Re: [users@httpd] Spurious access denied errors

2018-02-13 Thread Marat Khalili

On Sun, Feb 11, 2018 at 4:56 AM, Daniel <dferra...@gmail.com> wrote:


The error may come from a subrequest, which is an internal feature
that a module like mod_dir might use to probe whether some URL exists.


Thank you for the suggestion. I tried to disable mod_dir; fortunately 
MediaWiki seems to work fine without it, but the error is still there. 
Allowing access to DocumentRoot of course solves the problem, but I'm 
still curious...


--

With Best Regards,
Marat Khalili


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org



Re: [users@httpd] Setting up Apache 2.4 with Letsencrypt

2018-02-13 Thread Marat Khalili

But I just get a failed to load error and I don't see anything helpful in the 
logs.

I tried removing the links in the apache24 folder and copying the .pem files 
(privkey.pem to ssl.key), but still get an unable to establish secure 
connection error.


You did not post exact errors, but just in case the following works here:


    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
    SSLUseStapling On


--

With Best Regards,
Marat Khalili


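For reference, here is a complete 2.4 vhost in the same spirit as the snippet above, written for this page as an added example (it is not the configuration from the thread). It assumes httpd 2.4.8 or later, Debian-style paths, and that certbot keeps its files under /etc/letsencrypt/live/example.com/; with those versions fullchain.pem in SSLCertificateFile replaces the deprecated SSLCertificateChainFile, and SSLUseStapling needs an SSLStaplingCache in server context or httpd refuses to start:

```apache
# Added example, not from the thread. Assumes httpd >= 2.4.8, Debian paths,
# and certbot-managed files under /etc/letsencrypt/live/example.com/.
# The stapling cache must be declared outside any <VirtualHost>; without it
# "SSLUseStapling On" is a startup error.
SSLStaplingCache "shmcb:/var/run/apache2/ssl_stapling(32768)"

<VirtualHost *:443>
    ServerName   example.com
    DocumentRoot /var/www/example.com

    SSLEngine on
    # fullchain.pem = leaf certificate + intermediate; no separate chain file needed
    SSLCertificateFile    /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

    SSLUseStapling On
    # Staple only good responses; on responder trouble send nothing instead
    # of handing the client an OCSP error
    SSLStaplingReturnResponderErrors Off
    SSLStaplingResponderTimeout 5
</VirtualHost>
```

Check it with `apachectl configtest` before reloading, and note that httpd reads privkey.pem as root at startup, so the file (and the symlink target certbot keeps under archive/) should stay mode 0600 owned by root rather than being copied somewhere world-readable.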



Re: [users@httpd] Retry connection to reverse proxy backend

2018-02-11 Thread Marat Khalili
If your upgrade procedure is indeed "a second", I'd try to DROP with iptables 
the SYN packets from proxy to appserver for this period; the proxy will likely 
retry connection attempts. It depends on many factors, but it is at least worth a try.

> Where can I request that feature to be considered for adding?

On developers, not users maillist? With a patch ready or a bounty for 
implementation?

> What solutions do you have for this issue?

Most users will just reload the page upon seeing 503 error. Applications need 
to be taught case-by-case, since not all operations are sensible or safe to 
retry. That's going to be a problem when you discuss automating it 
unconditionally with developers.
-- 

With Best Regards,
Marat Khalili




Re: [users@httpd] Spurious access denied errors

2018-02-09 Thread Marat Khalili
> Probably because you are essentially denying access to documentroot and this 
> path is checked for all requests.

Looks like you are right, but why? What if there's a file there? What if 
there's a script there? A device file or a symbolic link to one?

> or change documentroot to a directory you can give access even if it's an 
> empty directory to get rid of those messages or change the documentoot to 
> something else.

I will do like you advise, but would still like to learn what's going on.
-- 

With Best Regards,
Marat Khalili




Re: [users@httpd] Spurious access denied errors

2018-02-09 Thread Marat Khalili
At first glance, something in your browser is probably requesting the 
page /test. Since it doesn't correspond to any of your alias 
statements, it hits the DocumentRoot which you have denied access to.


Is there a corresponding entry in your access log?



There's no entry in access log, and the problem is easily reproduced 
with curl/wget. There's only one request visible in tcpdump. I've also 
confirmed that excluding proxy does not fix the problem.


On the other hand, I don't see same problem on bare Apache installation 
serving only static files. Can Mediawiki PHP create some internal 
requests? How can I debug this?


--

With Best Regards,
Marat Khalili





[users@httpd] Spurious access denied errors

2018-02-09 Thread Marat Khalili

Dear list,

I've installed and configured mediawiki as follows (on top of default 
Ubuntu 16.04 Apache/2.4.18 installation):



    DocumentRoot /var/www/html

    
    Options None
    Require all denied
    

    
    Options ExecCGI
    Require host proxy.example.com
    
    
    Options None
    Require host proxy.example.com
    

    Alias /wiki /opt/local/mediawiki/index.php
    Alias /w/images /mnt/mediawiki/images
    Alias /w /opt/local/mediawiki


*Everything works*, i.e. clients successfully receive all pages with 
appropriate HTTP statuses in both the client and the Apache access log. However, 
for each request like /wiki/test I see the following extra message in 
error.log:


[Fri Feb 09 09:35:25.368731 2018] [authz_core:error] [pid 695] [client 
10.4.1.4:56622] AH01630: client denied by server configuration: 
/var/www/html/test


If I remove  clause, these messages disappear. They 
trigger fail2ban and are generally confusing. What may be causing them 
and how to make them stop?



--

With Best Regards,
Marat Khalili

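The resolution this thread arrives at (the DocumentRoot path is checked for every request, so it must be readable) can be put into a configuration like the following. It is an added example, not the poster's config: it assumes an empty directory /var/www/empty created for the purpose, and it reconstructs the <Directory> containers for the MediaWiki paths, which the archive stripped from the original post.

```apache
# Added example, not the configuration from the post. Assumes an empty
# directory /var/www/empty (root-owned, mode 0755) that contains no files.
DocumentRoot /var/www/empty

# httpd walks the DocumentRoot path for every request, including internal
# subrequests, so it has to be readable. An empty directory exposes nothing
# and turns the AH01630 403 for unmatched URLs into a plain 404, which
# fail2ban will not match.
<Directory /var/www/empty>
    Options None
    AllowOverride None
    Require all granted
</Directory>

# Keep the former web root closed in case something still maps to it
<Directory /var/www/html>
    Require all denied
</Directory>

# "Require host" costs a double-reverse DNS lookup on each request and
# depends on DNS being trustworthy; "Require ip <proxy address>" is cheaper
# and harder to spoof if the proxy has a fixed address.
<Directory /opt/local/mediawiki>
    Options ExecCGI
    AllowOverride None
    Require host proxy.example.com
</Directory>

<Directory /mnt/mediawiki/images>
    Options None
    AllowOverride None
    Require host proxy.example.com
</Directory>

Alias /wiki     /opt/local/mediawiki/index.php
Alias /w/images /mnt/mediawiki/images
Alias /w        /opt/local/mediawiki
```

To see which section produced a denial while debugging, `LogLevel authz_core:debug` makes mod_authz_core log the result of each Require evaluation (AH01626) with the path it applied to.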



Re: [users@httpd] Probably small problem with SSL config

2018-02-05 Thread Marat Khalili
>When I try to connect with HTTPS, I get the error:
>
>“Unable to retrieve https://<ip address>/:
>
>SSL error”

Isn't everything working as designed, since it is unlikely that you have SSL 
certificate issued for ip address? Probably try to connect by domain name 
instead?
-- 

With Best Regards,
Marat Khalili




Re: [users@httpd] Redirect only a specific index.php page to new location

2018-01-25 Thread Marat Khalili

On 24/01/18 22:53, Kory Wheatley wrote:
Ya there is a .htaccess that has the base set to deptblogs what could 
I change in here to get it to work?


[kwheatley@sftpface2 wordpress]$ cat .htaccess
RewriteEngine On
RewriteBase /deptblogs/
RewriteRule ^index\.php$ - [L]

# uploaded files
RewriteRule ^([_0-9a-zA-Z-]+/)?files/(.+) 
wp-includes/ms-files.php?file=$2 [L]


# add a trailing slash to /wp-admin
RewriteRule ^([_0-9a-zA-Z-]+/)?wp-admin$ $1wp-admin/ [R=301,L]

RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
RewriteRule ^[_0-9a-zA-Z-]+/(wp-(content|admin|includes).*) $1 [L]
RewriteRule  ^[_0-9a-zA-Z-]+/(.*\.php)$ $1 [L]
RewriteRule . index.php [L]
#Redirect 301 / http://intranet/template_departments.cfm


This looks too complex for me to interpret for sure without real-world 
tests, particularly because [L] in .htaccess context does not actually 
end rewriting 
<https://httpd.apache.org/docs/current/rewrite/flags.html#flag_l> like 
one might think. (If you really want to be sure no redirect is already 
in progress, test the REDIRECT_STATUS environment variable like this:

RewriteCond %{ENV:REDIRECT_STATUS} ^$

.)

Looks like you have added some rules while trying to solve your problem, 
while rest came from default Wordpress installation. I'd leave only 
default Wordpress ones and see if it solves unnecessary redirects.


--

With Best Regards,
Marat Khalili
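As an added example of the REDIRECT_STATUS check above applied to the original question (redirect only the /deptblogs/ front page, leave everything beneath it alone), here is a .htaccess that is not Kory's file: it assumes WordPress multisite lives under /deptblogs/ and that httpd is 2.4, where the END flag exists. The WordPress rules after the new block are the default ones, unchanged.

```apache
# Added example, not the poster's .htaccess. Assumes WordPress under
# /deptblogs/ on httpd 2.4 (needed for the END flag).
RewriteEngine On
RewriteBase /deptblogs/

# Match only "/deptblogs/" or "/deptblogs/index.php" as requested by the
# client. REDIRECT_STATUS is empty on the original request and set on the
# internal subrequest that "RewriteRule . index.php" below creates, so the
# front-controller rewrite cannot re-trigger this rule. END stops all
# further rewriting, which L alone does not do in per-directory context.
# 302 rather than 301 while testing: browsers cache 301s aggressively.
RewriteCond %{ENV:REDIRECT_STATUS} ^$
RewriteRule ^(index\.php)?$ http://intranet/template_departments.cfm [R=302,END]

# Stock WordPress multisite rules, unchanged
RewriteRule ^index\.php$ - [L]
RewriteRule ^([_0-9a-zA-Z-]+/)?files/(.+) wp-includes/ms-files.php?file=$2 [L]
RewriteRule ^([_0-9a-zA-Z-]+/)?wp-admin$ $1wp-admin/ [R=301,L]
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
RewriteRule ^[_0-9a-zA-Z-]+/(wp-(content|admin|includes).*) $1 [L]
RewriteRule ^[_0-9a-zA-Z-]+/(.*\.php)$ $1 [L]
RewriteRule . index.php [L]
```

A quick check is `curl -sI http://sftpinterface/deptblogs/` (expect 302 with the intranet Location) against `curl -sI http://sftpinterface/deptblogs/some-post/` (expect 200 served by WordPress).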


Re: [users@httpd] Redirect only a specific index.php page to new location

2018-01-21 Thread Marat Khalili

On 18/01/18 07:53, Kory Wheatley wrote:
When someone types to go to http://sftpinterface/deptblogs/  or a link 
I need it to redirect to http://intranet/template_departments.cfm. 
Which I was able to accomplish in the index.php header content with


http://intranet/template_departments.cfm;);

/* Make sure that code below does not get executed when we redirect. */
exit;
?>

It should work.

But the problem is all pages underneath http://sftpinterface/deptblogs 
redirect to http://intranet/template_departments.cfm. [...]
This shouldn't happen. Most likely there's another redirect rule 
somewhere, e.g. in .htaccess file.


--

With Best Regards,
Marat Khalili


Re: [users@httpd] Correctly configuring OCSP Stapling cache

2018-01-17 Thread Marat Khalili

Hello,



I.e., the following: Only ever do valid tickets end up in the cache.
After a period that is *shorter* than the ticket lifetime (one day in my
example), Apache tries to refresh the ticket. If a valid ticket is
returned by the responder, that ticket replaces the currently cached one
and is returned. If an invalid ticket ("try again" or timeout) is
returned by the responder, the valid cached ticket is returned.


Did you read 
https://blog.hboeck.de/archives/886-The-Problem-with-OCSP-Stapling-and-Must-Staple-and-why-Certificate-Revocation-is-still-broken.html 
? Judging by https://bz.apache.org/bugzilla/show_bug.cgi?id=57121 it is 
still unfixed, I wonder why too.


--

With Best Regards,
Marat Khalili





Re: [users@httpd] Apache Virtual Host not working properly

2017-12-30 Thread Marat Khalili
> For the second question, for sure it's not the application because I ever use 
> the same app before but i didn't get the problem [...]

Try to set ProxyPreserveHost
-- 

With Best Regards,
Marat Khalili




Re: [users@httpd] mirror a html site

2017-12-24 Thread Marat Khalili
> the resulting files are not browsable without creating a structure of folders 
> for each domain downloaded (the original www.mydomain.com and the folders for 
> the cdn) which ends up having an ugly URL
www.mydomain.com/www.mydomain.com/index.hml.
> 
> Can anyone know how to solve this without manual interaction?

Returning to topic, you can keep structure on disk as it is, and shorten 
user-visible URLs with redirects: one external redirect from /www.mydomain.com/ 
to / , and one internal back from / to /www.mydomain.com/ with appropriate 
exceptions for all other domains.
-- 

With Best Regards,
Marat Khalili

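The redirect pair described above (external from /www.mydomain.com/ to /, internal back again, with exceptions for the other mirrored hosts) looks like this in a vhost. It is an added example, not configuration from the thread; it assumes the wget mirror sits under /srv/mirror/<hostname>/ and that only www.mydomain.com and cdn.mydomain.com were downloaded.

```apache
# Added example, not from the thread. Assumes the mirror lives under
# /srv/mirror/<hostname>/ and two hosts were mirrored.
<VirtualHost *:80>
    ServerName   www.mydomain.com
    DocumentRoot /srv/mirror

    <Directory /srv/mirror>
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    RewriteEngine on

    # 1. External: a client that arrives at the on-disk path gets the short URL.
    RewriteRule ^/www\.mydomain\.com/(.*)$ /$1 [R=301,L]

    # 2. Internal: map the short URL back onto the on-disk directory, except
    #    for the other mirrored host, which keeps its own prefix. PT makes the
    #    result a URL-path under DocumentRoot rather than a filesystem path.
    #    In vhost context the rule set runs once per request, so the two
    #    rules do not loop.
    RewriteCond %{REQUEST_URI} !^/cdn\.mydomain\.com/
    RewriteRule ^/(.*)$ /www.mydomain.com/$1 [PT,L]
</VirtualHost>
```

Verify with `curl -sI http://www.mydomain.com/www.mydomain.com/index.html` (301 to /index.html) and `curl -sI http://www.mydomain.com/index.html` (200, served from /srv/mirror/www.mydomain.com/index.html).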



Re: [users@httpd] Authentication options besides basic

2017-12-22 Thread Marat Khalili
Basic authentication within an SSL connection is actually pretty secure, but not 
very user-friendly. For instance, digest authentication is actually less 
secure, because it forces you to store passwords in plaintext.

Form authentication, like everything inside the webpage, is better left to a 
layer above the web server. If you don't like basic authentication, you 
probably need to implement authentication as part of your Tomcat application.
-- 

With Best Regards,
Marat Khalili

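A minimal Basic-over-TLS setup in the sense of the reply above, as an added example rather than configuration from the thread. It assumes the vhost already has SSLEngine on and that the password file was created with `htpasswd -B -c /etc/apache2/htpasswd alice` (bcrypt, available since 2.4.4). On the storage point: htdigest keeps MD5(user:realm:password), which is password-equivalent for that realm and so has to be guarded like a plaintext password, whereas bcrypt hashes from htpasswd -B are not.

```apache
# Added example, not from the thread. Assumes HTTPS is already configured on
# this vhost and /etc/apache2/htpasswd was made with "htpasswd -B".
<Location /private>
    # Refuse even to prompt on a plaintext connection; otherwise the browser
    # would send base64(user:password) in the clear on every request
    SSLRequireSSL

    AuthType Basic
    AuthName "Restricted area"
    AuthBasicProvider file
    AuthUserFile /etc/apache2/htpasswd
    Require valid-user
</Location>
```

The file must be readable by the httpd user but not by the web root, so keep it outside DocumentRoot as shown.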



Re: [users@httpd] Best practice for restricting access to exact IP addresses

2017-12-01 Thread Marat Khalili

On 01/12/17 18:36, Timothy D Legg wrote:

and then believes that running a2dissite on all these, perhaps to make a
backup of a php-encrusted website (such as mine) that the document root
will default to the top level of all these sites and perhaps reveal SQL
passwords in the process.

I hope this is not true...


As far as I understand it will work exactly as you described, although 
keeping virtual hosts under the default document root is not a good 
practice. Also, leaving Apache listening on some port without configuring 
a site on that port does not look like good practice either.


I personally favour creating default virtualhost with dummy name which 
(among other things) will get shown to bots that don't provide host name 
or SNI. For instance, it may always return 403.


--

With Best Regards,
Marat Khalili




Re: [users@httpd] Best practice for restricting access to exact IP addresses

2017-12-01 Thread Marat Khalili

On 01/12/17 15:39, Timothy D Legg wrote:


To be much more explicit, this is a conf file located in
/etc/apache2/sites-available and is the only file symlinked into
/etc/apache2/sites-enabled
It is most likely included into /etc/apache2/apache2.conf or 
/etc/apache2/httpd.conf . Which most likely contains `Include 
ports.conf` which contains line `Listen 80`. Since no virtual host or 
DocumentRoot is defined for this port, most likely server uses compiled 
in value of DocumentRoot, which is most likely /var/www/html . Also, 
main conf most likely contains several `Require all ...` lines which 
affect all virtual hosts.


--

With Best Regards,
Marat Khalili





Re: [users@httpd] Best practice for restricting access to exact IP addresses

2017-12-01 Thread Marat Khalili

On 01/12/17 15:39, Timothy D Legg wrote:

There is only one virtualhost active, so it is inherently unique.


Just in case, verify it with: apachectl -D DUMP_VHOSTS


This is a privacy-sanitized edit of the exact conf file.


This is most likely a virtual-host conf file included into the main conf 
along with tons of other things.


--

With Best Regards,
Marat Khalili




Re: [users@httpd] Best practice for restricting access to exact IP addresses

2017-12-01 Thread Marat Khalili

On 01/12/17 13:42, Marat Khalili wrote:
Most likely it is overridden by other Directory or Location or some 
other kind of block somewhere in your configuration. Try to replace 
 with  to be closer 
to the end of pipeline as described here: 
https://httpd.apache.org/docs/current/sections.html#merging


P.S. Correction: second most likely. Most likely cause is incorrect 
virtualhost indeed.




--

With Best Regards,
Marat Khalili






Re: [users@httpd] Best practice for restricting access to exact IP addresses

2017-12-01 Thread Marat Khalili

I added these lines inside the  block:


Require ip 192.168.40.80


But a test revealed I was able to wget graphs/test.html on a different
machine (192.168.40.81).

I've only read the documentation.  Practically every non-Apache website
still uses Order-Allow-Deny methodologies, so it's still not clear how
this is actually done in practice.  Why did this not work?
Most likely it is overridden by other Directory or Location or some 
other kind of block somewhere in your configuration. Try to replace 
 with  to be closer to 
the end of pipeline as described here: 
https://httpd.apache.org/docs/current/sections.html#merging


--

With Best Regards,
Marat Khalili


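Two points from this thread in one configuration: the catch-all default vhost that answers 403 to bots without a matching Host header (from the 2017-12-01 18:36 reply) and a Require ip placed in a Location section so that it merges after any Directory or .htaccess grant (from the reply just above). This is an added example, not the poster's config; it assumes the Debian layout (ports.conf with "Listen 80", sites-enabled/*.conf), an empty /var/www/empty directory, and the ${APACHE_LOG_DIR} variable Debian's envvars defines.

```apache
# Added example, not the poster's config. Assumes Debian's layout and envvars.

# The first vhost for an address:port is the default: it also gets every
# request with no Host header or an unknown one. Make it deny everything.
<VirtualHost *:80>
    ServerName   default.invalid
    DocumentRoot /var/www/empty          # assumption: exists and is empty
    <Location />
        Require all denied               # plain 403 for anything that lands here
    </Location>
    ErrorLog ${APACHE_LOG_DIR}/default-error.log
</VirtualHost>

<VirtualHost *:80>
    ServerName   graphs.example.com
    DocumentRoot /var/www/site

    <Directory /var/www/site>
        Options None
        AllowOverride None               # no .htaccess may widen access
        Require all granted
    </Directory>

    # Location sections are merged after Directory, Files and .htaccess, and
    # with the default AuthMerging Off the last applicable Require replaces
    # the earlier ones, so this restriction wins over the grant above.
    <Location /graphs>
        Require ip 192.168.40.80
    </Location>
</VirtualHost>
```

`apachectl -D DUMP_VHOSTS` shows which vhost is the default for each port, and `curl -sI -H 'Host: nonsense' http://server/` should come back 403 from the first block.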



[users@httpd] On proxy insert header from database using client certificate CN as a key

2017-11-20 Thread Marat Khalili

Dear all,

I'd like to perform the following task on Apache proxy:
* take some value from client certificate (either common name or email);
* query some database by this value as a key;
* use resulting value in a new header inserted into connection.

Is it possible to solve it using only Apache modules? What modules 
should I look into?


(Plan B is to pre-generate Apache config with many If's on 
%{SSL:SSL_CLIENT_S_DN_CN}, but of course I'd like cleaner solution.)


--

With Best Regards,
Marat Khalili


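One way to do the three steps above with stock modules only, as an added example (not a configuration from the thread): mod_rewrite's dbd RewriteMap type, backed by mod_dbd, does the database lookup keyed on the client-certificate CN, and mod_headers copies the result into a request header before mod_proxy forwards it. Assumptions: mod_ssl, mod_rewrite, mod_dbd, mod_headers and mod_proxy(_http) are loaded; the backend listens on 127.0.0.1:8080; the database is PostgreSQL with a table users(cn, role); all paths and names are placeholders.

```apache
# Added example, not from the thread. Assumes mod_ssl, mod_rewrite, mod_dbd,
# mod_headers and mod_proxy_http, a PostgreSQL table users(cn, role), and a
# backend on 127.0.0.1:8080.
DBDriver  pgsql
DBDParams "host=db.example.internal dbname=auth user=httpd"
DBDPersist On

<VirtualHost *:443>
    ServerName proxy.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/proxy.pem
    SSLCertificateKeyFile /etc/ssl/private/proxy.key
    SSLCACertificateFile  /etc/ssl/certs/client-ca.pem
    SSLVerifyClient require
    SSLVerifyDepth  1

    # SQL lookup keyed on the client-certificate CN; %s is the escaped key,
    # so the CN cannot inject SQL even if the CA signs odd subjects.
    RewriteMap rolemap "dbd:SELECT role FROM users WHERE cn = %s"
    RewriteEngine on
    # Store the looked-up value in an env var, "none" if the CN is unknown
    RewriteRule ^ - [E=CLIENT_ROLE:${rolemap:%{SSL:SSL_CLIENT_S_DN_CN}|none}]

    # Overwrite unconditionally: a client must never be able to supply these
    # headers itself and have them reach the backend.
    RequestHeader set X-Client-CN   "%{SSL_CLIENT_S_DN_CN}s"
    RequestHeader set X-Client-Role "%{CLIENT_ROLE}e"

    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
```

Two caveats: the backend must accept these headers only from this proxy (bind it to localhost or filter by source address), because anything that can reach it directly can forge them; and the CN is only as unique as the issuing CA makes it, so the lookup key should be a field the CA guarantees is unique per subject.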



[users@httpd] Update OCSP stapling response in advance

2017-09-18 Thread Marat Khalili

Dear list,
good time of the day,

Is it possible to make Apache start requesting fresh OCSP response some 
time before previous one expires, in order to prevent outages due to 
poor OCSP server availability? SSLStaplingResponseMaxAge directive looks 
promising, but will it return older response if fresh one cannot be 
obtained, or will it just fail?


(Sorry if discussed earlier, I remember something along these lines, but 
don't remember if some solution or workaround was found.)


--

With Best Regards,
Marat Khalili




Re: [users@httpd] Permission to enable CGI Scripts to do an I/O on the file system

2017-08-11 Thread Marat Khalili
> So, there's no way of creating a log file in the default directory or some 
> special directory ?

Apache usually logs stderr of CGI scripts to its error log, you can use this. 
If you give any file or directory the permissions you observe on your /tmp file 
(something like writeable by group www-data), it might work for debugging, or 
not if SELinux or apparmor gets in the way.

A better solution for debugging Python scripts is cgitb: it will show everything 
but syntax errors in the browser window, and syntax errors will still be visible in 
the Apache logs. In production you can configure cgitb to create tracefiles in a 
predefined directory.

(Also, typical initial problem with CGI scripts is forgetting to write HTTP 
headers.)
-- 

With Best Regards,
Marat Khalili

On August 11, 2017 9:20:19 PM GMT+03:00, Kiorp Pilu <klp...@gmail.com> wrote:
>Hello Marat,
>
>Thanks for the comment.
>Yes, I am in the linux environment on a cluster. Tested your idea.
>
>1. The script works, but no output file is written on the cluster i.e.
>earlier I can't see anything in the console of my browser, now I see
>that
>the script executes successfully read off from the console.
>[  ]
>
>2. So, there's no way of creating a log file in the default directory
>or
>some special directory ?
>
>However, I have set it up in Xampp and it works great, just worked out
>of
>the box.
>
>On Fri, Aug 11, 2017 at 12:59 AM, Marat Khalili <m...@rqc.ru> wrote:
>
>> You didn't specify system, so I assume it's a standard Linux
>installation.
>> CGI scripts by default run with permissions of the web server, which
>are
>> intentionally limited. However, you can create new files and
>directories in
>> /tmp, possibly using tempfile module. If you want more than just a
>> temporary file then you should consider using database since writing
>> arbitrary files from CGI scripts would otherwise cause concurrency
>and
>> security problems.
>> --
>>
>> With Best Regards,
>> Marat Khalili
>>
>> On 11/08/17 00:29, Kiorp Pilu wrote:
>>
>> Hello,
>>
>> I have written a python script that will spit out a log file. This
>python
>> script will be executed as a CGI script.
>>
>> I am able to run the python program, but not able to make it write to
>an
>> output file. How can I enable Apache web server to do so ?
>>
>> Thanks,
>> Dann
>>
>>
>>
>>
>>
>>


Re: [users@httpd] Permission to enable CGI Scripts to do an I/O on the file system

2017-08-11 Thread Marat Khalili
You didn't specify system, so I assume it's a standard Linux 
installation. CGI scripts by default run with permissions of the web 
server, which are intentionally limited. However, you can create new 
files and directories in /tmp, possibly using tempfile module. If you 
want more than just a temporary file then you should consider using 
database since writing arbitrary files from CGI scripts would otherwise 
cause concurrency and security problems.


--

With Best Regards,
Marat Khalili

On 11/08/17 00:29, Kiorp Pilu wrote:

Hello,

I have written a python script that will spit out a log file. This 
python script will be executed as a CGI script.


I am able to run the python program, but not able to make it write to 
an output file. How can I enable Apache web server to do so ?


Thanks,
Dann








Re: [users@httpd] graceful restarts

2017-07-31 Thread Marat Khalili

  I assume that a certain time of day (or even time of week?) would be most 
desirable to configure for such a restart? Anything else?
A lot of additional actions could be required, therefore the opportunity to 
call a shell script or a sequence of shell commands is the best.


For instance, I currently auto-renew certificates with a custom script, 
and apart from restarting Apache it also:

* commits changes to etckeeper;
* propagates new certificates to other users (SMTP server in my case).

--

With Best Regards,
Marat Khalili





Re: [users@httpd] Migrate webDAV on IIS to Apache?

2017-07-21 Thread Marat Khalili
Hello,

WebDAV is just a file access protocol, and Apache supports it. Neither server holds 
any data; it just rests in the filesystem or can be managed by some 
application. Depending on what you're accessing you can even run Apache and IIS 
in parallel. What exactly are you afraid to lose?
-- 

With Best Regards,
Marat Khalili

On July 22, 2017 12:06:43 AM GMT+03:00, Todd Blum <t...@toddblum.org> wrote:
>Hello,
>
>I'm currently have IIS set up to run webDAV.  Is it possible to migrate
>to 
>webDAV on Apache instead without losing any data?
>
>Todd
>
>--
>Todd Blum
>http://www.toddblum.org
>
>


Re: [users@httpd] Apache 2.4 access control question

2017-07-19 Thread Marat Khalili

On 19/07/17 02:02, Jason Brooks wrote:
The same thing happens if I don’t use a .htaccess file but instead 
define a  section in my apache config.

What happens if you try ?

--

With Best Regards,
Marat Khalili




Re: [users@httpd] Re: 'require' directive result

2017-06-20 Thread Marat Khalili
My 2.4.18 already logs AH01797 (client denied by server configuration) 
to a configured ErrorLog in this case. I don't use syslog myself so I 
cannot help you with this part, but quick google search shows it is 
possible in various ways.


--

With Best Regards,
Marat Khalili

On 20/06/17 11:42, Andrei Ivanov wrote:

Anybody? Can this be done in some way?

On Fri, Jun 16, 2017 at 4:23 PM, Andrei Ivanov 
<andrei.iva...@gmail.com <mailto:andrei.iva...@gmail.com>> wrote:


Hi,
Now that I've managed to configure my 'require' directive, I have
a requirement to log some details to syslog in case the request is
not authorized.


  Require expr ""
  // if expression is false, log details about the request and
maybe the SSL certificate to syslog


I've searched around, but I can't find how I could do that.

Please help.

Thank you






Re: [users@httpd] Re: Access control to allow local clients or remote with SSL client certificate

2017-06-16 Thread Marat Khalili

Technically it should work, but you may also want to:

1. Check that the client belongs to some organization/unit as specified in 
the certificate, see 
https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslrequire for an 
example. (BTW I don't know if %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ is still 
necessary, but I'd specify it just in case.)


2. Configure a revocation list using SSLCARevocationCheck and 
SSLCARevocationFile (see same page). But be careful to update your CRL 
file and reload your server timely (there's usually a cron job for 
this), or it'll stop accepting any certificates as soon as the CRL expires.


Without these changes you are granting access to any certificate you (or 
any other CAs specified in SSLCACertificateFile) ever issued, even to 
unrelated or obsolete ones.


--

With Best Regards,
Marat Khalili

On 16/06/17 12:24, Darren S. wrote:

I ended up with this as a test; is this as easy as it should be?

 ServerName example.com
 DocumentRoot /var/www/app

 SSLEngine On
 SSLCertificateFile /etc/ssl/certs/server.crt
 SSLCertificateKeyFile /etc/ssl/private/server.key
 SSLCACertificateFile "/etc/apache2/client-ca.crt"
 
 SSLVerifyClient optional
 SSLVerifyDepth 1
 Options -Indexes
 AllowOverride all
 
 Require ssl-verify-client
 Require local
 
 





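The two additions suggested above applied to Darren's test vhost, as an added example (not his configuration or Marat's): the attribute check uses 2.4's Require expr, which is what SSLRequire is deprecated in favour of, and the CRL directives are added. Assumed values: the CRL at /etc/apache2/client-ca.crl, the issuing CA named "Example Client CA", and the permitted OU "Ops".

```apache
# Added example, not from the thread. Assumes a CRL file for the client CA at
# /etc/apache2/client-ca.crl, issuer CN "Example Client CA" and an OU "Ops".
<VirtualHost *:443>
    ServerName   example.com
    DocumentRoot /var/www/app

    SSLEngine On
    SSLCertificateFile    /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key
    SSLCACertificateFile  /etc/apache2/client-ca.crt

    # Reject revoked certificates. The CRL has a nextUpdate; once it passes,
    # every client certificate is refused, so refresh the file and reload
    # httpd from cron well before that.
    SSLCARevocationFile  /etc/apache2/client-ca.crl
    SSLCARevocationCheck chain

    SSLVerifyClient optional          # "optional" so that "Require local" can still apply
    SSLVerifyDepth  1

    <Directory /var/www/app>
        Options -Indexes
        AllowOverride None
        <RequireAny>
            # Either the request comes from this host itself...
            Require local
            # ...or it carries a verified certificate from the expected CA
            # and unit, not just any certificate that CA ever issued.
            <RequireAll>
                Require ssl-verify-client
                Require expr "%{SSL_CLIENT_I_DN_CN} == 'Example Client CA' && %{SSL_CLIENT_S_DN_OU} == 'Ops'"
            </RequireAll>
        </RequireAny>
    </Directory>
</VirtualHost>
```

Test the revocation path explicitly: issue a certificate, confirm access, revoke it, regenerate the CRL, reload httpd, and confirm the same client now gets a TLS alert or 403 rather than content.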



Re: [users@httpd] Suggestion/Question about HTTP & HTTPS configurations

2017-05-20 Thread Marat Khalili
If you really don't need vhost-specific HTTPS configurations (have wildcard 
certificate?), you can probably make HTTPS copies of all of your HTTP vhosts 
with some clever use of mod_proxy and mod_rewrite. I wouldn't recommend going 
this way though, sounds like interesting exercise but more trouble than 
benefits in production.

> Debian uses "Include" by default because of it's built-in `a2ensite` 
> shortcut. Even with the Include (as your code illustrates) there needs to be 
> a Virtual Host configuration block for HTTP on port 80 and for HTTPS on port 
> 443.

You can still use your Include within that Include. Works great for me.

> Unless specifically configured differently, why not assume they are the same 
> (as HTTP/port 80 for a matching Virtual Host)?

Because: 
* Most real installations are more complex than that.
* Apache configuration does not work this way (what if I don't want either of 
HTTP or HTTPS vhosts?)
* Every HTTPS vhost normally needs some configuration, at least a separate 
certificate.
* Finally, your proposed behavior is not even a good default these days 
(redirect from HTTP to HTTPS is).
-- 

With Best Regards,
Marat Khalili

On May 20, 2017 7:46:39 PM GMT+03:00, Adam Powell <a...@adaminfinitum.com> 
wrote:
>Hi Daniel,
>
>Thanks for trying to help but maybe I didn't explain this well enough.
>
>Debian uses "Include" by default because of it's built-in `a2ensite`
>shortcut.
>
>Even with the Include (as your code illustrates) there needs to be a
>Virtual Host configuration block for HTTP on port 80 and for HTTPS on
>port
>443.
>
>Unless specifically configured differently, why not assume they are the
>same (as HTTP/port 80 for a matching Virtual Host)?
>
>I hope that helps clarify.
>
>Adam Powell
>http://www.adaminfinitum.com
>
>
>On Sat, May 20, 2017 at 6:05 AM, Daniel <dferra...@gmail.com> wrote:
>
>> There is a directive called "Include"
>>
>> With this directive you can specify any number of directives in a
>file
>> and then define the Include pointing to the same file wherever you
>may
>> need.
>>
>> For instance
>>
>> 
>> Include conf/common.conf
>> 
>>
>> 
>> SSLEngine on
>> SSLCertificatefile conf/x509.crt
>> SSLCertitificateKeyFile conf/rsa.key
>> Include conf/common.conf
>> 
>>
>> and common.conf can have:
>> ServerName myserver.exam.com
>> DocumentRoot /var/www
>> DirectoryIndex index.html
>> FallbackResource /index.html
>> Redirect /one/ /two/
>> Header set myheader "Hello"
>> # and all directives you may need.
>>
>>
>>
>>
>> 2017-05-20 2:53 GMT+02:00 Adam Powell <a...@adaminfinitum.com>:
>> > Hello,
>> >
>> > I am a user of Apache in the sense that I install it, configure it
>and
>> run
>> > it to host sites...I'm hoping this is the correct list to send this
>to.
>> >
>> > Anyway, I recently did my first "from scratch" Apache install,
>build and
>> > configuration in a cloud server (I had always used cPanel & WHM
>before).
>> >
>> > My suggestion is that Apache should "assume" that port 80 for HTTP
>and
>> port
>> > 443 for HTTPS and that they both serve the same content.
>> >
>> > I'm not suggesting people shouldn't be able to customize it, but
>adding
>> > duplicate and redundant directives for each Virtual Host for HTTP
>and
>> HTTPS
>> > seems unneeded.
>> >
>> > In short, I'm suggesting a "smart default" that in the absence of a
>> specific
>> > Virtual Host configuration for HTTPS, just assumes that the HTTPS
>matches
>> > the HTTP config for that Virtual Host.
>> >
>> > Background: I got Apache (2.4.x) up and running on a Debian VM,
>> configured
>> > all my Virtual Hosts, installed an SLL certificate and went to view
>the
>> > HTTPS version of a site.
>> >
>> > I was redirected to the 'default' page for the server (not the
>default
>> page
>> > for the Virtual Host).
>> >
>> > I then realized I needed additional, identical rules for that
>Virtual
>> Host
>> > for HTTPS on port 443...simply put, it seems like that extra level
>of
>> > configuration shouldn't be required...that it should work that way
>> > automagically unless specifically configured otherwise.
>> >
>> > If not, I'd love to know why that's a bad idea.
>> >
>> > Thanks!
>> >
>> > Adam Powell
>> > http://www.adaminfinitum.com
>> >
>>
>>
>>
>> --
>> Daniel Ferradal
>> IT Specialist
>>
>> email dferradal at gmail.com
>> linkedin es.linkedin.com/in/danielferradal
>>
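What the last point in the reply above amounts to in practice, written as an added example for this page (not configuration from either poster): the port-80 vhost does nothing but redirect, the port-443 vhost carries the certificate and pulls the shared directives from an included file, so the two cannot drift apart. Assumptions: one certificate per name from Let's Encrypt, Debian's layout, and a ServerRoot-relative directory sites-common/ for the shared fragments.

```apache
# Added example, not from the thread. Assumes Let's Encrypt paths, Debian's
# layout, and a ServerRoot-relative sites-common/ directory for shared parts.
<VirtualHost *:80>
    ServerName www.example.com
    # Plain HTTP exists only to send clients to HTTPS
    Redirect permanent / https://www.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/www.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.example.com/privkey.pem
    # Once a browser has seen the site over TLS, keep it there for six months
    Header always set Strict-Transport-Security "max-age=15768000"
    Include sites-common/www.example.com.conf
</VirtualHost>

# sites-common/www.example.com.conf holds everything both vhosts would
# otherwise duplicate, for instance:
#   DocumentRoot /var/www/www.example.com
#   <Directory /var/www/www.example.com>
#       Options None
#       AllowOverride None
#       Require all granted
#   </Directory>
```

Keep the HSTS max-age short until every subdomain you serve works over HTTPS; it cannot be undone on clients that have already cached it.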


Re: [users@httpd] TLS1.2

2017-05-17 Thread Marat Khalili
And, for completeness, if your server is public-facing (no pages need to 
be available, being able to connect is enough): 
https://www.ssllabs.com/ssltest/



--

With Best Regards,
Marat Khalili

On 16/05/17 22:04, ANKIT PALRECHA wrote:

Hello Team,

Any idea how can we test if apache supports TLS1.1 and TLS1.2?


This is bundled with openssl?


Please share detail on tls , how to test?

Thanks
Ankit Jain
+91-9741336404




Re: [users@httpd] How to customize error responses (while using mod_rewrite)?

2017-05-15 Thread Marat Khalili
Just in case you are stuck, you can always use internal redirect to a CGI 
script (or PHP or whatever) and write whatever response you want with that 
script. It's kind of cheating but it should work.
-- 

With Best Regards,
Marat Khalili

On May 15, 2017 5:46:52 PM GMT+03:00, Jens Schleusener 
<jens.schleuse...@t-online.de> wrote:
>Hi,
>
>my general question is how I can generate customized error responses
>while using the mod_rewrite module. Yes, I know the page
>
>  https://httpd.apache.org/docs/2.4/custom-error.html
>
>but the ErrorDocument directive allows only to do some customization per
>status code optionally refined by context but I want to output customized
>error pages specifically for many different request conditions determined
>mainly by various RewriteCond directives.
>
>Here an actual special example: On a server running httpd 2.4 I want to
>disallow the HTTPS access using the TLSv1.0 protocol. In order to do that
>not too "hard" but a little bit client-friendly, TLSv1.0 accesses aren't yet
>really disabled but redirected for a limited period to an according
>information page. Currently that is realized with the following
>configuration
>
>  RewriteCond %{SSL:SSL_PROTOCOL} ^TLSv1$
>  RewriteRule (.*) /https_tlsv10.html [R=permanent,L]
>
>The big disadvantage of that solution is that it returns an obviously
>incorrect HTTP response status code 301 ("Moved Permanently") but I want
>that the server returns an appropriate 4xx or 5xx status code (ok, I am not
>sure what would be an "appropriate" one). By the way, the current 301
>redirection lets some bots (still using TLSv1.0) nevertheless access that
>information page many thousand times (but maybe they would do that also
>with a returned 4xx or 5xx response status code).
>
>Unfortunately for the RewriteRule directive e.g. a Rewrite flag R=4xx
>instead of R=permanent isn't allowed (only 300-399, why?) so I had
>considered the usage of the  directive but didn't find a working
>solution.
>
>So maybe the only working solution is the detour via an external CGI
>program.
>
>Probably I have overlooked something, so any ideas or comments?
>
>Jens
>
>
>-
>To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
>For additional commands, e-mail: users-h...@httpd.apache.org
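Marat's suggestion of an internal redirect to a CGI script, worked through as an added example (this is not code from the thread or from httpd): a Python CGI script that answers with a non-redirect status and a custom body. The `Status:` header is how a CGI script sets the HTTP status (RFC 3875). The choice of 426 Upgrade Required is my assumption for the TLSv1.0 case Jens describes, the `SSL_PROTOCOL` variable is only present when mod_ssl exports it (`SSLOptions +StdEnvVars`), and the script path `/cgi-bin/tls_notice.py` is a placeholder; the RewriteRule would then target that path without an `R` flag so that httpd performs an internal redirect instead of sending a 3xx.

```python
#!/usr/bin/env python3
"""Added example: CGI script that answers with a custom 4xx page instead of a 301.

Reached through an internal rewrite (no R flag), so the client sees this
response under the URL it originally requested.  Status code, wording and the
script path are assumptions, not something the thread prescribes.
"""
import html
import os
import sys

# 426 Upgrade Required (RFC 7231 section 6.5.15) tells the client to retry with a
# newer protocol; RFC 7231 requires an Upgrade header on that response.
DEFAULT_STATUS = (426, "Upgrade Required")
UPGRADE_TARGET = "TLS/1.2, HTTP/1.1"   # assumed target; token style follows RFC 2817


def build_response(env, status=DEFAULT_STATUS):
    """Return (header_list, body) for the given CGI environment.

    Everything echoed from the request is HTML-escaped: an error page that
    reflected the request URI unescaped would turn a crafted URL into
    script injection on the error page itself.
    """
    code, reason = status
    proto = html.escape(env.get("SSL_PROTOCOL", "unknown"))   # set by mod_ssl with +StdEnvVars
    uri = html.escape(env.get("REQUEST_URI", "/"))
    body = (
        "<!DOCTYPE html><html><head><meta charset='utf-8'>"
        f"<title>{code} {html.escape(reason)}</title></head><body>"
        f"<h1>{code} {html.escape(reason)}</h1>"
        f"<p>Your connection used {proto}, which this server no longer accepts "
        f"for <code>{uri}</code>. Please update your client to TLS 1.2 or newer.</p>"
        "</body></html>\n"
    )
    headers = [
        ("Status", f"{code} {reason}"),            # RFC 3875: CGI sets the HTTP status this way
        ("Content-Type", "text/html; charset=utf-8"),
        ("Cache-Control", "no-store"),             # an error aimed at one client must not be cached
    ]
    if code == 426:
        headers.append(("Upgrade", UPGRADE_TARGET))
    return headers, body


def serialize(headers, body):
    """CGI output: header lines, blank line, body."""
    return "".join(f"{k}: {v}\r\n" for k, v in headers) + "\r\n" + body


def main():
    headers, body = build_response(os.environ)
    sys.stdout.write(serialize(headers, body))


if __name__ == "__main__":
    main()
```

Because the rewrite is internal, the status and body reach the client as the response to its own request, which is what the ErrorDocument mechanism cannot do per RewriteCond. The same script works for any other code by passing a different `status` tuple.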


Re: [users@httpd] Apache 2.4: Proxy certificate configuration question

2017-05-04 Thread Marat Khalili
Sorry, haven't configured it this way; probably someone who did will 
help. I can only advise you to look into SSLProxyMachineCertificatePath, 
maybe you could use that.



--

With Best Regards,
Marat Khalili

On 04/05/17 14:54, Markus Gausling wrote:

Thanks for response.

Maybe I did not make it clear but I need to have the certificates for the
authentication between HTTP Proxy and WebServer. So HTTP Proxy shall
authenticate WebServer and vice versa with the client certificate and
the secret key.

The clients that use the HTTP Proxy shall not be involved here and
authentication shall be handled completely between HTTP Proxy and remote
WebServer.

Basically I have configured the HTTP Proxy using
SSLProxyMachineCertificateFile and it is working fine. The problem I have
is that I have certificate and key as two separate files and so I
always have to combine them into one (and rewrite key BEGIN and END to add
RSA).

Regards
Markus Gausling


2017-05-04 12:54 GMT+02:00 Marat Khalili <m...@rqc.ru>:

You configure certificates of your proxy server exactly the same
way as for web server, using SSLCertificateFile,
SSLCertificateKeyFile and possibly SSLCertificateChainFile. Most
likely you don't need SSLProxyMachineCertificateFile (it
configures _client_ certificate of your server before other servers).


--

With Best Regards,
Marat Khalili

On 03/05/17 18:11, Markus Gausling wrote:

Hello,

when Apache is configured as a WebServer I can configure the private
key and the certificate of the server separately using
SSLCertificateFile and SSLCertificateKeyFile.

When configuring Apache as an HTTP Proxy (Reverse Proxy or Forward
Proxy) it seems I can only configure the proxy private key and
certificate if they are combined into a single PEM file with
SSLProxyMachineCertificateFile.

Is that understanding correct or is there also a way to define key and
certificate for an HTTP Proxy configuration separately?

Regards
Markus
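Markus's step of concatenating the certificate and key and rewriting the BEGIN/END lines to add RSA deserves a sanity check, added here as an example that is not from the thread or from httpd. The label on a PEM block is only a hint: a PKCS#8 key (`BEGIN PRIVATE KEY`) whose header is relabelled `BEGIN RSA PRIVATE KEY` still contains PKCS#8 DER, and a parser that dispatches on the label will try to read it as PKCS#1 and reject it. The script below lists the blocks in a bundle such as the one SSLProxyMachineCertificateFile expects and tells the two encodings apart from their structure; the DER samples at the bottom are constructed stand-ins with just enough structure to exercise the check, not real keys. The proper fix for a PKCS#8 key is to convert it (`openssl rsa -in key.pem -out key.pem`, with `-traditional` on OpenSSL 3) rather than edit the label.

```python
"""Added example (not from the thread): inspect a combined cert+key PEM file."""
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_blocks(text):
    """Return [(label, der_bytes), ...] in file order."""
    return [
        (m.group(1), base64.b64decode("".join(m.group(2).split())))
        for m in PEM_BLOCK.finditer(text)
    ]


def der_tlv(buf, pos=0):
    """Decode one DER tag-length header at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next (length & 0x7F) bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def rsa_key_encoding(der):
    """Classify an unencrypted RSA key by structure, ignoring the PEM label.

    PKCS#1:  SEQUENCE { INTEGER version, INTEGER modulus, ... }
    PKCS#8:  SEQUENCE { INTEGER version, SEQUENCE AlgorithmIdentifier, OCTET STRING key }
    So after the version INTEGER, the next tag decides: 0x02 (PKCS#1) vs 0x30 (PKCS#8).
    """
    try:
        tag, start, _ = der_tlv(der)
        if tag != 0x30:
            return "not-a-sequence"
        vtag, _, vend = der_tlv(der, start)
        if vtag != 0x02:
            return "unknown"
        ntag, _, _ = der_tlv(der, vend)
    except IndexError:
        return "truncated"
    return {0x02: "pkcs1", 0x30: "pkcs8"}.get(ntag, "unknown")


# What each label promises; a mismatch means someone edited the header by hand.
LABEL_ENCODING = {"RSA PRIVATE KEY": "pkcs1", "PRIVATE KEY": "pkcs8"}


def check_machine_cert_file(text):
    """Return (labels_in_order, findings) for a cert+key bundle; empty findings is a pass."""
    blocks = pem_blocks(text)
    labels = [label for label, _ in blocks]
    findings = []
    if "CERTIFICATE" not in labels:
        findings.append("no CERTIFICATE block")
    keys = [(label, der) for label, der in blocks if label in LABEL_ENCODING]
    if not keys:
        findings.append("no private key block")
    for label, der in keys:
        actual = rsa_key_encoding(der)
        if actual != LABEL_ENCODING[label]:
            findings.append(
                f"'{label}' block is really {actual}: relabelling the header does not change the encoding"
            )
    return labels, findings


def make_pem(label, der):
    """Wrap DER bytes in a PEM block (64-column base64); used to build the sample inputs."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed DER stand-ins: only the outer structure matters to the check.
PKCS1_LIKE_DER = bytes.fromhex("300b0201000203010001020103")        # SEQ{INT 0, INT 65537, INT 3}
PKCS8_LIKE_DER = bytes.fromhex("300d020100300606042a8648860400")    # SEQ{INT 0, SEQ{OID}, OCTET STRING}
CERT_LIKE_DER = bytes.fromhex("3000")                                # empty SEQUENCE placeholder

if __name__ == "__main__":
    import sys
    with open(sys.argv[1]) as f:
        print(check_machine_cert_file(f.read()))
```

Run it against the combined file before pointing SSLProxyMachineCertificateFile at it; a finding mentioning pkcs8 means the key needs converting, not relabelling.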







Re: [users@httpd] Apache 2.4: Proxy certificate configuration question

2017-05-04 Thread Marat Khalili
You configure certificates of your proxy server exactly the same way as 
for web server, using SSLCertificateFile, SSLCertificateKeyFile and 
possibly SSLCertificateChainFile. Most likely you don't need 
SSLProxyMachineCertificateFile (it configures _client_ certificate of 
your server before other servers).



--

With Best Regards,
Marat Khalili

On 03/05/17 18:11, Markus Gausling wrote:

Hello,

when Apache is configured as a WebServer I can configure the private
key and the certificate of the server separately using
SSLCertificateFile and SSLCertificateKeyFile.

When configuring Apache as an HTTP Proxy (Reverse Proxy or Forward
Proxy) it seems I can only configure the proxy private key and
certificate if they are combined into a single PEM file with
SSLProxyMachineCertificateFile.

Is that understanding correct or is there also a way to define key and
certificate for an HTTP Proxy configuration separately?

Regards
Markus




Re: [users@httpd] XSS Issue in v2.0.59

2017-05-02 Thread Marat Khalili
XSS is a vulnerability of the application running on top of web-server 
and browser, there's hardly a way to fix it on a web-server level. But 
outdated web-server may have vulnerabilities of its own.


Of the ways you listed #1 without #2 usually doesn't work; OTOH #2 done 
comprehensively (with some library) usually helps. But it has nothing to 
do with Apache.


--

With Best Regards,
Marat Khalili

On 02/05/17 06:24, Hagan, Mark wrote:


Hello All,

Looking for some help to determine if I can configure Apache 2.0.59 to 
address a couple Cross Site Scripting (XSS) vulnerabilities. I'm not 
able to upgrade to a later version, so I'm trying to understand if 
there is functionality within this version to address the XSS issue.



I have 2 specific issues:

1. Validating input (whitelisting acceptable characters)

2. Sanitizing or encoding output (For instance, the character < would 
be encoded as &lt; which would be displayed by the browser as the 
“less-than” character instead of being interpreted as the start
of an HTML tag.)


I am not an experienced apache administrator, so any help would be 
most appreciated.


Thanks.
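To make the two numbered items concrete, here is an added Python example (not code from the thread, and not something Apache can do for you) showing why allow-list validation alone is not enough and what output encoding with a library call looks like. The name policy and the markup are constructed for the demonstration.

```python
"""Added example: input validation (#1) versus output encoding (#2) for XSS."""
import html
import re

# Allow-list for a display name (constructed policy): letters, digits, space, dot, apostrophe, hyphen.
NAME_PATTERN = re.compile(r"[\w .'-]{1,40}")


def validate_name(name):
    """Step #1: reject anything outside the allow-list.  '<' and '"' never get through."""
    return NAME_PATTERN.fullmatch(name) is not None


def render_validated_only(name):
    """Validation without encoding: the apostrophe is legitimate in a name, but it also
    terminates a single-quoted attribute, so the allow-list has not made this safe."""
    return f"<span title='{name}'>Hello, {name}</span>"


def render_encoded(name):
    """Step #2: encode for the HTML context at the point of output.  html.escape with
    quote=True turns & < > \" and ' into entities, so the value cannot close the attribute."""
    safe = html.escape(name, quote=True)
    return f"<span title='{safe}'>Hello, {safe}</span>"


def render(name):
    """Both steps: validation limits what is stored, encoding makes whatever is stored inert."""
    if not validate_name(name):
        raise ValueError("name rejected by allow-list")
    return render_encoded(name)


def attribute_value(markup):
    """Helper for the check: what an HTML parser would take as the title attribute's value."""
    m = re.search(r"title='([^']*)'", markup)
    return m.group(1) if m else None
```

The allow-list is still worth keeping: it stops junk from ever being stored. But it is the encoding step, applied to every value at every output point, that actually neutralises markup, which is why a library that knows the HTML, attribute and JavaScript contexts is the part that helps.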





Re: [users@httpd] Problem with Apache2 after upgrade from Ubuntu14.04 to 16.04

2017-04-18 Thread Marat Khalili
> Given where I AM what would you suggest would be the best course of action to 
> get back to a working system please?

As was already suggested, run:
  sudo netstat -tpln
to see what program occupies port 80. Also try:
  ps -AFH
to see if other instances of Apache are already running. Compare their PIDs 
with those reported by:
  systemctl status apache2

If you don't know how to interpret the outputs post them here.

If you already established that e.g. nginx is to blame, decide what to do with 
it, e.g. daisy-chain web servers, bind them to different IPs or leave only one.
-- 

With Best Regards,
Marat Khalili

Re: [users@httpd] Problem with Apache2 after upgrade from Ubuntu14.04 to 16.04

2017-04-18 Thread Marat Khalili
Versions of Apache used by 14.04 and 16.04 are in fact very close: 2.4.7 
and 2.4.18, I doubt their configurations are so much different (unless 
14.04 was also an upgrade, since 13.10 used 2.2.x AFAIR). Breakage in 
the way Apache is started (upstart vs systemd) is much more probable. 
Reinstallation of Apache might not even fix this.


Moreover, Apache clearly complains about ports being already in use. I'd 
investigate what uses the ports before doing anything else. It could 
even be Apache itself (a different instance started independently).



--

With Best Regards,
Marat Khalili


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org



Re: [users@httpd] SSLSessionCache file not created

2017-04-13 Thread Marat Khalili

Hello,

I tried to investigate this issue on my installations (I have it too), 
but didn't come to any conclusion. Here (scroll all the way down) 
someone suggests that moving it to /dev/shm fixes the problem: 
https://serverfault.com/questions/400089/apache2-sslsessioncache-running-but-not-working . 
I didn't have time to try it myself in some VM, and obviously don't 
work to experiment on production installations.




Both these link destinations are deleted. So it looks like the SSL
session and stapling caches are created, opened, and then deleted, with
the file descriptors remaining active and the caches remaining functional.
This is totally normal practice in UNIX to create files and immediately 
delete them. They will continue to exist as long as any process(es) 
holding handles on these files are running. However, examples you provided 
are about different files, not ssl_scache. I couldn't find a deleted 
handle on ssl_scache in my system.




the above file descriptors point inside /run/, not /var/run/

These are probably symlinked.


--

With Best Regards,
Marat Khalili



Re: [users@httpd] Apache 2.4 : Rewrite to keep the original URL

2017-03-11 Thread Marat Khalili
Best way is to avoid redirects completely: show requested application page if 
user is authenticated, otherwise show login page. This is what happens if you 
use apache authentication modules, like mod_auth_basic (warning: SSL is 
mandatory for it). Some applications use redirects, but pass original url in 
query string and hidden form fields.

From your scenario it is not clear how application will know that user actually 
passed login page and not typed application URL directly. Also, you'll need to 
securely pass user identity from login page to application. Generally, writing 
your own authentication is not recommended, because it's almost impossible to 
avoid major security blunders when you do it the first time.
-- 

With Best Regards,
Marat Khalili

On March 11, 2017 4:07:54 PM GMT+03:00, "Fabio S. Schmidt" 
<fa...@improve.inf.br> wrote:
>Hi,
>
>I'm trying to set up an environment with a frontend interface which logs in
>and redirects to my application.
>
>The scenario is: The user accesses webmail.domain.com and the login page
>redirects to the application, running on the same host, but on port 81.
>
>How could I keep the original URL? I mean, the browser should keep the
>"webmail.domain.com" as the address.
>
>My Apache configuration:
>
>
>DocumentRoot "/var/www/html/login_domain"
>DirectoryIndex index.html *.php
>ServerName webmail.domain.com
>SSLEngine on
>SSLCertificateFile /etc/ssl/crt/apache.crt
>SSLCertificateKeyFile /etc/ssl/crt/apache.key
>SSLCertificateChainFile /etc/ssl/crt/ca.crt
>
>
>
>DocumentRoot "/var/www/html/login_domain"
>DirectoryIndex index.html *.php
>ServerName  webmail.domain.com
>
>
>Kind regards.
>Fabio S. Schmidt
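Two of the points raised in the reply, how the application knows the user really came through the login page and how the original URL survives the round trip, as an added Python example (not from the thread). It assumes the application shares a secret with the login page and that the destination travels in a `next` query parameter; the hostname is the one from Fabio's configuration and the secret and lifetime are constructed values. The `next` check matters because a login page that redirects wherever the parameter says is an open redirect; the token is the minimal signed hand-off. The reply's point stands that httpd's own authentication modules avoid writing any of this.

```python
"""Added example: validating a post-login destination and signing the identity hand-off."""
import hashlib
import hmac
import time
from urllib.parse import urlencode, urlsplit, urlunsplit

APP_HOST = "webmail.domain.com"          # host from the thread's configuration
TOKEN_LIFETIME = 300                      # seconds; assumed value
SECRET = b"constructed-demo-secret"       # shared by login page and application (example only)


def safe_next_url(candidate, default="/"):
    """Accept only a same-site absolute path as the post-login destination.

    Rejects full URLs, '//host' and '///host' forms (browsers read both as a
    new authority) and backslashes ('/\\host' is read as '//host'), any of which
    would make the login page an open redirect.  The query string is kept so the
    original request is restored; the fragment is dropped.
    """
    if not candidate or "\\" in candidate:
        return default
    if not candidate.startswith("/") or candidate[1:2] == "/":
        return default
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return default
    return urlunsplit(("", "", parts.path, parts.query, ""))


def issue_token(user, now=None, secret=SECRET):
    """user|expiry|hmac: what the login page attaches when handing the user to the application."""
    expires = int(now if now is not None else time.time()) + TOKEN_LIFETIME
    payload = f"{user}|{expires}"
    mac = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def verify_token(token, now=None, secret=SECRET):
    """Return the user name if the token is intact and unexpired, else None."""
    try:
        user, expires, mac = token.rsplit("|", 2)
        expires = int(expires)
    except ValueError:
        return None
    expected = hmac.new(secret, f"{user}|{expires}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):     # constant-time comparison
        return None
    if int(now if now is not None else time.time()) >= expires:
        return None
    return user


def login_redirect_location(user, next_param, now=None):
    """Location header the login page sends after a successful login."""
    dest = safe_next_url(next_param)
    sep = "&" if "?" in dest else "?"
    return f"https://{APP_HOST}{dest}{sep}" + urlencode({"auth": issue_token(user, now)})
```

Carrying the token in the query string, as here, keeps the example short; in practice a one-time token in a POST body or a cookie keeps it out of access logs and Referer headers, and the application should consume it once and then set its own session.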


Re: [users@httpd] Forward Proxy on behalf of the client instead of as a tunnel

2017-02-28 Thread Marat Khalili
> I spent some time looking at the P option for mod_rewrite but I got the 
> impression that it would only work in the case of the reverse proxy 
> situation.  I was not able to get it to work but I wanted to make sure you 
> thought there was potential for that to help with my forward proxy issue 
> before I spent a lot more time on it.

I think it's a matter of definitions: I'd call it forward proxy already if 
client decides what services to connect to, and proxy server is specified on it 
as, well, proxy. In any case, it does not matter much how you call it.

In your case you'll need rather simple rewrite rule that changes URLs of all 
requests from http to https, with P option, and that's all. It is hard to say 
more without doing experiments.
-- 

With Best Regards,
Marat Khalili

Re: [users@httpd] Forward Proxy on behalf of the client instead of as a tunnel

2017-02-28 Thread Marat Khalili
Solution using reverse proxy does not require any control over proxied 
services, but you'll need to enumerate them all in your proxy configuration. 
Proxy will discriminate requests by hostname and port and forward them to 
specified services. This will give you additional control and security at the 
cost of management overhead.

If you cannot or wish not enumerate all your target services, looks like you 
can use "P" option of mod_rewrite: 
https://httpd.apache.org/docs/2.4/rewrite/flags.html#flag_p . I do not have 
much experience with it, but it might work.
-- 

With Best Regards,
Marat Khalili

On February 28, 2017 6:39:38 PM GMT+03:00, Daniel Frank 
<danthehit...@gmail.com> wrote:
>I see how my original question made it sound like a single service.  I
>was trying to keep the scenario as simple as possible and probably over
>simplified it.  The reality is that the endpoint we will be connecting
>to will be many appliances at many different IPs.
>
>Regarding using a reverse proxy, even if it were one service I don't see
>how the reverse proxy would work since we don't control that service or
>where it is running.  Maybe I am misunderstanding how the reverse proxy
>works as well.
>
>Thanks for the response.  Regarding the original question, is what I am
>asking possible?
>
>-Dan
>
>On Tue, Feb 28, 2017 at 12:19 AM, Marat Khalili <m...@rqc.ru> wrote:
>
>> Why are you calling it _forward_ proxy if it's only going to connect
>> to one service? Your problem can easily be solved with _reverse_ proxy.
>>
>> --
>>
>> With Best Regards,
>> Marat Khalili
>>
>> On 28/02/17 02:16, Daniel Frank wrote:
>>
>> All,
>>
>> I am trying to set Apache up as a forward proxy to help solve an issue
>> that we have where an HTTP Client in our application does not support
>> TLS 1.2 but an API that we need to consume only supports TLS 1.2.  What
>> I am attempting to do is use Apache to talk HTTPS/TLS 1.2 to the target
>> API but allow my internal client to talk to the proxy over HTTP.
>>
>> I had it in my head that this was what a forward proxy was going to
>> give me so after having set up a forward proxy and configuring my
>> application to use it I was surprised to see that I was getting exactly
>> the same behavior that I was getting when I had no proxy configured
>> (failure of my internal client to speak TLS 1.2).
>>
>> So my question is; can Apache be configured as a FORWARD proxy to
>> speak HTTP with the caller but HTTPS to the callee?
>>
>> I have spent a lot of time searching and I did check the mailing list
>> archives but it's entirely possible that I just don't even know what
>> to search for to get a good answer so if this is a dumb question I
>> sincerely apologize for wasting the group's time.
>>
>> Thanks in advance for any help.
>>
>> -Dan
>>
>>
>>


Re: [users@httpd] Forward Proxy on behalf of the client instead of as a tunnel

2017-02-27 Thread Marat Khalili
Why are you calling it _forward_ proxy if it's only going to connect to 
one service? Your problem can easily be solved with _reverse_ proxy.



--

With Best Regards,
Marat Khalili

On 28/02/17 02:16, Daniel Frank wrote:

All,

I am trying to set Apache up as a forward proxy to help solve an issue 
that we have where an HTTP Client in our application does not support 
TLS 1.2 but an API that we need to consume only supports TLS 1.2.  
What I am attempting to do is use Apache to talk HTTPS/TLS 1.2 to the 
target API but allow my internal client to talk to the proxy over HTTP.


I had it in my head that this was what a forward proxy was going to 
give me so after having set up a forward proxy and configuring my 
application to use it I was surprised to see that I was getting 
exactly the same behavior that I was getting when I had no proxy 
configured (failure of my internal client to speak TLS 1.2).


So my question is; can Apache be configured as a FORWARD proxy to 
speak HTTP with the caller but HTTPS to the callee?


I have spent a lot of time searching and I did check the mailing list 
archives but it's entirely possible that I just don't even know what to 
search for to get a good answer so if this is a dumb question I 
sincerely apologize for wasting the group's time.


Thanks in advance for any help.

-Dan




Re: [users@httpd] php curl

2017-02-24 Thread Marat Khalili

it appears that get request never gets executed


You didn't write what happens. Does your PHP code get executed at all? 
One common error is not configuring Apache to recognize scripts in the 
first place.


--

With Best Regards,
Marat Khalili


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org



Re: [users@httpd] redirect port from 80 to 443

2017-02-20 Thread Marat Khalili

On 20/02/17 11:01, Nick Kew wrote:

it's commonly used as a hacked-up
scripting language comprising just two main instructions
(single IF aka RewriteCond, and GOTO aka RewriteRule) with
side-effects. [...]
By analogy, when I got my first programming job in the 1980s,
there was still lots of ancient FORTRAN around, from before the
FORTRAN-77 standard brought block structure to that language.
We newbies were NOT encouraged to write old-style spaghetti code.
It's very insightful, but what other _general purpose_ tool do we have 
here? Correct me if I'm wrong, but seems like URL rewrite C (let alone 
Python) is not yet created.


--

With Best Regards,
Marat Khalili

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org



Re: [users@httpd] redirect port from 80 to 443

2017-02-19 Thread Marat Khalili
Just a personal opinion: mod_rewrite is perfectly fine as long as you know it 
well, and any Apache admin will have to learn and use it eventually. If you can 
accomplish your task with one powerful module you already know, learning 
"simpler" modules and enabling them on your server is both silly and dangerous.

"When not to use mod_rewrite" page was probably written by people frustrated 
with too many examples of incorrect mod_rewrite configurations in this forum. 
It makes sense _for them_ to point people to easier to use modules, not 
necessarily for you to use them.

--
With Best Regards,
Marat Khalili   

On 19/02/17 00:33, Spork Schivago wrote:

Sorry to butt in here.   I've been following this post with some interest.   I 
wanted to accomplish the same thing the original OP wanted to accomplish, 
redirect all traffic to the secure version of my site.   I went to the internet 
and found directions on how to do this using mod_rewrite rules.   Now that I 
know I should be using redirect instead, I had some questions.   Should I start 
my own topic or just ask in this one?   What's generally considered best 
practice in a situation like this, where my question revolves around the 
original ops question?

Thanks!


On Sat, Feb 18, 2017 at 3:02 PM, Dr James Smith <j...@sanger.ac.uk> wrote:

As I only run HTTPS - I have the following on port 80 - (this can't be done 
with redirect)



  ...
  ...
  ...

  RewriteEngine on
  RewriteCond   %{REQUEST_URI}  !^/.well-known/acme-challenge
  RewriteRule   ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [R=permanent,L,NE]


So I only have one port 80 configuration - even tho' I'm running something like 
30 sub-domains on one machine and 70 sub-domains on the other...

{There is some other stuff associated with this - and I've got HSTS headers set 
- and preloaded where I can - so most browsers won't hit the port 80 anyway!} 




On 18/02/2017 19:00, Daniel wrote:

Yes please, let's stay away from convoluted and most times unnecessary 
mod_rewrite examples to do simpleton configurations. 


If you are in virtualhost 80, you have specified servername correctly and you 
just want to redirect to ssl, why not a single Redirect statement?


As Yann's referred document says:

Redirect / https://something.example.com/


Most people here know this but there are gazillions of web pages referring to bad 
advice, duct tape solutions and convoluted ways of using mod_rewrite for a 
simple redirection when placed in proper context, we need to finish with that 
trend, and the best way is to give simple, straight to the point examples 
"first".


The mod_rewrite example given, let's slice it out:

> RewriteCond %{HTTP_HOST} =www.example.com
> RewriteCond %{SERVER_PORT} =80
> RewriteRule ^(.*)$ https://www.example.com/$1 [R]


This clearly assumes it is a generic recipe in a .htaccess somewhere which can 
be read from a non-SSL virtualhost or non-SSL virtualhost (just to be ignored). 


1º It checks the host name, but why? if you have defined a VirtualHost with 
that servername and there are no conflicts the request is already landing there.

2º It checks for port 80. But we are redirecting to SSL, so we are already on 
port 80, why check it?

3º Can be replaced with a Redirect as mentioned above.


So instead of giving out recipes for .htaccess thought out for an aging era or 
shared virtualhosting, let's recommend the ideal virtualhost context recipe 
first as Yann proposed earlier:


Define the virtualhost with the names you serve.



ServerName something.example.com

Redirect / https://something.example.com/




There is no guessing here, no unnecessary directives and it's hard to miss or 
confuse with other directives and the context where it resides is crystal clear.


Later on, when things need to be complicated, then I guess we can use "If" or 
"mod_rewrite", and recommend it as needed.



2017-02-18 19:38 GMT+01:00 Richard <lists-apa...@listmail.innovate.net>:



> Date: Saturday, February 18, 2017 11:04:34 -0700
> From: James Moe <ji...@sohnen-moe.com>
>
> On 02/18/2017 05:08 AM, Rodrigo Cunha wrote:
>> i want redirect all request from port 80 to 443.
>> what is better setting for fix this?
>>
>   Better than what?
>   Fix? Is it broken?
>
> RewriteCond %{HTTP_HOST} =www.example.com
> RewriteCond %{SERVER_PORT} =80
> RewriteRule ^(.*)$ https://www.example.com/$1 [R]

Perhaps, better than using a "rewrite"? See the documentation
reference, given in an earlier post:

  <https://httpd.apache.org/docs/2.4/rewrite/avoid.html#redirect>

that has this as a specific example of when/why to use a "redirect"
rather than a "rewrite".




-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org





Re: [users@httpd] SSL_CLIENT_SAN IP addr validation

2016-12-19 Thread Marat Khalili
As an additional benefit, you will be able to issue certificates with 
regular expressions matching whole subnets! :)


--

With Best Regards,
Marat Khalili


On 19/12/16 20:41, Marat Khalili wrote:
Are you suggesting to put the IP address with the DNS prefix instead 
of the proper IP prefix?
Actually, I was not aware of official possibility of having an IP 
address in subjectAltName until 5 minutes ago :) But since Apache 
developers also didn't provide for this, using DNS prefix is 
definitely an option.


Also what about the possibility of having a variable number of 
addresses there?
Provided you are not going to have too many SANs, quick and dirty 
solution would be:
Require expr "%{REMOTE_ADDR} =~ 
/^(%{SSL_CLIENT_SAN_DNS_1}|%{SSL_CLIENT_SAN_DNS_2}|%{SSL_CLIENT_SAN_DNS_3}|%{SSL_CLIENT_SAN_DNS_4}|...)$/"
(Missing variables will expand to empty strings). I hope  I know it's 
ugly as hell, but so are client certificates with multiple IP address 
aliases.


--

With Best Regards,
Marat Khalili


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org




-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org



Re: [users@httpd] SSL_CLIENT_SAN IP addr validation

2016-12-19 Thread Marat Khalili
Are you suggesting to put the IP address with the DNS prefix instead 
of the proper IP prefix?
Actually, I was not aware of official possibility of having an IP 
address in subjectAltName until 5 minutes ago :) But since Apache 
developers also didn't provide for this, using DNS prefix is definitely 
an option.


Also what about the possibility of having a variable number of 
addresses there?
Provided you are not going to have too many SANs, quick and dirty 
solution would be:
Require expr "%{REMOTE_ADDR} =~ 
/^(%{SSL_CLIENT_SAN_DNS_1}|%{SSL_CLIENT_SAN_DNS_2}|%{SSL_CLIENT_SAN_DNS_3}|%{SSL_CLIENT_SAN_DNS_4}|...)$/"
(Missing variables will expand to empty strings). I hope  I know it's 
ugly as hell, but so are client certificates with multiple IP address 
aliases.


--

With Best Regards,
Marat Khalili


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org



Re: [users@httpd] SSL_CLIENT_SAN IP addr validation

2016-12-19 Thread Marat Khalili
If you really put IP address in domain subjectAltName and want to verify 
it, I suppose expression should be something like this:



Require expr "%{SSL_CLIENT_SAN_DNS_1} == %{REMOTE_ADDR}"



--

With Best Regards,
Marat Khalili

On 19/12/16 18:48, Andrei Ivanov wrote:

Hi,
Yes, I did notice the suggestion of using Require expr, the problem is 
that I don't know what expression I could use, with the details 
explained below.


Anyway to do this without a variable containing the subjectAltName IP 
address?


Regarding if this actually makes sense or not is a different story, as 
this was decided by other people... :-)



On Mon, Dec 19, 2016 at 5:41 PM, Marat Khalili <m...@rqc.ru> wrote:


Docs suggest
<https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslrequire>
using Require expr in place of SSLRequire. Require expr supports
such variables as REMOTE_ADDR and CONN_REMOTE_ADDR. In any case, I
do not see much sense in issuing or verifying certificates with IP
address in subjectAltName.

What you probably want is accepting clients belonging to
particular group. Issue them certificates with the same
organizational unit and verify SSL_CLIENT_S_DN_OU as well as
SSL_CLIENT_S_DN_O.

--

With Best Regards,
Marat Khalili

On 15/12/16 13:46, Andrei Ivanov wrote:

Hi,
I'm trying to validate incoming requests by comparing the request
IP to the IP addresses provided in the client certificate
subjectAltName.

Searching around, I found
http://wiki.cacert.org/ApacheServerClientCertificateAuthentication,
which gives an example using the email address:
which gives an example using the email address:
SSLRequire %{SSL_CLIENT_S_DN_Email} =~ m/^[^@]*@example\.com$/
   or %{SSL_CLIENT_S_DN_Email_0} =~ m/^[^@]*@example\.com$/
   or %{SSL_CLIENT_S_DN_Email_1} =~ m/^[^@]*@example\.com$/
   or %{SSL_CLIENT_S_DN_Email_2} =~ m/^[^@]*@example\.com$/
   or %{SSL_CLIENT_S_DN_Email_3} =~ m/^[^@]*@example\.com$/

But there are 2 problems:
1. the IP addresses are not exported as variables by mod_ssl
(see https://bz.apache.org/bugzilla/show_bug.cgi?id=60456
<https://bz.apache.org/bugzilla/show_bug.cgi?id=60456>)
2. The number of IP addresses is variable, not sure how I could
do the check with an expression

The Apache Httpd is a frontend for a PHP and a Python
application, so it would be nice to be able to do this filtering
in one place instead of doing it at the applications level.

Any suggestions?

Thank you.
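The comparison that the `Require expr` forms in this thread try to make (the `==` against `SSL_CLIENT_SAN_DNS_1` here, and the regex over `SSL_CLIENT_SAN_DNS_1..n` in the later replies), as an added Python example that is not from the thread or from httpd. It is the check an application behind httpd, such as the PHP or Python app Andrei mentions, could run on the variables mod_ssl exports with `SSLOptions +StdEnvVars`. It compares addresses as addresses rather than as strings, which the expressions cannot: an IPv6 peer written `2001:DB8:0:0:0:0:0:1` in the certificate and reported as `2001:db8::1` by the server is one address, and a dual-stack listener may report an IPv4 client as `::ffff:10.0.0.5`. Reading the dNSName entries as candidate addresses follows the thread's workaround of storing the IP under the DNS prefix; the sample environment is constructed.

```python
"""Added example: match REMOTE_ADDR against IP addresses carried in a client certificate's SAN."""
import ipaddress
import re

SAN_VAR = re.compile(r"^SSL_CLIENT_SAN_(DNS|IP)_(\d+)$")


def san_values_from_env(environ):
    """Collect SSL_CLIENT_SAN_DNS_n / SSL_CLIENT_SAN_IP_n values in (type, index) order."""
    found = []
    for key, value in environ.items():
        m = SAN_VAR.match(key)
        if m:
            found.append((m.group(1), int(m.group(2)), value))
    return [value for _, _, value in sorted(found)]


def san_addresses(san_values):
    """Keep only the entries that parse as IP addresses; real host names are ignored."""
    addrs = []
    for value in san_values:
        try:
            addrs.append(ipaddress.ip_address(value))
        except ValueError:
            continue
    return addrs


def client_addr_matches_san(remote_addr, san_values):
    """True if the peer address equals one of the certificate's addresses (textual form ignored)."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped      # ::ffff:a.b.c.d reported for an IPv4 client on a v6 socket
    return addr in san_addresses(san_values)


def authorize(environ):
    """Decision for one request: certificate verified by mod_ssl, and peer address in its SAN."""
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":   # anything else: no valid client cert
        return False
    return client_addr_matches_san(environ.get("REMOTE_ADDR", ""), san_values_from_env(environ))


# Constructed environment, as CGI/WSGI would see it behind httpd with +StdEnvVars.
SAMPLE_ENV = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "REMOTE_ADDR": "2001:db8::1",
    "SSL_CLIENT_SAN_DNS_0": "client.example",
    "SSL_CLIENT_SAN_DNS_1": "2001:DB8:0:0:0:0:0:1",
    "SSL_CLIENT_SAN_DNS_2": "10.0.0.5",
}
```

The `SSL_CLIENT_VERIFY` gate is the important half: the SAN variables are only meaningful once mod_ssl has validated the certificate chain (`SSLVerifyClient require`), otherwise the application is comparing against whatever the peer presented.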







Re: [users@httpd] SSL_CLIENT_SAN IP addr validation

2016-12-19 Thread Marat Khalili
Docs suggest 
<https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslrequire> using 
Require expr in place of SSLRequire. Require expr supports such 
variables as REMOTE_ADDR and CONN_REMOTE_ADDR. In any case, I do not see 
much sense in issuing or verifying certificates with IP address in 
subjectAltName.


What you probably want is accepting clients belonging to particular 
group. Issue them certificates with the same organizational unit and 
verify SSL_CLIENT_S_DN_OU as well as SSL_CLIENT_S_DN_O.


--

With Best Regards,
Marat Khalili

On 15/12/16 13:46, Andrei Ivanov wrote:

Hi,
I'm trying to validate incoming requests by comparing the request IP 
to the IP addresses provided in the client certificate subjectAltName.


Searching around, I found 
http://wiki.cacert.org/ApacheServerClientCertificateAuthentication, 
which gives an example using the email address:

SSLRequire %{SSL_CLIENT_S_DN_Email} =~ m/^[^@]*@example\.com$/
   or %{SSL_CLIENT_S_DN_Email_0} =~ m/^[^@]*@example\.com$/
   or %{SSL_CLIENT_S_DN_Email_1} =~ m/^[^@]*@example\.com$/
   or %{SSL_CLIENT_S_DN_Email_2} =~ m/^[^@]*@example\.com$/
   or %{SSL_CLIENT_S_DN_Email_3} =~ m/^[^@]*@example\.com$/

But there are 2 problems:
1. the IP addresses are not exported as variables by mod_ssl (see 
https://bz.apache.org/bugzilla/show_bug.cgi?id=60456)
2. The number of IP addresses is variable, not sure how I could do the 
check with an expression


The Apache Httpd is a frontend for a PHP and a Python application, so 
it would be nice to be able to do this filtering in one place instead 
of doing it at the applications level.


Any suggestions?

Thank you.




Re: [users@httpd] Which config file is fit for my apache2?

2016-11-16 Thread Marat Khalili
ServerName outside VirtualHost mostly has cosmetic effect AFAIU, just 
put some canonical name of your server there.


--

With Best Regards,
Marat Khalili

On 16/11/16 07:33, 水静流深 wrote:

Let's suppose a scene on centos7.

- domain name:  xyz.com
- the domain parsed by third-party dns server:   ns1.xxx.com
- IP address bound with domain:  123.123.123.123
- apache2 was installed on  123.123.123.123

It is the ServerName that confused me.
### ServerName

In the `/etc/httpd/conf/httpd.conf`, `ServerName` gives the name and 
port that the server uses to identify itself. This can often be 
determined automatically, but we recommend you specify it explicitly 
to prevent problems during startup. If your host doesn't have a 
registered DNS name, enter its IP address here.


#ServerName www.example.com:80

Should my /etc/httpd/conf/httpd.conf be this way :

config1:

ServerRoot "/etc/httpd"
Listen 80
Include conf.modules.d/*.conf
User apache
Group apache
ServerName 123.123.123.123:80

ServerName www.xyz.com
DocumentRoot "/var/www/html"


config2:

ServerRoot "/etc/httpd"
Listen 80
Include conf.modules.d/*.conf
User apache
Group apache
ServerName xyz.com:80

ServerName www.xyz.com
DocumentRoot "/var/www/html"


config3:

ServerRoot "/etc/httpd"
Listen 80
Include conf.modules.d/*.conf
User apache
Group apache
ServerName localhost:80

ServerName www.xyz.com
DocumentRoot "/var/www/html"


config4:

ServerRoot "/etc/httpd"
Listen 80
Include conf.modules.d/*.conf
User apache
Group apache
ServerName 127.0.0.1:80

ServerName www.xyz.com
DocumentRoot "/var/www/html"


Which config file is fit for my example?



-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org



Re: [users@httpd] Install and Configure Apache on Windows Server

2016-11-08 Thread Marat Khalili

I have obtain a certificate file, and the key file. No chain file.


Most public CAs use intermediate certificates (and hence chains) so it 
is strange you didn't get one. Since chain is often the same for all 
clients, it may be available for download from CA's site somewhere. If 
you don't need chain, just omit SSLCertificateChainFile line. Browser 
warnings and SSLTest <https://www.ssllabs.com/ssltest/> will tell you if 
something is amiss.



To httpd.conf or to default-ssl.conf. 

You can put everything into httpd.conf


Also where do i find sample site configurations ? so i can have a look.
Well, e.g. if you download Apache for Windows binaries from Apache Haus 
<https://www.apachehaus.com/cgi-bin/download.plx>, you will find them in 
/Apache24/conf/extra/


--

With Best Regards,
Marat Khalili


On 08/11/16 17:38, Robert Ramoutar wrote:



Hi Marat,


I have obtain a certificate file, and the key file. No chain file.


Just to be sure


Do I add :


Listen 443



 SSLEngine on
 SSLCertificateFile /some-path/cert.pem
 SSLCertificateKeyFile /some-path/privkey.pem
 SSLCertificateChainFile /some-path/chain.pem

# rest of your virtualhost configuration here




To httpd.conf or to default-ssl.conf.


Also where do i find sample site configurations ? so i can have a look.


Thanks.


Regards,


Robert Ramoutar.
This email is intended for the intended recipient(s) and may contain 
confidential information. Reproduction, dissemination or distribution of 
this message is prohibited unless authorized by the sender. If you are not 
the intended recipient, please notify the sender immediately and you must 
not read, keep, use, disclose, copy or distribute this email without the 
sender's prior permission.


Re: [users@httpd] Install and Configure Apache on Windows Server

2016-11-04 Thread Marat Khalili
> I have been able to generate CSR file and key using OpenSSL as you
> mentioned.

Now pass the CSR file (without the key) to your CA to get it signed. In
return you should obtain a certificate file, and possibly also a
certificate chain file. Again, your CA should help you with Apache
configuration, but generally it should contain the following lines:

Listen 443

<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /some-path/cert.pem
    SSLCertificateKeyFile /some-path/privkey.pem
    SSLCertificateChainFile /some-path/chain.pem

    # rest of your virtualhost configuration here
</VirtualHost>

Apache usually comes with sample site configurations (i.e.
default-ssl.conf), just read them.


Cannot help you with Tomcat, sorry. Saw it last time in 2004.


--

With Best Regards,
Marat Khalili

On 04/11/16 16:19, Robert Ramoutar wrote:

Hello,

Thank you for that explanation. I have been able to generate a CSR file
and key using OpenSSL as you mentioned.

Can anyone indicate what the next step is and also, if possible, how one
tests this configuration to ensure it is working?

I am trying to accomplish the following:

1. Use Apache for the certificate

2. Use Tomcat to host the website

Am I stating this correctly, or do I just specify the location of the
certificates in Tomcat's configuration?

If so, how do I test this configuration?

Thanks for your guidance,

Robert.

Regards,

Robert Ramoutar.



Re: [users@httpd] Install and Configure Apache on Windows Server

2016-11-03 Thread Marat Khalili
Hello Robert,

There seems to be some misunderstanding here. Apache does not generate
certificates, nor is there an "import" process: you just put the files
wherever you want and specify their location in the configuration. A minimal
Apache configuration for a site with SSL is less than a dozen lines, nothing
difficult.

Generating the necessary certificate files is indeed more involved, but it
has nothing to do with Apache. Ask your CA for help, they should have clear
instructions on what to do (or use a different CA). Usually it means running
some commands in OpenSSL. You can use any working installation of OpenSSL,
not necessarily the one on your Windows PC with Apache.
-- 

Best regards,
Marat Khalili (Russian Quantum Center)
+7 926 950 0804

On November 3, 2016 10:06:47 PM GMT+03:00, Robert Ramoutar wrote:
>Hi Again,
>
>
>Thanks for the reply,
>
>
>I was able to download, install apache service and got IT WORKS when
>entering localhost:80 in my browser.
>
>
>I was reading the following page :
>
>
>Apache SSL/TLS Encryption
>http://httpd.apache.org/docs/2.4/ssl/
>
>But I'm still unable to configure.
>
>Can you say how to import certificates into apache and how to test the
>imported certificates to make sure they function.
>
>1. I have to generate a CSR request and key,
>2. Then after i get the files from the cert provider import it into
>apache
>
>Any ideas on how to complete the above two steps.
>
>Thanks again for your help,
>
>
>
>Regards,
>
>Robert Ramoutar.
>
>
>
>
>
>From: Alexandru Duzsardi 
>Sent: Thursday, November 3, 2016 10:49 AM
>To: users@httpd.apache.org
>Subject: RE: [users@httpd] Install and Configure Apache on Windows
>Server
>
>
>Hi,
>
>I think this is a good starting point:
>http://httpd.apache.org/docs/2.4/platform/windows.html
>
>It's pretty straightforward: download the installer from one of those
>links http://httpd.apache.org/docs/2.4/platform/windows.html#down
>
>Install like any other software.
>
>Install the Windows service for Apache
>http://httpd.apache.org/docs/2.4/platform/windows.html#winsvc , and set
>it to start automatically.
>
>Anything else is pretty much the same on any platform
>http://httpd.apache.org/docs/2.4/ , just be careful with the PATHs.
>
>
>From: Robert Ramoutar [mailto:robert_ramou...@hotmail.com]
>Sent: Thursday, November 3, 2016 4:42 PM
>To: users@httpd.apache.org
>Subject: [users@httpd] Install and Configure Apache on Windows Server
>
>
>
>
>
>Hello all,
>
>I have been tasked with installing and configuring Apache 2.4 on a
>Windows server for the following purpose:
>
>1. Configure SSL through Apache
>
>2. Apache Tomcat also installed on the server to handle web requests to a
>specific web application - MySQL db also on the same server.
>
>How does one go about installing and configuring SSL through Apache 2.4
>on Windows Server 2012?
>
>I have read so many documents and so many questions on forums etc and
>am now more confused than before.
>
>Can someone please outline the steps required and if possible how to
>perform these steps for Apache in Windows.
>
>Thanks.
>
>Regards,
>
>Robert Ramoutar.

Re: [users@httpd] Perl prg RewriteMap always returns blank

2016-10-08 Thread Marat Khalili

On 08/10/16 10:54, spggw...@posteo.eu wrote:

> However, running from within Apache it always returns a blank value.
>
> Running the same IPs through the script manually does return values.
>
> Any ideas what could be going on here?

First, I totally agree with Julian about the evilness of using the user's IP
for selecting the user's locale or (worse) geo-blocking. As for the technical
part of the question, I'd start with:

1. Testing the script with the exact privileges it receives from Apache. It
can be prevented from working by file modes, chroot (or other jail),
apparmor/selinux etc.

2. Injecting some logging statements into the script (or using a wrapper) to
see if it actually tries to return something to Apache or not.


--

With Best Regards,
Marat Khalili


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org



Re: [users@httpd] Showing exact filesize in bytes instead of shortform in directory listing

2016-10-03 Thread Marat Khalili


On 03/10/16 19:35, Rich Bowen wrote:

> Or use rsync

WebDAV would be more on-topic.

--

With Best Regards,
Marat Khalili




Re: [users@httpd] TLS Proxy client certificates per virtualhost

2016-09-30 Thread Marat Khalili
Do you mean proxy _client_ certificates? That is, certificates for
identifying your proxy to upstream server(s)? Looks like there's indeed
no option to make them virtual-host dependent. I wonder why you need it.


Local server (proxy or not) certificates can be made virtual-host 
dependent using SSLCertificateFile etc. Likewise, remote server CA 
certificates can be made virtual-host dependent using 
SSLProxyCACertificateFile etc.


--

With Best Regards,
Marat Khalili

On 30/09/16 17:42, Mark Blackman wrote:

Hi,

What kind of options do I have if I want to use different SSL proxy 
certificates for different virtual hosts?

SSLProxyMachineCertificateFile is close, but only has server scope. What's the 
equivalent for virtualhost context?

I have a feeling I have zero options, but would like to confirm that here, 
please.  If so, how much work would it take to provide that?

Regards,
Mark



---
This e-mail may contain confidential and/or privileged information. If you are 
not the intended recipient (or have received this e-mail in error) please 
notify the sender immediately and delete this e-mail. Any unauthorized copying, 
disclosure or distribution of the material in this e-mail is strictly forbidden.

Please refer to https://www.db.com/disclosures for additional EU corporate and 
regulatory disclosures and to 
http://www.db.com/unitedkingdom/content/privacy.htm for information about 
privacy.




Re: [users@httpd] Unit file of apache2.service changed on disk

2016-09-28 Thread Marat Khalili
This is a message from systemd, not Apache. Either the apache2.service file
really changes (gets rewritten by something?), or (more likely) it's a
bug in systemd. As long as Apache starts successfully and it is not
mission critical I would ignore this message.



--

With Best Regards,
Marat Khalili

On 28/09/16 10:19, Ronald E. Raikes wrote:

Apache/2.4.10 (Raspbian)

Anyone know what's changed recently with regard to apache2? This only 
started happening recently:


After a fresh install of Raspbian Jessie Lite (2016-05-27), I install 
apache2:


root@raspberrypi:~# apt-get install apache2

At this point, 'service apache2 restart' executes with no warning.

root@raspberrypi:~# service apache2 restart
root@raspberrypi:~#

Following a reboot, however, I get a warning:

Last login: Wed Sep 21 14:31:14 2016 from gigabyte
root@raspberrypi:~# service apache2 restart
Warning: Unit file of apache2.service changed on disk, 'systemctl 
daemon-reload' recommended.

root@raspberrypi:~#

Following the recommendation eliminates the warning:

root@raspberrypi:~# systemctl daemon-reload
root@raspberrypi:~# service apache2 restart
root@raspberrypi:~#

After a reboot, however, the problem is back. No changes are being 
made anywhere.






Re: [users@httpd] Apache: Avoiding users to access 'www.foo.com/subdomain1/'

2016-09-20 Thread Marat Khalili
There's a way to achieve what you ask with mod_rewrite directives in 
.htaccess, but before trying this, why not point foo.com to a separate 
directory?



--

With Best Regards,
Marat Khalili


On 19/09/16 21:41, thomas Armstrong wrote:

Hi.

I have an Apache server whose main root web dir is
'/usr/www/users/foo/' and 'foo.com' points there. However, I have some
subdomains pointing within their directories:

subdomain1.foo.com ---> /usr/www/users/foo/subdomain1
subdomain2.foo.com ---> /usr/www/users/foo/subdomain2

This causes me a problem: if anyone types
'www.foo.com/subdomain1/aboutme.html', they find
'subdomain1.foo.com/aboutme.html' with another URL, and I'd like to
avoid it.

I wondered if there was any way to avoid this (e.g., showing a 404
page), by using a directive within the '.htaccess' file of
'/usr/www/users/foo/subdomain1'.


Any other solution is welcome. Thank you very much.
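Both fixes from the reply above, as an added example that is not part of the original thread: a separate DocumentRoot for foo.com (the suggested route; /usr/www/users/foo/main is an assumed new directory), and, if the directory layout must stay, an .htaccess in the subdomain directory that answers 404 to requests that arrived under any other hostname.

```apache
# Preferred fix: give foo.com its own DocumentRoot that does not contain
# the subdomain directories, so /subdomain1/ simply does not exist there.
# (/usr/www/users/foo/main is an assumed new directory.)
<VirtualHost *:80>
    ServerName foo.com
    ServerAlias www.foo.com
    DocumentRoot /usr/www/users/foo/main
</VirtualHost>

<VirtualHost *:80>
    ServerName subdomain1.foo.com
    DocumentRoot /usr/www/users/foo/subdomain1
</VirtualHost>

<VirtualHost *:80>
    ServerName subdomain2.foo.com
    DocumentRoot /usr/www/users/foo/subdomain2
</VirtualHost>

# Fallback when the layout cannot change: .htaccess in
# /usr/www/users/foo/subdomain1 (needs mod_rewrite loaded and
# AllowOverride FileInfo, or All, for that directory). Any request whose
# Host header is not subdomain1.foo.com (with or without a port) gets a 404
# instead of the subdomain's content.
# --- /usr/www/users/foo/subdomain1/.htaccess ---
RewriteEngine On
RewriteCond %{HTTP_HOST} !^subdomain1\.foo\.com(:[0-9]+)?$ [NC]
RewriteRule ^ - [R=404,L]
```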






Re: [users@httpd] 2.4 named virtual hosts question

2016-09-12 Thread Marat Khalili

On 12/09/16 18:47, Rainer Canavan wrote:

> The obvious ones I can come up with would be Alias, ScriptAlias,
> FastCGIExternalServer, Action and RewriteRule. All those can be defined
> in the global context (i.e. outside of any vhost) and are valid for all
> vhosts. (for RewriteRule, that may require RewriteOptions Inherit), all
> others simply apply to all vhosts.

But if I remove my default "deny" virtual host, what changes? That's
what I cannot quite get in your explanation.


--

With Best Regards,
Marat Khalili




Re: [users@httpd] 2.4 named virtual hosts question

2016-09-12 Thread Marat Khalili

On 12/09/16 15:25, Rainer Canavan wrote:

> However, in this example, you'd add a virtualhost that may expose
> globally configured resources without the individual access controls of
> the "real" vhosts. On top of that, the additional vhost may not see any
> significant testing in case of configuration changes.

I don't get it, can you please provide an example? IMO any additional
vhosts should not depend at all on what's inside this vhost.

> Do _exactly_ that, e.g. with a RewriteRule to - and RewriteCond that
> checks the Host: header.

You mean, outside any virtualhost? Why do you think it's better? The
initial problem was the default virtualhost -- I want none. Your method
only protects from the absence of a Host header, not from an incorrect
Host header, SNI etc. IMO presupposing Apache vhost selection is a bad
solution here.

> If you're really serious, you'd also have to make sure that any error
> messages don't contain the hostname, and you'd have to set reverse DNS
> lookups to point to a useless name.

I did.

> Overall I'd say that the negligible gain in perceived security isn't
> worth the effort or the additional risks (both regarding security and
> availability).

Well, for one thing log messages from actual vhosts and from internet
scans are separated, this alone saves a lot of time.


--

With Best Regards,
Marat Khalili




Re: [users@httpd] 2.4 named virtual hosts question

2016-09-12 Thread Marat Khalili

On 12/09/16 12:03, Rainer Canavan wrote:

> I'm not 100% sure, but that may not deny access to absolutely
> everything, in case you have global directives such as cgi aliases or
> proxy constructs, possibly with mod_rewrite and [P] which point to
> non-directory resources.
>
> Therefore it may be better to use <Location /> instead of <Directory />.

Thanks for noticing! Of course all other directives are supposed to be
within virtualhosts, but worth changing just to be extra sure.

> Additionally, if you bind any further vhosts to specific IP addresses,
> e.g. <VirtualHost 192.0.2.1:80>, then that virtualhost will have
> precedence for requests to 192.0.2.1:80 over the *:80 virtualhost.

In this case you'll have to create a separate default deny configuration
for each IP address, right?

> Overall, I'd say that such a construct is more likely to increase the
> attack surface instead of reducing it.

I don't think _denying_ something can _increase_ attack surface. But
since there's seemingly demand for this kind of configuration it'd be
nice if the community helped make it better and more secure. What extra
steps do you think one should take to securely deny (and subsequently
ban) clients (mostly bots) that do not even know the domain name they
are accessing?


--

With Best Regards,
Marat Khalili
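The catch-all vhosts from the earlier message in this thread, revised along the lines Rainer suggests, as an added example that is not part of the original thread: <Location /> instead of <Directory /> so that aliased and proxied paths are covered too, and a per-address copy for a host bound to a specific IP. 192.0.2.1 is the documentation address from the message above; the log paths and the snakeoil certificate paths are assumptions (Debian-style layout).

```apache
# Catch-all vhosts for requests that match no real vhost: no Host header,
# an unknown Host name, or a TLS handshake whose SNI name matches nothing.
# They are listed first so httpd uses them as the default for each
# address:port set.

<VirtualHost *:80>
    ServerName default
    # <Location /> matches every URL, including ones that map to no
    # directory (ScriptAlias targets, ProxyPass'd paths), which is what
    # <Directory /> alone misses. AllowOverride is not valid here, but no
    # .htaccess is ever consulted because nothing is served.
    <Location />
        Require all denied
    </Location>
    # Separate logs, so scans of the bare IP do not pollute the site logs.
    ErrorLog  /var/log/apache2/default-error.log
    CustomLog /var/log/apache2/default-access.log combined
</VirtualHost>

# With this on, clients that send no SNI cannot reach any name-based vhost
# on the address; they are confined to the default vhost below, which
# denies everything anyway.
SSLStrictSNIVHostCheck on

<VirtualHost *:443>
    ServerName default
    SSLEngine on
    # Placeholder self-signed certificate; it is never meant to verify.
    SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
    <Location />
        Require all denied
    </Location>
    ErrorLog  /var/log/apache2/default-ssl-error.log
    CustomLog /var/log/apache2/default-ssl-access.log combined
</VirtualHost>

# A vhost bound to a specific address outranks *:80 for that address, so
# that address needs its own catch-all, declared before the real vhost.
<VirtualHost 192.0.2.1:80>
    ServerName default
    <Location />
        Require all denied
    </Location>
</VirtualHost>

<VirtualHost 192.0.2.1:80>
    ServerName www.example.com
    DocumentRoot /var/www/example
</VirtualHost>
```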



Re: [users@httpd] 2.4 named virtual hosts question

2016-09-12 Thread Marat Khalili
There has to be some configuration Apache will use if it cannot match 
any virtualhost; or, if no hostname is specified by client. You can make 
a configuration that denies access in this case, and put it before 
others. That's what I use:




<VirtualHost *:80>
    ServerName default

    <Directory />
        AllowOverride none
        Order Allow,Deny
        Require all denied
    </Directory>
</VirtualHost>

SSLStrictSNIVHostCheck on

<VirtualHost *:443>
    ServerName default

    SSLEngine on
    SSLCertificateFile  /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

    <Directory />
        AllowOverride none
        Order Allow,Deny
        Require all denied
    </Directory>
</VirtualHost>



Works great in pair with fail2ban ;)

--

With Best Regards,
Marat Khalili

On 12/09/16 04:43, Ronald F. Guilmette wrote:

A simple question.  Sorry if this is an FAQ.

I'm just bringing up a fresh VM system that I plan to move my small
handful of web sites to.

I've so far managed to mostly get apache24 installed and configured.
I've moved all of my web sites over to the new system, and it mostly
all seems to be working, but I ran the "httpd -S" command to see
if that would detect any goof-ups on my part.  (It did, but I already
fixed those.)

Now when I run "httpd -S" I am seeing in the output:

===
VirtualHost configuration:
*:* is a NameVirtualHost
  default server tristatelogic.com 
(/usr/local/etc/apache24/extra/httpd-vhosts.conf:40)
  port * namevhost tristatelogic.com 
(/usr/local/etc/apache24/extra/httpd-vhosts.conf:40)
  alias www.tristatelogic.com
  port * namevhost 47-usc-230c2.org 
(/usr/local/etc/apache24/extra/httpd-vhosts.conf:69)
  alias www.47-usc-230c2.org
  port * namevhost sordid-details.com 
(/usr/local/etc/apache24/extra/httpd-vhosts.conf:94)
  alias www.sordid-details.com
...
===

I have three domains that I want to serve (as vhosts) from this newly
installed server, and all three are mentioned above.  But the part I don't
get (and don't really want) is all that stuff about a default (*:*)
server/service.  How can I get rid of that while still providing service
for my three vhosts?

(Note:  People may say: "Oh, just leave it.  It isn't really any
problem to just leave it."  But I'm paranoid about security, so I'm
always inclined to minimize my attack surface as much as possible.)




Re: [users@httpd] SNI SSL per domain?

2016-09-08 Thread Marat Khalili

> What do you mean by “non-canonical domain”? Do you mean something in the
> ServerAlias?

I mean canonical from user/marketing point of view. These days if you
have, say, www.theregister.co.uk, theregister.co.uk,
www.theregister.com, theregister.com etc., usually only the first one
contains the real site, and all the rest just return 301 Moved Permanently.
Because of caching, cookie/javascript domains etc.

> It works beautifully and requires no restart of the server to
> add/remove/update certificates.

I am not an Apache developer, but it does not sound like a difficult
patch. Although I'd cache certificates in memory, not check the filesystem
every time. It is not hard to type service apache2 reload when you need it.


--

With Best Regards,
Marat Khalili

On 08/09/16 06:04, Felipe Gasper wrote:

>> On 7 Sep 2016, at 9:43 PM, Marat Khalili <m...@rqc.ru> wrote:
>>
>> Did you consider having two instances of Apache: one for handling SSL with
>> vhost per certificate, and one for actual web sites with vhost per site? First
>> one will proxy requests to the second. Some people do it this way for
>> performance reasons, but it lets you be more flexible with certificates too.
>
> I never considered this, but I would think the memory consumption of two Apache
> instances would be undesirable. Worth investigating, though. HAProxy may also
> work toward this end.
>
>>> All the same, would it not make sense to decouple the SNI logic from the
>>> vhosts? Just thinking at a conceptual level, there seems no particular reason
>>> why these entities are combined in the configuration.
>>
>> Except for the fact that in 99.999% of use cases SNI determines vhost and
>> non-canonical domains are just redirects.
>
> What do you mean by “non-canonical domain”?
>
> Do you mean something in the ServerAlias? That seems more an implementation
> detail of Apache’s particular configuration format; both conceptually and in
> practice all domains that point to a vhost are coequal in status, right?
>
>> OTOH, since every certificate contains domain names it is valid for, why cannot
>> Apache pick certificate from a list or directory automatically before even
>> considering virtualhosts? Isn't certificate-domain relationship in Apache
>> configuration redundant (in most cases) and error-prone?
>
> ^^^ Ding, ding, ding, ding, ding!!! :)
>
> This is how we’ve set up our own SNI-capable daemons: they load the cert chain
> and key from files named for the relevant domain. The service knows where the
> certs and key are as a function of the domain name; there’s no configuration
> besides filesystem setup. It works beautifully and requires no restart of the
> server to add/remove/update certificates.
>
> -FG




 

Re: [users@httpd] SNI SSL per domain?

2016-09-07 Thread Marat Khalili
Did you consider having two instances of Apache: one for handling SSL with 
vhost per certificate, and one for actual web sites with vhost per site? First 
one will proxy requests to the second. Some people do it this way for 
performance reasons, but it lets you be more flexible with certificates too.

> All the same, would it not make sense to decouple the SNI logic from the 
> vhosts? Just thinking at a conceptual level, there seems no particular reason 
> why these entities are combined in the configuration.

Except for the fact that in 99.999% of use cases SNI determines vhost and 
non-canonical domains are just redirects.

OTOH, since every certificate contains domain names it is valid for, why cannot 
Apache pick certificate from a list or directory automatically before even 
considering virtualhosts? Isn't certificate-domain relationship in Apache 
configuration redundant (in most cases) and error-prone?
-- 

With Best Regards,
Marat Khalili

On September 8, 2016 3:03:35 AM GMT+03:00, Felipe Gasper 
<fel...@felipegasper.com> wrote:
>Reviving this thread …
>
>This would mean that every vhost will needs its own common.conf file,
>which, on a server with thousands of vhosts, will make for expensive
>loads of the configuration file.
>
>mod_macro in 2.4 is another route we may explore, but we have some
>really complex vhost templating logic that would be difficult to port.
>
>All the same, would it not make sense to decouple the SNI logic from
>the vhosts? Just thinking at a conceptual level, there seems no
>particular reason why these entities are combined in the configuration.
>
>Are there plugin controls that would facilitate control of the SSL
>certificate sent to the browser? Or would a change like this really
>need to be in Apache itself?
>
>Thank you!
>
>-FG
>
>> On 3 Feb 2016, at 5:54 AM, Stefan Eissing
><stefan.eiss...@greenbytes.de> wrote:
>> 
>> common.conf:
>> 
>> > ...
>> ...
>> ---
>> 
>> 
>>  ServerName foo.tld
>> 
>>  SSLCertificateFile foo.pem
>> 
>>  Include common.con
>> 
>> 
>>  ServerName bar.tld
>> 
>>  SSLCertificateFile bar.pem
>> 
>>  Include common.con
>> 
>> 
>> 
>>> Am 03.02.2016 um 11:45 schrieb Felipe Gasper
><fel...@felipegasper.com>:
>>> 
>>> What if I have a vhost with:
>>> 
>>> ServerName foo.tld
>>> ServerAlias bar.tld
>>> 
>>> … but I have two separate SSL certificates for these domains? Is
>there any way to accommodate this without either splitting the domains
>onto separate vhosts or buying a new certificate that covers both
>domains?
>>> 
>>> -FG
>>> 
>>> On 3 Feb 2016 12:26 AM, William A Rowe Jr wrote:
>>>> Sounds like you have mis-structured the config.  Per servername -
>each
>>>> can and should have its own cert and will be selected via SNI.  If
>there
>>>> are subadmins beneath each vhost section #include those snippets
>and
>>>> they all still fall within the given host name.
>>>> 
>>>> On Feb 1, 2016 11:21 AM, "Felipe Gasper" <fel...@felipegasper.com
>>>> <mailto:fel...@felipegasper.com>> wrote:
>>>> 
>>>>   On 1 Feb 2016 12:16 PM, Oscar Knorn wrote:
>>>> 
>>>>   On 2016/02/01 Felipe Gasper wrote:
>>>> 
>>>>   Hello,
>>>> 
>>>> Is it possible to do SNI SSL per domain rather than
>>>>   per vhost? If
>>>>   not, is there a feature request in for this?
>>>> 
>>>> Thank you!
>>>> 
>>>>   -Felipe Gasper
>>>>   Houston, TX
>>>> 
>>>> 
>>>> 
>>>> 
>>>>   Hello Felipe,
>>>> 
>>>>   aren't in your configuration the domains organized in vhost
>sections
>>>>   yet? Do you think there might be a reason you can't organize
>>>>   them that way?
>>>> 
>>>>   Cheers Oscar
>>>> 
>>>> 
>>>>   Hi Oscar,
>>>>

Re: [users@httpd] httpd session timeout

2016-08-24 Thread Marat Khalili
> I am testing it by logging into the website using basic authentication [...]

Session you are observing is browser-based, not server-based. Your browser 
repeats once learned credentials in every request until it's restarted (may 
depend on the browser of course). And server verifies credentials of every 
request, there's no session or timeout for HTTP authentication.
-- 

With Best Regards,
Marat Khalili

On August 24, 2016 4:53:28 PM GMT+03:00, Roger Paanini <rogerpaan...@gmail.com> 
wrote:
>Chris, I am testing it by logging into the website using basic
>authentication and then waiting for the time out duration and try to
>access
>the page again. I am expecting to be challenged for credentials again
>when
>I tried to access the page after the timeout. But I am never challenged
>after the timeout - ever after several hours beyond the timeout value.
>
>But I see the following messages in my log file... I suspect my session
>modules are not configured correctly?
>
>[Wed Aug 24 08:41:46.851228 2016] [session:warn] [pid 61410:tid
>140098663421696] [client x.x.x.x:5675] AH01815: session is enabled but
>no
>session modules have been configured, session not loaded:
>
>I have the following in my httpd.conf:
>
>LoadModule session_module modules/mod_session.so
>LoadModule session_cookie_module modules/mod_session_cookie.so
>#LoadModule session_dbd_module modules/mod_session_dbd.so
>***
>
>Session on
>SessionMaxAge 1
>AuthType Basic
>AuthLDAPBindDN "x"
>AuthLDAPBindPassword ""
>AuthBasicProvider ldap
>AuthName "LDAP - login"
>AuthLDAPURL "x"
>Require valid-user
>Require ldap-group ""
>AuthLDAPRemoteUserAttribute uid
>
>
>Any thoughts on what I am missing?
>
>Thanks!
>
>
>
>On Tue, Aug 23, 2016 at 3:29 PM, Christopher Schultz <
>ch...@christopherschultz.net> wrote:
>
>> Roger,
>>
>> On 8/23/16 4:26 PM, Roger Paanini wrote:
>> > Folks, I have tried to configure httpd with session timeout but it
>> > does not seem to work. My httpd.conf has the following:
>> >
>> > Session on SessionMaxAge 1 AuthType Basic ***
>> >
>> > I was trying to put a timeout value of 1 sec just to test. This is
>> > not working. Am I missing something?
>> >
>> > Thanks for any pointers on this.
>>
>> How are you testing it? What did you expect? What happened if it
>> wasn't what you expected?
>>
>> - -chris


Re: [users@httpd] "localhost/index.php" don't run.

2016-08-21 Thread Marat Khalili
How is PHP configured in Apache? (Is it?) There are several ways to do it, 
mod_php is probably easiest.
-- 

With Best Regards,
Marat Khalili

Re: [users@httpd] 404 rewrite error using special character \

2016-08-19 Thread Marat Khalili
What about trying:

RewriteRule ^\# \%2523 [R,L,NE]

? (Not sure if NE is necessary, but it won't hurt.) Let's break the system!

BTW I don't think using # as part of the request path is a good idea, since 
browsers, libraries and proxies may treat it as fragment delimiter and behave 
accordingly (for instance, fail to reload page on just fragment change).
-- 

With Best Regards,
Marat Khalili

On August 19, 2016 8:20:28 AM GMT+03:00, elliott sterling 
<elliottlsterl...@gmail.com> wrote:
>I learned that the error was that it was looking for folder or
>directory "/#". So after I created that folder I get endless
>redirect loop. So I am researching how to fix that.
>
>> On Aug 19, 2016 at 12:45 AM, <icici...@gmail.com> wrote:
>>
>> On Fri, Aug 19, 2016 at 12:16 PM, elliott sterling <elliottlsterl...@gmail.com> wrote:
>>
>> >  Hello,
>> >  
>> >  My project for this client is such that his directories contain
>"#" in
>> >  the folder names, #test, and other symbols. The '#' is the only
>one
>> >  that gives me problems because I know it's an anchor and htaccess
>ignores
>> >  it. My rewrite code is:
>> >  
>> >  RewriteRule [^\#] \%23
>>  
>>
>>  
>> Try adding NE flag at the end:
>>  
>>  RewriteRule ^\# \%23 [R,L,NE]
>>  
>>  
>> >  
>> >  My goal was to convert the '#' to %23 because it works as
>> >  http://example.com/%23test/test.html but not as
>> >  http://example.com/#test/test.html.
>> >  The error I get is:
>> >  
>> >  The requested URL /# was not found on this server.
>> >  
>> >  So I am on the right track, as when I try ^# %23 the # is ignored, or
>> >  other variations give me a 500 error. Thanks for any help.


Re: [users@httpd] HTTPD asking for password after power failure

2016-08-12 Thread Marat Khalili
From what I saw, this behavior of /dev/random is totally normal on an idle 
Linux system. Just do not ever use /dev/random.
-- 

With Best Regards,
Marat Khalili

On July 30, 2016 6:04:42 AM GMT+03:00, Nick Williams 
<nicho...@nicholaswilliams.net> wrote:
>It took me a while to get back to this (it’s not a mission-critical
>server, but I have hit a point where I really do need to get it working
>again).
>
>`apachectl restart` hung for many, many minutes without any input, and
>I eventually quit it. I ran it again with `strace -Ff apachectl
>restart`. Towards the end it had read all of the vhost config files and
>opened up the request and error logs configured in them, and it read
>the media types config file:
>
>[pid 22537] read(35, "# This file maps Internet media "..., 4096) =
>4096
>
>But after that is where things got weird:
>
>[pid 22537] mmap(NULL, 8192, PROT_READ|PROT_WRITE,
>MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f73aff27000
>[pid 22537] open("/dev/random", O_RDONLY|O_CLOEXEC) = 35
>[pid 22537] read(35, " p$\242\33\241", 1024) = 6
>[pid 22537] read(35, "\205\31\345\274A\336", 1018) = 6
>[pid 22537] read(35, "\335\16\7\370\343\311", 1012) = 6
>[pid 22537] read(35, "\265\362\20}F\234", 1006) = 6
>[pid 22537] read(35, "\223}\\\0+\242", 1000) = 6
>[pid 22537] read(35, 
>
>Each `read` line there took about a full minute. It’s spending FOREVER
>reading from /dev/random. That led me to try to read from /dev/random,
>and it is only generating a byte every few seconds. I don’t know why,
>but /dev/random appears to be borked on this machine.
>
>I changed ssl-global.conf to use /dev/urandom instead of /dev/random,
>and it started right up in a matter of seconds.
>
>I know this is now off-topic, but does anyone know why /dev/random
>would suddenly be gathering almost no entropy? I have never had this
>problem on this system before.
>
>Thanks,
>
>Nick
>
>> On Jul 16, 2016, at 9:56 PM, Frank Gingras <thu...@apache.org> wrote:
>> 
>> Try to use apachectl restart instead to bypass your init scripts. The
>latter are likely to hide actual errors that would appear on STDERR.
>> 
>> If apachectl restart still gives you that error, perhaps your distro
>mangled it as well. Then, I would use strace with httpd -X to get the
>complete picture.
>> 
>> On Sat, Jul 16, 2016 at 6:47 AM, Nicholas Williams
><nicho...@nicholaswilliams.net <mailto:nicho...@nicholaswilliams.net>>
>wrote:
>> I have a server running OpenSUSE 42.1 with stock Apache HTTPD 2
>installed from the package manager. It has been running without issue
>for well over a year. We've restarted the service and the server since
>then without issue. The service always starts  on its own when the
>server boots.
>> 
>> Last night we had a power failure. The server came up fine. All
>services, including MySQL, started fine. No obvious issues appear
>anywhere. But HTTPD didn't start automatically. So I logged in to the
>server to investigate and try to start it.
>> 
>> `service apache2 status` said FAILED with no details.
>`/var/log/apache2/error_log` showed nothing since the day before the
>power failure.
>> 
>> `service apache2 start` hung for about 2 minutes, and then said
>FAILED with no details. `/var/log/apache2/error_log` still showed
>nothing since the day before the power failure. There was nothing in
>the system log since my log-in to the server.
>> 
>> So I tried `strace -Ff service apache2 start`. The only thing I see
>suspicious is it calls open on `/run/systemd/ask-password-block`. It
>appears it times out after never receiving a password. But I have no
>idea why it would do that. None of my SSL certificates have
>passphrases, and I've always been able to start HTTPD without a
>password.
>> 
>> I'm at a loss here. Any suggestions?
>> 
>> Thanks,
>> 
>> Nick


Re: [users@httpd] Content negotiation with language subtags

2016-07-15 Thread Marat Khalili
According to RFC 2616 
<https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html>:

   Note: This use of a prefix matching rule does not imply that
   language tags are assigned to languages in such a way that it is
   always true that if a user understands a language with a certain
   tag, then this user will also understand all languages with tags
   for which this tag is a prefix. The prefix rule simply allows the
   use of prefix tags if this is the case.
Thus the server must not simply return "de" version in response to 
"de-DE" request from the client. The browser is probably in error in not 
stating that "de" version is acceptable (likewise for "en").


--

With Best Regards,
Marat Khalili

On 15/07/16 14:31, Martin Reinders wrote:

I am using content negotiation to present different HTML pages
depending on the browsers language preference. This works in general,
but not with language "subtags", e.g. if the preferred language is sent
as "de-DE" only.

Here is my setup (reduced to two languages for simplicity):
--
// .htaccess:
AddHandler type-map var
DirectoryIndex index.var
LanguagePriority en de
ForceLanguagePriority Prefer Fallback

// index.var:
URI: index

URI: index.en.html
Content-type: text/html
Content-language: en

URI: index.de.html
Content-type: text/html
Content-language: de

// index.en.html: English index page
// index.de.html: German index page
--

This works as expected when the client sends the preferred language as

Accept-Language: de,en;q=0.8

and "index.de.html" is returned from the Apache server. But with

Accept-Language: de-DE,en-US;q=0.8

the server returns "index.en.html", so apparently "de-DE" does not match
"de" when the language is negotiated.

Do I really have to add all possible combinations in "index.var", such
as "de, de-DE, de-CH, de-AT" for German? Or is there a way to specify
"match this language with any language subtags"? My naive approach
"de-*" did not work.

Or is it a bug in the HTTP client (in my case: Android WebView) if it
sends only "de-DE" in the Accept-Language header, without a plain "de"?

Thanks for any help,
Martin




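The RFC 2616 prefix rule quoted in the reply, worked through as an added example that is not part of the thread and not Apache's own mod_negotiation code: a small Python model of language-range matching plus the LanguagePriority fallback. The `Variant` type, the `VARIANTS` and `PRIORITY` values and the way the fallback is modelled are assumptions of this example; the header values mirror the ones in the question.

```python
# Added example, not from the thread: a model of the RFC 2616 section 14.4
# language-range matching rule, plus the LanguagePriority fallback Apache
# applies when nothing matches. Variant names and header values are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Variant:
    uri: str        # file served, e.g. index.de.html
    language: str   # its Content-language tag, e.g. "de"


def parse_accept_language(header):
    """Turn 'de-DE,en-US;q=0.8' into [(range, q), ...] ordered by q, highest first.
    Ranges with equal q keep their header order (the sort is stable)."""
    ranges = []
    for item in header.split(","):
        item = item.strip()
        if not item:
            continue
        parts = [p.strip() for p in item.split(";")]
        q = 1.0
        for param in parts[1:]:
            if param.lower().startswith("q="):
                try:
                    q = float(param[2:])
                except ValueError:
                    q = 0.0  # malformed qvalue: treat as "not acceptable"
        ranges.append((parts[0].lower(), q))
    ranges.sort(key=lambda r: r[1], reverse=True)
    return ranges


def range_matches(language_range, tag):
    """RFC 2616 14.4: a range matches a tag if it equals the tag, or if it is a
    prefix of the tag such that the next character in the tag is '-'.
    The range comes from the client, the tag from the server's variant, so
    client 'de' matches variant 'de-DE', but client 'de-DE' does NOT match 'de'."""
    language_range = language_range.lower()
    tag = tag.lower()
    if language_range == "*":
        return True
    return language_range == tag or tag.startswith(language_range + "-")


def negotiate(accept_language, variants, language_priority):
    """Pick a variant URI for the request, or fall back to the first language
    from language_priority that exists (models ForceLanguagePriority Fallback)."""
    for language_range, q in parse_accept_language(accept_language):
        if q <= 0:
            continue  # q=0 means the client explicitly rejects this range
        for variant in variants:
            if range_matches(language_range, variant.language):
                return variant.uri
    for lang in language_priority:
        for variant in variants:
            if variant.language.lower() == lang.lower():
                return variant.uri
    return None


# Constructed mirror of the type map in the question: two variants, en preferred.
VARIANTS = (Variant("index.en.html", "en"), Variant("index.de.html", "de"))
PRIORITY = ("en", "de")

if __name__ == "__main__":
    print(negotiate("de,en;q=0.8", VARIANTS, PRIORITY))        # index.de.html
    print(negotiate("de-DE,en-US;q=0.8", VARIANTS, PRIORITY))  # index.en.html (fallback)
```

The second call reproduces the behaviour reported in the question: neither "de-DE" nor "en-US" is a prefix of "de" or "en", so nothing matches and the fallback serves the first LanguagePriority entry. The match does work in the other direction: a client sending plain "de" is served a "de-DE" variant, which is why the reply places the omission on the client side.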



Re: [users@httpd] Implement request white list in Apache

2016-07-08 Thread Marat Khalili

You can do this with mod_rewrite:

RewriteCond %{REQUEST_URI} !^allowed_url_1$
RewriteCond %{REQUEST_URI} !^allowed_url_2$
...
RewriteCond %{REQUEST_URI} !^allowed_url_N$
RewriteRule .* - [F,L]


--

With Best Regards,
Marat Khalili
 


On 08/07/16 13:53, Joice Joseph wrote:

Hi All,

Can someone help me to make Apache work in such a way that it will 
block all requests by default and process only those 
specified requests to the Tomcat server.


--
Cheers

Joice Joseph





Re: [users@httpd] Apache listening on UDP ports

2016-07-06 Thread Marat Khalili
Well, you can redirect UDP to TCP with tools like netcat. Not sure what you 
want to achieve, though. HTTP is mostly stream-oriented IMO.
-- 

With Best Regards,
Marat Khalili

On July 6, 2016 7:09:22 PM GMT+03:00, Hermes Moraes <hermes.mor...@gmail.com> 
wrote:
>Dear all,
>
>   I'm wondering how to get Apache listening on TCP and UDP ports. I've
>found an option through Apache CXF framework but it seems to be quite
>complex (Web-Services, XML, etc.).
>   All I need is a simple HTTP server with one or two simple web pages
>answering requests on TCP or UDP ports. Any idea/direction?
>
>With best regards,
>Hermes.


Re: [users@httpd] ProxyPreserveHost doesn't work with SSL

2016-07-04 Thread Marat Khalili

On 04/07/16 17:29, Eric Covener wrote:

SNI is in the ClientHello, you'd be able to eliminate/confirm that bit.


Yes you're right. But now I cannot reproduce original problem. And SNI 
is correctly transferred from client in packet capture. Either the 
problem is transient or it's gone. Will post again if I see it appear again.


--

With Best Regards,
Marat Khalili




Re: [users@httpd] ProxyPreserveHost doesn't work with SSL

2016-07-04 Thread Marat Khalili


On 04/07/16 16:19, Eric Covener wrote:

packet capture.
Tried to already. Seems like Wireshark cannot decrypt TLS 1.2 exchange 
with Server Key Exchange part present.


--

With Best Regards,
Marat Khalili




Re: [users@httpd] ProxyPreserveHost doesn't work with SSL

2016-07-04 Thread Marat Khalili

On 01/07/16 23:19, Yann Ylavic wrote:

On Fri, Jul 1, 2016 at 6:26 PM, Marat Khalili <m...@rqc.ru> wrote:

Is the header Host sent by the proxy different from the one sent by
the client (with and without using SSL) or are you talking about the
SNI (in the SSL handshake) which is not set when using SSL?
I don't know how to check what Apache is actually sending to back-end 
server. I could make another experiment on a fresh Apache installation 
with many SSL virtual hosts but: (1) it still won't be IIS; (2) I 
suppose there must be easier way to find out. I have only one IIS and 
it's being used in production, so I don't want to twiddle it.



In the latter case, you may need this fix released in from 2.4.20
(http://svn.apache.org/r1733474).

Sounds like it. Will take a look at package update plans.

--

With Best Regards,
Marat Khalili




[users@httpd] ProxyPreserveHost doesn't work with SSL

2016-07-01 Thread Marat Khalili

Dear all,

I'm reverse proxying requests on Apache/2.4.18 (stock version on Ubuntu 
16.04) via SSL to an application running on IIS 7.0. Somehow, despite 
ProxyPreserveHost, IIS app manages to sniff IP-address 10.1.2.3 
specified in ProxyPass (see below) and breaks. If I replace 10.1.2.3 
with myapp.com and put "10.1.2.3 myapp.com" in /etc/hosts everything 
works (but I don't like the solution).


Because of SSL the problem is somewhat hard to debug, can't just packet 
trace. I tried to replace IIS application with CGI script on different 
Apache, without SSL, and found that ProxyPreserveHost is not ignored 
(environment variable SERVER_NAME set correctly to myapp.com). I guess 
for SSL the ProxyPreserveHost is implemented partially, i.e. for Host 
header but not for SNI. Any ideas on how to investigate?


Here's the complete virtualhost configuration:
---

ServerName myapp.com

SSLEngine on
SSLCertificateFile  /etc/ssl/certs/myapp.pem
SSLCertificateKeyFile /etc/ssl/private/myapp.key

SSLProxyEngine on
SSLProxyProtocol all
SSLProxyCipherSuite ALL
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off


ProxyPreserveHost on
ProxyPass https://10.1.2.3/ connectiontimeout=300 timeout=300
ProxyPassReverse /
ProxyPassReverseCookieDomain myapp.com 10.1.2.3


---

--

With Best Regards,
Marat Khalili




Re: [users@httpd] Re: CLOSED - Re: [users@httpd] Macros + Require constructs

2016-06-19 Thread Marat Khalili

On 18/06/16 22:03, John Allen wrote:
Interestingly, without the RequireAll around the "Require user %user" 
it does not work.


Sounds like a bug?

--

With Best Regards,
Marat Khalili





Re: [users@httpd] Change TMP dir

2016-05-24 Thread Marat Khalili

One other thought.  If the proxy's backend supports HTTP/1.1
then there's no reason to spool any tempfile in the first place.
Check out proxy-sendchunked vs proxy-sendcl in the docs.
I'd also check if it's Apache creating temporary files and not user 
agent. E.g. Windows WebClient may do it.


--

With Best Regards,
Marat Khalili



Re: [users@httpd] Re: Want friendly error message for failed attempt to access a restricted directory

2016-05-11 Thread Marat Khalili

On 11/05/16 16:35, Tom Browder wrote:

Is there any way via CGI to check for a valid client cert?  If so, I
could interject another script to do that at the Enter button.
Client verification state should be visible to a CGI script via SSL_* 
environment variables. SSL_CLIENT_VERIFY looks promising.


--

With Best Regards,
Marat Khalili



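The check suggested above, as an added example that is not part of the thread: a CGI script that reads mod_ssl's SSL_CLIENT_VERIFY and SSL_CLIENT_S_DN variables (exported to CGI with `SSLOptions +StdEnvVars`) and returns a friendly message instead of a bare 403. The script can only run when the TLS handshake completed, so it applies to a directory configured with `SSLVerifyClient optional` rather than `require`; with `optional`, the script itself is the access check and must refuse everything but SUCCESS. The message texts and the status classification names are constructed for this example.

```python
# Added example, not from the thread: CGI access check on mod_ssl's
# SSL_CLIENT_VERIFY / SSL_CLIENT_S_DN variables (needs "SSLOptions +StdEnvVars"
# and "SSLVerifyClient optional" so that the handshake completes and the script
# runs). Message texts are constructed for this example.
import html
import os


def client_cert_status(environ):
    """Classify the mod_ssl verification result for this request.

    SSL_CLIENT_VERIFY values: SUCCESS (chain verified), NONE (no certificate
    presented), FAILED:<reason> (presented but rejected), GENEROUS (accepted
    without a CA check, only with optional_no_ca). Anything but SUCCESS is
    treated as unauthenticated."""
    verify = environ.get("SSL_CLIENT_VERIFY", "")
    if verify == "SUCCESS":
        return "ok"
    if verify in ("", "NONE"):
        return "no_cert"
    if verify.startswith("FAILED"):
        return "invalid"
    return "unverified"


def render_response(environ):
    """Return (CGI status line, HTML body) for the request described by environ."""
    status = client_cert_status(environ)
    if status == "ok":
        # The subject DN comes from the certificate: escape it before echoing.
        subject = html.escape(environ.get("SSL_CLIENT_S_DN", "unknown subject"))
        return "200 OK", f"<p>Welcome, {subject}.</p>"
    if status == "no_cert":
        body = ("<p>Sorry, you must have a valid client certificate. "
                "Contact your CS Rep to get one.</p>")
    else:
        body = ("<p>Your client certificate could not be verified. "
                "Contact your CS Rep for a replacement.</p>")
    return "403 Forbidden", body


def main():
    """CGI entry point: the Status header makes Apache send a real 403."""
    status, body = render_response(os.environ)
    print(f"Status: {status}")
    print("Content-Type: text/html; charset=utf-8")
    print()
    print(body)


if __name__ == "__main__":
    main()
```

Keep the protected content itself out of the `optional` directory, or behind a `require` block: this script only decorates the refusal, it does not replace the server-side check for the files that matter.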


Re: [users@httpd] Re: Want friendly error message for failed attempt to access a restricted directory

2016-05-11 Thread Marat Khalili
There's no code at all. HTTP connection is not even established. I don't 
think it can be easily solved. You have to ALLOW connections from 
clients without valid certificate in order to send them your custom 
message, and the resulting reduction of security is probably not worth it.


--

With Best Regards,
Marat Khalili

On 11/05/16 15:28, Tom Browder wrote:

On Wed, May 11, 2016 at 7:19 AM, Tom Browder <tom.brow...@gmail.com> wrote:

I am running Apache 2.4.18 and have one site (https://usafa-1965.org)
that requires a client certificate to access a restricted directory
("Classmates
Only").  How can I return a friendlier message than, e.g., Chrome
emits when a user without a valid certificate attempts to access the
restricted directory?

...

I think I can do something like this:

   
SSLOptions +StrictRequire
SSLVerifyClient require
# do NOT allow dir listings
Options -Indexes
# error 403 is "Forbidden"
ErrorDocument 403 "Sorry, you must have a valid client
certificate.\nContact your CS Rep to get one."
  

That doesn't work, so maybe I have the wrong error code.  How can I
see what error code is actually being returned?

-Tom






Re: [users@httpd] I need to activate a NULL cipher in modssl

2016-05-03 Thread Marat Khalili
Been discussed recently, see 
https://www.spinics.net/lists/apache-users/msg112140.html (or other 
browser for this maillist). I still vote for stunnel.


--

With Best Regards,
Marat Khalili
 


On 03/05/16 16:48, Gaetan Njinang wrote:

Hello,

Please, I have a problem. I need to activate NULL cipher in modssl.

I need to implement a strong authentication between two servers 
groups. First group of servers: reverse proxies. Second group of 
servers: backend application servers.
It is very important to not increase the load of reverse proxies 
(because they are already overloaded - they will not support the price 
of ciphering communications). So, I need to force the proxies servers 
and the backends to negotiate a NULL cipher. Conceptually, it makes 
sense, since I just need authentication.


Can someone help me on that, please ? Is it possible without 
recompiling apache and/or the modssl ?


Thanks






Re: [users@httpd] Apache keeping open deleted files

2016-04-18 Thread Marat Khalili
Well, apparently they are used as locks (mutexes) so that multiple 
Apache processes could safely access common resources. You can guess 
specific resources by file names. (Disclaimer: I'm not an Apache 
developer, probably one of them reading this will give better answer.)


The process shouldn't need to end for the file to disappear - just the 
file descriptor to be closed.
Yes, that's correct. What I wanted to say (but didn't) is such files 
disappear by themselves even if process that uses them ends abnormally 
and doesn't have chance to execute clean up.


--

With Best Regards,
Marat Khalili

On 18/04/16 12:49, David Cunningham wrote:

Hi Marat,

Thanks for the reply. Do you know why Apache keeps them open? The 
process shouldn't need to end for the file to disappear - just the 
file descriptor to be closed.



On 18 April 2016 at 16:54, Marat Khalili <m...@rqc.ru 
<mailto:m...@rqc.ru>> wrote:


Hello David,

It is a normal practice in Linux to delete temporary files
immediately after creating them. These files will still work for
the process that keeps them open, and will automatically disappear
as soon as the process ends.

I typed lsof /run/lock on a couple of my Ubuntu machines with
Apache installed, and the output was similar to yours.

--

With Best Regards,
Marat Khalili

On 18/04/16 08:25, David Cunningham wrote:

Hi,

While reviewing filesystem usage we noticed lots of deleted files
still open by Apache, as reported by lsof. Some example lines are
below.

Can anyone advise why Apache is keeping these files open, and if
there's anything we can do about it? I have verified that the
process numbers listed are still existing processes.

The server is running Apache 2.4.7-1ubuntu4.8 on Ubuntu 14.04
server, 64bit. Thank you in advance.

/usr/sbin 13262 root 23w  REG 0,19   0 
110619773 /run/lock/apache2/rewrite-map.13262 (deleted)
/usr/sbin 13262 root 24w  REG 0,19   0 
105844737 /run/lock/apache2/ssl-cache.13261 (deleted)
/usr/sbin 22669 apacheuser 23w  REG 0,19   0 
110619773 /run/lock/apache2/rewrite-map.13262 (deleted)
/usr/sbin 22669 apacheuser 24w  REG 0,19   0 
105844737 /run/lock/apache2/ssl-cache.13261 (deleted)
/usr/sbin 22669 22671   apacheuser 23w  REG 0,19   0 
110619773 /run/lock/apache2/rewrite-map.13262 (deleted)
/usr/sbin 22669 22671   apacheuser 24w  REG 0,19   0 
105844737 /run/lock/apache2/ssl-cache.13261 (deleted)
/usr/sbin 22669 22672   apacheuser 23w  REG 0,19   0 
110619773 /run/lock/apache2/rewrite-map.13262 (deleted)
/usr/sbin 22669 22672   apacheuser 24w  REG 0,19   0 
105844737 /run/lock/apache2/ssl-cache.13261 (deleted)
/usr/sbin 22669 22673   apacheuser 23w  REG 0,19   0 
110619773 /run/lock/apache2/rewrite-map.13262 (deleted)
/usr/sbin 22669 22673   apacheuser 24w  REG 0,19   0 
105844737 /run/lock/apache2/ssl-cache.13261 (deleted)
/usr/sbin 22669 22674   apacheuser 23w  REG 0,19   0 
110619773 /run/lock/apache2/rewrite-map.13262 (deleted)
/usr/sbin 22669 22674   apacheuser 24w  REG 0,19   0 
105844737 /run/lock/apache2/ssl-cache.13261 (deleted)



-- 
David Cunningham, Voisonics

http://voisonics.com/
USA: +1 213 221 1092
UK: +44 (0) 20 3298 1642
Australia: +61 (0) 2 8063 9019





--
David Cunningham, Voisonics
http://voisonics.com/
USA: +1 213 221 1092
UK: +44 (0) 20 3298 1642
Australia: +61 (0) 2 8063 9019




Re: [users@httpd] Apache keeping open deleted files

2016-04-18 Thread Marat Khalili

Hello David,

It is a normal practice in Linux to delete temporary files immediately 
after creating them. These files will still work for the process that 
keeps them open, and will automatically disappear as soon as the process 
ends.


I typed lsof /run/lock on a couple of my Ubuntu machines with Apache 
installed, and the output was similar to yours.


--

With Best Regards,
Marat Khalili

On 18/04/16 08:25, David Cunningham wrote:

Hi,

While reviewing filesystem usage we noticed lots of deleted files 
still open by Apache, as reported by lsof. Some example lines are below.


Can anyone advise why Apache is keeping these files open, and if 
there's anything we can do about it? I have verified that the process 
numbers listed are still existing processes.


The server is running Apache 2.4.7-1ubuntu4.8 on Ubuntu 14.04 server, 
64bit. Thank you in advance.


/usr/sbin 13262 root   23w REG   
0,19   0  110619773 /run/lock/apache2/rewrite-map.13262 (deleted)
/usr/sbin 13262 root   24w REG   
0,19   0  105844737 /run/lock/apache2/ssl-cache.13261 (deleted)
/usr/sbin 22669 apacheuser   23w REG   
0,19   0  110619773 /run/lock/apache2/rewrite-map.13262 (deleted)
/usr/sbin 22669 apacheuser   24w REG   
0,19   0  105844737 /run/lock/apache2/ssl-cache.13261 (deleted)
/usr/sbin 22669 22671   apacheuser   23w REG   
0,19   0  110619773 /run/lock/apache2/rewrite-map.13262 (deleted)
/usr/sbin 22669 22671   apacheuser   24w REG   
0,19   0  105844737 /run/lock/apache2/ssl-cache.13261 (deleted)
/usr/sbin 22669 22672   apacheuser   23w REG   
0,19   0  110619773 /run/lock/apache2/rewrite-map.13262 (deleted)
/usr/sbin 22669 22672   apacheuser   24w REG   
0,19   0  105844737 /run/lock/apache2/ssl-cache.13261 (deleted)
/usr/sbin 22669 22673   apacheuser   23w REG   
0,19   0  110619773 /run/lock/apache2/rewrite-map.13262 (deleted)
/usr/sbin 22669 22673   apacheuser   24w REG   
0,19   0  105844737 /run/lock/apache2/ssl-cache.13261 (deleted)
/usr/sbin 22669 22674   apacheuser   23w REG   
0,19   0  110619773 /run/lock/apache2/rewrite-map.13262 (deleted)
/usr/sbin 22669 22674   apacheuser   24w REG   
0,19   0  105844737 /run/lock/apache2/ssl-cache.13261 (deleted)



--
David Cunningham, Voisonics
http://voisonics.com/
USA: +1 213 221 1092
UK: +44 (0) 20 3298 1642
Australia: +61 (0) 2 8063 9019




Re: [users@httpd] Apache with mod_rewrite and mod_proxy doesn't work / P Flag

2016-04-05 Thread Marat Khalili
OOPS, sorry, posted too fast. According to logs RewriteRule does not 
perform internal redirect. You might try ProxyPass instead.


--

With Best Regards,
Marat Khalili

On 05/04/16 16:17, Marat Khalili wrote:
You also need ProxyPassReverse in order to rewrite header URLs from 
the backend, and probably ProxyPassReverseCookieDomain and 
ProxyPassReverseCookiePath too.


--

With Best Regards,
Marat Khalili

On 05/04/16 14:01, Rael wrote:

Hello,

I'm in the process to use Apache as a reverse proxy with mod_rewrite to have 
nicer URLs for an APEX-application.

The user should never see the actual URLs from 
app1.example.com:/apex..., that's why I use mod_proxy too.

Alas, it doesn't work.

  


Current settings in default vhost:

 
   Options Indexes FollowSymLinks MultiViews
   AllowOverride All
   Order allow,deny
   allow from all

   ### Rewrite Rules ###

   RewriteEngine On
   LogLevel alert rewrite:trace6

   RewriteRule ^$ http://app1.example.com:/apex/f?p=111:3

   #
 

For example with "RewriteRule ^$ http://app1.example.com:/apex/f?p=111:3" 
the user gets a http redirection from e.g. http://localhost 
to http://app1.example.com:/apex/f?p=111:3 and then he also sees this last URL in his 
browser, which I don't want.

Infos from the log when I sent a request with the previous rewrite rule:

 [perdir /var/www/html/] strip per-dir prefix: /var/www/html/ ->
 [perdir /var/www/html/] applying pattern '^$' to uri ''
 [perdir /var/www/html/] rewrite '' -> 'http://app1.example.com:
   /apex/f?p=111:3'
 split uri=http://app1.example.com:/apex/f?p=111:3 ->
   uri=http://app1.example.com:/apex/f, args=p=111:3
 [perdir /var/www/html/] implicitly forcing redirect (rc=302) with
   http://app1.example.com:/apex/f
 [perdir /var/www/html/] escaping http://app1.example.com:
   /apex/f?p=111:3 for redirect
 [perdir /var/www/html/] escaping p=111:3 to query string for redirect
   p=111:3
 [perdir /var/www/html/] redirect to http://app1.example.com:
   /apex/f?p=111:3 [REDIRECT/302]

Adding the flag [P] to the RewriteRule, as far as I see it, should bring the 
desired behavior, but doesn't. I just get the index page from apache.

 From the logs, with [P] flag added to the previous rule:

 [perdir /var/www/html/] strip per-dir prefix: /var/www/html/ ->
 [perdir /var/www/html/] applying pattern '^$' to uri ''
 [perdir /var/www/html/] rewrite '' -> 'http://app1.example.com:
   /apex/f?p=111:3'
 uri=http://app1.example.com:/apex/f?p=111:3  ->
   uri=http://app1.example.com:/apex/f, args=p=111:3
 [perdir /var/www/html/] escaped URI in per-dir context for proxy,
   http://app1.example.com:/apex/f -> http://app1.example.com:
   /apex/f
 [perdir /var/www/html/] forcing proxy-throughput with
   http://app1.example.com:/apex/f
 [perdir /var/www/html/] go-ahead with proxy request
   proxy:http://app1.example.com:/apex/f?p=111:3  [OK]
 [perdir /var/www/html/] strip per-dir prefix: /var/www
   /html/index.html -> index.html
 [perdir /var/www/html/] applying pattern '^$' to uri 'index.html'
 [perdir /var/www/html/] pass through /var/www/html/index.html

OS: Ubuntu 14.04 Apache(with mod_rewrite and mod_proxy enabled): 2.4.7

Thank you!








Re: [users@httpd] Apache with mod_rewrite and mod_proxy doesn't work / P Flag

2016-04-05 Thread Marat Khalili
You also need ProxyPassReverse in order to rewrite header URLs from the 
backend, and probably ProxyPassReverseCookieDomain and 
ProxyPassReverseCookiePath too.


--

With Best Regards,
Marat Khalili

On 05/04/16 14:01, Rael wrote:

Hello,

I'm in the process to use Apache as a reverse proxy with mod_rewrite to have 
nicer URLs for an APEX-application.

The user should never see the actual URLs from 
app1.example.com:/apex..., that's why I use mod_proxy too.

Alas, it doesn't work.

  


Current settings in default vhost:

 
   Options Indexes FollowSymLinks MultiViews
   AllowOverride All
   Order allow,deny
   allow from all

   ### Rewrite Rules ###

   RewriteEngine On
   LogLevel alert rewrite:trace6

   RewriteRule ^$ http://app1.example.com:/apex/f?p=111:3

   #
 

For example with "RewriteRule ^$ http://app1.example.com:/apex/f?p=111:3" 
the user gets a http redirection from e.g. http://localhost to 
http://app1.example.com:/apex/f?p=111:3 and then he also sees this last URL in his 
browser, which I don't want.

Infos from the log when I sent a request with the previous rewrite rule:

 [perdir /var/www/html/] strip per-dir prefix: /var/www/html/ ->
 [perdir /var/www/html/] applying pattern '^$' to uri ''
 [perdir /var/www/html/] rewrite '' -> 'http://app1.example.com:
   /apex/f?p=111:3'
 split uri=http://app1.example.com:/apex/f?p=111:3 ->
   uri=http://app1.example.com:/apex/f, args=p=111:3
 [perdir /var/www/html/] implicitly forcing redirect (rc=302) with
   http://app1.example.com:/apex/f
 [perdir /var/www/html/] escaping http://app1.example.com:
   /apex/f?p=111:3 for redirect
 [perdir /var/www/html/] escaping p=111:3 to query string for redirect
   p=111:3
 [perdir /var/www/html/] redirect to http://app1.example.com:
   /apex/f?p=111:3 [REDIRECT/302]

Adding the flag [P] to the RewriteRule, as far as I see it, should bring the 
desired behavior, but doesn't. I just get the index page from apache.

 From the logs, with [P] flag added to the previous rule:

 [perdir /var/www/html/] strip per-dir prefix: /var/www/html/ ->
 [perdir /var/www/html/] applying pattern '^$' to uri ''
 [perdir /var/www/html/] rewrite '' -> 'http://app1.example.com:
   /apex/f?p=111:3'
 uri=http://app1.example.com:/apex/f?p=111:3 ->
   uri=http://app1.example.com:/apex/f, args=p=111:3
 [perdir /var/www/html/] escaped URI in per-dir context for proxy,
   http://app1.example.com:/apex/f -> http://app1.example.com:
   /apex/f
 [perdir /var/www/html/] forcing proxy-throughput with
   http://app1.example.com:/apex/f
 [perdir /var/www/html/] go-ahead with proxy request
   proxy:http://app1.example.com:/apex/f?p=111:3 [OK]
 [perdir /var/www/html/] strip per-dir prefix: /var/www
   /html/index.html -> index.html
 [perdir /var/www/html/] applying pattern '^$' to uri 'index.html'
 [perdir /var/www/html/] pass through /var/www/html/index.html

OS: Ubuntu 14.04 Apache(with mod_rewrite and mod_proxy enabled): 2.4.7

Thank you!

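A complete virtual host that does what this thread is after, added here as an example; it is not Rael's or Marat's configuration. The public host name and the backend port are assumptions (the port was lost from the original message). Two things differ from the per-directory rule above: in virtual-host context the pattern has to match the leading slash, and proxying only the root is not enough, because every link APEX then emits points under /apex/ and would be served locally (and 404) unless that prefix is proxied as well.

```apache
<VirtualHost *:80>
    # Assumed public name.
    ServerName www.example.com

    # A reverse proxy must never also be an open forward proxy.
    ProxyRequests Off

    RewriteEngine On
    # Site root only: fetch the APEX entry page through the proxy instead of
    # redirecting the browser to it. 8080 stands in for the backend port that
    # the original message lost.
    RewriteRule ^/$ http://app1.example.com:8080/apex/f?p=111:3 [P,L]

    # Everything APEX links to lives under /apex/, so proxy that prefix too.
    ProxyPass        /apex/ http://app1.example.com:8080/apex/
    # Rewrite Location and Content-Location headers sent by the backend so a
    # redirect to app1.example.com never reaches the browser.
    ProxyPassReverse /apex/ http://app1.example.com:8080/apex/
    # Cookies scoped to the backend host must be re-scoped to the public host,
    # otherwise the browser discards them.
    ProxyPassReverseCookieDomain app1.example.com www.example.com
</VirtualHost>
```

With `LogLevel alert rewrite:trace6` left in place, the "go-ahead with proxy request" line in the trace above is what a working [P] rule looks like; the pass-through of index.html that follows it in Rael's log is the sign that the rule was placed where the proxied request fell back to the local DocumentRoot.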





Re: [users@httpd] Quick 2.4 Require question

2016-04-01 Thread Marat Khalili
Yes. According to documentation at 
https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html#require :
When multiple Require directives are used in a single configuration 
section <https://httpd.apache.org/docs/2.4/sections.html#merging> and 
are not contained in another authorization directive like 
<RequireAll> <https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html#requireall>, 
they are implicitly contained within a <RequireAny> 
<https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html#requireany> directive. 
Thus the first one to authorize a user authorizes the entire request, 
and subsequent Require directives are ignored.


You can make your intent more clear with:


  AllowOverride None
  php_value include_path "/srv/cdn/phpinclude"
  <RequireAny>
    Require local
    Require ip 2001:db8::a00:20ff:fea7:ccea
    Require ip 10.1.2.3
  </RequireAny>



Also, "Require local" seems to have only appeared in documentation for 
version 2.5. Are you using 2.5 already?


--

With Best Regards,
Marat Khalili

On 01/04/16 12:15, Michael A. Peters wrote:

Take the following :


  AllowOverride None
  php_value include_path "/srv/cdn/phpinclude"
  Require local
  Require ip 2001:db8::a00:20ff:fea7:ccea
  Require ip 10.1.2.3


I assume that would allow connections from the local host, from the 
IPv6 specified, and from the IPv4 specified - but would refuse 
connections from anywhere else?


Out of town and can't really test to see.

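The same intent written out explicitly, added here as an example and not taken from the thread; the directory paths are placeholders. The first block is what Michael's three bare Require lines already mean, since sibling Require directives merge as RequireAny. The second block is the case where that implicit merge bites: an exclusion needs RequireAll, because inside a RequireAny a `Require not` can never authorize anyone, so `Require all granted` alone would admit the address you meant to block. `Require ip` also takes prefixes, and `Require local` is provided by mod_authz_host in 2.4.

```apache
# Allow-list: any one matching line is enough. Bare Require lines mean exactly this.
# Paths are placeholders.
<Directory "/srv/cdn/protected">
    AllowOverride None
    <RequireAny>
        Require local
        Require ip 2001:db8::a00:20ff:fea7:ccea
        Require ip 10.1.2.3
        # Require ip also accepts prefixes.
        Require ip 10.1.0.0/16
    </RequireAny>
</Directory>

# Exclusion: everyone except one address. This has to be RequireAll. As bare
# lines these would merge into RequireAny, where "Require not" can never
# authorize and "Require all granted" would admit 10.1.2.99 anyway.
<Directory "/srv/cdn/public">
    <RequireAll>
        Require all granted
        Require not ip 10.1.2.99
    </RequireAll>
</Directory>
```

`apachectl -t` accepts both forms; the difference only shows at request time, so test the exclusion from the excluded address before relying on it.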





Re: [users@httpd] Rewrite domain to language specific page but no address bar redirection

2016-03-25 Thread Marat Khalili
It's tricky. Here's a rule set that works for me (but it may depend on 
Apache version and configuration):


# fr-lang {
  RewriteCond %{ENV:REDIRECT_STATUS} ^$
  RewriteCond %{REQUEST_URI} ^/fr$
  RewriteRule ^fr$ http://lang-fr.hostname.com/ [L,R=302]

  RewriteCond %{ENV:REDIRECT_STATUS} ^$
  RewriteCond %{REQUEST_URI} ^/fr/.*$
  RewriteRule ^fr/(.*)$ http://lang-fr.hostname.com/$1 [L,R=302]

  RewriteCond %{HTTP_HOST} ^www\.lang-fr\.hostname\.com$ [NC]
  RewriteRule ^(.*)$ http://lang-fr.hostname.com/$1 [R=301,L]

  RewriteCond %{HTTP_HOST} ^lang-fr\.hostname\.com$ [NC]
  RewriteCond %{REQUEST_URI} !^/fr/.*$
  RewriteRule ^(.*)$ /fr/$1 [L]

  RewriteCond %{HTTP_HOST} ^lang-fr\.hostname\.com$ [NC]
  RewriteRule ^(.*)$ - [L]
# fr-lang }

Repeat for each language (probably it's possible to make a single rule 
set for all languages, but I didn't try it).


--

With Best Regards,
Marat Khalili


On 25/03/16 11:13, Alexandru Duzsardi wrote:


Hello,

I’ve search around on search engines but I could not find any answers 
that solve my dilemma


I have a VirtualHost configured to respond on multiple hostnames

Example: hostname.com , lang-fr.hostname.com , lang-nl.hostname.com , 
fr-lang.hostname.com , nl-lang.hostname.com


Now , what I would like is that

If somebody is accessing lang-fr.hostname.com and fr-lang.hostname.com 
to actually  see the pages under hostname.com/fr/… but without 
redirection


Like lang-fr.hostname.com/users to actually be hostname.com/fr/users , 
and so on for other languages.


I’ve tried some things but always get too many redirects or some other 
error and can’t figure out why that is happening, but if I had to 
guess it is because I’m using RewriteCond correctly.


Thank you in advance!



With respect,

Kind regards,

*Alexandru Duzsardi*

System Administrator

*PITECH+PLUS*

www.pitechplus.com <http://www.pitechplus.com/>

mobil: +4/ 0745-775.258

E-mail: alexandru.duzsa...@pitechnologies.ro 
<mailto:alexandru.duzsa...@pitechnologies.ro>


Adresa: Str. Campul Painii 3-5 (Cladirea Coratim)

Cluj-Napoca

Romania





Re: [users@httpd] Override a File to Same Name in Another Directory

2016-03-13 Thread Marat Khalili
Why is Joomla designed this way?  Seems that yet another MySQL DB 
table could have been designed into the system and the configuration 
extracted from the same, rather than reading the content of a 
configuration.php file.
What stops you from implementing configuration.php the way you describe: 
select parameters set depending on current domain, hard coded or 
obtained from a database? I'm not saying it'll work for sure, but it's 
worth a try IMO.


--

With Best Regards,
Marat Khalili

On 13/03/2016 18:25, Ron Wingfield wrote:
First, thanks for your quick reply.  I suspected there was no “magic” 
in Apache to accomplish my task. My concern is the fact that the 
inclusion of configure.php is embedded in the application system, 
which by-the-way is . . .Joomla.  Aside from being a totally php based 
application (there are no executable binaries, etc.), the Joomla 
people will tell you that an “instance” of Joomla does not support 
multiple domains. In my opinion, this is a serious design oversight by 
omission. What is advertised as a major leading CMS, can only support 
one domain.  In other words, Joomla is designed with only the 
“bed-room blogger” or “mom-and-pop cupcake bakery” in mind.


If your installation is to serve multiple domains, for example a 
corporate headquarters with dozens of branch offices where each branch 
is semi-autonomous and requires a separate MySQL database, then this 
can get ugly.  Each instance of the Joomla core requires approximately 
58MB, not including the MySQL database tables.  The latter regarding 
the DB tables is OK because we want to keep the data segregated . . 
.easier to backup and restore; however, if you are serving dozens of 
branch domains (virtual hosts) where each branch requires a separate 
instance of the Joomla core system, the system objects are redundant . 
. .parallel systems . . .each requiring individual attention every 
time a new “ball is rolled down the ally”.  This is where a symbolic 
link to this common core would be/is practical.  Problem is that a 
configuration file, ./joomla3/configure.php, is embedded within the 
core objects.


This configuration file contains about fifty-eight parameters that 
include arguments such as


   public $sitename = 'Corporate Home Office';
   public $db = 'CorpHQ';
   public $dbprefix = 'joom_';

Alternately, another virtual host could be:

   public $sitename = 'Little Rock Branch';
   public $db = 'LIT';
   public $dbprefix = 'joom_';

Why is Joomla designed this way?  Seems that yet another MySQL DB 
table could have been designed into the system and the configuration 
extracted from the same, rather than reading the content of a 
configuration.php file.  Regardless, this configuration file 
customizes each instance (virtual host).  Were there a way (method) to 
create this custom configuration, ./parent(vhost)/configuration.php 
and override the ./parent/child(joomla3 default 
instance)/configuration.php); then Joomla could easily support 
multiple domains with only one instance of the core code.  (By the 
way, the MySQL DB table schema exists in 
./installation/sql/mysql/joomla.sql.  Execute [ mysql> ./ joomla.sql ] 
to generate the tables; then use phpMyAdmin to change the database 
names as appropriate.)


Which brings us full-circle to why the need to override the 
configuration file.  I have read the Linux document, 
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/Documentation/filesystems/overlayfs.txt 
(BTW, I’m working with FreeBSD v10.2), and yes, the “upper” and 
“lower” directory scenario does sound analogous to the OS/400 override 
concepts.  Also keep in mind that OS/400 is not a hierarchal file 
system but rather what is described as single level storage.  
Analogous to directories are libraries, but all on the same level – 
think of taking a roll of pennies(libraries) and scattering them over 
the shop floor . . .all at the same level. Paths or search orders to 
these libraries are arranged in library lists.  These lists can be 
defined by user profiles, job descriptions, etc.  Another way to avoid 
the override action is to simply rearrange the library list.  For 
example, given the following library list:


   production-lib
   corp-office
   branch-1
   branch-2
   test-lib
   programmer-john-lib

. . .should programmer John want to test his version of a 
configuration file, then he simply moves his library containing the 
file to the top of (or up) the list.. . .sweet!


My apologies if this is a little wordy; I still don’t have a solution, 
but perhaps this will help others understand the Joomla task and 
problems.


Thanks again,
Ron W.


On 3/13/2016 12:57 AM, Marat Khalili wrote:
If you want client requests to http://your.site/config.php be served 
by ./parent/config.php , then the answer is yes -- I'd start with 
mod_rewrite for instance. If config.php is invoked by PHP, not by 
Apache, then you cannot fix it using Apache features -- you really 
n

Re: [users@httpd] Override a File to Same Name in Another Directory

2016-03-12 Thread Marat Khalili
If you want client requests to http://your.site/config.php be served by 
./parent/config.php , then the answer is yes -- I'd start with 
mod_rewrite for instance. If config.php is invoked by PHP, not by 
Apache, then you cannot fix it using Apache features -- you really need 
to change that symbolic link or PHP configuration or something in the 
system. Actual analogue of OVRDBF as I understand it in Linux is 
OverlayFS, but it's overkill for your task.


--

With Best Regards,
Marat Khalili

On 12/03/2016 23:14, Ron Wingfield wrote:

I don’t know if and how this can be accomplished.

Scenario:

Two directories, parent and child.
parent is in a virtual host “container”.
child is a symbolic link to an application default core distribution 
directory (php objects).

./parent/child contains a default config.php file.
./parent contains a custom config.php file.

DocumentRoot points to ./parent/child.

Can the various features of Apache, .htaccess, , , 
Alias, etc., be configured to effectively override ./child/config.php 
to ./parent/config.php?


In other words, I want to substitute the custom file for the default 
version.  In IBM OS/400 world, this can be easily accomplished with 
the Override with DataBase File command . . .something like:


 OVRDBF FILE(child/config.php) TOFILE(parent/config.php)








Re: [users@httpd] Block access to "OPTIONS *"

2016-02-12 Thread Marat Khalili
I'm sorry to suggest it without myself testing it first, but are you 
aware of mod_allowmethods?


--

With Best Regards,
Marat Khalili

On 12/02/16 14:47, Yann Ylavic wrote:

On Fri, Feb 12, 2016 at 10:47 AM, Daniel <dferra...@gmail.com> wrote:

The typical way to block OPTIONS in 2.2 does not need mod_rewrite at all
IIRC. You just add this in your location/directory:
 <Limit OPTIONS>
 deny from all
 </Limit>

and will return 403 if you try OPTIONS method there

That wouldn't work because the replies to OPTIONS requests happen
before in the map_to_storage hook, that is before the authz hooks
(Toomas tried that already).

Will discuss this on dev@, because ISTM that should work with something like:
  # matches / and *
 
Deny from all  # 2.2
Require all denied # 2.4
 
   

For now I could only make it work with:
   RewriteEngine on
   # for * to be taken into account by mod_rewrite
   RewriteOptions AllowAnyURI
   RewriteCond %{REQUEST_METHOD} OPTIONS
   RewriteRule ^ - [R=405,L]
   RewriteRule ^[^/] - [R=403,L]
which should be the first rewrite rules for AllowAnyURI to not be
"dangerous" for further rules (if any) failing to match the leading
slash.

Regards,
Yann.






Re: [users@httpd] Re: [users@httpd] How to solve ONE fixed IP serving multiple web-servers running on VMs

2015-12-25 Thread Marat Khalili
Have no experience with HA Proxy, sorry. Your task can be solved with 
plain Apache, information about using one as reverse proxy is easier to 
find.


--

With Best Regards
Marat Khalili

On 25/12/15 18:44, Stephen Liu wrote:

Hi Marat,

Thanks for your advice.  I suppose you referred to HA Proxy
HAProxy
http://www.haproxy.org/

I'm now busily googling on document re its setup on domain base.  Can 
you help?  Thanks


Regards
Stephen L


Marat Khalili <m...@rqc.ru> wrote on 2015-12-25 (Fri) 11:31 PM:



Reverse proxy running on host may be the answer. It may
discriminate sites by domain name and redirect requests to
corresponding virtual hosts.

--

With Best Regards
    Marat Khalili

On 25/12/15 18:11, Stephen Liu wrote:

Hi all,

I have following problem:

Host   Ubuntu 14.04 desktop
VMs   Ubuntu 14.04 desktop/server edition
VirtualBox

I have several web-servers running on VMs, each with its own
domain/subdomain and internal IP address.  But I have only one
Fixed IP/External IP.

All VMs are Apache server running WordPress.  I can create many
internal IPs on router.

Please advise how can I make all web-servers be browsed on Internet

Thanks in advance.

Regards
satimis








Re: [users@httpd] How to solve ONE fixed IP serving multiple web-servers running on VMs

2015-12-25 Thread Marat Khalili
Reverse proxy running on host may be the answer. It may discriminate 
sites by domain name and redirect requests to corresponding virtual hosts.


--

With Best Regards
Marat Khalili

On 25/12/15 18:11, Stephen Liu wrote:

Hi all,

I have following problem:

Host   Ubuntu 14.04 desktop
VMs   Ubuntu 14.04 desktop/server edition
VirtualBox

I have several web-servers running on VMs, each with its own 
domain/subdomain and internal IP address.  But I have only one Fixed 
IP/External IP.


All VMs are Apache server running WordPress.  I can create many 
internal IPs on router.


Please advise how can I make all web-servers be browsed on Internet

Thanks in advance.

Regards
satimis
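What the host-side reverse proxy Marat describes looks like in httpd.conf, added here as an example rather than anything from the thread; the public names and the VMs' private addresses are assumptions. Each public name gets its own name-based VirtualHost that forwards to one VM. The first VirtualHost is a deliberate catch-all: Apache serves the first one defined for an address when the Host header matches nothing, so without it requests for any unknown name (or for the bare public IP) land on the first real site.

```apache
# Defined first, so this is what Apache serves when the Host header matches
# no ServerName (or is missing): refuse, instead of exposing the first real site.
<VirtualHost *:80>
    ServerName default.invalid
    <Location "/">
        Require all denied
    </Location>
</VirtualHost>

# One VirtualHost per VM. Public names and private addresses are assumed.
<VirtualHost *:80>
    ServerName blog1.example.com
    # Never turn ProxyRequests on for a reverse proxy; that creates an open proxy.
    ProxyRequests Off
    # Hand the public Host header to the VM so WordPress builds public URLs.
    ProxyPreserveHost On
    ProxyPass        / http://192.168.56.11/
    ProxyPassReverse / http://192.168.56.11/
</VirtualHost>

<VirtualHost *:80>
    ServerName blog2.example.com
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass        / http://192.168.56.12/
    ProxyPassReverse / http://192.168.56.12/
</VirtualHost>
```

On Ubuntu 14.04 this needs `a2enmod proxy proxy_http` on the host, and the router forwards port 80 of the fixed IP to the host only; the VMs keep their private addresses and are never exposed directly.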




Re: [users@httpd] Re: [users@httpd] Re: [users@httpd] How to solve ONE fixed IP serving multiple web-servers running on VMs

2015-12-25 Thread Marat Khalili
Looks ok at first glance.

--

With Best Regards
Marat Khalili

On December 25, 2015 7:17:47 PM GMT+03:00, Stephen Liu 
<sati...@yahoo.com.INVALID> wrote:
>Hi, Marat,
>Whether following document is good for me to follow;
>Building Apache for Proxying
>http://www.apachetutor.org/admin/reverseproxies
>?
>
>Thanks
>Regards
>Stephen L
>
>|   |
>|   |   |   |   |   |
>| Running a Reverse Proxy with Apache:As with any modules, the first
>thing to do is to load them in httpd.conf (this is not necessary if we
>build them statically into Apache).  |
>|  |
>| 查看於 www.apachetutor.org | Yahoo 預覽 |
>|  |
>|   |
>
> 
>
>Marat Khalili <m...@rqc.ru> wrote on 2015-12-26 (Sat) 12:01 AM:
> 
> 
>
>Have no experience with HA Proxy, sorry. Your task can be solved with
>plain Apache, information about using one as reverse proxy is easier to
>find.
> 
> --
> 
> With Best Regards
> Marat Khalili  
>  On 25/12/15 18:44, Stephen Liu wrote:
>  
>  Hi Marat, 
>  Thanks for your advice.  I suppose you referred to HA Proxy HAProxy
> http://www.haproxy.org/ 
>I'm now busily googling on document re its setup on domain base.  Can
>you help?  Thanks 
>  Regards Stephen L
>  
> 
>  Marat Khalili <m...@rqc.ru> wrote on 2015-12-25 (Fri) 11:31 PM:
>  
> 
> 
>Reverse proxy running on host may be the answer. It may discriminate
>sites by domain name and redirect requests to corresponding virtual
>hosts.
> 
>  --
> 
> With Best Regards
> Marat Khalili
> 
>   On 25/12/15 18:11, Stephen Liu wrote:
>  
>  Hi all,
> 
> I have following problem:
> 
> Host   Ubuntu 14.04 desktop
> VMs   Ubuntu 14.04 desktop/server edition
> VirtualBox
> 
>I have several web-servers running on VMs, each with its own
>domain/subdomain and internal IP address.  But I have only one Fixed
>IP/External IP. 
> 
>All VMs are Apache server running WordPress.  I can create many
>internal IPs on router. 
>  Please advise how can I make all web-servers be browsed on Internet 
>  Thanks in advance. 
>  Regards satimis
>   
>  
>   
> 
>  
> 
> 
> 
>
> 


Re: [users@httpd] ProxyPass + Redirect

2015-12-16 Thread Marat Khalili

Crude, but what about:

ProxyPassMatch "^/foo/(.+)$" "http://localhost:8009/foo/$1"

? (not sure about + escaping, can be \+)

--

With Best Regards,
Marat Khalili


On 17/12/15 01:34, Christopher Schultz wrote:

All,

I've got a reverse-proxy in front of Tomcat that I'd like to configure.
When using mod_jk, we have a configuration like this:

RedirectMatch ^/foo(/)?$ /foo/someplace_specific.html
RedirectMatch ^/foo/index.html$ /foo/someplace_specific.html
JkMount /foo/*.do myWorker

This works swimmingly.

Now, we have an environment where we need to use mod_proxy instead, so
we have tried this:

RedirectMatch ^/foo(/)?$ /foo/someplace_specific.html
RedirectMatch ^/foo/index.html$ /foo/someplace_specific.html

ProxyPass /foo/ http://localhost:8009/foo/
ProxyPassReverse /foo/ http://localhost:8009/foo/

(There may be typos in there, but I typed it from memory and sanitized
it at the same time. Don't worry too much about that; the order and gist
is correct.)

Sharp-eyed readers will note that ProxyPass will take precedence over
the RedirectMatch directive. No problem, we can just un-proxy that
special path:

RedirectMatch ^/foo(/)?$ /foo/someplace_specific.html
RedirectMatch ^/foo/index.html$ /foo/someplace_specific.html
ProxyPass /foo/index.html !
ProxyPass /foo/ http://localhost:8009/foo/
ProxyPassReverse /foo/ http://localhost:8009/foo/

Unfortunately, this doesn't seem to be working for me: a request for
/foo/index.html gives me a 404 error *and a JSESSIONID from Tomcat*, so
I'm fairly certain that the request is being proxied.

I'm certain that I have some small error in my configuration for the
index.html case, but I think I'm up against a wall when it comes to the
/foo/ case: the RedirectMatch looks for ^/foo(/)?$ which is necessarily
the "root" of the virtual-directory being proxied... so I'm going to
need to tell mod_proxy to turn-off proxying for a specific URL.

I know that using mod_rewrite, we can use the [P] flag to send things
through mod_proxy. Is there a do-not-proxy flag for mod_rewrite that I
can use? Or do I have to change from using ProxyPass to using
RewriteRule with [P] for everything instead? I'd prefer a solution that
doesn't involve mod_rewrite if I can get away with it.

Thanks,
-chris






Re: [users@httpd] explicitly including other ciphers for use with https

2015-12-08 Thread Marat Khalili
Can't you just use stunnel for the TLS part? According to some information on 
the net it can be configured to use null cipher without recompilation. IMO it 
should be compatible with 'normal' HTTPS, save for things like virtualhost name 
extension. If HTTPS compatibility matters to you at all, because you can use 
stunnel on both sides.
--

With Best Regards,
Marat Khalili

On December 7, 2015 11:39:30 PM GMT+03:00, Ron Croonenberg <r...@lanl.gov> 
wrote:
>Hello,
>
>I a building a storage system, using HTTP/HTTPS for ingesting data.
>
>I would like to use the authentication over HTTPS, while after that I 
>want no encryption on the data because of peformance.
>
>I think using  null ciphers, like eNULL would work, but how do I change
>
>the configurations is httpd.conf/ssl.conf ?
>
>The NULL cipher keys are in openssl,  I just want to use them.
>
>
>thanks,
>
>Ron
>


Re: [users@httpd] explicitly including other ciphers for use with https

2015-12-07 Thread Marat Khalili
what gives you the suggestion that the user agent or the httpd server 
would notice any modification of plaintext bytes in transit through a 
router or other network intermediate?

Isn't this what authentication is for?

--

With Best Regards,
Marat Khalili

On 08/12/15 08:54, William A Rowe Jr wrote:


On Dec 7, 2015 11:36 PM, "Marat Khalili" <m...@rqc.ru 
<mailto:m...@rqc.ru>> wrote:

>>
>> Everything *after* that handshake, in cleartext, is open for 
inspection or for manipulation

>
> Are you sure about the manipulation part? Why do you think 
encryption helps here then?


To turn the question around, what gives you the suggestion that the 
user agent or the httpd server would notice any modification of 
plaintext bytes in transit through a router or other network intermediate?






Re: [users@httpd] explicitly including other ciphers for use with https

2015-12-07 Thread Marat Khalili
Everything *after* that handshake, in cleartext, is open for 
inspection or for manipulation
Are you sure about the manipulation part? Why do you think encryption 
helps here then?


--

With Best Regards,
Marat Khalili


On 08/12/15 05:30, William A Rowe Jr wrote:
On Mon, Dec 7, 2015 at 7:40 PM, Jacob Champion <champio...@gmail.com 
<mailto:champio...@gmail.com>> wrote:


On 12/07/2015 05:06 PM, William A Rowe Jr wrote:

On Mon, Dec 7, 2015 at 2:39 PM, Ron Croonenberg <r...@lanl.gov
<mailto:r...@lanl.gov>
<mailto:r...@lanl.gov <mailto:r...@lanl.gov>>> wrote:

Hello,

I a building a storage system, using HTTP/HTTPS for
ingesting data.

I would like to use the authentication over HTTPS, while
after that
I want no encryption on the data because of peformance.


Then you probably don't understand the performance impact of TLS.


To help Ron out a little... he's coming from this conversation [1]
on the openssl-users mailing list, where he's described his rather
unusual network topology already.

I'm still unsure as to whether or not his proposed solution is
secure... but I am convinced that his use case is atypical.


It should be straightforward to patch mod_ssl to accept null ciphers, 
for such an unusual use case, but it isn't something we would likely 
accept in the ASF distribution for the reasons I outlined.


Otherwise,
any man-in-the-middle can observe the data in transit and alter
the data passed between your client and backend storage server


Wait, why does the use of NULL encryption have any effect on the
authenticity/integrity characteristics of the cipher? I asserted
otherwise on openssl-users and was not corrected...


I didn't suggest it that it would.  Everything *after* that handshake, 
in cleartext, is open for inspection or for manipulation by every link 
in between the user agent and server.


--Jacob

[1] https://marc.info/?t=14490098273=1=2





Re: [users@httpd] Architecture recommendations, tips, hints and help

2015-11-29 Thread Marat Khalili

since this is not a very good architecture from several point of views
It would be helpful if you name these explicitly. While it is well known 
that adding another level of indirection can solve any problem, it is 
good to know what a problem is.


In any case, I also think CGI/WSGI/FCGI/HTTP 
<https://ef.gy/fastcgi-is-pointless> is an easier and safer way than 
building Apache module. JSON or not depends on data you have; it's ok 
for small independent records.


--

With Best Regards,
Marat Khalili
 


On 29/11/2015 16:12, Torge Riedel wrote:

Dear list,

I'm faced with the following "architecture" of an application:

- Linux Server (small VM) with MySQL-DB, accessible via SSL from 
outside of the server, access is limited to a set of users
- Client is a .NET-Application connecting to the DB with one user for 
each installation


since this is not a very good architecture from several point of views 
I am thinking about changing it:


- develop own Apache module offering REST services (one endpoint 
(resource part of url) for each operation)

- use JSON as data format for GET/POST requests
- let Apache handle SSL and authentication (authentication in the 
meaning of "general access" to the services)
- manage permissions to protected data in DB and handle authentication 
to access this data by the new Apache module


The decision to develop an Apache module instead of using Tomcat/Java 
is to avoid additional load on server, since Apache is already active. 
And I'm a C/C++ geek but not for Java. ;-)


Questions to the list:
- Am I one the right way?
- Is there something missing from the security point of view?
- Is there something pre-compiled for parsing JSON data in Apache 
modules (didn't find something, only Apache independent libs)


Thanks in advance
Torge






Re: [users@httpd] Persistent proxied connections with Apache 2.4.x?

2015-10-22 Thread Marat Khalili
> I am wondering if there is a way to do this (make all the backend connections 
> persistent with the "Connection: keepalive")?

IMO there's no way to do it without enumerating all your backend hosts. Apache 
needs to create a separate worker for each host at startup time.


> "Connection: keepalive" in the request headers

Just in case you are actually looking at the headers, it should be "Connection: 
keep-alive" in the obsolete HTTP 1.0, and they are all persistent by default in 
HTTP 1.1 unless "Connection: close" is specified by any side. If SharePoint 
follows any standards, that is.
-- 

With Best Regards,
Marat Khalili

On October 22, 2015 7:28:20 PM GMT+03:00, o haya <oh...@yahoo.com.INVALID> 
wrote:
>Hi,
>We want to use Apache 2.4.x to proxy through to some SharePoint
>instances using NTLM logins.  From testing, it looks like the
>Apache-to-SharePoint connections need to be persistent, with
>"Connection: keepalive" in the request headers going from
>Apache-to-SharePoint.
>We can do this using a directive:
>ProxySet keepalive=On
>inside a  section, but we would like to do this (enable
>keepalive on the backend connections) on all of the backend
>connections.  But, if we try to put that ProxySet inside a , we
>get a startup error saying that it needs an absolute URL.
>So I am wondering if there is a way to do this (make all the backend
>connections persistent with the "Connection: keepalive")?
>Thanks,
>Jim
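How the per-backend approach Marat describes looks, added here as an example and not taken from the thread; the SharePoint host names are assumptions. Note what `keepalive=On` actually controls: it is mod_proxy's TCP keep-alive (SO_KEEPALIVE probes on pooled connections, so that a firewall does not silently drop idle ones), not the HTTP Connection header. Backend connections over HTTP/1.1 are persistent and pooled by default; the last block shows the switch that turns that off, which is the clearest evidence that it was on to begin with.

```apache
ProxyRequests Off
ProxyPreserveHost On

# Assumed backends; every SharePoint host is listed once.
# keepalive=On: TCP keep-alive probes on the pooled connection, not HTTP keep-alive.
# ttl=60:       drop pooled connections that have been idle for more than 60 s.
# max=20:       at most 20 pooled connections to this backend per worker process.
ProxyPass        /sp1/ http://sharepoint1.example.com/ keepalive=On ttl=60 max=20
ProxyPassReverse /sp1/ http://sharepoint1.example.com/

ProxyPass        /sp2/ http://sharepoint2.example.com/ keepalive=On ttl=60 max=20
ProxyPassReverse /sp2/ http://sharepoint2.example.com/

# The opposite switch: proxy-nokeepalive forces the backend connection to be
# closed after each request. Persistence is the default; this is how to disable it.
<Location "/sp2/legacy/">
    SetEnv proxy-nokeepalive 1
</Location>
```

One caveat worth a look before pooling is opened to many users: a pooled backend connection is reused for whichever client request comes next, while a connection-bound scheme such as NTLM authenticates the TCP connection rather than each request, so the two assumptions do not obviously agree.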


Re: [users@httpd] VirtualHost configuration not working?

2015-09-30 Thread Marat Khalili

I suspect something beyond virtualhost selection. Can you please:

1. Share more about the way site directories on server are specified. 
DocumentRoot, Alias'es, Redirect's etc.


2. Share access logs to make sure Apache is accessing same virtualhosts 
we think it is accessing. :)


Also, is it possible that sites-enabled directory is not populated 
properly, or not included in apache2.conf? And, have you tried to fully 
stop and start Apache again (not just restart gracefully)? Clearing 
browser caches and force-reloading pages may also help. Make sure no 
proxy is configured in either Firefox (that has independent proxy 
settings) or system. There're no transparent proxies and reverse proxies 
in your network, are there?


It's obvious, but sometimes it helps to try reproduce your configuration 
on a clean Apache installation (since issue is observed for HTTP too, no 
need to configure SSL part).


--

With Best Regards,
Marat Khalili

On 29/09/15 21:07, Felix Rubio Dalmau wrote:


Hi Marat, httpd-users :)

I have updated the configuration of my apache. Following these lines 
there is the updated version. The behavior now is:


a) If I type in the url box the non-ssl address of site1 IN FIREFOX, 
It gets transformed into the ssl address of site0, and its content is 
loaded. No entries in error log, neither in site1 or site0 logs.


b) If I type in the url box the non-ssl addres of site1 IN KONQUEROR, 
the index.html file for site1 is loaded (without any styles) and an 
entry in error.log in apache is created, pointing to a file that can 
not be accessed... Because although it belongs to site1, it is being 
searched for in /srv/site0/... !!


This is becoming more and more strange on a per-second basis :S

Thank you!

ports.conf:

Listen 80

Listen 443

000-default sites (same .conf) (a catch-all for everything not falling 
in any other site's specs).


 --> Not SSL-enabled





 --> SSL-enabled





Site external and internal (same .conf):

 --> SSL-enabled

ServerName site0.example.org





 --> Not SSL-enabled

ServerName site0.example.org





site only internal (same .conf):

 --> Not SSL-enabled

ServerName site1.example.org





site internal, external, and local (same .conf):

 --> Not SSL-enabled

ServerName site2.example.org





 --> SSL-enabled

ServerName site2.example.org





On Tuesday 29 September 2015 16:12:23 Marat Khalili wrote:

> This is very strange. Even when Apache cannot determine request host
> name, it loads the first defined virtual host, not the last one. I
> wonder, in your case, what will it load if you disable last two virtual
> host records?
>
> (BTW, it's usually either Listen 80, or Listen specific-ip:80, but I
> don't think it causes your issue.)
>




Re: [users@httpd] VirtualHost configuration not working?

2015-09-29 Thread Marat Khalili
This is very strange. Even when Apache cannot determine request host 
name, it loads the first defined virtual host, not the last one. I 
wonder, in your case, what will it load if you disable last two virtual 
host records?


(BTW, it's usually either Listen 80, or Listen specific-ip:80, but I 
don't think it causes your issue.)


--

With Best Regards,
Marat Khalili

On 29/09/15 15:49, felix rubio dalmau wrote:

Hi,
  No, the reason is that site2 holds a CardDAV server, that is accessed 
by another of the sites on the same host. The idea behind this is that I 
can save all the time spent in encryption (the SSL layer) if I know 
that both sites are local.


  I am testing this configuration from a client on the VPN (10.8.0.6).
  Thank you!

On Tue, Sep 29, 2015 at 5:57 AM, Marat Khalili <m...@rqc.ru> wrote:


Hello,

127.0.0.1 is only configured for site2 -- is it
a bug or a feature? Are you testing it from the same host, or via
proxy on the same host?
-- 


With Best Regards,
Marat Khalili


On September 28, 2015 10:06:04 PM GMT+03:00, Felix Rubio
<chro...@kngnt.org> wrote:

Hi everybody :-)

I have an Apache server (2.4) running on a Debian testing.
Because I need to access some sites from Internet (iface
192.168.1.2)(with and without SSL), some others through a VPN
(iface 10.8.0.1) and some others are purely local to the
server (iface 127.0.0.2), I have created the following setup:

ports.conf:

Listen *:80

Listen *:443

site external and internal (same .conf):

192.168.1.2:443 --> SSL-enabled

ServerName site0.example.org


10.8.0.1:80 --> Not SSL-enabled

ServerName site0.example.org


site only internal (same .conf):

10.8.0.1:80 --> Not SSL-enabled

ServerName site1.example.org


site internal, external, and local (same .conf):

10.8.0.1:80 127.0.0.1:80 --> Not SSL-enabled

ServerName site2.example.org


10.8.0.1:443 192.168.1.2:443 --> SSL-enabled

ServerName site2.example.org





The problem is: when I try to access site1 with any browser, I get in
the address bar of the browser the URL from site0, and what is loaded
is site2 (¿¿??). I have been
searching for a solution for some days but I can not find my
way through. Am I doing something dramatically wrong? Any help
will be appreciated. Thanks!

Felix
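An added example (not the configuration posted in this thread) of the ordering rule Marat describes: for each address:port pair, the first VirtualHost listed is the default for requests whose Host header matches no ServerName, so a deliberate catch-all goes first. The addresses and ServerNames are those quoted above; the document roots and the catch-all name are assumptions.

```apache
# Added example, not the poster's configuration. Addresses and ServerNames
# are the ones quoted in the thread; document roots are assumptions.
Listen 80
Listen 443

# For each address:port pair, the FIRST <VirtualHost> naming it is the
# default: it serves any request whose Host header matches no ServerName or
# ServerAlias on that pair. Declaring an explicit catch-all first makes the
# default deliberate instead of "whichever site happens to be listed first".
<VirtualHost 10.8.0.1:80 127.0.0.1:80>
    ServerName catchall.invalid
    DocumentRoot /srv/catchall
</VirtualHost>

# Name-based sites on the VPN interface, selected by the Host header.
<VirtualHost 10.8.0.1:80>
    ServerName site0.example.org
    DocumentRoot /srv/site0
</VirtualHost>
<VirtualHost 10.8.0.1:80>
    ServerName site1.example.org
    DocumentRoot /srv/site1
</VirtualHost>
<VirtualHost 10.8.0.1:80 127.0.0.1:80>
    ServerName site2.example.org
    DocumentRoot /srv/site2
</VirtualHost>

# On 443 the same rule applies, but the name comes from TLS SNI: a client
# that sends no SNI lands on the first vhost for 192.168.1.2:443 (site0).
<VirtualHost 192.168.1.2:443>
    ServerName site0.example.org
    DocumentRoot /srv/site0
    SSLEngine on
    # SSLCertificateFile / SSLCertificateKeyFile omitted in this example
</VirtualHost>
<VirtualHost 192.168.1.2:443 10.8.0.1:443>
    ServerName site2.example.org
    DocumentRoot /srv/site2
    SSLEngine on
</VirtualHost>

# Check which vhost is the default for each address:port before reloading:
#   apachectl -S
# The "default server" printed for 10.8.0.1:80 must be catchall.invalid;
# a request with an unknown Host name on that socket then never reaches
# site0 by accident.
```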






Re: [users@httpd] VirtualHost configuration not working?

2015-09-28 Thread Marat Khalili
Hello,

127.0.0.1 is only configured for site2 -- is it a bug or a feature? Are you 
testing it from the same host, or via proxy on the same host?
-- 

With Best Regards,
Marat Khalili

On September 28, 2015 10:06:04 PM GMT+03:00, Felix Rubio <chro...@kngnt.org> 
wrote:
>Hi everybody :-)
>
>I have an Apache server (2.4) running on a Debian testing. Because I
>need to access some sites from Internet (iface 192.168.1.2)(with and
>without SSL), some others through a VPN (iface 10.8.0.1) and some
>others are purely local to the server (iface 127.0.0.2), I have created
>the following setup: 
>ports.conf:
>  Listen *:80
>  Listen *:443
> 
>site external and internal (same .conf): 
>--> SSL-enabled
>  ServerName site0.example.org
>  
>  
>--> Not SSL-enabled
>  ServerName site0.example.org
>  
>  
> 
>site only internal (same .conf): 
>--> Not SSL-enabled
>  ServerName site1.example.org
>  
>  
> 
>site internal, external, and local (same .conf): 
>--> Not SSL-enabled
>  ServerName site2.example.org
>  
>  
> --> SSL-enabled
>  ServerName site2.example.org
>  
>  
> 
>The problem is: when I try to access site1 with any browser, I get
>in the address bar of the browser the URL from site0, and what is
>loaded is site2 (¿¿??). I have been searching for a solution for some
>days but I can not find my way through. Am I doing something
>dramatically wrong? Any help will be appreciated. Thanks!
>Felix


Re: [users@httpd] Help configure non-SSL webpages on an SSL site?

2015-09-16 Thread Marat Khalili
> The redirect just permanently redirects everything to use https.

IMO you should fix this part by excluding the subset you want.

> I tried adding another VirtualHost for port 80, with a DocumentRoot
> pointed at my "freely-available" subdirectory.

Not sure why you need another VirtualHost, but in any case you can 
always configure it to make the unnecessary parts inaccessible. Just check Apache 
access controls for directories.


--

With Best Regards,
Marat Khalili

On 16/09/15 01:12, . wrote:

Hello,

I am a novice website admin, running Apache 2.4.7 on a Ubuntu box. I 
want to be able to serve a subset of my website as http (port 80), 
even though the overall site is on https (port 443).  I managed to 
convert it all to https this summer by providing links in 
/etc/apache2/sites-enabled/ to sites-available/default-ssl.conf and 
sites-available/http-redirect.conf.  The redirect just permanently 
redirects everything to use https.


I tried adding another VirtualHost for port 80, with a DocumentRoot 
pointed at my "freely-available" subdirectory.  That seemed to work, 
but the problem is that if somebody just browses to that subdirectory, 
they get a directory listing that includes a hyperlink to the parent 
directory.  By clicking on that hyperlink, they can escape into the 
rest of the website using http instead of https.


I suspect there's a "proper" way to do this, but I don't know what it 
is.  Any help, or pointers, would be appreciated.


thanks,
-Bob Montante
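One way to apply the advice above, as an added example that is neither Bob's nor Marat's configuration: keep the public subtree out of the https redirect and rely on directory access controls, with the autoindex listing turned off. The host name and paths are assumptions.

```apache
# Added example; host name and paths are assumptions.
<VirtualHost *:80>
    ServerName www.example.org
    DocumentRoot /var/www/site

    # Send everything except /public (and its subtree) to https. The negative
    # lookahead excludes the freely available subset from the redirect.
    RedirectMatch permanent "^/(?!public(?:/|$))(.*)" "https://www.example.org/$1"

    # Deny the whole tree on port 80 by default, then open only the public
    # subtree: even a broken redirect cannot expose the rest of the site here.
    <Directory "/var/www/site">
        Require all denied
    </Directory>
    <Directory "/var/www/site/public">
        # -Indexes removes the autoindex listing (and its parent-directory
        # link) that let visitors wander out of the public subtree.
        Options -Indexes
        Require all granted
    </Directory>
</VirtualHost>
```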






