Re: [users@httpd] [httpd2.4.57]Possible conflicts between VHosts with SSL and LimitRequestLine

2024-01-21 Thread Florent Thomas
Great thanks for your quick answer. 

If I understand well, setting LimitRequestLine 10240 in a name-based virtualhost? 
So what is your recommendation? 

Anyway, thanks for the time already spent on this. 

Regards 



Florent THOMAS 



From: "Eric Covener"  
To: "users"  
Sent: Sunday, 21 January 2024 14:48:03 
Subject: Re: [users@httpd] [httpd2.4.57]Possible conflicts between VHosts with 
SSL and LimitRequestLine 

The hostname, normally in the Host header, is not read until after the request 
line. So it cannot be effectively set in name based vhosts. 

The manual already warns about it 

On Sun, Jan 21, 2024, 9:26 AM Florent Thomas wrote: 



Hi everyone, 

I'm running : 
Server version: Apache/2.4.57 (Debian) 
Server built: 2023-04-13T03:26:51 
Server's Module Magic Number: 20120211:127 
Server loaded: APR 1.7.2, APR-UTIL 1.6.3, PCRE 10.42 2022-12-11 
Compiled using: APR 1.7.2, APR-UTIL 1.6.3, PCRE 10.42 2022-12-11 
Architecture: 64-bit 
Server MPM: event 
threaded: yes (fixed thread count) 
forked: yes (variable process count) 
Server compiled with 
-D APR_HAS_SENDFILE 
-D APR_HAS_MMAP 
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled) 
-D APR_USE_PROC_PTHREAD_SERIALIZE 
-D APR_USE_PTHREAD_SERIALIZE 
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT 
-D APR_HAS_OTHER_CHILD 
-D AP_HAVE_RELIABLE_PIPED_LOGS 
-D DYNAMIC_MODULE_LIMIT=256 
-D HTTPD_ROOT="/etc/apache2" 
-D SUEXEC_BIN="/usr/lib/apache2/suexec" 
-D DEFAULT_PIDLOG="/var/run/apache2.pid" 
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status" 
-D DEFAULT_ERRORLOG="logs/error_log" 
-D AP_TYPES_CONFIG_FILE="mime.types" 
-D SERVER_CONFIG_FILE="apache2.conf" 

I've been struggling for almost 2 weeks on this weird issue. 
I have multiple vhosts working perfectly both in http and https with Let's 
Encrypt. 

Yet for one vhost we need to set limitrequestline to a higher value. I'm 
familiar with the procedure and I changed the value in the vhost. Sadly it 
didn't work as expected. 
After searching everywhere, enabling/disabling securities, modules etc... I 
found another conf conflicting with mine. 

The ssl.conf vhost placed in conf-enabled is causing trouble. However its 
content is not really complicated : 

LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so 
Listen 443 
 
ServerName publicdomainname.tld 
SSLEngine on 
SSLCertificateFile "/etc/ssl/certs/apache-httpd.crt" 
SSLCertificateKeyFile "/etc/ssl/private/apache-httpd.key" 
 

My other vhost is as follows : 

 
ServerName otherdomain.tld 
.../... 
 
RequestHeader set X-Forwarded-Proto "https" 
 
.../ 
LimitRequestLine 10240 
.../... 
Include /etc/letsencrypt/options-ssl-apache.conf 
 

When both are enabled, the LimitRequestLine is not considered when reaching 
https://otherdomain.tld . When I comment the Vhost in ssl.conf everything works 
fine. 

Is there any "permeability" between vhosts? Is there any precedence that could 
cause this vhost to be considered as the "master" of some options? Could anyone 
lead me to what I am doing wrong? 

Sorry if I'm not clear, any question and/or feedback would be appreciated. 

Regards, 

Florent THOMAS 
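
Eric Covener's point above, laid out as configuration. This is an added example, not configuration posted by anyone in the thread: the hostnames, certificate paths and the 10240 value come from the original post, while the `*:443` arguments are an assumption because the archive dropped the `<VirtualHost>` tags.

```apache
# Added example. "*:443" is assumed; the posted <VirtualHost> tags were lost.
# Use placement A or placement B; placement C is the one that has no effect.

# Placement A: server config, outside every <VirtualHost>.
# Vhosts that do not set LimitRequestLine themselves inherit this value,
# so it raises the limit for all of them.
LimitRequestLine 10240

# Placement B: the default vhost for the address:port, i.e. the first
# <VirtualHost> httpd loads for *:443. Its value is the one in force while
# the request line is read, for every name-based vhost on *:443.
<VirtualHost *:443>
    ServerName publicdomainname.tld
    LimitRequestLine 10240
    SSLEngine on
    SSLCertificateFile "/etc/ssl/certs/apache-httpd.crt"
    SSLCertificateKeyFile "/etc/ssl/private/apache-httpd.key"
</VirtualHost>

# Placement C (no effect on the request line): a later name-based vhost.
# httpd picks this vhost from the Host header, which is read only after
# the request line has been checked against the default vhost's limit.
<VirtualHost *:443>
    ServerName otherdomain.tld
    LimitRequestLine 10240
    # remaining directives as in the original post
</VirtualHost>
```

`apachectl -S` prints which vhost is the default server for each address:port, which identifies where placement B has to go.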






[users@httpd] proxying websocket and httpd in same VHOST

2023-06-03 Thread Florent Thomas
Hi everyone, 

I've browsed many resources and read many threads of the mailing list. Looks 
like I'm not alone in having this issue and that documentation is not really 
clear.

So I'm running this release of apache : 
httpd -v
Server version: Apache/2.4.53 (Rocky Linux)
Server built:   Apr 28 2023 00:00:00

Here are the loaded modules :
core_module (static)
 so_module (static)
 http_module (static)
 access_compat_module (shared)
 actions_module (shared)
 alias_module (shared)
 allowmethods_module (shared)
 auth_basic_module (shared)
 auth_digest_module (shared)
 authn_anon_module (shared)
 authn_core_module (shared)
 authn_dbd_module (shared)
 authn_dbm_module (shared)
 authn_file_module (shared)
 authn_socache_module (shared)
 authz_core_module (shared)
 authz_dbd_module (shared)
 authz_dbm_module (shared)
 authz_groupfile_module (shared)
 authz_host_module (shared)
 authz_owner_module (shared)
 authz_user_module (shared)
 autoindex_module (shared)
 cache_module (shared)
 cache_disk_module (shared)
 cache_socache_module (shared)
 data_module (shared)
 dbd_module (shared)
 deflate_module (shared)
 dir_module (shared)
 dumpio_module (shared)
 echo_module (shared)
 env_module (shared)
 expires_module (shared)
 ext_filter_module (shared)
 filter_module (shared)
 headers_module (shared)
 include_module (shared)
 info_module (shared)
 log_config_module (shared)
 logio_module (shared)
 macro_module (shared)
 mime_magic_module (shared)
 mime_module (shared)
 negotiation_module (shared)
 remoteip_module (shared)
 reqtimeout_module (shared)
 request_module (shared)
 rewrite_module (shared)
 setenvif_module (shared)
 slotmem_plain_module (shared)
 slotmem_shm_module (shared)
 socache_dbm_module (shared)
 socache_memcache_module (shared)
 socache_redis_module (shared)
 socache_shmcb_module (shared)
 status_module (shared)
 substitute_module (shared)
 suexec_module (shared)
 unique_id_module (shared)
 unixd_module (shared)
 userdir_module (shared)
 version_module (shared)
 vhost_alias_module (shared)
 watchdog_module (shared)
 brotli_module (shared)
 dav_module (shared)
 dav_fs_module (shared)
 dav_lock_module (shared)
 lua_module (shared)
 mpm_event_module (shared)
 proxy_module (shared)
 lbmethod_bybusyness_module (shared)
 lbmethod_byrequests_module (shared)
 lbmethod_bytraffic_module (shared)
 lbmethod_heartbeat_module (shared)
 proxy_ajp_module (shared)
 proxy_balancer_module (shared)
 proxy_connect_module (shared)
 proxy_express_module (shared)
 proxy_fcgi_module (shared)
 proxy_fdpass_module (shared)
 proxy_ftp_module (shared)
 proxy_http_module (shared)
 proxy_hcheck_module (shared)
 proxy_scgi_module (shared)
 proxy_uwsgi_module (shared)
 systemd_module (shared)
 cgid_module (shared)

I'm deploying an apache RP in front of an Odoo providing classic http on port 
8069 and websocket on port :8072/websocket/

I read the example 
https://httpd.apache.org/docs/2.4/en/mod/mod_proxy.html#examples and 
https://httpd.apache.org/docs/2.4/en/mod/mod_proxy.html#wsupgrade  and I tried 
first this setup  :

   ProxyPreserveHost On
   ProxyRequests Off
   ProxyPass "/websocket/"  "http://127.0.0.1:8072/websocket/" upgrade=websocket

   ProxyPass / http://127.0.0.1:8069/
   ProxyPassReverse / http://127.0.0.1:8069/

This first try didn't succeed, so I tried this one 

   ProxyPreserveHost On
   ProxyRequests Off
   ProxyPass "/websocket/"  "ws://127.0.0.1:8072/websocket/"

   ProxyPass / http://127.0.0.1:8069/
   ProxyPassReverse / http://127.0.0.1:8069/

without more success

the backend is still returning 400 on the websocket url

any ideas, proposals or debug procedures will be appreciated.

Thanks in advance for the time spent reading this thread.

Regards


Florent THOMAS 

