 17:46, Jim Albert () escribió:
>
> On 4/20/2021 9:48 AM, @lbutlr wrote:
> > If I define SSLCipherSuite DEFAULT will apache show the ciphers that are 
> > defined by openSSL and will be used?
> >
> > Is this the best way to go, or should I specifically list TLSv1.2 and 
> > TLS1.3?
> >
> > The complete list of ciphers that openssl supports numbers 60 and still
> includes some 14 TLSv1 ciphers like PSK-AES128-CBC-SHA256, among others.
> >
> > Trying to search on recommendations comes up with a lot of "use these 
> > settings to allow IE 6.0" which is of literally no. interest to me at all.
> >
> > This is what I am looking at using:
> >
> > Protocols h2 h2c http/1.1
> > SSLCipherSuite DEFAULT
> > SSLProtocol all -TLSv1.1 -TLSv1 -SSLv2 -SSLv3
> >
> > But I may relent on TLSv1/1.1 after checking logs.
> >
> > I think that if I set SSLCipherSuite DEFAULT and SSLProtocol to not allow 
> > the older TLS and SSL that will provide ciphers and security that are 
> > supported by current browsers and if I allow TLSv1 it should support old 
> > browsers going back more than a decade, yes?
> >
>
> Per https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslciphersuite
> Setting SSLCipherSuite to DEFAULT is dependent on OpenSSL version.
>
> I believe running 'openssl ciphers' will list your openssl
> installation's default cipher list which I am assuming is what
> SSLCipherSuite set to DEFAULT would use, but I'm guessing. You'd have to
> confirm that.
>
> I've always referenced https://wiki.mozilla.org/Security/Server_Side_TLS
> as a decent starting point. Intermediate is usually a pretty good
> starting point for a public web server. Then watching for any
> cipher-based vulnerabilities that are announced or reported by any
> vulnerability testing you might have performed.
>
> https://www.ssllabs.com/ssltest/
> is a pretty nice site to check on your httpd SSL configs.
>
> Jim
>
>
>
>
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>


-- 
Daniel Ferradal
HTTPD Project
#httpd help at Freenode

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Logging issue

2021-04-20 Thread Daniel Ferradal 
I'm intrigued but maybe it was said but I missed it.

You say you can´t do: "aaa.bbb.ccc.ddd/app1, aaa.bbb.ccc.ddd/app2¨

Well, you can, but in the same virtualhost, and you can even point to
multiple fpm pools for each

Did you try something like this? :


Servername ip # no paths here just the ip
Documentroot /path/to/docroot



  SetHandler  "proxy:unix:/path/to/app1.sock|fcgi://localhost/"
  # or SetHandler  "proxy:fcgi://localhost:9000"





  SetHandler  "proxy:unix:/path/to/app2.sock|fcgi://localhost/"
  # or SetHandler  "proxy:fcgi://localhost:9001"


...


Or you really need two separate virtualhosts to ease the choice for
the user just define different ports for each virtualhost and the
corresponding Listen directives.

El dom, 18 abr 2021 a las 2:14, H () escribió:
>
> On 04/17/2021 06:09 PM, Eric Covener wrote:
> >> Yes, I (believe) I understand and find many examples how to configure 
> >> virtual name hosts when you have a domain name. BUT, I have yet to find 
> >> any examples where this works with /one/ single IP address rather than a 
> >> domain name.
> > This is because it's not applicable. The feature you're trying to use
> > allows the server to respond two different ways to two different
> > hostnames.
> > Without two or more hostnames it is meaningless.
> >
> >> The former pertains to defining various virtual hosts such as 
> >> site1.thisismydomain.com, site2.thisismydomain.com where the domain name 
> >> is the same.
> >>
> >> However, my current setup does not have a domain name associated with it, 
> >> only an IP address. Thus the virtual hosts I am trying to work would be 
> >> site1.aaa.bbb.ccc.ddd and site2.aaa.bbb.ccc.ddd where the IP address is 
> >> the same.
> > The configurations for these virtual hosts would only be used if the
> > client requests http://site1.aaa.bbb.ccc.ddd/* which will never
> > happen.
> >
> >> Note that the sites are on an external server and accessed remotely, not 
> >> on a local computer, and need to be accessed by multiple computers.
> >>
> >> Is this perhaps not possible??
> > Try the obscure ServerPath directive if you can't arrange for 2
> > hostnames to resolve to your IP address.
> >
> > -
> > To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> > For additional commands, e-mail: users-h...@httpd.apache.org
> >
> Here is my current understanding after bloodying my forehead:
>
> My ultimate goal is to be able to run different php apps each potentially 
> requiring its unique php version using php-fpm. I would also like so separate 
> access and error logs by app, ie app1-access.log, app2-access.log etc.
>
> My original expectation was to call them through the same IP address followed 
> by the directory of the app, ie aaa.bbb.ccc.ddd/app1, aaa.bbb.ccc.ddd/app2 
> etc. This does not work.
>
> My understanding is now that:
>
> - To use unique php versions would require separating the apps into 
> individual VirtualHosts directives. Each VirtualHost directive can then call 
> its unique php-fpm handler.
>
> - I now understand this cannot be done using just an IP address in the 
> VirtualHost directive followed by app1, app2 etc. A domain name must be used.
>
> - There are workarounds which however do /not/ allow for different 
> VirtualHost directives which my objective would requires, such as using 
> ProxyPass, ProxyPass and Alias. Thus not a useable workaround.
>
> Therefore, it seems I need to pivot and use a common domain name instead of 
> IP address:
>
> - Create multiple VirtualHost directives where the ServerName would be 
> app1.domain.com, app2.domain.com. These can then be mapped to different 
> directory trees.
>
> - This should allow for using a different php-fpm handler in each VirtualHost 
> directive.
>
> Hopefully I made myself understandable but is my understanding correct?
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>


-- 
Daniel Ferradal
HTTPD Project
#httpd help at Freenode

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Random 500 errors

2021-04-20 Thread Daniel Ferradal 
That's the key then, you are probably reverse proxying somewhere and
the 500 errors comes from there and not from Apache. Apache always
logs HTTP 500 status code in error log.

Even more, the headers you pasted have no Server: Apache and there are
many other headers that tell us you are not dealing with simple static
content but a dynamic content generator of some sort. It pays off to
double check where those requests are being routed to.

El mar, 20 abr 2021 a las 14:49, Dave Wreski
() escribió:
>
>
> > If the error comes from apache itself you should have an error log
> > entry, what does it say?
>
> I don't have any error log entries, only the 500 error response in the
> access log.
>
> 72.70.38.104 - - [19/Apr/2021:21:38:56 -0400] "GET
> /advisories/debian/debian-dsa-2944-1-gnutls26-security-update HTTP/1.1"
> 500 12704 "-" "Mozilla/5.0 (compatible; bingbot/2.0;
> +http://www.bing.com/bingbot.htm)" 2/2408334 915/21235/12704
>
> Thanks,
> Dave
>
> >
> >
> > El mar., 20 abr. 2021 4:03, Dave Wreski
> >  escribió:
> >
> > Hi,
> >
> > I have an apache-2.4.46 system on fedora33 and having weird 500 errors
> > that I can't explain.
> >
> > 72.70.38.104 - - [19/Apr/2021:21:38:56 -0400] "GET
> > /advisories/debian/debian-dsa-2944-1-gnutls26-security-update HTTP/1.1"
> > 500 12704 "-" "Mozilla/5.0 (compatible; bingbot/2.0;
> > +http://www.bing.com/bingbot.htm <http://www.bing.com/bingbot.htm>)"
> > 2/2408334 915/21235/12704
> >
> > Going to this page directly loads the page just fine.
> >
> > I've also just started to notice the following entries in
> > /var/log/httpd/modsec_audit.log:
> >
> > --47be4126-F--
> > HTTP/1.1 500 Internal Server Error
> > X-LiteSpeed-Purge: *
> > Cache-Control: no-cache
> > Pragma: no-cache
> > Set-Cookie:
> > 5eae87e0f12142efcb88fb03b93e82b2=qil7ieh6m1tcnrj8dn0vkfc4s5;
> > path=/; secure; HttpOnly
> > Set-Cookie: ct_timestamp=1618882240; path=/
> > Set-Cookie:
> > ct_prev_referer=https%3A%2F%2Flinuxsecurity.com%2Fcontact-us; path=/
> > Set-Cookie:
> > 
> > ct_cookies_test=%7B%22cookies_names%22%3A%5B%22ct_timestamp%22%2C%22ct_prev_referer%22%5D%2C%22check_value%22%3A%22d4c4a7a2546fbe6
> > 12cba4c38dc2c8949%22%7D; path=/
> > Strict-Transport-Security: max-age=15768000
> > X-XSS-Protection: 1; mode=block
> > X-Content-Type-Options: nosniff
> > Vary: User-Agent
> > Cache-Control: public
> > Connection: close
> > Transfer-Encoding: chunked
> > Content-Type: text/html; charset=UTF-8
> >
> > What does this mean? Is this just reporting the error or something
> > related to mod_sec causing the error?
> >
> > Thanks,
> > Dave
> >
> >
> >
> > -
> > To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> > <mailto:users-unsubscr...@httpd.apache.org>
> > For additional commands, e-mail: users-h...@httpd.apache.org
> > <mailto:users-h...@httpd.apache.org>
> >
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>


-- 
Daniel Ferradal
HTTPD Project
#httpd help at Freenode

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] config is silently ignored

2021-04-20 Thread Daniel Ferradal 
Generally I would never define virtualhosts with , I
think it is better and more straightforward to specify everything,
specially when starting to admin your first apache servers. For
example purposes, let's say I would define them like these in a more
straightforward way:

Listen 80
Listen 443


ServerName whatever.example.com
Redirect / https://whatever.example.com/
CustomLog logs/whatevever.example.com.log common



ServerName whatever.example.com
CustomLog logs/whatevever.example.com-ssl.log combined
..
.
.



ServerName somethingelse.example.com
CustomLog logs/somethingelse.example.com.log common

Redirect / https://somethingelse.example.com/



ServerName somethingelse.example.com
CustomLog logs/somethingelse.example.com-ssl.log combined
.
.
.


I think this way it is quite hard to get lost.
There are more brief setups you can go for but for a couple of domains
it pays off to go like this,  I would recommend you to define
everything clearly to know where everything is going instead of trying
to take shortcuts.

Also make sure to restart between chances gracefully or with a restart.

And for testing use a client which does not cache contents, aka, "curl
-Ik https://whatever.example.com/;

A sidenote:
Also, about the files you mention, take into account that for apache,
config files do not mean much when interpreting the configuration, but
context/sections and order in which directives have been defined
really do, most times you mention different config files people in
this list may not pay too much attention to their names because of it.
Debian and other distros tend to convolute config files making it look
like a difficult mess for newcomers, when for small configurations
sometimes with few virtualhosts it may pay off to go smaller or even
single file.

El mar, 20 abr 2021 a las 14:29, Adrian
() escribió:
>
> Thanks again Daniel
>
> I've added a ServerName line to the top level vhost with the name of my
> server.  No change.
>
> Yes, there are two files in sites-enabled, 000-default and 000-ssl.  I
> suspect that's the cause of the problem.
>
> I'd thought that 000-ssl only had SSL-related things and had assumed
> that the other settings defaulted to the values in 000-default, but
> maybe not.  I see that both versions contain a DocumentRoot.
>
> So that raises the question that if only one of these is being used,
> and it's the SSL one using port 443, how do I configure the change to
> work for port 80 requests?  Do I have to add the same lines to both?
>
> Though in practice my http:// URLs are being redirected to https://
> somehow, so I can't tell how a port 80 request would behave.
>
> Thanks
> Adrian
>
> On Tue, 20 Apr 2021 13:38:08 +0200
> Daniel Ferradal  wrote:
>
> > Hello,
> >
> > This says you have two virtualhosts pointing to the same name, so only
> > the first one will be used:
> >
> > (/etc/apache2/sites-enabled/000-default.conf:46) *:443
> > is a NameVirtualHost default server www.example.org
> > (/etc/apache2/sites-enabled/000-ssl:2) port 443 namevhost
> > www.example.org
> >
> > But still that virtualhost you just pasted has no servername, so that
> > one may be very well catching everything.
> >
> > These things can be quite easy to see if you are still in doubt.
> > Define a specific access log for each virtualhost with different file
> > names, check where you land.
> >
> > When defining several virtualhosts define a unique servername for each
> > always. Remember first match wins.
> >
> > El mar, 20 abr 2021 a las 12:35, Adrian
> > () escribió:
> > >
> > > Thanks Daniel.
> > >
> > > I had one redundant .htaccess file in the vhost domain, now removed.
> > > Restarted and no change.
> > >
> > > Results of apachectl -S below:
> > >
> > > apachectl -S
> > > [Tue Apr 20 11:22:05.839049 2021] [so:warn] [pid 2744] AH01574:
> > > module ssl_module is already loaded, skipping VirtualHost
> > > configuration: *:*is a NameVirtualHost
> > >  default server myserver.io
> > > (/etc/apache2/sites-enabled/000-default.conf:1) port * namevhost
> > > myserver.io (/etc/apache2/sites-enabled/000-default.conf:1) port *
> > > namevhost www.example.org
> > > (/etc/apache2/sites-enabled/000-default.conf:46) *:443
> > > is a NameVirtualHost default server www.example.org
> > > (/etc/apache2/sites-enabled/000-ssl:2) port 443 namevhost
> > > www.example.org (/etc/apache2/sites-enabled/000-ssl:2) ServerRoot:
> > > "/etc/apache2" Main DocumentRoot: "/var/www/html" Main ErrorLog:
> > > "/var/log/apache2/error.log" Mutex mpm-accept: using

Re: [users@httpd] config is silently ignored

2021-04-20 Thread Daniel Ferradal 
Hello,

This says you have two virtualhosts pointing to the same name, so only
the first one will be used:

(/etc/apache2/sites-enabled/000-default.conf:46) *:443
is a NameVirtualHost default server www.example.org
(/etc/apache2/sites-enabled/000-ssl:2) port 443 namevhost
www.example.org

But still that virtualhost you just pasted has no servername, so that
one may be very well catching everything.

These things can be quite easy to see if you are still in doubt.
Define a specific access log for each virtualhost with different file
names, check where you land.

When defining several virtualhosts define a unique servername for each
always. Remember first match wins.

El mar, 20 abr 2021 a las 12:35, Adrian
() escribió:
>
> Thanks Daniel.
>
> I had one redundant .htaccess file in the vhost domain, now removed.
> Restarted and no change.
>
> Results of apachectl -S below:
>
> apachectl -S
> [Tue Apr 20 11:22:05.839049 2021] [so:warn] [pid 2744] AH01574: module
> ssl_module is already loaded, skipping VirtualHost configuration:
> *:*is a NameVirtualHost
>  default server myserver.io
> (/etc/apache2/sites-enabled/000-default.conf:1) port * namevhost
> myserver.io (/etc/apache2/sites-enabled/000-default.conf:1) port *
> namevhost www.example.org
> (/etc/apache2/sites-enabled/000-default.conf:46) *:443
> is a NameVirtualHost default server www.example.org
> (/etc/apache2/sites-enabled/000-ssl:2) port 443 namevhost
> www.example.org (/etc/apache2/sites-enabled/000-ssl:2) ServerRoot:
> "/etc/apache2" Main DocumentRoot: "/var/www/html" Main ErrorLog:
> "/var/log/apache2/error.log" Mutex mpm-accept: using_defaults
> Mutex watchdog-callback: using_defaults
> Mutex rewrite-map: using_defaults
> Mutex ssl-stapling-refresh: using_defaults
> Mutex ssl-stapling: using_defaults
> Mutex proxy: using_defaults
> Mutex ssl-cache: using_defaults
> Mutex default: dir="/var/lock/apache2" mechanism=fcntl
> PidFile: "/var/run/apache2.pid"
> Define: DUMP_VHOSTS
> Define: DUMP_RUN_CFG
> User: name="www-data" id=33
> Group: name="www-data" id=33
>
> There is a top-level vhost which maps "http://myserver.io; to the
> top-level docroot, though oddly it doesn't seem to see the files
> there.  Here is the content.  Below this is the vhost I originally
> listed, and below that another vhost which maps a different domain to a
> different docroot.
>
>   ServerAdmin webmaster@localhost
>
> DocumentRoot /var/www/
> 
> Options FollowSymLinks
> AllowOverride All
> 
> 
> Options Indexes FollowSymLinks MultiViews
> AllowOverride All
> Require all granted
> # This directive allows us to have apache2's default
> start page # in /apache2-default/, but still have / go to the right
> place # RedirectMatch ^/$ /apache2-default/
> 
>
> ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
>
> 
> AllowOverride None
> Options ExecCGI MultiViews SymLinksIfOwnerMatch
> Require all granted
> 
>
> ErrorLog /var/log/apache2/error.log
>
> # Possible values include: debug, info, notice, warn, error,
> # crit, alert, emerg.
> LogLevel warn
>
> LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\"
> \"%{User-agent}i\"" combined
> CustomLog /var/log/apache2/access.log combined ServerSignature
> On
>
> Alias /doc/ "/usr/share/doc/"
> 
> Options Indexes MultiViews FollowSymLinks
> AllowOverride None
> Require local
> 
> 
>
> There's nothing in apache2.conf that looks suspicious to me but I can
> list it if it helps.
>
> Adrian
>
> On Tue, 20 Apr 2021 12:10:09 +0200
> Daniel Ferradal  wrote:
>
> > Check "apachectl -S" output in case there is some other virtualhost
> > there getting the requests.
> >
> > That virtualhost as it is should deny access, if it is not, then there
> > is something missing in what you show. Not sure if it may be another
> > virtualhost or another virtualhost and .htaccess, etc.
> >
> > El mar, 20 abr 2021 a las 12:01, Adrian
> > () escribió:
> > >
> > > using Apache/2.4.38 (Debian)
> > > with Debian-style split config.
> > >
> > > Here are the relevant bits of a vhost.  This is
> > > in /etc/apache2/sites-enabled/000-default.
> > >
> > > 
> > > ServerName www.example.org
> > > Docu

Re: [users@httpd] config is silently ignored

2021-04-20 Thread Daniel Ferradal 
Check "apachectl -S" output in case there is some other virtualhost
there getting the requests.

That virtualhost as it is should deny access, if it is not, then there
is something missing in what you show. Not sure if it may be another
virtualhost or another virtualhost and .htaccess, etc.

El mar, 20 abr 2021 a las 12:01, Adrian
() escribió:
>
> using Apache/2.4.38 (Debian)
> with Debian-style split config.
>
> Here are the relevant bits of a vhost.  This is
> in /etc/apache2/sites-enabled/000-default.
>
> 
> ServerName www.example.org
> DocumentRoot /var/www/example
> CustomLog /var/log/apache2/example/access.log combined
>
> 
># DISABLE THE ENTIRE DOCROOT
>Require all denied
> 
> 
>
> I restarted Apache and browsed a page that isn't in cache.  It loaded
> as normal.
>
> My real question is that basic file auth is also ignored, but I thought
> I'd start simple.
>
> Things that might be related, to rule them out:
>   ${APACHE_LOCK_DIR} and ${APACHE_RUN_DIR} are not defined.
>
>   I have the compatibility module loaded, as I migrated from 2.2, but as
>   far as I can see I have no remaining 2.2 syntax in my config.
>
> Let me know what else you may need and I'll provide it.
>
> Thanks
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>


-- 
Daniel Ferradal
HTTPD Project
#httpd help at Freenode

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Random 500 errors

2021-04-19 Thread Daniel Ferradal 
Hello,

If the error comes from apache itself you should have an error log entry,
what does it say?


El mar., 20 abr. 2021 4:03, Dave Wreski 
escribió:

> Hi,
>
> I have an apache-2.4.46 system on fedora33 and having weird 500 errors
> that I can't explain.
>
> 72.70.38.104 - - [19/Apr/2021:21:38:56 -0400] "GET
> /advisories/debian/debian-dsa-2944-1-gnutls26-security-update HTTP/1.1"
> 500 12704 "-" "Mozilla/5.0 (compatible; bingbot/2.0;
> +http://www.bing.com/bingbot.htm)" 2/2408334 915/21235/12704
>
> Going to this page directly loads the page just fine.
>
> I've also just started to notice the following entries in
> /var/log/httpd/modsec_audit.log:
>
> --47be4126-F--
> HTTP/1.1 500 Internal Server Error
> X-LiteSpeed-Purge: *
> Cache-Control: no-cache
> Pragma: no-cache
> Set-Cookie: 5eae87e0f12142efcb88fb03b93e82b2=qil7ieh6m1tcnrj8dn0vkfc4s5;
> path=/; secure; HttpOnly
> Set-Cookie: ct_timestamp=1618882240; path=/
> Set-Cookie:
> ct_prev_referer=https%3A%2F%2Flinuxsecurity.com%2Fcontact-us; path=/
> Set-Cookie:
>
> ct_cookies_test=%7B%22cookies_names%22%3A%5B%22ct_timestamp%22%2C%22ct_prev_referer%22%5D%2C%22check_value%22%3A%22d4c4a7a2546fbe6
> 12cba4c38dc2c8949%22%7D; path=/
> Strict-Transport-Security: max-age=15768000
> X-XSS-Protection: 1; mode=block
> X-Content-Type-Options: nosniff
> Vary: User-Agent
> Cache-Control: public
> Connection: close
> Transfer-Encoding: chunked
> Content-Type: text/html; charset=UTF-8
>
> What does this mean? Is this just reporting the error or something
> related to mod_sec causing the error?
>
> Thanks,
> Dave
>
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>
>

Re: [users@httpd] Logging issue

2021-04-17 Thread Daniel Ferradal 
ctly, the next step is to load php-fpm to be able to use
> different php versions for some of the sites. However, until I have the
> logging working as intended I am not working on that...
>
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>
>
> Well, if my problem is so easily solved, perhaps you can tell me what I am 
> doing wrong? That would solve two issues, I no longer have to post questions 
> on this topic and you could show that you are helpful and knowledgable... 
> Obviously I have consulted other sources, including the documentation.
>
> This is a user support list, is it not? And, you can always ignore posts... 
> Perhaps i misremember, but was not your previous post a suggestion to switch 
> to MAMP??
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>
>


--
Daniel Ferradal
HTTPD Project
#httpd help at Freenode

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] apache error 500 weirdness

2021-04-12 Thread Daniel Ferradal 
The first thing I would do is to check If you have an error message in
apache log. If not, that may solely be a php issue and probably this
is not the right list to help debug that. But first things first.

El lun, 12 abr 2021 a las 3:40, Dave Wreski
() escribió:
>
> Hi,
>
> I have an apache-2.4.46 system with php-7.4.16 on fedora33 site using 
> cloudflare, although I'm not sure if it's related. This is an entry from our 
> logs from a cloudflare IP:
>
> 172.68.34.214 - - [11/Apr/2021:21:22:11 -0400] "GET 
> /advisories/gentoo/gentoo-glsa-200903-10-irrlicht-user-assisted-execution-of-arbitrary-code
>  HTTP/1.1" 500 120453475 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) 
> AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.1 Safari/605.1.15 
> (Applebot/0.1; +http://www.apple.com/go/applebot)" 7/7095876 
> 1030/121467178/120453475 H:HTTP/1.1 
> U:/advisories/gentoo/gentoo-glsa-200903-10-irrlicht-user-assisted-execution-of-arbitrary-code
>  ls443 s:500 V:linuxsecurity.com v:linuxsecurity.com
>
> The full URL for that entry is:
> https://linuxsecurity.com/advisories/fedora/fedora-32-subversion-2021-16e51e39a6-20-34-36?rss
>
> This page does not produce a 500 error when I go to it manually.
>
> The LogFormat for this entry is as such:
>
>   LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" 
> %T/%D %I/%O/%B H:%H U:%U ls443 s:%>s V:%V v:%v" timing
>
> The %b in the entry above appears to be 121 megabytes. How is that possible? 
> How can I debug this? I have display_errors = On in my PHP settings and have 
> debugging enabled for php-fpm but no errors are being reported.
>
> Thanks,
> Dave
>
>


-- 
Daniel Ferradal
HTTPD Project
#httpd help at Freenode

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Running php 7.0 and 7.2 for different websites with apache

2021-04-09 Thread Daniel Ferradal 
No, specifically pruning everything you don´t need.

That list of modules is not normal, and there is probably lots of
configuration associated with them you are not using either. If I were
you I would end up with a quite simple config with only the modules I
really need.


El vie, 9 abr 2021 a las 18:10, H () escribió:
>
> On 04/09/2021 11:48 AM, Daniel Ferradal wrote:
> > That´s probably it. You still have php7_module, and are probably
> > pointing to it somewhere in your config. For the looks of it you need
> > a serious and thorough cleanup of your configuration that you haven´t
> > done yet.
> >
> > Like we told you earlier, get rid of that module.
> >
> > As for your question:
> > You just need mod_proxy and mod_proxy_fcgi to reverse proxy requests
> > to php-fpm, that´s it, you are reverse proxying requests for php files
> > to another service, and php-fpm will interpret those and return the
> > dynamic content to apache.
> > PHP libs have nothing to do in your Apache if you are using/want to
> > use php-fpm, which is a good path imo. So no, no php modules of any
> > kind in apache, apache will not do any more interpretation of php
> > code.
> >
> > Also let me take the liberty to tell you that you could take the
> > chance and clean that horrendous list of modules you will never use.
> >
> > Ideally you should just load those modules you use, no more no less.
> >
> > Ideally you will use mpm_event too, not mpm_prefork, but I don´t want
> > to distract you too much, focus on ridding everything php but the
> > mod_proxy mod_proxy_fcgi and the directives we mentioned earlier.
> >
> >
> > Cheers
> >
> >
> >
> > El vie, 9 abr 2021 a las 17:36, H () escribió:
> >> On 04/09/2021 06:03 AM, Daniel Ferradal wrote:
> >>> Looks correct yes. But still lots of things you are not showing could be 
> >>> wrong.
> >>>
> >>> To solve issues you have to go one thing at a time, you know for sure
> >>> apache is pointing to different ports, if you disabled mod_php. Now
> >>> you must make sure the fpm pools are correct, both versions listening
> >>> to each port, that you disabled all mod_php stuff, etc. things we
> >>> can't see because you don't show, so it is quite hard to hand-guide
> >>> you with just small bits of info.
> >>>
> >>> El vie, 9 abr 2021 a las 3:26, H () escribió:
> >>>> On 04/08/2021 08:57 PM, Daniel Ferradal wrote:
> >>>>> There is no such thing as default php version for a site.
> >>>>>
> >>>>> You have to make sure you have really two different instances of
> >>>>> php-fpm running for the different php versions you want to use.
> >>>>>
> >>>>> Chances are you have the same php-fpm service with two pools, so both
> >>>>> may be with the same version.
> >>>>>
> >>>>> Apache doesn't care what you do from now on, since it is just reverse
> >>>>> proxying requests to the selected servers. So it is up to you and your
> >>>>> php-fpm config and how you start them now.
> >>>>>
> >>>>> El vie, 9 abr 2021 a las 1:55, H () escribió:
> >>>>>> On 04/08/2021 07:34 PM, H wrote:
> >>>>>>> On 04/08/2021 06:05 PM, Daniel Ferradal wrote:
> >>>>>>>> Hello,
> >>>>>>>>
> >>>>>>>> What you must remove is all scriptalias, addhandler/action 
> >>>>>>>> directives.
> >>>>>>>> So I'd say with a directive for each virtualhost you mentioned you
> >>>>>>>> have you just would need (and of course disable mod_php module):
> >>>>>>>>
> >>>>>>>> In one for one version pointing to 9002 port:
> >>>>>>>> 
> >>>>>>>> SetHandler  "proxy:fcgi://localhost:9002"
> >>>>>>>> 
> >>>>>>>>
> >>>>>>>> In the other virtualhost you  want to have pointing to 9003:
> >>>>>>>> 
> >>>>>>>> SetHandler  "proxy:fcgi://localhost:9003"
> >>>>>>>> 
> >>>>>>>>
> >>>>>>>> Apache is really much more simple and easier than many examples out
> >>>>>>>> there try to show.
> >>>>>>>>

Re: [users@httpd] Running php 7.0 and 7.2 for different websites with apache

2021-04-09 Thread Daniel Ferradal 
That´s probably it. You still have php7_module, and are probably
pointing to it somewhere in your config. For the looks of it you need
a serious and thorough cleanup of your configuration that you haven´t
done yet.

Like we told you earlier, get rid of that module.

As for your question:
You just need mod_proxy and mod_proxy_fcgi to reverse proxy requests
to php-fpm, that´s it, you are reverse proxying requests for php files
to another service, and php-fpm will interpret those and return the
dynamic content to apache.
PHP libs have nothing to do in your Apache if you are using/want to
use php-fpm, which is a good path imo. So no, no php modules of any
kind in apache, apache will not do any more interpretation of php
code.

Also let me take the liberty to tell you that you could take the
chance and clean that horrendous list of modules you will never use.

Ideally you should just load those modules you use, no more no less.

Ideally you will use mpm_event too, not mpm_prefork, but I don´t want
to distract you too much, focus on ridding everything php but the
mod_proxy mod_proxy_fcgi and the directives we mentioned earlier.


Cheers



El vie, 9 abr 2021 a las 17:36, H () escribió:
>
> On 04/09/2021 06:03 AM, Daniel Ferradal wrote:
> > Looks correct yes. But still lots of things you are not showing could be 
> > wrong.
> >
> > To solve issues you have to go one thing at a time, you know for sure
> > apache is pointing to different ports, if you disabled mod_php. Now
> > you must make sure the fpm pools are correct, both versions listening
> > to each port, that you disabled all mod_php stuff, etc. things we
> > can't see because you don't show, so it is quite hard to hand-guide
> > you with just small bits of info.
> >
> > El vie, 9 abr 2021 a las 3:26, H () escribió:
> >> On 04/08/2021 08:57 PM, Daniel Ferradal wrote:
> >>> There is no such thing as default php version for a site.
> >>>
> >>> You have to make sure you have really two different instances of
> >>> php-fpm running for the different php versions you want to use.
> >>>
> >>> Chances are you have the same php-fpm service with two pools, so both
> >>> may be with the same version.
> >>>
> >>> Apache doesn't care what you do from now on, since it is just reverse
> >>> proxying requests to the selected servers. So it is up to you and your
> >>> php-fpm config and how you start them now.
> >>>
> >>> El vie, 9 abr 2021 a las 1:55, H () escribió:
> >>>> On 04/08/2021 07:34 PM, H wrote:
> >>>>> On 04/08/2021 06:05 PM, Daniel Ferradal wrote:
> >>>>>> Hello,
> >>>>>>
> >>>>>> What you must remove is all scriptalias, addhandler/action directives.
> >>>>>> So I'd say with a directive for each virtualhost you mentioned you
> >>>>>> have you just would need (and of course disable mod_php module):
> >>>>>>
> >>>>>> In one for one version pointing to 9002 port:
> >>>>>> 
> >>>>>> SetHandler  "proxy:fcgi://localhost:9002"
> >>>>>> 
> >>>>>>
> >>>>>> In the other virtualhost you  want to have pointing to 9003:
> >>>>>> 
> >>>>>> SetHandler  "proxy:fcgi://localhost:9003"
> >>>>>> 
> >>>>>>
> >>>>>> Apache is really much more simple and easier than many examples out
> >>>>>> there try to show.
> >>>>>>
> >>>>>> El jue, 8 abr 2021 a las 23:54, H () escribió:
> >>>>>>> On 04/08/2021 05:06 PM, Daniel Ferradal wrote:
> >>>>>>>> Hello,
> >>>>>>>>
> >>>>>>>> You mention PHP is set to listen to different tcp ports, yet the
> >>>>>>>> config you show from apache points to a unix socket with
> >>>>>>>> mod_proxy_fcgi
> >>>>>>>>
> >>>>>>>> Also worth mentioning you don't need php7_module at all when pointing
> >>>>>>>> to FPM with mod_proxy_fcgi, so I would just unload that module asap 
> >>>>>>>> in
> >>>>>>>> case you have some other config lying around taking precedence and
> >>>>>>>> causing the problems you mention.
> >>>>>>>>
> >>>>>>>> Cheers
> >>>>>>>>
> >>&g

Re: [users@httpd] Running php 7.0 and 7.2 for different websites with apache

2021-04-09 Thread Daniel Ferradal 
Looks correct yes. But still lots of things you are not showing could be wrong.

To solve issues you have to go one thing at a time, you know for sure
apache is pointing to different ports, if you disabled mod_php. Now
you must make sure the fpm pools are correct, both versions listening
to each port, that you disabled all mod_php stuff, etc. things we
can't see because you don't show, so it is quite hard to hand-guide
you with just small bits of info.

El vie, 9 abr 2021 a las 3:26, H () escribió:
>
> On 04/08/2021 08:57 PM, Daniel Ferradal wrote:
> > There is no such thing as default php version for a site.
> >
> > You have to make sure you have really two different instances of
> > php-fpm running for the different php versions you want to use.
> >
> > Chances are you have the same php-fpm service with two pools, so both
> > may be with the same version.
> >
> > Apache doesn't care what you do from now on, since it is just reverse
> > proxying requests to the selected servers. So it is up to you and your
> > php-fpm config and how you start them now.
> >
> > El vie, 9 abr 2021 a las 1:55, H () escribió:
> >> On 04/08/2021 07:34 PM, H wrote:
> >>> On 04/08/2021 06:05 PM, Daniel Ferradal wrote:
> >>>> Hello,
> >>>>
> >>>> What you must remove is all scriptalias, addhandler/action directives.
> >>>> So I'd say with a directive for each virtualhost you mentioned you
> >>>> have you just would need (and of course disable mod_php module):
> >>>>
> >>>> In one for one version pointing to 9002 port:
> >>>> 
> >>>> SetHandler  "proxy:fcgi://localhost:9002"
> >>>> 
> >>>>
> >>>> In the other virtualhost you  want to have pointing to 9003:
> >>>> 
> >>>> SetHandler  "proxy:fcgi://localhost:9003"
> >>>> 
> >>>>
> >>>> Apache is really much more simple and easier than many examples out
> >>>> there try to show.
> >>>>
> >>>> El jue, 8 abr 2021 a las 23:54, H () escribió:
> >>>>> On 04/08/2021 05:06 PM, Daniel Ferradal wrote:
> >>>>>> Hello,
> >>>>>>
> >>>>>> You mention PHP is set to listen to different tcp ports, yet the
> >>>>>> config you show from apache points to a unix socket with
> >>>>>> mod_proxy_fcgi
> >>>>>>
> >>>>>> Also worth mentioning you don't need php7_module at all when pointing
> >>>>>> to FPM with mod_proxy_fcgi, so I would just unload that module asap in
> >>>>>> case you have some other config lying around taking precedence and
> >>>>>> causing the problems you mention.
> >>>>>>
> >>>>>> Cheers
> >>>>>>
> >>>>>> El jue, 8 abr 2021 a las 22:40, H () escribió:
> >>>>>>> Using CentOS 7 and need to run two different versions of php for the 
> >>>>>>> websites, php 7.0 and 7.2. The set up is x.x.x.x/site1 and 
> >>>>>>> x.x.x.x/site2 and I am using php-fm for both php versions configuring 
> >>>>>>> port 9002 for php 7.0 and 9003 for php 7.2.
> >>>>>>>
> >>>>>>> I have a conf file for each site (this is site 1 which is supposed to 
> >>>>>>> run php 7.0) and called site1.conf, similar to:
> >>>>>>>
> >>>>>>> 
> >>>>>>> ServerAdmin xxx
> >>>>>>> ServerName x.x.x.x/site1
> >>>>>>> DocumentRoot /var/www/html/
> >>>>>>> DirectoryIndex info.php
> >>>>>>> ErrorLog /var/log/httpd/site1-error.log
> >>>>>>> CustomLog /var/log/httpd/site1-access.log combined
> >>>>>>>
> >>>>>>> 
> >>>>>>> 
> >>>>>>> SetHandler 
> >>>>>>> "proxy:unix:/var/opt/rh/rh-php70/run/php-fpm/www.sock|fcgi://localhost"
> >>>>>>> 
> >>>>>>> 
> >>>>>>> 
> >>>>>>>
> >>>>>>> The other site is identical and supposed to run php 7.2 so the file 
> >>>>>>> obviously uses site2 instead of site1 and php72 ins

Re: [users@httpd] Running php 7.0 and 7.2 for different websites with apache

2021-04-08 Thread Daniel Ferradal 
There is no such thing as default php version for a site.

You have to make sure you have really two different instances of
php-fpm running for the different php versions you want to use.

Chances are you have the same php-fpm service with two pools, so both
may be with the same version.

Apache doesn't care what you do from now on, since it is just reverse
proxying requests to the selected servers. So it is up to you and your
php-fpm config and how you start them now.

El vie, 9 abr 2021 a las 1:55, H () escribió:
>
> On 04/08/2021 07:34 PM, H wrote:
> > On 04/08/2021 06:05 PM, Daniel Ferradal wrote:
> >> Hello,
> >>
> >> What you must remove is all scriptalias, addhandler/action directives.
> >> So I'd say with a directive for each virtualhost you mentioned you
> >> have you just would need (and of course disable mod_php module):
> >>
> >> In one for one version pointing to 9002 port:
> >> 
> >> SetHandler  "proxy:fcgi://localhost:9002"
> >> 
> >>
> >> In the other virtualhost you  want to have pointing to 9003:
> >> 
> >> SetHandler  "proxy:fcgi://localhost:9003"
> >> 
> >>
> >> Apache is really much more simple and easier than many examples out
> >> there try to show.
> >>
> >> El jue, 8 abr 2021 a las 23:54, H () escribió:
> >>> On 04/08/2021 05:06 PM, Daniel Ferradal wrote:
> >>>> Hello,
> >>>>
> >>>> You mention PHP is set to listen to different tcp ports, yet the
> >>>> config you show from apache points to a unix socket with
> >>>> mod_proxy_fcgi
> >>>>
> >>>> Also worth mentioning you don't need php7_module at all when pointing
> >>>> to FPM with mod_proxy_fcgi, so I would just unload that module asap in
> >>>> case you have some other config lying around taking precedence and
> >>>> causing the problems you mention.
> >>>>
> >>>> Cheers
> >>>>
> >>>> El jue, 8 abr 2021 a las 22:40, H () escribió:
> >>>>> Using CentOS 7 and need to run two different versions of php for the 
> >>>>> websites, php 7.0 and 7.2. The set up is x.x.x.x/site1 and 
> >>>>> x.x.x.x/site2 and I am using php-fm for both php versions configuring 
> >>>>> port 9002 for php 7.0 and 9003 for php 7.2.
> >>>>>
> >>>>> I have a conf file for each site (this is site 1 which is supposed to 
> >>>>> run php 7.0) and called site1.conf, similar to:
> >>>>>
> >>>>> 
> >>>>> ServerAdmin xxx
> >>>>> ServerName x.x.x.x/site1
> >>>>> DocumentRoot /var/www/html/
> >>>>> DirectoryIndex info.php
> >>>>> ErrorLog /var/log/httpd/site1-error.log
> >>>>> CustomLog /var/log/httpd/site1-access.log combined
> >>>>>
> >>>>> 
> >>>>> 
> >>>>> SetHandler 
> >>>>> "proxy:unix:/var/opt/rh/rh-php70/run/php-fpm/www.sock|fcgi://localhost"
> >>>>> 
> >>>>> 
> >>>>> 
> >>>>>
> >>>>> The other site is identical and supposed to run php 7.2 so the file 
> >>>>> obviously uses site2 instead of site1 and php72 instead of php70.
> >>>>>
> >>>>> I have installed both php versions and can successfully switch between 
> >>>>> them on the commandline but have run into problem getting apache to use 
> >>>>> both. I consulted 
> >>>>> https://www.digitalocean.com/community/tutorials/how-to-run-multiple-php-versions-on-one-server-using-apache-and-php-fpm-on-centos-7
> >>>>>  but apachectl configtest complains that "module php7_module is already 
> >>>>> loaded, skipping". I can successfully get the websites to use the same 
> >>>>> php version, either 7.0 or 7.2.
> >>>>>
> >>>>> I must have missed some configuration step and would appreciate any 
> >>>>> pointers.
> >>>>>
> >>>>> Thank you.
> >>>>>
> >>>>>
> >>>>> -
> >>>>> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> >>>>> F

Re: [users@httpd] Running php 7.0 and 7.2 for different websites with apache

2021-04-08 Thread Daniel Ferradal 
Hello,

What you must remove is all scriptalias, addhandler/action directives.
So I'd say with a directive for each virtualhost you mentioned you
have you just would need (and of course disable mod_php module):

In one for one version pointing to 9002 port:

SetHandler  "proxy:fcgi://localhost:9002"


In the other virtualhost you  want to have pointing to 9003:

SetHandler  "proxy:fcgi://localhost:9003"


Apache is really much more simple and easier than many examples out
there try to show.

El jue, 8 abr 2021 a las 23:54, H () escribió:
>
> On 04/08/2021 05:06 PM, Daniel Ferradal wrote:
> > Hello,
> >
> > You mention PHP is set to listen to different tcp ports, yet the
> > config you show from apache points to a unix socket with
> > mod_proxy_fcgi
> >
> > Also worth mentioning you don't need php7_module at all when pointing
> > to FPM with mod_proxy_fcgi, so I would just unload that module asap in
> > case you have some other config lying around taking precedence and
> > causing the problems you mention.
> >
> > Cheers
> >
> > El jue, 8 abr 2021 a las 22:40, H () escribió:
> >> Using CentOS 7 and need to run two different versions of php for the 
> >> websites, php 7.0 and 7.2. The set up is x.x.x.x/site1 and x.x.x.x/site2 
> >> and I am using php-fm for both php versions configuring port 9002 for php 
> >> 7.0 and 9003 for php 7.2.
> >>
> >> I have a conf file for each site (this is site 1 which is supposed to run 
> >> php 7.0) and called site1.conf, similar to:
> >>
> >> 
> >> ServerAdmin xxx
> >> ServerName x.x.x.x/site1
> >> DocumentRoot /var/www/html/
> >> DirectoryIndex info.php
> >> ErrorLog /var/log/httpd/site1-error.log
> >> CustomLog /var/log/httpd/site1-access.log combined
> >>
> >> 
> >> 
> >> SetHandler 
> >> "proxy:unix:/var/opt/rh/rh-php70/run/php-fpm/www.sock|fcgi://localhost"
> >> 
> >> 
> >> 
> >>
> >> The other site is identical and supposed to run php 7.2 so the file 
> >> obviously uses site2 instead of site1 and php72 instead of php70.
> >>
> >> I have installed both php versions and can successfully switch between 
> >> them on the commandline but have run into problem getting apache to use 
> >> both. I consulted 
> >> https://www.digitalocean.com/community/tutorials/how-to-run-multiple-php-versions-on-one-server-using-apache-and-php-fpm-on-centos-7
> >>  but apachectl configtest complains that "module php7_module is already 
> >> loaded, skipping". I can successfully get the websites to use the same php 
> >> version, either 7.0 or 7.2.
> >>
> >> I must have missed some configuration step and would appreciate any 
> >> pointers.
> >>
> >> Thank you.
> >>
> >>
> >> -
> >> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> >> For additional commands, e-mail: users-h...@httpd.apache.org
> >>
> >
> Thank you for your quick reply. I am sort of dabbling with apache and am not 
> 100% sure what I need to change but would the following change to the above 
> conf file be what you are telling me?
>
>  SetHandler "proxy:fcgi://localhost:9002
>  ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
>  AddHandler php70-fcgi .php
>  Action php70-fcgi /cgi-bin/php70.fcgi
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>


-- 
Daniel Ferradal
HTTPD Project
#httpd help at Freenode

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Running php 7.0 and 7.2 for different websites with apache

2021-04-08 Thread Daniel Ferradal 
Hello,

You mention PHP is set to listen to different tcp ports, yet the
config you show from apache points to a unix socket with
mod_proxy_fcgi

Also worth mentioning you don't need php7_module at all when pointing
to FPM with mod_proxy_fcgi, so I would just unload that module asap in
case you have some other config lying around taking precedence and
causing the problems you mention.

Cheers

El jue, 8 abr 2021 a las 22:40, H () escribió:
>
> Using CentOS 7 and need to run two different versions of php for the 
> websites, php 7.0 and 7.2. The set up is x.x.x.x/site1 and x.x.x.x/site2 and 
> I am using php-fm for both php versions configuring port 9002 for php 7.0 and 
> 9003 for php 7.2.
>
> I have a conf file for each site (this is site 1 which is supposed to run php 
> 7.0) and called site1.conf, similar to:
>
> 
> ServerAdmin xxx
> ServerName x.x.x.x/site1
> DocumentRoot /var/www/html/
> DirectoryIndex info.php
> ErrorLog /var/log/httpd/site1-error.log
> CustomLog /var/log/httpd/site1-access.log combined
>
> 
> 
> SetHandler 
> "proxy:unix:/var/opt/rh/rh-php70/run/php-fpm/www.sock|fcgi://localhost"
> 
> 
> 
>
> The other site is identical and supposed to run php 7.2 so the file obviously 
> uses site2 instead of site1 and php72 instead of php70.
>
> I have installed both php versions and can successfully switch between them 
> on the commandline but have run into problem getting apache to use both. I 
> consulted 
> https://www.digitalocean.com/community/tutorials/how-to-run-multiple-php-versions-on-one-server-using-apache-and-php-fpm-on-centos-7
>  but apachectl configtest complains that "module php7_module is already 
> loaded, skipping". I can successfully get the websites to use the same php 
> version, either 7.0 or 7.2.
>
> I must have missed some configuration step and would appreciate any pointers.
>
> Thank you.
>
>
> -----
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>


-- 
Daniel Ferradal
HTTPD Project
#httpd help at Freenode

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Wordpress | user:group setting

2021-04-04 Thread Daniel Ferradal 
Even better:

Set it to root:root, change them when you need to update and set them
back to root:root when finished.

Whenever possible, don´t give any kind of permissions other than read.

El sáb, 3 abr 2021 a las 12:43, Jos Chrispijn
() escribió:
>
> Dear list,
> Can you tell me how I should indentify my user:group setting for my personal 
> website?
> Currently I own my website as www:www (for Wordpress auto-update sake).
> Would it be more safe to set this to www:me ?
>
> Thanks, Jos



-- 
Daniel Ferradal
HTTPD Project
#httpd help at Freenode

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Apache 2.4.37 graceful restart causes error “scoreboard is full, not at MaxRequestWorkers.Increase ServerLimit.”

2021-03-30 Thread Daniel Ferradal 
I may be adding noise, but it is worth checking if you are using third
party modules and which ones.

I don't know which version of Apache worked around issues with some
cases of  third party "misbehaving" modules, which would make workers
be gracefully closing for ever and that would also lead to graceful
restart leaving the servers without available workers.

If I were you I would first check the list of modules and with
mod_status the state of workers before issuing a graceful.

Cheers

El mar, 30 mar 2021 a las 2:49, Eric Covener () escribió:
>
> > Are graceful restarts with the Event MPM known to be problematic?
>
> Not especially. Not much different from worker. Ultimately if requests
> are hung, gracefully exiting processes can hang around a long time and
> take up space needed by processes running after the restart.
>
> What are your current MPM settings and how busy is your server during
> rotation? If ServerLimit is above MaxClients/ThreadsPerChild the extra
> scoreboard space is what allows the old generation of processes to
> gracefully exit while a new generation spins up.
>
> Does your logrotate script restart multiple times in succession for
> many log files?
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>


-- 
Daniel Ferradal
HTTPD Project
#httpd help at Freenode

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] time based not working

2021-03-19 Thread Daniel Ferradal 
We replied to him in irc, I think he is past that but hasn't updated his
findings here.

Suggestions were check rewritelog, consider not using OR

El vie., 19 mar. 2021 14:35, Rich Bowen  escribió:

>
>
> On 3/18/21 3:06 AM, Jens Kallup wrote:
> > Hello,
> > how can I time based open times?
> > The script below seems not work.
> > All pages are the same.
> >
> >  RewriteEngine On
> >  LogLevel warn rewrite:trace3
>
> What does the trace log say when you make the request?
>
> >
> >  # -
> >  # compress file(.ext) on server side, beofre delivery  ...
> >  # on MS-Windows; you should have the GNU-Tools installed !
> >  # -
> >  RewriteCond %{HTTP:Accept-encoding} gzip
> >  RewriteCond %{REQUEST_FILENAME}\.gz -s
> >  RewriteRule ^(.*)\.(css|js|txt) $1\.$2\.gz [QSA]
> >
> >  # -
> >  # shortners ...
> >  # -
> >  Alias "/pub""${APACHE_WEB}/443/pub"
> >  Alias "/edu""${APACHE_WEB}/443/edu"
> >
> >  # store variable values with dummy rewrite rules
> >  RewriteRule . - [E=req_scheme:%{REQUEST_SCHEME}]
> >  RewriteRule . - [E=http_host:%{HTTP_HOST}]
> >  RewriteRule . - [E=req_uri:%{REQUEST_URI}]
> >
> >  # -
> >  # out of office time rule ...
> >  # from 07:00 - 20:00
> >  # -
> >  RewriteCond %{TIME_HOUR} >=09 [OR]
> >  RewriteCond %{TIME_HOUR} <=10
> >  RewriteRule /pub/.* - [E=HTTP_OFFICE_HEADER:1]
> >  RewriteRule /pub/.* - [E=HTTP_OFFICE_HEADER:0]
> >  RewriteRule ^$ /pub/.* [R=301,L]
> >
> >
> > In PHP:
> >
> >  >  $office = $_SERVER['HTTP_OFFICE_HEADER'];
> >  $status = 0;
> >
> >  if (strcmp($office,"0") == 0)
> >  $status = 0; else
> >  $status = 1;
> > ?>
> >
> > Jens
> >
> >
> > -
> > To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> > For additional commands, e-mail: users-h...@httpd.apache.org
> >
>
> --
> Rich Bowen - rbo...@rcbowen.com
> @rbowen
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>
>

Re: [users@httpd] Apache Reverse Proxy for more than one website.

2021-03-16 Thread Daniel Ferradal 
Try and let us know your results.

El mar, 16 mar 2021 a las 21:23, Jason Long
() escribió:
>
> Thanks.
> Thus, I can one .conf file under the "/etc/httpd/conf.d/" directory with some 
> servers. For example,
>
> #Server 1
> 
> ProxyPreserveHost On
> ProxyPass / http://192.168.1.4/
> ProxyPassReverse / http://192.168.1.4/
> 
>
> #Server 2
> 
> ProxyPreserveHost On
> ProxyPass / http://192.168.1./
> ProxyPassReverse / http://192.168.1.5/
> 
>
>
>
>
> Am I right?
>
>
> On Tuesday, March 16, 2021, 10:01:27 PM GMT+3:30, Antony Stone 
>  wrote:
>
>
>
>
>
> On Tuesday 16 March 2021 at 19:16:56, Jason Long wrote:
>
> > Hello,
> > For a website, I created a reverse proxy config file under the
> > "/etc/httpd/conf.d/" directory as below:
> >
> > 
> >ProxyPreserveHost On
> >ProxyPass / http://192.168.1.4/
> >ProxyPassReverse / http://192.168.1.4/
> > 
> >
> > If I have other servers, then I must create a config file for each of them
> > or I just need to add my servers IP addresses to the above file?
>
> You can put all your configurations into one file, that is not a problem.
>
> You will need a completely separate  section for each machine you
> want to act as a reverse proxy for.
>
> Finally, I trust you realise that you cannot use  with more
> than one back-end server - there needs to be a way to distinguish which
> incoming requests are to be passed to server A and which ones to server B etc
> (in other words, you have to change the * to something which identifies what
> you want to reverse proxy to where).
>
>
> Antony.
>
> --
> In Heaven, the beer is Belgian, the chefs are Italian, the supermarkets are
> British, the mechanics are German, the lovers are French, the entertainment is
> American, and everything is organised by the Swiss.
>
> In Hell, the beer is American, the chefs are British, the supermarkets are
> German, the mechanics are French, the lovers are Swiss, the entertainment is
> Belgian, and everything is organised by the Italians.
>
>   Please reply to the list;
> please *don't* CC me.
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>


-- 
Daniel Ferradal
HTTPD Project
#httpd help at Freenode

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] The number of child processes is less than MinSpareThreads.

2021-03-14 Thread Daniel Ferradal 
If anyone reads this thread, let's hope they do not interpret those
figures as a valid configuration for a threaded mpm aside from one
used to test a specific behaviour.

El vie, 12 mar 2021 a las 3:54, Eric Covener () escribió:
>
> On Thu, Mar 11, 2021 at 9:29 PM motoda.hiron...@fujitsu.com
>  wrote:
> >
> > In the following environment where multiple Listen directives are defined, 
> > the number of child processes may temporarily fall below MinSpareThreads 
> > after 6 requests are received at the same time and HTTP request processing 
> > is completed.
> > Is this a bug or a specification?
> >
> > OS : Red Hat Enterprise Linux Server
> > MPM: worker
> >
> > httpd.conf:
> > 
> > Listen 80
> > Listen 8080
> >
> > ServerLimit 50
> > StartServers 5
> > MinSpareThreads  5
> > MaxSpareThreads 10
> > ThreadsPerChild  1
> > MaxRequestWorkers   50
> > MaxConnectionsPerChild   0
> > 
>
> This is working as designed, the server checks only once per second to
> see if processes need to be started or killed based on the current
> idle threads.
>
> -----
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>


-- 
Daniel Ferradal
HTTPD Project
#httpd help at Freenode

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Expected behavior for "If-Modified-Since: " and CGI generated content?

2021-03-14 Thread Daniel Ferradal 
Hello,

Perhaps you want the server or the cgi software to respond with
headers specific to tell the client the content should not be cached
in any way for that type of responses.

Headers like:
Cache-Control: no-cache, no-store
Pragma: no-cache
Expires: 0

Those are the ones I recall, there may be others.

El mar, 9 mar 2021 a las 23:48, Heiko Schlittermann
() escribió:
>
> Hi,
>
> I've a resource generated by a CGI script (the result changes, it
> depends on the X-Forwarded-For header). Now the server receives requests
> for this resource.
>
> The requests have set the "If-Modified-Since" header
> to the current timestamp. The server now *always* responds with "Not
> Modified".  I understand that this is basically right, since the
> resource can't be modified in an infinite small amount of time.
>
> But how can I (the CGI script) convince the server, to evaluate the
> "Expires: 0" header (or maybe another one) and ignore the
> If-Modified-Since?
>
>
> There is a workaround, a can delete the If-Modified-Since header before
> processing the request, but that seems to be a workaround only. I think,
> the producer of the variable content should have a way to tell the
> server *Please do not respond with 304 for my content".
>
> I checked the source of modules/http/protocol_http.c, it seems to be
> there already for at least 7 years, so I believe, it's mature.
>
> Setting the "Last-Modified" header in the CGI script to a date in the
> future doesn't work, as Apache seems to cap it to the current date.
>
> Best regards from Dresden/Germany
> Viele Grüße aus Dresden
> Heiko Schlittermann
> --
>  SCHLITTERMANN.de  internet & unix support -
>  Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
>  gnupg encrypted messages are welcome --- key ID: F69376CE -



-- 
Daniel Ferradal
HTTPD Project
#httpd help at Freenode

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Apache Reverse Proxy and Load Balancer.

2021-03-14 Thread Daniel Ferradal 
Perhaps you are looking to configure orchestration of some kind in
your infrastructure, but that is probably offtopic here.

El jue, 11 mar 2021 a las 20:29, Jason Long
() escribió:
>
> Hello,
> I configured my Apache Reverse Proxy as a Load Balancer to handle Back-End 
> servers. When a Back-End server stopped, then another one provide service.
> How can I do it with Reverse Proxy server itself? When a Reverse Proxy 
> stopped, then another Reverse Proxy provides services?
>
> Thank you.
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>


-- 
Daniel Ferradal
HTTPD Project
#httpd help at Freenode

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Distribution of workers between processes and threads

2021-03-14 Thread Daniel Ferradal 
Hello,

It is important to consider:
* the processor
* the modules you have loaded in apache
* the mpm you are using (hopefully mpm_event).
* the type of load. (static, or dynamic, small files, big files,
proxying, is there cache, etc?).

With a more or less actual server processor, perhaps 12 cores for 300
paralell requests is overkill and maybe even counterproductive.

I would start by setting 3 processes, 100 threads each and benchmark
it. Once you get a figure you could try the same number of processes
more threads each and the opposite, more processes less threads, and
benchmark your findings, always with the same scenarios to try getting
a clear picture.

El vie, 12 mar 2021 a las 14:36, Nick Gearls () escribió:
>
> Hi everybody.
> I have a question about the distribution of workers between processes
> and threads.
>
> Let's say that I have a 12 core machine and that I want to server up to
> 300 parallel requests.
> I have the choice between, for instance, 10 processes with 30 threads or
> 30 processes with 10 threads.
> Am I right with the following logic:
> I keep 2 cores for the OS (machine dedicated to httpd), so I have 10
> cores for httpd.
> Optimal use is one process per core, so 10 processes.
> I need to use all CPUs, and multiple processes per CPU will consume more
> resource, correct?
>
> Thanks
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>


-- 
Daniel Ferradal
HTTPD Project
#httpd help at Freenode

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Re: httpd[803535]:

2021-03-14 Thread Daniel Ferradal 
To rule out a bug I would try without the Include first, all
directives in the directory tag and see if you get some different
error.

El dom, 14 mar 2021 a las 17:23, Jason Long
() escribió:
>
> Yes:
>
> 
> Options -Indexes
> AllowOverride All
> Require all granted
> Include conf.d/tor-ip.conf
> 
>
>
>
>
>
>
> On Sunday, March 14, 2021, 07:04:15 PM GMT+3:30, Christophe JAILLET 
>  wrote:
>
>
>
>
>
> Le 14/03/2021 à 14:59, Jason Long a écrit :
>
> > Hello,
> > I want to block Tor IP addresses and I downloaded a list of Tor IP 
> > addresses and put it as a "tor-ip.conf" file under the "/etc/httpd/conf.d/" 
> > directory. Then edited my Virtual Host configuration file as below:
> >
> > 
> > Options -Indexes
> > AllowOverride All
> > Require all granted
> > Include conf.d/tor-ip.conf
> > 
> >
> > The "tor-ip.conf" file content is:
> >
> > 
> > Require all granted
> > Require not ip "IP"
> > Require not ip "IP"
> > Require not ip "IP"
> > ...
> > 
> >
> > When I restarted my Apache service, then it shows me below error:
> >
> > Status: "Reading configuration..."
> >
> > Mar 14 17:16:12 mywebsite systemd[1]: Starting The Apache HTTP Server...
> > Mar 14 17:16:12 mywebsite httpd[803535]: [Sun Mar 14 17:16:12.662030 2021] 
> > [so:warn] [pid 803535:tid 132707859921216]>
> > Mar 14 17:16:12 mywebsite httpd[803535]: AH00526: Syntax error on line 1 of 
> > /etc/httpd/conf.d/tor-ip.conf:
> > Mar 14 17:16:12 mywebsite httpd[803535]:  > Mar 14 17:16:12 mywebsite systemd[1]: httpd.service: Main process exited, 
> > code=exited, status=1/FAILURE
> > Mar 14 17:16:12 mywebsite systemd[1]: httpd.service: Failed with result 
> > 'exit-code'.
> > Mar 14 17:16:12 mywebsite systemd[1]: Failed to start The Apache HTTP 
> > Server.
> >
> >
> > What is the correct syntax?
> >
> > Thank you.
>
> >
>
> How are loaded your conf files?
>
> Something like:
> Include conf.d/*.conf
> somewhere?
>
> CJ
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>


-- 
Daniel Ferradal
HTTPD Project
#httpd help at Freenode

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] HTTPD Proxy Errors

2021-03-11 Thread Daniel Ferradal 
Hello,

It may also help to know the entry from access.log, to know exactly
when it was timed out and to see the method of the request, (GET,
POST?).

El mar, 5 ene 2021 a las 23:28, Herb Burnswell
() escribió:
>
> All,
>
> We are running HTTPD as a proxy to a backend Tomcat application.
>
> OS = RHEL 7.7
>
> HTTPD:
> Server version: Apache/2.4.34 (Red Hat)
> Server built:   Apr  3 2019 12:07:34
> Server's Module Magic Number: 20120211:79
> Server loaded:  APR 1.4.8, APR-UTIL 1.5.2
> Compiled using: APR 1.4.8, APR-UTIL 1.5.2
> Architecture:   64-bit
> Server MPM: event
>   threaded: yes (fixed thread count)
> forked: yes (variable process count)
> Server compiled with
>  -D APR_HAS_SENDFILE
>  -D APR_HAS_MMAP
>  -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
>  -D APR_USE_SYSVSEM_SERIALIZE
>  -D APR_USE_PTHREAD_SERIALIZE
>  -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
>  -D APR_HAS_OTHER_CHILD
>  -D AP_HAVE_RELIABLE_PIPED_LOGS
>  -D DYNAMIC_MODULE_LIMIT=256
>  -D HTTPD_ROOT="/opt/rh/httpd24/root/etc/httpd"
>  -D SUEXEC_BIN="/opt/rh/httpd24/root/usr/sbin/suexec"
>  -D DEFAULT_PIDLOG="/opt/rh/httpd24/root/var/run/httpd/httpd.pid"
>  -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
>  -D DEFAULT_ERRORLOG="logs/error_log"
>  -D AP_TYPES_CONFIG_FILE="conf/mime.types"
>  -D SERVER_CONFIG_FILE="conf/httpd.conf"
>
> Tomcat:
> Server version: Apache Tomcat/8.5.40
> Server built:   Apr 10 2019 14:31:19 UTC
> Server number:  8.5.40.0
> OS Name:Linux
> OS Version: 3.10.0-693.el7.x86_64
> Architecture:   amd64
> JVM Version:1.8.0_162-b12
> JVM Vendor: Oracle Corporation
>
> What we are seeing on the proxy side are 2 'proxy errors' (scrubbed):
>
> [Tue Jan 05 12:07:19.664861 2021] [proxy:error] [pid 74638:tid 
> 140600384845568] [client 10.10.100.10:64959] AH00898: Error reading from 
> remote server returned by /path/to/uri
>
> [Tue Jan 05 12:07:19.664745 2021] [proxy_http:error] [pid 74638:tid 
> 140600384845568] (70007)The timeout specified has expired: [client 
> 10.10.100.10:64959] AH01102: error reading status line from remote server 
> node1.example.com:8002
>
> The client listed in these (10.10.100.10) is actually an A10 that is handling 
> the VIP for the URL.
>
> The configurations we have set on the proxy are:
>
> 
>
> BalancerMember https://node1.example.com:8002 route=node1 
> keepalive=On ping=3 ttl=90 timeout=60
> BalancerMember https://node2.example.com:8002 route=node2 
> keepalive=On ping=3 ttl=90 timeout=60
> ProxySet lbmethod=bybusyness
>
> 
>
> On the Tomcat side we have:
>
> 
> keepAliveTimeout="9"
> connectionTimeout="6"
> 
>
> My understanding is that the "ttl" on the HTTPD side corresponds to the 
> "keepAliveTimeout" on the Tomcat side and the "timeout" on the HTTPD side 
> corresponds to the "connectionTimeout" on the Tomcat side.
>
> I am looking for some guidance into how we can successfully pinpoint where 
> the issue lies.  Is it the fact that the application is simply not responding 
> to the request in the allotted configured settings?  We can certainly test 
> that option but being a PRD environment we'll need to schedule the process.  
> Therefore, I'd like to get some thoughts on what we can do to pinpoint 
> exactly what is going on here.
>
> Thanks in advance,
>
> HB
>



-- 
Daniel Ferradal
HTTPD Project
#httpd help at Freenode

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] some questions to mod_rewrite

2021-01-02 Thread Daniel Ferradal 
To find out if they are reasonable I would ask the nextcloud guys.

They may be placeholder directives in case you are using certain
plugin of theirs or similar.

Cheers

El jue, 17 dic 2020 a las 19:36, Lentes, Bernd
() escribió:
>
>
>
> - On Dec 17, 2020, at 5:19 PM, Daniel Ferradal dferra...@apache.org wrote:
>
> > Hey Bernd,
> >
> > I remember my first head scratches with regex, they can be so
> > confusing and difficult to understand.
> >
> > Although I remember preciously the day https://regexone.com/ opened my
> > eyes. It just took me 45 minutes to understand the basics of it.
> >
> > I dearly recommend you to do the same and visit the site, once you
> > grasp it, regex will be tones of times easier to deal with.
> >
> > Cheers
> >
>
> Hi Daniel,
>
> my problems are more the understanding of RewriteRule in vhost- or 
> per-directory context.
> I try to understand how rewriting works in a up-to-date Nextcloud.
>
> This is the scenario:
>
> root@nc-mcd:~# ll /var/www/nextcloud
> total 116
> drwxr-x--- 1 www-data www-data   396 Dec  9 20:33 ./
> drwxr-xr-x 1 root root90 Dec 14 19:01 ../
> drwxr-x--- 1 www-data www-data   778 Dec  9 20:33 3rdparty/
> drwxr-x--- 1 www-data www-data  1154 Dec 14 22:20 apps/
> -rw-r- 1 www-data www-data 17234 Dec  9 20:30 AUTHORS
> drwxr-x--- 1 www-data www-data72 Dec 14 19:08 config/
> -rw-r- 1 www-data www-data  3893 Dec  9 20:30 console.php
> -rw-r- 1 www-data www-data 34520 Dec  9 20:30 COPYING
> drwxr-x--- 1 www-data www-data   458 Dec  9 20:33 core/
> -rw-r- 1 www-data www-data  5083 Dec  9 20:30 cron.php
> -rw-r- 1 www-data www-data  4450 Dec 14 19:08 .htaccess  <==
> -rw-r- 1 www-data www-data   156 Dec  9 20:30 index.html
> -rw-r- 1 www-data www-data  2960 Dec  9 20:30 index.php
> drwxr-x--- 1 www-data www-data   126 Dec  9 20:30 lib/
> -rw-r- 1 www-data www-data   283 Dec  9 20:30 occ
> drwxr-x--- 1 www-data www-data18 Dec  9 20:30 ocm-provider/
> drwxr-x--- 1 www-data www-data50 Dec  9 20:30 ocs/
> drwxr-x--- 1 www-data www-data18 Dec  9 20:30 ocs-provider/
> -rw-r- 1 www-data www-data  3102 Dec  9 20:30 public.php
> -rw-r- 1 www-data www-data  5332 Dec  9 20:30 remote.php
> drwxr-x--- 1 www-data www-data   158 Dec  9 20:30 resources/
> -rw-r- 1 www-data www-data26 Dec  9 20:30 robots.txt
> -rw-r- 1 www-data www-data  2379 Dec  9 20:30 status.php
> drwxr-x--- 1 www-data www-data26 Dec  9 20:30 themes/
> drwxr-x--- 1 www-data www-data42 Dec  9 20:31 updater/
> -rw-r- 1 www-data www-data   101 Dec  9 20:30 .user.ini
> -rw-r- 1 www-data www-data   362 Dec  9 20:33 version.php
>
> There is a .htaccess in the folder.
> So per-directory context. Now from the official apache documentation:
>
> What is matched ?
>  ...
> "In per-directory context (Directory and .htaccess), the Pattern is matched 
> against only a partial path, for example a request of "/app1/index.html" may 
> result in comparison against "app1/index.html" or "index.html" depending on 
> where the RewriteRule is defined.
> The directory path where the rule is defined is stripped from the currently 
> mapped filesystem path before comparison (up to and including a trailing 
> slash)."
>
> So in this case this would mean, as the .htaccess file is in 
> /var/www/nextcloud/, this path (/var/www/nextcloud/) is stripped before 
> comparing.
>
> "The net result of this per-directory prefix stripping is that rules in this 
> context only match against => the portion of the currently mapped 
> FILESYSTEM PATH "below" <=== where the rule is defined.
> I understand it that way that a request of /somepath/somefile, which mapps 
> maybe via an alias to /var/www/nextcloud/ looks now IN THE FILESYSTEM for 
> somepath/somefile below /var/www/nextcloud/
> That's my understanding and afters hours of fighting with rewrite i was happy 
> and proud to get it. But ...
>
> Here are the some rewriterules from that .htaccess:
>
>   RewriteRule ^\.well-known/host-meta /public.php?service=host-meta [QSA,L]
>   RewriteRule ^\.well-known/host-meta\.json 
> /public.php?service=host-meta-json [QSA,L]
>   RewriteRule ^\.well-known/webfinger /public.php?service=webfinger [QSA,L]
>   RewriteRule ^\.well-known/nodeinfo /public.php?service=nodeinfo [QSA,L]
>   RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L]
>   RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L]
>   RewriteRule ^remote/(.*) remote.php [QSA,L]
>   RewriteRule ^(?:build|tests|config|lib|3rdparty|templates)/.* - [R=404,L]
>   RewriteCond %{REQUEST_URI} 
> !

Re: [users@httpd] some questions to mod_rewrite

2020-12-17 Thread Daniel Ferradal 
Hey Bernd,

I remember my first head scratches with regex, they can be so
confusing and difficult to understand.

Although I remember preciously the day https://regexone.com/ opened my
eyes. It just took me 45 minutes to understand the basics of it.

I dearly recommend you to do the same and visit the site, once you
grasp it, regex will be tones of times easier to deal with.

Cheers

El mar, 15 dic 2020 a las 17:42, Lentes, Bernd
() escribió:
>
>
> - On Dec 11, 2020, at 4:13 PM, Eric Covener cove...@gmail.com wrote:
>
> > On Fri, Dec 11, 2020 at 10:06 AM Lentes, Bernd
> >  wrote:
> >>
> >> - On Dec 9, 2020, at 6:02 PM, Eric Covener cove...@gmail.com wrote:
> >>
> >> Hi Eric,
> >>
> >> thanks for your answer.
> >> Now i'm struggling with RewriteRule
> >> ^(?:build|tests|config|lib|3rdparty|templates)/.* - [R=404,L]
> >>
> >> Most is clear. The content of the parentheses () like build, tests .. is
> >> or-conjuncted by the pipe |,
> >> so only one of the patterns must appear.
> >> But what is ?: ?
> >
> > It makes the () "non-capturing" meaning if you had other () sequences
> > this or-conjunction would not eat up $1.
> > In the case above it is unnecessary since there is no other capture.
> >
> >> The question mark normally is a repeater for the prior character. But 
> >> there is
> >> no one.
> >> And wherefore is the colon ?
> >
> > It's a special case when following "(". It allows the
> > matching/capturing to be customized a few different ways (man
> > pcresyntax has a concise list of the flags that follow "(?")
> >
> >> I gave https://perldoc.perl.org/perlre#Metacharacters a chance. It seems 
> >> the ?:
> >> says that a match for (build|tests|config|lib|3rdparty|templates)
> >> can't be used as a backreference. Right ? Where is the purpose of that ?
> >
> > yes, just to avoid eating up $1. But some people do it out of habit
> > when they use () just to group "|".
> >
> >
> >> in my error_log with setting "LogLevel info rewrite:trace2":
> >> [Fri Dec 11 15:44:50.666869 2020] [rewrite:trace1] [pid 3408]
> >> mod_rewrite.c(483): [client 146.107.126.166:57329] 146.107.126.166 - -
> >> [nc-mcd.helmholtz-muenchen.de/sid#7f9158e4f700][rid#7f9155a2a0a0/initial]
> >> [perdir /var/www/nextcloud/] pass through /var/www/nextcloud/
> >>
> >> What is sid and rid ?
> >
> > server (vhost) id and request id i believe. Usually not so useful.
> > The /initial meant it's not a "subrequest" (a way apache modules
> > sometimes make an internal request related to the real request to
> > probe for things)
> >
>
> Hi,
>
> some more questions:
>
> 1. What is if a rule matched and a substitution occured ? When there are 
> following rules, they are compared with the substitution, right ?
> 2. What is if a rule matched and a substitution occured ? Does Apache 
> continues with the next rule or does it start from scratch with the first 
> rule again ?
> 3. Let's assume we have a vhost with a conf file, and in the documentroot of 
> the vhost a .htaccess file. In both files are RewriteRules.
>   In which order are they processed ?
>
>
> Bernd
> Helmholtz Zentrum München
>
> Helmholtz Zentrum Muenchen
> Deutsches Forschungszentrum fuer Gesundheit und Umwelt (GmbH)
> Ingolstaedter Landstr. 1
> 85764 Neuherberg
> www.helmholtz-muenchen.de
> Aufsichtsratsvorsitzende: MinDir.in Prof. Dr. Veronika von Messling
> Geschaeftsfuehrung: Prof. Dr. med. Dr. h.c. Matthias Tschoep, Kerstin Guenther
> Registergericht: Amtsgericht Muenchen HRB 6466
> USt-IdNr: DE 129521671
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>


-- 
Daniel Ferradal
HTTPD Project
#httpd help at Freenode

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Alternative to Let's Encrypt?

2020-12-17 Thread Daniel Ferradal 
Not sure what you mean by snap.

If you refer to not using let's encrypt certbot you can use mod_md:
http://httpd.apache.org/docs/2.4/mod/mod_md.html

Otherwise I don't know of any alternative to let's encrypt service
with similar characteristics.

El jue, 17 dic 2020 a las 16:48, Daniel Armando Rodriguez
() escribió:
>
> Is there any?
> Asking because don't want to use snap.



-- 
Daniel Ferradal
HTTPD Project
#httpd help at Freenode

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Ratelimiting Apache File Upload Speed

2020-12-17 Thread Daniel Ferradal 
Check if this suits your needs. It is pretty straight forward.

http://httpd.apache.org/docs/2.4/mod/mod_ratelimit.html

El lun, 14 dic 2020 a las 16:20, Gryzli Bugbear
() escribió:
>
> Hi guys,
>
> Is there a way to limit/ratelimit the upload speed to Apache ?
>
> I'm searching for a way to ratelimit the upload speed per IP address, or
> even better per IP , per Location.
>
> Regards,
>
> --
> -- Gryzli
>
> https://gryzli.info
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>


-- 
Daniel Ferradal
HTTPD Project
#httpd help at Freenode

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] virtual host DocumentRoot being ignored

2020-12-13 Thread Daniel Ferradal 
check "apachectl -S" output to make sure what virtualhosts you are really using.

El dom, 13 dic 2020 a las 15:20, Richard B. Pyne () escribió:
>
> Hi Lucien,
>
> Yes. that is the case. It is /etc/httpd/conf.d
>
> The last line of the main config file /etc/httpd/conf/httpd.conf file is
>
> IncludeOptional conf.d/*.conf
>
>
> On 12/13/2020 5:38 AM, Lucien Gentis wrote:
> > Hello Richard,
> >
> > I don't know how CentOs configures httpd, but I suppose You have a main
> > config file which includes all config files contained in
> > /etc/httpd/conf.d ; is it the case ?
> >
> > Le 13/12/2020 à 13:26, Richard B. Pyne a écrit :
> >> I know this has been asked numerous time, and I have read hours worth
> >> of post and guides with no success. I set up a new server running
> >> Apache 2.4.6 on CentOS 7.9 a while back with only one virtual host.
> >> The original vhost still works, but the second one ignores the host name.
> >>
> >> I have two virtual host conf files in /etc/httpd/conf.d
> >>
> >> example1.com.conf
> >>
> >> 
> >>   ServerName example1.com
> >>   ServerAlias www.example1.com
> >>   DocumentRoot /var/www/t/example1.com/public_html
> >>   ServerAdmin webmas...@example.com
> >>   CustomLog /var/www/t/example1.com/access_log combined
> >>   ErrorLog /var/www/t/example1.com/error_log
> >>
> >>   
> >> Options -Indexes +FollowSymlinks
> >> AllowOverride All
> >> Require all granted
> >>   
> >>
> >> 
> >>
> >>
> >> example2.com.conf
> >>
> >> 
> >>   ServerName example2.com
> >>   ServerAlias www.example2.com
> >>   DocumentRoot /var/www/t/example2.com/public_html
> >>   ServerAdmin webmas...@example.com
> >>   CustomLog /var/www/t/example2.com/access_log combined
> >>   ErrorLog /var/www/t/example2.com/error_log
> >>
> >>   
> >> Options -Indexes +FollowSymlinks
> >> AllowOverride All
> >> Require all granted
> >>   
> >>
> >> 
> >>
> >> I enabled ForensicLog and the log shows the correct Host: values,
> >> httpd -S shows all of the conf files and ServerNames, but regardless,
> >> all requests are being served from the /var/www/html default
> >> DocumentRoot.
> >>
> >> Any help will be greatly appreciated.
> >>
> >> Thanks,
> >> --Richard
> >>
> >> -----
> >> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> >> For additional commands, e-mail: users-h...@httpd.apache.org
> >>
> >
> > -
> > To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> > For additional commands, e-mail: users-h...@httpd.apache.org
> >
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>


-- 
Daniel Ferradal
HTTPD Project
#httpd help at Freenode

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Questions to SSLciphersuite

2020-11-28 Thread Daniel Ferradal 
supported ciphers and protocols depend on the openssl version you are
using, which, if my eyes do not deceive me, you haven't mentioned.

Perhaps you should check that first before changing cipher/protocol
parameters in httpd.

"openssl ciphers -v 'ALL'" should do, if the openssl version in your
path is the same your httpd is using and was compiled with.

El vie, 27 nov 2020 a las 16:35, Lentes, Bernd
() escribió:
>
> Dear all,
>
> in 20 years administrating linux hosts i always avoided it successfully to 
> change the SSlCipherSuite, hoping the default from Suse or Ubuntu would be 
> fine and secure.
> But now i'm in the situation that i have to touch it for the first time, and 
> afraid of opening a big door because of wrong configuration.
> I have an elder software (ServersAlive) which monitors our services.
> Among others it need to check two Ubuntu 20.04 hosts, one with Apache  2.4.41.
> The software does not check the https URL and complains in the log "SSL 
> handshake failed".
> The webserver log says:
> [Fri Nov 27 16:00:05.526738 2020] [ssl:info] [pid 1330] [client 
> 146.107.25.174:61102] AH02008: SSL library error 1 in handshake (server 
> nc-mcd.helmholtz-muenchen.de:443)
> [Fri Nov 27 16:00:05.526784 2020] [ssl:info] [pid 1330] SSL Library Error: 
> error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported 
> protocol
>
> I think this is related to the SSL configuration of Apache and the fact that 
> the software is a bit outdated.
> I read http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslciphersuite.
>
> SSLCipherSiute is currently:
>
> SSLCipherSuite HIGH:!aNULL
> That means that all ciphers using Triple-DES are allowed, without all ciphers 
> using no authentication. Right?
>
> SSLHonorCipherOrder off
> OK ?
>
> SSLProtocol all -SSLv3
> That means all protocols are allowed but not SSLv3. Right ?
>
> I canged it to SSLProtocol all +SSLv3 +TLSv1, but then apache refused to 
> restart, complaining SSLv3 is not supported by OpenSSL.
> I changed it to SSLProtocol all +TLSv1, but my software still says the host 
> is down, resulting in the apache log:
> [Fri Nov 27 16:28:15.143448 2020] [ssl:info] [pid 2703] [client 
> 146.107.25.174:61953] AH02008: SSL library error 1 in handshake (server 
> nc-mcd.helmholtz-muenchen.de:443)
> [Fri Nov 27 16:28:15.143500 2020] [ssl:info] [pid 2703] SSL Library Error: 
> error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported 
> protocol
> [Fri Nov 27 16:28:15.143524 2020] [ssl:info] [pid 2703] [client 
> 146.107.25.174:61953] AH01998: Connection closed to child 3 with abortive 
> shutdown (server nc-mcd.helmholtz-muenchen.de:443)
>
> What can i do ?
>
> Bernd
>
>
>
>
>
>
>
> --
>
> Bernd Lentes
> Head of Systemadministration
> Institute for Metabolism and Cell Death (MCD)
> Building 25 - office 122
> HelmholtzZentrum München
> bernd.len...@helmholtz-muenchen.de
> phone: +49 89 3187 1241
> phone: +49 89 3187 3827
> fax: +49 89 3187 2294
> http://www.helmholtz-muenchen.de/mcd
> Helmholtz Zentrum München
>
> Helmholtz Zentrum Muenchen
> Deutsches Forschungszentrum fuer Gesundheit und Umwelt (GmbH)
> Ingolstaedter Landstr. 1
> 85764 Neuherberg
> www.helmholtz-muenchen.de
> Aufsichtsratsvorsitzende: MinDir.in Prof. Dr. Veronika von Messling
> Geschaeftsfuehrung: Prof. Dr. med. Dr. h.c. Matthias Tschoep, Kerstin Guenther
> Registergericht: Amtsgericht Muenchen HRB 6466
> USt-IdNr: DE 129521671
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>


-- 
Daniel Ferradal
HTTPD Project
#httpd help at Freenode

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Disable directory indexing for a specific directory.

2020-11-28 Thread Daniel Ferradal 
 
> >>>
> >>> Some of my WordPress directories are browsable and when I open the URLs, 
> >>> then the content of the directories displayed:
> >>>
> >>> https://example.net/wp-content/plugins/email-subscribers/
> >>> https://example.net/wp-content/plugins/contact-form-7/
> >>>
> >>> How can I disable the directory indexing for those directories? I added 
> >>> below lines to my Virtual Host config file, but not worked:
> >>>
> >>> 
> >>>Options -Indexes
> >>> 
> >>> 
> >>>Options -Indexes
> >>> 
> >>>
> >>> Thank you.
> >>>
> >>> -
> >>> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> >>> For additional commands, e-mail: users-h...@httpd.apache.org
> >>> -
> >>> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> >>> For additional commands, e-mail: users-h...@httpd.apache.org
>
> >>>
> >> -
> >> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> >> For additional commands, e-mail: users-h...@httpd.apache.org
> >>
> >>
> >> -
> >> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> >> For additional commands, e-mail: users-h...@httpd.apache.org
> >>
> > -
> > To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> > For additional commands, e-mail: users-h...@httpd.apache.org
> >
> >
> > -
> > To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> > For additional commands, e-mail: users-h...@httpd.apache.org
> >
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>


-- 
Daniel Ferradal
HTTPD Project
#httpd help at Freenode

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Configuring KeepAliveTimeout to individual URIs

2020-10-13 Thread Daniel Ferradal 
Perhaps you want to adjust timeout for that backend?

For example if you are proxying to a backend that takes about 100
seconds for /path/

ProxyPass /path/ https://backend/path/ timeout=120

El mié., 7 oct. 2020 a las 14:41, alchemist vk
() escribió:
>
> Hi Eric,
> I agree with you.. "keepalive timeout is n/a in the middle of a response".
>
> WR
> A
>
> On Wed, Oct 7, 2020 at 5:58 PM Eric Covener  wrote:
>>
>> On Wed, Oct 7, 2020 at 7:54 AM alchemist vk  wrote:
>> >
>> > Hi Eric,
>> >  Thanks for response..
>> >  To give more info, I have an URI where GET on this needs lot of 
>> > processing from backend to process, populate and  frame the response and 
>> > then rendering the same.
>> > So what is happening is, by having KeepAliveTimeout as 60, processing and 
>> > framing of this response taking more than 60 and hence apache returns 503.
>> > As a trial, Increased the KeepAliveTimeout to 300 and its working fine 
>> > always.
>>
>> as politely as possible: I would be shocked if your final observation
>> was not wrong.  The keepalive timeout is n/a in the middle of a
>> response.
>>
>> -----
>> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
>> For additional commands, e-mail: users-h...@httpd.apache.org
>>


-- 
Daniel

-- 
Daniel Ferradal
HTTPD Project
#httpd help at Freenode

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] CentOS 8 / Apache 2.4.37 / Optimzing

2020-10-13 Thread Daniel Ferradal 
Hello,

Prefork was just needed if you are loading a module which is not
thread safe, so do not use it if you are proxying to php-fpm.

mpm_event is probably the best MPM you can use, it is optimized for
threading and quoting the docs it has  "dedicated listener thread for
each process to handle both the Listening sockets, all sockets that
are in a Keep Alive state, sockets where the handler and protocol
filters have done their work and the ones where the only remaining
thing to do is send the data to the client", so the idea is to have a
small number of children (processes) and a big number of threads
(workers which depend on the children processes).

So, to give you an idea, if you have 4 processors in your CPU and you
expect a max load of 300 concurrent users with some cushion, you
could, for example, have 4 children with 100 workers each.

Example:
StartServers 1
ServerLimit 4
MinSpareThreads 100
MaxSpareThreads 250
ThreadsPerChild 100
ThreadLimit 100
MaxRequestWorkers 400
MaxConnectionsPerChild 1000

El vie., 2 oct. 2020 a las 17:08, Devin Acosta
() escribió:
>
>
> Dear Users,
>
> So I have a fresh installation of CentOS 8 running Apache 2.4.37, and PHP 
> running with PHP-FPM. I notice that out of the box it comes configured 
> running with MPM: event as the default. I know in CentOS 7 All the instances 
> were configured with prefork. I have Googled for what information I can try 
> to find out about if I have a rather High Volume Wordpress/PHP website that I 
> need to host what I should do to optimize the configuration?
>
> Should I continue to stay with Event? Do I need to raise any default settings 
> either for the mpm_event module, or even with php-fpm? I would like to 
> optimize for Speed and also to take load off the web server as much as 
> possible.
>
> Any suggestions?
>
> Thanks a lot.
>
> Devin Acosta



-- 
Daniel

-- 
Daniel Ferradal
HTTPD Project
#httpd help at Freenode

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] To Gzip or not? [EXT]

2020-10-12 Thread Daniel Ferradal 
Can you please STOP breaking threads by adding the [EXT] thing to the
title, it is getting quite annoying.

El sáb., 10 oct. 2020 a las 23:14, James Smith () escribió:
>
> There are two sorts of compression - TLS and HTTP.
>
> It is recommended not to compress the TLS traffic (as CRIME can then be used 
> to guess cookies etc) - compresses the whole response.
> But compressing HTTP traffic is OK - unless there is some secret stored in 
> the body of the HTML page {it only compresses the HTML of the page}
>
>
> -Original Message-
> From: Antony Stone 
> Sent: 10 October 2020 21:01
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] To Gzip or not? [EXT]
>
> On Saturday 10 October 2020 at 20:23:46, Tom Browder wrote:
>
> > I've been looking at ways to speed up my web services using
> > https://urldefense.proofpoint.com/v2/url?u=https-3A__webpagetest.org
> > =DwICbA=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo=oH2yp0ge1ecj4o
> > DX0XM7vQ=wVQFv3p3IiMCFYbxf3xWL1HmlN3ZkoCLaTAM8DZEBss=tshPsEQ7bksjr
> > YsoZ14lId3gKNLPIe14r5lCkak7ujU=  for analysis. One thing I've been
> > reading about is using mod_deflate to compress certain files but keep
> > seeing the warnings
>
> Which warnings?  Where?
>
> > about using compression with https due to certain known threats.
>
> What threats?
>
> > In my searches so far I've not found anything saying that threat has
> > been mitigated. Does anyone here use compression with TLS or have any
> > current advice about the issue?
>
> Can you point us at any document about what this "issue" is, so that we know 
> what "threat" you're concerned about?
>
>
> Antony.
>
> --
> Was ist braun, liegt ins Gras, und raucht?
> Ein Kaminchen...
>
>Please reply to the list;
>  please *don't* CC me.
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>
>
>
> --
>  The Wellcome Sanger Institute is operated by Genome Research
>  Limited, a charity registered in England with number 1021457 and a
>  company registered in England with number 2742969, whose registered
>  office is 215 Euston Road, London, NW1 2BE.
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>


-- 
Daniel

-- 
Daniel Ferradal
HTTPD Project
#httpd help at Freenode

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] SAMEORIGIN and multiple ALLOWFROM X-Frame-Options

2020-10-12 Thread Daniel Ferradal 
Probably you should drop using X-Frame-Options in favour of the more
compatible and up to date  "Access-Control-Allow-Origin" header:

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin

And for extra fine grained permissions then CSP (although keeping an
eye on browser compatibility for the different parameters is advised):

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy

El lun., 12 oct. 2020 a las 23:31, Herb Burnswell
() escribió:
>
> Hi,
>
> I have been using the following successfully in HTTPD config for some time:
>
> Header always set X-Frame-Options SAMEORIGIN
>
> The SAMEORIGIN is required for our use but now I am getting a request to 
> allow X-Frame-Options to include specific URL's, say:
>
> https://example1.com
> https://example2.com
>
> In researching a bit, I found this suggesting this format:
>
> Header always set X-Frame-Options SAMEORIGIN
> Header always append X-Frame-Options "ALLOW-FROM https://example1.com/;
> Header always append X-Frame-Options "ALLOW-FROM https://example2.com/;
>
> However, when I tested it the response is:
>
> example.com refused to connect
>
> Is this the proper way to set up this need (SAMEORIGIN and multiple URL 
> allows)?  Are there any concerns with this type of configuration?
>
> Any guidance is appreciated.
>
> TIA,
>
> HB



-- 
Daniel

-- 
Daniel Ferradal
HTTPD Project
#httpd help at Freenode

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Make apache2 (httpd) portable under Linux

2020-02-03 Thread Daniel Ferradal 
Hello,

Tha's not exactly true. You specify a default path absolute path, but
you can override these values with config on startup easily.

If you want to "install" apache without a default path or a relative
one, I don't think that can be done.

El lun., 3 feb. 2020 a las 15:30, Raf Roger () escribió:
>
> Bonjour Lucien,
>
> I already read and understood what you wrote as this is the basic steps i 
> already read before.
> In fact my goal is to do something like XAMPP for linux but with the 
> following differences:
> - no root permissions needed
> - no installation needed, just to unzip the completed stack (apache, php, 
> mysal) and to use a simple script to run/start stack servers.
> - users could unzip in whatever directory he wants, it will run normally. No 
> need to unzip in a particular directory like /opt/lamp or /home/webserver... 
> Basically it could be unzip in /$HOME/webserver or in /home/server/ or in 
> /home/username/web/server-stack. Anyway the structure of directories in this 
> folder will be always the same e.g.:
>  /apache
> / php
> / mysql
> ...
>
> in the step you wrote, by compiling and making install, it force any use to 
> have it in 1 and only 1 directory as XAMPP does...and this is something i do 
> not want as the final purpose is to move it on usb stick or in some 
> directory in any other linux computer and to run website as demo e.g.
>
> naybe it's clearer now how i was planning this stuff.
>
> thx.
>
> Alain
>
> On Sat, Feb 1, 2020 at 1:05 PM Lucien Gentis  
> wrote:
>>
>> Hello Raf,
>>
>> Le 31/01/2020 à 22:16, Raf Roger a écrit :
>>
>> Hi,
>>
>> I work on web development using several computers (laptop, desktop) and i do 
>> not have always access to internet.
>>
>> While i was under Windows i had a portable LAMP server and it was great as i 
>> was just able to sync it once online, to have it on other computers.
>>
>> I would like to do the same under Ubuntu 19.10 and i'm looking for 
>> information how to do it.
>> My first step would be to have apache2 (httpd) not depending on root 
>> permissions, but also running from any directory where the binaries are 
>> stored...
>>
>> See http://httpd.apache.org/docs/2.4/invoking.html
>>
>>
>> so if binary is set to /home/alain/webserver/apache or 
>> /home/$user/webserver/apache it should be able to run with configuration 
>> file, just by launching httpd start or something like that.
>>
>> however i'm lost with the source code while i compile it with --PREFIX and 
>> other option.
>>
>> Can someone help me to understand it better ?
>>
>> Once you have uncompressed the httpd tarball, you go to the root of the 
>> source tree then execute following command , for example:
>>
>> ./configure --prefix=/usr/local/httpd-2.4.41
>>
>> where /usr/local/httpd-2.4.41 is the root of the installation directory 
>> which will contain bin, doc, share, include,... directories.
>>
>> if there's no error, you execute then
>>
>> make
>>
>> to build httpd, then
>>
>> sudo make install
>>
>> to install it /usr/local/httpd-2.4.41
>>
>> Other configure options can be found via command :
>>
>> ./configure --help
>>
>> thx
>>
>> --
>> Alain
>>
>
>
> --
> Alain
> ---
> Kubuntu 17.10
> MySQL 5.6.x
> Apache 2.4.25 / OpenSSL 1.0.2j
> Tomcat 7.17
> PHP 7.1.x



-- 
Daniel Ferradal
HTTPD Project
#httpd help at Freenode

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] SSL certificate update failed - httpd-2.4.6-90.el7

2020-01-07 Thread Daniel Ferradal 
Hello,

1º the way to verify is the openssl commands we mentioned earlier.
2º no, you clearly do not have that in the server that reports those
warnings, or if you do, that virtualhost is alright and the problem is the
other virtualhosts that report the warning, like:
amdc2webl06.dmz.local:443  <--- and all those that report warnings, clearly
dmz.local does not match *.amnetgroup.com

I can suggest you check all virtualhosts configured, there is a command you
can use that will yell you the virtualhosts configured:
"apachectl -S"

El mar., 7 ene. 2020 a las 14:38, Sac Isilia ()
escribió:

> Hi Daniel ,
>
> That makes sense. I will needing help as I have very less knowledge of
> Apache and instead messing things up please help me in below queries.
>
> "you probably are using the public name but the certs you are really using
> are local names or the opposite" - How to verify this on the Linux.
> "mismatches between "ServerName" directive and the CN in the certificate
> are different" - ServerName is www.amnetgroup.com and CN is *.
> amnetgroup.com and it works perfectly for the existing certificate
> without adding the Alias directive.
>
> make clients connecting ignore the name mismatches  - How to do that for
> Chrome
>
> Regards
> Sachin Kumar
>
>
>
> On Tue, Jan 7, 2020 at 6:58 PM Daniel Ferradal 
> wrote:
>
>> Hello,
>>
>> The key to your certificate issues lies in the warning messages like this
>> one:
>>
>> AH01909: RSA certificate configured for amdc2webl06.dmz.local:443 does
>> NOT include an ID which matches the server name.
>>
>> So you probably are using the public name but the certs you are really
>> using are local names or the opposite, either case there are name
>> mismatches between "ServerName" directive and the CN in the certificate are
>> different, that's all there is to it.
>>
>> Having said that, it is not an issue that blocks the usage of SSL, just
>> that clients connecting to SSL will complain about it, like I mentioned
>> earlier.
>>
>> So you have to options, either you fix the name mismatches by configuring
>> the appropiate ServerName or installing the appropiate certificates for
>> those names, or make clients connecting ignore the name mismatches, either
>> way SSL is functional.
>>
>> Picture this as if I am trying to talk to you and you identify with a
>> name I don't recognize or that is clearly not the one I am using to address
>> you in the frst place, I can still talk to you, or I can refuse to talk to
>> you due to mistrust, either way, we have the ability to talk (we can
>> perfectly have SSL encrypted connection) to each other and nothing else
>> than a "trust" issue may prevent us from doing so.
>>
>> El mar., 7 ene. 2020 a las 14:12, Sac Isilia (<
>> udaypratap.sing...@gmail.com>) escribió:
>>
>>> Hi Daniel,
>>>
>>> If we want to disable this Proxy setting in httpd - how will we do that
>>> ? I can see below logs in the file . If the SSL settings is all correct
>>> then I think we can try to disable the Proxy setting that you mentioned but
>>> I don't know how to do that.
>>>
>>> [root@amdc2webl06 logs]# tail -f ssl_error_log
>>> [Tue Jan 07 02:50:38.254032 2020] [autoindex:error] [pid 23200] [client
>>> 10.19.79.68:53112] AH01276: Cannot serve directory /var/www/html/: No
>>> matching DirectoryIndex (index.html,index.php,index.php) found, and
>>> server-generated directory index forbidden by Options directive
>>> [Tue Jan 07 02:50:39.716018 2020] [autoindex:error] [pid 23199] [client
>>> 10.19.79.68:53788] AH01276: Cannot serve directory /var/www/html/: No
>>> matching DirectoryIndex (index.html,index.php,index.php) found, and
>>> server-generated directory index forbidden by Options directive
>>> [Tue Jan 07 02:50:39.932384 2020] [autoindex:error] [pid 23216] [client
>>> 10.19.79.68:53908] AH01276: Cannot serve directory /var/www/html/: No
>>> matching DirectoryIndex (index.html,index.php,index.php) found, and
>>> server-generated directory index forbidden by Options directive
>>> [Tue Jan 07 02:50:40.544248 2020] [autoindex:error] [pid 33866] [client
>>> 10.19.79.68:54156] AH01276: Cannot serve directory /var/www/html/: No
>>> matching DirectoryIndex (index.html,index.php,index.php) found, and
>>> server-generated directory index forbidden by Options directive
>>> [Tue Jan 07 07:59:13.246960 2020] [ssl:warn] [pid 5054] AH01909: RSA
>>> certificate configured for amdc2webl06.dmz.local:443 does NOT include an

  1   2   >