[users@httpd] RE: output buffer php ProxySet

2024-06-22 Thread Marc
> I am experimenting a bit with output buffering with php-fpm[1]. In my
> default setup I can't get this to work. Currently I am only getting this
> to work when I add this to my virtualhost config:
> 
> 
> ProxySet enablereuse=on flushpackets=on
> 
> 
> I assume this will impact the rest of the website. Is there a way to
> limit this to a directory or file? I prefer to have this done in a
> .htaccess file because I am not sure if I will be able to access httpd
> conf files.
> 
> 
> 
> 
> [1]
> <?php
> header( 'Content-type: text/html; charset=utf-8' );
> echo 'Begin ...';
> for( $i = 0 ; $i < 10 ; $i++ )
> {
> echo $i . '';
> flush();
> ob_flush();
> sleep(1);
> }
> echo 'End ...';
> ?>
> 

Side effect of this is that the max execution time set in php.ini is not 
honoured any more.






[users@httpd] output buffer php ProxySet

2024-06-20 Thread Marc
I am experimenting a bit with output buffering with php-fpm[1]. In my default 
setup I can't get this to work. Currently I am only getting this to work when I 
add this to my virtualhost config:


ProxySet enablereuse=on flushpackets=on


I assume this will impact the rest of the website. Is there a way to limit this 
to a directory or file? I prefer to have this done in a .htaccess file because 
I am not sure if I will be able to access httpd conf files.




[1]
<?php
header( 'Content-type: text/html; charset=utf-8' );
echo 'Begin ...';
for( $i = 0 ; $i < 10 ; $i++ )
{
echo $i . '';
flush();
ob_flush();
sleep(1);
}
echo 'End ...';
?>




RE: [users@httpd] http ok, https Forbidden

2024-05-15 Thread Marc
> 
> we have a apache 2.4.59 running on windows for an internal page.
> Now we would like to use https instead of http
> 
> Opening the url via http works,
> when I use https I get
> 
> Forbidden
> You don't have permission to access this resource.
> 
> I activated the debug level and see this lines
> 

Not enough info, maybe you just lack the configuration of a https virtual host 
entry?



-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org


[users@httpd] RE: proxypass to next proxy

2024-05-06 Thread Marc
> 
> 
> On some production environment I am using this:
> 
> 
>  ProxyPass http://test.example.com/test
> 
> 

ProxyRemote "http://test.example.com/test" "http://proxy.local.net:5000"

 ProxyPass http://test.example.com/test



[users@httpd] proxypass to next proxy

2024-05-06 Thread Marc


On some production environment I am using this:


 ProxyPass http://test.example.com/test


But on development I can't access test.example.com, traffic needs to be routed 
through another proxy on a different port. How should I rewrite this so 
requests for /test -> test.example.com go via proxy.local.net on port 5000?





RE: [users@httpd] better configtest

2024-04-17 Thread Marc
> >
> > 1.
> > what is the point of having an apachectl configtest, when a restart can
> still fail? It can't be too difficult to include cert checks here, can it?
> This is now becoming a significant part.
> 
> The bar is useful, not perfect.  configtest checks for _syntax_ validity.
> 
> > 2.
> > AH00016: Configuration Failed
> > AH00016: Configuration Failed
> > AH00016: Configuration Failed
> > AH00016: Configuration Failed
> > AH00016: Configuration Failed
> > AH00016: Configuration Failed
> > AH00016: Configuration Failed
> >
> > This is useless, why not list config line or cert name?
> 
> This error means post-configuration failed. This is when the collected
> config is acted upon, which is not really within line-by-line mode.
> Normally there's a preceding error message with more details, maybe in
> a vhost-specific error log?

Maybe, I would have to look through quite a lot. 

Can't the development team re-think about this? What is the point of not 
starting httpd if there is an issue with a single virtual host? Why not have 
that specific virtual host fail only? I would like to have this config syntax 
check expanded to cert content or some other way of validating that I can test 
if I can restart httpd safely.








RE: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-17 Thread Marc

> 
>   So, is this wrong forum for asking about openssl commands required
> for generating certificates for enabling https on apache?
>

Mostly you will be notified. The only thing you need to add to your virtual 
host for https is this:

SSLEngine on
SSLCertificateFile 
SSLCertificateChainFile 
SSLCertificateKeyFile 

It really does not matter how keys / crts have been generated. Just choose 
something that is quick and easy. 

> 
>   Most of the websites showed how to generate .pem certificates, but
> after reading about ssl/https on apache website, I saw that apache
> requires .crt certificates.

pem, crt, cer check if they start like this

-----BEGIN CERTIFICATE-----

check apache log file for start up errors.

>   Obviously, I can figure out this whole thing if I read whole
> openssl manual and apache ssl configs, etc. but I don't want to invest
> time in that and I was looking for a quick solution and that's why I
> posted here.
> 

Just choose a tool that can quickly generate key and crt. Does not matter which 
tool. Someone already sent you a reply to something.


>   I would really like to know how my idea of hardcoding https can go
> wrong?
> 

It can be anything, it is just unexpected application behaviour to someone who 
might work with it in the future. Maybe internal health check url? Cron? 
Debugging? Personally I find it sometimes annoying with testing container 
images. In my own development environment I am constantly switching between 
development and production certs.

I would always opt for having this at least configured as an option.

> 
> Anyways, I looked more on google and I think that I have found what I was
> looking for on this page:
> https://gist.github.com/taoyuan/39d9bc24bafc8cc45663683eae36eb1a
> 

Forget about going specific for openssl, it is just a tool. Choose the simplest 
solution for your development environment. If you are doing hosting yourself, 
you're going to end up with automated certs on your hosting environment anyway, 
you will never see an openssl command.






RE: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-17 Thread Marc
> I don't know what you are trying to prove by your points + you are
> insulting people for no reason.

I am insulting no one, mostly stating what is common.


> If you insult people, they may insult you back.
> 
> Russia attacked Ukraine and Ukraine/NATO hit Russia back.

I think you are the only one on this planet that would dare to summarize this 
conflict like this. But it proves my point, stick just to what you know, with 
development.


> The original discussion was about openssl commands and I think that since
> you don't know openssl commands, you should not have said anything.
> 

You wrote it was for a local development environment. I just thought why bother 
with the openssl? Obviously I should not have made assumptions. You could also 
be a cryptographer working on mod_ssl.


> Let other people do what they want to do. If they want to hardcode
> something, why are you bothered.

I am just pointing out there are multiple roads that lead to Rome. Some of which 
are known to be less troublesome than others. If you get stuck on some dirt 
track to Rome, others will be required to come and help.


> I will hard code https, its my choice. It has nothing to do with you.
> 

Obviously, I am just stating it is not really what most experienced 
professionals do. 


> Now, you are saying to hard code root name servers, etc. which doesn't
> make sense.

Because you do not know about it. That is the point I am trying to make. Just 
separate it from application development.


> You are taking this discussion in all sorts of directions and I don't
> know what you want to prove.

Really? I thought I made my point numerous times.


> If people are asking for advice on PHP then advise them on PHP or don't say 
> anything.
> Don't start advising them about Java.

Please... I am not even making remarks about you asking openssl questions at 
httpd.


> 
> By the way, if you insult me, I will insult you back.
> 

I think most people will understand that I try to make you see the difference 
between developing an application and how it is hosted/used, whatever; operate 
within your area of expertise. 



RE: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-17 Thread Marc

> 
>   http is an insecure protocol. I don't want my website to run on
> http. So, I am hardcoding https in links in my website that refer to
> pages in my website.
>
>
>   Now, I know that you will write why not redirect http to https by
> default. 

No because that is not relevant to me and what I would like to address. I am 
even deploying https on tasks in private air-gapped environments. This is not a 
discussion about whether or not https should be used and when.


> The problem with this is that if the website gets migrated to
> different provider and if people forget to redirect http to https in new
> setup then it will become a security problem.

I know there are many idiots out there and your concern is very valid. Most of 
the security breaches you read about are about such issues. 
However, can you imagine the apache dev team thinking like you? Hard coding 
everything to https? Can you imagine all http ports of tomcat, httpd, jboss 
etc. being dropped? These people have been making rock solid applications for 
decades; they don't lecture others how to use or not use https. 
You will never match them in any way, why not follow their lead?


>   Hardcoding https solves all issues.
> 

A few years back I had an argument with Apple developers. They had openssl in 
the build process of the calendar server. The developers thought for 
security purposes it would be better to include it in the build. This resulted 
in calendar servers always having an old insecure openssl, because the 
openssl updated by the distribution was not used. (and nobody is going to build 
the application frequently) This is what happens when application developers 
think they are security geniuses.

The point I am trying to make is that you as an application developer should be 
focussed on developing your application; it is not your business how this 
application is hosted. You should not concern yourself with things you are not 
experienced in/with. Especially when it comes to something as crucial as 
security. You are not removing ca certs from the trust store, you are not 
setting secure ciphers, you are not setting limits on key sizes etc. Why would 
you then even bother with https or http?

With your argument you might as well hard code the domain name in your 
application (like wordpress) and hardcode root name servers etc. 
If you buy an egg in the store, it does not come with any requirement that it 
should be used only for making cakes. Grasp this concept.




RE: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-16 Thread Marc
> 
> On Tuesday 16 April 2024 at 18:42:09, Marc wrote:
> 
> > This is more about the ability to host an application regardless if it
> is
> > on http or https. How https is enforced/applied is up to the manager of
> > the server, why would you even care as a developer of an application?
> 
> I often develop applications on servers which I manage.

How is this relevant?

> Please stop trying to enforce your opinion of the demarcation between
> disciplines on other people.
> 
> Not every developer is only a developer.
> 

This is also not relevant to what I am stating. If you develop, do it 
regardless of http/https; that is convenient for everyone. It will be to your 
own benefit. If you have to host the application on your own server, so be it. 
It will be easier with choosing your https solution. You could already be 
developing it now, and later you can check how to use openssl. The last thing you 
want is an application that forces https or http.



RE: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-16 Thread Marc
>   >
>   >   But should your development be not protocol independent? If
> your
>   > code works on http it should also work on https. I am getting
> sick of
>   > these wordpress idiots where they still have hardcoded links
> everywhere
>   > and I can't even convert a website from http to https.
>   >
>   >
>   >
>   > Are you saying that I am a wordpress idiot?
>   >
> 
>   No :) Development/management team of wordpress are idiots. They are
> still advising people incorrectly to upgrade eg while distributions are
> backporting security stuff. A developer should just do developing. A
> dentist is also not telling an ophthalmologist what to do. Why do you
> care if you are using http or https? Unless you are developing something
> specific to the https protocol (eg. sni) forget about it.
> 
> 
> 
> Marc, let's try to be friendly towards users and adopt a more neutral
> tone.  New users have questions, and it's normal. Calling folks "idiots"
> isn't helping here.
> 

And I am trying so hard to be part of the woke movement. 15 years ago people 
were not writing about gays. Maybe it takes another 15 years to be allowed to 
write about idiots. They already are officially mentioned in the dictionary. ;)




RE: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-16 Thread Marc
> 
> Pardon me- have 443 redirect to 80 of the environment variable is true.
> Alternatively, have a completely different 443 vhost declared for
> development purposes
> 
> On Tue, Apr 16, 2024 at 11:30 AM Will Fatherley   > wrote:
> 
> 
> 
>   But should your development be not protocol independent? If
> your code works on http it should also work on https. I am getting sick
> of these wordpress idiots where they still have hardcoded links
> everywhere and I can't even convert a website from http to https.
> 
> 
>   TLS is not in the application layer as HTTP is, so it’s just a
> complication that has to be managed in development. I don’t know how
> Wordpress works, but there are solutions beyond its configuration.

You are writing it is not application layer and then write it needs to be 
addressed in development?

>   For example, if you just need to verify your HTTP-based application
> functions as desired, but there is commingling of HTTPS and HTTP in
> application HREFs then use the `if` directive with a development-only
> environment variable in your virtual hosts. If the client follows a HTTPS
> link that isn’t going to work for keying material reasons, have the 443
> virtual host redirect to 80 if the development variable in the
> development environment
> 

This is more about the ability to host an application regardless if it is on 
http or https. How https is enforced/applied is up to the manager of the 
server, why would you even care as a developer of an application?




RE: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-16 Thread Marc
> 
> 
>   But should your development be not protocol independent? If your
> code works on http it should also work on https. I am getting sick of
> these wordpress idiots where they still have hardcoded links everywhere
> and I can't even convert a website from http to https.
> 
> 
> 
> Are you saying that I am a wordpress idiot?
> 

No :) Development/management team of wordpress are idiots. They are still 
advising people incorrectly to upgrade eg while distributions are backporting 
security stuff. A developer should just do developing. A dentist is also not 
telling an ophthalmologist what to do. Why do you care if you are using http or 
https? Unless you are developing something specific to the https protocol (eg. 
sni) forget about it.



RE: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-16 Thread Marc
> 
> Windows is my development environment. Later the website will be hosted
> on linux and the linux hosting provider will provide SSL certificate.
> 

But should your development be not protocol independent? If your code works on 
http it should also work on https. I am getting sick of these wordpress idiots 
where they still have hardcoded links everywhere and I can't even convert a 
website from http to https.


RE: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-16 Thread Marc
> 
> I was looking for openssl command(s) to generate server side certificate
> and key so that https start working on my apache 2.4 web server on
> windows.
> 
> I looked on Internet but found few commands but they all used different
> arguments to openssl.
> 
> Can someone please give me exact openssl command(s) to use.
> 
> I will appreciate it.

I think you need to search for setting up your own CA and sign certs. I don't 
think openssl commands are any different on windows. Maybe easier to get an 
existing cert and use that, and just ignore the warning?
Maybe there are even easier to use tools on windows that do this all for you? 
Microsoft certool?




[users@httpd] better configtest

2024-04-16 Thread Marc

With the forced upon us 90 day certificate renewal crap, my httpd was down 
today although I have a 'restart procedure' that verifies a bit for errors with 
apachectl configtest.

1. 
what is the point of having an apachectl configtest, when a restart can still 
fail? It can't be too difficult to include cert checks here, can it? This is now 
becoming a significant part.

2.
AH00016: Configuration Failed
AH00016: Configuration Failed
AH00016: Configuration Failed
AH00016: Configuration Failed
AH00016: Configuration Failed
AH00016: Configuration Failed
AH00016: Configuration Failed

This is useless, why not list config line or cert name?
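
Added example, not part of the original post and not httpd project code: a pre-restart check that finds every SSLCertificateFile, SSLCertificateChainFile and SSLCertificateKeyFile in a config and reports the config line, vhost and file name when the referenced file is missing, unreadable or holds the wrong PEM block. Assumptions: a single config file passed in as text (Include is not followed), relative paths resolved against a hypothetical server_root argument, and no expiry or key/cert match check.

```python
import re
from pathlib import Path

# SSL directives that name a PEM file, and the PEM label each file must contain.
EXPECTED_LABEL = {
    "sslcertificatefile": "CERTIFICATE",
    "sslcertificatechainfile": "CERTIFICATE",
    "sslcertificatekeyfile": "PRIVATE KEY",
}
PEM_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----\s*$", re.MULTILINE)


def find_cert_directives(conf_text):
    """Return [(line_no, vhost_name, directive, path)] for one config file."""
    found = []                  # (line_no, block_id, directive, path)
    names = {0: "(global)"}     # block_id -> ServerName or <VirtualHost> address
    block, next_id = 0, 1
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.IGNORECASE)
        if opened:
            block, next_id = next_id, next_id + 1
            names[block] = opened.group(1).strip()
            continue
        if line.lower().startswith("</virtualhost"):
            block = 0
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        directive, arg = parts[0], parts[1].strip().strip('"')
        if directive.lower() == "servername" and block:
            names[block] = arg          # ServerName may follow the SSL lines
        elif directive.lower() in EXPECTED_LABEL:
            found.append((line_no, block, directive, arg))
    return [(n, names[b], d, p) for n, b, d, p in found]


def check_pem_file(path, wanted):
    """Return None if the file looks usable, else a short reason string."""
    try:
        text = Path(path).read_text(encoding="ascii", errors="replace")
    except FileNotFoundError:
        return "file not found"
    except OSError as exc:
        return f"cannot read ({exc.strerror})"
    labels = PEM_BEGIN.findall(text)
    if not labels:
        return "no '-----BEGIN ...-----' line (empty, DER or truncated file?)"
    # endswith() accepts 'RSA PRIVATE KEY' etc. but rejects 'CERTIFICATE REQUEST'.
    if not any(label.endswith(wanted) for label in labels):
        return f"expected a {wanted} block, found {', '.join(labels)}"
    return None


def check_config(conf_text, server_root="."):
    """Return one message per broken certificate or key reference."""
    problems = []
    for line_no, vhost, directive, path in find_cert_directives(conf_text):
        full = Path(server_root) / path   # an absolute path overrides server_root
        reason = check_pem_file(full, EXPECTED_LABEL[directive.lower()])
        if reason:
            problems.append(
                f"line {line_no}, vhost {vhost}: {directive} {path}: {reason}")
    return problems


if __name__ == "__main__":
    import tempfile
    # Constructed sample: a renewal wrote the certificate but not the key file.
    root = Path(tempfile.mkdtemp())
    (root / "example.crt").write_text(
        "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n")
    sample = "\n".join([
        "<VirtualHost *:443>",
        "  ServerName test.example.com",
        "  SSLEngine on",
        "  SSLCertificateFile example.crt",
        "  SSLCertificateKeyFile example.key",
        "</VirtualHost>",
    ])
    for problem in check_config(sample, root):
        print(problem)
```

Run it after apachectl configtest and before the restart; an empty result only means the referenced files exist and carry the right kind of PEM block.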


RE: [users@httpd] RE: pipe logs to somethings that resembles a curl post

2024-04-10 Thread Marc
> >
> > [1]
> > https://httpd.apache.org/docs/current/mod/mod_log_config.html
> >
> > [2]
> > https://httpd.apache.org/docs/current/mod/mod_log_config.html#formats
> 
> You could also use
> https://httpd.apache.org/docs/current/mod/mod_lua.html#luahooklog to
> split up your logs or discard/silence certain entries.
> 

Thanks! that is indeed also a nice option. I would not be surprised if I would 
want to manage this a bit more in the near future. 


[users@httpd] RE: pipe logs to somethings that resembles a curl post

2024-04-10 Thread Marc
%v sorry for polluting this list

PS. If it is any consolation, I have registered myself at a retirement home

> -Original Message-
> From: Marc 
> Sent: Wednesday, 10 April 2024 14:22
> To: users@httpd.apache.org
> Subject: [users@httpd] RE: pipe logs to somethings that resembles a curl
> post
> 
> 
> Oops I was misled by some old posts. GlobalLog[1] does this for
> everything. However I have not found what value[2] has the requested
> virtual host name.
> 
> [1]
> https://httpd.apache.org/docs/current/mod/mod_log_config.html
> 
> [2]
> https://httpd.apache.org/docs/current/mod/mod_log_config.html#formats
> 
> >
> > Currently I have modified some rust application that does this to
> > satisfaction. But piping to a 60MB binary for quite a few virtual hosts
> > does not really seem efficient to me.
> > Is there not some apache module that can offer a "global" access to
> > logging and 'clones' all logging to some tcp socket? (I prefer not to
> > route first to syslog)
> >
> > >
> > >
> > > I was wondering how I could use piped logs to redirect some logs,
> > > comparable to curl post requests.
> > >
> > > [1]
> > > https://httpd.apache.org/docs/current/logs.html
> >


[users@httpd] RE: pipe logs to somethings that resembles a curl post

2024-04-10 Thread Marc

Oops I was misled by some old posts. GlobalLog[1] does this for everything. 
However I have not found what value[2] has the requested virtual host name. 

[1]
https://httpd.apache.org/docs/current/mod/mod_log_config.html

[2]
https://httpd.apache.org/docs/current/mod/mod_log_config.html#formats

> 
> Currently I have modified some rust application that does this to
> satisfaction. But piping to a 60MB binary for quite a few virtual hosts
> does not really seem efficient to me.
> Is there not some apache module that can offer a "global" access to
> logging and 'clones' all logging to some tcp socket? (I prefer not to
> route first to syslog)
> 
> >
> >
> > I was wondering how I could use piped logs to redirect some logs,
> > comparable to curl post requests.
> >
> > [1]
> > https://httpd.apache.org/docs/current/logs.html
> 


[users@httpd] RE: pipe logs to somethings that resembles a curl post

2024-04-10 Thread Marc
Currently I have modified some rust application that does this to satisfaction. 
But piping to a 60MB binary for quite a few virtual hosts does not really seem 
efficient to me. 
Is there not some apache module that can offer a "global" access to logging and 
'clones' all logging to some tcp socket? (I prefer not to route first to 
syslog) 

> 
> 
> I was wondering how I could use piped logs to redirect some logs,
> comparable to curl post requests.
> 
> [1]
> https://httpd.apache.org/docs/current/logs.html



[users@httpd] pipe logs to somethings that resembles a curl post

2024-04-08 Thread Marc

I was wondering how I could use piped logs to redirect some logs, comparable to 
curl post requests. 

[1]
https://httpd.apache.org/docs/current/logs.html


[users@httpd] RE: virtualhost environment setting for proxy

2024-03-26 Thread Marc
> I have currently this in my virtual host config
> 
> SetEnvIf Host test\.example\.com CODE=123
> 
> 
> How should I change this line for when this website is being accessed via
> ProxyPass and ProxyPassReverse?
> 

SetEnvIf X-Forwarded-Server


[users@httpd] virtualhost environment setting for proxy

2024-03-26 Thread Marc


I have currently this in my virtual host config

SetEnvIf Host test\.example\.com CODE=123


How should I change this line for when this website is being accessed via 
ProxyPass and ProxyPassReverse?




RE: [users@httpd] Measurements of htaccess processing penalty

2024-03-04 Thread Marc


> 
> The whole point of .htaccess files is that they aren't cached, it gives
> users who are not able to control the server the ability to make
> configuration changes.

I have never ever modified these in application directories. You do this maybe 
once in the top level, maybe for some redirection and other configs. That is 
then the last time you touched them.

> If you can control the server process, you should
> put configuration in  sections that are loaded at start time
> which are then cached in memory by the server process.

Yes I will now ;) On the other hand, you could argue to just stick to web 
application defaults and maybe cache them.


RE: [users@httpd] Measurements of htaccess processing penalty

2024-03-04 Thread Marc
If you are testing, can you do it again with putting the .htaccess in cache? I 
am just curious :)

https://hoytech.com/vmtouch/

> 
> The HTTPD documentation says "You should avoid using .htaccess files
> completely if you have access to httpd main server config file. Using
> .htaccess files slows down your Apache http server. Any directive that you
> can include in a .htaccess file is better set in a Directory block, as it
> will have the same effect with better performance."
> I wanted to see if I could measure how much slower it is and boy does it
> make a difference. (This is actually part of my PhD research into how to
> better understand configuration management.)
> 
> I built HTTPD from source with a lot of debugging features (i.e. symbols, no
> compiler optimization), so these specific numbers are only valid in the
> context of this test, but they are still interesting.
> 
> I created a file DOCUMENT_ROOT/1.txt containing just the text "1" (Short
> URL) and a file
> DOCUMENT_ROOT/1/2/3/4/5/6/7/8/9/10/11/12/13/14/15/16/17/18/19/20/21.txt
> containing the text "21" (Long URL).
> I used ab to run get requests, first 10,000, then 100,000, then 100,000
> again, just to check for variability (and it turns out there isn't any
> significant variability). I ran ab on the same machine as httpd.
> I ran the requests first with AllowOverride None, then with AllowOverride
> All but no .htaccess files, then with AllowOverride All and .htaccess files
> with a mix of "Require all denied" and "Require all granted".
> I also collected the number of instructions executed by the system using
> perf.
> 
> Here is a quick summary of the results:
> 
> AllowOverride None / Long URL:
> - 1.367 seconds
> - 13.637 seconds
> - 13.607 seconds
> 
> AllowOverride None / Short URL:
> - 1.283 seconds
> - 12.981 seconds
> - 12.989 seconds
> 
> AllowOverride All / Long URL:
> - 2.002 seconds
> - 20.015 seconds
> - 20.032 seconds
> 
> AllowOverride All / Short URL:
> - 1.370 seconds
> - 13.581 seconds
> - 13.590 seconds
> 
> AllowOverride All / Long URL with `.htaccess` files:
> - 3.062 seconds
> - 31.042 seconds
> - 31.122 seconds
> 
> AllowOverride All / Short URL with `.htaccess` files
> - 1.431 seconds
> - 14.487 seconds
> - 14.461 seconds
> 
> 
> The change in perf counters matched the changes in wall clock time.
> The only thing surprising about any of these results was the magnitude of
> the performance effects.
> I think it is most interesting that for this example of a path 20
> directories deep, having an extra .htaccess file nested in each directory
> actually doubled the amount of time it took to process the request.
> 
> - Y


RE: [users@httpd] working with a reverse proxy

2024-02-28 Thread Marc


> > Should I for instance set headers, and in the proxied website should I
> check on such headers? (Btw this is php). Or are there other things
> available like HTTP_X_FORWARDED_FOR
> 
> mod_proxy should add the "X-Forwarded-Host" header (i.e.
> HTTP_X_FORWARDED_HOST in cgi/php) with the value of defaulthost, when
> forwarding the request to proxyhost. This is the default behaviour,
> unless "ProxyAddHeaders off".
> 


Thanks Yann! I was looking indeed at the wrong headers, these two are having 
the correct value.

[HTTP_X_FORWARDED_SERVER] 
[HTTP_X_FORWARDED_HOST]



RE: [users@httpd] working with a reverse proxy

2024-02-28 Thread Marc
> 
> 
>   >
>   > > What would a best practice of 'informing' the proxyhost about that
> it is
>   > being proxied and it should send the defaulthost hostname?
>   >
>   > can try
>   >
> https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxypreservehost
> 
>   Proxy only works when I am having ProxyPreserveHost Off, I can't
> change that.
> 
> 
> What happens when you use ProxyPreserveHost, exactly?

I am getting a 'Content Encoding Error'. I think this proxied web application 
by default is doing some routing based on host names. 


RE: [users@httpd] working with a reverse proxy

2024-02-27 Thread Marc

> 
> > What would a best practice of 'informing' the proxyhost about that it is
> being proxied and it should send the defaulthost hostname?
> 
> can try
> https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxypreservehost

Proxy only works when I am having ProxyPreserveHost Off, I can't change that.




[users@httpd] working with a reverse proxy

2024-02-27 Thread Marc
I am having a more or less default setup where I proxy a website with something 
like this

ProxyPass "https://${proxyhost}/en_gb"
ProxyPassReverse "https://${proxyhost}/en_gb"

ProxyPassReverseCookieDomain "${proxyhost}" "${defaulthost}"

ProxyHTMLURLMap ... 
ProxyHTMLURLMap ..

Everything on the default host seems to work quite well and you can navigate 
all pages that are proxied.

The issue that I have is that the proxied website at some point does an api 
request to an external host, sending its hostname. I want it to send the 
hostname of the defaulthost, not the proxyhost. 

What would a best practice of 'informing' the proxyhost about that it is being 
proxied and it should send the defaulthost hostname?

Should I for instance set headers, and in the proxied website should I check on 
such headers? (Btw this is php). Or are there other things available like 
HTTP_X_FORWARDED_FOR




RE: [users@httpd] dynamic ssl cert/key selection

2023-10-20 Thread Marc





- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -. 
F1 Outsourcing Development Sp. z o.o.
Poland 

t:  +48 (0)12 4207 835
e:  m...@f1-outsourcing.eu

> -Original Message-
> From: Will Fatherley 
> Sent: Friday, 20 October 2023 16:04
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] dynamic ssl cert/key selection
> 
> 
>   Is there a way to chose what ssl certs/keys to load when you have
> something like
> 
>ServerAlias test.*.*
> 
>   So when host test.example.com   is serviced,
> that it will get
> 
>   SSLCertificateFile "/etc/pki/tls/certs/example.com.crt"
> 
> 
>   So when host test.example.net   is serviced,
> that it will get
> 
>   SSLCertificateFile "/etc/pki/tls/certs/example.net.crt"
> 
> 
> A trivial and safe way if you need a solution asap might involve declaring
> a  for each host.

I would like to have single access/error log for all these serveralias matches.

> I’ve not seen globbing/wildcarding like this, and also makes me curious is
> it possible to get a public key signed by a CA with this globbing pattern?

yes I am getting the certs like this. I just want to prevent creating the vhosts





[users@httpd] dynamic ssl cert/key selection

2023-10-20 Thread Marc
Is there a way to choose what ssl certs/keys to load when you have something like

 ServerAlias test.*.*

So when host test.example.com is serviced, that it will get 

SSLCertificateFile "/etc/pki/tls/certs/example.com.crt"


So when host test.example.net is serviced, that it will get 

SSLCertificateFile "/etc/pki/tls/certs/example.net.crt"


RE: [users@httpd] Is it true that Nginx is faster, more secure and better than Apache?

2023-10-04 Thread Marc
I know that with nginx you can't configure your chain certificate separately, 
super annoying.

> 
> Hello,
> Thanks again.
> Why has Apache Foundation never tested Apache performance with Nginx?
> 
> 
> 
> 
>   On Sat, Sep 30, 2023 at 12:00 PM, Frank Gingras
>wrote:
>   There might be some online, however, due to the different
> architectures, they are not likely to be terribly useful. Do avoid the ones
> that bash needlessly either product.
> 
>   On Sat, Sep 30, 2023 at 3:09 AM Jason Long
>  wrote:
> 
> 
>   Hello,
>   Thank you so much for your info.
>   Why are they trollish? I am curious to learn more.
>   Is there a fair comparison between Apache and Nginx?
> 
> 
> 
>   On Saturday, September 30, 2023 at 10:35:12 AM GMT+3:30, Frank
> Gingras <thu...@apache.org> wrote:
> 
>   Additionally, your recent string of questions to this mailing
> list come off as a bit trollish.
> 
>   On Sat, Sep 30, 2023 at 3:04 AM Frank Gingras wrote:
>   > If any of the mod_php extensions are not thread-safe, you will
> need to use the prefork mpm, which will indeed bloat every httpd worker.
> This is not the ideal nor recommended configuration.
>   >
>   > Instead, use the event mpm and proxy_fcgi to pass the request
> to php-fpm.
>   >
>   > Alternatively, you can recompile php to be thread-safe and use
> event mpm with mod_php, which will give you a small execution speed
> advantage.
>   >
>   > The statement you posted is more or less FUD which leaves out
> very important details.
>   >
>   > On Sat, Sep 30, 2023 at 2:56 AM Jason Long
>  wrote:
>   >> Hello,
>   >> Is the following sentence correct?
>   >> "The way Apache loads PHP in its standard setup (with
> mod_php) compared to Nginx alone puts it at a disadvantage. You will see
> performance gains, particularly in memory usage, just by switching to
> Nginx, given you're using a PHP-driven application."
>   >>
>   >> Thank you.



RE: [users@httpd] proxying SSL -> SSL

2023-10-04 Thread Marc
> 
> Hi guys.
> 
> I've sroogled & have found people suggesting working examples, I thought I
> had some notes but now I'm thinking I read that it should not work..
> so I'm not sure what to think of this seemingly setup:
> 
> 
>   ServerAdmin web...@lemko.xyz 
>   ServerName siem.mine.priv
> 
>   ErrorLog /var/log/httpd/siem.mine.priv-error_log
>   CustomLog /var/log/httpd/siem.mine.priv-access_log common
> 
>   SSLProxyEngine on
>   #SSLEngine on
>   #SSLProxyVerify none
>   #SSLProxyCheckPeerCN off
>   SSLCertificateFile  /etc/pki/tls/certs/siem.mine.priv.crt
>   SSLCertificateKeyFile   /etc/pki/tls/private/siem.mine.priv.key
>   #SSLProxyCACertificateFile /etc/wazuh-indexer/certs/root-ca.pem
>   #SSLProxyMachineCertificateFile /etc/wazuh-indexer/certs/admin.pem
> 
>   RequestHeader set X-Forwarded-Proto "https"
>   RequestHeader set X-Forwarded-Port "443"
> 
>   ProxyRequests Off
>   #ProxyPreserveHost on
>   #ProxyPass /  https://127.0.0.1:8443/
>   #ProxyPassReverse  /  https://127.0.0.1:8443/
> 
>   
> # preserve Host header to avoid cross-origin problems
> ProxyPreserveHost on
> # proxy to
> ProxyPass https://127.0.0.1:8443/
> ProxyPassReverse  https://127.0.0.1:8443/
>   
> 
> 
> 
> As you can see I've fiddled with all those options in different combinations
> but nothing works for me.
> Would you know how to fix or... perhaps you have Apache rev-proxying to
> Wazuh?
> 

Have you added this 
SSLProxyEngine on



RE: [users@httpd] realtime protection against cloud scans

2023-09-16 Thread Marc

> > using the NTP firewall
> 
> Sorry, using the NFT firewall.
> 

I still need to get familiar with nft. Currently I am using ipset, adding IPs
with scripts. But ipset is preconfigured for specific netmask /24 /X. So at
some point your /24 is getting full with 65k entries. It would be nice if then
automatically /24 are merged/moved to ipsets bigger than /24.

I am looking for something that can do this automatically.

Currently I am thinking of creating multiple ipsets for /16 /18 /22 etc and I
don't know if I should just put corresponding ranges in there from
digitalocean, amazon, googleusercloud and azure. Or indeed go ips from abuse
lists, but then risking that lots are not there and you are still adding slowly
these clouds like digitalocean.

AFAIK ipset was very good with latency. I have no idea how this is replaced.






RE: [users@httpd] realtime protection against cloud scans

2023-09-15 Thread Marc
I would even state that >80% of your server load is crap, if you don't block 
any ranges. Besides that you open yourself up to vulnerability checks and 
monitoring for domain hijacking etc.

> 
> Does the traffic from those cloud ranges have any significant impact on
> your server performance?
> 
> On Tue, Sep 12, 2023 at 10:33 AM Marc <m...@f1-outsourcing.eu> wrote:
> 
> 
> 
>   Anyone having a suggestion on how to block cloud crawlers/bots?
> Obviously I would like search engine bots to have access, but all the other
> crap I want to lose. Only 'real users'.
> 
>   What is best practice for this? Just getting amazon,
> googleusercontent, digitalocean, azure ip ranges and put them in something
> like ipset or are there currently better ways of doing this?
> 
> 
> 



RE: [users@httpd] where to change this "internal server error message"

2023-09-15 Thread Marc
> 
> What is returning the 500 response here? Is php/python/perl involved?

No, I think this mod_security is generating this

> As for the scrapers, you are absolutely wasting your time customizing the
> response. I would just return a 403, actually.

I think you might be right. I did not expect to waste so much time on trying to 
just send an 'empty' body.

> 
> 
>   > See the ErrorDocument directive.
> 
>   It does not seem to work. It looks like this config is skipped and
> the error is loaded directly from the httpd binary.
> 
>   ErrorDocument 500 /406.html
> 
>   > Now, why is that response not suitable? And why would you respond
> with a
>   > 200 for a blocked user agent?
> 
>   I think it is better to return to scrapers 200 and empty content,
> instead of notifying them so they can reconfigure their systems.
> 
>   >
>   >
>   >   Where/how can I change this message?
>   >
>   >   The server encountered an internal error or
>   >   misconfiguration and was unable to complete
>   >   your request.
>   >   Please contact the server administrator at
>   >xxx to inform them of the time this error occurred,
>   >and the actions you performed just before this error.
>   >   More information about this error may be available
>   >   in the server error log.
>   >   
>   >
>   >   or as a workaround, how can I refuse access with modsecurity
>   > and just generate a 200 blank page response.
>   >
>   >   SecRule REQUEST_HEADERS:User-Agent "blockthisua" \
>   >       "id:'13006',phase:2,log,deny,status:200"
>   >
> 
> 



RE: [users@httpd] where to change this "internal server error message"

2023-09-15 Thread Marc

> See the ErrorDocument directive.

It does not seem to work. It looks like this config is skipped and the error is 
loaded directly from the httpd binary. 

ErrorDocument 500 /406.html

> Now, why is that response not suitable? And why would you respond with a
> 200 for a blocked user agent?

I think it is better to return to scrapers 200 and empty content, instead of 
notifying them so they can reconfigure their systems.

> 
> 
>   Where/how can I change this message?
> 
>   The server encountered an internal error or
>   misconfiguration and was unable to complete
>   your request.
>   Please contact the server administrator at
>xxx to inform them of the time this error occurred,
>and the actions you performed just before this error.
>   More information about this error may be available
>   in the server error log.
>   
> 
>   or as a workaround, how can I refuse access with modsecurity and just
> generate a 200 blank page response.
> 
>   SecRule REQUEST_HEADERS:User-Agent "blockthisua" \
>       "id:'13006',phase:2,log,deny,status:200"
> 



[users@httpd] where to change this "internal server error message"

2023-09-15 Thread Marc
Where/how can I change this message?

The server encountered an internal error or
misconfiguration and was unable to complete
your request.
Please contact the server administrator at
 xxx to inform them of the time this error occurred,
 and the actions you performed just before this error.
More information about this error may be available
in the server error log.


or as a workaround, how can I refuse access with modsecurity and just generate
a 200 blank page response.

SecRule REQUEST_HEADERS:User-Agent "blockthisua" \
    "id:'13006',phase:2,log,deny,status:200"


[users@httpd] realtime protection against cloud scans

2023-09-12 Thread Marc

Anyone having a suggestion on how to block cloud crawlers/bots? Obviously I 
would like search engine bots to have access, but all the other crap I want to 
lose. Only 'real users'.

What is best practice for this? Just getting amazon, googleusercontent, 
digitalocean, azure ip ranges and put them in something like ipset or are there 
currently better ways of doing this?




[users@httpd] allow general access after 1 auth

2023-08-12 Thread Marc

I was wondering if it is possible to allow general access to a URL after some
account authenticated for this URL, without the necessity to adapt the web
application for this.

Say we have closed https://www.example.com/webapp with something like
Require valid-user
Order deny,allow
Deny from all

If someone authenticates on https://www.example.com/webapp, the url is 
available for everyone. 

Some inactivity timeout should lock the url again.


RE: [users@httpd] loading shop.example.com in www.test.com/shop/

2023-08-04 Thread Marc
> 
> 
>   I was wondering if it is even possible to publish an existing shop
> hosted on the subdomain shop.example.com and
> show it as a 'folder' in www.test.com/shop.
> Will I have problems with browsers (cookies?). I don't want to resolve
> this on the file system because both have different uid/gids on files.
> 
> 
> 
> 
> You can just Alias /shop/ /path/to/documentrootof/shop.example.com/
> 

Yes I did not expect this to work because of file system permissions and 
different php version.

>  From the http server side, there are a few ways to do it, Alias,
> internal redirects, reverse proxy.
> 

Currently I am having 

 SSLProxyEngine On
 SSLProxyVerify none
 SSLProxyCheckPeerCN off
 SSLProxyCheckPeerName off
 SSLProxyCheckPeerExpire off

 ProxyPass "https://shop.example.com/"
 ProxyPassReverse "https://shop.example.com/"

 Options +Indexes +ExecCGI +FollowSymLinks -MultiViews
 Order Allow,Deny
 Allow from all


Home page loads fine, however I have static urls in html pages to
https://shop.example.com/. Is it possible to have those rewritten to / relative
urls?
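
A stricter variant of the proxy block in this message, as an added example that is not part of the thread: it keeps backend certificate verification switched on (which applies equally to the siem.mine.priv proxy in the "proxying SSL -> SSL" thread), rewrites absolute https://shop.example.com/ links in HTML with mod_proxy_html, and remaps backend cookies. The /shop/ location, the certificate paths and the CA bundle path are assumptions.

```apache
# Added example; not the poster's configuration.
# Needs mod_ssl, mod_proxy, mod_proxy_http, mod_proxy_html, mod_xml2enc
# and mod_headers to be loaded.
<VirtualHost *:443>
    ServerName www.test.com

    SSLEngine on
    # Assumed paths for the front-end certificate and key.
    SSLCertificateFile    "/etc/pki/tls/certs/www.test.com.crt"
    SSLCertificateKeyFile "/etc/pki/tls/private/www.test.com.key"

    # --- TLS towards the backend ---
    SSLProxyEngine On
    # Weak form from the message: with every check off, the proxy accepts
    # whatever certificate the backend connection presents.
    #   SSLProxyVerify none
    #   SSLProxyCheckPeerCN off
    #   SSLProxyCheckPeerName off
    #   SSLProxyCheckPeerExpire off
    # Corrected form: require a chain to a trusted CA, a certificate name
    # that matches the host in the ProxyPass URL, and a valid date range.
    SSLProxyVerify require
    SSLProxyVerifyDepth 3
    SSLProxyCheckPeerName on
    SSLProxyCheckPeerExpire on
    # Assumed CA bundle. For a backend signed by a private CA (for example
    # one reached on 127.0.0.1), point this at that CA's certificate; the
    # backend certificate must then carry the name or IP used in ProxyPass.
    SSLProxyCACertificateFile "/etc/pki/tls/certs/ca-bundle.crt"

    # Reverse proxy only; never act as a forward proxy.
    ProxyRequests Off

    # Assumed public path for the shop.
    <Location "/shop/">
        ProxyPass        "https://shop.example.com/"
        # Fixes Location, Content-Location and URI response headers.
        ProxyPassReverse "https://shop.example.com/"

        # Cookies set for the backend host and path are remapped so the
        # browser sends them back to www.test.com/shop/.
        ProxyPassReverseCookieDomain "shop.example.com" "www.test.com"
        ProxyPassReverseCookiePath   "/" "/shop/"

        # Rewrite absolute links inside HTML responses. Links built in
        # JavaScript or CSS are not touched by this map.
        ProxyHTMLEnable On
        ProxyHTMLURLMap "https://shop.example.com/" "/shop/"

        # mod_proxy_html cannot parse compressed bodies, so ask the
        # backend for uncompressed responses.
        RequestHeader unset Accept-Encoding
    </Location>
</VirtualHost>
```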




[users@httpd] loading shop.example.com in www.test.com/shop/

2023-08-03 Thread Marc
I was wondering if it is even possible to publish an existing shop hosted on 
the subdomain shop.example.com and show it as a 'folder' in www.test.com/shop. 
Will I have problems with browsers (cookies?). I don't want to resolve this on 
the file system because both have different uid/gids on files.


[users@httpd] RE: *****SPAM***** [users@httpd] How can I force a server name header?

2023-08-02 Thread Marc
> 
> I'm trying to test a new server located at internal IP 192.168.1.5.  The
> production server lives at IP 192.168.1.7 on the same network.
> 
> How can I force the browser to connect to the correct server?  If I try
> "http://192.168.1.5" the redirect on the first (alphabetically) virtual
> server redirects to the production server.
> 
> What I need to be able to do is combine the virtual server id with the
> network address so I connect to the same name but on the machine I'm
> testing.  I think this is the "ServerName" header but I don't know where
> I can enter this on Firefox.
> 
> Anybody have any experience with this problem?

Put in the /etc/hosts or c:\windows\system32\drivers\etc\hosts




[users@httpd] RE: config - how are multiple VirtualHost directives for the same address handled?

2023-06-30 Thread Marc
> >
> > How does apache httpd 2.4 handle multiple VirtualHost directives for
> > the same address ?
> >
> > For example:
> >
> > 
> >   SSLCertificateFile "${SRVROOT}/conf/server.crt"
> ># ...
> > 
> >
> > 
> >   DocumentRoot "/www/docs/host.example.com"
> >   # ...
> > 
> >
> > Are the settings merged, as if written like this:
> >
> > 
> >   SSLCertificateFile "${SRVROOT}/conf/server.crt"
> ># ...
> >   DocumentRoot "/www/docs/host.example.com"
> >   # ...
> > 
> 
> But you are using ServerName and ServerAlias to load the correct one
> not?
> 
> There is no correct one. Both are correct. I want both.

I don't understand the problem you are trying to solve. 

FWIW from my past experience having identical virtual host configurations,
apache services the one it first/last loads and ignores the rest. You just have 
to test this, but I would not want to use such a thing in production.






[users@httpd] RE: config - how are multiple VirtualHost directives for the same address handled?

2023-06-30 Thread Marc
> 
> How does apache httpd 2.4 handle multiple VirtualHost directives for the
> same address ?
> 
> For example:
> 
> 
>   SSLCertificateFile "${SRVROOT}/conf/server.crt"
># ...
> 
> 
> 
>   DocumentRoot "/www/docs/host.example.com"
>   # ...
> 
> 
> Are the settings merged, as if written like this:
> 
> 
>   SSLCertificateFile "${SRVROOT}/conf/server.crt"
># ...
>   DocumentRoot "/www/docs/host.example.com"
>   # ...
> 

But you are using ServerName and ServerAlias to load the correct one not?


> 
> Or is one directive block used and the other ignored (which one)?
> 
> The reason I ask is that I have general SSL related settings in one file
> ( ssl.conf ) and the content related settings in another ( content.conf
> ) and both config files are included in the main config file.
> 

You can have general ssl stuff in a different (global) config. There is already
such a file, and just add these to the VirtualHost

SSLEngine on
SSLCertificateFile
SSLCertificateKeyFile
SSLCertificateChainFile




RE: [users@httpd]

2023-05-15 Thread Marc
/tmp is just an example. Files are located elsewhere, actually at a location 
where the rest should not be available/accessible. I only want to 'redirect' 
this file.

> 
> You want to use  instead. I also strongly recommend
> storing your images in another path.
> 
> On Mon, May 15, 2023 at 3:48 AM Marc <m...@f1-outsourcing.eu> wrote:
> 
> 
> 
> 
>   > >
>   > > How do I get that the file (docroot)/images/favicon.ico is not
> loaded
>   > from the disk but instead from the /tmp/os-favicon.ico?
>   >
>   > Use the Alias directive.
>   > https://httpd.apache.org/docs/2.4/urlmapping.html
>   >
> 
>   Hmmm, so I am ending up with something like this. Is that really
> the best way to do this?
> 
>   Alias "/images/favicon.ico" "/tmp/os-favicon.ico"
> 
>   Require all granted
> 
> 
> 



RE: [users@httpd]

2023-05-15 Thread Marc


> >
> > How do I get that the file (docroot)/images/favicon.ico is not loaded
> from the disk but instead from the /tmp/os-favicon.ico?
> 
> Use the Alias directive.
> https://httpd.apache.org/docs/2.4/urlmapping.html
> 

Hmmm, so I am ending up with something like this. Is that really the best way
to do this?

 Alias "/images/favicon.ico" "/tmp/os-favicon.ico"

 Require all granted




[users@httpd]

2023-05-13 Thread Marc
How do I get that the file (docroot)/images/favicon.ico is not loaded from the 
disk but instead from the /tmp/os-favicon.ico?


"/tmp/os-favicon.ico"
  

https://httpd.apache.org/docs/2.4/mod/core.html#files
Is this the best manual?? "# Insert stuff that applies to cat.html here" is not
very helpful. How should one ever be able to learn/read this from the
documentation???





Re: [users@httpd] Help with mod_rewrite

2023-05-09 Thread Marc Serra
For your information, it now seems to work after adding these rules as the first rules ...

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !^/(gb|es|ca|fr)/ [NC]
RewriteRule . /  [R,L]



Message from Frank Gingras on Thu, 20 Apr 2023 at 16:12:
>
> The best way to tackle this complex set of rules is to use your development 
> server, clone the directives, comment out everything and uncomment a few 
> rules at a time.
>
> While you do this, see if you still have a loop (test with curl, not a 
> browser), examine the log entries, and then uncomment another rule. Repeat 
> until the loop appears.
>
> If you have a specific question about one log entry, do ask it.
>
> On Thu, Apr 20, 2023 at 2:18 AM Marc Serra  wrote:
>>
>> Thanks for the answer, Frank,
>>
>> A simple https://www.domain.tld/gb/ query generates a thousand-line
>> log file (attached). I'm really lost, I don't know what I'm looking
>> for in the log file.
>>
>>
>>
>> Message from Frank Gingras on Wed, 19 Apr 2023 at 20:19:
>> >
>> > I would start with the rewrite log in your development environment, if you 
>> > can't change the configuration on the live server.
>> >
>> > I would also look to replace this entire mess with a FallbackResource 
>> > directive.
>> >
>> > On Tue, Apr 18, 2023 at 6:32 AM Marc Serra  wrote:
>> >>
>> >> Hi,
>> >>
>> >> A few weeks ago we renewed our prestashop website.
>> >>
>> >> One of the new features is the support for multiple languages.
>> >>
>> >> Typical home URLs are...
>> >> https://www.domain.tld/gb/ for English
>> >> https://www.domain.tld/es/ for Spanish
>> >> etc.
>> >>
>> >> Typical product URLs are...
>> >> https://www.domain.tld/gb/PRODUCT_CATEGORY_FRIENDLY_URL/PRODUCT_CODE-PRODUCT_URL_FRIENDLY_DESCRIPTION.html
>> >> for English
>> >> https://www.domain.tld/es/PRODUCT_CATEGORY_FRIENDLY_URL/PRODUCT_CODE-PRODUCT_URL_FRIENDLY_DESCRIPTION.html
>> >> for Spanish
>> >> etc.
>> >>
>> >> Our old URLs didn't contain the language, for example:
>> >> https://www.domain.tld/.html for home
>> >> https://www.domain.tld/PRODUCT_CATEGORY_FRIENDLY_URL/PRODUCT_CODE-PRODUCT_URL_FRIENDLY_DESCRIPTION.html
>> >> for product
>> >> etc.
>> >>
>> >> I'm trying to save the old URL and move to our default language (gb
>> >> for example).
>> >>
>> >> To start, I added the following two lines at the beginning of the
>> >> htaccess file. I try to redirect any URL not starting with /gb/ to the
>> >> English home page instead of a 404 page ...
>> >>
>> >> RewriteCond %{REQUEST_URI} !^/gb/
>> >> RewriteRule ^.*$ /gb/ [L]
>> >>
>> >> # Followed by the prestashop default rules ...
>> >>
>> >> RewriteRule . - [E=REWRITEBASE:/]
>> >> RewriteRule ^api(?:/(.*))?$
>> >> %{ENV:REWRITEBASE}webservice/dispatcher.php?url=$1 [QSA,L]
>> >>
>> >> # Images
>> >> RewriteCond %{HTTP_HOST} ^www.domain.tld$
>> >> RewriteRule ^([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$
>> >> %{ENV:REWRITEBASE}img/p/$1/$1$2$3.jpg [L]
>> >> RewriteCond %{HTTP_HOST} ^www.domain.tld$
>> >> RewriteRule ^([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$
>> >> %{ENV:REWRITEBASE}img/p/$1/$2/$1$2$3$4.jpg [L]
>> >> RewriteCond %{HTTP_HOST} ^www.domain.tld$
>> >> RewriteRule ^([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$
>> >> %{ENV:REWRITEBASE}img/p/$1/$2/$3/$1$2$3$4$5.jpg [L]
>> >> RewriteCond %{HTTP_HOST} ^www.domain.tld$
>> >> RewriteRule 
>> >> ^([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$
>> >> %{ENV:REWRITEBASE}img/p/$1/$2/$3/$4/$1$2$3$4$5$6.jpg [L]
>> >> RewriteCond %{HTTP_HOST} ^www.domain.tld$
>> >> RewriteRule 
>> >> ^([0-9])([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$
>> >> %{ENV:REWRITEBASE}img/p/$1/$2/$3/$4/$5/$1$2$3$4$5$6$7.jpg [L]
>> >> RewriteCond %{HTTP_HOST} ^www.domain.tld$
>> >> RewriteRule 
>> >> ^([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$
>> >> %{ENV:REWRITEBASE}img/p/$1/$2/$3/$4/$5/$6/$1$2$3$4$5$6$7$8.jpg [L]
>> >> RewriteCond %{HTTP_HOST} ^www.domain.tld$
>> 

Re: [users@httpd] Apache VirtualHost Config Tool management

2023-04-27 Thread Marc Serra
I used ISPConfig for years and it's a great tool!

If you have money for the license or your hosting provider has it for
free, plesk web host edition it's a great option too.


Message from Curtis on Thu, 27 Apr 2023 at 15:41:
>
> I might also suggest ispconfig
>
> https://ispconfig.org.
>
> Sent from my iPhone
>
> > On Apr 27, 2023, at 8:24 AM, Carlos García Gómez 
> >  wrote:
> >
> > Yes.
> > Something like this but simpler
> >
> > Carlos
> >
> >
> >
> > -Original message-
> > From: Antony Stone 
> > Sent: Thursday, 27 April 2023 13:03
> > To: users@httpd.apache.org
> > Subject: Re: [users@httpd] Apache VirtualHost Config Tool management
> >
> >> On Thursday 27 April 2023 at 12:53:29, Carlos García Gómez wrote:
> >>
> >> I am looking for a tool that makes it easier for me to manage the all
> >> virtual hosts that I have configured.
> >
> > How about http://doxfer.webmin.com/Webmin/Apache_Webserver ?
> >
> >
> > Antony.
> >
> > --
> > I just got a new mobile phone, and I called it Titanic.  It's already 
> > syncing.
> >
> >   Please reply to the list;
> > please *don't* CC 
> > me.
> >




[users@httpd] Help with mod_rewrite

2023-04-18 Thread Marc Serra
Hi,

A few weeks ago we renewed our prestashop website.

One of the new features is the support for multiple languages.

Typical home URLs are...
https://www.domain.tld/gb/ for English
https://www.domain.tld/es/ for Spanish
etc.

Typical product URLs are...
https://www.domain.tld/gb/PRODUCT_CATEGORY_FRIENDLY_URL/PRODUCT_CODE-PRODUCT_URL_FRIENDLY_DESCRIPTION.html
for English
https://www.domain.tld/es/PRODUCT_CATEGORY_FRIENDLY_URL/PRODUCT_CODE-PRODUCT_URL_FRIENDLY_DESCRIPTION.html
for Spanish
etc.

Our old URLs didn't contain the language, for example:
https://www.domain.tld/.html for home
https://www.domain.tld/PRODUCT_CATEGORY_FRIENDLY_URL/PRODUCT_CODE-PRODUCT_URL_FRIENDLY_DESCRIPTION.html
for product
etc.

I'm trying to save the old URL and move to our default language (gb
for example).

To start, I added the following two lines at the beginning of the
htaccess file. I try to redirect any URL not starting with /gb/ to the
English home page instead of a 404 page ...

RewriteCond %{REQUEST_URI} !^/gb/
RewriteRule ^.*$ /gb/ [L]

# Followed by the prestashop default rules ...

RewriteRule . - [E=REWRITEBASE:/]
RewriteRule ^api(?:/(.*))?$ \
    %{ENV:REWRITEBASE}webservice/dispatcher.php?url=$1 [QSA,L]

# Images
RewriteCond %{HTTP_HOST} ^www.domain.tld$
RewriteRule ^([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ \
    %{ENV:REWRITEBASE}img/p/$1/$1$2$3.jpg [L]
RewriteCond %{HTTP_HOST} ^www.domain.tld$
RewriteRule ^([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ \
    %{ENV:REWRITEBASE}img/p/$1/$2/$1$2$3$4.jpg [L]
RewriteCond %{HTTP_HOST} ^www.domain.tld$
RewriteRule ^([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ \
    %{ENV:REWRITEBASE}img/p/$1/$2/$3/$1$2$3$4$5.jpg [L]
RewriteCond %{HTTP_HOST} ^www.domain.tld$
RewriteRule ^([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ \
    %{ENV:REWRITEBASE}img/p/$1/$2/$3/$4/$1$2$3$4$5$6.jpg [L]
RewriteCond %{HTTP_HOST} ^www.domain.tld$
RewriteRule ^([0-9])([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ \
    %{ENV:REWRITEBASE}img/p/$1/$2/$3/$4/$5/$1$2$3$4$5$6$7.jpg [L]
RewriteCond %{HTTP_HOST} ^www.domain.tld$
RewriteRule ^([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ \
    %{ENV:REWRITEBASE}img/p/$1/$2/$3/$4/$5/$6/$1$2$3$4$5$6$7$8.jpg [L]
RewriteCond %{HTTP_HOST} ^www.domain.tld$
RewriteRule ^([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ \
    %{ENV:REWRITEBASE}img/p/$1/$2/$3/$4/$5/$6/$7/$1$2$3$4$5$6$7$8$9.jpg [L]
RewriteCond %{HTTP_HOST} ^www.domain.tld$
RewriteRule ^c/([0-9]+)(\-[\.*_a-zA-Z0-9-]*)(-[0-9]+)?/.+\.jpg$ \
    %{ENV:REWRITEBASE}img/c/$1$2$3.jpg [L]
RewriteCond %{HTTP_HOST} ^www.domain.tld$
RewriteRule ^c/([a-zA-Z_-]+)(-[0-9]+)?/.+\.jpg$ \
    %{ENV:REWRITEBASE}img/c/$1$2.jpg [L]
# AlphaImageLoader for IE and fancybox
RewriteRule ^images_ie/?([^/]+)\.(jpe?g|png|gif)$ \
    js/jquery/plugins/fancybox/images/$1.$2 [L]

# Dispatcher
RewriteCond %{REQUEST_FILENAME} -s [OR]
RewriteCond %{REQUEST_FILENAME} -l [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^.*$ - [NC,L]
RewriteRule ^.*$ %{ENV:REWRITEBASE}index.php [NC,L]



But when I visit https://www.domain.tld/sdfsdf/, an internal server
error appears. In apache error log:

[Tue Apr 18 12:28:43.520237 2023] [core:error] [pid 521174:tid
140459917698624] [client 90.x.x.x:47218] AH00124: Request exceeded the
limit of 10 internal redirects due to probable configuration error.
Use 'LimitInternalRecursion' to increase the limit if necessary. Use
'LogLevel debug' to get a backtrace.
[Tue Apr 18 12:28:43.520326 2023] [core:error] [pid 521174:tid
140459917698624] [client 90.x.x.x:47218] AH00124: Request exceeded the
limit of 10 internal redirects due to probable configuration error.
Use 'LimitInternalRecursion' to increase the limit if necessary. Use
'LogLevel debug' to get a backtrace.

If I visit https://www.domain.tld/gb/, an internal server error
appears. In apache error log (the same):

[Tue Apr 18 12:28:03.961530 2023] [core:error] [pid 521174:tid
140460882368064] [client 90.x.x.x:37092] AH00124: Request exceeded the
limit of 10 internal redirects due to probable configuration error.
Use 'LimitInternalRecursion' to increase the limit if necessary. Use
'LogLevel debug' to get a backtrace.
[Tue Apr 18 12:28:03.961606 2023] [core:error] [pid 521174:tid
140460882368064] [client 90.x.x.x:37092] AH00124: Request exceeded the
limit of 10 internal redirects due to probable configuration error.
Use 'LimitInternalRecursion' to increase the limit if necessary. Use
'LogLevel debug' to get a backtrace.

Can anyone help me?

Thanks

-- 
Marc Serra
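
Why the two rules added at the top of this .htaccess loop, and a guarded variant along the lines of the fix reported in the follow-up, as an added example that is not part of the thread. It assumes the file sits in the document root and that the PrestaShop rules follow unchanged; the language list is the one from the follow-up.

```apache
# Added example; not the poster's file.
RewriteEngine On

# Looping form from the post, kept commented for comparison:
#   RewriteCond %{REQUEST_URI} !^/gb/
#   RewriteRule ^.*$ /gb/ [L]
#
# In per-directory (.htaccess) context [L] only ends the current pass.
# After an internal rewrite the whole rule set runs again on the new URL:
#   pass 1  /sdfsdf/     no /gb/ prefix             -> /gb/
#   pass 2  /gb/         dispatcher rule            -> /index.php
#   pass 3  /index.php   no /gb/ prefix             -> /gb/
#   pass 4  /gb/         dispatcher rule            -> /index.php
#   ...     until the limit of 10 internal redirects (AH00124).
# A request that starts at /gb/ enters the same cycle at pass 2, which is
# why both URLs in the post fail in the same way.

# Guarded form.
# 1. Skip anything that is already the result of an internal rewrite;
#    REDIRECT_STATUS is empty only on the client's original request.
RewriteCond %{ENV:REDIRECT_STATUS} ^$
# 2. Skip real files and directories (index.php, images, CSS, JS).
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
# 3. Skip URLs that already carry a language prefix.
RewriteCond %{REQUEST_URI} !^/(gb|es|ca|fr)/ [NC]
# 4. Send the client to the default-language home page with an external
#    redirect, so the next request arrives with a /gb/ prefix and falls
#    through to the PrestaShop rules.
RewriteRule ^ /gb/ [R=302,L]

# Variant that keeps the old path instead of going to the home page
# (use in place of the rule above, not in addition to it):
#   RewriteRule ^(.*)$ /gb/$1 [R=302,L]

# ... PrestaShop default rules follow here, unchanged ...
```

Testing with curl rather than a browser, as suggested in the thread, avoids cached redirects while the rules are being adjusted.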


[users@httpd] GeoIP module problem

2022-11-11 Thread Marc Serra
nt-ttf font/otf application/x-font-otf
font/opentype image/svg+xml
   


#If rewrite mod isn't enabled
ErrorDocument 404 /index.php?controller=404

# ~~end~~ Do not remove this comment, Prestashop will keep automatically the code outside this comment when .htaccess will be generated again

GeoIPEnable On
SetEnvIf GEOIP_COUNTRY_CODE AD AllowCountry
SetEnvIf GEOIP_COUNTRY_CODE AT AllowCountry
SetEnvIf GEOIP_COUNTRY_CODE BE AllowCountry
SetEnvIf GEOIP_COUNTRY_CODE CH AllowCountry
SetEnvIf GEOIP_COUNTRY_CODE DE AllowCountry
SetEnvIf GEOIP_COUNTRY_CODE DK AllowCountry
SetEnvIf GEOIP_COUNTRY_CODE ES AllowCountry
SetEnvIf GEOIP_COUNTRY_CODE FI AllowCountry
SetEnvIf GEOIP_COUNTRY_CODE FR AllowCountry
SetEnvIf GEOIP_COUNTRY_CODE GB AllowCountry
SetEnvIf GEOIP_COUNTRY_CODE IE AllowCountry
SetEnvIf GEOIP_COUNTRY_CODE IT AllowCountry
SetEnvIf GEOIP_COUNTRY_CODE LU AllowCountry
SetEnvIf GEOIP_COUNTRY_CODE MC AllowCountry
SetEnvIf GEOIP_COUNTRY_CODE NL AllowCountry
SetEnvIf GEOIP_COUNTRY_CODE NO AllowCountry
SetEnvIf GEOIP_COUNTRY_CODE PT AllowCountry
SetEnvIf GEOIP_COUNTRY_CODE SE AllowCountry
SetEnvIf GEOIP_COUNTRY_CODE US AllowCountry
Deny from all
Allow from env=AllowCountry






The page loads, but I see this error on the apache error_log ...

[Fri Nov 11 13:23:06.906754 2022] [access_compat:error] [pid
2668535:tid 140474346104576] [client 90.161.x.x:43760] AH01797: client
denied by server configuration:
/var/www/vhosts/mydomain.tld/httpdocs/index.php
[Fri Nov 11 13:23:07.052376 2022] [access_compat:error] [pid
2668534:tid 140474580969216] [client 90.161.x.x:43776] AH01797: client
denied by server configuration:
/var/www/vhosts/mydomain.tld/httpdocs/index.php

Because I have activated fail2ban, after a few page loads, the IP is
banned and I can't access my site.

After removing the banned IP from fail2ban and if I remove the GeoIP
part of my .htaccess file, no errors are recorded on error_log and the
page loads correctly.

More strange though, if I replace the previous GeoIP config on the
.htaccess file with the following ...


GeoIPEnable On
SetEnvIf GEOIP_COUNTRY_CODE AF DenyCountry
SetEnvIf GEOIP_COUNTRY_CODE AX DenyCountry
# ... 200 lines ... (all countries except the previous ones: AD, AT, BE, ...)
SetEnvIf GEOIP_COUNTRY_CODE ZM DenyCountry
SetEnvIf GEOIP_COUNTRY_CODE ZW DenyCountry
Deny from env=DenyCountry



No errors logged on apache error_log file and page loads correctly.

And yes, it seems the GeoIP module is working. For example, if I add
"SetEnvIf GEOIP_COUNTRY_CODE ES DenyCountry" to the .htaccess file
with the latest described setup (more than 200 denied countries), my
IP is instantly blocked (no first load) as expected. And these entries
appear in apache error_log file (as expected too):

[Fri Nov 11 13:40:33.698490 2022] [access_compat:error] [pid
2668535:tid 140474346104576] [client 90.161.x.x:38306] AH01797: client
denied by server configuration:
/var/www/vhosts/mydomain.tld/httpdocs/ca
[Fri Nov 11 13:40:33.860555 2022] [access_compat:error] [pid
2668535:tid 140474713110272] [client 90.161.xx.x:38310] AH01797:
client denied by server configuration:
/var/www/vhosts/mydomain.tld/httpdocs/favicon.ico, referer:
https://mydomain.tld/ca/

Any idea what's happening and how to find more information?

Thanks!

-- 
Marc Serra


RE: [users@httpd] Log to syslog?

2022-04-12 Thread Marc
> > i went through this issue the hard way
> 
> Urgh - thanks for the comprehensive reply.
> 
> > there does not seem to be anything at all as apache seems to be all file
> > related
> 
> I wonder why mod_syslog has not been made more generic?
> 
> > redirecting to logger just does not work.
> >
> > i wrote a python script that uses sockets (assuming linux, freebsd etc)
> 
> Yes, I'm on Linux - thanks for the script, and for the comments re logger etc.
> 
> *If anyone else has a suggestion for how Apache can log to syslog, I'm still
> interested in other possible ways to achieve it!*
> 

I asked something similar a while ago: logging to something like 
influx. I know how to redirect syslog to influx. So if I can redirect e.g. IPs 
and 2XX/4XX to syslog, that would be very interesting. 




RE: [users@httpd] Re: Getting XAMPP Apache on Windows 10 to work through local network!

2022-04-07 Thread Marc
Some client told me to never do business with companies/people that call 
themselves hero, master etc. Makes me wonder about people calling themselves 
good guy.



> -Original Message-
> From:  Good Guy  
> Sent: Thursday, 7 April 2022 04:57
> To: users@httpd.apache.org
> Subject: [users@httpd] Re: Getting XAMPP Apache on Windows 10 to work
> through local network!
> 
> I am assuming you have installed WordPress in a folder. If this is so
> and assuming your Apache is working as you say then it is simply to type
> something like this in the browser:
> 
> 
> In the above command WordPress is the folder in which the index.php file
> resides.
> 
> Have you "installed" wordpress or are you just beginning to install it
> and got stuck with it?
> 
> 
> On 07/04/2022 03:04, A Z wrote:
> > I don't want to introduce the complications of bind or dns,
> > or any other similar facility in Windows.
> >
> >
> 
> --
> 
> With over 1.9 billion devices now running Windows 10/11, customer
> satisfaction is higher than any previous version of windows.
> 
> 
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org



Re: [users@httpd] Re: Are this option

2022-03-24 Thread Marc Serra
Please don't spend more time on this until I write another email. I
found something strange in our PHP code.


Re: [users@httpd] Re: Are this option

2022-03-24 Thread Marc Serra
> Pretty bad numbers actually, aren't you limited by the network
> bandwidth between ab and the server?

I think it isn't a bandwidth problem. Look ...

wget https://domain.tld/test.zip
--2022-03-24 12:04:26--  https://domain.tld/test.zip
Resolving domain.tld (domain.tld)... 82.x.x.x
Connecting to domain.tld (domain.tld)|82.x.x.x|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 688466403 (657M) [application/zip]
Saving to: ‘test.zip’

test.zip  100%[===>] 656.57M  11.2MB/s    in 59s

2022-03-24 12:05:25 (11.2 MB/s) - ‘test.zip’ saved [688466403/688466403]


> What are the numbers from ab when it's running on the server (i.e. ab
> ... https://localhost/index.html)?

Not good (this test was run from the same server where
www.domain.tld is hosted) ...

ab -l -H 'Accept-Encoding: gzip,deflate' -k -n 1 -c 1000
https://www.domain.tld/index.html
This is ApacheBench, Version 2.3 <$Revision: 1843412 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking www.domain.tld (be patient)
Completed 1000 requests
Completed 2000 requests
Completed 3000 requests
Completed 4000 requests
Completed 5000 requests
Completed 6000 requests
Completed 7000 requests
Completed 8000 requests
Completed 9000 requests
Completed 1 requests
Finished 1 requests


Server Software:        Apache
Server Hostname:        www.domain.tld
Server Port:            443
SSL/TLS Protocol:       TLSv1.2,ECDHE-RSA-AES128-GCM-SHA256,2048,128
Server Temp Key:        X25519 253 bits
TLS Server Name:        www.domain.tld

Document Path:          /index.html
Document Length:        Variable

Concurrency Level:      1000
Time taken for tests:   262.963 seconds
Complete requests:      1
Failed requests:        0
Non-2xx responses:      9582
Keep-Alive requests:    9582
Total transferred:      57837957 bytes
HTML transferred:       49816818 bytes
Requests per second:    38.03 [#/sec] (mean)
Time per request:       26296.304 [ms] (mean)
Time per request:       26.296 [ms] (mean, across all concurrent requests)
Transfer rate:          214.79 [Kbytes/sec] received

Connection Times (ms)
  min  mean[+/-sd] median   max
Connect:0  292 1179.6  08078
Processing: 0 24796 6927.5  27341   54249
Waiting:0 25726 5596.4  27377   54249
Total:  0 25088 6821.9  27372   54249

Percentage of the requests served within a certain time (ms)
  50%  27372
  66%  27532
  75%  27641
  80%  27767
  90%  28015
  95%  28133
  98%  31766
  99%  40137
 100%  54249 (longest request)


> The CPU usage looks high (20%) too for the requested load, but that's
> probably on mod_deflate (and TLS handshakes), how does "-H
> 'Accept-Encoding: gzip,deflate'" change things?

I tried without the -H option and I got similar results

ab -l -k -n 1 -c 1000 https://www.domain.tld/index.php
This is ApacheBench, Version 2.3 <$Revision: 1843412 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking www.domain.tld (be patient)
Completed 1000 requests
Completed 2000 requests
Completed 3000 requests
Completed 4000 requests
Completed 5000 requests
Completed 6000 requests
Completed 7000 requests
Completed 8000 requests
Completed 9000 requests
Completed 1 requests
Finished 1 requests


Server Software:        Apache
Server Hostname:        www.domain.tld
Server Port:            443
SSL/TLS Protocol:       TLSv1.2,ECDHE-RSA-AES128-GCM-SHA256,2048,128
Server Temp Key:        X25519 253 bits
TLS Server Name:        www.domain.tld

Document Path:          /index.php
Document Length:        Variable

Concurrency Level:      1000
Time taken for tests:   325.617 seconds
Complete requests:      1
Failed requests:        0
Keep-Alive requests:    0
Total transferred:      157188 bytes
HTML transferred:       156440 bytes
Requests per second:    30.71 [#/sec] (mean)
Time per request:       32561.691 [ms] (mean)
Time per request:       32.562 [ms] (mean, across all concurrent requests)
Transfer rate:          4714.25 [Kbytes/sec] received

Connection Times (ms)
  min  mean[+/-sd] median   max
Connect:1  177 610.2  23500
Processing:   334 30715 5844.0  32449   48394
Waiting:  218 30593 5846.3  32327   48264
Total:336 30892 5586.1  32456   48396

Percentage of the requests served within a certain time (ms)
  50%  32456
  66%  32616
  75%  32700
  80%  32733
  90%  32833
  95%  32934
  98%  33002
  99%  33033
 100%  48396 (longest request)


> Sorry, more questions than answers, but results on my (poor) laptop look like:

Oh, no! Thanks for all your answers, questions and time!

> Or with a shorter resource (1KB) and 10x more r

Re: [users@httpd] Re: Are this option

2022-03-24 Thread Marc Serra
Hi again,

I tested the settings with Apache Bench ...

ab -l -H 'Accept-Encoding: gzip,deflate' -k -n 1 -c 1000
https://www.DOMAIN1.TLD/index.html

I'm not sure if the following are good numbers or bad numbers. Can
anyone help me interpret this result please?



This is ApacheBench, Version 2.3 <$Revision: 1843412 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking www.DOMAIN1.TLD (be patient)
Completed 1000 requests
Completed 2000 requests
Completed 3000 requests
Completed 4000 requests
Completed 5000 requests
Completed 6000 requests
Completed 7000 requests
Completed 8000 requests
Completed 9000 requests
Completed 1 requests
Finished 1 requests


Server Software:        Apache
Server Hostname:        www.DOMAIN1.TLD
Server Port:            443
SSL/TLS Protocol:       TLSv1.2,ECDHE-RSA-AES128-GCM-SHA256,2048,128
Server Temp Key:        X25519 253 bits
TLS Server Name:        www.DOMAIN1.TLD

Document Path:          /index.html
Document Length:        Variable

Concurrency Level:      1000
Time taken for tests:   318.542 seconds
Complete requests:      1
Failed requests:        0
Non-2xx responses:      9572
Keep-Alive requests:    9561
Total transferred:      208048597 bytes
HTML transferred:       200026656 bytes
Requests per second:    31.39 [#/sec] (mean)
Time per request:       31854.176 [ms] (mean)
Time per request:       31.854 [ms] (mean, across all concurrent requests)
Transfer rate:          637.82 [Kbytes/sec] received

Connection Times (ms)
  min  mean[+/-sd] median   max
Connect:0   67 283.1  02752
Processing:91 30309 7974.2  33159   49480
Waiting:0 31523 5907.8  33184   49478
Total: 91 30376 7926.5  33162   49480

Percentage of the requests served within a certain time (ms)
  50%  33162
  66%  33264
  75%  33324
  80%  33357
  90%  33503
  95%  33578
  98%  33626
  99%  33692
 100%  49480 (longest request)





The memory used on the server is really low ...

free -m
              total        used        free      shared  buff/cache   available
Mem:          64307        2752         448         196       61106       60683
Swap:          7629           4        7625






I remind you of the current settings

StartServers 2
ServerLimit 45
ThreadLimit 100
ThreadsPerChild 100
MinSpareThreads 100
MaxSpareThreads 750
MaxRequestWorkers 1500
MaxConnectionsPerChild 0









 Finally here you have the result of mod_status (very looong)


Apache Server Status for 82.x.x.x (via 82.x.x.x)
Server Version: Apache/2.4.41 (Ubuntu) mod_fcgid/2.3.9 OpenSSL/1.1.1f
Server MPM: event
Server Built: 2022-03-16T16:52:53
Current Time: Thursday, 24-Mar-2022 09:06:54 CET
Restart Time: Thursday, 24-Mar-2022 09:05:13 CET
Parent Server Config. Generation: 1
Parent Server MPM Generation: 0
Server uptime: 1 minute 41 seconds
Server load: 6.17 5.45 3.68
Total accesses: 2932 - Total Traffic: 68.5 MB - Total Duration: 66037674
CPU Usage: u15.82 s2.52 cu.97 cs.21 - 19.3% CPU load
29 requests/sec - 0.7 MB/second - 23.9 kB/request - 22523.1 ms/request
1004 requests currently being processed, 396 idle workers
Slot PID Stopping Connections Threads Async connections
total accepting busy idle writing keep-alive closing
0 245322 no 100 no 100 0 0 0 0
1 247187 no 100 no 100 0 0 0 0
2 245581 no 100 no 100 0 0 0 0
3 245737 no 100 no 100 0 0 0 0
4 245738 no 100 no 100 0 0 0 0
5 245991 no 99 yes 99 1 0 0 0
6 245992 no 100 no 100 0 0 0 0
7 247321 no 100 no 100 0 0 0 0
8 245994 no 100 no 100 0 0 0 0
9 247322 no 100 no 100 0 0 0 0
10 247565 no 0 yes 0 100 0 0 0
11 247566 no 0 yes 0 100 0 0 0
12 247570 no 1 yes 2 98 0 0 0
13 247582 no 3 yes 3 97 0 0 0
Sum 14 0 1003 1004 396 0 0 0










Re: [users@httpd] Re: Are this option

2022-03-18 Thread Marc Serra
Thank you very much Yann,

The workload will be static HTML files.

The site typically has 1.000 visits per hour, but some days it has a
sudden demand of 10.000 unique visitors in a matter of seconds.

We start with your values and check periodically with mod_status.

Thanks again

Message from Yann Ylavic on Fri, 18 March 2022 at 11:19:


>
> On Fri, Mar 18, 2022 at 8:27 AM Marc Serra  wrote:
> >
> > Thanks for your comments Frank,
> >
> > Reading the Apache documentation
> > (https://httpd.apache.org/docs/2.4/en/mod/mpm_common.html#threadlimit)
> > I cannot find the way to calculate an optimal value for ThreadLimit
> > and ThreadsPerChild directives for that reason I kept the default
> > values (64 and 25).
> >
> > Can you (or anyone) help me to find the right values?
>
> This script might help for an MPM event configuration based on
> MaxRequestWorkers:
> ```
> #!/bin/bash
>
> if [ $# -lt 1 ]; then
>     echo>&2 "usage: `basename $0` "
>     exit 1
> fi
>
> # Some pre-computations
> numWorkers=$1
> if [ $numWorkers -lt 1000 ]; then
>     # Small setups: fixed number of processes
>     numProcesses=10
> elif [ $numWorkers -lt 10000 ]; then
>     # Mid-range: 100 threads per process
>     numProcesses=$(($numWorkers / 100))
> else
>     # Large setups: cap the number of processes
>     numProcesses=100
> fi
> numThreads=$(($numWorkers / $numProcesses))
>
> cat <<EOF
> # MPM event settings
> StartServers             1
> ServerLimit              $(($numProcesses * 3))
> ThreadLimit              $numThreads
> ThreadsPerChild          $numThreads
> MinSpareThreads          $numThreads
> MaxSpareThreads          $(($numWorkers / 2))
> MaxRequestWorkers        $numWorkers
> #ThreadStackSize         524288
> MaxConnectionsPerChild   0
> EOF
> ```
>
> For a MaxRequestWorkers of 1500, it gives:
> # MPM event settings
> StartServers             1
> ServerLimit              45
> ThreadLimit              100
> ThreadsPerChild          100
> MinSpareThreads          100
> MaxSpareThreads          750
> MaxRequestWorkers        1500
> #ThreadStackSize         524288
> MaxConnectionsPerChild   0
>
> But you didn't describe your workload: static resources, dynamic
> content (local with mod_cgid or offloaded with mod_proxy_fcgi),
> proxying (HTTP, websocket), etc.
> Since your system looks quite capable (RAM/CPU), the limit for
> MaxRequestWorkers depends mainly on the average request time (bounded
> by timeouts) which you probably should measure for your workload.
>
>
> Regards;
> Yann.
>
>

-- 
Marc Serra
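
The directive relationships this thread keeps returning to (ThreadsPerChild against ThreadLimit, MaxRequestWorkers against ServerLimit x ThreadsPerChild, the spare-thread range) can be checked mechanically. The following is an added example, not code from the thread or from the httpd project: it models the adjustments described in the mpm_common documentation, and the function name, the finding labels and the NO_SERVER_LIMIT case are assumptions made for illustration.

```python
# Default for threaded MPMs, as quoted in the thread
# ("The default ServerLimit value is 16").
DEFAULT_SERVER_LIMIT = 16

# Directive sets copied from the thread.
ORIGINAL_POST = {
    "ServerLimit": 75, "ThreadLimit": 64, "ThreadsPerChild": 25,
    "MinSpareThreads": 75, "MaxSpareThreads": 250, "MaxRequestWorkers": 1500,
}
SCRIPT_OUTPUT = {
    "ServerLimit": 45, "ThreadLimit": 100, "ThreadsPerChild": 100,
    "MinSpareThreads": 100, "MaxSpareThreads": 750, "MaxRequestWorkers": 1500,
}
# Constructed case: the original values with ServerLimit left at its default.
NO_SERVER_LIMIT = {k: v for k, v in ORIGINAL_POST.items() if k != "ServerLimit"}


def evaluate_mpm_event(cfg):
    """Model how an MPM event directive set is adjusted at startup.

    Returns the effective worker count, the number of child processes needed
    at full load, and a list of (label, message) findings.
    """
    findings = []
    tpc = cfg["ThreadsPerChild"]
    thread_limit = cfg["ThreadLimit"]
    server_limit = cfg.get("ServerLimit", DEFAULT_SERVER_LIMIT)
    mrw = cfg["MaxRequestWorkers"]

    if tpc > thread_limit:
        findings.append(("threads-capped",
                         f"ThreadsPerChild {tpc} exceeds ThreadLimit {thread_limit}; "
                         f"lowered to {thread_limit}"))
        tpc = thread_limit
    elif thread_limit > tpc:
        findings.append(("threadlimit-headroom",
                         f"ThreadLimit {thread_limit} is above ThreadsPerChild {tpc}; "
                         "the difference is allocated but unused shared memory"))

    if mrw < tpc:
        findings.append(("workers-raised",
                         f"MaxRequestWorkers {mrw} is below ThreadsPerChild; raised to {tpc}"))
        mrw = tpc
    elif mrw % tpc:
        lowered = (mrw // tpc) * tpc
        findings.append(("not-multiple",
                         f"MaxRequestWorkers {mrw} is not a multiple of ThreadsPerChild "
                         f"{tpc}; lowered to {lowered}"))
        mrw = lowered

    capacity = server_limit * tpc
    if mrw > capacity:
        findings.append(("serverlimit-too-low",
                         f"MaxRequestWorkers {mrw} needs {mrw // tpc} processes but "
                         f"ServerLimit is {server_limit}; lowered to {capacity}"))
        mrw = capacity

    min_spare, max_spare = cfg["MinSpareThreads"], cfg["MaxSpareThreads"]
    if max_spare < min_spare + tpc:
        findings.append(("spare-range",
                         f"MaxSpareThreads {max_spare} is below MinSpareThreads + "
                         f"ThreadsPerChild ({min_spare + tpc})"))

    return {
        "effective_max_request_workers": mrw,
        "threads_per_process": tpc,
        "processes_at_full_load": mrw // tpc,
        "findings": findings,
    }


if __name__ == "__main__":
    for name, cfg in [("original post", ORIGINAL_POST),
                      ("script output", SCRIPT_OUTPUT),
                      ("no ServerLimit", NO_SERVER_LIMIT)]:
        result = evaluate_mpm_event(cfg)
        print(f"{name}: {result['effective_max_request_workers']} workers in "
              f"{result['processes_at_full_load']} processes")
        for label, message in result["findings"]:
            print(f"  [{label}] {message}")
```

Both posted configurations reach 1500 workers; they differ in how many processes carry them (60 of 25 threads against 15 of 100), while the constructed case is held at 400.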




Re: [users@httpd] Re: Are this option

2022-03-18 Thread Marc Serra
Thanks for your comments Frank,

Reading the Apache documentation
(https://httpd.apache.org/docs/2.4/en/mod/mpm_common.html#threadlimit)
I cannot find the way to calculate an optimal value for the ThreadLimit
and ThreadsPerChild directives; for that reason I kept the default
values (64 and 25).

Can you (or anyone) help me to find the right values?



Message from Frank Gingras on Thu, 17 March 2022 at 17:19:
>
> Those settings could fit your workload, or not. You need to measure it with 
> /server-status to see how many idle workers you have.
>
> That being said, ThreadsPerChild seems very low. Depending on your content, 
> you could likely ramp up to a much higher value, which means that you would 
> need less parent processes.
>
>
>
> On Wed, 16 Mar 2022 at 08:14, Marc Serra  wrote:
>>
>> I'm sorry to insist ... if this list is not the right place to ask that 
>> question, could anyone tell me where to do it?
>>
>> Thanks
>>
>> Message from Marc Serra on Wed, 9 March 2022 at 18:01:
>>>
>>> Hi, I want to configure an apache server to support a high load site. Are 
>>> these settings correct?
>>>
>>> /etc/apache2/mods-enabled/mpm_event.conf
>>>
>>> 
>>> StartServers 2
>>> MinSpareThreads  75
>>> MaxSpareThreads  250
>>> ThreadLimit  64
>>> ThreadsPerChild  25
>>> MaxRequestWorkers 1500
>>> MaxConnectionsPerChild   0
>>> ServerLimit 75
>>> 
>>>
>>> I used a combination of 
>>> https://httpd.apache.org/docs/2.4/en/mod/mpm_common.html and 
>>> https://support.plesk.com/hc/en-us/articles/214529205-Apache-keeps-going-down-on-a-Plesk-server-server-reached-MaxRequestWorkers-setting
>>>  ...
>>>
>>> MaxRequestWorkers = (Total RAM - Memory used for Linux, DB, etc.) / average 
>>> Apache process size
>>> =>
>>> 1500 = (64000 - 6) / 40
>>>
>>> The default ServerLimit value is 16. To increase it, you must also raise 
>>> MaxRequestWorkers using the following formula: ServerLimit value x 25 = 
>>> MaxRequestWorkers value. For example, if ServerLimit is set to 20, then 
>>> MaxRequestWorkers will be 20 x 25 = 500.
>>> =>
>>> 75 x 25 = 1500
>>>
>>>
>>>
>>> The hardware includes 64GB of memory, AMD Ryzen 7 PRO 3700 8-Core Processor 
>>> and NVME disks.
>>>
>>> I'm using Apache 2.4.41 with event MPM on ubuntu 20.04 ...
>>>
>>> Server version: Apache/2.4.41 (Ubuntu)
>>> Server built:   2022-01-05T14:49:56
>>> Server's Module Magic Number: 20120211:88
>>> Server loaded:  APR 1.6.5, APR-UTIL 1.6.1
>>> Compiled using: APR 1.6.5, APR-UTIL 1.6.1
>>> Architecture:   64-bit
>>> Server MPM: event
>>>   threaded: yes (fixed thread count)
>>> forked: yes (variable process count)
>>> Server compiled with
>>>  -D APR_HAS_SENDFILE
>>>  -D APR_HAS_MMAP
>>>  -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
>>>  -D APR_USE_SYSVSEM_SERIALIZE
>>>  -D APR_USE_PTHREAD_SERIALIZE
>>>  -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
>>>  -D APR_HAS_OTHER_CHILD
>>>  -D AP_HAVE_RELIABLE_PIPED_LOGS
>>>  -D DYNAMIC_MODULE_LIMIT=256
>>>  -D HTTPD_ROOT="/etc/apache2"
>>>  -D SUEXEC_BIN="/usr/lib/apache2/suexec"
>>>  -D DEFAULT_PIDLOG="/var/run/apache2.pid"
>>>  -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
>>>  -D DEFAULT_ERRORLOG="logs/error_log"
>>>  -D AP_TYPES_CONFIG_FILE="mime.types"
>>>  -D SERVER_CONFIG_FILE="apache2.conf"
>>>
>>> And this loaded Modules...
>>>  core_module (static)
>>>  so_module (static)
>>>  watchdog_module (static)
>>>  http_module (static)
>>>  log_config_module (static)
>>>  logio_module (static)
>>>  version_module (static)
>>>  unixd_module (static)
>>>  access_compat_module (shared)
>>>  aclr_module (shared)
>>>  actions_module (shared)
>>>  alias_module (shared)
>>>  auth_basic_module (shared)
>>>  authn_core_module (shared)
>>>  authn_file_module (shared)
>>>  authz_core_module (shared)
>>>  authz_host_module (shared)
>>>  authz_user_module (shared)
>>>  autoindex_module (shared)
>>>  cgid_module (shared)

[users@httpd] Re: Are this option

2022-03-16 Thread Marc Serra
I'm sorry to insist ... if this list is not the right place to ask that
question, could anyone tell me where to do it?

Thanks

Message from Marc Serra on Wed, 9 March 2022 at 18:01:

> Hi, I want to configure an apache server to support a high load site. Are
> these settings correct?
>
> /etc/apache2/mods-enabled/mpm_event.conf
>
> 
> StartServers 2
> MinSpareThreads  75
> MaxSpareThreads  250
> ThreadLimit  64
> ThreadsPerChild  25
> MaxRequestWorkers 1500
> MaxConnectionsPerChild   0
> ServerLimit 75
> 
>
> I used a combination of
> https://httpd.apache.org/docs/2.4/en/mod/mpm_common.html and
> https://support.plesk.com/hc/en-us/articles/214529205-Apache-keeps-going-down-on-a-Plesk-server-server-reached-MaxRequestWorkers-setting
> ...
>
> MaxRequestWorkers = (Total RAM - Memory used for Linux, DB, etc.) /
> average Apache process size
> =>
> 1500 = (64000 - 6) / 40
>
> The default ServerLimit value is 16. To increase it, you must also raise
> MaxRequestWorkers using the following formula: ServerLimit value x 25 =
> MaxRequestWorkers value. For example, if ServerLimit is set to 20, then
> MaxRequestWorkers will be 20 x 25 = 500.
> =>
> 75 x 25 = 1500
>
>
>
> The hardware includes 64GB of memory, AMD Ryzen 7 PRO 3700 8-Core
> Processor and NVME disks.
>
> I'm using Apache 2.4.41 with event MPM on ubuntu 20.04 ...
>
> Server version: Apache/2.4.41 (Ubuntu)
> Server built:   2022-01-05T14:49:56
> Server's Module Magic Number: 20120211:88
> Server loaded:  APR 1.6.5, APR-UTIL 1.6.1
> Compiled using: APR 1.6.5, APR-UTIL 1.6.1
> Architecture:   64-bit
> Server MPM: event
>   threaded: yes (fixed thread count)
> forked: yes (variable process count)
> Server compiled with
>  -D APR_HAS_SENDFILE
>  -D APR_HAS_MMAP
>  -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
>  -D APR_USE_SYSVSEM_SERIALIZE
>  -D APR_USE_PTHREAD_SERIALIZE
>  -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
>  -D APR_HAS_OTHER_CHILD
>  -D AP_HAVE_RELIABLE_PIPED_LOGS
>  -D DYNAMIC_MODULE_LIMIT=256
>  -D HTTPD_ROOT="/etc/apache2"
>  -D SUEXEC_BIN="/usr/lib/apache2/suexec"
>  -D DEFAULT_PIDLOG="/var/run/apache2.pid"
>  -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
>  -D DEFAULT_ERRORLOG="logs/error_log"
>  -D AP_TYPES_CONFIG_FILE="mime.types"
>  -D SERVER_CONFIG_FILE="apache2.conf"
>
> And this loaded Modules...
>  core_module (static)
>  so_module (static)
>  watchdog_module (static)
>  http_module (static)
>  log_config_module (static)
>  logio_module (static)
>  version_module (static)
>  unixd_module (static)
>  access_compat_module (shared)
>  aclr_module (shared)
>  actions_module (shared)
>  alias_module (shared)
>  auth_basic_module (shared)
>  authn_core_module (shared)
>  authn_file_module (shared)
>  authz_core_module (shared)
>  authz_host_module (shared)
>  authz_user_module (shared)
>  autoindex_module (shared)
>  cgid_module (shared)
>  deflate_module (shared)
>  dir_module (shared)
>  env_module (shared)
>  fcgid_module (shared)
>  filter_module (shared)
>  headers_module (shared)
>  include_module (shared)
>  mime_module (shared)
>  mpm_event_module (shared)
>  negotiation_module (shared)
>  proxy_module (shared)
>  proxy_fcgi_module (shared)
>  proxy_http_module (shared)
>  proxy_wstunnel_module (shared)
>  remoteip_module (shared)
>  reqtimeout_module (shared)
>  rewrite_module (shared)
>  setenvif_module (shared)
>  socache_shmcb_module (shared)
>  ssl_module (shared)
>  status_module (shared)
>  suexec_module (shared)
>  unique_id_module (shared)
>  userdir_module (shared)
>
>
> Thanks for your time.
>
>

-- 
Marc Serra
Organization and Systems


Re: [users@httpd] mod_evasive [OT?]

2022-03-10 Thread Marc Serra
Hi Darryl,

Take a look at mod_security: https://github.com/SpiderLabs/ModSecurity

Not perfect for fending off DoS attacks, but provides a rate-limit option:
https://stackoverflow.com/questions/26409546/protecting-against-ddos-attacks-is-mod-security-and-the-owasp-rule-set-adequate

Message from Darryl Philip Baker on Thu, 10 March 2022 at 16:35:

> I am trying to upgrade our webservers from RHEL7 to RHEL8. One third party
> module we use is mod_evasive. Searching for information I find that in 2020
> it was in the EPEL repository for RHEL8/CentOS8 but it is no longer there.
> I have no problem building it from source if necessary. Where can I find
> the current source for it? Is there another module that is better for
> fending off DoS and DDoS attacks?
>
>
>
> *Darryl Baker, *GSEC, GCLD  (he/him/his)
>
> Sr. System Administrator
>
> Distributed Application Platform Services
>
> *Northwestern University*
>
> 4th Floor
>
> 2020 Ridge Avenue
>
> Evanston, IL  60208-0801
>
> *darryl.ba...@northwestern.edu *
>
> (847) 467-6674 <+18474676674>
>
>
>


-- 
Marc Serra
Organization and Systems



[users@httpd] Are this option

2022-03-09 Thread Marc Serra
Hi, I want to configure an apache server to support a high load site. Are
these settings correct?

/etc/apache2/mods-enabled/mpm_event.conf


StartServers 2
MinSpareThreads  75
MaxSpareThreads  250
ThreadLimit  64
ThreadsPerChild  25
MaxRequestWorkers 1500
MaxConnectionsPerChild   0
ServerLimit 75


I used a combination of
https://httpd.apache.org/docs/2.4/en/mod/mpm_common.html and
https://support.plesk.com/hc/en-us/articles/214529205-Apache-keeps-going-down-on-a-Plesk-server-server-reached-MaxRequestWorkers-setting
...

MaxRequestWorkers = (Total RAM - Memory used for Linux, DB, etc.) / average
Apache process size
=>
1500 = (64000 - 6) / 40

The default ServerLimit value is 16. To increase it, you must also raise
MaxRequestWorkers using the following formula: ServerLimit value x 25 =
MaxRequestWorkers value. For example, if ServerLimit is set to 20, then
MaxRequestWorkers will be 20 x 25 = 500.
=>
75 x 25 = 1500



The hardware includes 64GB of memory, AMD Ryzen 7 PRO 3700 8-Core Processor
and NVME disks.

I'm using Apache 2.4.41 with event MPM on ubuntu 20.04 ...

Server version: Apache/2.4.41 (Ubuntu)
Server built:   2022-01-05T14:49:56
Server's Module Magic Number: 20120211:88
Server loaded:  APR 1.6.5, APR-UTIL 1.6.1
Compiled using: APR 1.6.5, APR-UTIL 1.6.1
Architecture:   64-bit
Server MPM: event
  threaded: yes (fixed thread count)
forked: yes (variable process count)
Server compiled with
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=256
 -D HTTPD_ROOT="/etc/apache2"
 -D SUEXEC_BIN="/usr/lib/apache2/suexec"
 -D DEFAULT_PIDLOG="/var/run/apache2.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="mime.types"
 -D SERVER_CONFIG_FILE="apache2.conf"

And this loaded Modules...
 core_module (static)
 so_module (static)
 watchdog_module (static)
 http_module (static)
 log_config_module (static)
 logio_module (static)
 version_module (static)
 unixd_module (static)
 access_compat_module (shared)
 aclr_module (shared)
 actions_module (shared)
 alias_module (shared)
 auth_basic_module (shared)
 authn_core_module (shared)
 authn_file_module (shared)
 authz_core_module (shared)
 authz_host_module (shared)
 authz_user_module (shared)
 autoindex_module (shared)
 cgid_module (shared)
 deflate_module (shared)
 dir_module (shared)
 env_module (shared)
 fcgid_module (shared)
 filter_module (shared)
 headers_module (shared)
 include_module (shared)
 mime_module (shared)
 mpm_event_module (shared)
 negotiation_module (shared)
 proxy_module (shared)
 proxy_fcgi_module (shared)
 proxy_http_module (shared)
 proxy_wstunnel_module (shared)
 remoteip_module (shared)
 reqtimeout_module (shared)
 rewrite_module (shared)
 setenvif_module (shared)
 socache_shmcb_module (shared)
 ssl_module (shared)
 status_module (shared)
 suexec_module (shared)
 unique_id_module (shared)
 userdir_module (shared)


Thanks for your time.

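The consistency rules this message relies on (MaxRequestWorkers against ServerLimit x ThreadsPerChild, and the RAM budget) can be checked mechanically. The script below is an added example, not part of the original post or of httpd; the function names, the 40 MB per-process size, and the reserved and total memory figures passed to `memory_estimate` are assumptions to replace with measured values.

```python
"""Consistency check for event/worker MPM sizing directives (added example)."""
import re

# Documented defaults of the event and worker MPMs, used for omitted directives.
DEFAULTS = {"ServerLimit": 16, "ThreadLimit": 64, "ThreadsPerChild": 25,
            "MinSpareThreads": 75, "MaxSpareThreads": 250, "MaxRequestWorkers": 400}

# Directive values as posted in the message above.
POSTED = """\
StartServers 2
MinSpareThreads  75
MaxSpareThreads  250
ThreadLimit  64
ThreadsPerChild  25
MaxRequestWorkers 1500
MaxConnectionsPerChild   0
ServerLimit 75
"""


def parse_mpm(text):
    """Return {directive: int}, starting from the defaults above."""
    cfg = dict(DEFAULTS)
    for raw in text.splitlines():
        match = re.fullmatch(r"\s*(\w+)\s+(\d+)\s*", raw.split("#", 1)[0])
        if match:
            cfg[match.group(1)] = int(match.group(2))
    return cfg


def check_mpm(cfg):
    """Return findings for values httpd would adjust or warn about at startup."""
    findings = []
    tpc, workers = cfg["ThreadsPerChild"], cfg["MaxRequestWorkers"]
    if tpc > cfg["ThreadLimit"]:
        findings.append(f"ThreadsPerChild {tpc} exceeds ThreadLimit {cfg['ThreadLimit']}")
    ceiling = cfg["ServerLimit"] * tpc
    if workers > ceiling:
        findings.append(f"MaxRequestWorkers {workers} exceeds ServerLimit x "
                        f"ThreadsPerChild = {ceiling}")
    if workers % tpc:
        findings.append(f"MaxRequestWorkers {workers} is not a multiple of "
                        f"ThreadsPerChild {tpc}")
    floor = cfg["MinSpareThreads"] + tpc
    if cfg["MaxSpareThreads"] < floor:
        findings.append(f"MaxSpareThreads {cfg['MaxSpareThreads']} is below "
                        f"MinSpareThreads + ThreadsPerChild = {floor}")
    return findings


def memory_estimate(cfg, process_mb, reserved_mb, total_mb):
    """Return (child processes at full load, MB they need, MB available).

    With a threaded MPM the process count is MaxRequestWorkers divided by
    ThreadsPerChild, so the RAM formula multiplies by that, not by the
    number of workers.
    """
    children = -(-cfg["MaxRequestWorkers"] // cfg["ThreadsPerChild"])  # ceiling
    return children, children * process_mb, total_mb - reserved_mb


if __name__ == "__main__":
    posted = parse_mpm(POSTED)
    print(check_mpm(posted) or "directives are mutually consistent")
    # process_mb, reserved_mb and total_mb are constructed figures.
    print(memory_estimate(posted, process_mb=40, reserved_mb=4000, total_mb=64000))
```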

RE: [users@httpd] How to get someone to look at a Apache bug report on Red Hat's Bugzilla?

2022-02-24 Thread Marc
> 
> Since you don't have paid support from RedHat, there is absolutely no
> reason to not install your own version of httpd.
> 

I agree. The days of relying on a lts distribution are coming to an end. I have 
the impression that RedHat is not the place to be anymore. Moving packages from 
the lts to scl, now dropping centos etc. They seem not to be able to catch up 
with patching everything. I think the trend will be getting your crucial rpm's 
directly from the source.


Re: [users@httpd] Dynamic authentication rules

2022-02-12 Thread Marc SCHAEFER
On Fri, Feb 11, 2022 at 06:21:50PM -0500, stormy wrote:
> Maybe I'm missing something that you refer to as "tricks" and "presumably"?
> Proof of concept?  Context?

If the dynamic way does not work, I will simply generate about 100
different configurations and merge them in Apache, it's not complicated
to do, just a bit silly IF there is some support dynamicity that
I missed in the documentation.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org



[users@httpd] Dynamic authentication rules

2022-02-11 Thread Marc SCHAEFER
Hello,

In general, I would handle that kind of authentication tricks in a
perl script, however in this case I would need to protect a script
directly in Apache.

What presumably would work:


   AuthType Basic
   AuthName "Login Required for testing"
   AuthUserFile /shared/testing/htpasswd
   Require valid-user


What I would like to do:


   AuthType Basic
   AuthName "Login Required for $1"
   AuthUserFile /shared/$1/htpasswd
   Require valid-user


Is there a way to do something dynamic like this ?

Thank you for any pointer.




RE: [users@httpd] Is it possible to install/configure SSL certificates on a server behind a reverse proxy?

2022-01-12 Thread Marc
You can just do that. I have also certs behind a reverse proxy. My whole 
'virtual/internal' applications in containers is running with my own CA 
certificates and on the reverse proxy I have some certs from known CA's
Specific for this setup is a proxy protocol, that informs the public ip 
addresses instead of local ones.

Best is it to ask on something like the haproxy community.

> My question:
> 
> Would it have been possible to install the SSL certificates in the virtual
> machines?
> 
> 
> As far as I know, no, because then the reverse proxy can be seen as a 'man
> in the middle attack'.
> 
> This is why I configured the SSL certificates on the host, and as far as I
> know this is also how it should be (after reading some articles about it
> on the internet).
> 
> 
> I did however also find the Apache directive SSLProxyEngine. Is
> it possible with this directive to install/configure the SSL certificates
> inside the virtual machines?
> 
> 
> I'm curious :-)!
> 


RE: [users@httpd] Re: Choosing Windows platfrorm

2021-10-23 Thread Marc
> 
> With over 1.4 billion devices now running Windows 10/11, customer
> satisfaction is higher than any previous version of windows.
> 
> 

WTF WTF I @#$@#$@#$ hate windows 10. Customer satisfaction with Microsoft is 0
https://www.reddit.com/r/aargh_Microsoft/







RE: [users@httpd] How to display the True-Client-IP header in the access log

2021-10-19 Thread Marc
With haproxy you have an option to enable a proxy protocol, this transmits the 
client ip. I guess something similar must exist in your case.

> 
> When Apache is accessed via a CDN (Akamai), I would like to record the
> IP of the accessing client in the Apache logs.
> In order to display the True-Client-IP header sent by Akamai in the
> access log like X-Forward-For, do I have to change the Logformat setting
> in httpd.conf as follows?
> 
> Logformat "%{True-Client-IP}i %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
> 
> If anyone has had any success with True-Client-IP showing up in the
> logs, please let me know.
> 
> Regards,
> 




RE: [users@httpd] Local css/js files take 5 seconds to load

2021-10-12 Thread Marc
> Httpd with default settings. Opening a local html document with cleared
> cache in any browser takes very long to load. The Chrome network tab
> shows that the "Content Download" from included local css/js files take
> 5 seconds to load. No matter how many or which files. Issue appeared
> after updating to v2.4.48.

I would guess that is either your network connection or your filesystem, but 
even static files would be loaded into ram cache. What if you do a curl -v from 
localhost?






[users@httpd] duplicate logging into one global access/error log

2021-10-06 Thread Marc
Currently I have virtualhost configuration files that configure logging like 
this[1] (in a local dir). How can I add something to eg 
/etc/httpd/conf/httpd.conf that logs everything of all configured virtual hosts 
ALSO into some global log file? 



[1]

..
..
CustomLog "|/usr/sbin/rotatelogs -L /home//logs/www.example.com-access.log 
-p /usr/local/sbin/rlogs-umask.sh -l 
/home//logs/%Y/www.example.com-%Y%m%d-access.log 86400" combined
ErrorLog "|/usr/sbin/rotatelogs -L /home//logs/www.example.com-error.log -p 
/usr/local/sbin/rlogs-umask.sh -l 
/home//logs/%Y/www.example.com-%Y%m%d-error.log 86400"
..
..
..





Re: [users@httpd] Issues with accessing web page using DNS URL

2021-08-18 Thread Marc Serra
If you ping (or dig, or nslookup, or ...) your www.mywebpage.com (the noip
name) from outside your home, is it resolved to your public IP address?

I think it's not an apache related issue.



On Wed, 18 Aug 2021, 20:41,  wrote:

> I set up my router to port forward. I was using NOIP with my previous ISP
> because the IP address was changing. With my new ISP I don't have that
> problem. My goal is to use something like "www.mywebpage.com" to access my
> home server instead of using my actual IP. I am thinking about having a
> place for family to see pictures and videos I have of my kids. I am also
> wanting to have my own cloud server for files and media. I am under the
> impression that to have my own domain name I would need to do that through
> NOIP. Is there another way to have name address resolution without NoIp?
>
> -Original Message-
> From: Richard
> Sent: Wednesday, August 18, 2021 1:19 PM
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Issues with accessing web page using DNS URL
>
> > Date: Wednesday, August 18, 2021 12:48:36 -0500
> > From: wendellkb...@gmail.com
> >
> > I am wondering if anyone has any idea as to what could be happening to
> > prevent me from using the URL I have set up with No-IP.
> >
> > Particulars:
> >
> > 1. I have a static IP
> > 2. I setup NOIP to send port 80 traffic to port 8080
> >
> > I can use the internal IP address on my home network and bring up my
> > web page. I can input the static IP of my router and access my web
> > page. If I use the web address URL I set up with No-Ip it just times
> > out. Does anyone have any ideas why this is the case?
> >
>
> Not a lot of detail to work from ...
>
> Are you using NAT for your network behind the router? If so, are you
> port-forwarding the necessary port(s) to the target machine's
> internal/lan IPnumber?
>
> Separately, if you have a static (public) IPnumber why not set up DNS
> rather than using "no-ip", which is intended for cases where you *don't*
> have a static IPnumber.
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>
> Scanned by McAfee and confirmed virus-free. Find out more here:
> https://bit.ly/2zCJMrO
>
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>
>



Re: [users@httpd] Can't get the list of loaded modules with apache2 -M

2021-07-26 Thread Marc Serra
Try to source your envvars by running it like this

source /etc/apache2/envvars

and then

/usr/sbin/apache2 -M

On Mon, 26 Jul 2021, 19:18, Andrea Croci  wrote:

> Hi, I have Apache 2.4.48 installed in Ubuntu 20.04 by adding the
> ondrej-ppa. When I do
>
> sudo apache2 -M
>
> (and other apache2 commands as well) I get
>
> [Mon Jul 26 19:03:15.930435 2021] [core:warn] [pid 10739] AH00111: Config
> variable ${APACHE_RUN_DIR} is not defined
> apache2: Syntax error on line 82 of /etc/apache2/apache2.conf:
> DefaultRuntimeDir must be a valid directory, absolute or relative to
> ServerRoot
>
> The envvars file does define those variables and I didn't touch it from
> installation. The only thing I did is to add to the apache2.conf file a
> global ServerName directive, because it was complaining by reloading that
> it couldn't find the fully qualified domain name.
>
> Now it reloads and restarts fine, but I get that error. The error log only
> shows my restarts and reloads, nothing else. I didn't find anything useful
> on the net. How could I go about troubleshooting this?
>
> Thanks,
>
> Andrea
>



Re: [users@httpd] blacklisting

2021-06-17 Thread Marc Serra
We are using a border firewall too. This firewall includes an option to
auto update "list of bad IP" from a proprietary database.

Also you can use a public bad IP list, for example:
https://feodotracker.abuse.ch/blocklist/ or
https://github.com/mlsecproject/combine/wiki/Threat-Intelligence-Feeds-Gathered-by-Combine,
and create a crontab script to parse this list and update your .htaccess
file

Message from Jim Albert on Thu, 17 June 2021 at 3:30:

> On 6/16/2021 9:05 PM, Will Fatherley wrote:
> > Hi All,
> >
> > I have been using A2 for a few years now, but I've not really needed
> > to implement any deny/black-listing because I simply have no
> > meaningful security/traffic constraints. In moving forward with
> > development on top of A2 which does have security implications, I'm
> > hoping it might be possible that folks might be willing to share how
> > they store blocked remote addresses. For instance, are relational
> > datastores and other such objects typically required at the enterprise
> > level to store blocked addresses? Or is a plaintext file suitable from
> > an efficiency standpoint?
> >
> > Best,
> > Will F
>
> I find it easiest to implement blocks at the border firewall especially
> if I'm implementing a stored list of known attack IP addresses. At the
> border firewall I can easily block a set of IP addresses from the WAN to
> all my resources... httpd and others.
>
> Within Apache there are a variety of examples of what you can do at:
> https://httpd.apache.org/docs/2.4/howto/access.html
>
> I'm sure others can add to this advice from their own experiences.
>
> Jim
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>
>

-- 
Marc Serra
Organització i Sistemes

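One way to implement the cron job suggested in the reply above, as an added example that is not part of the original message: it validates each feed entry, refuses ranges that are too broad or that overlap protected networks, and rewrites only a marked section of the .htaccess file. The feed layout (one address or CIDR per line, `#` comments), the marker strings, `MIN_PREFIX`, `NEVER_BLOCK` and all function names are assumptions, and the sample addresses are constructed.

```python
"""Build a managed deny section for .htaccess from a plain-text IP blocklist."""
import ipaddress
import os
import tempfile

BEGIN, END = "# BEGIN managed-blocklist", "# END managed-blocklist"  # assumed markers
MIN_PREFIX = {4: 16, 6: 32}  # assumed policy: refuse ranges broader than this
# Assumed policy: networks a feed must never be able to block (internal clients).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7")]

# Constructed sample feed using documentation address ranges, not real indicators.
SAMPLE_FEED = """\
# one address or CIDR per line
192.0.2.10
198.51.100.0/24
192.0.2.10
203.0.113.7   # trailing comment
10.0.0.5
0.0.0.0/0
not-an-ip
2001:db8::/32
"""


def parse_blocklist(text):
    """Return (sorted unique networks, [(entry, reason)] for refused entries)."""
    accepted, rejected = set(), []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected.append((entry, "not an IP address or CIDR"))
            continue
        if net.prefixlen < MIN_PREFIX[net.version]:
            rejected.append((entry, "range too broad"))
        elif any(net.version == p.version and net.overlaps(p) for p in NEVER_BLOCK):
            rejected.append((entry, "overlaps a protected network"))
        else:
            accepted.add(net)
    ordered = sorted(accepted, key=lambda n: (n.version, n.network_address, n.prefixlen))
    return ordered, rejected


def render_block(networks):
    """Render the managed section: allow everyone except the listed addresses."""
    lines = [BEGIN, "<RequireAll>", "    Require all granted"]
    for net in networks:
        target = str(net.network_address) if net.num_addresses == 1 else str(net)
        lines.append(f"    Require not ip {target}")
    return "\n".join(lines + ["</RequireAll>", END]) + "\n"


def merge_htaccess(existing, block):
    """Replace the managed section in existing text, or append it if absent."""
    lines = existing.splitlines()
    if BEGIN in lines and END in lines and lines.index(BEGIN) < lines.index(END):
        start, stop = lines.index(BEGIN), lines.index(END)
        return "\n".join(lines[:start] + block.splitlines() + lines[stop + 1:]) + "\n"
    if BEGIN in lines or END in lines:
        raise ValueError("unbalanced blocklist markers; fix the file by hand")
    prefix = existing if existing.endswith("\n") or not existing else existing + "\n"
    return prefix + block


def write_atomic(path, content):
    """Write via a temp file and rename so httpd never reads a half-written file."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)),
                               prefix=".htaccess.")
    try:
        with os.fdopen(fd, "w") as handle:
            handle.write(content)
        os.chmod(tmp, 0o644)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


def update_htaccess(path, feed_text):
    """Apply a feed to path; an empty or fully refused feed leaves it untouched."""
    networks, rejected = parse_blocklist(feed_text)
    if not networks:
        raise ValueError("feed produced no usable entries; keeping the old file")
    existing = ""
    if os.path.exists(path):
        with open(path) as handle:
            existing = handle.read()
    write_atomic(path, merge_htaccess(existing, render_block(networks)))
    return networks, rejected


if __name__ == "__main__":
    nets, refused = parse_blocklist(SAMPLE_FEED)
    print(render_block(nets), end="")
    for entry, reason in refused:
        print(f"refused {entry}: {reason}")
```

`Require` in an .htaccess file needs `AllowOverride AuthConfig`, and other top-level `Require` lines in the same file are combined with the managed section as alternatives, so keep any further authorization rules inside the `<RequireAll>` section.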


Re: [users@httpd] Improve memory use [EXT]

2021-06-15 Thread Marc Serra
Thanks James,

99% of the hosted content is static. I think it's time to migrate to MPM
event.

Thanks again.

Message from James Smith on Mon, 14 June 2021 at 11:21:

> Yes the answer is almost certainly to do with the number of domains/size
> of code – even if all the sites are running the same code – they are likely
> to have different copies of it (unless they are all running the exact same
> copy of the code – and using a name based switch somewhere in it) There may
> be better ways of handling this – having 800 PHP children is not ideal –
> look at ways of using static servers if you can e.g.
>
>    - you may be able to sit another apache in front of this one to handle
>      the static requests {using the event mpm} and use this one to serve PHP
>      code;
>    - or move this to mpm event model and use one of the fcgi wrappers for
>      PHP {mileage may vary on this if you have a large number of PHP code
>      bases};
>
>
>
> *From:* Marc Serra 
> *Sent:* 14 June 2021 10:08
> *To:* users@httpd.apache.org
> *Subject:* [users@httpd] Improve memory use [EXT]
>
>
>
> Hi again,
>
> I got an old Ubuntu server 16.04 with apache 2.4.18 serving 140 different
> domains.
>
> The server has 8 vCPUs and 16GB of memory. It's a virtual server hosted in
> Digital Ocean.
>
> As you can see above, the average memory use per apache process is 93MB.
>
> It's possible to improve that? If not, why is so much memory used? In
> other servers with similar configurations but with fewer hosted domains and
> low resources (see at the bottom of this email), the memory usage is much
> lower. Is it due precisely to the number of domains hosted? If not, what?
>
> Sorry to insist on the memory used by each apache process, but I need to
> improve it (if it's possible).
>
> # ls /etc/apache2/sites-enabled/|grep -v ssl |wc
> 140
>
> # cat /etc/issue
> Ubuntu 16.04.6 LTS
>
> # apache2 -V
> Server version: Apache/2.4.18 (Ubuntu)
> Server built:   2019-10-08T13:31:25
> Server's Module Magic Number: 20120211:52
> Server loaded:  APR 1.5.2, APR-UTIL 1.5.4
> Compiled using: APR 1.5.2, APR-UTIL 1.5.4
> Architecture:   64-bit
> Server MPM: prefork
>   threaded: no
> forked: yes (variable process count)
> Server compiled with
>  -D APR_HAS_SENDFILE
>  -D APR_HAS_MMAP
>  -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
>  -D APR_USE_SYSVSEM_SERIALIZE
>  -D APR_USE_PTHREAD_SERIALIZE
>  -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
>  -D APR_HAS_OTHER_CHILD
>  -D AP_HAVE_RELIABLE_PIPED_LOGS
>  -D DYNAMIC_MODULE_LIMIT=256
>  -D HTTPD_ROOT="/etc/apache2"
>  -D SUEXEC_BIN="/usr/lib/apache2/suexec"
>  -D DEFAULT_PIDLOG="/var/run/apache2.pid"
>  -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
>  -D DEFAULT_ERRORLOG="logs/error_log"
>  -D AP_TYPES_CONFIG_FILE="mime.types"
>  -D SERVER_CONFIG_FILE="apache2.conf"
>
> # apache2 -M
> Loaded Modules:
>  core_module (static)
>  so_module (static)
>  watchdog_module (static)
>  http_module (static)
>  log_config_module (static)
>  logio_module (static)
>  version_module (static)
>  unixd_module (static)
>  access_compat_module (shared)
>  alias_module (shared)
>  auth_basic_module (shared)
>  authn_core_module (shared)
>  authn_file_module (shared)
>  authz_core_module (shared)
>  authz_host_module (shared)
>  authz_user_module (shared)
>  autoindex_module (shared)
>  deflate_module (shared)
>  dir_module (shared)
>  env_module (shared)
>  expires_module (shared)
>  filter_module (shared)
>  headers_module (shared)
>  mime_module (shared)
>  mpm_prefork_module (shared)
>  negotiation_module (shared)
>  php7_module (shared)
>  rewrite_module (shared)
>  setenvif_module (shared)
>  socache_shmcb_module (shared)
>  ssl_module (shared)
>  status_module (shared)
>
> Relevant part of /etc/apache2/apache2.conf ...
> 
> ServerLimit 800
> StartServers10
> MinSpareServers 200
> MaxSpareServers 400
> MaxRequestWorkers   800
> MaxConnectionsPerChild  1
> 
>
> # free -m
>               total        used        free      shared  buff/cache   available
> Mem:          16046        7198         496         232        8351        8187
> Swap:          4095         243        3852
>
> # ps aux | grep apache
> root  1204  0.0  0.2 431016 47312 ?Ss   May04   7:43
> /usr/sbin/apache2 -k start
> www-data  4778  0.0  0.4 531744 77132 ?S09:00   0:03
> /usr/sbin/apache2 -k start
> www-data 11661  0.1  0.3 518652 57868 ?S

[users@httpd] Improve memory use

2021-06-14 Thread Marc Serra
  S07:09   0:21
/usr/sbin/apache2 -k start
www-data 28566  0.0  0.4 525804 80060 ?S07:09   0:05
/usr/sbin/apache2 -k start
www-data 28567  0.1  0.5 522436 86684 ?S07:09   0:17
/usr/sbin/apache2 -k start
www-data 28568  0.0  0.7 559216 116156 ?   S07:09   0:11
/usr/sbin/apache2 -k start
www-data 28569  0.1  0.5 531404 94140 ?S07:09   0:14
/usr/sbin/apache2 -k start
www-data 28570  0.1  0.4 519344 74340 ?S07:09   0:15
/usr/sbin/apache2 -k start








An example of a very similar server with very similar apache configuration
but with less domains (6). The average memory used are 27MB ...


# ls /etc/apache2/sites-enabled/|grep -v ssl  |wc
  6   6 148

# ps aux|grep apache
www-data   936  0.0  1.4 414692 14272 ?S10:55   0:00
/usr/sbin/apache2 -k start
www-data   937  0.1  2.1 423736 21900 ?S10:55   0:00
/usr/sbin/apache2 -k start
www-data   941  0.0  1.0 414328 10244 ?S10:55   0:00
/usr/sbin/apache2 -k start
www-data   943  0.0  2.8 500268 29376 ?S10:55   0:00
/usr/sbin/apache2 -k start
root 21633  0.0  3.1 414296 32304 ?Ss   May04   1:46
/usr/sbin/apache2 -k start
www-data 28923  0.0  3.1 500432 31840 ?S06:30   0:00
/usr/sbin/apache2 -k start
www-data 28924  0.0  3.1 500392 32264 ?S06:30   0:00
/usr/sbin/apache2 -k start
www-data 28925  0.0  3.1 500412 31756 ?S06:30   0:00
/usr/sbin/apache2 -k start
www-data 28926  0.0  3.2 500324 33124 ?S06:30   0:00
/usr/sbin/apache2 -k start
www-data 29160  0.0  3.2 500456 33184 ?S06:41   0:00
/usr/sbin/apache2 -k start
www-data 29612  0.0  3.5 504596 35632 ?S06:47   0:00
/usr/sbin/apache2 -k start

# apache2 -M
Loaded Modules:
 core_module (static)
 so_module (static)
 watchdog_module (static)
 http_module (static)
 log_config_module (static)
 logio_module (static)
 version_module (static)
 unixd_module (static)
 access_compat_module (shared)
 alias_module (shared)
 auth_basic_module (shared)
 authn_core_module (shared)
 authn_file_module (shared)
 authz_core_module (shared)
 authz_host_module (shared)
 authz_user_module (shared)
 autoindex_module (shared)
 deflate_module (shared)
 dir_module (shared)
 env_module (shared)
 expires_module (shared)
 filter_module (shared)
 headers_module (shared)
 mime_module (shared)
 mpm_prefork_module (shared)
 negotiation_module (shared)
 php7_module (shared)
 rewrite_module (shared)
 setenvif_module (shared)
 socache_shmcb_module (shared)
 ssl_module (shared)
 status_module (shared)

# cat /etc/issue
Ubuntu 16.04.6 LTS

# apache2 -V
Server version: Apache/2.4.18 (Ubuntu)
Server built:   2019-10-08T13:31:25
Server's Module Magic Number: 20120211:52
Server loaded:  APR 1.5.2, APR-UTIL 1.5.4
Compiled using: APR 1.5.2, APR-UTIL 1.5.4
Architecture:   64-bit
Server MPM: prefork
  threaded: no
forked: yes (variable process count)
Server compiled with
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=256
 -D HTTPD_ROOT="/etc/apache2"
 -D SUEXEC_BIN="/usr/lib/apache2/suexec"
 -D DEFAULT_PIDLOG="/var/run/apache2.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="mime.types"
 -D SERVER_CONFIG_FILE="apache2.conf"


Thanks

-- 
Marc Serra
Organització i Sistemes


Re: [users@httpd] Is ServerLimit 256 in prefork mode somehow hardcoded?

2021-06-01 Thread Marc Serra
https://httpd.apache.org/docs/2.4/en/mod/mpm_common.html#serverlimit

There is a hard limit of ServerLimit 2 compiled into the server (for
the prefork MPM 20). This is intended to avoid nasty effects caused by
typos. To increase it even further past this limit, you will need to modify
the value of MAX_SERVER_LIMIT in the mpm source file and rebuild the server.

Message from Alois Treindl on Tue, 1 June 2021 at 11:02:

> I am using Apache on RHEL 7 since along time.
> httpd-2.4.6-97.el7_9.x86_64
>
> I use it with mod_mpm_prefork module, the default on Redhat.
>
> I see, shortly after startup, messages in errorlog like
> AH00161: server reached MaxRequestWorkers setting, consider raising the
> MaxRequestWorkers setting
>
> I have tried to do that
> 
> StartServers  20
> MinSpareServers   10
> MaxSpareServers   20
> ServerLimit   512
> MaxRequestWorkers 512
> MaxConnectionsPerChild  1
> 
>
> I also tried much higher values of ServerLimit and MaxRequestWorkers, like
> 6400 or 30'000
>
> It makes no difference, the error message appears.
>
> In server-status, I always see four lines of 64 servers, i.e. a total of
> 256 servers shown, like this:
>
> .R_R_RKCCC_C..R_RRRKRRCC.R_CCKRKRKC.KRKR_R.__RKCRRRK
> .KKRWRC_R_RCRRCKR_KRKKRRRKRC.C_RRRKR_C.K
> 
> 
>
> How can I get beyond these 256 servers?
>
> The machine has 64 cores, and 132 Gb RAM.
>
> I know that I can switch to mod_mpm_event, but before I go that way, I
> would like to know why I cannot more than 256 servers in prefork mode.
>
>
> - To
> unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional
> commands, e-mail: users-h...@httpd.apache.org



-- 
Marc Serra
Organització i Sistemes



Re: [users@httpd] Poor Load Balancer performance

2021-05-27 Thread Marc Serra
Thanks for your reply, Eric.

> if you have thousands of connections you need to have more servers and
> then a balancer will help spreading the load (not increasing performance)
> among all the servers, or add bigger figures to your mpm settings in your
> single server (if the hardware will be able to cope with it).
>
> If you have thousands of connections and just 800 workers, then it is
> logical that it clogs.
>
> Supposing 800 connections would be enough for peaks if you want no
> clogging with prefork because load is quite variable it is better to
> specify a higher minspareservers value (more workers readily available, not
> have to be spawned, less cpu usage because less processes have to be
> spawned).
>
> I would try to go for event asap though, much better to have to spawn 8
> processes with 100 threads than 800 processes.
>

Daniel, after your words, I think it's important to move to event too. I
will take a look. Thanks.



Re: [users@httpd] Poor Load Balancer performance

2021-05-27 Thread Marc Serra
Thanks Eric, I understand.

But if by configuring a load balancer I'm adding another hop and reducing the
performance, it seems that is not the best way to improve this performance,
correct?

As I explained before, it's only a test setup before moving to a real
environment.

Now I have a single server (8 cores, 32GB RAM with prefork) and the
following apache tuning. In some moments, I have thousands of concurrent
connections that collapse the server and I thought the best way to fix this
was by setting up a load balancer. Isn't it?

ServerLimit 800
StartServers 10
MinSpareServers 200
MaxSpareServers 400
MaxRequestsWorkers 800
MaxConnectionsPerChild 1

Message from Eric Covener on Thu, 27 May 2021 at 13:15:

> On Thu, May 27, 2021 at 7:06 AM Marc Serra  wrote:
> > I have inverted the results! I'm sorry!
>
> I see -- I think this is a case where you aren't taxing either backend
> and you've just added another hop.
> This is probably especially true when testing static files.
>

-- 
Marc Serra
Organització i Sistemes



Re: [users@httpd] Poor Load Balancer performance

2021-05-27 Thread Marc Serra
Oh shit! copy/paste error!!!

I have inverted the results! I'm sorry!

the real ones...

Results when I run 'ab  -k -n 1 -c 1000 http://vm_host_ip_address:8010/'
with NO balancer configured...
 Finished 1 requests
 Server Software:        Apache/2.4.41
 Server Hostname:        192.168.68.210
 Server Port:            8010
 Document Path:          /
 Document Length:        97098 bytes
 Concurrency Level:      1000
 Time taken for tests:   15.527 seconds
 Complete requests:      1
 Failed requests:        834
    (Connect: 0, Receive: 0, Length: 834, Exceptions: 0)
 Keep-Alive requests:    9166
 Total transferred:      892851836 bytes
 HTML transferred:       89268 bytes
 Requests per second:    644.04 [#/sec] (mean)
 Time per request:       1552.701 [ms] (mean)
 Time per request:       1.553 [ms] (mean, across all concurrent requests)
 Transfer rate:          56155.42 [Kbytes/sec] received
 Connection Times (ms)
               min  mean[+/-sd] median   max
 Connect:        0   22 146.6      0    1038
 Processing:     0  657 1668.1    122   13453
 Waiting:        0  752 1883.8    121   13453
 Total:          0  679 1763.1    122   14476
 Percentage of the requests served within a certain time (ms)
   50%    122
   66%    234
   75%    330
   80%    402
   90%   1657
   95%   4987
   98%   7221
   99%   8733
  100%  14476 (longest request)
 Finished 1 requests



Results when I run 'ab  -k -n 1 -c 1000 http://vm_host_ip_address:8010/'
with (YES) balancer...
 Finished 1 requests
 Server Software:        Apache/2.4.41
 Server Hostname:        192.168.68.210
 Server Port:            8010
 Document Path:          /
 Document Length:        97098 bytes
 Concurrency Level:      1000
 Time taken for tests:   24.029 seconds
 Complete requests:      1
 Failed requests:        5526
    (Connect: 0, Receive: 0, Length: 5526, Exceptions: 0)
 Keep-Alive requests:    8938
 Total transferred:      870844342 bytes
 HTML transferred:       868062523 bytes
 Requests per second:    416.16 [#/sec] (mean)
 Time per request:       2402.908 [ms] (mean)
 Time per request:       2.403 [ms] (mean, across all concurrent requests)
 Transfer rate:          35391.87 [Kbytes/sec] received
 Connection Times (ms)
               min  mean[+/-sd] median   max
 Connect:        0   22 144.2      0    1039
 Processing:     0 1087 2291.1    451   18504
 Waiting:        0 1207 2615.1    426   18470
 Total:          0 1109 2372.3    451   19514
 Percentage of the requests served within a certain time (ms)
   50%    451
   66%    585
   75%    678
   80%    764
   90%   1868
   95%   7315
   98%  10098
   99%  11156
  100%  19514 (longest request)
 Finished 1 requests

Message from Eric Covener on Thu, 27 May 2021 at 12:51:

> On Thu, May 27, 2021 at 6:22 AM Marc Serra  wrote:
>
>> I got better performance without the load balancer.
>>
>
>
>> Results when I run 'ab  -k -n 1 -c 1000
>> http://vm_host_ip_address:8010/' with no balancer...
>>  Requests per second:416.16 [#/sec] (mean)
>>  Transfer rate:  35391.87 [Kbytes/sec] received
>>
>
>
>
>> Results when I run 'ab  -k -n 1 -c 1000
>> http://vm_host_ip_address:8010/' with balancer configured...
>>  Requests per second:644.04 [#/sec] (mean)
>>  Transfer rate:  56155.42 [Kbytes/sec] received
>>
>
>
> It doesn't look like the no-proxy case did better.  Which metric were you
> looking at?
>
> + a few cautions:
> - If you aren't taxing the system beyond what a single backend could
> handle, it can easily be slower by adding a proxy.
> - A layer 7 proxy can easily be more overhead than a basic VIP / LB / IP
> sprayer if there's nothing actually being offloaded in the proxy.
>
>


-- 
Marc Serra
Organització i Sistemes


[users@httpd] Poor Load Balancer performance

2021-05-27 Thread Marc Serra
 ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined







Results when I run 'ab  -k -n 1 -c 1000 http://vm_host_ip_address:8010/'
with balancer configured...
 Finished 1 requests
 Server Software:        Apache/2.4.41
 Server Hostname:        192.168.68.210
 Server Port:            8010
 Document Path:          /
 Document Length:        97098 bytes
 Concurrency Level:      1000
 Time taken for tests:   15.527 seconds
 Complete requests:      1
 Failed requests:        834
    (Connect: 0, Receive: 0, Length: 834, Exceptions: 0)
 Keep-Alive requests:    9166
 Total transferred:      892851836 bytes
 HTML transferred:       89268 bytes
 Requests per second:    644.04 [#/sec] (mean)
 Time per request:       1552.701 [ms] (mean)
 Time per request:       1.553 [ms] (mean, across all concurrent requests)
 Transfer rate:          56155.42 [Kbytes/sec] received
 Connection Times (ms)
               min  mean[+/-sd] median   max
 Connect:        0   22 146.6      0    1038
 Processing:     0  657 1668.1    122   13453
 Waiting:        0  752 1883.8    121   13453
 Total:          0  679 1763.1    122   14476
 Percentage of the requests served within a certain time (ms)
   50%    122
   66%    234
   75%    330
   80%    402
   90%   1657
   95%   4987
   98%   7221
   99%   8733
  100%  14476 (longest request)
 Finished 1 requests



I replaced the apache vhost config file with...


BalancerMember http://vm_host_ip_address:8011
BalancerMember http://vm_host_ip_address:8012

ProxyPreserveHost On
ProxyPass / balancer://mycluster/
ProxyPassReverse / balancer://mycluster/




The index.html file is a 90KB plain text file for both node1 and node2

Am I missing something?

Is the problem the way VirtualBox handles this network configuration, and in
the real world the results would be different?


-- 
Marc Serra



Re: [users@httpd] Why so much difference in memory used per process in apache2 between two different systems

2021-05-17 Thread Marc Serra
Thanks Daniel,

> The list of modules is different. I don't think you can compare event and
> prefork servers as if they should behave the same, even more if you have a
> different list of modules. Consider in prefork each process is a worker,
> while on event processes are not workers, but threads of each process.
> In order to compare fairly you have to use the same modules, same load,
> similar resulting mpm settings and compare the total usage, still your
> biggest concern unless you have a faulty module mostly will be CPU.
> Also consider there are some different modules in each case too, some are
> third party modules.

As I already commented on my answer to Dino, I didn’t really think a module
would cause this change in memory usage, which is why I haven’t dedicated
myself to disabling them one by one. But I was clearly wrong. Thank you
again too!



Re: [users@httpd] Why so much difference in memory used per process in apache2 between two different systems

2021-05-17 Thread Marc Serra
Thanks for the answer, Yann,

> MPM prefork is single threaded, while MPM event uses multiple threads,
> and each thread "consumes" 8MB of rss (for its stack) on a typical
> linux system.
> The default thread stack size can be changed with "ulimit -s" (or
> LimitSTACK= on systemd), depending on the loaded modules and their
> stack "consumption".
> I usually run httpd with "ulimit -s 512" (KB) without issues, but this
> needs testing in your environment (i.e. no crash)..


The ulimit command is new to me; I will take a look in the near future.



Re: [users@httpd] Why so much difference in memory used per process in apache2 between two different systems

2021-05-17 Thread Marc Serra
Wow! The memory eater was security2 ...

With the module enabled (120-160MB per process) ...
# ps axo 'user rss cmd' | grep apache | grep -v "\(root\|grep\|tomcat\)"
www-data 121232 /usr/sbin/apache2 -k start
www-data 120596 /usr/sbin/apache2 -k start
www-data 156816 /usr/sbin/apache2 -k start
www-data 162668 /usr/sbin/apache2 -k start

With the module disabled (9-15MB per process) ...
# a2dismod security2
Module security2 disabled.
To activate the new configuration, you need to run:
  systemctl restart apache2
# systemctl restart apache2
# ps axo 'user rss cmd' | grep apache | grep -v "\(root\|grep\|tomcat\)"
www-data 10340 /usr/sbin/apache2 -k start
www-data  9764 /usr/sbin/apache2 -k start
www-data 14164 /usr/sbin/apache2 -k start
www-data 14220 /usr/sbin/apache2 -k start

Thanks for your answer, Dino. That's enough for me.

I didn’t really think a module would cause this change in memory usage,
which is why I haven’t dedicated myself to disabling them one by one. But I
was clearly wrong. Thank you again.

For your information, my problem was to understand why there is so much
difference between two systems, because I want to optimize some parameters
like: ServerLimit, StartServers, MinSpareServers, MaxSpareServers,
MaxClients and MaxRequestsPerChild

I need to know the memory used per each Apache process to find
the MaxClients value.

Message from Dino Ciuffetti on Mon, 17 May 2021 at 14:54:
>
> Try to comment out mod_security, it's a module that uses enough memory.
> Also on server2 there are modules not loaded on server1. BTW what's your
> problem? Your server is plenty of ram and RSS memory is not creating any
> problem. Right?
>
>
> 17 May 2021 13:34, "Marc Serra" wrote:
>
> Hi to all,
> I already posted this question to stackoverflow.com but no answer after 9
> days:
> https://stackoverflow.com/questions/67439771/why-so-much-difference-in-memory-used-per-process-in-apache2-between-two-differe
> I hope the apache gurus in this list can help me :)
> I have a pair of Ubuntu dedicated servers...
>
> Server1:
> Ubuntu 16.04.7 (64 bits)
> 16GB RAM
> 8 Xeon CPU
> Apache 2.4.18
> MPM mode: prefork
>
> Server2:
> Ubuntu server 20.04.2 (64 bits)
> 32GB RAM
> 8 Xeon CPU
> 2.4.41
> MPM mode: event
>
> On Server1, each apache2 process uses between 7MB and 18MB of RAM ...
> # ps axo 'user rss cmd' | grep apache | grep -v "\(root\|grep\|tomcat\)"
> www-data 18232 /usr/sbin/apache2 -k start
> www-data 11700 /usr/sbin/apache2 -k start
> www-data 11276 /usr/sbin/apache2 -k start
> www-data 10792 /usr/sbin/apache2 -k start
> www-data 11216 /usr/sbin/apache2 -k start
> www-data 11600 /usr/sbin/apache2 -k start
> www-data 10336 /usr/sbin/apache2 -k start
> www-data 11356 /usr/sbin/apache2 -k start
> www-data 11348 /usr/sbin/apache2 -k start
> www-data 10980 /usr/sbin/apache2 -k start
> www-data 11316 /usr/sbin/apache2 -k start
> www-data 6808 /usr/sbin/apache2 -k start
>
> On Server2, each apache2 process uses between 120MB and 130MB of RAM ...
> # ps axo 'user rss cmd' | grep apache | grep -v "\(root\|grep\|tomcat\)"
> www-data 120436 /usr/sbin/apache2 -k start
> www-data 119784 /usr/sbin/apache2 -k start
> www-data 128720 /usr/sbin/apache2 -k start
> www-data 130208 /usr/sbin/apache2 -k start
>
> Why so much difference in memory used?
>
> After reading some documentation and googling, I thought about loaded
> modules, but there is not a lot of difference between each server...
>
> Server1
> # apache2 -M
> Loaded Modules:
> core_module (static)
> so_module (static)
> watchdog_module (static)
> http_module (static)
> log_config_module (static)
> logio_module (static)
> version_module (static)
> unixd_module (static)
> access_compat_module (shared)
> actions_module (shared)
> alias_module (shared)
> auth_basic_module (shared)
> auth_digest_module (shared)
> auth_openidc_module (shared)
> authn_core_module (shared)
> authn_file_module (shared)
> authz_core_module (shared)
> authz_host_module (shared)
> authz_user_module (shared)
> autoindex_module (shared)
> bw_module (shared)
> cgi_module (shared)
> dav_module (shared)
> dav_fs_module (shared)
> dav_lock_module (shared)
> deflate_module (shared)
> dir_module (shared)
> env_module (shared)
> expires_module (shared)
> fcgid_module (shared)
> filter_module (shared)
> headers_module (shared)
> include_module (shared)
> mime_module (shared)
> mpm_prefork_module (shared)
> negotiation_module (shared)
> proxy_module (shared)
> proxy_balancer_module (shared)
> proxy_fcgi_module (shared)
> proxy_http_module (shared)
> rewrite_module (shared)
> setenvif_module (shared)
> slotmem_shm_module (shared)
> socache_shmcb_module (shared)
> ssl_modu
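
The sizing step described in this message (per-process memory to a MaxClients / MaxRequestWorkers value), as an added example that is not part of the original post. It assumes prefork (one request per process) and an assumed 4 GiB reserved for everything other than Apache; the RSS samples are the Server2 figures posted above, and the function names are hypothetical.

```python
"""Estimate a prefork MaxRequestWorkers ceiling from `ps axo 'user rss cmd'` output."""

# ps output for Server2 as posted in the thread (RSS is in KiB).
PS_WITH_SECURITY2 = """\
www-data 121232 /usr/sbin/apache2 -k start
www-data 120596 /usr/sbin/apache2 -k start
www-data 156816 /usr/sbin/apache2 -k start
www-data 162668 /usr/sbin/apache2 -k start
"""
PS_WITHOUT_SECURITY2 = """\
www-data 10340 /usr/sbin/apache2 -k start
www-data  9764 /usr/sbin/apache2 -k start
www-data 14164 /usr/sbin/apache2 -k start
www-data 14220 /usr/sbin/apache2 -k start
"""


def parse_rss_kib(ps_output, user="www-data", binary="apache2"):
    """Return the RSS (KiB) of every process owned by `user` running `binary`."""
    rss = []
    for line in ps_output.splitlines():
        fields = line.split(None, 2)          # user, rss, full command line
        if len(fields) != 3:
            continue                          # blank or truncated line
        owner, value, cmd = fields
        if owner != user or not value.isdigit():
            continue                          # header line, root parent, other users
        if binary not in cmd.split()[0]:
            continue                          # e.g. the grep process itself
        rss.append(int(value))
    return rss


def worker_ceiling(rss_kib, ram_mib, reserved_mib):
    """Largest worker count that fits in RAM if every child reaches the peak RSS seen.

    Sizing on the peak rather than the mean keeps the host out of swap when
    all children are busy. RSS counts shared pages once per process, so the
    result errs on the low side.
    """
    if not rss_kib:
        raise ValueError("no matching processes in ps output")
    budget_kib = (ram_mib - reserved_mib) * 1024
    if budget_kib <= 0:
        raise ValueError("reserved memory exceeds total RAM")
    return budget_kib // max(rss_kib)


def compare(ram_mib=32 * 1024, reserved_mib=4 * 1024):
    """Ceiling with and without mod_security2 on the 32 GB Server2.

    reserved_mib (OS, other services, page cache) is an assumed figure.
    """
    result = {}
    for label, sample in (("security2 on", PS_WITH_SECURITY2),
                          ("security2 off", PS_WITHOUT_SECURITY2)):
        rss = parse_rss_kib(sample)
        result[label] = {
            "processes": len(rss),
            "mean_mib": round(sum(rss) / len(rss) / 1024, 1),
            "peak_mib": round(max(rss) / 1024, 1),
            "max_request_workers": worker_ceiling(rss, ram_mib, reserved_mib),
        }
    return result


if __name__ == "__main__":
    for label, stats in compare().items():
        print(label, stats)
```

With the WAF module loaded the budget covers far fewer workers, so the limit has to be sized for the configuration that will actually run in production.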

[users@httpd] Why so much difference in memory used per process in apache2 between two different systems

2021-05-17 Thread Marc Serra
Hi to all,

I already posted this question to stackoverflow.com but no answer after 9
days:
https://stackoverflow.com/questions/67439771/why-so-much-difference-in-memory-used-per-process-in-apache2-between-two-differe

I hope the apache gurus in this list can help me :)

I have a pair of Ubuntu dedicated servers...

Server1:
Ubuntu 16.04.7 (64 bits)
16GB RAM
8 Xeon CPU
Apache 2.4.18
MPM mode: prefork

Server2:
Ubuntu server 20.04.2 (64 bits)
32GB RAM
8 Xeon CPU
2.4.41
MPM mode: event

On Server1, each apache2 process uses between 7MB and 18MB of RAM ...
# ps axo 'user rss cmd' | grep apache | grep -v "\(root\|grep\|tomcat\)"
www-data 18232 /usr/sbin/apache2 -k start
www-data 11700 /usr/sbin/apache2 -k start
www-data 11276 /usr/sbin/apache2 -k start
www-data 10792 /usr/sbin/apache2 -k start
www-data 11216 /usr/sbin/apache2 -k start
www-data 11600 /usr/sbin/apache2 -k start
www-data 10336 /usr/sbin/apache2 -k start
www-data 11356 /usr/sbin/apache2 -k start
www-data 11348 /usr/sbin/apache2 -k start
www-data 10980 /usr/sbin/apache2 -k start
www-data 11316 /usr/sbin/apache2 -k start
www-data  6808 /usr/sbin/apache2 -k start


On Server2, each apache2 process uses between 120MB and 130MB of RAM ...
# ps axo 'user rss cmd' | grep apache | grep -v "\(root\|grep\|tomcat\)"
www-data 120436 /usr/sbin/apache2 -k start
www-data 119784 /usr/sbin/apache2 -k start
www-data 128720 /usr/sbin/apache2 -k start
www-data 130208 /usr/sbin/apache2 -k start


Why so much difference in memory used?

After reading some documentation and googling, I thought about loaded
modules, but there is not a lot of difference between each server...

Server1
# apache2 -M
Loaded Modules:
 core_module (static)
 so_module (static)
 watchdog_module (static)
 http_module (static)
 log_config_module (static)
 logio_module (static)
 version_module (static)
 unixd_module (static)
 access_compat_module (shared)
 actions_module (shared)
 alias_module (shared)
 auth_basic_module (shared)
 auth_digest_module (shared)
 auth_openidc_module (shared)
 authn_core_module (shared)
 authn_file_module (shared)
 authz_core_module (shared)
 authz_host_module (shared)
 authz_user_module (shared)
 autoindex_module (shared)
 bw_module (shared)
 cgi_module (shared)
 dav_module (shared)
 dav_fs_module (shared)
 dav_lock_module (shared)
 deflate_module (shared)
 dir_module (shared)
 env_module (shared)
 expires_module (shared)
 fcgid_module (shared)
 filter_module (shared)
 headers_module (shared)
 include_module (shared)
 mime_module (shared)
 mpm_prefork_module (shared)
 negotiation_module (shared)
 proxy_module (shared)
 proxy_balancer_module (shared)
 proxy_fcgi_module (shared)
 proxy_http_module (shared)
 rewrite_module (shared)
 setenvif_module (shared)
 slotmem_shm_module (shared)
 socache_shmcb_module (shared)
 ssl_module (shared)
 status_module (shared)
 suexec_module (shared)
 userdir_module (shared)

Server2
# apache2 -M
Loaded Modules:
 core_module (static)
 so_module (static)
 watchdog_module (static)
 http_module (static)
 log_config_module (static)
 logio_module (static)
 version_module (static)
 unixd_module (static)
 access_compat_module (shared)
 aclr_module (shared)
 actions_module (shared)
 alias_module (shared)
 auth_basic_module (shared)
 auth_digest_module (shared)
 auth_openidc_module (shared)
 authn_core_module (shared)
 authn_file_module (shared)
 authz_core_module (shared)
 authz_host_module (shared)
 authz_user_module (shared)
 autoindex_module (shared)
 cgid_module (shared)
 dav_module (shared)
 dav_fs_module (shared)
 dav_lock_module (shared)
 deflate_module (shared)
 dir_module (shared)
 env_module (shared)
 fcgid_module (shared)
 filter_module (shared)
 headers_module (shared)
 include_module (shared)
 mime_module (shared)
 mpm_event_module (shared)
 negotiation_module (shared)
 proxy_module (shared)
 proxy_balancer_module (shared)
 proxy_fcgi_module (shared)
 proxy_http_module (shared)
 remoteip_module (shared)
 reqtimeout_module (shared)
 rewrite_module (shared)
 security2_module (shared)
 setenvif_module (shared)
 slotmem_shm_module (shared)
 socache_shmcb_module (shared)
 ssl_module (shared)
 status_module (shared)
 suexec_module (shared)
 unique_id_module (shared)
 userdir_module (shared)


I already changed MPM mode from Event to Prefork on Server2, with the same
results.

What else can I check to understand this difference?

Thanks!


Re: [users@httpd] Re: RemoteIPProxyProtocolExceptions with negated IP list

2020-05-13 Thread Marc Haber
On Sun, May 10, 2020 at 01:57:31PM -0400, Eric Covener wrote:
> On Sun, May 10, 2020 at 12:55 PM Marc Haber
>  wrote:
> >
> > On Fri, May 08, 2020 at 01:16:28PM +0200, Marc Haber wrote:
> > > Is it possible to have a negated IP address list in
> > > RemoteIPProxyProtocolExceptions? I think that I cannot use SetEnvIf at
> > > this point because the ProxyProtocol processing happens way before any
> > > http processing begins.
> >
> > After pondering about this a bit, I would like to file an enhancement
> > suggestion that the configuration options of mod_remoteip get somewhat
> > canonicalized in the way that both methods offered by mod_remoteip get a
> > positive _AND_ a negative exception list from the default behavior.
> >
> > As this is not a bug, how do the apache devs accept enhancement
> > suggestions? Is that handled via the bug tracker as well or is there
> > another point of contact for enhancement requests?
> 
> You can mark a bugzilla entry as an enhancement.

https://bz.apache.org/bugzilla/show_bug.cgi?id=64433

Thanks for all your help.

Greetings
Marc

-- 
-
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany|  lose things."Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421




[users@httpd] Re: RemoteIPProxyProtocolExceptions with negated IP list

2020-05-10 Thread Marc Haber
On Fri, May 08, 2020 at 01:16:28PM +0200, Marc Haber wrote:
> Is it possible to have a negated IP address list in
> RemoteIPProxyProtocolExceptions? I think that I cannot use SetEnvIf at
> this point because the ProxyProtocol processing happens way before any
> http processing begins.

After pondering about this a bit, I would like to file an enhancement
suggestion that the configuration options of mod_remoteip get somewhat
canonicalized in the way that both methods offered by mod_remoteip get a
positive _AND_ a negative exception list from the default behavior.

As this is not a bug, how do the apache devs accept enhancement
suggestions? Is that handled via the bug tracker as well or is there
another point of contact for enhancement requests?

Greetings
Marc

-- 
-----
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany|  lose things."Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421
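
One way to approximate the negated list asked about above with the directive as it exists: list the complement of the trusted proxy address as the exceptions, so that only the proxy is expected to send a PROXY protocol header. This is an added example, not code from the thread or from httpd; the proxy address 2001:db8::10 is a constructed placeholder and the helper names are hypothetical.

```python
"""Build a RemoteIPProxyProtocolExceptions list that excepts everyone but the proxy."""
import ipaddress


def complement(trusted):
    """Return CIDR blocks covering every address outside `trusted`.

    `trusted` holds the addresses or networks (one IP family) that are
    allowed to send a PROXY protocol header.
    """
    nets = [ipaddress.ip_network(t, strict=False) for t in trusted]
    if not nets:
        raise ValueError("at least one trusted proxy address is required")
    if len({n.version for n in nets}) != 1:
        raise ValueError("build one list per address family")
    universe = ipaddress.ip_network("0.0.0.0/0" if nets[0].version == 4 else "::/0")
    remaining = [universe]
    # collapse_addresses() merges overlapping or adjacent entries, so each
    # trusted network sits inside exactly one remaining block.
    for net in ipaddress.collapse_addresses(nets):
        carved = []
        for block in remaining:
            if net.subnet_of(block):
                # Split the block around the trusted network and keep the rest.
                carved.extend(block.address_exclude(net))
            else:
                carved.append(block)
        remaining = carved
    return sorted(remaining)


def expects_proxy_header(peer, exceptions):
    """Emulate the exception check: True if `peer` must send a PROXY header."""
    addr = ipaddress.ip_address(peer)
    return not any(addr in block for block in exceptions)


def directive(trusted):
    """Render the exception list as a single configuration line."""
    blocks = complement(trusted)
    return "RemoteIPProxyProtocolExceptions " + " ".join(str(b) for b in blocks)


if __name__ == "__main__":
    # Constructed placeholder for the sniproxy host (documentation prefix).
    proxy = "2001:db8::10"
    blocks = complement([proxy])
    print(len(blocks), "exception blocks")
    print(proxy, "must send PROXY header:", expects_proxy_header(proxy, blocks))
    print("2001:db8::11 must send PROXY header:",
          expects_proxy_header("2001:db8::11", blocks))
    print(directive([proxy]))
```

A single IPv6 host yields 128 exception blocks, which is the verbosity a native negated list would avoid.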




Re: [users@httpd] RemoteIPProxyProtocolExceptions with negated IP list

2020-05-08 Thread Marc Haber
On Fri, May 08, 2020 at 03:15:23PM +0200, Antony Stone wrote:
> On Friday 08 May 2020 at 15:00:07, Marc Haber wrote:
> > On Fri, May 08, 2020 at 02:01:03PM +0200, Antony Stone wrote:
> > > On Friday 08 May 2020 at 13:16:28, Marc Haber wrote:
> > > > I have a vhost in a https-only IPv6-only setup and would like to make
> > > > the web site hosted there reachable from the IPv4 Internet.
> > > 
> > > Is the vhost capable of dealing with IPv4 queries if you can only manage
> > > to get them to the machine?
> > 
> > Yes, but I'd prefer having the setup IPv6 only. I only build IPv4 if
> > absolutely necessary.
> 
> To be honest I would have thought that "talking to a very large part of the 
> current Internet" is reasonably necessary :)

I would do it differently in an infrastructure project, but this is my
personal blog, somewhere between "engineering study" and "production".
And I know of at least one ISP who has built the datacenter in a quite
similar way.

Being reachable from the IPv4 internet is very well done with sniproxy,
it's just apache making this unnecessarily complicated by offering two
methods from the same module with the exception list backwards in one of
those two. I was hoping that somebody would explain _why_ the haproxy
protocol is implemented so differently from the http header method in
the very same module, and maybe I have missed something in the docs.

> Dual-stack I can quite understand, but attempting IPv6-only seems a bit too 
> far ahead of the game for my liking.
> 
> > I'd rather take the approach of having a dedicated apache listener for
> > the proxied requests than building more IPv4.
> 
> Okay, I just thought I'd offer an alternative possible solution.

The least evil solution seems to look different for different people,
although a solution inside apache would actually help the most.

Greetings
Marc

-- 
-
Marc Haber | "I don't trust Computers. They | Mail address in header
Leimen, Germany|  lose things."Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421




Re: [users@httpd] RemoteIPProxyProtocolExceptions with negated IP list

2020-05-08 Thread Marc Haber
On Fri, May 08, 2020 at 02:01:03PM +0200, Antony Stone wrote:
> On Friday 08 May 2020 at 13:16:28, Marc Haber wrote:
> > I have a vhost in a https-only IPv6-only setup and would like to make
> > the web site hosted there reachable from the IPv4 Internet.
> 
> Is the vhost capable of dealing with IPv4 queries if you can only manage to 
> get them to the machine?

Yes, but I'd prefer having the setup IPv6 only. I only build IPv4 if
absolutely necessary.

I'd rather take the approach of having a dedicated apache listener for
the proxied requests than building more IPv4.

Greetings
Marc

-- 
-----
Marc Haber | "I don't trust Computers. They | Mail address in header
Leimen, Germany|  lose things."Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421




[users@httpd] RemoteIPProxyProtocolExceptions with negated IP list

2020-05-08 Thread Marc Haber
Hi,

I have a vhost in a https-only IPv6-only setup and would like to make
the web site hosted there reachable from the IPv4 Internet. On a
dual-homed host, I have sniproxy that forwards requests coming in via
IPv4 over IPv6 depending on the SNI header. The web server is directly
reachable from the IPv6 Internet without proxy.

sniproxy can utilize the haproxy proxy protocol to forward the IPv4
address of the requesting client to the webserver. With the
RemoteIPProxyProtocol directive of mod_remoteip, apache can make sense
from that. So far so good.

With this option set, apache expects the proxy protocol on all
connections for the listener in question, making it unsuitable for
direct client connections. There is RemoteIPProxyProtocolExceptions,
which specifies IP addresses from where the proxy protocol is not
required. In the situation in question, I'd need "require proxy
protocol from the IP address of the proxy ONLY". If I set like 2000::/3
as Exceptions, the entire Internet could send me a wrong IP address.

This logic is completely backwards compared to the other mechanism for
X-Forwarded-For headers using RemoteIPInternalProxy, where I need to put
in a list of IP addresses that are allowed to send a client IP address.
Confusing.

Is it possible to have a negated IP address list in
RemoteIPProxyProtocolExceptions? I think that I cannot use SetEnvIf at
this point because the ProxyProtocol processing happens way before any
http processing begins.

I would like to avoid defining a dedicated listener for the sniproxy
mechanism.

Any ideas?

Greetings
Marc

-- 
-
Marc Haber | "I don't trust Computers. They | Mail address in header
Leimen, Germany|  lose things."Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421
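
The trust rule asked for in the message above ("require proxy protocol from the IP address of the proxy ONLY"), modelled as an added Python example. It is not part of the original post and not mod_remoteip code; the proxy address, the sample bytes and all function names are assumptions made for illustration.

```python
import ipaddress

# Assumption: the address sniproxy connects from (documentation prefix, not from the post).
TRUSTED_PROXIES = [ipaddress.ip_network("2001:db8:53::10/128")]
MAX_V1_LINE = 107  # longest PROXY protocol v1 line, CRLF included


class ProxyHeaderError(ValueError):
    """A peer that must send a PROXY v1 line did not send a valid one."""


def _port(text):
    # Digits only, so int() cannot accept signs, spaces or underscores.
    if not text.isdigit() or int(text) > 65535:
        raise ProxyHeaderError(f"bad port {text!r}")
    return int(text)


def parse_proxy_v1(data):
    """Return (client_ip, client_port, header_length); client_ip is None for UNKNOWN."""
    end = data.find(b"\r\n", 0, MAX_V1_LINE)
    if end == -1:
        raise ProxyHeaderError("no CRLF-terminated line within 107 bytes")
    try:
        fields = data[:end].decode("ascii").split(" ")
    except UnicodeDecodeError as exc:
        raise ProxyHeaderError("non-ASCII bytes in header") from exc
    if len(fields) < 2 or fields[0] != "PROXY":
        raise ProxyHeaderError("missing PROXY signature")
    if fields[1] == "UNKNOWN":
        return None, None, end + 2
    if fields[1] not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ProxyHeaderError("malformed TCP4/TCP6 line")
    want = 4 if fields[1] == "TCP4" else 6
    try:
        src = ipaddress.ip_address(fields[2])
        dst = ipaddress.ip_address(fields[3])
    except ValueError as exc:
        raise ProxyHeaderError("bad address") from exc
    if src.version != want or dst.version != want:
        raise ProxyHeaderError("address family does not match protocol field")
    sport = _port(fields[4])
    _port(fields[5])  # destination port is validated but not used
    return src, sport, end + 2


def effective_client(peer_ip, first_bytes):
    """Return (client_ip, payload) for a new connection.

    Only a peer in TRUSTED_PROXIES may announce a client address, and it must
    do so. For every other peer the socket address is the client and the bytes
    are passed on untouched, so a PROXY line sent by a direct client is never
    interpreted as an address claim.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        return peer, first_bytes
    client, _sport, used = parse_proxy_v1(first_bytes)
    return (client or peer), first_bytes[used:]


# Constructed sample: a PROXY line followed by the first bytes of a TLS record.
SAMPLE = b"PROXY TCP4 198.51.100.7 203.0.113.1 51234 443\r\n\x16\x03\x01"

if __name__ == "__main__":
    for peer in ("2001:db8:53::10", "2001:db8:99::1"):
        client, rest = effective_client(peer, SAMPLE)
        print(f"peer {peer}: client={client}, {len(rest)} bytes passed on")
```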




[users@httpd] Need help getting php7 working..

2019-04-16 Thread Marc Chamberlin
Hello - I guess I need to appeal to some kind gurus for help, I've been
racking my brains out trying to get PHP scripts working under Apache2
and just not getting any traction... I am running the following Apache2
server -

> httpd -v
> Server version: Apache/2.4.33 (Linux/SUSE)
> Server built:   2019-03-25 13:11:14.0 +

which supports a number of virtual hosts. I need to be able to get the
server to support PHP scripts so as to run applications like WordPress
and phpMyAdmin amongst others. Towards this goal I am trying to setup
php-fpm and I have been trying to follow the instructions at

> https://wiki.apache.org/httpd/PHP-FPM
At the moment I do have the php-fpm service up and running. I did not
change any of the configuration files for the service, I just left them
in the default setup as distributed by OpenSuSE. (I didn't see anything
that needed to be changed, but I can post them if that will be helpful.)
The log file for php-fpm does not seem to show much -

> quasar:/var/log # more php-fpm.log
> [16-Apr-2019 09:40:45] NOTICE: fpm is running, pid 15415
> [16-Apr-2019 09:40:45] NOTICE: ready to handle connections
> [16-Apr-2019 09:40:45] NOTICE: systemd monitor interval set to 1ms

As for Apache2, these are the modules I have loaded -

> quasar:/srv/apache # apachectl -M
> Loaded Modules:
>  core_module (static)
>  so_module (static)
>  http_module (static)
>  mpm_prefork_module (static)
>  unixd_module (static)
>  systemd_module (static)
>  actions_module (shared)
>  alias_module (shared)
>  auth_basic_module (shared)
>  authn_core_module (shared)
>  authn_file_module (shared)
>  authz_host_module (shared)
>  authz_groupfile_module (shared)
>  authz_core_module (shared)
>  authz_user_module (shared)
>  autoindex_module (shared)
>  cgi_module (shared)
>  dir_module (shared)
>  env_module (shared)
>  expires_module (shared)
>  include_module (shared)
>  log_config_module (shared)
>  mime_module (shared)
>  negotiation_module (shared)
>  proxy_module (shared)
>  proxy_html_module (shared)
>  proxy_http_module (shared)
>  setenvif_module (shared)
>  ssl_module (shared)
>  socache_shmcb_module (shared)
>  userdir_module (shared)
>  reqtimeout_module (shared)
>  jk_module (shared)
>  rewrite_module (shared)
>  headers_module (shared)
>  substitute_module (shared)
>  filter_module (shared)
>  xml2enc_module (shared)
>  version_module (shared)
>  php7_module (shared)
>  proxy_fcgi_module (shared)

My vhost.conf file looks something like this -

> 
>     ServerAdmin u...@mydomain.com
>     ServerName www.mydomain.com
>     ServerAlias mydomain.com
>
>     DocumentRoot "/websites/home/user/mydomain.com"
>     ErrorLog "/var/log/apache2/mydomain.com-error_log"
>     TransferLog "/var/log/apache2/mydomain.com-access_log"
>     HostnameLookups Off
>     UseCanonicalName Off
>     ServerSignature On
>     Include /etc/apache2/conf.d/*.conf
>     Alias / /websites/home/user/mydomain.com/
>
>     ProxyPassMatch ^/(.*\.php(/.*)?)$
> fcgi://127.0.0.1:9000/websites/home/user/mydomain.com/$1
>
>     
>   JkAutoAlias /websites/home/user/mydomain.com
>   JkMount / tomcatWorker1
>   JkMount /* tomcatWorker1
>   JkUnMount /*.html tomcatWorker1
>   JkUnMount /*.css tomcatWorker1
>   JkUnMount /*.js tomcatWorker1
>   JkUnMount /*.jpg  tomcatWorker1
>   JkUnMount /*.png  tomcatWorker1
>   JkUnMount /*.gif  tomcatWorker1
>   JkUnMount /*.php  tomcatWorker1
>     
>
>     ScriptAlias /cgi-bin/ "/websites/home/user/mydomain.com/cgi-bin/"
>     
>     AllowOverride None
>     Options +ExecCGI -Includes
>     
>       Require all granted
>     
>     
>     Order allow,deny
>     Allow from all
>     
>     
>
>     
>     UserDir public_html
>     Include /etc/apache2/mod_userdir.conf
>     
>
>     
>     Options Indexes FollowSymLinks
>     DirectoryIndex /index.php index.php index.html
>     AllowOverride None
>     
>     Require all granted
>     
>     
>     Order allow,deny
>     Allow from all
>     
>     
>
> 
>
This is some extra info (for example I am linked to a Tomcat server to
handle JSP documents.) but I am striving to be complete and clear. If I
try to invoke a url directly on a php file, for example
http://mydomain.com/test.php I will get a "File not found" error. If I
try to invoke a url on a directory containing an index.php file, I get a
listing of the directory. When I try to access a .php file directly the
vhost log file displays this error message -

> mydomain.com-error_log
> [Tue Apr 16 15:21:28.961374 2

[users@httpd] Virtual hosts, include php.conf, DirectoryIndex failure

2017-04-19 Thread Marc Chamberlin
 



as I said, if I move the "Include /etc/apache2/conf.d/php7.conf" 
statement to a global configuration file, then everything works OK. Any 
kind guru got an explanation, I don't grok this one...  Perhaps this is 
a bug?  Thanks in advance...   Marc..


--
"The Truth is out there" - Spooky





Re: [users@httpd] Weird connection issues with mod_proxy_wstunnel

2015-04-17 Thread Marc Hörsken
Hello everyone,

I just figured out the configuration issue causing my problem.

Original configuration mod_proxy_wstunnel with SwampDragon:

ProxyPass /data/ ws://127.0.0.1:9001/data/
ProxyPassReverse /data/ ws://127.0.0.1:9001/data/
ProxyPass /settings.js http://127.0.0.1:9001/settings.js
ProxyPassReverse /settings.js http://127.0.0.1:9001/settings.js
ProxyPreserveHost On
ProxyRequests Off
ProxyVia On

The following configuration for mod_proxy_wstunnel with SwampDragon works fine:

ProxyPassMatch /data/(\d+)/(\w+)/websocket ws://127.0.0.1:9001/data/$1/$2/websocket
ProxyPass /data/info http://127.0.0.1:9001/data/info
ProxyPassReverse /data/info http://127.0.0.1:9001/data/info
ProxyPass /settings.js http://127.0.0.1:9001/settings.js
ProxyPassReverse /settings.js http://127.0.0.1:9001/settings.js
ProxyPreserveHost On
ProxyRequests Off
ProxyVia On

The issue was caused by the fact that /data/info is requested before a 
WebSocket-upgrade request to /data/(\d+)/(\w+)/websocket is performed. Because 
/data/info was redirected to the WebSocket-server using the same rule as 
/data/(\d+)/(\w+)/websocket before, mod_proxy_wstunnel continued to also 
forward all HTTP-traffic to the WebSocket-server.

Hope this helps in case anyone else runs into the same problem. You have to 
make sure that ws:// or wss:// forwarding is only configured for the actual 
WebSocket-URL and does not affect any other requests.

Thanks for pointing me in the right direction.

Best regards,
Marc
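
How the two rule sets in the message above route requests, as an added Python example. It is not from the original post and is a simplified model of mod_proxy's first-match rule order, not Apache code; the request paths and function names are constructed for illustration.

```python
import re

# Rule sets transcribed from the two configurations in the post:
# (directive, path prefix or regex, backend target)
ORIGINAL = [
    ("ProxyPass", "/data/", "ws://127.0.0.1:9001/data/"),
    ("ProxyPass", "/settings.js", "http://127.0.0.1:9001/settings.js"),
]
WORKING = [
    ("ProxyPassMatch", r"/data/(\d+)/(\w+)/websocket",
     "ws://127.0.0.1:9001/data/$1/$2/websocket"),
    ("ProxyPass", "/data/info", "http://127.0.0.1:9001/data/info"),
    ("ProxyPass", "/settings.js", "http://127.0.0.1:9001/settings.js"),
]

# Constructed sample requests: (path, is this a WebSocket upgrade request?)
REQUESTS = [
    ("/data/info", False),
    ("/data/123/abcd1234/websocket", True),
    ("/settings.js", False),
    ("/dashboard/", False),
]


def _prefix_match(prefix, path):
    """Model of ProxyPass prefix matching: only whole path segments match."""
    if not path.startswith(prefix):
        return False
    rest = path[len(prefix):]
    return prefix.endswith("/") or rest == "" or rest.startswith("/")


def resolve(rules, path):
    """Return the backend URL for path, or None if no proxy rule applies.

    Rules are tried in configuration order and the first match wins.
    """
    for directive, pattern, target in rules:
        if directive == "ProxyPass":
            if _prefix_match(pattern, path):
                return target + path[len(pattern):]
        elif directive == "ProxyPassMatch":
            match = re.search(pattern, path)
            if match:
                # Convert Apache's $1 back-references to Python's \1 form.
                return match.expand(re.sub(r"\$(\d)", r"\\\1", target))
    return None


def plain_http_into_tunnel(rules, requests):
    """Paths of non-upgrade requests that a rule set hands to a ws:// or wss:// backend."""
    hits = []
    for path, is_upgrade in requests:
        backend = resolve(rules, path)
        if backend and not is_upgrade and backend.startswith(("ws://", "wss://")):
            hits.append(path)
    return hits


if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("working", WORKING)):
        print(name, "->", plain_http_into_tunnel(rules, REQUESTS))
```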



Re: [users@httpd] Weird connection issues with mod_proxy_wstunnel

2015-04-15 Thread Marc Hörsken
Hello Eric,

> On 15.04.2015 at 14:05, Eric Covener cove...@gmail.com wrote:
> 
> On Wed, Apr 15, 2015 at 7:16 AM, Marc Hörsken i...@marc-hoersken.de wrote:
>> I was unable to find any useful resources about how to do this, yet.
>> Can you point me in the right direction?
>> 
>> Is there some special header that needs to be sent by the server?
> 
> 
> I would have thought this is purely a browser bug and the application
> has very little influence.  Does it fail cross-browser?

At first I thought so, too. But it does fail using Firefox 37.0.1 and Safari 
8.0.5 on Mac OS X Yosemite 10.10.3.

Best regards,
Marc



Re: [users@httpd] Weird connection issues with mod_proxy_wstunnel

2015-04-15 Thread Marc Hörsken
Hello Eric,

> On 15.04.2015 at 19:47, Eric Covener cove...@gmail.com wrote:
> 
> On Wed, Apr 15, 2015 at 12:18 PM, Marc Hörsken i...@marc-hoersken.de wrote:
>> Hello Eric,
>> 
>>> On 15.04.2015 at 14:05, Eric Covener cove...@gmail.com wrote:
>>> 
>>> On Wed, Apr 15, 2015 at 7:16 AM, Marc Hörsken i...@marc-hoersken.de wrote:
>>>> I was unable to find any useful resources about how to do this, yet.
>>>> Can you point me in the right direction?
>>>> 
>>>> Is there some special header that needs to be sent by the server?
>>> 
>>> 
>>> I would have thought this is purely a browser bug and the application
>>> has very little influence.  Does it fail cross-browser?
>> 
>> At first I thought so, too. But it does fail using Firefox 37.0.1 and Safari 
>> 8.0.5 on Mac OS X Yosemite 10.10.3.
> 
> And not sharing any proxy between browser and httpd?

no, there is no proxy between the browsers and httpd.
The connections are using HTTPS over TCP over IPv4.

Best regards,
Marc



[users@httpd] Weird connection issues with mod_proxy_wstunnel

2015-04-15 Thread Marc Hörsken
Hello everyone,

I am experiencing weird connection issues with mod_proxy_wstunnel. My Apache 2 
web server is still running on Debian Wheezy, so I had to backport 
mod_proxy_wstunnel using the following patches:
https://github.com/mback2k/build-apache2.2-wstunnel

I compiled all mod_proxy* modules using these patches against the apache 2.2.22 
sources provided by apt-get source apache2 on Debian Wheezy.

The following represents the relevant parts of my Apache 2 virtual host 
configuration for https://webgcal.uxnr.de/

<VirtualHost ...:443>
    ServerName webgcal.uxnr.de
    ServerAdmin ...

    <IfModule mod_ssl.c>
    ...
    </IfModule>

    Alias /media/ /var/local/pyweb/project/webgcal/webgcal/_media/
    Alias /static/ /var/local/pyweb/project/webgcal/webgcal/_static/

    WSGIDaemonProcess webgcal user=webgcal group=webgcal processes=2 maximum-requests=100 python-path=/var/local/pyweb/project/webgcal:/var/local/pyweb/virtualenv/webgcal/lib/python2.7/site-packages
    WSGIProcessGroup webgcal
    WSGIScriptAlias / /var/local/pyweb/project/webgcal/webgcal/wsgi.py

    SetEnv DJANGO_SETTINGS_MODULE ...

    <Location /data/>
        ProxyPass ws://127.0.0.1:9001/data/ retry=0 disablereuse=On
        ProxyPassReverse ws://127.0.0.1:9001/data/
    </Location>
    <Location /settings.js>
        ProxyPass http://127.0.0.1:9001/settings.js retry=0 disablereuse=On
        ProxyPassReverse http://127.0.0.1:9001/settings.js
    </Location>
    ProxyPreserveHost On
    ProxyVia On
</VirtualHost>

Now once a browser has upgraded a connection from HTTP to WebSocket traffic, 
all traffic is proxied to the WebSocket-server at 127.0.0.1:9001. The problem 
is that the browser continues to use that upgraded WebSocket-connection for 
further HTTP-requests, for example to load the next page.

But since all traffic is forwarded to the WebSocket-server, the browser 
receives a 404 from there. So for some reason HTTP- and WebSocket-connections 
are not isolated properly. And Apache2 forwards URLs not beginning with /data 
or /settings.js to the Web-Socket-server.

Any ideas why this might happen?

I also tried the original patch to backport mod_proxy_wstunnel available here:
http://blog.cafarelli.fr/2013/04/backporting-apache-support-for-websockets-reverse-proxy-aka-getting-gateone-to-work-behind-apache/

I applied the patch using the following approach:
https://i.rationa.li/mark/note/2TWATCchRQGyMA0RlvZSQA

That approach was also the basis for my own approach that can be found in the 
Github repo mentioned before.

If you want to see the issue in action, you will have to sign in to 
http://webgcal.uxnr.de/ and create a dummy calendar. This 
will enable the WebSocket-based status functionality of the dashboard.

Thanks in advance.

Best regards,
Marc

Re: [users@httpd] Weird connection issues with mod_proxy_wstunnel

2015-04-15 Thread Marc Hörsken
Hello Yann,

> On 15.04.2015 at 12:32, Yann Ylavic ylavic@gmail.com wrote:
> 
> Once the connection is upgraded, mod_proxy_wstunnel (as its name
> suggests) creates a tunnel between the browser and the application.
> It will not check request boundaries anymore, this is not HTTP but
> application data now, …

thanks for the clarification.

> and hence application's responsibility to not
> (make the browser) reuse the same connection for further HTTP
> requests.

I was unable to find any useful resources about how to do this, yet.
Can you point me in the right direction?

Is there some special header that needs to be sent by the server?

All examples I found assume that the WebSocket connection is made to a 
different subdomain / host.
But that is not possible for me, because my secure cookies are bound to the 
main domain / host.

I am using SwampDragon [1] with Django and AngularJS.

Thanks in advance.

Best regards,
Marc

 [1] http://swampdragon.net/



[users@httpd] require valid-user with ldap

2014-11-24 Thread Marc Patermann

Hi,

I am using the following .htaccess

AuthBasicProvider ldap file
AuthType Basic
AuthzLDAPAuthoritative off
Authname ...
AuthUserFile /srv/www/.htusers-mf
AuthLDAPURL ldap://ldapserver/ou=humans,ou=foo,c=de?mail??(mail=*@ofd-*.foo.de)

<Limit PROPFIND OPTIONS GET>
 #Require ldap-group ou=Benutzer-Opst,ou=gruppen,ou=humans,ou=foo,c=de
 #Require user k1-st-01
 Require valid-user
</Limit>
...

The require valid-user does not work for ldap users. I get the 
following message in error_log:


/var/log/apache2/error_log:[Thu Nov 21 09:40:48 2014] [error] [client 
10.49.64.85] access to /documents/ failed, reason: user 'u...@foo.de' 
does not meet 'require'ments for user/valid-user to be allowed access


Apache is version 2.2.10

If I set it to require ldap-user u...@foo.de or require ldap-group 
... it is all fine, so the ldap part does its thing.



Marc




[users@httpd] Differences between FcgidProcessLifeTime and FcgidIdleTimeout

2014-11-11 Thread Marc Aymerich
Hi,
it is not clear to me what the differences between these two directives are.

FcgidProcessLifeTime: Idle application processes which have existed for
greater than this time will be terminated.

FcgidIdleTimeout: Application processes which have not handled a request
for this period of time will be terminated.

Isn't it the same? An Fcgid application will be idle for exactly the same
amount of time that it's not handling any request, right?

-- 
Marc


[users@httpd] Re: Differences between FcgidProcessLifeTime and FcgidIdleTimeout

2014-11-11 Thread Marc Aymerich
On Tue, Nov 11, 2014 at 11:16 AM, Marc Aymerich glicer...@gmail.com wrote:

> Hi,
> it is not clear to me what the differences between these two directives
> are.

Oops, I get it now.

> FcgidProcessLifeTime: Idle application processes which have existed for
> greater than this time will be terminated.

This is the idle time combined over the whole process lifetime.

> FcgidIdleTimeout: Application processes which have not handled a request
> for this period of time will be terminated.

And this is the idle time after just one request :)




-- 
Marc


Re: [users@httpd] Client certificate auth behind f5 loadbalancer

2014-06-29 Thread Marc Schöchlin
Hi,

thanks for your response.

I know that F5 loadbalancers can do this - unfortunately I use a shared
loadbalancer without the possibility to do fast changes to the
certificate revocation list.

Regards
Marc

 
On 28.06.2014 at 19:54, Marco Pizzoli wrote:
> Hi Marc,
> as F5 user maybe you are not yet aware that with F5, leveraging
> iRules, you can:
> - implement client cert verification/validation, also specifically
> checking the CN of the certificate
> - publish to the apache backend custom HTTP headers carrying
> information extracted from the client certificate
>
> Both cases are well documented on the F5 site. The first one in
> particular I can say by having implemented on my own.
>
> Is it something useful to your case?
>
> Regards
> Marco
>
> On Sat, Jun 28, 2014 at 5:04 PM, Marc Schöchlin m...@256bit.org wrote:
>
>> Hi,
>>
>> On 06/26/2014 04:08 PM, andre.wen...@bmw.de wrote:
>>> Why do you terminate the ssl on the F5 and not on the
>>> Apache-backend? We load balance IP/Port-based on the F5 and
>>> terminate the SSL on the Apache backend, so you would be able to
>>> turn on your SSLEngine and Proxy the SSL from the F5 on the SSL
>>> Standard SSL Port 443 of the Apache and you can do everything you
>>> want because you have all SSL information.
>>
>> I use a wildcard certificate on my frontend ip to do irule-based
>> (looking for the hostheader) backend pool selection.
>> Therefore it would be good to terminate ssl in the f5.
>>
>> I will now use a new frontend ip on the loadbalancer and then I
>> will forward the traffic to the backend servers
>>
>> Regards
>> Marc
>>
>> --
>> GPG encryption available: 0x670DCBEC/pool.sks-keyservers.net




