[EMAIL PROTECTED] Problem with configs
Apache httpd users mailing list, I have just joined this mailing list, but a Google indicates that this topic has not come up before. If I am wrong, I apologize, and ask for a pointer. I understand that the argument to the Proxy directive is supposed to be a shell-style wildcard (rather than a simple prefix match), as the argument to the ProxyMatch directive is supposed to be a Perl-style regular expression. I assume that these directives are evaluated in the order in which they appear in the configuration file. Both of these are reinforced by comments in the book "Pro Apache". The first is mentioned in passing, but only prefix matching is shown in examples in all other documentation. The second is not mentioned anywhere else. Given this, I asked folks on a machine which is temporarily inaccessible to me to enter a configuration including a virtual host much like the following. I'm afraid that domains and IP addresses have been changed to protect the innocent. ;-) And much that might otherwise obscure has been stripped away. ServerName proxy.example.com ErrorLog logs/proxy_error ProxyRequests On ProxyVia On http://*.tuxedo.org*> # Allow only those "Allow"ed that are not "Deny"ed. Order allow,deny # Exceptions to the default "Deny". Allow from 127.0.0.1 Allow from 192.1.0.0/16 Allow from 192.0.0.0/16 # No "Deny" exceptions to the explicit "Allow"s. http://*.linux.org*> # Allow only those "Allow"ed that are not "Deny"ed. Order allow,deny # Exceptions to the default "Deny". Allow from 127.0.0.1 Allow from 192.1.0.0/16 Allow from 192.0.0.0/16 # No "Deny" exceptions to the explicit "Allow"s. http://*.tux.org*> # Deny only those "Deny"ed unless they are "Allow"ed - this is the default Order deny,allow # No "Deny" exceptions to the default "Allow". # No "Allow" exceptions to any explicit "Deny"s. # Allow only those "Allow"ed that are not "Deny"ed. Order allow,deny # Exceptions to the default "Deny" Allow from 127.0.0.1 Allow from 192.1.0.0/16 Allow from 192.0.0.0/16 # Exceptions to the explicit "Allow"s Deny from 192.0.2.0/24 The idea is that various people will have various levels of access to the proxy when they insert "http://proxyhost.example.com:8081/"; in as their Web browser proxy server. - Everyone may use this proxy to reach *.tux.org/* - Everyone in the two /16's may use this proxy to reach *.tuxedo.org/* and *.linux.org/*. - Everyone in the two 16's, except for those in the one /24, may use this proxy to reach every other URL. HOWEVER, when doing testing from a workstation at (say) 192.1.2.3, if one adds a "Deny from 192.1.2.3" to the LAST block, then the tester can no longer reach all of the URLs, which he could before. It's been suggested that I consider the ProxyMatch directive instead, but the only difference between the two is SUPPOSED to be that the former uses Shell-style wildcards [but which shell???], and the latter uses Perl-style regular expressions [presumably the current version]. For my purposes, both can express what I want to accept. Can anybody suggest where my error is? Thanks! -- /*\ ** ** Joe Yao [EMAIL PROTECTED] - Joseph S. D. Yao ** \*/ - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [EMAIL PROTECTED] Problem with configs
On Sat, Aug 23, 2008 at 12:40:13AM -0500, William A. Rowe, Jr. wrote: > Joseph S D Yao wrote: > > > > I have just joined this mailing list, but a Google indicates that this > > topic has not come up before. If I am wrong, I apologize, and ask for a > > pointer. > > Good way to attract attention of lurkers :) ;-) > > I understand that the argument to the Proxy directive is supposed to be > > a shell-style wildcard (rather than a simple prefix match), as the > > argument to the ProxyMatch directive is supposed to be a Perl-style > > regular expression. > > Ok. So a shell style wildcard never hits on a path delimiter, right? That depends on what "shell-style wildcard" means in a given implementation. I have seen ones where the path delimiter is not a special character. As the '/' is (a) not solely a path delimiter and (b) not the unique path delimiter, in a URL, I had not expected that to be a special character here. In fact, noting that a "*" will match "http://www.example.com/dir1/dir2/dir3/page.html";, I rather suspect that it is not. > > http://*.tuxedo.org*> > > Perhaps you meant http://*.tuxedo.org/* > > But the trailing * is redundant. drop it all together. Yours does not accept the common usage, "http://www.tuxedo.org";, with no trailing '/'. Most Web servers will accept and correct this. It is not clear to me that the "*" is redundant. Without it, don't I restrict myself to the home page? All examples I have seen used with that are not using "*" end in '*'. -- /*\ ** ** Joe Yao [EMAIL PROTECTED] - Joseph S. D. Yao ** \*/ - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [EMAIL PROTECTED] Problem with configs
On Mon, Aug 25, 2008 at 12:20:12AM -0500, William A. Rowe, Jr. wrote: > Joseph S D Yao wrote: > >>> I understand that the argument to the Proxy directive is supposed to be > >>> a shell-style wildcard (rather than a simple prefix match), as the > >>> argument to the ProxyMatch directive is supposed to be a Perl-style > >>> regular expression. > >> Ok. So a shell style wildcard never hits on a path delimiter, right? > > > > That depends on what "shell-style wildcard" means in a given > > implementation. I have seen ones where the path delimiter is not a > > special character. As the '/' is (a) not solely a path delimiter and > > (b) not the unique path delimiter, in a URL, I had not expected that to > > be a special character here. > > Shell wildcards are sensitive to path delimiters; read RFC 2616 and its > cited RFC's; "/" are path delimiters, End of discussion. "Shell" != "shell-style". YES, '/' is a delimiter when interpreting a URL. But in a proxy, the interpretation occurs at the Web server - or other server! - to which proxying is being done. > > In fact, noting that a "*" will match > > "http://www.example.com/dir1/dir2/dir3/page.html";, I rather suspect that > > it is not. > > It will. Then '/' is not a delimiter. True end of discussion. > No; they don't - your browser did. But that correction is prior to httpd > handling the request. "/" is the minimal path, see the RFC. Fair point. Please do remember, though, that except in reference implementations, software writers often consider RFC's to be - what is that line from the pirate movie? - more like guidelines. And anyway, there's many a slip 'twixt the intention and the implementation. ;-) > > It is not clear to me that the "*" is redundant. Without it, don't I > > restrict myself to the home page? > > No References? > > All examples I have seen used with > > that are not using "*" end in '*'. > > Who suggested random configurations you discover from google are any good? I'm talking about Apache documentation and published books. I do realize that the latter may need substantiation, as even people who are expert in one part of a project may not be definitive for another part. -- /*\ ** ** Joe Yao [EMAIL PROTECTED] - Joseph S. D. Yao ** \*/ - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [EMAIL PROTECTED] How to restart Apache
On Wed, Aug 27, 2008 at 01:41:48PM +0200, [EMAIL PROTECTED] wrote: > Is there a way how to restart Apache if pid file is missing? > I use my own demon.It happened that the demon deleted /var/run/apache2.pid > file. > Then I can not use /etc/init.d/apache2 restart > > but I must restart my Debian server by init 6 . > After that the Apache starts normally. > > So, if the init 6 can solve the problem , > is there a way how to restart Apache without restarting the server( Debian > box) > Thank you for help > L.a. Check whether the 'killall' or 'skill' commands have been installed on your system. Check the manual pages. You should be aboe to do one of these [assuming that the information about 'httpd' renamed to 'apache2' is correct]: killall -HUP apache2 skill -HUP -c apache2 and then: cd / /etc/init.d/apache2 start It looks like 'killall' is in the "psmisc" package, if you don't have it installed. http://www.ducea.com/2008/08/18/killall-in-debian/ I will add my voice to the rising choir saying, find out why the thing disappears before everything goes. ;-) What do you mean, you use your own daemon? Do you mean, your own shell script to start the daemon? -- /*****************\ ** ** Joe Yao [EMAIL PROTECTED] - Joseph S. D. Yao ** \*/ - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [EMAIL PROTECTED] How to start Apache automatically with certificate?
On Thu, Aug 28, 2008 at 10:31:42AM -0300, Tan, Liao wrote: > Ok, ic I can simply remove the passphrase, and provided the new key be > readabale by root only, I should not have any security problems... is it > simply remove it? or any other settings, configuratios, re-installation? > It should not be owned by root, because you should not be running your server as root. You should be running your servers as some other user, say, "apache", and so the uncloaked cert files should be stored as read-only by "apache". Nothing should ever be owned by or done as root. Nothing. Absolutely nothing. Ever. Unless you absolutely have to, and then it's still a good idea to stop and think how to do it without being root. Why should nothing be owned by root? Because then manipulating it must be done by root. We should nothing be done by root? Because you're human and are capable of making mistakes, such as: cd / rm -rf /tmp/cruftdir. * and because people cracking into systems LOVE to find daemon processes running as "root", because then if they own that one daemon process, they own the whole system. YES, there is a bare minimum of things that must run as root. The trick is to find out how to approach that bare minimum. No application daemons should be running as root. -- /*\ ** ** Joe Yao [EMAIL PROTECTED] - Joseph S. D. Yao ** \*/ - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [EMAIL PROTECTED] How to start Apache automatically with certificate?
On Thu, Aug 28, 2008 at 05:42:59PM -0400, Eric Covener wrote: ... > root-owned private key sure sounds wiser to me. ... Tell me three good reasons why. Bad ones don't count. There is nothing special about a file that is owned by root vs. another UID. There is a PROBLEM, that you must be root to do anything with that file. If 'httpd' is run as user "apache", as it should be on any well-regulated system, then a file that is readable only by root will not be usable by it. It will be USELESS. > There are lots of files you don't want to be owned, or modifiable, by > non-root users. This is a good thing. By non-root USERS, yes, absolutely. Who said anything about users? I'm talking about a SYSTEM account. Again, there is ABSOLUTELY NOTHING SPECIAL about a file that is owned by root, except that to do anything with it, you have to have super-user powers, which YOU SHOULD NEVER DO! They are DANGEROUS. -- /*\ ** ** Joe Yao [EMAIL PROTECTED] - Joseph S. D. Yao ** \*/ - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [EMAIL PROTECTED] How to start Apache automatically with certificate?
On Thu, Aug 28, 2008 at 04:53:05PM -0500, William A. Rowe, Jr. wrote: > Joseph S D Yao wrote: > > On Thu, Aug 28, 2008 at 10:31:42AM -0300, Tan, Liao wrote: > >> Ok, ic I can simply remove the passphrase, and provided the new key be > >> readabale by root only, I should not have any security problems... is it > >> simply remove it? or any other settings, configuratios, re-installation? > > > > It should not be owned by root, because you should not be running your > > server as root. You should be running your servers as some other user, > > say, "apache", and so the uncloaked cert files should be stored as > > read-only by "apache". > > Yes, and the server should be *started* as root, User/Group modified to > a limited access account (e.g. apache, or nobody), all system resources > initially created and owned by root (e.g. logs/, certs etc), and the > appropriate access control granted to the apache/nobody user (no write > access to logs/, no read access to keys). > > There are logs that are dynamically created, give your apache user write > access to a logs/safe/ directory to put those into. But the logs/ dir > should never be modifiable by the apache user. Similarly the certs dir > should never be readable by the apache user. > > If you start your server (e.g. launch it) from the 'apache' user account, > it's impossible to keep the running server from manipulating the logs/ > directory etc, or accessing keys files, etc. Sorry, yes, of course, it is almost always started [or re-started] as root, and then chowns itself. I was thinking that it read the cert after the chown, but I don't remember with certainty. I need to go re-read the code anyway, I'll look next time so I can give a good cite if this thread is still running. ;-) -- /*\ ** ** Joe Yao [EMAIL PROTECTED] - Joseph S. D. Yao ** \*/ - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [EMAIL PROTECTED] How to start Apache automatically with certificate?
On Fri, Aug 29, 2008 at 01:39:06AM -0400, Joseph S D Yao wrote: > On Thu, Aug 28, 2008 at 05:42:59PM -0400, Eric Covener wrote: > ... > > root-owned private key sure sounds wiser to me. > ... > > > Tell me three good reasons why. Bad ones don't count. > > There is nothing special about a file that is owned by root vs. another > UID. There is a PROBLEM, that you must be root to do anything with that > file. > > If 'httpd' is run as user "apache", as it should be on any > well-regulated system, then a file that is readable only by root will > not be usable by it. It will be USELESS. Even if 'httpd' is still running as root when reading the cert, and so able to use it, it is still a bad idea to have it OWNED by root - you still have to have super-user powers to maintain it. Bad, bad, bad, bad, bad. -- /*****************\ ** ** Joe Yao [EMAIL PROTECTED] - Joseph S. D. Yao ** \*/ - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [EMAIL PROTECTED] How to install SSL certificate for virtual server?
On Fri, Aug 29, 2008 at 08:11:24AM +0200, Krist van Besien wrote: > On Thu, Aug 28, 2008 at 17:46, <[EMAIL PROTECTED]> wrote: > > > How do you secure a second virtual host with an SSL certificate, so I can > > then > > access https://www.myserver2.com? > > The usual answer to this question is: You can't. See: > http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#vhosts2 > > There is an experimental extension to the SSL protocol, called SNI, > which would make virtualhosts possible. As far as I can see this > requires a recompile of both apache and openssl... ISTM that you can run a second instance of 'httpd' with a second certificate on a different port [e.g. https://www.myserver2.com:8443/] and a different configuration file. I have never tried this, though. -- /*\ ** ** Joe Yao [EMAIL PROTECTED] - Joseph S. D. Yao ** \*/ - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [EMAIL PROTECTED] How to start Apache automatically with certificate?
On Fri, Aug 29, 2008 at 08:48:34AM +0200, Krist van Besien wrote: ... > You need super user powers to maintain a webserver anyway. Why? I do 'su - apache' sometimes. On other systems I have stuff group-writable. Depends on what the owner wants. > Doesn't mean you need to become root. You can use sudo. ... Sudo makes you root, unless it's sudo -u apache or something. > . And putting in > place a key is something you're not going to do often anyway. On any given system, true. OTOH, on some systems I have all the server configurations for all the individual physical and virtual machine Web servers on one NAS box, and if they did HTTPS more ... again, what the owner wants. -- /*\ ** ** Joe Yao [EMAIL PROTECTED] - Joseph S. D. Yao ** \*/ - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [EMAIL PROTECTED] How to start Apache automatically with certificate?
On Mon, Sep 01, 2008 at 06:34:09AM +0200, Krist van Besien wrote: > On Fri, Aug 29, 2008 at 18:43, Joseph S D Yao <[EMAIL PROTECTED]> wrote: > > On Fri, Aug 29, 2008 at 08:48:34AM +0200, Krist van Besien wrote: > > ... > >> You need super user powers to maintain a webserver anyway. > > > > Why? > > Because you need to start apache as root if you want it to bind to ports > > 1024 maintaining != starting -- /*\ ** ** Joe Yao [EMAIL PROTECTED] - Joseph S. D. Yao ** \*/ - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [EMAIL PROTECTED] Why do I need /var/www as DocumentRoot & www-data as www owner?
I have no clue why the Debian Etch distribution is set up as you describe. I do remember discussion about the time /var/www was first used, long ago, about /var always being a read-write file system even if the others were mounted read-only from some other medium [CD-ROM, NFS, etc.]. This seemed to be at least part of the motivation. But I can't speak for Apache at all. -- /*\ ** ** Joe Yao [EMAIL PROTECTED] - Joseph S. D. Yao ** \*/ - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [EMAIL PROTECTED] How to start Apache automatically with certificate?
On Wed, Sep 03, 2008 at 02:02:16PM +0200, Krist van Besien wrote: > On Tue, Sep 2, 2008 at 20:18, Joseph S D Yao <[EMAIL PROTECTED]> wrote: ... > > maintaining != starting > > Since any change to the config requires a restart maintaing a server > requires you to be able to start it. ... Fair. For most changes, anyway. But maintaining the server files should not require root privileges. And if it is possible to re-start the server without becoming root [requires some assembly - or C], then do so. The whole point, which seems to be missed among my earlier whimsical phrasing and some possible mistakes on my part, is this. You should do as little as possible as root. In the over 35 years that I've been working on and maintaining *n*x systems, it's amazing the number of mistakes - often lethal [for the system] - that have been made possible because someone was doing something as root, rather than as a system account. The corollary, of course, is that as few files as possible should be owned by root, so that you don't have to be root to maintain them. The ownership, if possible/necessary, should be spread around to system accounts with different roles. Doing everything as root is just plain bad security. Plan around it. -- /*\ ** ** Joe Yao [EMAIL PROTECTED] - Joseph S. D. Yao ** \*/ - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [EMAIL PROTECTED] Error when creating certificate in HPUX
On Wed, Sep 03, 2008 at 09:52:46AM -0300, Tan, Liao wrote: > Folks, > Im trying to find solution for this issue. When running the command below > > openssl genrsa -des3 -out mydomain.com.key 1024 > > to create the key pair certificate, it gives me the error: > > = > warning, not much extra random data, consider using the -rand option ... Long ago but not far away, when I had to implement this on HP-UX, I found that it had no "random" device. Not many systems did, then or now. So I got the Entropy Generating Daemon [egd, written in Perl], and it worked fine. Remember to have it start at boot BEFORE anything that uses random data. And you will have to tell 'openssl' etc. about it. Oh, look, it's moved to sourceforge. ;-) http://sourceforge.net/projects/egd/ -- /*\ ** ** Joe Yao [EMAIL PROTECTED] - Joseph S. D. Yao ** \*/ - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [EMAIL PROTECTED] Error when creating certificate in HPUX
On Wed, Sep 03, 2008 at 11:46:12AM -0500, William A. Rowe, Jr. wrote: ... > Or, just search hpux site for their /dev/random device patch. It's built > into 11.23 but was a separate download/add-in for earlier 11.x flavors. ... Good to know! Obviously, I don't have recent HP-UX experience, nor does anyone else here but you! Either solution would work, but some tremble at the thought of changing the kernel. ;-] -- /*\ ** ** Joe Yao [EMAIL PROTECTED] - Joseph S. D. Yao ** \*/ - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [EMAIL PROTECTED] How to start Apache automatically with certificate?
On Thu, Sep 04, 2008 at 07:55:09AM +0200, Krist van Besien wrote: > On Wed, Sep 3, 2008 at 18:12, Joseph S D Yao <[EMAIL PROTECTED]> wrote: > > > Doing everything as root is just plain bad security. Plan around it. > > That is why sudo is so convenient. I never meant that you would need > to do everything as root, only that you needed to be able to do things > as root. I almost never do a su - root, and use sudo almost whenever I > need root powers. > > I keep my config files writable only by root, and use sudoedit to edit > them. I use sudo apachectl to restart apache etc... Sudo without "-u ..." is root. Plan how to do without it. Does it matter whether you say: $ su # cd / # ls tmp/"temp files "* # rm -rf tmp/"temp files" * or $ cd / $ ls tmp/"temp files "* $ sudo rm -rf tmp/"temp files" * ? Either way, you're history. Have your files owned by a system account and readable by the Web server account, and 'su' or 'sudo' to that account to RCS control and edit them. Then again, this may be a level of effort too great for casual Web sites that can be easily reconstructed by hand, and where it doesn't really matter if it is off the Web for a while. For such personal-use systems, doing everything as "root" is fine, since the only one upset with you if you make such a mistake, will be you. ;-) -- /*****************\ ** ** Joe Yao [EMAIL PROTECTED] - Joseph S. D. Yao ** \*/ - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [EMAIL PROTECTED] How to start Apache automatically with certificate?
On Thu, Sep 04, 2008 at 03:55:33PM +0100, Tom Evans wrote: ... > They've also suggested that their conf files be owned by root, and only > readable by the apache user, which you also disagree with. ... Nobody has come up with a good argument for this, or a refutation of my argument against it. > If you do not start apache as root and then drop privileges, it means > that any resources required to start their server will be accessible by > the web server. ... Now when did I e v e r suggest that? I agree with your condemnation of it whole-heartedly. > If the servers conf file is not owned by root, then generally that is > okay, as long as it is not writable by the user running apache. I would > personally still have it owned by root. But, you see, then you have to BE root to edit it - 'sudo counts - and this is what you agreed above was bad. > Your security advice, from what I've seen, is at best misinformed, and > at worst it is negligent. I urge anyone reading this thread to check > some reputable sources before implementing any of Joseph's suggestions. I urge anyone reading this thread to actually read it. -- /*\ ** ** Joe Yao [EMAIL PROTECTED] - Joseph S. D. Yao ** \*/ - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [EMAIL PROTECTED] How to start Apache automatically with certificate?
On Thu, Sep 04, 2008 at 12:33:20PM -0500, William A. Rowe, Jr. wrote: > Joseph S D Yao wrote: > > On Thu, Sep 04, 2008 at 03:55:33PM +0100, Tom Evans wrote: > > ... > >> They've also suggested that their conf files be owned by root, and only > >> readable by the apache user, which you also disagree with. > > ... > > > > Nobody has come up with a good argument for this, or a refutation of my > > argument against it. > > The refutation is that in order to bind to port 80, have access to keys, > etc, httpd must start as root. If the conf files are owned by an "wwwadmin" > role user, that's fine, it's one degree removed from root. ... Which is all I've been saying. Thanks for finally agreeing. -- /*****************\ ** ** Joe Yao [EMAIL PROTECTED] - Joseph S. D. Yao ** \*/ - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [EMAIL PROTECTED] How to start Apache automatically with certificate?
On Thu, Sep 04, 2008 at 04:35:53PM -0400, Eric Covener wrote: ... > That's not all you've been saying. > > | You should be running your servers as some other user, say, "apache", > | and so the uncloaked cert files should be stored as read-only by "apache". I did note at one point that my original note had been dashed off hastily, and that it had some flaws. For this I apologize. If you are running your Web server as the account "apache" then, as has been pointed out, you should have your content files owned by, say "wwwadmin" [to use the most recent suggestion]. The cert files can be owned by the same account or, better, another one that is solely for the certs rather than the Web content updaters, if this is a multi-person show. I did figure someone would point out that I'd said more words than those in the last entry. I really don't want to add any more to this topic. If anyone else can stand up and say that THEY have admin'ed Unix, Linux, BSD, etc. for over 35 years, and NEVER seen a mistake made worse because the person making the mistake was su'ed or sudo'ed to root, then I will applaud that person's good luck - SILENTLY. -- /*****************\ ** ** Joe Yao [EMAIL PROTECTED] - Joseph S. D. Yao ** \*/ - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [EMAIL PROTECTED] HTTP Server 2.2.9 - Unable to view the files from IE
On Sun, Sep 07, 2008 at 06:46:54AM -0700, Jay wrote: > Hello Edward, > > The problem was solved, when I disabled the iptables > > Thank You for your help. Good catch. Glad I read to the current end of thread, to see that you located the issue I was going to suggest. Of course, you don't want to stand naked and vulnerable for too long. Allow queries to destination port 80 on INPUT, and replies, and then turn iptables back on. -- /*\ ** ** Joe Yao [EMAIL PROTECTED] - Joseph S. D. Yao ** \*/ - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [EMAIL PROTECTED] Stoping bots from sucking files
On Fri, Oct 24, 2008 at 08:29:43PM +0100, Mário Gamito wrote: > Hi, > > I have this site that has a directory with some files. > A few weeks ago, two web bots started sucking those files at an impressive > rate. Use a robots.txt file in your home directory. http://www.robotstxt.org/ http://en.wikipedia.org/wiki/Robots.txt If they ignore it, then use iptables to block them. That takes the strain off httpd. -- /*\ ** ** Joe Yao [EMAIL PROTECTED] - Joseph S. D. Yao ** \*/ - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
