[users@httpd] Re: MySQL authentication and SSL Config problem
After a bit more experimenting I found some additional information that may shed some light on this. I think this is actually a bug. I created another directory that uses AuthUserFile and that works as expected with SSL.

<Directory /var/www/html/backupmgr/>
    AuthType Basic
    AuthName "Backup Manager Administration"
    AuthUserFile /var/www/passwords
    Require valid-user
</Directory>

It seems reasonable to assume this problem is specific to combining MySQL DBD authentication with SSL since both work independently of each other. I don't believe this is a configuration problem any more and it will be submitted as a bug.

On 12/2/2014 9:15 AM, Dennis Putnam wrote:
> I have a directory set up to do MySQL authentication. At the same time I want to encrypt pages in that directory. My config for that virtual host is:
>
> LoadModule dbd_module modules/mod_dbd.so
> LoadModule authn_dbd_module modules/mod_authn_dbd.so
>
> <VirtualHost *:80>
>     DocumentRoot /var/www/html
>     ServerName myhost.mydomain.com
>     ServerAdmin mailman-ow...@mydomain.com
>     ErrorLog /var/log/httpd/myhost_error_log
>     CustomLog /var/log/httpd/myhost_access_log combined
>
>     # Force SSL for certain directories
>     RewriteEngine Off
>     RewriteLogLevel 0
>     RewriteLog /var/log/httpd/rewrite_log
>     RewriteCond %{HTTPS} off [NC]
>     RewriteRule ^/mailman(/.*)$ https://%{HTTP_HOST}/mailman$1 [R,L]
>     RewriteRule ^/cufs(/.*)$ https://%{HTTP_HOST}/cufs$1 [R,L]
>
>     <IfModule mod_dbd.c>
>         DBDriver mysql
>         DBDParams "dbname=cufsalumni user=myuser pass=xxx"
>         DBDMin 1
>         DBDKeep 8
>         DBDMax 20
>     </IfModule>
>
>     <Directory /var/www/html/cufs/cufsauth/>
>         AuthName "CUFS Alumni Login"
>         AuthType Basic
>         require valid-user
>         AuthBasicProvider dbd
>         AuthDBDUserPWQuery "SELECT pwd FROM cufsalumni.alumni WHERE username=%s"
>     </Directory>
> </VirtualHost>
>
> As long as I turn off the rewrite engine authentication works fine but the pages are obviously unencrypted. However, when I turn it on, authentication is bypassed and the loaded PHP page, rather than rendering, dumps a lot of $_SERVER variables which have little meaning and ends with the string Fatal: 1. That should mean something but I can't find what. If it matters, the encryption for the mailman directory works fine except it does its own authentication so the certificates would seem to be fine. The problem seems to be combining MySQL authentication with SSL. Here is the ssl.conf file:
>
> #
> # This is the Apache server configuration file providing SSL support.
> # It contains the configuration directives to instruct the server how to
> # serve pages over an https connection. For detailing information about these
> # directives see <URL:http://httpd.apache.org/docs/2.2/mod/mod_ssl.html>
> #
> # Do NOT simply read the instructions in here without understanding
> # what they do. They're here only as hints or reminders. If you are unsure
> # consult the online docs. You have been warned.
> #
>
> LoadModule ssl_module modules/mod_ssl.so
>
> #
> # When we also provide SSL we have to listen to the
> # the HTTPS port in addition.
> #
> Listen 443
>
> ##
> ## SSL Global Context
> ##
> ## All SSL configuration in this context applies both to
> ## the main server and all SSL-enabled virtual hosts.
> ##
>
> # Pass Phrase Dialog:
> # Configure the pass phrase gathering process.
> # The filtering dialog program (`builtin' is a internal
> # terminal dialog) has to provide the pass phrase on stdout.
> SSLPassPhraseDialog builtin
>
> # Inter-Process Session Cache:
> # Configure the SSL Session Cache: First the mechanism
> # to use and second the expiring timeout (in seconds).
> SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
> SSLSessionCacheTimeout 300
>
> # Semaphore:
> # Configure the path to the mutual exclusion semaphore the
> # SSL engine uses internally for inter-process synchronization.
> SSLMutex default
>
> # Pseudo Random Number Generator (PRNG):
> # Configure one or more sources to seed the PRNG of the
> # SSL library. The seed data should be of good random quality.
> # WARNING! On some platforms /dev/random blocks if not enough entropy
> # is available. This means you then cannot use the /dev/random device
> # because it would lead to very long connection times (as long as
> # it requires to make more entropy available). But usually those
> # platforms additionally provide a /dev/urandom device which doesn't
> # block. So, if available, use this one instead. Read the mod_ssl User
> # Manual for more details.
> SSLRandomSeed startup file:/dev/urandom 256
> SSLRandomSeed connect builtin
> #SSLRandomSeed startup file:/dev/random 512
> #SSLRandomSeed connect file:/dev/random 512
> #SSLRandomSeed connect file:/dev/urandom 512
>
> #
> # Use
[users@httpd] MySQL authentication and SSL Config problem
I have a directory set up to do MySQL authentication. At the same time I want to encrypt pages in that directory. My config for that virtual host is:

LoadModule dbd_module modules/mod_dbd.so
LoadModule authn_dbd_module modules/mod_authn_dbd.so

<VirtualHost *:80>
    DocumentRoot /var/www/html
    ServerName myhost.mydomain.com
    ServerAdmin mailman-ow...@mydomain.com
    ErrorLog /var/log/httpd/myhost_error_log
    CustomLog /var/log/httpd/myhost_access_log combined

    # Force SSL for certain directories
    RewriteEngine Off
    RewriteLogLevel 0
    RewriteLog /var/log/httpd/rewrite_log
    RewriteCond %{HTTPS} off [NC]
    RewriteRule ^/mailman(/.*)$ https://%{HTTP_HOST}/mailman$1 [R,L]
    RewriteRule ^/cufs(/.*)$ https://%{HTTP_HOST}/cufs$1 [R,L]

    <IfModule mod_dbd.c>
        DBDriver mysql
        DBDParams "dbname=cufsalumni user=myuser pass=xxx"
        DBDMin 1
        DBDKeep 8
        DBDMax 20
    </IfModule>

    <Directory /var/www/html/cufs/cufsauth/>
        AuthName "CUFS Alumni Login"
        AuthType Basic
        require valid-user
        AuthBasicProvider dbd
        AuthDBDUserPWQuery "SELECT pwd FROM cufsalumni.alumni WHERE username=%s"
    </Directory>
</VirtualHost>

As long as I turn off the rewrite engine authentication works fine but the pages are obviously unencrypted. However, when I turn it on, authentication is bypassed and the loaded PHP page, rather than rendering, dumps a lot of $_SERVER variables which have little meaning and ends with the string Fatal: 1. That should mean something but I can't find what. If it matters, the encryption for the mailman directory works fine except it does its own authentication so the certificates would seem to be fine. The problem seems to be combining MySQL authentication with SSL. Here is the ssl.conf file:

#
# This is the Apache server configuration file providing SSL support.
# It contains the configuration directives to instruct the server how to
# serve pages over an https connection. For detailing information about these
# directives see <URL:http://httpd.apache.org/docs/2.2/mod/mod_ssl.html>
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
#

LoadModule ssl_module modules/mod_ssl.so

#
# When we also provide SSL we have to listen to the
# the HTTPS port in addition.
#
Listen 443

##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##

# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog builtin

# Inter-Process Session Cache:
# Configure the SSL Session Cache: First the mechanism
# to use and second the expiring timeout (in seconds).
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300

# Semaphore:
# Configure the path to the mutual exclusion semaphore the
# SSL engine uses internally for inter-process synchronization.
SSLMutex default

# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the
# SSL library. The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512

#
# Use "SSLCryptoDevice" to enable any supported hardware
# accelerators. Use "openssl engine -v" to list supported
# engine names. NOTE: If you enable an accelerator and the
# server does not start, consult the error logs and ensure
# your accelerator is functioning properly.
#
SSLCryptoDevice builtin
#SSLCryptoDevice ubsec

##
## SSL Virtual Host Context
##

<VirtualHost _default_:443>

# General setup for the virtual host, inherited from global configuration
#DocumentRoot /var/www/html
#ServerName www.example.com:443

# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
ErrorLog /var/log/httpd/ssl_error_log
TransferLog /var/log/httpd/ssl_access_log
LogLevel warn

# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on

# SSL Protocol
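An added example, not the poster's configuration, for the thread above: a <Directory> section written inside <VirtualHost *:80> applies only to that virtual host, while the RewriteRule sends /cufs/ to https, which is answered by the <VirtualHost _default_:443> in ssl.conf. That host carries no auth section and inherits the main server's DocumentRoot, so it serves the same files with no password at all, which is consistent with the bypass described in the thread. Placing the mod_dbd setup and the protected directory at server scope, outside any <VirtualHost>, applies them to both hosts; the database password is a placeholder.

```apache
# Added example (httpd 2.2 syntax), not the poster's config.
# Everything up to the <VirtualHost> is server scope, so it applies to the
# *:80 host below AND to the _default_:443 host defined in ssl.conf.
LoadModule dbd_module modules/mod_dbd.so
LoadModule authn_dbd_module modules/mod_authn_dbd.so

<IfModule mod_dbd.c>
    DBDriver mysql
    # pass= is a placeholder; keep this file unreadable to the web user
    DBDParams "dbname=cufsalumni user=myuser pass=REPLACE_ME"
    DBDMin 1
    DBDKeep 8
    DBDMax 20
</IfModule>

<Directory /var/www/html/cufs/cufsauth/>
    AuthType Basic
    AuthName "CUFS Alumni Login"
    AuthBasicProvider dbd
    # mod_authn_dbd binds %s as a prepared-statement parameter, so the
    # supplied user name is never interpolated into the SQL text.
    AuthDBDUserPWQuery "SELECT pwd FROM cufsalumni.alumni WHERE username = %s"
    Require valid-user
    # Basic auth only base64-encodes the password. SSLRequireSSL (mod_ssl)
    # returns 403 on a plain-http request, so a missed redirect cannot
    # expose credentials or the protected content.
    SSLRequireSSL
</Directory>

<VirtualHost *:80>
    ServerName myhost.mydomain.com
    DocumentRoot /var/www/html
    ErrorLog /var/log/httpd/myhost_error_log
    CustomLog /var/log/httpd/myhost_access_log combined

    # Redirect the protected trees to https; auth then happens on :443.
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^/mailman(/.*)$ https://%{HTTP_HOST}/mailman$1 [R=301,L]
    RewriteRule ^/cufs(/.*)$ https://%{HTTP_HOST}/cufs$1 [R=301,L]
</VirtualHost>
```

A quick check after restarting is to request the protected path over https without credentials and confirm a 401, then over plain http and confirm a 301 to the https URL.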
[users@httpd] Virtual Hosts and SSL Puzzler
I have 3 virtual hosts that for all I can see are configured identically other than the obviously needed differences. The same is true of the 3 crt files.

<VirtualHost *:443>
    ServerName public.mydomain.com
    DocumentRoot /var/www/html
    SSLEngine on
    SSLCertificateFile /etc/httpd/SSL/public.crt
    SSLCertificateKeyFile /etc/postfix/SSL/server.key
</VirtualHost>

<VirtualHost *:443>
    ServerName distrib.mydomain.com
    DocumentRoot /var/www/html/distrib
    SSLEngine on
    SSLCertificateFile /etc/httpd/SSL/distrib.crt
    SSLCertificateKeyFile /etc/postfix/SSL/server.key
</VirtualHost>

<VirtualHost *:443>
    ServerName mail.mydomain.com
    DocumentRoot /usr/local/squirrelmail/www
    SSLEngine on
    SSLCertificateFile /etc/httpd/SSL/mail.crt
    SSLCertificateKeyFile /etc/postfix/SSL/server.key
</VirtualHost>

The problem is that 2 of them work perfectly and the lock shows up in the browser. With the third (public), I get a gray globe indicating partial encryption which does not prevent eavesdropping. I have no clue how to debug this or even where to look. Can someone point me in the right direction? Thanks.
Re: [users@httpd] Virtual Hosts and SSL Puzzler
On 10/22/2013 9:10 AM, Chris Gordon wrote:
> Sorry, brevity is not my strong point. Because I do not know what your certs look like as far as what domain(s) are considered CNs, I'm going to guess it has something to do with the following...
>
> SSL wraps http and you need a cert to decrypt the data sent via SSL. If you have 3 virtual hosts and you are using Name Based Virtual Hosting, how does the Apache web server know which cert to use to decrypt and read the header so it can properly route the data? The short answer per my understanding is that Apache has no clue and uses the default vhost's cert (the first one in the config file) to read the SSL. If these were all the same domain such as tuna.foo.com, seabass.foo.com and marlin.foo.com you could get away with using the same *.foo.com wildcard cert.
>
> Here is a good doc with these workarounds: https://www.switch.ch/pki/meetings/2007-01/namebased_ssl_virtualhosts.pdf
>
> I'm guessing your problem is somewhere in this domain. I believe that Name Based Virtual Hosting is not the answer for you. Try IP Based: http://httpd.apache.org/docs/2.2/vhosts/ip-based.html or use a wildcard cert...
>
> Here is a warning about your config and a better explanation I presume: http://wiki.apache.org/httpd/NameBasedSSLVHosts
>
> I just ran into this. Silly me for not realizing that a Web Server that routes based on headers would need to read the encrypted header to route it. Chicken-Egg problem.
>
> Chris
>
> Dennis Putnam <d...@bellsouth.net> 10/22/2013 8:26 AM:
>> I have 3 virtual hosts that for all I can see are configured identically other than the obviously needed differences. The same is true of the 3 crt files.
>>
>> <VirtualHost *:443>
>>     ServerName public.mydomain.com
>>     DocumentRoot /var/www/html
>>     SSLEngine on
>>     SSLCertificateFile /etc/httpd/SSL/public.crt
>>     SSLCertificateKeyFile /etc/postfix/SSL/server.key
>> </VirtualHost>
>>
>> <VirtualHost *:443>
>>     ServerName distrib.mydomain.com
>>     DocumentRoot /var/www/html/distrib
>>     SSLEngine on
>>     SSLCertificateFile /etc/httpd/SSL/distrib.crt
>>     SSLCertificateKeyFile /etc/postfix/SSL/server.key
>> </VirtualHost>
>>
>> <VirtualHost *:443>
>>     ServerName mail.mydomain.com
>>     DocumentRoot /usr/local/squirrelmail/www
>>     SSLEngine on
>>     SSLCertificateFile /etc/httpd/SSL/mail.crt
>>     SSLCertificateKeyFile /etc/postfix/SSL/server.key
>> </VirtualHost>
>>
>> The problem is that 2 of them work perfectly and the lock shows up in the browser. With the third (public), I get a gray globe indicating partial encryption which does not prevent eavesdropping. I have no clue how to debug this or even where to look. Can someone point me in the right direction? Thanks.

Thanks for the reply. Now I'm confused. Doesn't the SSLCertificate parameter for each VH say which cert to use? Why does it work for 2 of the VH's but not the 3rd?
Re: [users@httpd] Virtual Hosts and SSL Puzzler
On 10/22/2013 9:12 AM, Pete Houston wrote:
> On Tue, Oct 22, 2013 at 08:26:57AM -0400, Dennis Putnam wrote:
>> I get a gray globe indicating partial encryption which does not prevent eavesdropping. I have no clue how to debug this or even where to look. Can someone point me in the right direction? Thanks.
>
> This is usually indicative of a page served over https which references some elements served over http (i.e. unencrypted). These unencrypted elements are usually images, stylesheets, script files, etc. As such it is unrelated to your server configuration and is entirely down to the content.
>
> HTH,
> Pete

Thanks. That might make more sense (at least to me). After more reading, I am not sure that I don't have an SNI-capable version of httpd already installed (how do I tell?). The pages that work are very simple but the one that doesn't is complex and has lots of graphics. If that is the case, why are they not encrypted like everything else (assuming they are not referenced on a different server)?
Re: [users@httpd] Virtual Hosts and SSL Puzzler
On 10/22/2013 9:44 AM, Yehuda Katz wrote:
> On Tue, Oct 22, 2013 at 9:39 AM, Dennis Putnam <d...@bellsouth.net> wrote:
>> Thanks. That might make more sense (at least to me). After more reading, I am not sure that I don't have an SNI-capable version of httpd already installed (how do I tell?). The pages that work are very simple but the one that doesn't is complex and has lots of graphics. If that is the case, why are they not encrypted like everything else (assuming they are not referenced on a different server)?
>
> As I mentioned, if you don't have SNI, then you should see major warnings from the browser that something is wrong when you go to any site but the first one.
>
> As far as finding the offending image: Go to the page in your browser, right click on the page and choose view source (or a similar option). Then search in the source for http:// That should let you find which images are not secure. If the URLs are publicly accessible, post them here if you want someone to have a specific look (or email me privately if you don't want them to be public and I will try to have a look).
>
> - Y

Ah ha! You hit it. There are references to social media on the page that use http (Facebook, LinkedIn and Twitter). Since they reference a different site, will just changing it to https be sufficient or is there some other workaround? Thanks.
Re: [users@httpd] Virtual Hosts and SSL Puzzler
On 10/22/2013 10:03 AM, Yehuda Katz wrote:
> If the sites you are referencing allow you to access them over https, that will solve the problem. My preferred solution is to omit the http: altogether. If a URL just starts with //example.com/rest/of/url, the browser will use the appropriate protocol automatically.
>
> - Y
>
> On Tue, Oct 22, 2013 at 9:59 AM, Dennis Putnam <d...@bellsouth.net> wrote:
>> On 10/22/2013 9:44 AM, Yehuda Katz wrote:
>>> On Tue, Oct 22, 2013 at 9:39 AM, Dennis Putnam <d...@bellsouth.net> wrote:
>>>> Thanks. That might make more sense (at least to me). After more reading, I am not sure that I don't have an SNI-capable version of httpd already installed (how do I tell?). The pages that work are very simple but the one that doesn't is complex and has lots of graphics. If that is the case, why are they not encrypted like everything else (assuming they are not referenced on a different server)?
>>>
>>> As I mentioned, if you don't have SNI, then you should see major warnings from the browser that something is wrong when you go to any site but the first one.
>>>
>>> As far as finding the offending image: Go to the page in your browser, right click on the page and choose view source (or a similar option). Then search in the source for http:// That should let you find which images are not secure. If the URLs are publicly accessible, post them here if you want someone to have a specific look (or email me privately if you don't want them to be public and I will try to have a look).
>>>
>>> - Y
>>
>> Ah ha! You hit it. There are references to social media on the page that use http (Facebook, LinkedIn and Twitter). Since they reference a different site, will just changing it to https be sufficient or is there some other workaround? Thanks.

Thanks. I'll give that a try.
Re: [users@httpd] Virtual Host Directory Permissions Problem
Thanks for the reply. I removed the 443 from that directive; since I'm using standard ports, I don't think I need to specify anything. I believe that may have been added automatically by Webmin at some point when I was messing with it. Here is the httpd -S output:

VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
_default_:443   primary.localdomain (/etc/httpd/conf/vhosts.d/01_default_ssl_vhost.conf:13)
*:*             primary.mydomain.com (/etc/httpd/conf/httpd.conf:1116)
*:*             newvh.mydomain.com (/etc/httpd/conf/httpd.conf:1127)
Syntax OK

I don't see anything there that hints at the document root for the virtual hosts, which is the crux of my problem. However, I did find an error in the httpd log that is obviously related.

(13)Permission denied: /var/www/html/Scripts/Menu132/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable, referer: http://newvh.mydomain.com/

I don't see why there is a permissions problem with that subdirectory since it is not referenced in the page attempting to load. It must be because it is loading the index.html from the primary document root, which it does successfully (that seems like a security issue to me) and which also does not reference that menu directory.

On 3/13/2011 10:40 PM, Francois Gingras wrote:
> On Sun, Mar 13, 2011 at 4:59 PM, Hossy <hossy-apa...@hossy.com> wrote:
>> 1. What are you typing to access it?
>> 2. Try removing the :443 from your primary ServerName entry. I believe the port is defined inside the VirtualHost tag.
>>
>> -----Original Message-----
>> From: Dennis Putnam [mailto:d...@bellsouth.net]
>> Sent: Sunday, March 13, 2011 1:27 PM
>> To: users@httpd.apache.org
>> Subject: [users@httpd] Virtual Host Directory Permissions Problem
>>
>> I am setting up a new virtual host and am having trouble with the root directory. My new virtual host document root (/var/www/html/vhroot) is a child directory of my primary host root (/var/www/html). Is it legal to do that? When I try to access my new virtual host, I get the index from the primary document root. TIA. Here are my virtual host directives:
>>
>> Primary
>> <VirtualHost *>
>>     DocumentRoot /var/www/html
>>     ServerName primary.mydomain.com:443
>>     <Directory /var/www/html>
>>         allow from all
>>         Options +Indexes
>>     </Directory>
>> </VirtualHost>
>>
>> New VH
>> <VirtualHost *>
>>     DocumentRoot /var/www/html/vhroot
>>     ServerName newvh.mydomain.com
>>     <Directory /var/www/html/vhroot>
>>         allow from all
>>         Options +Indexes
>>     </Directory>
>> </VirtualHost>
>>
>> ---------------------------------------------------------------------
>> The official User-To-User support forum of the Apache HTTP Server Project.
>> See <URL:http://httpd.apache.org/userslist.html> for more info.
>> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
>>    "   from the digest: users-digest-unsubscr...@httpd.apache.org
>> For additional commands, e-mail: users-h...@httpd.apache.org
>
> There are several issues with your vhosts:
>
> 1) Assuming you want those to work on any interface, use *:PORT instead of *. Port 80 is for HTTP, and 443 is for HTTPS, normally.
>
> 2) Let's see httpd -S or apache2ctl -S under debian to see the full extent of your virtual hosts configuration.
>
> Frank.
[users@httpd] FilesMatch Problem
Sometimes the config file seems like black magic and I am no magician. I have a password required for one of my directories but I need for a couple of files to be unprotected. The authorization works just fine but it also requires authorization for the FilesMatch files. Here is my config file for that directory:

<Directory /var/www/html/cufs>
    AuthName x
    AuthType Basic
    AuthMySQLUser
    AuthMySQLPassword x
    AuthMySQLEnable on
    AuthMySQLPwEncryption scrambled
    AuthMySQLDB cufsalumni
    AuthMySQLUserTable alumni
    AuthMySQLNameField username
    AuthMySQLPasswordField pwdp
    require valid-user
    <FilesMatch "index.htm,cufslogin.html,cufsregister.php">
        allow from all
    </FilesMatch>
</Directory>

Is there some directive I need to add to turn off authentication for these files? Thanks.
Re: [users@httpd] FilesMatch Problem
Thanks for the reply. I tried a few things and I guess I don't really understand where to use it. I can't use it in the outer directory block as that would give access to the entire thing. When I use it within the FilesMatch block it does something weird. It displays the page but still puts up the authentication window. I can cancel the window and go on but that doesn't help.

On 3/14/2011 7:22 PM, Igor Cicimov wrote:
> http://wiki.apache.org/httpd/BypassAuthenticationOrAuthorizationRequirements
>
> Check the Satisfy directive.
>
> On Tue, Mar 15, 2011 at 10:17 AM, Dennis Putnam <d...@bellsouth.net> wrote:
>> Sometimes the config file seems like black magic and I am no magician. I have a password required for one of my directories but I need for a couple of files to be unprotected. The authorization works just fine but it also requires authorization for the FilesMatch files. Here is my config file for that directory:
>>
>> <Directory /var/www/html/cufs>
>>     AuthName x
>>     AuthType Basic
>>     AuthMySQLUser
>>     AuthMySQLPassword x
>>     AuthMySQLEnable on
>>     AuthMySQLPwEncryption scrambled
>>     AuthMySQLDB cufsalumni
>>     AuthMySQLUserTable alumni
>>     AuthMySQLNameField username
>>     AuthMySQLPasswordField pwdp
>>     require valid-user
>>     <FilesMatch "index.htm,cufslogin.html,cufsregister.php">
>>         allow from all
>>     </FilesMatch>
>> </Directory>
>>
>> Is there some directive I need to add to turn off authentication for these files? Thanks.
Re: [users@httpd] FilesMatch Problem
Doh! I didn't. You were the first to notice that. They should be '|'. However, the result is the same.

On 3/14/2011 10:37 PM, William A. Rowe Jr. wrote:
> On 3/14/2011 8:22 PM, Dennis Putnam wrote:
>> Thanks for the reply. I tried a few things and I guess I don't really understand where to use it. I can't use it in the outer directory block as that would give access to the entire thing. When I use it within the FilesMatch block it does something weird. It displays the page but still puts up the authentication window. I can cancel the window and go on but that doesn't help.
>>
>>     <FilesMatch "index.htm,cufslogin.html,cufsregister.php">
>
> Why did you expect commas to work?
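An added example for this thread, not the poster's config, written for httpd 2.2 (the release the AuthMySQL directives above belong to): the exempt file names are joined with '|' and the pattern is anchored, so index.htm does not also exempt index.html and cufsregister.php does not exempt cufsregister.php.bak; Satisfy Any with Allow from all lets a matching file through on host-based access without the Basic auth prompt. The AuthMySQLUser value is a placeholder. A likely cause of the page rendering while the prompt still appears is an image or stylesheet loaded from the same directory that is not matched and therefore still protected; every resource the exempt page pulls from /cufs must be listed too.

```apache
# Added example (httpd 2.2 syntax), not the poster's config.
<Directory /var/www/html/cufs>
    AuthName "CUFS Alumni"
    AuthType Basic
    AuthMySQLEnable on
    AuthMySQLUser DB_USER_PLACEHOLDER
    AuthMySQLPassword x
    AuthMySQLPwEncryption scrambled
    AuthMySQLDB cufsalumni
    AuthMySQLUserTable alumni
    AuthMySQLNameField username
    AuthMySQLPasswordField pwdp
    Require valid-user

    # Anchored alternation: only these exact file names are exempt.
    # Unanchored, "index.htm" would also match index.html and
    # "cufsregister.php" would match cufsregister.php.bak.
    <FilesMatch "^(index\.htm|cufslogin\.html|cufsregister\.php)$">
        # Satisfy Any: EITHER host-based access OR authentication is enough.
        # Allow from all makes the host-based check succeed for everyone,
        # so no 401 is sent and the browser never prompts for these files.
        Satisfy Any
        Order allow,deny
        Allow from all
    </FilesMatch>
</Directory>
```

On httpd 2.4 the three access lines inside FilesMatch are replaced by a single Require all granted, which overrides the enclosing Require valid-user for the matched files.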
[users@httpd] Virtual Host Directory Permissions Problem
I am setting up a new virtual host and am having trouble with the root directory. My new virtual host document root (/var/www/html/vhroot) is a child directory of my primary host root (/var/www/html). Is it legal to do that? When I try to access my new virtual host, I get the index from the primary document root. TIA. Here are my virtual host directives:

Primary
<VirtualHost *>
    DocumentRoot /var/www/html
    ServerName primary.mydomain.com:443
    <Directory /var/www/html>
        allow from all
        Options +Indexes
    </Directory>
</VirtualHost>

New VH
<VirtualHost *>
    DocumentRoot /var/www/html/vhroot
    ServerName newvh.mydomain.com
    <Directory /var/www/html/vhroot>
        allow from all
        Options +Indexes
    </Directory>
</VirtualHost>