Re: [users@httpd] CSP nonces in apache

2017-09-11 Thread Mitchell Krog Photography
As per the original article from Scott Helme that you initially referred to, you 
will need to generate a random string yourself.
Something like this might help you in the right direction - 
https://gist.github.com/earthgecko/3089509



From: Luis Speciale 
Reply: users@httpd.apache.org , lspeci...@gmail.com 

Date: 11 September 2017 at 11:35:17 AM
To: users@httpd.apache.org 
Subject:  Re: [users@httpd] CSP nonces in apache  

Le 11/09/2017 à 10:59, Daniel Gruno a écrit :  
> On 09/11/2017 10:48 AM, Luis Speciale wrote:  
>> Le 07/09/2017 à 20:57, Daniel Gruno a écrit :  
>>  
>>>  
>>> might be that you need to uppercase it to NUMBNONCE.  
>>  
>> After a week trying I'm beginning to think that it can't be done the way  
>> I thought. Is there a way (another, of course) to achieve this?  
>  
> It SHOULD work.  
> I tested the following:  
>  
> SubstituteInheritBefore on  
> SetOutputFilter SUBSTITUTE # Forcing substitute on everything  
> Define NUMBNONCE "1234"  
> Substitute "s/<(script|style)((?!\s*src=)?.*)>/<$1 nonce-${NUMBNONCE}$2>/i"  
>  
> My HTML then showed 
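To make the idea in the quoted Substitute test concrete, here is an added Python example (not part of the thread or of httpd) that does the two halves a CSP nonce needs: a fresh random nonce per response from a CSPRNG, and the tag rewrite the Substitute line is trying to do, with the same value placed in the Content-Security-Policy header. The tag regex and the policy string are my own choices; a value fixed with Define is fine for checking that the rewrite fires, but it must not be what production serves, since a nonce the page can predict protects nothing.

```python
import re
import secrets

# Matches an opening <script ...> or <style ...> tag and captures its attributes.
TAG_RE = re.compile(r"<(script|style)\b([^>]*)>", re.IGNORECASE)
NONCE_ATTR_RE = re.compile(r"\bnonce\s*=", re.IGNORECASE)


def make_nonce(nbytes=16):
    """Fresh, unpredictable nonce for one response (128 bits, base64url).

    A value fixed in the config (Define NUMBNONCE "1234") only serves to check
    that the Substitute rule rewrites the tags; a real nonce must come from a
    CSPRNG and differ on every response.
    """
    return secrets.token_urlsafe(nbytes)


def add_nonces(html, nonce):
    """Add nonce="..." to every <script>/<style> opening tag that lacks one.

    This is the rewrite the Substitute line in the thread aims at, written out
    in Python.  Tags that already carry a nonce are left alone, so the
    function is safe to run more than once.
    """
    def repl(match):
        tag, attrs = match.group(1), match.group(2)
        if NONCE_ATTR_RE.search(attrs):
            return match.group(0)
        return f'<{tag}{attrs} nonce="{nonce}">'
    return TAG_RE.sub(repl, html)


def csp_header(nonce):
    """Policy value that only honours script/style carrying this nonce."""
    return f"default-src 'self'; script-src 'nonce-{nonce}'; style-src 'nonce-{nonce}'"


def render(html):
    """Pair one fresh nonce with both the header and the body of a response."""
    nonce = make_nonce()
    return {"Content-Security-Policy": csp_header(nonce)}, add_nonces(html, nonce)


# Constructed page fragment used as sample input.
SAMPLE_HTML = (
    '<html><head><style>body{margin:0}</style></head>'
    '<body><script src="/app.js"></script>'
    '<SCRIPT>console.log("inline")</SCRIPT>'
    '<script nonce="keep">1</script></body></html>'
)

if __name__ == "__main__":
    headers, body = render(SAMPLE_HTML)
    print(headers)
    print(body)
```

Run it twice and the nonce differs each time while the header and the tags always agree; that per-response agreement is the property an Apache setup has to reproduce, whether the nonce comes from the application or from a filter that reads a per-request value.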

Re: [users@httpd] Problem with Redirect

2017-07-09 Thread Mitchell Krog Photography
@daniel my bad :) …. as I did mention though I dropped Apache over a year ago 
and that was my last working method and it worked for me, was not saying it is 
right and certainly with all the changes that have happened in Apache clearly 
NOT the correct way of doing things at all these days :) Clearly a Redirect / 
https://myhost is the correct way 

I am only now myself re-looking into all the changes in 2.4 as one of my 
projects is going to be affected by certain upcoming deprecations so even 
though my mainstream servers are Nginx I have to spend some time now 
re-learning all the good and proper methods of doing things in Apache these 
days to keep my projects working for those on 2.4+. Have my own separate 
question on a different topic which I have posted on StackOverflow but will 
post it here later too to see if anyone can help.


From: Daniel <dferra...@gmail.com>
Reply: users@httpd.apache.org <users@httpd.apache.org>
Date: 09 July 2017 at 12:36:30 PM
To:  <users@httpd.apache.org>
Subject:  Re: [users@httpd] Problem with Redirect  

Define specific customlog entries for your virtualhost, you will see they don't 
get any entries, another virtualhost is grabbing those requests and the 
redirect as you can see is not happening.

apachectl -S as has been previously said would have helped you, but you just 
"grepped" it, it's not just about names, it can also be about greedy 
virtualhost name matching. Share it here so we can see.

Also note Redirect would send a 30x response so you are definitely not landing 
in that virtualhost, note Redirect redirects "all" and appends that to the 
target, but looking at the whole directive it seems you want RedirectMatch ^ 
https://www.def.com/ghi#about instead.

So, briefly: 
review "apachectl -S" again
add specific customlog entry for this virtualhost when it grabs the requests 
you should see entries in it, otherwise it will remain empty.
Make sure your redirect is correct.

@mitchel why use those convoluted rewrite directives, why check for port 80? it 
is already a port 80 virtualhost, why check if it has www? that can be handled 
through servername and serveralias, and the objective of the virtualhost is 
external redirect,  appending query string? but not appending the original 
request? etc.. 
Seriously, people should stop using mod_rewrite by default for the most 
simpleton tasks filling the configuration with unneeded garbage. It is bad 
advice and just contributes to send the idea all configurations in httpd have 
to be convoluted and ugly for the most simple tasks (which is false).

2017-07-08 18:11 GMT+02:00 Blake McBride <blake1...@gmail.com>:
The tool returned:

>>> http://abc.com

> 
> 200 OK
> 

Status: 200 OK
Code:   200
Date:   Sat, 08 Jul 2017 16:10:12 GMT
Server: Apache/2.4.18 (Ubuntu)
Last-Modified:  Tue, 09 May 2017 01:03:45 GMT
ETag:   "1748-54f0ced6b7e40"
Accept-Ranges:  bytes
Content-Length: 5960
Vary:   Accept-Encoding
Connection:     close
Content-Type:   text/html


On Sat, Jul 8, 2017 at 9:44 AM, Mitchell Krog Photography 
<mitchellk...@gmail.com> wrote:
I agree use this tool - http://www.redirect-checker.org/index.php
It’s one of the best and doesn’t cache anything so any updates you make when 
working with redirects are picked up instantly.

Kind Regards
Mitchell


From: Nick Kew <n...@apache.org>
Reply: users@httpd.apache.org <users@httpd.apache.org>
Date: 08 July 2017 at 4:43:01 PM
To: users@httpd.apache.org <users@httpd.apache.org>
Subject:  Re: [users@httpd] Problem with Redirect

On Sat, 2017-07-08 at 08:35 -0500, Blake McBride wrote:
> When, through my browser, I go to abc.com,

Probably what Eric said. But is there history to this?
As in, trying different variants on your configuration?

If you have previously had a permanent (301) redirect
from abc.com, then what you see is likely to be your
browser (rightly) remembering it.

Solution: use a lower-level tool than a general-purpose
browser when testing any aspect of your server setup.
A commandline browser like lynx, or a tool like curl.

(There are also web developer toolkits for Big Browsers.
They would also do the job, but give you more scope for
getting confused and messing it up).

--



-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org






--
Daniel Ferradal
IT Specialist

email         dferradal at gmail.com
linkedin     es.linkedin.com/in/danielferradal
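An added example, not from the thread, that emulates in Python the two directives Daniel contrasts so the difference shows on the thread's own target URL: Redirect appends whatever follows the matched prefix to the target, while RedirectMatch emits only what the regex captured. The helper names are mine; the matching rules follow the mod_alias documentation (prefix matches on path-segment boundaries, regex patterns unanchored unless written with ^ or $).

```python
import re


def _prefix_matches(url_path, request_uri):
    """mod_alias-style prefix match: "/foo" matches "/foo" and "/foo/bar"
    but not "/foobar"; a URL-path ending in "/" (including "/" itself)
    matches everything below it."""
    if not request_uri.startswith(url_path):
        return False
    if url_path.endswith("/"):
        return True
    rest = request_uri[len(url_path):]
    return rest == "" or rest.startswith("/")


def redirect(url_path, target, request_uri):
    """Emulate `Redirect URL-path target`.

    Whatever follows the matched prefix is appended verbatim to the target,
    which is exactly what goes wrong with a fragment in the target: the
    suffix lands after "#about".  Returns None when the directive does not
    apply to this request.
    """
    if not _prefix_matches(url_path, request_uri):
        return None
    return target + request_uri[len(url_path):]


def redirect_match(pattern, target, request_uri):
    """Emulate `RedirectMatch regex target`.

    Only what the regex captures reaches the target, via $1..$9; nothing is
    appended implicitly.
    """
    m = re.search(pattern, request_uri)
    if not m:
        return None
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))) or "", target)


TARGET = "https://www.def.com/ghi#about"   # the target from the thread

if __name__ == "__main__":
    for uri in ("/", "/index.html", "/docs/a.html"):
        print(f"{uri:14} Redirect /      -> {redirect('/', TARGET, uri)}")
        print(f"{uri:14} RedirectMatch ^ -> {redirect_match('^', TARGET, uri)}")
```

For "/" both forms give the same Location; for any other path the Redirect form produces "...ghi#aboutindex.html" and similar, which is why a whole-site redirect to one fixed URL is a RedirectMatch ^ job.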

Re: [users@httpd] Problem with Redirect

2017-07-08 Thread Mitchell Krog Photography
I agree use this tool - http://www.redirect-checker.org/index.php
It’s one of the best and doesn’t cache anything so any updates you make when 
working with redirects are picked up instantly.

Kind Regards
Mitchell


From: Nick Kew 
Reply: users@httpd.apache.org 
Date: 08 July 2017 at 4:43:01 PM
To: users@httpd.apache.org 
Subject:  Re: [users@httpd] Problem with Redirect  

On Sat, 2017-07-08 at 08:35 -0500, Blake McBride wrote:  
> When, through my browser, I go to abc.com,  

Probably what Eric said. But is there history to this?  
As in, trying different variants on your configuration?  

If you have previously had a permanent (301) redirect  
from abc.com, then what you see is likely to be your  
browser (rightly) remembering it.  

Solution: use a lower-level tool than a general-purpose  
browser when testing any aspect of your server setup.  
A commandline browser like lynx, or a tool like curl.  

(There are also web developer toolkits for Big Browsers.  
They would also do the job, but give you more scope for  
getting confused and messing it up).  

--  






Re: [users@httpd] Problem with Redirect

2017-07-08 Thread Mitchell Krog Photography
Hi Blake, worth a shot, try this. I used to do my redirects like this but don't 
use Apache anymore but this worked perfect for me.


ServerName abc.com
ServerAlias *.abc.com
ServerAdmin m...@xyz.com
        RewriteEngine On
        RewriteCond %{HTTPS} off
        RewriteCond %{HTTP_HOST} ^(?:www\.)?(.*)$ [NC]
        RewriteRule (.*) https://def.com/ghi/#about [END,QSA,R=permanent]


or



ServerName abc.com
ServerAlias *.abc.com
ServerAdmin m...@xyz.com
        RewriteEngine On
        RewriteCond %{HTTPS} off
        RewriteCond %{HTTP_HOST} ^(?:www\.)?(.*)$ [NC]
        RewriteRule (.*) https://def.com%{REQUEST_URI} [END,QSA,R=permanent]




Kind Regards
Mitchell Krog
**
Visit me at https://mitchellkrog.com
**


From: Blake McBride <blake1...@gmail.com>
Reply: users@httpd.apache.org <users@httpd.apache.org>
Date: 08 July 2017 at 3:35:00 PM
To: users@httpd.apache.org <users@httpd.apache.org>
Subject:  [users@httpd] Problem with Redirect  

Hello,

I am using Apache 2.4.18 on a 64 bit Linux box.  I am serving several different 
URL's via VirtualHost.  All is working well except a single, unique case.   In 
the case with the problem, I am attempting to redirect a URL to an external 
URL.  All the cases that work, I am hosting the site, but not in this one case.

Naturally, I own the domain name.  The DNS points to my server, but I want it 
redirected to a site I pay for but isn't hosted by my machine.  Under 
/etc/apache2/sites-enabled, I have:


ServerName abc.com
ServerAlias *.abc.com 
ServerAdmin m...@xyz.com
Redirect / https://www.def.com/ghi#about


Let's say the main URL for my machine is jkl.com.  Now, when I go to abc.com it 
ends up at jkl.com !!

Whenever I change the apache2 settings, I do:  apache2ctl restart

When, through my browser, I go to abc.com, I see the following under 
/var/log/other_vhosts_access.log:

jkl.com:80 174.195.128.13 - - [08/Jul/2017:13:31:07 +] "GET / HTTP/1.1" 200 
2846 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like 
Gecko) Chrome/59.0.3071.115 Safari/537.36"

How the heck is access to abc.com showing as jkl.com?  How can I make abc.com 
redirect to the external server at URL https://www.def.com/ghi#about ?

Thanks so much for help!

Blake McBride




Re: [users@httpd] mod_lua and subprocess_env

2017-06-20 Thread Mitchell Krog Photography
Yes as it addresses a number of vulnerabilities discovered. Check mailing
list for CVE messages sent earlier today.

Kind Regards
Mitchell Krog
**
Visit me at https://mitchellkrog.com
**
License My Images From Getty Images Here
<http://www.gettyimages.com/search/photographer?family=creative=1=mitchell%20krog=best=true#license>

or From Gallo Images Here
<http://galloimages.co.za/Search?q=mitchell%20krog=1=1=2,1=2=on=1=48034=13=6>
**

On 20 June 2017 at 17:41:22, Andrei Ivanov (andrei.iva...@gmail.com) wrote:

> Hi,
> Seeing that 2.4.26 was released, is this a good time? 
>
> Thanks again.
>
> On Sun, May 28, 2017 at 11:54 PM, Yann Ylavic <ylavic@gmail.com>
> wrote:
>
>> Hi Andrei,
>>
>> On Wed, May 24, 2017 at 5:50 PM, Andrei Ivanov <andrei.iva...@gmail.com>
>> wrote:
>> >
>> > Does anybody know anything about Yann?
>>
>> I do :)
>>
>> Sorry I didn't have the time to propose something to the dev team for
>> now, while 2.4.26 is coming soon and is very unlikely to include such
>> a change on the core expression parser (without quite some testing and
>> review, we can't regress here...).
>>
>> Once 2.4.26 is out, I'll propose/commit the patch so that we can
>> discuss and hopefully backport it to some future 2.4.x.
>>
>>
>> Regards,
>> Yann.
>>
>>
>>
>


Re: [users@httpd] Problem with Apache2 after upgrade from Ubuntu14.04 to 16.04

2017-04-18 Thread Mitchell Krog Photography
Trust me. it’s the safest way to know you are starting off clean and have
no remnants that didn’t upgrade properly, there were a number of
deprecations from old to new Apache and they do not upgrade nicely.

And it really does not take that long, it should take you (depending on how
many sites) that entire fresh upgrade in under an hour.

For me when I had to do it after one upgrade from 14 > 16 I had 18 sites,
it took me barely an hour and everything was fresh and working properly,
then I moved to Nginx a few months later but that was for other reasons.

Tell me about it ….. the things we have to do !!! LOL

But just bite the bullet and start fresh, then you know you are fresh and
squeaky clean

Cheers
Mitch



From: Purvez <pur...@nexar.free-online.co.uk>
<pur...@nexar.free-online.co.uk>
Reply: users@httpd.apache.org <users@httpd.apache.org>
<users@httpd.apache.org>
Date: 18 April 2017 at 5:25:21 PM
To: users@httpd.apache.org <users@httpd.apache.org> <users@httpd.apache.org>
Subject:  Re: [users@httpd] Problem with Apache2 after upgrade from
Ubuntu14.04 to 16.04

Hi Mitchell

Many thanks for your response.  I'm coming to the same conclusion as you.
Best to cut my losses and rebuild Apache and PHP but I HATE not knowing
what went wrong.  So...I'm going to spend some time getting to the bottom
of the problem...whilst being pragmatic and building my production server
with apache and php again to get back to 'real life'!!  Ugh the things we
have to do to survive in this game!! LOL.

On 18/04/17 12:59, Mitchell Krog Photography wrote:

My experience with upgrading from 14.04 to 16.04 is apache does not upgrade
well at all, had it happen on several servers already in the past.

I would suggest backup your entire etc/apache2 folder or rename it
/etc/apache_backup/

Then uninstall apache and purge it, uninstall PHP and purge it and then
reinstall both Apache and PHP

Then you will get a clean Apache with PHP 7, then move your sites back into
/etc/apache2/sites-available/ one at a time, enable them one at a time and
test as you go along.

Good luck


From: Purvez <pur...@nexar.free-online.co.uk>
<pur...@nexar.free-online.co.uk>
Reply: users@httpd.apache.org <users@httpd.apache.org>
<users@httpd.apache.org>
Date: 18 April 2017 at 1:35:12 PM
To: users@httpd.apache.org <users@httpd.apache.org> <users@httpd.apache.org>
Subject:  [users@httpd] Problem with Apache2 after upgrade from Ubuntu14.04
to 16.04

Hi

Newbie to the forum here so I hope I'm doing this right.  If not please
would someone guide me.  Thx in advance.

As the subject line says Apache2 is not working at all / satisfactorily
since the Ubuntu upgrade.  The details follow:

===

Here is my full post on askubuntu:

http://askubuntu.com/questions/904042/upgrade-to-16-04-lts-has-broken-apache

Currently the biggest help I could get would be if someone would decipher
what the following output means when I do :

systemctl status apache2.service

output:
===
*Code:*

purvez@127:~$ systemctl status apache2.service
● apache2.service - LSB: Apache2 web server
   Loaded: loaded (/etc/init.d/apache2; bad; vendor preset: enabled)
  Drop-In: /lib/systemd/system/apache2.service.d
   └─apache2-systemd.conf
   Active: inactive (dead) since Thu 2017-04-13 10:01:02 BST; 11s ago
 Docs: man:systemd-sysv-generator(8)
  Process: 6997 ExecStop=/etc/init.d/apache2 stop (code=exited,
status=0/SUCCESS)
  Process: 6978 ExecStart=/etc/init.d/apache2 start (code=exited,
status=0/SUCCESS)

Apr 13 10:01:02 127.0.1.1purvez-Aspire-5750 apache2[6978]: (98)Address
already in use: AH00072: make_sock: could not bind to address [::]:80
Apr 13 10:01:02 127.0.1.1purvez-Aspire-5750 apache2[6978]: (98)Address
already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
Apr 13 10:01:02 127.0.1.1purvez-Aspire-5750 apache2[6978]: no listening
sockets available, shutting down
Apr 13 10:01:02 127.0.1.1purvez-Aspire-5750 apache2[6978]: AH00015: Unable
to open logs
Apr 13 10:01:02 127.0.1.1purvez-Aspire-5750 apache2[6978]: Action 'start'
failed.
Apr 13 10:01:02 127.0.1.1purvez-Aspire-5750 apache2[6978]: The Apache error
log may have more information.
Apr 13 10:01:02 127.0.1.1purvez-Aspire-5750 apache2[6978]:  *
Apr 13 10:01:02 127.0.1.1purvez-Aspire-5750 apache2[6997]:  * Stopping
Apache httpd web server apache2
Apr 13 10:01:02 127.0.1.1purvez-Aspire-5750 apache2[6997]:  *
Apr 13 10:01:02 127.0.1.1purvez-Aspire-5750 systemd[1]: Started LSB:
Apache2 web server.
purvez@127:~$


The MAIN question is : Is Apache started and functioning or is it inactive
(dead)?

The last line of the output suggests that it is working but the 5th / 6th
line from the top suggests the opposite.

The errorlog is blank and the accesslog is blank as well since the day of
the upgrade.
===
Thanks in advance

Purvez


Re: [users@httpd] Problem with Apache2 after upgrade from Ubuntu14.04 to 16.04

2017-04-18 Thread Mitchell Krog Photography
My experience with upgrading from 14.04 to 16.04 is apache does not upgrade
well at all, had it happen on several servers already in the past.

I would suggest backup your entire etc/apache2 folder or rename it
/etc/apache_backup/

Then uninstall apache and purge it, uninstall PHP and purge it and then
reinstall both Apache and PHP

Then you will get a clean Apache with PHP 7, then move your sites back into
/etc/apache2/sites-available/ one at a time, enable them one at a time and
test as you go along.

Good luck


From: Purvez 

Reply: users@httpd.apache.org 

Date: 18 April 2017 at 1:35:12 PM
To: users@httpd.apache.org  
Subject:  [users@httpd] Problem with Apache2 after upgrade from Ubuntu14.04
to 16.04

Hi

Newbie to the forum here so I hope I'm doing this right.  If not please
would someone guide me.  Thx in advance.

As the subject line says Apache2 is not working at all / satisfactorily
since the Ubuntu upgrade.  The details follow:

===

Here is my full post on askubuntu:

http://askubuntu.com/questions/904042/upgrade-to-16-04-lts-has-broken-apache

Currently the biggest help I could get would be if someone would decipher
what the following output means when I do :

systemctl status apache2.service

output:
===
*Code:*

purvez@127:~$ systemctl status apache2.service
● apache2.service - LSB: Apache2 web server
   Loaded: loaded (/etc/init.d/apache2; bad; vendor preset: enabled)
  Drop-In: /lib/systemd/system/apache2.service.d
   └─apache2-systemd.conf
   Active: inactive (dead) since Thu 2017-04-13 10:01:02 BST; 11s ago
 Docs: man:systemd-sysv-generator(8)
  Process: 6997 ExecStop=/etc/init.d/apache2 stop (code=exited,
status=0/SUCCESS)
  Process: 6978 ExecStart=/etc/init.d/apache2 start (code=exited,
status=0/SUCCESS)

Apr 13 10:01:02 127.0.1.1purvez-Aspire-5750 apache2[6978]: (98)Address
already in use: AH00072: make_sock: could not bind to address [::]:80
Apr 13 10:01:02 127.0.1.1purvez-Aspire-5750 apache2[6978]: (98)Address
already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
Apr 13 10:01:02 127.0.1.1purvez-Aspire-5750 apache2[6978]: no listening
sockets available, shutting down
Apr 13 10:01:02 127.0.1.1purvez-Aspire-5750 apache2[6978]: AH00015: Unable
to open logs
Apr 13 10:01:02 127.0.1.1purvez-Aspire-5750 apache2[6978]: Action 'start'
failed.
Apr 13 10:01:02 127.0.1.1purvez-Aspire-5750 apache2[6978]: The Apache error
log may have more information.
Apr 13 10:01:02 127.0.1.1purvez-Aspire-5750 apache2[6978]:  *
Apr 13 10:01:02 127.0.1.1purvez-Aspire-5750 apache2[6997]:  * Stopping
Apache httpd web server apache2
Apr 13 10:01:02 127.0.1.1purvez-Aspire-5750 apache2[6997]:  *
Apr 13 10:01:02 127.0.1.1purvez-Aspire-5750 systemd[1]: Started LSB:
Apache2 web server.
purvez@127:~$


The MAIN question is : Is Apache started and functioning or is it inactive
(dead)?

The last line of the output suggests that it is working but the 5th / 6th
line from the top suggests the opposite.

The errorlog is blank and the accesslog is blank as well since the day of
the upgrade.
===
Thanks in advance

Purvez
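Added example, not from the thread: a small Python triage of the systemctl status output Purvez pasted (a constructed copy of it is embedded, with the Process: lines unwrapped and the host name replaced by a placeholder). It answers the MAIN question mechanically: "Started LSB: ..." only means the SysV wrapper script returned 0, while the Active: line and the AH00072 bind failures are what say whether httpd is actually listening.

```python
import re

# Constructed sample, modelled on the systemctl output quoted in the thread
# (Process: lines unwrapped; HOST is a placeholder for the machine name).
SAMPLE_STATUS = """\
● apache2.service - LSB: Apache2 web server
   Loaded: loaded (/etc/init.d/apache2; bad; vendor preset: enabled)
   Active: inactive (dead) since Thu 2017-04-13 10:01:02 BST; 11s ago
  Process: 6997 ExecStop=/etc/init.d/apache2 stop (code=exited, status=0/SUCCESS)
  Process: 6978 ExecStart=/etc/init.d/apache2 start (code=exited, status=0/SUCCESS)

Apr 13 10:01:02 HOST apache2[6978]: (98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
Apr 13 10:01:02 HOST apache2[6978]: (98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
Apr 13 10:01:02 HOST apache2[6978]: no listening sockets available, shutting down
Apr 13 10:01:02 HOST apache2[6978]: AH00015: Unable to open logs
Apr 13 10:01:02 HOST systemd[1]: Started LSB: Apache2 web server.
"""

ACTIVE_RE = re.compile(r"^\s*Active:\s*(\S+)\s*\(([^)]*)\)")
PROCESS_RE = re.compile(r"^\s*Process:\s*\d+\s+(Exec\w+)=.*\(code=(\w+), status=(\d+)")
BIND_RE = re.compile(r"AH00072: make_sock: could not bind to address (\S+)")
AH_RE = re.compile(r"\bAH\d{5}\b")


def triage(status_output):
    """Summarise `systemctl status` for an LSB-wrapped httpd.

    The exit status of ExecStart is the init script's, not the daemon's, so
    status=0/SUCCESS beside Active: inactive (dead) is not a contradiction.
    """
    info = {"active": None, "substate": None, "exec": {},
            "bind_failures": [], "ah_codes": []}
    for line in status_output.splitlines():
        m = ACTIVE_RE.match(line)
        if m:
            info["active"], info["substate"] = m.group(1), m.group(2)
        m = PROCESS_RE.match(line)
        if m:
            info["exec"][m.group(1)] = (m.group(2), int(m.group(3)))
        m = BIND_RE.search(line)
        if m:
            info["bind_failures"].append(m.group(1))
        info["ah_codes"].extend(AH_RE.findall(line))
    info["running"] = info["active"] == "active"
    if info["running"]:
        info["verdict"] = "httpd is running"
    elif info["bind_failures"]:
        info["verdict"] = ("httpd is NOT running: another process already holds "
                           + ", ".join(info["bind_failures"])
                           + " (find it with `ss -ltnp`)")
    else:
        info["verdict"] = "httpd is NOT running; see the journal lines"
    return info


if __name__ == "__main__":
    for key, value in triage(SAMPLE_STATUS).items():
        print(f"{key}: {value}")
```

On the pasted output the verdict is that httpd is not running because something else already owns port 80 on both the IPv4 and IPv6 sockets, which also explains the empty error and access logs: the new httpd never got far enough to write to them.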


Re: [users@httpd] What is preferred PHP interface?

2017-03-30 Thread Mitchell Krog Photography
+1 php-fpm 


From: Lester Caine  
Reply: users@httpd.apache.org 

Date: 30 March 2017 at 11:14:57 AM
To: users@httpd.apache.org  
Subject:  Re: [users@httpd] What is preferred PHP interface?

On 30/03/17 02:00, John Iliffe wrote:
> Surprised that the PHP docs don't seem to have anything equivalent to
that
> Wiki.

The equivalent page for PHP is perhaps
https://secure.php.net/manual/en/install.php, but with the growing
number of alternatives to Apache it's difficult to keep everything up to
date. This is one reason php-fpm is now preferred since it essentially
separates PHP from the web server. I currently have php5.4, php5.6 and
php7 running into apache and nginx and can update one without affecting
the other.

-- 
Lester Caine - G8HFL
-
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk



Re: [users@httpd] Run Control for Apache in Fedora 25

2017-03-29 Thread Mitchell Krog Photography
Brilliant, so glad you got it sorted :)

Cheers
Mitch



From: John Iliffe  
Reply: users@httpd.apache.org 

Date: 28 March 2017 at 6:08:33 PM
To: users@httpd.apache.org  
Subject:  Re: [users@httpd] Run Control for Apache in Fedora 25

First, my sincere thanks to all the folks who responded so fast to my
problem. I have it fixed, I think. Testing so far seems to work as
expected.

The problem is that when "systemctl enable" generates the new unit file
(httpd.service) it didn't get it quite right. For one thing, it dropped
apachectl from the start up and used httpd directly. For another, the pid
file was being written to a directory that was transient, as noted in the
post by Mikael. In this case I had the reason in my initial post but
didn't understand it.

So.

the solution is to generate a new unit file (read man page systemd.service)
and force the parameters you need. Delete the one generated by systemctl.
be sure that all of the related configuration files (httpd.service,
httpd.conf, init.d/httpd) match as far as where the files are going.

I used the sample in Stack Overflow suggested by Mitchell, modified a bit
to
match my installation. This one works for me.

---
[Unit]
Description=The Apache HTTP Server

[Service]
Type=forking
EnvironmentFile=/usr/apache-2.4.25/bin/envvars
PIDFile=/var/run/httpd.pid
ExecStart=/usr/apache-2.4.25/bin/apachectl -k start
ExecReload=/usr/apache-2.4.25/bin/apachectl -k graceful
ExecStop=/usr/apache-2.4.25/bin/apachectl -k stop
KillSignal=SIGCONT
PrivateTmp=true

[Install]
WantedBy=multi-user.target
-

Regards,

John

On Tuesday 28 March 2017 10:35:44 Kartik Vashishta wrote:
> Maybe this will help:
> http://stackoverflow.com/questions/32977557/how-do-i-compile-apache-http
> d-2-4-16-with-systemd-support
>
> On Tue, Mar 28, 2017 at 9:35 AM, John Iliffe 
wrote:
> > Thank you Mickey.
> >
> > That is exactly what the problem is; all /var/run subdirectories get
> > deleted on reboot.
> >
> > I tried to move the pid file to another location, for a start its
> > default location under the apache install directory, but even
> > directly on /var/run/, with the result that systemctl could not find
> > it. The pid file was written correctly, under the correct name, and
> > was readable by root, but was reported as missing by systemctl and as
> > a result the "systemctl stop httpd" command didn't work. It just
> > issued an error message and httpd kept right on running.
> >
> > One thing that I have been careful to do is keep the start up script
> > at init.d/httpd pointed at the same location as httpd.conf.
> >
> > I'm not sure why but systemctl seems to insist that the httpd pid
> > file be exactly /var/run/httpd/httpd.pid .
> >
> > I think there must be a configuration parameter somewhere for
> > systemctl but I have not been able to find it; can't believe it would
> > be hard coded in the
> > programme!
> >
> > That said, thank you for the reply. It does give me the idea that I
> > am on the right track.
> >
> > John
> > ===
> > ==snip



Re: [users@httpd] Run Control for Apache in Fedora 25

2017-03-28 Thread Mitchell Krog Photography
What does

sudo systemctl edit --full httpd

show you ???




From: John Iliffe  
Reply: users@httpd.apache.org 

Date: 28 March 2017 at 4:35:52 PM
To: users@httpd.apache.org  
Subject:  Re: [users@httpd] Run Control for Apache in Fedora 25

Thank you Mickey.

That is exactly what the problem is; all /var/run subdirectories get
deleted on reboot.

I tried to move the pid file to another location, for a start its default
location under the apache install directory, but even directly on
/var/run/, with the result that systemctl could not find it. The pid file
was written correctly, under the correct name, and was readable by root,
but was reported as missing by systemctl and as a result the "systemctl
stop httpd" command didn't work. It just issued an error message and httpd
kept right on running.

One thing that I have been careful to do is keep the start up script at
init.d/httpd pointed at the same location as httpd.conf.

I'm not sure why but systemctl seems to insist that the httpd pid file
be exactly /var/run/httpd/httpd.pid .

I think there must be a configuration parameter somewhere for systemctl but
I have not been able to find it; can't believe it would be hard coded in
the
programme!

That said, thank you for the reply. It does give me the idea that I am on
the right track.

John
===

On Tuesday 28 March 2017 03:05:31 Mickey Nordstrom wrote:
> Hi John,
>
> I didn't read your full post so apologies if I'm not answering your
> question. I have had similar problems on SuSE Linux with systemd and
> the solution was to create a file under /etc/tmpfiles.d with content
> something like this:
>
> d /var/run/httpd 770 webservd webservd
>
> Modify it to the user and group that runs your httpd daemon.
>
> This is needed because /run and /var/run are volatile and gets cleaned
> out at each reboot.
>
> /Mikael
>
> On 28/03/17 04:22, John Iliffe wrote:
> > First, I know this is probably not an Apache question, but I'm hoping
> > that someone on this list may have seen this problem before and knows
> > the solution.
> >
> > I know this is going to be very long winded, my apologies in advance,
> > but I have done quite a bit of research so I have a good idea what
> > won't work :-(
> >
> > Problem:
> >
> > OS is Fedora 25
> >
> > Fedora replaces service with systemctl control using service files for
> > starting and stopping daemons. This is a bit different than the
> > traditional init.d approach.
> >
> > I installed Apache-2.4.25 from source without using the Fedora
> > installation so I had to produce my own start up scripts and used the
> > compatibility feature of systemctl so httpd can be started from
> > /etc/init.d/httpd
> >
> > My startup script works perfectly UNTIL I reboot. At that point the
> > directory where httpd.pid resides (/var/run/httpd/httpd.pid) gets
> > deleted. I have a good idea of why this happens; it is this line in
> >
> > /etc/rc.d/init.d/functions which runs during shutdown or reboot:
> > rm -f "${pid_file:-/var/run/$base.pid}"
> >
> > It is obvious that $base includes the httpd/ subdirectory so that gets
> > deleted too.
> >
> > Changing the pid file location away from /var/run/httpd/ can't be
> > done. Even if the start up script in init.d is changed systemctl
> > expects to find it there. So I changed the httpd.conf file to put it
> > where systemctl wants it to be.
> >
> > In case anyone wonders, I can put the pid file anywhere during start
> > up but if I do that systemctl hangs and then times out during startup
> > with a message that the pid file is unreadable, leaving httpd running
> > and an orphan. Also "systemctl stop httpd" hangs and httpd stays up.
> > In this one case, "systemctl reboot" never completes; you end up
> > having to push the reset button; although I would assume that in the
> > fullness of time it might time out.
> >
> > "systemctl status httpd" in this case shows that httpd is NOT running
> > due to a missing resource (the pid file) even though it is up and
> > running fine.
> >
> > There is one obvious work-around, check for /var/run/httpd on startup
> > in the init.d script, and if it isn't there, create it, but that begs
> > the question of what am I not understanding.
> >
> > So, has anyone encountered this before. I sure hope it isn't a fat
> > finger error on my part but two days is enough for something like
> > this. I need help!
> >
> > Here is the relevant part of the (current) httpd.conf file in
> > /usr/apache-2.4.25/conf/httpd.conf
> >
> > # Added with 2.4.25, 25/3/2017, to work with Fedora which won't
> > # relocate the pid file to the default location
> > PidFile /var/run/httpd/httpd.pid
> > #
> >
> > and here is the complete init.d/httpd startup script. Mostly it was
> > cribbed from the old server's (RHEL6 and apache-2.4.10) script. A
> > lot of the 

Re: [users@httpd] ServerAlias limit and conflicts?

2017-03-17 Thread Mitchell Krog Photography
Actually to clarify point 3. That error I stated was due to something else.

However I tested the following config and the first virtualhost completely
over-rides the second one due to the wildcard.


ServerAdmin webmaster@centos.local
DocumentRoot /var/www/html/centos
ServerName centos.local
ServerAlias centos2.local centos3.local
#ServerAlias centos4.local *.local
ServerAlias centos5.local
ErrorLog logs/centos-error_log
CustomLog logs/centos-access_log common

allow from all
Options +Indexes


#

ServerAdmin webmaster@centos.local
DocumentRoot /var/www/html/centos2
ServerName centos20.local
ErrorLog logs/centos2-error_log
CustomLog logs/centos2-access_log common

allow from all
Options +Indexes





From: Rose, John B  
Reply: users@httpd.apache.org 

Date: 16 March 2017 at 11:31:17 PM
To: users@httpd.apache.org  
Subject:  [users@httpd] ServerAlias limit and conflicts?

1.   Is there a limit on how many  “ServerAlias” lines can be in a
virtual host block?



2.   Is there a limit on how many hostnames can be in one “ServerAlias”
line?



3.   If you used “ServerAlias *.abc.com” in one virtual host conf file,
would that cause any conflict with existing virtual host conf files using
the same abc.com domain?





Thanks


Re: [users@httpd] ServerAlias limit and conflicts?

2017-03-17 Thread Mitchell Krog Photography
1. I have always stuck to one ServerAlias line but for fun I tested this
config this morning and it works just fine

ServerName centos.local
ServerAlias centos2.local centos3.local
ServerAlias centos4.local
ServerAlias centos5.local centos6.local centos7.local


2. Not that I am aware of, I have had Apache hosts in the past with well
over 200 domains on a ServerAlias line

3. No tested that for you too got … [warn] _default_ VirtualHost overlap on
port 80, the first has precedence



From: Rose, John B  
Reply: users@httpd.apache.org 

Date: 16 March 2017 at 11:31:17 PM
To: users@httpd.apache.org  
Subject:  [users@httpd] ServerAlias limit and conflicts?

1.   Is there a limit on how many  “ServerAlias” lines can be in a
virtual host block?



2.   Is there a limit on how many hostnames can be in one “ServerAlias”
line?



3.   If you used “ServerAlias *.abc.com” in one virtual host conf file,
would that cause any conflict with existing virtual host conf files using
the same abc.com domain?





Thanks
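Added Python example (not from the thread) of the selection rule behind both answers to point 3 here and behind the earlier Problem with Redirect thread, where Daniel suspected another virtualhost was grabbing the requests: among name-based vhosts on one address:port, the first vhost in configuration order whose ServerName or any ServerAlias (wildcards included) matches the Host header wins, and if none matches, the first vhost listed is the default. The sample config is a constructed copy of the centos.local test above with the *.local alias active; shadowed() reports what apachectl -S lets you spot by eye.

```python
import fnmatch

# Constructed after the centos.local test config in this thread, with the
# wildcard alias in force.  Order matters: this is configuration order for
# vhosts that share one address:port.
CENTOS = [
    {"ServerName": "centos.local",
     "ServerAlias": ["centos2.local", "centos3.local", "*.local", "centos5.local"]},
    {"ServerName": "centos20.local"},
]


def _normalize_host(host_header):
    """Lower-case the Host header and drop any :port suffix."""
    host = host_header.strip().lower()
    if host.startswith("["):                 # IPv6 literal, keep the brackets
        host = host[:host.index("]") + 1]
    else:
        host = host.split(":", 1)[0]
    return host.rstrip(".")


def _matches(vhost, host):
    """ServerName exact match, or any ServerAlias with * and ? wildcards."""
    if vhost["ServerName"].lower() == host:
        return True
    return any(fnmatch.fnmatchcase(host, alias.lower())
               for alias in vhost.get("ServerAlias", []))


def select_vhost(vhosts, host_header):
    """First vhost in configuration order that matches; else the first
    vhost listed, which is the default for that address:port."""
    host = _normalize_host(host_header)
    for vhost in vhosts:
        if _matches(vhost, host):
            return vhost
    return vhosts[0]


def shadowed(vhosts):
    """List (name, captured_by) pairs for vhosts whose own ServerName an
    earlier vhost would claim, so requests never reach them."""
    report = []
    for i, vhost in enumerate(vhosts):
        for earlier in vhosts[:i]:
            if _matches(earlier, vhost["ServerName"].lower()):
                report.append((vhost["ServerName"], earlier["ServerName"]))
                break
    return report


if __name__ == "__main__":
    for host in ("centos20.local", "centos3.local:80", "unknown.example"):
        print(f"{host:20} -> {select_vhost(CENTOS, host)['ServerName']}")
    print("shadowed:", shadowed(CENTOS))
```

Swap the two vhosts and centos20.local gets its own block again; the wildcard alias is not wrong in itself, it is wrong in front of the more specific vhost. The same check, run over a larger config, points at the greedy vhost that keeps a Redirect-only vhost from ever seeing its requests.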


RE: [users@httpd] Hiding Apache version info on the Aix server for Apache.

2017-03-16 Thread Mitchell Krog Photography
I’ve tested on CentOS 6.8, Apache 2.2.15

Both

*ServerTokens PROD*
*ServerSignature Off*

Work perfectly and do not affect the starting of the server.

Secondly have you actually ever run a configtest?

*apachectl configtest*

If you copy and paste the ServerTokens and ServerSignature lines above
exactly as I have them they will work. If not then you have messed up
something else in your httpd.conf file which is why a configtest is so
important.

I attach a very basic httpd.conf which you can try, it’s as basic as it
gets.

Regards
Mitchell



From: Chunduru, Krishnachaithanya


Reply: users@httpd.apache.org 

Date: 15 March 2017 at 3:05:15 PM
To: users@httpd.apache.org  
Subject:  RE: [users@httpd] Hiding Apache version info on the Aix server
for Apache.

Hi,

Below are the entries I have updated in the httpd.conf and tried restarting
the apache, but it didn't start and didn't even give any errors.

$cat /etc/httpd/conf/httpd.conf | grep -i signature
ServerSignature Off

$ cat /etc/httpd/conf/httpd.conf | grep -i tokens
ServerTokens Prod

Regards,
Krishna


-Original Message-
From: Konstantin Kolinko [mailto:knst.koli...@gmail.com]
Sent: Wednesday, March 15, 2017 1:24 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Hiding Apache version info on the Aix server for
Apache.

2017-03-14 14:56 GMT+03:00 Chunduru, Krishnachaithanya
:
> Hi All,
>
>
>
> Can anyone please let me know how to hide the apache version and the
> OS name running on Aix server.
>
>
>
> The servertokens or the server signature fields are set to PROD and
> signature off, then I tried restarting the httpd but apache was not
> starting until these two parameters are removed from the config file.

Thus your edits have an effect. Good.

What are the actual lines, and what was the actual error message?

Check your spelling. Copy-paste from documentation, if possible.

Try to search if other configuration files define those directives.
(The files included into main httpd.conf file with "Include" directive).


Best regards,
Konstantin Kolinko

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org


This message and any attachments are intended only for the use of the
addressee and may contain information that is privileged and confidential.
If the reader of the message is not the intended recipient or an authorized
representative of the intended recipient, you are hereby notified that any
dissemination of this communication is strictly prohibited. If you have
received this communication in error, please notify us immediately by
e-mail and delete the message and any attachments from your system.


httpd.conf
Description: Binary data

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
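A check for the outcome of the two directives discussed in this thread, added here as an example; it is not code from the thread or from the httpd project. ServerTokens Prod shrinks the Server header to "Apache", and ServerSignature Off drops the "<address>... Server at ... Port ...</address>" footer from server-generated pages (error pages, directory listings). The script audits a raw HTTP response for both; the two sample responses are constructed, and fetch_raw() is only for pointing it at a real host. Note that ServerTokens is valid only in the main server config, so placing it inside a VirtualHost block makes `apachectl configtest` fail with "not allowed here", and that Prod is the minimum the stock server offers: mod_headers cannot unset the Server header, since core adds it after the headers filter runs.

```python
"""Audit an HTTP response for Apache version/OS disclosure.

Added example, not code from the original thread or from the httpd project.
It checks what `ServerTokens Prod` and `ServerSignature Off` are meant to
achieve: the Server header collapses to "Apache", and server-generated error
pages lose the "<address>... Server at ... Port ...</address>" footer. The two
sample responses are constructed, not captured from anyone's server.
"""
import re
import socket
from typing import Dict, List, Tuple

# "Apache/2.2.15 (CentOS)" leaks a version ("/2.2.15") and a platform ("(CentOS)").
VERSION_RE = re.compile(r"/\d+(?:\.\d+)+")
PLATFORM_RE = re.compile(r"\([^)]+\)")
# Footer that ServerSignature On|EMail appends to server-generated pages.
SIGNATURE_RE = re.compile(r"<address>.*?Server at .*?Port \d+</address>", re.I | re.S)


def parse_response(raw: bytes) -> Tuple[str, Dict[str, str], str]:
    """Split a raw HTTP/1.x response into status line, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body.decode("utf-8", "replace")


def audit_disclosure(raw: bytes) -> List[str]:
    """Return the disclosure findings for one response; an empty list is the goal."""
    _, headers, body = parse_response(raw)
    findings: List[str] = []
    server = headers.get("server", "")
    if VERSION_RE.search(server):
        findings.append(f"Server header leaks a version: {server!r} (ServerTokens is not Prod)")
    if PLATFORM_RE.search(server):
        findings.append(f"Server header leaks the platform: {server!r} (ServerTokens is not Prod)")
    if SIGNATURE_RE.search(body):
        findings.append("server-generated page carries a footer (ServerSignature is not Off)")
    return findings


def fetch_raw(host: str, port: int = 80, path: str = "/this-path-does-not-exist") -> bytes:
    """Request a path that should 404 so the server generates its own error page.

    Only for use against a host you are allowed to test; the checks below run offline.
    """
    request = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    chunks: List[bytes] = []
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(request)
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


# Constructed responses: a default build, and the same server after the two directives.
LEAKY_RESPONSE = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Server: Apache/2.2.15 (CentOS)\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n\r\n"
    b"<html><body><h1>Not Found</h1>\n"
    b"<address>Apache/2.2.15 (CentOS) Server at www.example.com Port 80</address>\n"
    b"</body></html>"
)
HARDENED_RESPONSE = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n\r\n"
    b"<html><body><h1>Not Found</h1>\n</body></html>"
)

if __name__ == "__main__":
    for label, raw in (("default", LEAKY_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_disclosure(raw) or ["no disclosure"])
```

Against a live host, `audit_disclosure(fetch_raw("www.example.com"))` does the same check on a real 404 page; an empty list is what the two directives should produce.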

Re: [users@httpd] Hiding Apache version info on the Aix server for Apache.

2017-03-14 Thread Mitchell Krog Photography
Sorry typo ….  /etc/apache2/conf-available/security.conf



From: Chunduru, Krishnachaithanya


Reply: users@httpd.apache.org 

Date: 14 March 2017 at 1:56:04 PM
To: users@httpd.apache.org  
Subject:  [users@httpd] Hiding Apache version info on the Aix server for
Apache.

Hi All,



Can anyone please let me know how to hide the apache version and the OS
name running on Aix server.



The servertokens or the server signature fields are set to PROD and
signature off, then I tried restarting the httpd but apache was not
starting until these two parameters are removed from the config file.



*Regards,*

*Krishna*





Re: [users@httpd] Hiding Apache version info on the Aix server for Apache.

2017-03-14 Thread Mitchell Krog Photography
What happens when you run a configtest? On your distro it could be either

sudo apachectl configtest

or

sudo apache2ctl configtest


Really wish package maintainers would agree on some kind of layout standard
for the Apache directory structure between distros.




From: Yehuda Katz <yeh...@ymkatz.net>
Reply: Yehuda Katz <yeh...@ymkatz.net>
Date: 14 March 2017 at 3:58:48 PM
To: users@httpd.apache.org
Cc: Mitchell Krog Photography <mitchellk...@gmail.com>
Subject:  Re: [users@httpd] Hiding Apache version info on the Aix server
for Apache.

HTTPD should be logging somewhere, often /var/log/httpd or
/var/log/apache2. See if there is an error there.

- Y

On Tue, Mar 14, 2017 at 9:35 AM, Chunduru, Krishnachaithanya <
krishnachaithanya.chund...@broadridge.com> wrote:

> Hi,
>
>
>
> No, I was not getting any error. When the script is executed, it gives a
> message like “starting Apache”; later, when we check, the process is
> not running.
>
>
>
> I can’t even find the /etc/conf-* dir in our Aix server.
>
>
>
> *Regards,*
>
> *Krishna*
>
>
>
> * From:* Yehuda Katz [mailto:yeh...@ymkatz.net]
> *Sent:* Tuesday, March 14, 2017 7:02 PM
> *To:* users@httpd.apache.org
> *Cc:* Mitchell Krog Photography
>
> *Subject:* Re: [users@httpd] Hiding Apache version info on the Aix server
> for Apache.
>
>
>
> /etc/conf-available/security.conf is part of the Debian/Ubuntu packaged
> layout of HTTPD, not standard.
>
>
>
> Do you get an error when you try to start up the server?
>
>
>
> - Y
>
>
>
> On Tue, Mar 14, 2017 at 9:08 AM, Chunduru, Krishnachaithanya <
> krishnachaithanya.chund...@broadridge.com> wrote:
>
> Hi,
>
>
>
> I couldn’t find the file security.conf.
>
>
>
> We are having 2.4.x version running. I have only /etc/httpd/ dir, but not
> /etc/apache2. Can you please help me if there are any other files to check.
>
>
>
> *Regards,*
>
> *Krishna*
>
>
>
> * From:* Mitchell Krog Photography [mailto:mitchellk...@gmail.com]
> *Sent:* Tuesday, March 14, 2017 5:54 PM
> *To:* Chunduru, Krishnachaithanya; users@httpd.apache.org
> *Subject:* Re: [users@httpd] Hiding Apache version info on the Aix server
> for Apache.
>
>
>
> Sorry typo ….  /etc/apache2/conf-available/security.conf
>
>
>
>
>
>
> From: Chunduru, Krishnachaithanya <krishnachaithanya.chunduru@broadridge.com>
> Reply: users@httpd.apache.org
> Date: 14 March 2017 at 1:56:04 PM
> To: users@httpd.apache.org
> Subject:  [users@httpd] Hiding Apache version info on the Aix server for
> Apache.
>
>
>
> Hi All,
>
>
>
> Can anyone please let me know how to hide the apache version and the OS
> name running on Aix server.
>
>
>
> The servertokens or the server signature fields are set to PROD and
> signature off, then I tried restarting the httpd but apache was not
> starting until these two parameters are removed from the config file.
>
>
>
> *Regards,*
>
> *Krishna*
>
>
>
>
>


Re: [users@httpd] Hiding Apache version info on the Aix server for Apache.

2017-03-14 Thread Mitchell Krog Photography
Not sure what version of apache you are using but in versions 2.4.x the
modification is done in /etc/conf-available/security.conf and not in the
http.conf or apache2.conf file.



From: Chunduru, Krishnachaithanya


Reply: users@httpd.apache.org 

Date: 14 March 2017 at 1:56:04 PM
To: users@httpd.apache.org  
Subject:  [users@httpd] Hiding Apache version info on the Aix server for
Apache.

Hi All,



Can anyone please let me know how to hide the apache version and the OS
name running on Aix server.



The servertokens or the server signature fields are set to PROD and
signature off, then I tried restarting the httpd but apache was not
starting until these two parameters are removed from the config file.



*Regards,*

*Krishna*





Re: [users@httpd] Webserver intranet https categorized for insecure for broesers.

2017-02-20 Thread Mitchell Krog Photography
That’s because you have generated your own certificates, they are not
trusted by any browser.

Get yourself a fully trusted free SSL certificate using the Certbot client
from Let’s Encrypt.
https://letsencrypt.org / https://community.letsencrypt.org



From: Rodrigo Cunha  
Reply: users@httpd.apache.org 

Date: 21 February 2017 at 12:11:04 AM
To: users@httpd.apache.org  
Subject:  [users@httpd] Webserver intranet https categorized for insecure
for broesers.

Dear all, I set up an environment with key and CSR files in the respective
directories so my websites work over the HTTPS protocol.
My settings work fine, but in my browser I get alerts for insecure
websites.
I think my local browser alerts because the certificates are not valid, but I
don't want to pay for valid certificates for my local web server.
How do I set up my environment so there is no insecure alert for my local web hosts?

My web host config follows:


ServerName www.wiki.oduvaldocozzi.intranet
DocumentRoot /opt/www/www.wiki.oduvaldocozzi.intranet/public_html
DirectoryIndex index.html index.php
ServerAlias wiki.oduvaldocozzi.intranet

SSLEngine On
SSLCertificateFile /etc/ssl/certs/wiki.crt
SSLCertificateKeyFile /etc/ssl/private/wiki.key

SSLRequireSSL On
SSLVerifyClient optional
SSLVerifyDepth 1
SSLOptions +StdEnvVars +StrictRequire




--
Atenciosamente,
Rodrigo da Silva Cunha
São Gonçalo, RJ - Brasil


Re: [users@httpd] apache2 config test failed

2017-02-20 Thread Mitchell Krog Photography
Line 219 of your .conf file reads "IncludeOptional sites-enabled/*.conf”

that’s where it starts loading the sites you have configured and that’s
where it is failing. So start looking for errors on line 32 of one of your
sites-enabled conf files and not for an error in your apache2.conf, which
looks perfectly bog standard and fine to me.

Either that, or disable all sites and enable them one by one, doing an
“apache2ctl configtest” each time, and you will find the culprit.

Hope you come right.
Cheers ;)


From: Daniel Baker 

Reply: users@httpd.apache.org 

Date: 21 February 2017 at 3:17:02 AM
To: users@httpd.apache.org  
Subject:  [users@httpd] apache2 config test failed

Hi,

Apache fails to start on a Ubuntu 16.04   Virtual Machine.

The error says  a syntax error however when I compare a working
apache2.conf to a non working apache2.conf  version I can see that both
configs are identical.


The error says a syntax error :

ERROR:

systemctl status apache2.service
● apache2.service - LSB: Apache2 web server
   Loaded: loaded (/etc/init.d/apache2; bad; vendor preset: enabled)
  Drop-In: /lib/systemd/system/apache2.service.d
   └─apache2-systemd.conf
   Active: failed (Result: exit-code) since Tue 2017-02-21 05:05:04 ICT;
17s ago
 Docs: man:systemd-sysv-generator(8)
  Process: 24742 ExecStart=/etc/init.d/apache2 start (code=exited,
status=1/FAILURE)

Feb 21 05:05:04 ubuntu apache2[24742]:  *
Feb 21 05:05:04 ubuntu apache2[24742]:  * The apache2 configtest failed.
Feb 21 05:05:04 ubuntu apache2[24742]: Output of config test was:
Feb 21 05:05:04 ubuntu apache2[24742]: *apache2: Syntax error on line 219
of /etc/apache2/apache2.conf: Syntax error on line 32*
Feb 21 05:05:04 ubuntu apache2[24742]: Action 'configtest' failed.
Feb 21 05:05:04 ubuntu apache2[24742]: The Apache error log may have more
information.
Feb 21 05:05:04 ubuntu systemd[1]: apache2.service: Control process exited,
code=exited status=1
Feb 21 05:05:04 ubuntu systemd[1]: Failed to start LSB: Apache2 web server.
Feb 21 05:05:04 ubuntu systemd[1]: apache2.service: Unit entered failed
state.
Feb 21 05:05:04 ubuntu systemd[1]: apache2.service: Failed with result
'exit-code'.





 journalctl -xe
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- The system clock has been changed to REALTIME microseconds after January
1st, 1970.
Feb 21 05:06:34 ubuntu systemd[1]: snapd.refresh.timer: Adding 3h 53min
28.746372s random time.
Feb 21 05:06:34 ubuntu systemd[1]: apt-daily.timer: Adding 2h 8min
4.565188s random time.
Feb 21 05:09:01 ubuntu CRON[25087]: pam_unix(cron:session): session opened
for user root by (uid=0)
Feb 21 05:09:01 ubuntu CRON[25088]: (root) CMD (  [ -x
/usr/lib/php/sessionclean ] && /usr/lib/php/sessionclean)
Feb 21 05:09:02 ubuntu CRON[25087]: pam_unix(cron:session): session closed
for user root
Feb 21 05:09:02 ubuntu postfix/pickup[25040]: 55E2661615: uid=0 from=
Feb 21 05:09:02 ubuntu postfix/cleanup[25131]: 55E2661615:
message-id=<20170220220902.55E2661615@ubuntu>
Feb 21 05:09:02 ubuntu postfix/qmgr[3227]: 55E2661615: from=,
size=767, nrcpt=1 (queue active)
Feb 21 05:09:02 ubuntu postfix/local[25133]: 55E2661615: to=,
orig_to=, relay=local, delay=0.45, delays=0.2
Feb 21 05:09:02 ubuntu postfix/qmgr[3227]: 55E2661615: removed
Feb 21 05:11:09 ubuntu ntpd[1524]: 203.158.118.2 local addr 192.168.0.103
-> 
Feb 21 05:12:02 ubuntu ntpd[1524]: 61.216.153.107 local addr 192.168.0.103
-> 
Feb 21 05:12:14 ubuntu ntpd[1524]: 61.216.153.105 local addr 192.168.0.103
-> 
Feb 21 05:12:56 ubuntu systemd[1]: Starting LSB: Apache2 web server...
-- Subject: Unit apache2.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit apache2.service has begun starting up.
Feb 21 05:12:56 ubuntu apache2[25210]:  * Starting Apache httpd web server
apache2
Feb 21 05:12:56 ubuntu apache2[25210]:  *
Feb 21 05:12:56 ubuntu apache2[25210]:  * The apache2 configtest failed.
Feb 21 05:12:56 ubuntu apache2[25210]: Output of config test was:
Feb 21 05:12:56 ubuntu apache2[25210]: *apache2: Syntax error on line 219
of /etc/apache2/apache2.conf: Syntax error on line 32*
Feb 21 05:12:56 ubuntu apache2[25210]: Action 'configtest' failed.
Feb 21 05:12:56 ubuntu apache2[25210]: The Apache error log may have more
information.
Feb 21 05:12:56 ubuntu systemd[1]: apache2.service: Control process exited,
code=exited status=1
Feb 21 05:12:56 ubuntu systemd[1]: Failed to start LSB: Apache2 web server.
-- Subject: Unit apache2.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit apache2.service has failed.
--
-- The result is failed.
Feb 21 05:12:56 ubuntu systemd[1]: apache2.service: Unit entered failed
state.
Feb 21 

Re: [users@httpd] apache 2.4.10 sslv3 not offering when tls is enabled

2017-02-09 Thread Mitchell Krog Photography
Your SSL config for Apache 2.4.10 should be as follows


...
SSLEngine on
SSLCertificateFile      /path/to/signed_certificate_followed_by_intermediate_certs
SSLCertificateKeyFile   /path/to/private/key

# Uncomment the following directive when using client certificate
authentication
#SSLCACertificateFile   /path/to/ca_certs_for_client_authentication


# HSTS (mod_headers is required) (15768000 seconds = 6 months)
Header always set Strict-Transport-Security "max-age=15768000"
...


# intermediate configuration, tweak to your needs
SSLProtocol all -SSLv3
SSLCipherSuite
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on
SSLCompression  off


# OCSP Stapling, only in httpd 2.3.3 and later
SSLUseStapling  on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache        shmcb:/var/run/ocsp(128000)


Always check with >
https://mozilla.github.io/server-side-tls/ssl-config-generator/




From: Christopher Schultz 

Reply: users@httpd.apache.org 

Date: 10 February 2017 at 12:15:30 AM
To: users@httpd.apache.org  
Subject:  Re: [users@httpd] apache 2.4.10 sslv3 not offering when tls is
enabled

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Daniel,

On 2/9/17 4:53 PM, Daniel wrote:
> Try manually:
>
> SSLProtocol SSLv3 TLSv1 TLSv1.1 TLSv1.2

And, please, for the love of god, add these, too:

SSLHonorCipherOrder On
SSLCipherSuite TLSv1.2:TLSv1.1:TLSv1:SSLv3

This will cause "better" ciphers to be preferred over the lesser ones.
Don't forget to eliminate the insecure ones like EXPORT, MD5, DES,
RC4, etc.

A typical cipher string I might use looks like this:

SSLCipherSuite !aNULL:!eNULL:!EXPORT:!DSS:!DES:!SSLv2:!RC4:ECDHE:ECDH:DHE:AES256-GCM-SHA384:AES128-GCM-SHA256:HIGH

- -chris

> 2017-02-09 17:30 GMT+01:00 Sven Crul  >:
>
> Hi,
>
>
> I switch to debian with apache 2.4.10 where I need sslv3 for
> backwards compatibility with some OLD clients
>
> I use openssl 1.0.1t (latest stable for debian)
>
>
> with the settings "sslprotocol all" in ssl.conf sslv3 is not
> offered
>
> with the setting "sslprotocol sslv3" in ssl.conf it works but
> unfortunately without tls (I need TLS also)
>
>
> I must be the only one who has this problem because can't find
> anything about it anywhere, and I tried about anything there is
>
>
> sslprotocol all +sslv3 ... etc nothing works
>
>
> Anybody has an idea
>
>
> THX!
>
> Sven
>
>
>
>
>
>
> -- *Daniel Ferradal* IT Specialist
>
> email dferradal at gmail.com  linkedin
> es.linkedin.com/in/danielferradal
> 

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
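Apache passes SSLCipherSuite to OpenSSL unchanged, so the list posted above, and the "eliminate the insecure ones" advice in the quoted reply, can be checked on the exact OpenSSL build a server links against before the config is deployed. The following is an added example, not code from the thread or from the httpd or Mozilla projects: it expands a cipher string through the OpenSSL linked into Python's ssl module, flags the suite families that should never survive a hardening pass, and verifies that the forward-secret (ECDHE/DHE) suites come first, which is what SSLHonorCipherOrder on then enforces on the wire. INTERMEDIATE is the list from the post; which names actually appear depends on the local OpenSSL version and build options (ChaCha20 and 3DES are the usual variables), which is exactly why the check belongs on the deployment host.

```python
"""Expand an Apache SSLCipherSuite string with the local OpenSSL and flag weak suites.

Added example, not code from the original thread. INTERMEDIATE is the cipher
list posted above; the expansion uses the OpenSSL linked into Python's ssl
module, so the exact result depends on that library's version and build.
"""
import re
import ssl
from typing import List

# The list from the post, split for readability and re-joined with ':' below.
INTERMEDIATE = ":".join([
    "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA256",
    "ECDHE-ECDSA-AES128-SHA", "ECDHE-RSA-AES256-SHA384", "ECDHE-RSA-AES128-SHA",
    "ECDHE-ECDSA-AES256-SHA384", "ECDHE-ECDSA-AES256-SHA", "ECDHE-RSA-AES256-SHA",
    "DHE-RSA-AES128-SHA256", "DHE-RSA-AES128-SHA",
    "DHE-RSA-AES256-SHA256", "DHE-RSA-AES256-SHA",
    "ECDHE-ECDSA-DES-CBC3-SHA", "ECDHE-RSA-DES-CBC3-SHA", "EDH-RSA-DES-CBC3-SHA",
    "AES128-GCM-SHA256", "AES256-GCM-SHA384", "AES128-SHA256", "AES256-SHA256",
    "AES128-SHA", "AES256-SHA", "DES-CBC3-SHA", "!DSS",
])

# Families a hardening pass should never see in the expansion: RC4, NULL/export/anonymous
# suites, MD5 MACs and single DES ("DES-CBC-", which does not match 3DES's "DES-CBC3-").
WEAK_RE = re.compile(r"RC4|NULL|EXP|MD5|ADH|AECDH|DES-CBC-")


def expand_cipher_string(spec: str) -> List[str]:
    """Cipher names OpenSSL enables for spec, in the order the server prefers them.

    TLS 1.3 suites are configured separately in OpenSSL and are left out here.
    Raises ssl.SSLError if nothing matches, i.e. the SSLCipherSuite would be unusable.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def weak_suites(names: List[str]) -> List[str]:
    """The subset of names that should have been excluded."""
    return [n for n in names if WEAK_RE.search(n)]


def pfs_first(names: List[str]) -> bool:
    """True if every forward-secret suite (ECDHE/DHE/EDH) precedes every static-RSA suite."""
    is_pfs = [n.startswith(("ECDHE-", "DHE-", "EDH-")) for n in names]
    first_static = is_pfs.index(False) if False in is_pfs else len(names)
    return not any(is_pfs[first_static:])


if __name__ == "__main__":
    enabled = expand_cipher_string(INTERMEDIATE)
    print(f"{len(enabled)} suites enabled by this OpenSSL ({ssl.OPENSSL_VERSION})")
    for name in enabled:
        print("  ", name)
    print("weak suites:", weak_suites(enabled) or "none")
    print("forward secrecy preferred first:", pfs_first(enabled))
```

The same three checks applied to a candidate string before it goes into ssl.conf catch the two mistakes the thread is about: a list that still carries RC4 or single DES, and a list whose order puts static RSA ahead of ECDHE so that SSLHonorCipherOrder on locks in the wrong preference.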


Re: [users@httpd] am i hacked ?

2017-02-06 Thread Mitchell Krog
I see these type of attack strings all the time on Nginx except Nginx gives
a 403. Apache is notoriously bad with security and giving 200 ok responses
makes you  yourself. A reason  I and many other people have switched.
User support on this list was also non existent when I ran into serious SSL
problems with 2.4 that until today have been ignored and unanswered.

On 06 Feb 2017 19:21, "Ken Robinson"  wrote:

>
>
> On 2017-02-06 12:08 pm, Lentes, Bernd wrote:
>
> The first line is trying to create the file webconfig.txt.php in your
>>> DOCUMENT_ROOT directory, with the contents of the file being:
>>>
>>> 
>>>
>>> I didn't decode the remaining lines. I think they're just trying to do
>>> the same
>>> thing.
>>>
>>
>> Fortunately there is no webconfig.txt.php. And all folders in /srv/www
>> belongs to root and user wwwrun
>> is not allowed to write there.
>>
>
> What seems to be happening here is that your system is being probed for
> vulnerabilities.
>
> The attacker is sending a payload string to your index.php file in hopes
> that it will not complain and write the string to the file
> webconfig.txt.php which the attacker would then attempt to get to with the
> real hack in the Posted contents. Are there any requests to get to that
> file?
>
> You should make sure you sanitized any input to your index.php and reject
> anything that's not expected.
>
> Ken
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>
>


Re: [users@httpd] Unknown accepted traffic to my site

2016-10-08 Thread Mitchell Krog Photography
Thanks Spork for the detailed reply you got from Berkeley, I got a similar one, 
though not quite as detailed. I think the problem with Apache is that it is 
simply an index.html sending a 200 “OK” and not actually replying to say yes I 
am infected with whatever it is they are looking for. At the time when I first 
noticed this I looked into various ways of getting Apache to send a 400 or 403 
but it involved messy rewrite rules which I just hate.

Seeing that I am now seeing this same string in various different formats
coming in daily now from IPs all over the globe, I would say whatever infected
servers out there that have already been implanted with this malicious
software are now perhaps being called into action, possibly a big DDoS attack
planned or something else of a more sinister nature. Seeing that Berkeley are
working with and reporting this to law enforcement makes me believe there is
something quite sinister behind all of this.

Anyways, certainly a very interesting one to keep an eye on. I am now also
seeing similarly formatted strings coming in over the past few days, as per
the example below, which now also seem to be targeting SQL servers. Luckily
none of mine are open to the public and only run as localhost, but I am sure a
lot of people with port 3306 exposed are in for something being planned.

This example below came in as a User-Agent string this morning in my logs, so 
not only are they sending crazy formatted strings via normal http / https 
requests but also now forging user agent string with similar stuff. 

"}__test|O:21:\x22JDatabaseDriverMysqli\x22:3:{s:2:\x22fc\x22;O:17:\x22JSimplepieFactory\x22:0:{}s:21:\x22\x5C0\x5C0\x5C0disconnectHandlers\x22;a:1:{i:0;a:2:{i:0;O:9:\x22SimplePie\x22:5:{s:8:\x22sanitize\x22;O:20:\x22JDatabaseDriverMysql\x22:0:{}s:8:\x22feed_url\x22;s:46:\x22eval($_REQUEST[1]);JFactory::getConfig();exit;\x22;s:19:\x22cache_name_function\x22;s:6:\x22assert\x22;s:5:\x22cache\x22;b:1;s:11:\x22cache_class\x22;O:20:\x22JDatabaseDriverMysql\x22:0:{}}i:1;s:4:\x22init\x22;}}s:13:\x22\x5C0\x5C0\x5C0connection\x22;b:1;}\xFD\xFD\xFD\xFD
 “

I must say every morning there is always something interesting to be found in 
one’s logs, sadly a great deal of people running servers out there don’t seem 
to monitor their logs as frequently as they should if at all.


Kind Regards
Mitchell
https://mitchellkrog.com







From: Spork Schivago 
Reply: users@httpd.apache.org 
Date: 07 October 2016 at 8:10:58 AM
To: users@httpd.apache.org 
Subject:  Re: [users@httpd] Unknown accepted traffic to my site  

Oh!   Tawasol, I forgot.   If you're not already doing so, you should have your 
server scanned for vulnerabilities.  There's free websites out there that can 
do this, like https://scanmyserver.com/

I believe nmap can also help you scan your server, although I don't think it 
was really designed for vulnerability scanning.   There's free for personal use 
programs, like Nessus.   The free version of Nessus only works on the local 
area network though.   However, websites like https://scanmyserver.com use the 
paid version of Nessus.   So, you can have your server scanned with Nessus by 
using something like scanmyserver.com.

If there's any exploits installed, the vulnerability scanner(s) should detect 
them.   Just make sure to whitelist the IP address in LFD and CSF before 
proceeding and double check the logs to make sure that CSF / LFD doesn't block 
the scanning website.

On Fri, Oct 7, 2016 at 1:53 AM, Spork Schivago  wrote:
Tawasol,

You might want to look into more than just mod_security.  For example, there's 
modules out there for PHP, for instance, that will make PHP run as a certain 
user.   If someone manages to take advantage of some poorly written PHP code, 
for example, they would only have limited user access and only be able to 
access the files in the directory where the html files are being stored.

I have crontab entries setup to scan for rootkits and do a bunch of other 
things.

Another program you might want to look into is ClamAV.   It's freeware.

Mod_security I like the best though.   It really does catch a lot of bad stuff. 
 It can be a bit confusing setting it up though.   Best of luck.

On Fri, Oct 7, 2016 at 1:31 AM, Tawasol Go  wrote:
I use CentOS 7.x also CSF/LFD installed.
Till now they did not get into the server.

I'll look into mod_security.

Thanks,

On Fri, Oct 7, 2016 at 1:01 AM, Anthony Biacco  wrote:


On Thu, Oct 6, 2016 at 3:42 PM, Spork Schivago  wrote:
Are you sure they haven't successfully found away in?   There are some free 
programs that I use to help prevent this stuff.   ConfigServer Firewall / LFD 
is a good one.   Rkhunter and chkrootkit scan for rootkits.   The big one that 
helps the most, I feel, is Mod Security.   That's the one that 

RE: [users@httpd] Unknown accepted traffic to my site

2016-10-06 Thread Mitchell Krog Photography
That could well be the case. I have two trap web sites set up which monitor 
this stuff and both the http and https get hit daily, in fact the non https 
site gets hit much more frequently. Still interested to know if anyone has any 
more in depth information on exactly what this type of exploit is. Can’t for 
the life of me find the reply I got from Berkeley on it.

KR
Mitchell
https://mitchellkrog.com



From: Joe Muller <jmul...@arccorp.com>
Reply: users@httpd.apache.org <users@httpd.apache.org>
Date: 05 October 2016 at 6:26:54 PM
To: users@httpd.apache.org <users@httpd.apache.org>, tawaso...@gmail.com 
<tawaso...@gmail.com>
Subject:  RE: [users@httpd] Unknown accepted traffic to my site

From the looks of it I would say it is targeting servers running SSL.  Are you 
serving up HTTP or HTTPS ?

 
From: Mitchell Krog Photography
Sent: Wednesday, October 05, 2016 8:18:38 AM
To: Tawasol Go; users@httpd.apache.org
Subject: Re: [users@httpd] Unknown accepted traffic to my site

It’s some kind of buffer overflow attempt. I’ve been seeing this in logs for 
months. It started a few months back with the Berkeley University Scanner who 
are researching by sending out a string like that and then seeing what response 
they get. It’s to check for some kind of exploit. Their IP for their scanner is 
169.229.3.91 but now in the last 8 weeks I am seeing the same string coming in 
from numerous other IP addresses. 

I no longer run Apache after 9 years of using it, Nginx is unaffected 
completely in any way by that kind of buffer overflow string but I cannot speak 
for Apache anymore personally as I switched over 4 months ago due to numerous 
issues with Apache I could not handle anymore. 

My one problem is that Apache as per your logs (I had the same in my apache 
logs) gives a 200 “OK” response whereas Nginx responds to that with a 400 “Bad 
Response”.

So exactly what that flaw or web server that string is intended to exploit is 
still unknown to me but still keeping a close eye on it daily. I personally 
have felt since I first started noticing it that it is perhaps targeting Apache 
but that is merely a whim and I have nothing concrete to back that up.

For more info on the Berkeley scanner project, visit
http://secure-web.cisco.com/1kSe4hH5QaFg5iurDPeLNPEj2NfHD71wJ6ewbgosIG0LZCg4nnchPkhh5UrR8zZG_jbf6-f9AO2Jj0DRVnnFp6Zd8U8t8op7GBrxRIKs1l-mlyOSLHK_Bwd8Wt4Yc2WI-L_yWe_lHopRLE44Fd1oD0hhviJGCfuK8-WiTD293Qk2pUp9n0HmeFtTYXs8bWRiRBl7jm1O7K6ME5Et0IWSLtPfvQLMFkEnOf1t34ifD9hPt-HFblHBRG42diyg9VRacu4n5N7aVn5A_S3T3KRDR3RzGf81KOv7Mx6bqTSFPl_X934G7T3HCxyCrjcyqtGDlqplGwcTAX1MEExuH32QRyhZ7-8IpQkikfrH4wzNZjM0/http%3A%2F%2F169.229.3.91%2F
They do respond to emails, and if you want them not to scan your
server you just ask. But as I say it’s not just them running that exploit now, 
it comes from IP’s all over. 

KR
Mitchell



From: Tawasol Go <tawaso...@gmail.com>
Reply: users@httpd.apache.org <users@httpd.apache.org>
Date: 05 October 2016 at 12:01:58 PM
To: users@httpd.apache.org <users@httpd.apache.org>
Subject:  [users@httpd] Unknown accepted traffic to my site

Hello Guys,

Need to Understand this kind of traffic where I noticed many of them hitting my 
site.

IP
0.0.0.0 - - [02/Oct/2016:11:29:08 +0300] 
"n\x1d\xb6\x18\x9ad\xec[\x1d\b\xe6k\xbb\xe5L" 200 48605
0.0.0.0 - - [02/Oct/2016:16:04:20 +0300] 
"\x95\xa3\xb1\xce\xc8\xeb:\x86\x87\xb4\x03g\xfa~\x9f{\x07\xda\xef6O\xa1~\x91[\xf2\x05E\xac\xad\x8d\x9d\xbe\xf5\xfc\xc5\"\xed\xa3u"
 200 48605


Please advise.

Thanks,
Karim


Re: [users@httpd] Unknown accepted traffic to my site

2016-10-05 Thread Mitchell Krog Photography
It’s some kind of buffer overflow attempt. I’ve been seeing this in logs for 
months. It started a few months back with the Berkeley University Scanner who 
are researching by sending out a string like that and then seeing what response 
they get. It’s to check for some kind of exploit. Their IP for their scanner is 
169.229.3.91 but now in the last 8 weeks I am seeing the same string coming in 
from numerous other IP addresses. 

I no longer run Apache after 9 years of using it, Nginx is unaffected 
completely in any way by that kind of buffer overflow string but I cannot speak 
for Apache anymore personally as I switched over 4 months ago due to numerous 
issues with Apache I could not handle anymore. 

My one problem is that Apache as per your logs (I had the same in my apache 
logs) gives a 200 “OK” response whereas Nginx responds to that with a 400 “Bad 
Response”.

So exactly what that flaw or web server that string is intended to exploit is 
still unknown to me but still keeping a close eye on it daily. I personally 
have felt since I first started noticing it that it is perhaps targeting Apache 
but that is merely a whim and I have nothing concrete to back that up.

For more info on the Berkeley scanner project, visit http://169.229.3.91/.
They do respond to emails, and if you want them not to scan your
server you just ask. But as I say it’s not just them running that exploit now, 
it comes from IP’s all over. 

KR
Mitchell



From: Tawasol Go 
Reply: users@httpd.apache.org 
Date: 05 October 2016 at 12:01:58 PM
To: users@httpd.apache.org 
Subject:  [users@httpd] Unknown accepted traffic to my site  

Hello Guys,

Need to Understand this kind of traffic where I noticed many of them hitting my 
site.

IP
0.0.0.0 - - [02/Oct/2016:11:29:08 +0300] 
"n\x1d\xb6\x18\x9ad\xec[\x1d\b\xe6k\xbb\xe5L" 200 48605
0.0.0.0 - - [02/Oct/2016:16:04:20 +0300] 
"\x95\xa3\xb1\xce\xc8\xeb:\x86\x87\xb4\x03g\xfa~\x9f{\x07\xda\xef6O\xa1~\x91[\xf2\x05E\xac\xad\x8d\x9d\xbe\xf5\xfc\xc5\"\xed\xa3u"
 200 48605


Please advise.

Thanks,
Karim
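Both "Unknown accepted traffic" messages above come down to two log shapes: a request line that is not HTTP at all (binary bytes, which Apache logs escaped as \xNN) yet was answered 200 with a full page, and, later in the thread, a User-Agent carrying a serialized PHP object of the O:21:"JDatabaseDriverMysqli":… form. The following is an added example, not code from the thread, that parses Apache access-log lines and raises an alert for each shape so that this is caught by a log scan rather than by reading the logs every morning. The sample lines are constructed to mirror the quoted ones (the IPs are placeholders); the escaping rules are Apache's own for its access log, where `"` inside a quoted field is logged as `\"` and non-printable bytes as `\xNN`.

```python
"""Flag the two request shapes quoted in this thread in Apache access-log lines.

Added example, not code from the original posts. It parses common/combined log
lines and reports (1) a request line that is not an HTTP request at all, logged
by Apache with non-printable bytes escaped as \\xNN, that was nevertheless
answered with a success status, and (2) a User-Agent carrying a serialized PHP
object (O:<len>:"Class":<n>:{...}), the shape of the JDatabaseDriverMysqli
payload quoted above. The log lines below are constructed to mirror the quoted ones.
"""
import re
from typing import Dict, List, Optional, Tuple

# Quoted log fields may contain Apache's \" and \xNN escapes, hence (?:[^"\\]|\\.)*.
QUOTED = r'(?:[^"\\]|\\.)*'
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>' + QUOTED + r')" '
    + r'(?P<status>\d{3}) (?P<size>\S+)'
    + r'(?: "(?P<ref>' + QUOTED + r')" "(?P<ua>' + QUOTED + r')")?'
)
# What a real request line looks like: METHOD SP target SP HTTP/x.y
HTTP_REQUEST_LINE_RE = re.compile(r"^[A-Z]{3,10} \S+ HTTP/\d\.\d$")
ESCAPED_BYTE_RE = re.compile(r"\\x[0-9A-Fa-f]{2}")
# PHP serialized object header; the quotes around the class name reach the log as \x22 or \".
Q = r'(?:\\x22|\\"|")'
PHP_OBJECT_RE = re.compile(r"O:\d+:" + Q + r"[A-Za-z_]\w*" + Q + r":\d+:\{")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Fields of one access-log line, or None if it is not in common/combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: Dict[str, str]) -> List[str]:
    """Alerts for one parsed entry; an empty list means nothing suspicious."""
    alerts: List[str] = []
    req, status, size = entry["req"], int(entry["status"]), entry["size"]
    if not HTTP_REQUEST_LINE_RE.match(req):
        what = "binary request line" if ESCAPED_BYTE_RE.search(req) else "malformed request line"
        if 200 <= status < 300:
            alerts.append(f"{what} answered {status} with {size} bytes")
        else:
            alerts.append(f"{what} answered {status}")
    if PHP_OBJECT_RE.search(entry.get("ua") or ""):
        alerts.append("serialized PHP object in User-Agent (object-injection probe)")
    return alerts


def scan(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """(client ip, alerts) for every line that parses and raises at least one alert."""
    flagged: List[Tuple[str, List[str]]] = []
    for line in lines:
        entry = parse_line(line)
        if entry:
            alerts = classify(entry)
            if alerts:
                flagged.append((entry["ip"], alerts))
    return flagged


# Constructed sample log; the first two lines mirror the ones quoted in the thread.
SAMPLE_LOG = [
    r'0.0.0.0 - - [02/Oct/2016:11:29:08 +0300] "n\x1d\xb6\x18\x9ad\xec[\x1d\b\xe6k\xbb\xe5L" 200 48605',
    r'0.0.0.0 - - [02/Oct/2016:16:04:20 +0300] "\x95\xa3\xb1\xce\xc8\xeb:\x86\x87\xb4\x03g\xfa~\x9f{\x07\xda\xef6O\xa1~\x91[\xf2\x05E\xac\xad\x8d\x9d\xbe\xf5\xfc\xc5\"\xed\xa3u" 200 48605',
    r'10.0.0.5 - - [08/Oct/2016:06:12:01 +0200] "GET / HTTP/1.1" 200 612 "-" '
    + r'"}__test|O:21:\x22JDatabaseDriverMysqli\x22:3:{s:2:\x22fc\x22;O:17:\x22JSimplepieFactory\x22:0:{}}"',
    r'10.0.0.6 - - [08/Oct/2016:06:12:02 +0200] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]

if __name__ == "__main__":
    for ip, alerts in scan(SAMPLE_LOG):
        print(ip, "->", "; ".join(alerts))
```

Feeding a real access_log through `scan()` gives one tuple per hit, which is the input a fail2ban-style blocker or a SIEM rule wants; the "answered 200 with N bytes" wording is deliberate, since the response size tells you whether the garbage was served the home page or a short error body.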


[users@httpd] mod_socache_shmcb

2016-08-02 Thread Mitchell Krog

Hi all

I am hoping someone can please give me a more concise description of 
what the socache_shmcb module is and what it actually does. The 
documentation at 
https://httpd.apache.org/docs/2.4/mod/mod_socache_shmcb.html is very 
vague and in 2 years has not changed. Google searches do not reveal much 
information other than people on forums saying enable the module for 
better performance and what not.


I just cannot get my head around what it is actually really designed to 
do and if one was to use it how to configure it. Guess as I said it will 
first help to know what it actually is.


Regards
Mitchell


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org