Re: [users@httpd] CVE-2023-38709: Apache HTTP Server: HTTP response splitting

2024-04-04 Thread Otis Dewitt - NOAA Affiliate
https://nvd.nist.gov/vuln/detail/CVE-2023-38909

MEDIUM

Otis DeWitt
Contractor with Concept Plus, LLC in support of
NOAA Fisheries NMFS / ST6  |  U.S. Department of Commerce
Office: (302) 648-7481 | otis.dew...@noaa.gov


"If there is no struggle, there is no progress."



On Thu, Apr 4, 2024 at 1:46 PM Mcalexander, Jon J.
 wrote:

> Is there a severity level for this one?
>
>
>
> *Dream * Excel * Explore * Inspire*
>
> Jon McAlexander
>
> Senior Infrastructure Engineer
>
> Asst. Vice President
>
> He/His
>
>
>
> Middleware Product Engineering
>
> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
>
>
>
> 8080 Cobblestone Rd | Urbandale, IA 50322
> MAC: F4469-010
>
> Tel 515-988-2508 | Cell 515-988-2508
>
>
>
> jonmcalexan...@wellsfargo.com
>
>
> *From:* Eric Covener 
> *Sent:* Thursday, April 4, 2024 8:57 AM
> *To:* annou...@apache.org; users@httpd.apache.org
> *Subject:* [users@httpd] CVE-2023-38709: Apache HTTP Server: HTTP
> response splitting
>
>
>
> Affected versions:
>
>
>
> - Apache HTTP Server through 2.4.58
>
>
>
> Description:
>
>
>
> Faulty input validation in the core of Apache allows malicious or exploitable 
> backend/content generators to split HTTP responses.
>
>
>
> This issue affects Apache HTTP Server: through 2.4.58.
>
>
>
> Credit:
>
>
>
> Orange Tsai (@orange_8361) from DEVCORE (finder)
>
>
>
> References:
>
>
>
> https://httpd.apache.org/
>
> https://www.cve.org/CVERecord?id=CVE-2023-38709
>
>
>
>
>
> -
>
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
>
> For additional commands, e-mail: users-h...@httpd.apache.org
>
>
>
>


Re: [users@httpd] question on CVE-2023-36760

2023-02-07 Thread Otis Dewitt - NOAA Affiliate
If you are not using "*Apache JServ Protocol (AJP)*" then the CVE does not
pertain to your Apache server.

On Mon, Feb 6, 2023 at 5:46 PM Thao, Pashia 
wrote:

> PWEB server is running a version of Apache affected.
>
>
>
> Our prod web server is running a version of the Apache affected by
> CVE-2023-36760, which
> is a critical vulnerability affecting versions of Apache server <= 2.4.54.
> *CVE-2023-36760
> allows for potential HTTP request smuggling from the Apache server through
> the Apache JServ Protocol (AJP) to the application server*.
>
>
>
> How do I check whether *AJP* is being utilized to proxy requests from the
> WEB server to the APPlication server? Also does that mean that if our WEB
> server does not use AJP, then that means we shouldn’t need to worry about
> this vulnerability and do not need to upgrade to the new Apache version,
> 2.4.55?
>
>
>
> Please clarify.
>
>
>
> Thank you,
>
> Pashia
>
>
>
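
One way to answer the "is AJP being used" question from the configuration itself, as an added example that is not part of the original thread: the script reports `in-use` when an active directive names an `ajp://` backend, `loaded-only` when mod_proxy_ajp is loaded but nothing points at it, and `absent` otherwise. The function names and sample files are constructed for illustration, and only files under the directory you pass are scanned, so configuration included from elsewhere is an assumption to check separately.

```shell
#!/bin/sh
# Added example (not from the thread): classify the AJP exposure of an httpd
# configuration tree. Function names and sample files are constructed.

# active_matches DIR REGEX
# Print "file:line:text" for every non-comment line under DIR matching REGEX.
# Exit status is 0 when at least one active line matched, 1 otherwise.
active_matches() {
    grep -rniE -- "$2" "$1" 2>/dev/null |
        grep -vE '^[^:]*:[0-9]+:[[:space:]]*#'
}

# ajp_status DIR
# Echo one of:
#   in-use       an active directive (ProxyPass, BalancerMember, ...) names
#                an ajp:// backend
#   loaded-only  mod_proxy_ajp is loaded but nothing points at ajp://
#   absent       neither was found
ajp_status() {
    if active_matches "$1" 'ajp://' >/dev/null; then
        echo in-use
    elif active_matches "$1" 'LoadModule[[:space:]]+proxy_ajp_module' >/dev/null; then
        echo loaded-only
    else
        echo absent
    fi
}

# make_sample DIR KIND: write a constructed configuration of the given KIND
# (absent, loaded-only or in-use). The commented-out ajp:// line is there to
# show that disabled directives are not counted.
make_sample() {
    mkdir -p "$1/conf.d"
    cat > "$1/httpd.conf" <<'EOF'
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
ProxyPass /static http://127.0.0.1:8080/static
# ProxyPass /old ajp://127.0.0.1:8009/old
EOF
    case $2 in
        loaded-only|in-use)
            echo 'LoadModule proxy_ajp_module modules/mod_proxy_ajp.so' \
                >> "$1/httpd.conf" ;;
    esac
    if [ "$2" = in-use ]; then
        cat > "$1/conf.d/app.conf" <<'EOF'
<VirtualHost *:80>
    ProxyPass /app ajp://127.0.0.1:8009/app
</VirtualHost>
EOF
    fi
}

demo() {
    tmp=$(mktemp -d) || return 1
    for kind in absent loaded-only in-use; do
        make_sample "$tmp/$kind" "$kind"
        printf '%-12s -> %s\n' "$kind" "$(ajp_status "$tmp/$kind")"
    done
    echo 'Active AJP lines in the in-use sample:'
    active_matches "$tmp/in-use" 'ajp://|proxy_ajp_module'
    rm -rf "$tmp"
}
demo
```

On a real server, point `ajp_status` at the directory that holds the main configuration and its included files.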


Re: [users@httpd] Httpd is hanging intermittently

2021-09-24 Thread Otis Dewitt - NOAA Affiliate
I did not find many but here are some notes for Yocto.

1.)
http://ch.ege.io/blog/2015/05/04/using-h-slash-w-randaom-generator-on-odrod-c1-with-yocto/
2.)  https://wiki.yoctoproject.org/wiki/Entropy_on_Autobuilders

Thanks,
Otis

On Fri, Sep 24, 2021 at 9:14 AM alchemist vk  wrote:

> Thanks Dewitt for very thorough and insightful explanation. We are using
> Yocto packaged linux version with openssl version being OpenSSL 1.1.1k-fips
>  25 Mar 2021.
>
> With Regards,
> Venkatesh
>
> On Fri, Sep 24, 2021 at 12:11 AM Otis Dewitt - NOAA Affiliate
>  wrote:
>
>> No problem Venkatesh.
>>
>> No, I don't know how to generate entropy in Apache because I think Apache
>> uses the system entropy.
>> You can check how many are available via: "cat
>> /proc/sys/kernel/random/entropy_avail".
>>
>> Under the system I know of two different packages, one *rngd* and the
>> other *haveged*.
>>
>> The *rngd* daemon, which is a part of the rng-tools package, is capable
>> of using both environmental noise and hardware random number generators for
>> extracting entropy. The daemon checks whether the data supplied by the
>> source of randomness is sufficiently random and then stores it in the
>> kernel's random-number entropy pool. The random numbers it generates are
>> made available through the /dev/random and /dev/urandom character
>> devices.
>>
>> The *haveged* project is an attempt to provide an easy-to-use,
>> unpredictable random number generator based upon an adaptation of the
>> HAVEGE <http://www.irisa.fr/caps/projects/hipsor/> algorithm. Haveged
>> was created to remedy low-entropy conditions in the Linux random device
>> that can occur under some workloads, especially on headless servers.
>> Current development of haveged is directed towards improving overall
>> reliability and adaptability while minimizing the barriers to using haveged
>> for other tasks.
>>
>> What OS are you using? Redhat CentOS etc . . .
>>
>>
>> On Thu, Sep 23, 2021 at 2:06 PM alchemist vk 
>> wrote:
>>
>>> Thanks Dewitt for your inputs.
>>> Will check from system perspective how to generate more entropy and
>>> resolve this issue.
>>>
>>> Do you know, how to generate more entropy in system or via apache so
>>> that it can never be deprived of entropy?
>>>
>>> With Regards,
>>> Venkatesh
>>>
>>> On Thu, Sep 23, 2021 at 8:46 PM Otis Dewitt - NOAA Affiliate
>>>  wrote:
>>>
>>>> Hmm I see, I am not sure why you did not get this right away when
>>>> switching from openssl to openssl-fips because FIPS requires a lot of
>>>> entropy
>>>> and if this is on VMWARE, that has very poor entropy unless you use an
>>>> entropy generator like "*haveged*" or load the *virtio_rng* kernel module.
>>>> As I said before I am not sure how you will fix this without generating
>>>> more entropy, it seems the system is unable to create enough and
>>>> there is no way around this.
>>>>
>>>>
>>>> On Thu, Sep 23, 2021 at 1:15 AM alchemist vk 
>>>> wrote:
>>>>
>>>>> Thanks *Jon* for openssl command confirmation.
>>>>> *@ylavik*,
>>>>>  It's a Linux OS and the openssl version is 1.1.1k-fips. I have not yet
>>>>> explored with SSLRandomSeed changes.
>>>>>  Yes, we upgraded openssl a few months back to 1.1.1k, but we are
>>>>> seeing this httpd hangs issue from last month.
>>>>>
>>>>> *@otis Dewitt*, Since it's production code in systems, I can't install
>>>>> haveged and try it out.
>>>>>
>>>>>
>>>>> On Thu, Sep 23, 2021 at 4:57 AM Otis Dewitt - NOAA Affiliate
>>>>>  wrote:
>>>>>
>>>>>>
>>>>>> I don't think "insufficient entropy" has anything to do with Apache,
>>>>>> but you could try installing "haveged" rpm.
>>>>>> That may solve your problem.
>>>>>>
>>>>>> On Wed, Sep 22, 2021 at 2:11 PM alchemist vk 
>>>>>> wrote:
>>>>>>
>>>>>>> Hi All,
>>>>>>>  We are using httpd version 2.4.46 and it's working fine for a long
>>>>>>> time. But recently, we started seeing an issue where apache hangs
>>>>>>> indefinitely even when the system is in idle state.
>>>>>>> And when apache hangs, I see below entries in error_log:
>>>>>>> [Tue Sep 21 22:05:53.243013 2021] [ssl:warn] [pid 5769:tid
>>>>>>> 2644435888] AH01990: Server: PRNG still contains insufficient entropy!
>>>>>>> [Tue Sep 21 22:05:54.501476 2021] [ssl:warn] [pid 5769:tid
>>>>>>> 2787111856] AH01990: Server: PRNG still contains insufficient entropy!
>>>>>>> [Tue Sep 21 22:05:54.502449 2021] [ssl:warn] [pid 5769:tid
>>>>>>> 2787111856] AH01990: Server: PRNG still contains insufficient entropy!
>>>>>>> ...
>>>>>>> 
>>>>>>> 
>>>>>>>
>>>>>>> I am pretty sure we have not changed anything related to httpd config
>>>>>>> for quite a time and have no idea why this issue started getting
>>>>>>> manifested now.
>>>>>>> Please help me how to RC this and what logs can be looked to debug
>>>>>>> further?
>>>>>>>
>>>>>>> PS: Occurrence of issue is more in systems where FIPS is enabled. In
>>>>>>> FIPS disabled systems, occurrence is less.
>>>>>>>
>>>>>>> With Regards
>>>>>>> Venkat
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
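
A triage sketch for the symptom in this thread, added here and not part of the original messages: it buckets the AH01990 warnings in an error_log by minute and reads the kernel counter that the thread suggests checking with `cat`. The function names, the sample log (the thread's three lines unwrapped, plus two constructed ones) and the 256 threshold are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Function names, the sample log and
# the LOW_WATER threshold are assumptions made for illustration.

LOW_WATER=256   # assumed alert threshold for entropy_avail

# ah01990_total LOG: number of AH01990 warnings in LOG.
ah01990_total() {
    awk '/AH01990/ { c++ } END { print c + 0 }' "$1"
}

# ah01990_per_minute LOG: "Mon DD HH:MM count", one line per minute, in the
# order the minutes first appear. Expects the default error_log prefix
# "[Tue Sep 21 22:05:53.243013 2021] ...".
ah01990_per_minute() {
    awk '/AH01990/ {
        split($4, t, ":")                    # $4 is HH:MM:SS.usec
        k = $2 " " $3 " " t[1] ":" t[2]      # month, day, HH:MM
        if (!(k in n)) order[++m] = k
        n[k]++
    }
    END { for (i = 1; i <= m; i++) print order[i], n[order[i]] }' "$1"
}

# entropy_state [FILE] [MIN]: echo low, ok or unknown for the kernel's
# available-entropy counter. FILE defaults to the path named in the thread.
entropy_state() {
    src=${1:-/proc/sys/kernel/random/entropy_avail}
    min=${2:-$LOW_WATER}
    [ -r "$src" ] || { echo unknown; return 0; }
    read -r avail < "$src" || true
    case $avail in
        ''|*[!0-9]*) echo unknown ;;
        *) if [ "$avail" -lt "$min" ]; then echo low; else echo ok; fi ;;
    esac
}

# triage LOG [ENTROPY_FILE]: one-line summary combining both signals.
#   clean          no AH01990 in the log
#   starved        warnings logged and the counter is low right now
#   check-history  warnings logged, but the counter is not low (or unreadable)
#                  at the moment of the check
triage() {
    total=$(ah01990_total "$1")
    state=$(entropy_state "${2:-}")
    if [ "$total" -eq 0 ]; then
        echo "clean warnings=0 entropy=$state"
    elif [ "$state" = low ]; then
        echo "starved warnings=$total entropy=low"
    else
        echo "check-history warnings=$total entropy=$state"
    fi
}

# write_sample_log FILE: first three lines are the thread's log lines with
# the mail wrapping undone; the last two are constructed.
write_sample_log() {
    cat > "$1" <<'EOF'
[Tue Sep 21 22:05:53.243013 2021] [ssl:warn] [pid 5769:tid 2644435888] AH01990: Server: PRNG still contains insufficient entropy!
[Tue Sep 21 22:05:54.501476 2021] [ssl:warn] [pid 5769:tid 2787111856] AH01990: Server: PRNG still contains insufficient entropy!
[Tue Sep 21 22:05:54.502449 2021] [ssl:warn] [pid 5769:tid 2787111856] AH01990: Server: PRNG still contains insufficient entropy!
[Tue Sep 21 22:06:10.000001 2021] [core:notice] [pid 5769:tid 2787111856] AH00094: Command line: 'httpd'
[Tue Sep 21 22:07:02.118234 2021] [ssl:warn] [pid 5769:tid 2644435888] AH01990: Server: PRNG still contains insufficient entropy!
EOF
}

demo() {
    tmp=$(mktemp -d) || return 1
    write_sample_log "$tmp/error_log"
    echo 97 > "$tmp/entropy_avail"          # constructed low reading
    ah01990_per_minute "$tmp/error_log"
    triage "$tmp/error_log" "$tmp/entropy_avail"
    echo "live counter on this host: $(entropy_state)"
    rm -rf "$tmp"
}
demo
```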


Re: [users@httpd] Httpd is hanging intermittently

2021-09-23 Thread Otis Dewitt - NOAA Affiliate
No problem Venkatesh.

No, I don't know how to generate entropy in Apache because I think Apache
uses the system entropy.
You can check how many are available via: "cat
/proc/sys/kernel/random/entropy_avail".

Under the system I know of two different packages, one *rngd* and the other
*haveged*.

The *rngd* daemon, which is a part of the rng-tools package, is capable of
using both environmental noise and hardware random number generators for
extracting entropy. The daemon checks whether the data supplied by the
source of randomness is sufficiently random and then stores it in the
kernel's random-number entropy pool. The random numbers it generates are
made available through the /dev/random and /dev/urandom character devices.

The *haveged* project is an attempt to provide an easy-to-use,
unpredictable random number generator based upon an adaptation of the HAVEGE
<http://www.irisa.fr/caps/projects/hipsor/> algorithm. Haveged was created
to remedy low-entropy conditions in the Linux random device that can occur
under some workloads, especially on headless servers. Current development
of haveged is directed towards improving overall reliability and
adaptability while minimizing the barriers to using haveged for other tasks.

What OS are you using? Redhat CentOS etc . . .


On Thu, Sep 23, 2021 at 2:06 PM alchemist vk  wrote:

> Thanks Dewitt for your inputs.
> Will check from system perspective how to generate more entropy and
> resolve this issue.
>
> Do you know, how to generate more entropy in system or via apache so that
> it can never be deprived of entropy?
>
> With Regards,
> Venkatesh
>
> On Thu, Sep 23, 2021 at 8:46 PM Otis Dewitt - NOAA Affiliate
>  wrote:
>
>> Hmm I see, I am not sure why you did not get this right away when switching
>> from openssl to openssl-fips because FIPS requires a lot of entropy
>> and if this is on VMWARE, that has very poor entropy unless you use an
>> entropy generator like "*haveged*" or load the *virtio_rng* kernel module.
>> As I said before I am not sure how you will fix this without generating
>> more entropy, it seems the system is unable to create enough and
>> there is no way around this.
>>
>>
>> On Thu, Sep 23, 2021 at 1:15 AM alchemist vk 
>> wrote:
>>
>>> Thanks *Jon* for openssl command confirmation.
>>> *@ylavik*,
>>>  It's a Linux OS and the openssl version is 1.1.1k-fips. I have not yet explored
>>> with SSLRandomSeed changes.
>>>  Yes, we upgraded openssl a few months back to 1.1.1k, but we are
>>> seeing this httpd hangs issue from last month.
>>>
>>> *@otis Dewitt*, Since it's production code in systems, I can't install
>>> haveged and try it out.
>>>
>>>
>>> On Thu, Sep 23, 2021 at 4:57 AM Otis Dewitt - NOAA Affiliate
>>>  wrote:
>>>
>>>>
>>>> I don't think "insufficient entropy" has anything to do with Apache,
>>>> but you could try installing "haveged" rpm.
>>>> That may solve your problem.
>>>>
>>>> On Wed, Sep 22, 2021 at 2:11 PM alchemist vk 
>>>> wrote:
>>>>
>>>>> Hi All,
>>>>>  We are using httpd version 2.4.46 and it's working fine for a long
>>>>> time. But recently, we started seeing an issue where apache hangs
>>>>> indefinitely even when the system is in idle state.
>>>>> And when apache hangs, I see below entries in error_log:
>>>>> [Tue Sep 21 22:05:53.243013 2021] [ssl:warn] [pid 5769:tid 2644435888]
>>>>> AH01990: Server: PRNG still contains insufficient entropy!
>>>>> [Tue Sep 21 22:05:54.501476 2021] [ssl:warn] [pid 5769:tid 2787111856]
>>>>> AH01990: Server: PRNG still contains insufficient entropy!
>>>>> [Tue Sep 21 22:05:54.502449 2021] [ssl:warn] [pid 5769:tid 2787111856]
>>>>> AH01990: Server: PRNG still contains insufficient entropy!
>>>>> ...
>>>>> 
>>>>> 
>>>>>
>>>>> I am pretty sure we have not changed anything related to httpd config for
>>>>> quite a time and have no idea why this issue started getting
>>>>> manifested now.
>>>>> Please help me how to RC this and what logs can be looked to debug
>>>>> further?
>>>>>
>>>>> PS: Occurrence of issue is more in systems where FIPS is enabled. In
>>>>> FIPS disabled systems, occurrence is less.
>>>>>
>>>>> With Regards
>>>>> Venkat
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>


Re: [users@httpd] Httpd is hanging intermittently

2021-09-23 Thread Otis Dewitt - NOAA Affiliate
Hmm I see, I am not sure why you did not get this right away when switching
from openssl to openssl-fips because FIPS requires a lot of entropy
and if this is on VMWARE, that has very poor entropy unless you use an entropy
generator like "*haveged*" or load the *virtio_rng* kernel module.
As I said before I am not sure how you will fix this without generating
more entropy, it seems the system is unable to create enough and
there is no way around this.


On Thu, Sep 23, 2021 at 1:15 AM alchemist vk  wrote:

> Thanks *Jon* for openssl command confirmation.
> *@ylavik*,
>  It's a Linux OS and the openssl version is 1.1.1k-fips. I have not yet explored
> with SSLRandomSeed changes.
>  Yes, we upgraded openssl a few months back to 1.1.1k, but we are seeing
> this httpd hangs issue from last month.
>
> *@otis Dewitt*, Since it's production code in systems, I can't install
> haveged and try it out.
>
>
> On Thu, Sep 23, 2021 at 4:57 AM Otis Dewitt - NOAA Affiliate
>  wrote:
>
>>
>> I don't think "insufficient entropy" has anything to do with Apache, but
>> you could try installing "haveged" rpm.
>> That may solve your problem.
>>
>> On Wed, Sep 22, 2021 at 2:11 PM alchemist vk 
>> wrote:
>>
>>> Hi All,
>>>  We are using httpd version 2.4.46 and it's working fine for a long time.
>>> But recently, we started seeing an issue where apache hangs indefinitely
>>> even when the system is in idle state.
>>> And when apache hangs, I see below entries in error_log:
>>> [Tue Sep 21 22:05:53.243013 2021] [ssl:warn] [pid 5769:tid 2644435888]
>>> AH01990: Server: PRNG still contains insufficient entropy!
>>> [Tue Sep 21 22:05:54.501476 2021] [ssl:warn] [pid 5769:tid 2787111856]
>>> AH01990: Server: PRNG still contains insufficient entropy!
>>> [Tue Sep 21 22:05:54.502449 2021] [ssl:warn] [pid 5769:tid 2787111856]
>>> AH01990: Server: PRNG still contains insufficient entropy!
>>> ...
>>> 
>>> 
>>>
>>> I am pretty sure we have not changed anything related to httpd config for
>>> quite a time and have no idea why this issue started getting
>>> manifested now.
>>> Please help me how to RC this and what logs can be looked to debug
>>> further?
>>>
>>> PS: Occurrence of issue is more in systems where FIPS is enabled. In FIPS
>>> disabled systems, occurrence is less.
>>>
>>> With Regards
>>> Venkat
>>>
>>>
>>>
>>>
>>>


Re: [users@httpd] Httpd is hanging intermittently

2021-09-22 Thread Otis Dewitt - NOAA Affiliate
I don't think "insufficient entropy" has anything to do with Apache, but
you could try installing "haveged" rpm.
That may solve your problem.

On Wed, Sep 22, 2021 at 2:11 PM alchemist vk  wrote:

> Hi All,
>  We are using httpd version 2.4.46 and it's working fine for a long time.
> But recently, we started seeing an issue where apache hangs indefinitely
> even when the system is in idle state.
> And when apache hangs, I see below entries in error_log:
> [Tue Sep 21 22:05:53.243013 2021] [ssl:warn] [pid 5769:tid 2644435888]
> AH01990: Server: PRNG still contains insufficient entropy!
> [Tue Sep 21 22:05:54.501476 2021] [ssl:warn] [pid 5769:tid 2787111856]
> AH01990: Server: PRNG still contains insufficient entropy!
> [Tue Sep 21 22:05:54.502449 2021] [ssl:warn] [pid 5769:tid 2787111856]
> AH01990: Server: PRNG still contains insufficient entropy!
> ...
> 
> 
>
> I am pretty sure we have not changed anything related to httpd config for
> quite a time and have no idea why this issue started getting
> manifested now.
> Please help me how to RC this and what logs can be looked to debug further?
>
> PS: Occurrence of issue is more in systems where FIPS is enabled. In FIPS
> disabled systems, occurrence is less.
>
> With Regards
> Venkat
>
>
>
>
>


Re: [users@httpd] mod_ssl: http to https ErrorDocument redirect stops working when only TLSv1.2 specified

2021-06-24 Thread Otis Dewitt - NOAA Affiliate
Connection closed to child 151 with
> abortive shutdown (server 127.0.0.1:443)
> [Thu Jun 24 08:00:40.331214 2021] [ssl:info] [pid 2754:tid 26] [client
> 10.175.18.160:60594] AH01964: Connection to child 151 established (server
> 127.0.0.1:443)
> [Thu Jun 24 08:00:40.331513 2021] [ssl:info] [pid 2754:tid 26]
> (-1385897552)Unknown error: [client 10.175.18.160:60594] AH02008: SSL
> library error 1 in handshake (server 127.0.0.1:443)
> [Thu Jun 24 08:00:40.331555 2021] [ssl:info] [pid 2754:tid 26] SSL Library
> Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
> [Thu Jun 24 08:00:40.331573 2021] [ssl:info] [pid 2754:tid 26] [client
> 10.175.18.160:60594] AH01998: Connection closed to child 151 with
> abortive shutdown (server 127.0.0.1:443)
>
> With
> SSLProtocol TLSv1.1 +TLSv1.2
> in config:
> (The startup part is identical, skipping that)
> [Thu Jun 24 08:07:11.248472 2021] [ssl:info] [pid 2773:tid 27] [client
> 10.175.18.160:60708] AH01964: Connection to child 344 established (server
> 127.0.0.1:443)
> [Thu Jun 24 08:07:11.249320 2021] [ssl:info] [pid 2773:tid 27] [client
> 10.175.18.160:60708] AH01996: SSL handshake failed: HTTP spoken on HTTPS
> port; trying to send HTML error page
> [Thu Jun 24 08:07:11.249464 2021] [ssl:info] [pid 2773:tid 27] SSL Library
> Error: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request --
> speaking HTTP to HTTPS port!?
> [Thu Jun 24 08:07:11.382584 2021] [ssl:info] [pid 2773:tid 27] [client
> 10.175.18.160:60710] AH01964: Connection to child 344 established (server
> 127.0.0.1:443)
> [Thu Jun 24 08:07:11.390393 2021] [ssl:debug] [pid 2773:tid 27]
> ssl_engine_kernel.c(2389): [client 10.175.18.160:60710] AH02044: No
> matching SSL virtual host for servername myserver found (using
> default/first virtual host)
> [Thu Jun 24 08:07:11.390553 2021] [core:debug] [pid 2773:tid 27]
> protocol.c(2346): [client 10.175.18.160:60710] AH03155: select protocol
> from , choices=h2,http/1.1 for server 127.0.0.1
> [Thu Jun 24 08:07:11.472125 2021] [ssl:debug] [pid 2773:tid 27]
> ssl_engine_kernel.c(2252): [client 10.175.18.160:60710] AH02041:
> Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
> [Thu Jun 24 08:07:11.478503 2021] [ssl:debug] [pid 2773:tid 27]
> ssl_engine_kernel.c(415): [client 10.175.18.160:60710] AH02034: Initial
> (No.1) HTTPS request received for child 344 (server 127.0.0.1:443)
> [Thu Jun 24 08:07:11.478634 2021] [authz_core:debug] [pid 2773:tid 27]
> mod_authz_core.c(815): [client 10.175.18.160:60710] AH01626:
> authorization result of Require all granted: granted
> [Thu Jun 24 08:07:11.478654 2021] [authz_core:debug] [pid 2773:tid 27]
> mod_authz_core.c(815): [client 10.175.18.160:60710] AH01626:
> authorization result of : granted
> [Thu Jun 24 08:07:11.478675 2021] [core:info] [pid 2773:tid 27] [client
> 10.175.18.160:60710] AH00129: Attempt to serve directory:
> /var/apache2/2.4/htdocs/
>
>
>
> On Thu, Jun 24, 2021 at 3:46, Otis Dewitt - NOAA Affiliate
>  wrote:
>
>> What does the /var/log/httpd/error_log say?  Paste that.
>>
>>


Re: [users@httpd] mod_ssl: http to https ErrorDocument redirect stops working when only TLSv1.2 specified

2021-06-23 Thread Otis Dewitt - NOAA Affiliate
What does the /var/log/httpd/error_log say?  Paste that.

On Wed, Jun 23, 2021 at 8:06 PM Pavel Heimlich, a.k.a. hajma <
tropikha...@gmail.com> wrote:

> On Wed, Jun 23, 2021 at 23:06, Otis Dewitt - NOAA Affiliate
>  wrote:
>
>> Check your Openssl ciphers to see if it supports TLS 1.2
>> Try:
>>
>> SSLProtocol -ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2
>> SSLCipherSuite HIGH:!aNULL:!eNULL:!kECDH:!aDH:!RC4:!3DES:!CAMELLIA:!MD5:!AES256-SHA:!AES128-SHA256:!AES256-SHA256:!AES256-GCM-SHA384:!AES128-SHA:!AES128-SHA:!AES128-GCM-SHA256:!AES128-GCM-SHA384:!PSK:!SRP:!KRB5:@STRENGTH
>>
>
> This made no difference. 'The connection was reset'
>
>
>>
>> # openssl ciphers -tls1
>>
>
> # openssl ciphers -tls1
>
> ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:SRP-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA
>
>


Re: [users@httpd] mod_ssl: http to https ErrorDocument redirect stops working when only TLSv1.2 specified

2021-06-23 Thread Otis Dewitt - NOAA Affiliate
Check your Openssl ciphers to see if it supports TLS 1.2
Try:

SSLProtocol -ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2
SSLCipherSuite HIGH:!aNULL:!eNULL:!kECDH:!aDH:!RC4:!3DES:!CAMELLIA:!MD5:!AES256-SHA:!AES128-SHA256:!AES256-SHA256:!AES256-GCM-SHA384:!AES128-SHA:!AES128-SHA:!AES128-GCM-SHA256:!AES128-GCM-SHA384:!PSK:!SRP:!KRB5:@STRENGTH

# openssl ciphers -tls1

On Wed, Jun 23, 2021 at 4:53 PM Pavel Heimlich, a.k.a. hajma <
tropikha...@gmail.com> wrote:

> Hi,
> I use
> ErrorDocument 400 "https://myserver:215";
> to achieve redirection to secure connection for anyone who would access my
> server with just 'http://myserver:215'.
>
> This works as long as there's
> SSLProtocol TLSv1.1 +TLSv1.2
> specified in the configuration. However when I change that to just
> SSLProtocol TLSv1.2
> it stops working and the client gets "The connection was reset
> The connection to the server was reset while the page was loading."
> in their browser.
>
> I guess this is because Apache calls different OpenSSL functions based on
> the config setting at
>
> https://github.com/apache/httpd/blob/2f0f0d4e31bcf8b151ebc833ddd56c09dbff6462/modules/ssl/ssl_engine_init.c#L643
> or
>
> https://github.com/apache/httpd/blob/2f0f0d4e31bcf8b151ebc833ddd56c09dbff6462/modules/ssl/ssl_engine_init.c#L649
>
> and I am not sure if this is something that could be dealt with within
> Apache.
> Would you consider this worth logging a bug?
> Or would there be another way to achieve this?
>
> Thanks!
> P.
>
> P.S.:
> This is on Solaris 11.4, x86, Apache 2.4.47, OpenSSL 1.0
> My simplified config below:
>
> ServerRoot "/usr/apache2/2.4"
>
> Listen 215
>
> 
> LoadModule mpm_prefork_module libexec/mod_mpm_prefork.so
> 
> 
> LoadModule mpm_worker_module libexec/mod_mpm_worker.so
> 
> 
> 
> LoadModule mpm_event_module libexec/mod_mpm_event.so
> 
> 
>
> LoadModule ssl_module libexec/mod_ssl-fips-140.so
> LoadModule authz_core_module libexec/mod_authz_core.so
> LoadModule unixd_module libexec/mod_unixd.so
>
> 
> User webservd
> Group webservd
>
> 
>
>
> ServerName 127.0.0.1
>
> 
> AllowOverride none
> Require all denied
> 
>
> DocumentRoot "/var/apache2/2.4/htdocs"
> 
> Options Indexes FollowSymLinks
>
> AllowOverride None
>
> Require all granted
> 
>
> 
> Require all denied
> 
>
> ErrorLog "/var/apache2/2.4/logs/error_log"
>
> LogLevel warn
>
> 
> AllowOverride None
> Options None
> Require all granted
> 
>
> 
> SSLRandomSeed startup builtin
> SSLRandomSeed connect builtin
> 
>
> SSLEngine   on
> SSLProtocol TLSv1.1 +TLSv1.2
> SSLCertificateFile /etc/certs/localhost/host.crt
> SSLCertificateKeyFile /etc/certs/localhost/host.key
> SSLCACertificateFile /etc/certs/localhost/host-ca/hostca.crt
> SSLCertificateChainFile /etc/certs/localhost/host-ca/hostca.crt
> ErrorDocument 400 "https://myserver:215";
>


Re: [users@httpd] Expose my server to internet

2020-01-14 Thread Otis Dewitt - NOAA Affiliate
You are being firewalled, those ports are not available from outside.

On Tue, Jan 14, 2020 at 3:23 PM Larry Irwin (work) <
larry.ir...@ccamedical.com> wrote:

> nmap shows all ports as filtered:
>
> # nmap -Pn padmahasa.ddns.net
>
> Starting Nmap 7.01 ( https://nmap.org ) at 2020-01-14 15:17 EST
> Nmap scan report for padmahasa.ddns.net (103.228.221.102)
> Host is up.
> rDNS record for 103.228.221.102: 103.228.221.102.static.belltele.in
> All 1000 scanned ports on padmahasa.ddns.net (103.228.221.102) are
> filtered
>
> Nmap done: 1 IP address (1 host up) scanned in 201.85 seconds
> --
>
> Larry Irwin
>
> On 1/14/20 2:58 PM, Richard wrote:
> > The IPnumber associated with padmahasa.ddns.net (103.228.221.102) is
> > not reachable via ping or traceroute. A traceroute ends at:
> >
> > 43.254.160.42.static.belltele.in (43.254.160.42)
> >
> > Additionally, attempting to telnet to either port 80 or 8080 on
> > 103.228.221.102 results in a "network hang".
> >
> > So, it would seem that that IPnumber is not publicly reachable.
> > [Assuming the dns entry to be correct] if you're not firewalling it
> > then you need to speak with your provider.
> >
> >
> >> Date: Wednesday, January 15, 2020 01:03:27 +0530
> >> From: Padmahas Bn 
> >>
> >> Hello @Richard and @Monah baki
> >>
> >> @Richard,
> >>
> >>> -- what is the public IPnumber of your server?
> >>>
> >> I'm not sure whether it's OK or not to tell my public IP openly.
> >> But I can give partial IP address.
> >> xxx.xxx.221.102
> >>
> >>> -- what is the public DNS name for your server (i.e., the dns entry
> >>>
> >> padmahasa.ddns.net
> >>
> >>>   that points to the public IPnumber)?
> >>>
> >> Yeah that points to public IP number.
> >>
> >> @Monah,
> >> I think the firewall will not be active by default and I double
> >> checked with firewall, which is not active in my Ubuntu system.
> >> But should I do any weird thing like, activating it and explicitly
> >> allow http traffic in?
> >> Until now this is the situation.
> >> 1. There is no problem with OS and firewall.
> >> 2. There is no problem with web server configuration.
> >> 3. There is no problem with my ISP (I had asked my ISP whether they
> >> are going to block any incoming traffic but they said No).
> >>
> >> Still not able to reach my server from internet.
> >> Let me know what you guys think the reason could be.
> >>
> >> Thank you.
> >>
> >> On Tue, Jan 14, 2020 at 9:23 PM Monah Baki 
> >> wrote:
> >>
> >>> Check firewall
> >>>
> >>> On Tue, Jan 14, 2020 at 10:43 AM Richard <
> >>> lists-apa...@listmail.innovate.net> wrote:
> >>>
>  Looking back some months I'm not finding the beginning of this
>  thread, so maybe you should start fresh.
> 
>  -- what is the public IPnumber of your server?
> 
>  -- what is the public DNS name for your server (i.e., the dns
>  entry that points to the public IPnumber)?
> 
> 
> > Date: Tuesday, January 14, 2020 09:28:45 +0530
> > From: Padmahas Bn 
> >
> > Continued from my previous email.
> > One more interesting observation.
> >
> > I've forwarded both port 80 and port 8080.
> > On port 80 my Apache web server is running on port 8080, Tomcat
> > server is running.
> >
> > When I hit IP_ADDR:80, I got "Connection timed out".
> > When I hit IP_ADDR:8080, I got "This site can't be reached".
> >
> > Any reason why this happened?
> >
> 
> 
> 
> >  End Original Message 
> >
> >
> >
> >
>
>
>
>


Re: [users@httpd] Web sockets & proxypass - No protocol handler was valid for the URL

2016-12-27 Thread Otis Dewitt - NOAA Affiliate
You can also check this URL:
http://blog.revathskumar.com/2015/09/proxy-websocket-via-apache.html

Thanks,
Otis

On Tue, Dec 27, 2016 at 9:07 AM, Adam Teale  wrote:

> Hi Daniel,
>
> Yes in the http_server_app.conf file it is activated:
> LoadModule ssl_module libexec/apache2/mod_ssl.so
>
> It is interesting though that when I run a "sudo apachectl -M" I can't
> see ssl_module in there.
>
>
>
>


Re: [users@httpd] Web sockets & proxypass - No protocol handler was valid for the URL

2016-12-27 Thread Otis Dewitt - NOAA Affiliate
Check this link out.

http://stackoverflow.com/questions/17889676/apache-2-4-6-reverseproxy-mod-proxy-wstunnel-for-secure-websocket-wss-fails

Thanks,
Otis

On Tue, Dec 27, 2016 at 8:55 AM, Daniel  wrote:

> Silly question perhaps, are you also loading mod_ssl?
>
> 2016-12-27 14:39 GMT+01:00 Adam Teale :
>
>> Hi!
>>
>> I've been trying to setup a reverse proxy to a localhost websocket url.
>>
>> ProxyPass /chat/stream/ wss://localhost:8000/chat/stream/
>> ProxyPassReverse /chat/stream/ wss://localhost:8000/chat/stream/
>>
>> I get an error in the apache error_log that reads:
>>
>> No protocol handler was valid for the URL /chat/stream/. If you are using
>> a DSO version of mod_proxy, make sure the proxy submodules are included in
>> the configuration using LoadModule.
>>
>> I have read a lot of pages via google of people using this method so I
>> wonder if there is some issue in our setup/install of Apache that ships
>> with Mac OS X 10.11 & Server.app 5.2?
>>
>> I have all the standard modules loaded in httpd_server_app.conf
>>
>> LoadModule proxy_module libexec/apache2/mod_proxy.so
>> LoadModule proxy_http_module libexec/apache2/mod_proxy_http.so
>> LoadModule proxy_wstunnel_module libexec/apache2/mod_proxy_wstunnel.so
>>
>> When I access the application running on localhost:8000 directly on the
>> server everything works fine
>>
>> Any ideas what could be going on?
>>
>> Thanks!
>>
>> Adam
>> Apache 2.4.18, Mac OS X 10.11, Server.app 5.2
>>
>
>
>
> --
> *Daniel Ferradal*
> IT Specialist
>
> email dferradal at gmail.com
> linkedin es.linkedin.com/in/danielferradal
>


Re: [users@httpd] Apache says "It works" but also "Requested URL could not be found"

2016-11-18 Thread Otis Dewitt - NOAA Affiliate
Try changing all your directories to lower case and check permissions and
check selinux.

Thanks,
Otis

On Fri, Nov 18, 2016 at 9:13 AM, Roparzh Hemon 
wrote:

> Apache says "It works" but also "Requested URL could not be found"
>
>   This problem seems to have jumped out of nowhere when I returned
> from other projects. The project worked fine before.
> A random Google search suggests the problem might come from permissions,
> but file permissions seem OK (see below).
>
>The access and log files are blank.
>   Any help appreciated.
>
>   The details :
>
> Apache says "It works" when I type http://www.lacolhost.com
> Apache says "The requested URL /index.php was not found on this server"
> when
> I type   http://www.lacolhost.com/index.php
>
>  My /private/etc/hosts file  contains the line
>
>   127.0.0.1 localshow.com www.localshow.com
>
> My /private/etc/apache2/extra/httpd-vhosts.conf file contains the
> following paragraph :
>
>  
> ServerName localshow.com
> ServerAlias www.localshow.com
> DocumentRoot "/Users/myusernamehere/Documents/Sites/Show"
> ErrorLog "/private/var/log/apache2/localshow.com-error_log"
> CustomLog "/private/var/log/apache2/localshow.com-access_log" common
> ServerAdmin w...@coolestguidesontheplanet.com
> LoadModule php5_module /usr/libexec/apache2/libphp5.so
> 
> Require all granted
> DirectoryIndex index.php
> 
> 
>
>  Permissions for /Users/myusernamehere/Documents/Sites/Show
>
>  drwxr-xr-x  18 myusernamehere  staff  612 11 nov 15:07
>
>
>  Permissions for /Users/myusernamehere/Documents/Sites/Show/index.php :
>
>  -rw-r--r--@ 1 myusernamehere  staff23 18 nov 14:25 index.php
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>
>


Re: [users@httpd] Apache ldaps ceritificate directive issue

2015-04-14 Thread Otis Dewitt - NOAA Affiliate
LDAPTrustedCA Directive
Description: Sets the file containing the trusted Certificate Authority certificate or database
Syntax: LDAPTrustedCA directory-path/filename
Context: server config
Status: Experimental
Module: mod_ldap

It specifies the directory path and file name of the trusted CA mod_ldap
should use when establishing an SSL connection to an LDAP server. If using the
Netscape/iPlanet Directory SDK, the file name should be cert7.db.

LDAPTrustedCAType Directive
Description: Specifies the type of the Certificate Authority file
Syntax: LDAPTrustedCAType type
Context: server config
Status: Experimental
Module: mod_ldap

The following types are supported:
DER_FILE - file in binary DER format
BASE64_FILE - file in Base64 format
CERT7_DB_PATH - Netscape certificate database file

Note: Add here:
  vi  /etc/http/conf.d/ca.conf

On Tue, Apr 14, 2015 at 7:49 PM, John Beaulaurier -X (jbeaulau - ADVANCED
NETWORK INFORMATION INC at Cisco)  wrote:

>  Hello,
>
>
>
> We’re running Server version: Apache/2.0.63 that needs to be configured
> for LDAPS. I have run into an issue with the certificate directives.
>
>
>
> I have a .pem file with the trusted ca-certs, but when I configure
> httpd.conf to use it with the directives “LDAPTrustedCA /local/.pem” and
>  “LDAPTrustedCAType BASE64_FILE”
>
> The following error occurs.
>
>
>
> Syntax error on line 349 of /local/apache/conf/httpd.conf:
>
> LDAPTrustedCA not allowed here
>
>
>
> This is a directive for this Apache release, so I’m not sure why.
>
>
>
> Thanks
>
> -John
>
>
>


Re: [users@httpd] How to enable TLSV1.1 or above on Apache

2015-03-19 Thread Otis Dewitt - NOAA Affiliate
Greetings,

For httpd version 2.2.22 and older, only specify TLSv1. This is treated as
a wildcard for all TLS versions.

SSLProtocol TLSv1

Thanks,
Otis


Re: [users@httpd] ProxyReverse Issue on - httpd-2.2.29

2015-02-23 Thread Otis Dewitt - NOAA Affiliate
Everything works on this site except this url:
https://www.docu.com/class/page/createpdf.jsp?requestId=7

weird problem.

Thanks,
Otis

On Mon, Feb 23, 2015 at 1:15 PM, Otis Dewitt - NOAA Affiliate <
otis.dew...@noaa.gov> wrote:

> oops yeah missed adding that to the email.
>
> It's in the config:
>
> # Class Directive (443) #EXAMPLE
> RewriteRule ^/class$(.*) https://www.docu.com/class$1 [L,NC]
>
> ProxyPass /class https://example.com:20201/class
>
> 
> SetOutputFilter   proxy-html
> ProxyPassReverse  https://example.com:20201/class
> ProxyHTMLEnable   On
> ProxyHTMLExtended On
> ProxyHTMLURLMap   http://example.com:20201/class  /class
> RequestHeader unset  Accept-Encoding
> 
>
> Thanks,
> Otis
>
>
> On Mon, Feb 23, 2015 at 1:11 PM, Eric Covener  wrote:
>
>> > # Class Directive (443) #EXAMPLE
>> > RewriteRule ^/class$(.*) https://www.docu.com/class$1 [L,NC]
>> >
>> > 
>> > SetOutputFilter   proxy-html
>> > ProxyPassReverse  https://example.com:20201/class
>> > ProxyHTMLEnable   On
>> > ProxyHTMLExtended On
>> > ProxyHTMLURLMap   http://example.com:20201/class  /class
>> > RequestHeader unset  Accept-Encoding
>> > 
>>
>> Missing ProxyPass?  I don't see why this would be proxied.
>>
>


Re: [users@httpd] ProxyReverse Issue on - httpd-2.2.29

2015-02-23 Thread Otis Dewitt - NOAA Affiliate
oops yeah missed adding that to the email.

It's in the config:

# Class Directive (443) #EXAMPLE
RewriteRule ^/class$(.*) https://www.docu.com/class$1 [L,NC]

ProxyPass /class https://example.com:20201/class


SetOutputFilter   proxy-html
ProxyPassReverse  https://example.com:20201/class
ProxyHTMLEnable   On
ProxyHTMLExtended On
ProxyHTMLURLMap   http://example.com:20201/class  /class
RequestHeader unset  Accept-Encoding


Thanks,
Otis


On Mon, Feb 23, 2015 at 1:11 PM, Eric Covener  wrote:

> > # Class Directive (443) #EXAMPLE
> > RewriteRule ^/class$(.*) https://www.docu.com/class$1 [L,NC]
> >
> > 
> > SetOutputFilter   proxy-html
> > ProxyPassReverse  https://example.com:20201/class
> > ProxyHTMLEnable   On
> > ProxyHTMLExtended On
> > ProxyHTMLURLMap   http://example.com:20201/class  /class
> > RequestHeader unset  Accept-Encoding
> > 
>
> Missing ProxyPass?  I don't see why this would be proxied.
>


[users@httpd] ProxyReverse Issue on - httpd-2.2.29

2015-02-23 Thread Otis Dewitt - NOAA Affiliate
Can someone please tell me what I am doing wrong here? I am using Apache
reverse proxy. I have been having this issue for some time.

#WORKS
1. If I use the Internal url directly to the server.
  a. https://example.com:20201/class/page/createpdf.jsp?requestId=7
  b. I get a pdf to download.

# FAILS
2. If I use the External url I get "might be temporarily down or it may
have moved permanently to a new web address."
  a. https://www.docu.com/class/page/createpdf.jsp?requestId=7
  b. "Web Page Not Available" - "The webpage at
https://www.docu.com/class/page/createpdf.jsp?requestId=7 might be
temporarily down or it may have moved permanently to a new web address.
Error code: ERR_INVALID_RESPONSE"


# Class Directive (443) #EXAMPLE
RewriteRule ^/class$(.*) https://www.docu.com/class$1 [L,NC]


SetOutputFilter   proxy-html
ProxyPassReverse  https://example.com:20201/class
ProxyHTMLEnable   On
ProxyHTMLExtended On
ProxyHTMLURLMap   http://example.com:20201/class  /class
RequestHeader unset  Accept-Encoding



Thanks,
Otis


Re: [users@httpd] Re: Keeping an archive of httpd processes

2014-07-21 Thread Otis Dewitt - NOAA Affiliate
Greetings Rose,

You could use SNMP MRTG or Cacti.

Thanks,
Otis


On Mon, Jul 21, 2014 at 3:40 PM, Rose, John B  wrote:

>  This is on Solaris 10
>
>   From: , John Rose 
> Date: Monday, July 21, 2014 2:47 PM
> To: "users@httpd.apache.org" 
> Subject: Keeping an archive of httpd processes
>
>   Any suggestions on mechanism to archive httpd processes over a couple
> months?
>
>  The idea being to  see the peak number of httpd processes reached during
> say 2 months?
>
> Thanks
>


Re: [users@httpd] Hiding Query Strings

2014-07-11 Thread Otis Dewitt - NOAA Affiliate
Greetings Paul,

You could use code (php,ruby,asp . . .)  to query the database without
actually being on the page.
I will try to use re-capture to prevent such actions.

Thanks,
Otis


On Thu, Jul 10, 2014 at 2:00 PM, Stormy  wrote:

> At 01:16 PM 7/10/2014 -0400, Otis Dewitt - NOAA Affiliate wrote:
>
>> Greetings,
>>
>> I am having a problem hiding query strings:
>>
>> Example:
>>
>> Change:
>> http://www.fishfry.gov/pls/webpls/car_1.data_in?jtype=IMP&jmnth=01&jyear=2014&jcountry=USA&joutput=TABLE
>>
>> To Show: http://www.fishfry.gov on query return
>> instead of showing the complete URL as above to help mitigate the public
>> trying different years,country,output from the URL.
>>
>> Is there a way to solve this as a re-write?
>>
>
> Counterintuitive?  How could I reference your specific document in an
> email, journal, webpage, report, whatever?
>
> Paul
>
>


[users@httpd] Hiding Query Strings

2014-07-10 Thread Otis Dewitt - NOAA Affiliate
Greetings,

I am having a problem hiding query strings:

Example:

Change:
http://www.fishfry.gov/pls/webpls/car_1.data_in?jtype=IMP&jmnth=01&jyear=2014&jcountry=USA&joutput=TABLE

To Show: http://www.fishfry.gov on query return instead of showing the
complete URL as above to help mitigate the public trying different
years,country,output from the URL.

Is there a way to solve this as a re-write?

Thanks,
Otis


Re: [users@httpd] Change from ~username to /username questions

2014-05-04 Thread Otis Dewitt - NOAA Affiliate
Greetings Yehuda,


1.) You can try something like this for one url:

RewriteRule ^~blog/(.*)$ /site/legacy/users/blog/$1 [R=301,L]


2.) You can also play with this rewrite to make it fit for you:

RewriteEngine On
#RewriteLog logs/rewrite.log # Uncomment for rewrite logging
#RewriteLogLevel 3 # uncomment for verbose logging
RewriteCond %{REQUEST_URI} ^/([^/]+)
RewriteCond /home/%1 -d
RewriteRule ^/([^/]+)(.*) /home/$1/public_html/$2


Thanks,
Otis


On Sun, May 4, 2014 at 10:54 PM, Yehuda Katz  wrote:

> mod_userdir does not support this. You would have to create a symlink for
> each user.
> Off the top of my head, you might be able to work around it with
> mod_rewrite, but I can't test any rules now, so I don't want to try writing
> one.
>
> - Y
>
>
> On Fri, May 2, 2014 at 2:18 PM, Rose, John B  wrote:
>
>>  Has anyone changed access to personal web sites from
>>
>>  website.com/~username
>>
>>   to
>>
>>  website.com/username
>>
>>  And still use
>>
>>  /home/username/public_html
>>
>>  As the home web directories?
>>
>> If so, can you share your method?
>>
>>  Thanks
>>
>
>


Re: [users@httpd] php fpm and ProxyPass

2014-05-04 Thread Otis Dewitt - NOAA Affiliate
Thanks for that update.



On Sun, May 4, 2014 at 9:36 PM, Eric Covener  wrote:

> On Sun, May 4, 2014 at 9:03 PM, Otis Dewitt - NOAA Affiliate
>  wrote:
> > Something you should know about mod_proxy_fcgi is that currently it
> doesn’t
> > support UNIX sockets,
>
> Supported since 2.4.7
>


Re: [users@httpd] php fpm and ProxyPass

2014-05-04 Thread Otis Dewitt - NOAA Affiliate
Greetings Lennsen,

Something you should know about mod_proxy_fcgi is that currently it doesn’t
support UNIX sockets,
so you must start your PHP-FPM process using a TCP port, which is default
when you install it.

Daniel Garajau wrote an interesting document on this subject:
http://garajau.com.br/blog/2013/12/apache-2-4-and-php-fpm-using-mod_proxy_fcgi/

Hope this helps.

Thanks,
Otis




On Sun, May 4, 2014 at 7:55 PM,  wrote:

> I would like to set up php fpm and I am experiencing some difficulties
> there.
>
> 1. is it possible to solve that issue described e.g. here?
>  http://forum.nginx.org/read.php?3,246804,246804
>
> 2. assuming that the users executing scripts can not be trusted, how would
> one ensure that e.g. open_basedir is respected?
>  I know that this question is more related to php itself, but maybe you
> happen to know the answer there as well.
> This is because I do not know how to bind specific settings per-vhost
> here, since the given example below does not specify custom arguments, such
> as configuration directives or own php.ini files.
>
> the configuration is e.g.
>
>
> 
> ...
>  Options +Indexes
>  DirectoryIndex index.html index.php
>
>  ProxyPassMatch ^/(.*\.php(/.*)?)$
> unix:/some/path/to/php-fpm.sock|fcgi://foobar/path/to/documentroot
> ...
> 
>
>
> httpd 2.4.9, php 5.5.12, all latest
>
>
>


Re: [users@httpd] localhost Forbidden

2014-05-04 Thread Otis Dewitt - NOAA Affiliate
Greetings Eric,

Try this:


DocumentRoot /www/default/Site

AuthType None
Options FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
Require all granted



Thanks,
Otis


On Sun, May 4, 2014 at 9:58 AM, Eric Covener  wrote:

> On Sun, May 4, 2014 at 9:48 AM, Andy Canfield 
> wrote:
> > What am I missing?
>
>
> Maybe you're not getting into that virtualhost?  Review the output of
> apache2ctl -S, and/or add a custom access log for that virtual host.
>
>  is always a directory on disk.  You should also be sure to
> review the errorlog for each 403.
>


Re: [users@httpd] Apache commercial support

2014-04-02 Thread Otis Dewitt - NOAA Affiliate
Greetings Joe,

Understand your frustration, had similar problems in the past.
The price can vary depending on infrastructure setup.

Please email at odew...@linusoft.com so we can talk further.

Thanks,
Otis


On Wed, Apr 2, 2014 at 1:08 PM, Joe Jensen (ConAgra Foods) <
joe.jen...@conagrafoods.com> wrote:

> Can anybody recommend any commercial support vendors for apache httpd and
> tomcat?  Who do you use for apache/tomcat support and how does it work out?
>
> I'm running about 2 dozen servers and am frustrated that my existing
> vendor 1) adds (required) proprietary modules forcing me to pay licensing
> costs and 2) does not distribute current apache httpd/tomcat versions with
> their current software.   They do not support the open source version.  I'm
> also curious how much support of pure open source apache/tomcat costs as a
> comparison.
>
> Joe Jensen
>


Re: [users@httpd] virtualhost redirects to root on mobiles

2014-01-30 Thread Otis Dewitt - NOAA Affiliate
NameVirtualHost *:80


ServerAdmin webmaster@localhost
 ServerName www.morebearsmore.com 
ServerAlias morebearsmore.com 


On Thu, Jan 30, 2014 at 1:30 PM, Josh Stratton wrote:

> I tried that.  I'm including the actual config file in sites-available if
> it helps.
>
> 
> ServerAdmin webmaster@localhost
>  ServerName morebearsmore.com
> ServerAlias www.morebearsmore.com
>
> DocumentRoot /var/www/morebearsmore.com/public_html
> 
>  Options FollowSymLinks
> AllowOverride None
> 
>  
> Options Indexes FollowSymLinks MultiViews
> AllowOverride None
>  Order allow,deny
> allow from all
> 
>
> ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
> 
>  AllowOverride None
> Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
> Order allow,deny
>  Allow from all
> 
>
> ErrorLog ${APACHE_LOG_DIR}/error.log
>
> # Possible values include: debug, info, notice, warn, error, crit,
> # alert, emerg.
> LogLevel warn
>
> CustomLog ${APACHE_LOG_DIR}/access.log combined
> 
>
>
>
> On Thu, Jan 30, 2014 at 10:26 AM, Otis DeWitt wrote:
>
>> Try creating a server alias and restart apache.
>>
>> 
>> DocumentRoot /www/server1
>>
>> ServerName example.com
>> ServerAlias www.example.com
>>
>>
>> Sent from my iPhone
>>
>> On Jan 30, 2014, at 1:04 PM, Josh Stratton 
>> wrote:
>>
>> I setup an apache server a while back without a virtualhost and got
>> everything working fine.  I added a virtualhost for my wife and it seems to
>> work fine on desktops, but on our phones (an iphone and a windows phone),
>> both redirect to my root site if the user adds www to the domain in the
>> address bar.  I assume it's just some mistake in my virtualhost setup, but
>> I don't understand why it works on desktop but not mobile.  I added a
>> ServerAlias to include the www prefix onto the domain and restarted apache,
>> but it doesn't seem to make a difference.  I always get the "root" (hope
>> I'm using the right naming convention) host back.
>>
>>
>


Re: [users@httpd] virtualhost redirects to root on mobiles

2014-01-30 Thread Otis Dewitt - NOAA Affiliate
Try

NameVirtualHost *:80   "above "

Thanks,
Otis



On Thu, Jan 30, 2014 at 1:30 PM, Josh Stratton wrote:

> I tried that.  I'm including the actual config file in sites-available if
> it helps.
>
> 
> ServerAdmin webmaster@localhost
>  ServerName morebearsmore.com
> ServerAlias www.morebearsmore.com
>
> DocumentRoot /var/www/morebearsmore.com/public_html
> 
>  Options FollowSymLinks
> AllowOverride None
> 
>  
> Options Indexes FollowSymLinks MultiViews
> AllowOverride None
>  Order allow,deny
> allow from all
> 
>
> ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
> 
>  AllowOverride None
> Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
> Order allow,deny
>  Allow from all
> 
>
> ErrorLog ${APACHE_LOG_DIR}/error.log
>
> # Possible values include: debug, info, notice, warn, error, crit,
> # alert, emerg.
> LogLevel warn
>
> CustomLog ${APACHE_LOG_DIR}/access.log combined
> 
>
>
>
> On Thu, Jan 30, 2014 at 10:26 AM, Otis DeWitt wrote:
>
>> Try creating a server alias and restart apache.
>>
>> 
>> DocumentRoot /www/server1
>>
>> ServerName example.com
>> ServerAlias www.example.com
>>
>>
>> Sent from my iPhone
>>
>> On Jan 30, 2014, at 1:04 PM, Josh Stratton 
>> wrote:
>>
>> I setup an apache server a while back without a virtualhost and got
>> everything working fine.  I added a virtualhost for my wife and it seems to
>> work fine on desktops, but on our phones (an iphone and a windows phone),
>> both redirect to my root site if the user adds www to the domain in the
>> address bar.  I assume it's just some mistake in my virtualhost setup, but
>> I don't understand why it works on desktop but not mobile.  I added a
>> ServerAlias to include the www prefix onto the domain and restarted apache,
>> but it doesn't seem to make a difference.  I always get the "root" (hope
>> I'm using the right naming convention) host back.
>>
>>
>


[users@httpd] Reverse Proxy Issue on Apache version 2.0.65

2014-01-10 Thread Otis Dewitt - NOAA Affiliate
Greetings,

I am constantly getting this error below in my log file:

*[error] (20014)Error string not specified yet: proxy: pass request body
failed to 172.16.11.212:7705  (www.example.com
) from 192.168.100.34 ()*

[Thu Jan 09 15:52:47 2014] [error] (20014)Error string not specified yet:
proxy:
[Thu Jan 09 15:52:59 2014] [error] (20014)Error string not specified yet:
proxy:
[Thu Jan 09 15:52:59 2014] [error] (20014)Error string not specified yet:
proxy:
[Thu Jan 09 16:03:27 2014] [error] (20014)Error string not specified yet:
proxy:
[Thu Jan 09 16:03:27 2014] [error] (20014)Error string not specified yet:
proxy:
[Thu Jan 09 16:08:59 2014] [error] (20014)Error string not specified yet:
proxy:
[Thu Jan 09 16:08:59 2014] [error] (20014)Error string not specified yet:
proxy:

This error is causing sporadic "*Internal Server Errors*" when rendering pages
in Jira. I do not get any other errors.

Can someone please point out the meaning of this error as it does not make
any sense to me whatsoever. I have been trying to solve this issue for over
a year to no avail.

I decided to make 2014 the year to get rid of this error.

Any help would be highly appreciated. I have specified the directives in
use below:

# JIRA Reverse Proxy
ProxyPass /jira https://www.example.com:7705/jira
ProxyPassReverse /jira https://www.example.com:7705/jira

# JIRA (15min Timeout)
ProxyTimeout 900


Order allow,deny
Allow from all
# Avoid proxy errors
SetEnv force-proxy-request-1.0 1
SetEnv proxy-nokeepalive 1
SetEnv proxy-initial-not-pooled 1


Thanks,
Otis


[users@httpd] Reverse Proxy Issue on Apache version 2.0.65

2014-01-09 Thread Otis Dewitt - NOAA Affiliate
Greetings,

I am constantly getting this error below in my log file:

*[error] (20014)Error string not specified yet: proxy: pass request body
failed to 172.16.11.212:7705  (www.example.com
) from 192.168.100.34 ()*

[Thu Jan 09 15:52:47 2014] [error] (20014)Error string not specified yet:
proxy:
[Thu Jan 09 15:52:59 2014] [error] (20014)Error string not specified yet:
proxy:
[Thu Jan 09 15:52:59 2014] [error] (20014)Error string not specified yet:
proxy:
[Thu Jan 09 16:03:27 2014] [error] (20014)Error string not specified yet:
proxy:
[Thu Jan 09 16:03:27 2014] [error] (20014)Error string not specified yet:
proxy:
[Thu Jan 09 16:08:59 2014] [error] (20014)Error string not specified yet:
proxy:
[Thu Jan 09 16:08:59 2014] [error] (20014)Error string not specified yet:
proxy:

This error is causing sporadic "*Internal Server Errors*" when rendering pages
in Jira. I do not get any other errors.

Can someone please point out the meaning of this error as it does not make
any sense to me whatsoever. I have been trying to solve this issue for over
a year to no avail.

I decided to make 2014 the year to get rid of this error.

Any help would be highly appreciated. I have specified the directives in
use below:

# JIRA Reverse Proxy
ProxyPass /jira https://www.example.com:7705/jira
ProxyPassReverse /jira https://www.example.com:7705/jira

# JIRA (15min Timeout)
ProxyTimeout 900


Order allow,deny
Allow from all
# Avoid proxy errors
SetEnv force-proxy-request-1.0 1
SetEnv proxy-nokeepalive 1
SetEnv proxy-initial-not-pooled 1


Thanks,
Otis


Re: [users@httpd] Access controls

2013-12-16 Thread Otis Dewitt - NOAA Affiliate
What do you mean?

* "Since our requirement is to control access based on a path.*"


AuthType basic
AuthName "Example 1 use your LDAP login."
AuthBasicProvider ldap
AuthLDAPURL "ldaps://
example-ldap.example.com:636/o=example.com?uid??(&(objectClass=inetOrgPerson)(groups=groupA))
"
AuthBasicProvider ldap
Require user bob.stanton
SetOutputFilter DEFLATE



AuthType basic
AuthName "Example 2 use your LDAP login."
AuthBasicProvider ldap
AuthLDAPURL "ldaps://
example-ldap.example.com:636/o=example.com?uid??(&(objectClass=inetOrgPerson)(groups=groupA))
"
AuthBasicProvider ldap
Require user tom.scott
SetOutputFilter DEFLATE


This works perfect for me.

Thanks,
Otis


On Sun, Dec 15, 2013 at 11:19 AM, Ramesh Nadupalli <
nadupalliram...@gmail.com> wrote:

> I use Directory. This is how my config file look like
>
> 
> AuthType Basic
> AuthName "Enter your ID"
> AuthBasicProvider ldap
> AuthBasicAuthoritative off
> AuthLDAPUrl
> ldap://url:389/dc=domain,dc=com?samAccountName?sub?(objectClass=*)
> NONE
> AuthLDAPBindDN "cn=xxx,ou=xxx,dc=domain,dc=com"
> AuthLDAPBindPassword x
> Require valid-user
> 
>
> On Sun, Dec 15, 2013 at 9:12 PM, Eric Covener  wrote:
> > On Sun, Dec 15, 2013 at 9:54 AM, Ramesh Nadupalli
> >  wrote:
> >> Thanks Eric for your response. I have tried below options,
> >>
> >> Require valid-user (when I pass valid-user, it authenticates
> >> and allows everyone in the LDAP filter to access the webserver)
> >> Require user usera userb userc (It allows only these users)
> >>
> >> Since our requirement is to control access based on a path, I am not
> >> sure what else can be used to read an access file.
> >
> > Enclose the directives in   or ?
> >
>


Re: [users@httpd] #error mod_ssl requires OpenSSL 0.9.8a or later

2013-12-16 Thread Otis Dewitt - NOAA Affiliate
Try:

First make sure openssl-devel-1.0.1e is installed.

--with-ssl=

Example:

--with-ssl=/usr/include/openssl


Thanks,
Otis



On Mon, Dec 16, 2013 at 1:58 AM, Abdul Anshad  wrote:

> Hello All,
>
> I'm trying to compile httpd-2.4.7 from source, but i get the following
> error "#error mod_ssl requires OpenSSL 0.9.8a or later".
>
> But my installed openssl version is openssl-1.0.1e and i have specified it
> --with-ssl option.
>
> Could anyone please help me on this ?
>
> --
> Regards,
> Abdul
>
>


Re: [users@httpd] diagnosing an httpd memory "leak"

2013-12-13 Thread Otis Dewitt - NOAA Affiliate
Very weird scenario, I can only think of a couple of reasons this can be
happening.

1. Enable debug on loglevel and see what happens in that 15mins.
2. Try removing the httpd.conf and put a default httpd.conf in place and
start it to see if the same thing happens. if not then you know it's in the
configuration.
3. There was an issue with this very under Redhat, you can view it here:
http://rhn.redhat.com/errata/RHSA-2009-1075.html

4. Change Memory

Hope this is helpful.

Thanks,
Otis


On Fri, Dec 13, 2013 at 4:19 PM, Wang, Andy  wrote:

> Hi all,
> We have a customer who's running our httpd 2.2.22 build on a Windows
> 2008 R2 server and they're seeing pretty significant memory usage over
> time.  Just starting up and running for a 15 minutes or so with a few
> requests causes the web server private bytes to hit 120mb or so.
> Leave it long enough and it's well over 1GB and eventually (32-bit
> process) certain things start to run out of memory, particular deflate
> starts being unable to allocate memory and they have to restart.
>
> So here's the really annoying thing.  They can only reproduce this on
> their production system.  It's not seen on any other system. I did
> suggest they try one of the later versions (we have builds available for
> 2.2.24 and I can make 2.2.25 and 26 versions available to them but given
> how this is isolated to one system I'm not really hopeful.  I've been
> unable to reproduce anything remotely like it in house.  In fact, when I
> do it, and hit the server for a while, I peak out in the 80mb range or
> so.  Oddly, they can't reproduce it on the same version installed on
> another server (so this really points to something weird about this
> particular server).
>
> I've gotten process monitor captures to see if maybe there are some
> oddities with dependency libraries being loaded and as far as I can tell
> there, the libraries being loaded are correct and I don't see any
> unusual libraries being loaded.  I've asked them to get me a listing of
> all the installed programs on the system, and I've also asked for a save
> file from sysinternals autoruns program to see if there's something
> there that might tell me anything.
>
> I've been researching methods of debugging memory use on windows
> (unfortunately, I'm not a Windows developer in anyway.  Primarily *nix
> and java).  But the best mechanisms I can find are to use windbg and try
> to debug the process live.  Given that they're half a world away,
> walking them through that process might not be so fruitful.
>
> Grasping at ideas here, but any thoughts, tips ideas?  Help?!? :)
>
> I've been looking at the MaxRequestsPerChild directive but I'm a little
> concerned by the Windows single child process architecture and just how
> long a replacement process comes up.  Does anyone have any real world
> experience with this to know if it's really a bad idea?
>
> Thanks,
> Andy
>


Re: [users@httpd] Only garbage was found in the patch input - httpd-2.4.7-sslsninotreq.patch

2013-12-12 Thread Otis Dewitt - NOAA Affiliate
contact: Joe Orton <*jorton*@redhat.com>


On Thu, Dec 12, 2013 at 4:01 AM, Abdul Anshad  wrote:

>  I downloaded the source rpm httpd-2.4.7-1.fc20 from
> http://koji.fedoraproject.org/koji/buildinfo?buildID=483947 which was
> built by jorton, i don't know where to report this issue.
>
> Could you please guide me ?
>
> Regards,
> Abdul
>
> On 12/12/2013 12:32 PM, Otis Dewitt - NOAA Affiliate wrote:
>
>  This patch is corrupt, it is missing content.
>
>  contact the submitter of the patch.
>
>
> On Thu, Dec 12, 2013 at 12:23 AM, Abdul Anshad  wrote:
>
>>  Hello All,
>>
>> I can't apply a patch named *httpd-2.4.7-sslsninotreq.patch*, when i
>> try to build the package httpd-2.4.7 it throws out the error as "Only
>> garbage was found in the patch input".
>>
>> The whole content of the patch is just two lines as follows :
>>
>> diff --git a/modules/ssl/ssl_engine_config.c
>> b/modules/ssl/ssl_engine_config.c
>> index 15993f1..53ed6f1 100644
>>
>> I download the source rpm httpd-2.4.7 from
>> http://koji.fedoraproject.org.
>>
>> Is this because of the fault commit from the user ? or is there anything
>> i should install on my side like git before building the package ?
>>
>> Is there any alternate source to this patch *httpd-2.4.7-sslsninotreq.patch* ?
>>
>> Thanks in advance.
>>
>> --
>> Regards,
>> Abdul
>>
>>
>
>


Re: [users@httpd] Web Site Testing

2013-12-11 Thread Otis Dewitt - NOAA Affiliate
Take a look at awstats.



On Thu, Dec 12, 2013 at 1:51 AM, Jim Barchuk  wrote:

>
> On Wed, 11 Dec 2013, Roman Gelfand wrote:
>
>  I think I was misunderstood.  I am looking for a web site monitoring
>> software that periodically downloads a page from that site and records
>> statistics like how many times it got 200, 404, etc...
>>
>
> For that -specific- task, 'a page,' and '200, 404, etc...,' that's not
> 'Software' as such, with a capital S. That's about a 20-30 line shell
> script, that runs via cron. It requests a page, and records and increments
> HTTP responses to a plain text file, which you can cat whenever you want to
> to see results.
>
> --
> Jim Barchuk
> j...@jbarchuk.com
>
>
>
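
The cron-driven script described in the quoted reply above, written out as an added example (it is not code from the thread). The function names, the tally file format and the use of curl are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: tally HTTP status codes for one URL, meant to be run from cron.
# Tally file format (an assumption of this sketch): one "<status> <count>" pair per line.

# record_status FILE CODE: increment the counter for CODE in FILE.
record_status() {
    file=$1
    code=$2
    # Accept only three-digit codes; curl reports 000 when no response was received.
    case $code in
        [0-9][0-9][0-9]) ;;
        *) echo "record_status: bad status '$code'" >&2; return 1 ;;
    esac
    [ -f "$file" ] || : > "$file"
    # Write to a temp file in the same directory so the final mv is atomic.
    tmp=$(mktemp "${file}.XXXXXX") || return 1
    if awk -v code="$code" '
            $1 == code { print $1, $2 + 1; seen = 1; next }
            { print }
            END { if (!seen) print code, 1 }
        ' "$file" | sort -n > "$tmp"
    then
        mv "$tmp" "$file"
    else
        rm -f "$tmp"
        return 1
    fi
}

# count_for FILE CODE: print the current count for CODE (0 if never seen).
count_for() {
    awk -v code="$2" '$1 == code { n = $2 } END { print n + 0 }' "$1"
}

# probe URL FILE: request URL once and record the status code it returned.
probe() {
    code=$(curl -s -o /dev/null --max-time 10 -w '%{http_code}' "$1") || code=000
    record_status "$2" "${code:-000}"
}

# When invoked as "script URL TALLY_FILE" (for example from a crontab entry),
# perform one probe; with no arguments the functions are only defined.
if [ "$#" -eq 2 ]; then
    probe "$1" "$2"
fi
```

`cat` on the tally file then shows how many times each status was seen; a growing `000` count means the request never got an HTTP response at all.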


Re: [users@httpd] Can not Find Apache 2.4 Installable Version (Binary or .msi)

2013-12-11 Thread Otis Dewitt - NOAA Affiliate
Try:
http://www.anindya.com/apache-http-server-2-4-2-x86-and-x64-windows-installers/


On Thu, Dec 12, 2013 at 1:35 AM, Yogesh patel
wrote:

> HI
>
> I am not able to find apache 2.4 installable version. Apache official site
> provides source code of it. Can i anywhere find binary file or .msi file of
> apache 2.4?
> One  thing i found is On Apache Lounge , But i dont know how to build it
> and is it official from apache ?
>
> --
>
>
>
>
> *Regards,Yogesh Patel*
>
>
>


Re: [users@httpd] Only garbage was found in the patch input - httpd-2.4.7-sslsninotreq.patch

2013-12-11 Thread Otis Dewitt - NOAA Affiliate
This patch is corrupt, it is missing content.

contact the submitter of the patch.


On Thu, Dec 12, 2013 at 12:23 AM, Abdul Anshad  wrote:

>  Hello All,
>
> I can't apply a patch named *httpd-2.4.7-sslsninotreq.patch*, when i
> try to build the package httpd-2.4.7 it throws out the error as "Only
> garbage was found in the patch input".
>
> The whole content of the patch is just two lines as follows :
>
> diff --git a/modules/ssl/ssl_engine_config.c
> b/modules/ssl/ssl_engine_config.c
> index 15993f1..53ed6f1 100644
>
> I download the source rpm httpd-2.4.7 from 
> http://koji.fedoraproject.org.
>
> Is this because of the fault commit from the user ? or is there anything i
> should install on my side like git before building the package ?
>
> Is there any alternate source to this patch *httpd-2.4.7-sslsninotreq.patch* ?
>
> Thanks in advance.
>
> --
> Regards,
> Abdul
>
>


[users@httpd] Mod_Proxy Bug in Apache 2.0.65

2013-12-10 Thread Otis Dewitt - NOAA Affiliate
Greetings,

I am using Apache 2.0.65 with mod_proxy as a reverse proxy; this proxy sits
in the DMZ and serves to the backend servers. I am getting constant errors
in the log file stating what's below.

*[Tue Dec 10 12:33:17 2013] [error] (20014)Error string not specified yet:
proxy: pass request body failed to 192.168.2.5:7710 (example.com)
from 192.168.2.5:7710 ()*

I have searched many forums, only to find people with the same issue that
has not been answered. This error message is very vague and points to
nowhere to start looking. The URL works but occasionally gets "Internal
Server Error" due to this issue.

I have managed to find this out by using 192.168.2.5:7710 directly
without the proxy, and it works flawlessly. Below you can find my proxy
directives.

 #Prevent the use of this httpd server to be used as a proxy
ProxyRequests Off

Order deny,allow
Allow from all


 #Proxy related options
ProxyHTMLExtended On
ProxyHTMLMeta On
ProxyPreserveHost On
ProxyVia on

## Jira [PROD]
ProxyPass /jira https://example.com:7710/jira
ProxyPassReverse /jira https://example.com:7710/jira


1. I would like to know what is causing this problem?
2. How can I solve this problem?

Thanks,
Otis

