[EMAIL PROTECTED] Different users for different vhosts
Hello, is it possible to assign each vhost a own process (or a process pool) with a distinct user? So that a apache process can not abused (with PHP for example) for accessing other users data? If it is not possible with processes can it be achieved with threads? If not, why not? Thanks, florian - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [EMAIL PROTECTED] Different users for different vhosts
Am Donnerstag, 22. Juni 2006 22:56 schrieb Rainer Sokoll: > On Thu, Jun 22, 2006 at 10:26:45PM +0200, Florian Lindner wrote: > > Hello, > > is it possible to assign each vhost a own process (or a process pool) > > with a distinct user? So that a apache process can not abused (with PHP > > for example) for accessing other users data? > > I don't think so. > > > If not, why not? > > --8<-- > ~ >man fork > [...] > NAME > fork, fork1, forkall - create a new process > [...] > DESCRIPTION > The fork(), fork1(), and forkall() functions create a new > process. The address space of the new process (child pro- > cess) is an exact copy of the address space of the calling > process (parent process). The child process inherits the > following attributes from the parent process: > >o real user ID, real group ID, effective user ID, effec- > tive group ID > --8<-- That is not an explanation. Since the apache process is lunched as root (so it can bind port 80 e.g.) it can fork different processes and change the uid/gid of these processes. Florian - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
[EMAIL PROTECTED] Which user to run?
Hello, in the default configurations I know apache runs as a dedicated users (e.g. www). This user has no login shell set thus it is impossible to login as this user and it usually has no home dir set either. With my setup I have an (human) user hat has a login shell and homedir. This users manages the data in the Document Root via SSH. The problem that occurs within that setup is that files created by apache are owned by user www thus read only to the human who manages these files. What is best way to cope with this problem? Thanks, Florian - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
[EMAIL PROTECTED] mod_suPHP: set php_admin options
Hello, I'm using mod_suphp. When using just mod_php I can set options in the virtual host config like that: php_admin_value sendmail_path How can this be done when using mod_suphp? Thanks, Florian - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
[EMAIL PROTECTED] SSL Proxy
Hello,
I have an SSL certificate of www.example.org. Now I want to proxy
another domain (which is a v-host on the same server) through the
beforementioned SSL domain.
My first try was: (in the doc root .htaccess)
RewriteCond %{HTTP_HOST} ^.*ssl\.example\.org$
RewriteRule ^(.*)$ http://target.com/$1 [L,P]
This works but the certificate is not valid for ssl.example.org only
for www. thus the browser raise an error.
Second try: (in a sub dir named proxy .htaccess)
RewriteRule ^(.*)$ http://target.com/$1 [P,L]
There raises the problem that the application on target.com perfoms an
redirection to /foo/bar/ (mind the first slash) with proxy that makes
example.org/foo/bar/ which raises an 404. example.org/proxy/foo/bar/
would be fine.
How can I get around these problems?
Thanks,
Florian
-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
" from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: [us...@httpd] SSL Proxy
Am 05.11.2008 um 02:23 schrieb Eric Covener: On Tue, Nov 4, 2008 at 1:02 PM, Florian Lindner <[EMAIL PROTECTED]> wrote: RewriteRule ^(.*)$ http://target.com/$1 [P,L] There raises the problem that the application on target.com perfoms an redirection to /foo/bar/ (mind the first slash) with proxy that makes example.org/foo/bar/ which raises an 404. example.org/proxy/foo/ bar/ would be fine. ProxyPassReverse? Hello, I tried that: ProxyRequests Off Order deny,allow Allow from all ProxyPass /ssl-proxy http://netz-hi.cardio-control.de/ ProxyPassReverse /ssl-proxy http://netz-hi.cardio-control.de/ at https://www.cardio-control.de/ssl-proxy but it still redirects to a page relative to root. Thanks, Florian - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
[EMAIL PROTECTED] Templated config for vhost
Hello, is is possible to define a template for a vhost config entry and use this template in other entries. For example I have the template: ServerName $SERVER_NAME ServerAlias *.$SERVER_NAME $MORE_ALIASES DocumentRoot /home/$DIR/http/pub CustomLog /home/$DIR/http/log/access.log combined ErrorLog /home/$DIR/http/log/error.log php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f [EMAIL PROTECTED]" php_admin_value open_basedir "/home/$DIR/http" now a config use this template $SERVER_NAME xgm.de $DIR xgmde $MORE_ALIASES someotherdomain.tld Can I do something like this? Thanks, Florian - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [EMAIL PROTECTED] Templated config for vhost
Am Donnerstag, 14. Dezember 2006 19:22 schrieb Joshua Slive: > On 12/13/06, Florian Lindner <[EMAIL PROTECTED]> wrote: > > Hello, > > is is possible to define a template for a vhost config entry and use this > > template in other entries. > > For example I have the template: > > > > > > ServerName $SERVER_NAME > > ServerAlias *.$SERVER_NAME $MORE_ALIASES > > DocumentRoot /home/$DIR/http/pub > > CustomLog /home/$DIR/http/log/access.log combined > > ErrorLog /home/$DIR/http/log/error.log > > php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f > > [EMAIL PROTECTED]" > > php_admin_value open_basedir "/home/$DIR/http" > > > > > > now a config use this template > > > > > > $SERVER_NAME xgm.de > > $DIR xgmde > > $MORE_ALIASES someotherdomain.tld > > > > > > Can I do something like this? > > Yes, there are various modules available from > http://modules.apache.org/ that allow you to do stuff like this. But > I'd recommend simply pre-processing your config file with > m4/perl/python/whatever. Hello, thanks for the reply! Can you name some of these preprocessors? Thanks, Florian - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
[EMAIL PROTECTED] Status of per-user MPMs
Hello, what is the status of MPMs that can assign each vhost a userID and execute request for this vhosts as this user? Are there any MPMs (from apache or 3rd party) available that are stable for (very low load) systems with PHP? (Apache 2) Thanks, Florian - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
[users@httpd] SSL-Proxy
Hello, since only SSL on the default vhost is possible I want to create a proxy for the other vhosts: ServerName centershock.net SSLEngine On SSLCertificateFile /etc/apache2/conf/ssl/server.crt SSLCertificateKeyFile /etc/apache2/conf/ssl/server.key Order deny,allow Allow from all ProxyPass /ssl/xgm.de http://xgm.de ProxyPassReverse /ssl/xgm.de http://xgm.de So the URL https://centershock.net/ssl/xgm.de/ should be the same like http://xgm.de only over SSL. But this seem to be not correct. I get a 403 error (not allowed) What is wrong? Thanks, Florian - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
[users@httpd] Re: SSL-Proxy
Am Sonntag, 22. Mai 2005 10:19 schrieb Joost de Heer: > > > > ServerName centershock.net > > > > SSLEngine On > > SSLCertificateFile /etc/apache2/conf/ssl/server.crt > > SSLCertificateKeyFile /etc/apache2/conf/ssl/server.key > > > > > > Order deny,allow > > Allow from all > > > > > > ProxyPass /ssl/xgm.de http://xgm.de > > ProxyPassReverse /ssl/xgm.de http://xgm.de > > > > > > So the URL https://centershock.net/ssl/xgm.de/ should be the same like > > http://xgm.de only over SSL. > > > > But this seem to be not correct. I get a 403 error (not allowed) > > doesn't need to be used for Reverse Proxies. You should remove it. I have Order deny,allow Allow from all removed > Does http://xgm.de work? I guess you've added a 'deny to all' to it to > avoid people reaching it directly. But this also forbids the reverse proxy > to reach it. Allow the IP address of the reverse proxy to reach that > vhost. http://xgm.de ist public available. (go ahead and check it out). The xgm.de ist pointing on the same machine and the vhost is running on the same machine. Thanks, Florian - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
[users@httpd] Limit Traffic for specific files
Hello, how can I limit the traffic which certain files generate in a certain time. For example: I don't want downloading of the file xyz.iso to generate more traffic that 10 GB per month? I'm using Apache 2. Thanks, Florian - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
[us...@httpd] Problem setting up SSL Proxy
Hello!
I want to set up an local ssl proxy. I have an certificate for
*.centershock.net and want domains like xgm.de to be accessible with SSL.
System is Debian Lenny
I added an rewrite entry to my SSL virtual host:
RewriteEngine On
RewriteLog /var/log/apache2/sslproxy.log
RewriteLogLevel 6
RewriteMap domains txt:/etc/apache2/sslproxy.map
RewriteCond %{HTTP_HOST} ^(.*-.*)\..*\..* [NC]
RewriteRule ^(.+)$ http://${domains:%1}$1 [P,L]
The sslproxy.map:
xgm-de xgm.de
mod_rewrite, proxy and proxy_http are active. mod_proxy permissions from
proxy.conf
ProxyRequests On
AddDefaultCharset off
Order deny,allow
Deny from all
Allow from centershock.net
Now I expect that I can access http://xgm.de/forum/ from
https://xgm.centershock.net/forum/ but all I get is a 403 error everywhere.
The RewriteLog looks fine:
138.246.2.7 - - [06/Aug/2010:21:14:40 +0200] [xgm-
de.centershock.net/sid#bde8a0][rid#eb54f8/initial] (2) init rewrite engine
with requested uri /forum
138.246.2.7 - - [06/Aug/2010:21:14:40 +0200] [xgm-
de.centershock.net/sid#bde8a0][rid#eb54f8/initial] (3) applying pattern '^(.
+)$' to uri '/forum'
138.246.2.7 - - [06/Aug/2010:21:14:40 +0200] [xgm-
de.centershock.net/sid#bde8a0][rid#eb54f8/initial] (4) RewriteCond:
input='xgm-de.centershock.net' pattern='^(.*-.*)\..*\..*' [NC] => matched
138.246.2.7 - - [06/Aug/2010:21:14:40 +0200] [xgm-
de.centershock.net/sid#bde8a0][rid#eb54f8/initial] (6) cache lookup FAILED,
forcing new map lookup
138.246.2.7 - - [06/Aug/2010:21:14:40 +0200] [xgm-
de.centershock.net/sid#bde8a0][rid#eb54f8/initial] (5) map lookup OK:
map=domains[txt] key=xgm-de -> val=xgm.de
138.246.2.7 - - [06/Aug/2010:21:14:40 +0200] [xgm-
de.centershock.net/sid#bde8a0][rid#eb54f8/initial] (2) rewrite '/forum' ->
'http://xgm.de/forum'
138.246.2.7 - - [06/Aug/2010:21:14:40 +0200] [xgm-
de.centershock.net/sid#bde8a0][rid#eb54f8/initial] (2) forcing proxy-
throughput with http://xgm.de/forum
138.246.2.7 - - [06/Aug/2010:21:14:40 +0200] [xgm-
de.centershock.net/sid#bde8a0][rid#eb54f8/initial] (1) go-ahead with proxy
request proxy:http://xgm.de/forum [OK]
Can anyone tell me what's wrong?
Thanks,
Florian
-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
" from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
Re: [us...@httpd] Problem setting up SSL Proxy
Am Freitag 06 August 2010, 21:48:15 schrieb Joost de Heer:
> On 08/06/2010 09:16 PM, Florian Lindner wrote:
> > Hello!
> >
> > I want to set up an local ssl proxy. I have an certificate for
> > *.centershock.net and want domains like xgm.de to be accessible with SSL.
>
> You do realise that only the connection to the reverse proxy is encrypted?
> The connection from the proxy to the source server is still unencrypted.
Yes. Both hosts are always on the same machine and have the same IP.
> > I added an rewrite entry to my SSL virtual host:
> > RewriteEngine On
> > RewriteLog /var/log/apache2/sslproxy.log
> > RewriteLogLevel 6
> >
> > RewriteMap domains txt:/etc/apache2/sslproxy.map
> >
> > RewriteCond %{HTTP_HOST} ^(.*-.*)\..*\..* [NC]
> > RewriteRule ^(.+)$ http://${domains:%1}$1 [P,L]
> >
> > The sslproxy.map:
> > xgm-de xgm.de
>
> Looks fine
>
> > ProxyRequests On
>
> You have a reverse proxy, don't turn proxyrequests on.
Ok, I set it to Off.
>
> >
> >
> > AddDefaultCharset off
> > Order deny,allow
> > Deny from all
> > Allow from centershock.net
> >
> >
>
> Does the IP address of the client have a PTR record?
Yes, points to shiva.centershock.net
> > Now I expect that I can access http://xgm.de/forum/ from
> > https://xgm.centershock.net/forum/ but all I get is a 403 error
> > everywhere.
>
> > The RewriteLog looks fine:
> And what does the errorlog say?
Ok, it is a permissions problem: client denied by server configuration:
Setting "Allow from all" makes it work. Clearly not an permanent option, is
it?
The proxy should work for any request from any client that matches the rules.
Thanks,
Florian
-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
" from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
[users@httpd] Make Apache react more graceful to SSL errors
Hello, in my server configuration users can place their own SSL certificate in predefined directories. A daily cron script detects them, updates the apache config and restarts the server. However, if there is a problem with the certificate or key file, the apache refused to work altogether. Is it possible to make apache disable only the problematic vhost instead of refusing to start? Thanks, Florian - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] Make Apache react more graceful to SSL errors
Hello, Am Sonntag, 1. Mai 2016, 14:28:42 CEST schrieb Dr James Smith: > Agree with Michael, > > My start/stop scripts all now do a configtest before trying to > stop/start apache - this way I never have no service if something goes > wrong! What is deem problematic with this approach, is that I do a configuration change and after putting the change into place I see that it fails by using configtest. Then I need to do a rollback of my configuration. I'm having very simple script to build my config, right now there is no backup or alike before the configuration. But is seems there is no other possibility and I need to implement some kind of rollback. Florian > I do have a forcestop which will stop an apache if the config is wrong - > as a last resort! > > James > > On 01/05/2016 14:27, Michael A. Peters wrote: > > On 05/01/2016 06:19 AM, Florian Lindner wrote: > >> Hello, > >> > >> in my server configuration users can place their own SSL certificate in > >> predefined directories. A daily cron script detects them, updates the > >> apache > >> config and restarts the server. > >> > >> However, if there is a problem with the certificate or key file, the > >> apache > >> refused to work altogether. > >> > >> Is it possible to make apache disable only the problematic vhost > >> instead of > >> refusing to start? > > > > What you probably need to do is validate the certificates before > > updating the apache configuration file. The TLS library (e.g. openssl) > > probably can do that, though I'm not familiar with the specific > > argument you would need. > > > > Apache also has a check that can test whether or not apache will > > successfully start, that you can run before restarting the server. > > > > apachectl configtest > > > > I believe is the command. > > > > I'm not sure it tests all the TLS certs but if it doesn't, it is a bug > > in my mind. > > > > > > - > > To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org > > For additional commands, e-mail: users-h...@httpd.apache.org - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
[users@httpd] How to proxy web server?
Hello, Apache 2.4 on Debian Testing, mpm_itk I have the Discourse web forum running in a docker container. The container's webserver is bount to localhost:2080. The forum should be reachable at either forum.csc-stuttgart.org or csc-stuttgart.org/forum. Possibility A: ServerName forum.csc-stuttgart.org AssignUserID csc-stuttgart csc-stuttgart ProxyPreserveHost On ProxyPass"/" "http://localhost:2080/"; ProxyPassReverse "/" "http://localhost:2080/"; DocumentRoot /home/csc-stuttgart/csc-stuttgart.org/pub [...] That works fine, beside on little problem. I want to use Let's Encrypt SSL certificates on that which require a path forum.csc-stuttgart.org/.well-known to be writable from the file system. How can I take just one path out of the Proxy? Wrap the ProxyPass/Reverse in a with a PCRE that match everything except .well-known? Haven't tested it yet. Any better solution? Possibility B: ServerName csc-stuttgart.org ServerAlias *.csc-stuttgart.org AssignUserID csc-stuttgart csc-stuttgart DocumentRoot /home/csc-stuttgart/csc-stuttgart.org/pub [...] LogLevel debug ProxyPass http://localhost:2080/ ProxyPassReverse http://localhost:2080/ Seems to not trigger on csc-stuttgart.org/forum, tried and and . ProxyPass "/forum" http://localhost:2080/ ProxyPassReverse "/forum" http://localhost:2080/ Seems to do the trick, but the Reverse does not seem to work. Error Log says [proxy:debug] mod_proxy.c(1228): [client 129.69.213.139:55350] AH01143: Running scheme http handler (attempt 0) [proxy:debug] proxy_util.c(2156): AH00942: HTTP: has acquired connection for (localhost) [proxy:debug] proxy_util.c(2209): [client 129.69.213.139:55350] AH00944: connecting http://localhost:2080/ to localhost:2080 [proxy:debug] proxy_util.c(2418): [client 129.69.213.139:55350] AH00947: connected / to localhost:2080 [proxy:debug] proxy_util.c(2884): AH02824: HTTP: connection established with [::1]:2080 (localhost) [proxy:debug] proxy_util.c(3051): AH00962: HTTP: connection complete to [::1]:2080 (localhost) [proxy:debug] proxy_util.c(2171): AH00943: http: has released connection for (localhost) [core:info][ client 129.69.213.139:55350] AH00128: File does not exist: /home/csc-stuttgart/csc-stuttgart.org/pub/login The webserver hat localhost:2080 redirected to /login/ which does not seem to rewritten by ProxyPassReverse to forum/login accordingly. Thanks for any ideas! Florian - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
[users@httpd] Re: How to proxy web server?
Am 15.05.2017 um 17:05 schrieb Florian Lindner: > Hello, > > Apache 2.4 on Debian Testing, mpm_itk > > I have the Discourse web forum running in a docker container. The container's > webserver is bount to localhost:2080. The > forum should be reachable at either forum.csc-stuttgart.org or > csc-stuttgart.org/forum. > > Possibility A: > > > ServerName forum.csc-stuttgart.org > AssignUserID csc-stuttgart csc-stuttgart > ProxyPreserveHost On > ProxyPass"/" "http://localhost:2080/"; > ProxyPassReverse "/" "http://localhost:2080/"; > DocumentRoot /home/csc-stuttgart/csc-stuttgart.org/pub > [...] > > > That works fine, beside on little problem. I want to use Let's Encrypt SSL > certificates on that which require a path > forum.csc-stuttgart.org/.well-known to be writable from the file system. > How can I take just one path out of the Proxy? > > Wrap the ProxyPass/Reverse in a with a PCRE that match > everything except .well-known? Haven't tested it > yet. Any better solution? Ok, I was able to achieve it using: ServerName forum.csc-stuttgart.org AssignUserID csc-stuttgart csc-stuttgart Redirect permanent / https://forum.csc-stuttgart.org/ DocumentRoot /home/csc-stuttgart/csc-stuttgart.org/pub CustomLog /home/csc-stuttgart/csc-stuttgart.org/log/access.log combined ErrorLog /home/csc-stuttgart/csc-stuttgart.org/log/error.log ServerName forum.csc-stuttgart.org AssignUserID csc-stuttgart csc-stuttgart ProxyPreserveHost On ProxyPass"/" "http://localhost:2080/"; ProxyPassReverse "/" "http://localhost:2080/"; DocumentRoot /home/csc-stuttgart/csc-stuttgart.org/pub CustomLog /home/csc-stuttgart/csc-stuttgart.org/log/access.log combined ErrorLog /home/csc-stuttgart/csc-stuttgart.org/log/error.log SSLEngine On SSLCertificateFile /home/csc-stuttgart/csc-stuttgart.org/ssl/forum.csc-stuttgart.org.cert SSLCertificateKeyFile /home/csc-stuttgart/csc-stuttgart.org/ssl/forum.csc-stuttgart.org.key - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
