Re: [users@httpd] Hexadecimal representation of special characters breaking JSON logs
On Tue, Jul 2, 2024 at 6:54 PM Dominic Humphries wrote:
>
> As per
> https://httpd.apache.org/docs/current/mod/mod_log_config.html#format-notes we
> see special characters getting represented in our logs by their hexadecimal
> representation - \xhh
>
> However, we output our logs in a json format, and this representation results
> in invalid JSON, which gives us problems when we forward them to Logstash.
>
> A path of /abc gives us the expected output: "@message": "GET /abc HTTP/1.1"
> which is valid JSON
> But a path of e.g. /abcé results in: "@message": "GET /abc\xc3\xa9 HTTP/1.1"
> which results in jq reporting parse error: Invalid escape
>
> Ideally, we'd like to disable the hex representation and just have the
> original string in our logs. Failing that, adding additional backslashes to
> escape the inserted hex seems like it should work, and I thought piping the
> log via sed would allow for this, but for some reason
>
> CustomLog "|$/usr/bin/sed 's/old/new/g' >> logfile" logstash_ext_json
>
> just results in nothing being logged to the file - no errors anywhere, just
> no logging happening.

sed may buffer input/output, so it might take a while before anything is written to the logfile.

> Any advice on how to fix the logging so every special character doesn't break
> JSON parsing would be appreciated!

The correct solution - proper JSON-style escaping - is currently stuck in this pull request: https://github.com/apache/httpd/pull/429

If you build httpd yourself anyway, you can just apply that patch locally, test it, and report your results in the pull request. That may help it move towards getting merged into the 2.4 branch.

As a workaround, substitute \x with % in your log pipeline.

Rainer

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
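The log pipeline workaround from the reply above, as an added example that is not part of the thread and not httpd's own code. It is a filter meant to sit behind a piped CustomLog (the path /usr/local/bin/fix_json_log.py and the three sample records are assumptions). The \xhh escaping exists so that attacker-chosen bytes in a request line cannot smuggle raw CR/LF or control characters into the log, so the filter does not write the raw bytes back; it decodes valid UTF-8 and re-emits it as JSON \uXXXX escapes, falls back to the %hh form suggested above for bytes that are not valid UTF-8, and consumes httpd's own \\ and \" escapes first so that a literal backslash in a request is never mistaken for the start of a \xhh sequence. Every record is flushed as soon as it is written, which sidesteps the buffering problem seen with sed.

```python
import json
import re
import sys

# Constructed sample records, shaped like the poster's JSON LogFormat output.
# mod_log_config has already turned '"' and '\' into \" and \\ and every other
# special byte into \xhh, so the second line carries a literal backslash that
# must NOT be read as the start of an escape.
SAMPLE_LINES = [
    r'{"@message": "GET /abc\xc3\xa9 HTTP/1.1"}',      # valid UTF-8: é
    r'{"@message": "GET /a\\x41 HTTP/1.1"}',           # request contained a real backslash
    r'{"@message": "GET /bad\xff\x0a HTTP/1.1"}',      # invalid UTF-8 byte, then a newline
]

# Consume httpd's escapes left to right: a doubled backslash or an escaped quote
# is taken whole, so "x41" after a literal backslash is left alone; runs of
# \xhh are grouped so multi-byte UTF-8 sequences are decoded together.
_TOKEN = re.compile(r'\\\\|\\"|(?:\\x[0-9a-fA-F]{2})+')


def _rewrite(m: "re.Match") -> str:
    tok = m.group(0)
    if tok in ('\\\\', '\\"'):
        return tok                          # already valid JSON escapes
    raw = bytes.fromhex(tok.replace('\\x', ''))
    # surrogateescape keeps undecodable bytes as U+DC80..U+DCFF so they can be
    # handled per byte instead of rejecting the whole run
    text = raw.decode('utf-8', errors='surrogateescape')
    out = []
    for ch in text:
        cp = ord(ch)
        if 0xDC80 <= cp <= 0xDCFF:
            out.append(f'%{cp - 0xDC00:02x}')   # the %hh workaround from the reply
        else:
            # json.dumps re-escapes control characters and non-ASCII (\n, \u00e9),
            # so log injection via CR/LF stays neutralised
            out.append(json.dumps(ch, ensure_ascii=True)[1:-1])
    return ''.join(out)


def fix_line(line: str) -> str:
    """Return LINE with httpd's \\xhh escapes replaced by valid JSON escapes."""
    return _TOKEN.sub(_rewrite, line)


def parse_fixed(line: str) -> dict:
    """Convenience check: the repaired record must parse as JSON."""
    return json.loads(fix_line(line))


def main() -> None:
    # Filter for CustomLog "|/usr/local/bin/fix_json_log.py >> logfile" (path
    # assumed): flush after every record so nothing sits in a buffer the way
    # sed's output did.
    for line in sys.stdin:
        sys.stdout.write(fix_line(line))
        sys.stdout.flush()


if __name__ == '__main__':
    main()
```

Run as a filter, the script turns the poster's failing record into `"GET /abc\u00e9 HTTP/1.1"`, which jq and Logstash accept; the original bytes are recoverable from the JSON string, and a request that really contained `\x41` stays `\\x41` instead of being silently decoded to `A`.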
Re: [users@httpd] Directory Trailing Slash When Behind Load Balancer
On Tue, May 14, 2024 at 6:07 PM Gavin Spomer wrote:
>
> Hello,
>
> I recently migrated my Apache web server from FreeBSD to Ubuntu Server and
> found an issue with URLs that point to a directory, but don't include the
> trailing slash, when going through our institution's load balancer. If I
> access directly (not going through the load balancer), everything works fine:
>
>    http://mywebserver.example.com/application
>
>    Above works as, from reading the mod_dir documentation, it redirects to
>    http://mywebserver.example.com/application/ (adds the trailing slash) and
> thus the application's index.php script
>    is executed.
>
> My web server is fronted by our institution's load balancer which does SSL
> termination and then sends the request to my web server on port 81. I am not
> seeing the same behavior when accessing through our load balancer:
>
>    https://loadbalancer.example.com/application
>
>    The above doesn't work. It hangs, times out and then redirects to
> http://loadbalancer.example.com:81/application/
>    with a "This site can’t be reached" message. It does work if I explicitly
> add the slash to the URL in my browser:

That's probably not the order that events are actually happening. It most likely redirects to http://loadbalancer.example.com:81/application/ first.

[...]
>
>    ServerName mywebserver.example.com:81

Redirects require a complete URL, and mod_dir is probably assembling that using the ServerName.

Use the developer tools in your browser or curl -v to see what's actually going on, particularly the "Location:" response header, which is the URL the redirect is sending your browser to.

Rainer
Re: [users@httpd] Redirecting based on IP
On Thu, May 16, 2024 at 1:15 AM Dave Wreski wrote:
>
> Hi,
>
[...]
> The staging site is even protected with a RequireAll statement for the
> DocumentRoot based on the IP, which then results in a 404 and other errors in
> GSC.

That sounds wrong. If your RequireAll was working as advertised, should it not return a 403?

[...]
>
> The next steps I'd like to do is to redirect anyone not in that RequireAll
> statement to be redirected to the production site. Is this possible? Perhaps
> a RewriteCond that depends upon certain IPs, then otherwise redirects to the
> production site?

I don't think relying on the IPs is a good idea, since those will change, and the proper process to validate them requires 2 DNS lookups, if I'm not mistaken.

Just use a RewriteCond + RewriteRule to generously check the User-Agent and perform the redirect. You may have to set an environment variable in the rewrite rule and check that in your RequireAll statement to permit the 301 response to be sent.

You may want to verify that the Vary: User-Agent response header gets sent to the client to prevent cache pollution.

Rainer
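The rewrite plus environment variable arrangement described above, written out as an added example that is not from the thread. The host names, the /var/www/staging path, the 192.0.2.0/24 range and the choice of "Googlebot" as the User-Agent that may keep seeing staging are all assumptions.

```apacheconf
# Added example, not from the thread. Assumes staging is served from
# /var/www/staging, the production site is https://www.example.com/, the
# allowed office range is 192.0.2.0/24 and that a User-Agent containing
# "Googlebot" is the visitor that should keep seeing staging.
<VirtualHost *:443>
    ServerName staging.example.com

    RewriteEngine On
    # Server-context rules run before the access check in <Directory>, so the
    # request can be marked here. Anything that does not look like Googlebot is
    # sent to production with a 301.
    RewriteCond %{HTTP_USER_AGENT} !Googlebot [NC]
    RewriteRule ^/(.*)$ https://www.example.com/$1 [R=301,L,E=SEND_TO_PROD:1]

    # The redirect is delivered by a handler that runs after access control, so
    # without the environment variable the Require below would turn the 301
    # into a 403 before the client ever sees the Location header.
    <Directory "/var/www/staging">
        <RequireAny>
            Require ip 192.0.2.0/24
            Require env SEND_TO_PROD
        </RequireAny>
    </Directory>

    # A shared cache must key the response on the User-Agent, or Googlebot could
    # be handed the 301 meant for everybody else. "always" covers the 301 too;
    # verify with: curl -sI https://staging.example.com/ | grep -i vary
    Header always append Vary User-Agent
</VirtualHost>
```

Only requests that mod_rewrite has already decided to redirect carry SEND_TO_PROD, so the second Require never exposes staging content: it merely lets the 301 through.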
Re: Re: [users@httpd] Unable to unset Set-Cookie response header
On Tue, Nov 14, 2023 at 3:24 PM Luigi Bellio wrote:
>
> Hi Eric,
>
> thanks for your feedback ... I just tried, nothing is changed ...
> moreover as documented the "always" directive should apply to all
> response codes not only "on success".

You're missing one important issue the documentation raises: https://httpd.apache.org/docs/2.4/mod/mod_headers.html#header

"always" and "onsuccess" apply to different sets of headers, therefore it might help if you try duplicating your 'Header unset' line, one with *and* one without "always".

Rainer
Re: [users@httpd] Unable to build Apache httpd
On Tue, Oct 24, 2023 at 5:32 AM Frank Gingras wrote:
>
> Perhaps the libtool version is older/different - what happens when you remove
> the space?
>
> On Fri, Oct 20, 2023 at 12:19 PM Daga, Navin (Navin) wrote:
>>
>> I'm trying to build Apache httpd RPM from the source tarball as mentioned in
>> https://httpd.apache.org/docs/2.4/install.html
>>
>> However, it always fails with the error "libtool: error: require no space
>> between '-L' and '-R'"
>>
>> Complete Error :
>>
>> /usr/lib64/apr-1/build/libtool --silent --mode=link gcc -o
>> htpasswd htpasswd.lo passwd_common.lo -L -R -laprutil-1 -ldb-5.3
>> -lexpat
>>
>> /usr/lib64/libapr-1.la -lpthread -lcrypt
>>
>> libtool: error: require no space between '-L' and '-R'

The problem here is not the space, but the fact that -L requires a directory as an argument - like -L/usr/local/lib - and consumes the following argument (in this case -R) instead. You'll need to figure out why no path is included here. -R should also have a path argument, but I would have expected -Wl,-rpath to be used instead on Linux.

All this points to the ./configure script and its friends getting very confused. I'd recommend re-trying the build in a clean Fedora Docker container with only the required packages (gcc, make, ...) installed from the distribution's default repositories. Once you have a working build, it should be easier to determine where your current problems actually start.

Rainer
Re: [users@httpd] dynamic ssl cert/key selection
On Fri, Oct 20, 2023 at 5:31 PM Marc wrote:
[...]
>
>    ServerAlias test.*.*
[...]
>
> > A trivial and safe way if you need a solution asap might involve declaring
> > a for each host.
>
> I would like to have single access/error log for all these serveralias
> matches.

That's no problem, multiple vhosts can write into the same access/error logs.

> > I’ve not seen globbing/wildcarding like this, and also makes me curious is
> > it possible to get a public key signed by a CA with this globbing pattern?
>
> yes I am getting the certs like this. I just want to prevent creating the
> vhosts

I think what he meant is whether CAs issue wildcard certificates like test.*.*. They don't, and that wouldn't work anyway, since only one * is allowed, only at the beginning, and only representing a single level of host names.

Concerning your problem, I think you're stuck with creating multiple vhosts if you want to use httpd with multiple separate certificates. If you can get a single certificate with all your hostnames as SAN entries, that would work as well.

As an alternative, you could use OpenResty as an SSL offloader, and load your certificates on demand using some lua code in ssl_certificate_by_lua_block (https://github.com/openresty/lua-nginx-module#ssl_certificate_by_lua_block)

Rainer
Re: [users@httpd] Apache static compile
On Wed, Apr 12, 2023 at 1:49 AM Chris me wrote:
>
> Basically I am trying to run a later version of apache that supports the
> newer TLS alongside a much older version. I know it is better to upgrade the
> server, etc. but that is not an option for the legacy server.
>
> I basically need a completely stand alone version of httpd so I don’t have to
> worry about upgrading the server libs and current openssl version.

Set an installation path with --prefix=/usr/local/completelyseparatehttpd and LDFLAGS=-Wl,-rpath,/usr/local/completelyseparatetlslibrary when you configure your httpd and you should be done.

rainer
Re: [users@httpd] Apache static compile
On Sat, Apr 8, 2023 at 11:22 PM Chris me wrote:
>
> Right. Is there an option to compile Apache using a non-standard location for
> dynamic libs? IE instead of /usr/lib it could use /usr/lib/custom
>
> I was not able to find anything other than using an ELF patcher to try and
> change the paths directly in the httpd binary file, but not sure how that
> would turn out.

Those are usually configured during link time, i.e. via LDFLAGS. It's not entirely clear what you want, and there are at least a dozen rules how the various options interact, so I'd recommend you check the man page for your system's runtime linker (probably man ld). Normally, you'll just pass -Wl,-rpath,/your/lib/search/path, but maybe you want to mess with DT_RUNPATH, DT_RPATH or SEARCH_DIR.

Rainer
Re: [users@httpd] Multi-domain with SSL - Virtualhost all need IPs?
On Wed, May 18, 2022 at 11:53 PM Frank Gingras wrote:
>
> Not sure if you saw the other answer on the other email:
>
> // If you can't use a SAN, then you need to configure all your vhosts as
> IP:443, whereas one vhost uses a separate IP, and the remainder uses the
> second IP.

That sounds wrong to me. Apache should pick a matching certificate for the hostname specified via SNI by the client, if any, or the first one configured as a fallback (assuming the vhost IP / * specification matches). Note that only vhosts with IP:port are considered, if any are specified and match the request. You should be able to use *:443 for all vhosts.

Rainer
Re: [users@httpd] How to use DH 4096 parameters?
On Sun, Mar 13, 2022 at 8:08 PM Walter Hop wrote:
[...]
> I’m confused where the DH 3072 comes from. My question is, what should I
> configure so that DH 4096 is sent?

Your problem is in step 2) generate DH params - internet.nl explicitly states that "Self-generated groups are 'Insufficient'". Follow their instructions to download one of the pre-defined groups from RFC 7919 to make that test happy.

Rainer
Re: [users@httpd] RE: (EXTERNAL) Re: [users@httpd] Patching httpd in MacOS?
On Thu, Oct 28, 2021 at 1:18 AM Rich Barron wrote:
>
> We are doing a security audit. The software saw the unpatched version in the
> MacOS and flagged it as a violation – so that is what needs to be patched.

I don't know how Apple handles bundled software. Are you sure that this is not a false positive and that the relevant security issues have not been patched even though the version number wasn't changed?

Anyway, I think this is a MacOS problem, you'll have to find out how to disable, uninstall or update httpd with the MacOS specific tools, find evidence that the installed httpd is actually safe or plead with Apple to provide an update.

rainer
Re: [users@httpd] How to display the True-Client-IP header in the access log
On Tue, Oct 19, 2021 at 1:44 PM Mason Hayes wrote:
>
> Hi, All
>
> When Apache is accessed via a CDN (Akamai), I would like to record the IP of
> the accessing client in the Apache logs.
> In order to display the True-Client-IP header sent by Akamai in the access
> log like X-Forward-For, do I have to change the Logformat setting in
> httpd.conf as follows?
>
> Logformat
> "%{True-Client-IP}i %h %l %u %t \"%r\" %>s %b \"%{Referer}i\"
> \"%{User-Agent}i\" combined

That looks OK, but you may want to look into using https://httpd.apache.org/docs/2.4/mod/mod_remoteip.html

You would have to set RemoteIPHeader to True-Client-IP and, since Akamai to my knowledge doesn't publish a list of its source IPs, consider some kind of authentication, e.g. basic auth https://httpd.apache.org/docs/2.4/mod/mod_auth_basic.html to protect the vhost from access without Akamai. Otherwise anyone would be able to fake an arbitrary source IP in your logs.

rainer
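The mod_remoteip plus basic-auth arrangement suggested above, as an added example that is not from the thread. The host name, the /etc/httpd/akamai.htpasswd file and the cdn_combined format name are assumptions; the credentials would have to be configured on the CDN side so that every origin request carries them.

```apacheconf
# Added example, not from the thread. Assumes a vhost for www.example.com that
# is only ever reached through the CDN, an htpasswd file at
# /etc/httpd/akamai.htpasswd holding the credentials configured on the CDN, and
# that the CDN sends the visitor address in True-Client-IP.

# %a is the address mod_remoteip derived from the header, %{c}a the TCP peer
# (the CDN node). Logging both makes a spoofing attempt visible: a direct
# client shows up with its own address in %{c}a and whatever it chose in %a.
LogFormat "%a %{c}a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" cdn_combined

<VirtualHost *:443>
    ServerName www.example.com
    CustomLog logs/access_log cdn_combined

    # Take the client address from the CDN header. Without a RemoteIPTrustedProxy
    # list, mod_remoteip accepts this header from *any* peer, and the value it
    # yields feeds %a and every "Require ip" decision. That is why the vhost is
    # closed below instead of being left open to direct requests.
    RemoteIPHeader True-Client-IP

    # Only the CDN knows these credentials, so a request that arrives without
    # them never gets to plant a True-Client-IP value in the log.
    <Location "/">
        AuthType Basic
        AuthName "CDN origin"
        AuthUserFile /etc/httpd/akamai.htpasswd
        Require valid-user
    </Location>
</VirtualHost>
```

If the CDN's egress ranges are known, a RemoteIPTrustedProxy list limiting whose True-Client-IP is believed is the better control; basic auth is the fallback the reply suggests when no such list exists.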
Re: [users@httpd] Re: Reverse proxy to a website with HTTPS
On Mon, Aug 23, 2021 at 10:45 AM Scott Trakker wrote:
[...]
> The certificate for the subdomain 'nextcloud.jeroenverhoeckx.com' is
> installed correctly:

No. Having a certificate and actually using it on the https server listening on port 443 are two entirely different things.

Try https://www.ssllabs.com/ssltest/analyze.html?d=nextcloud.jeroenverhoeckx.com

regards, rainer
Re: [users@httpd] brotli with Apache and PHP-FPM - possible?
[...]
> But does not work if it's PHP - in this case, the content is compressed
> with "gzip":
>
> $ curl -v -H "Accept-Encoding: gzip, deflate, br"
> https://server.tld/pp.php 2>&1 | grep content-encoding
> < content-encoding: gzip
>
> Curiously, it does work with PHP if I specify "br" as the only value in
> "Accept-Encoding" (browsers however use "gzip, deflate, br"):

Sounds like you need to enforce the correct order of the filters. I don't know how to do that using "AddOutputFilterByType", but with "FilterProvider", the example below should work. While you're there, you can also enable mod_buffer to improve the compression ratio:

BufferSize 131072
FilterProvider buffer BUFFER "resp('Transfer-Encoding') == '' && %{CONTENT_TYPE} =~ m|^text/|"
FilterProvider gzip_compression DEFLATE "resp('Transfer-Encoding') == '' && %{CONTENT_TYPE} =~ m|^text/|"
FilterProvider brotli_compression BROTLI_COMPRESS "resp('Transfer-Encoding') == '' && %{CONTENT_TYPE} =~ m|^text/|"
FilterChain buffer brotli_compression gzip_compression

rainer
Re: Re: [users@httpd] Set SSLCipherSuite dependent on client IP
On Wed, Feb 24, 2021 at 6:01 PM Hildegard Meier wrote:
[...]
> Could it be possible another way to give clients of a specific vHost
> different SSLCipherSuite's depending on their IP address? (cipher of first
> handshake, no renegotiation)

You can work around this by setting up a separate vhost on a different port or IP and redirect the incoming traffic using the firewall/NAT tools supplied with your OS. Under Linux, something similar to the following might work:

iptables -t nat -A PREROUTING -p tcp -s 1.2.3.0/24 --dport 80 -j REDIRECT --to 8080

regards, Rainer
Re: [users@httpd] Self built httpd 2.4.43 problems
On Mon, Nov 2, 2020 at 4:17 PM Gabriele Bulfon wrote:
>
> Thanks, I configured and ran server-status after stopping/starting apache.
> Top output is:
>
[...]
> What should I check?
> Also, when system blocks I won't be able to see server-status, as it will be
> not responding.
> Should I check it daily and look for a specific info that grows?

"requests currently being processed" would probably increase if threads are permanently blocked. I would recommend logging this every few seconds, so that you can at least check after the fact how quickly the system filled up.

You should have ExtendedStatus enabled, which should give you a complete list of all threads and their states. Any that are active (probably "W", definitively not "." or "_") processing a single request for extended periods are suspicious, especially if multiple of the same kind start piling up.

If httpd does not respond to requests anymore, and you have multiple worker children, you can sometimes get away with killing one and try to squeeze a status request in there before it gets overrun again.

Anyway, server-status will only provide rough hints of what's going on. If it is indeed httpd, you'll probably need gdb backtraces.

rainer
Re: [users@httpd] Self built httpd 2.4.43 problems
On Mon, Nov 2, 2020 at 11:13 AM Gabriele Bulfon wrote:
>[...]
> Recently we built version 2.4.43 and installed on a test machine.
> Here, we are experiencing a problem where almost once a week we have to
> restart apache, which is no more responding.
> Threads are there, but none is answering on port 80, waiting forever.
[...]
> What may be the issue?

Lots of options, more information needed. If it's an issue that slowly eats up your worker threads, monitoring the server-status page with ExtendedStatus On may provide good hints.

Otherwise, wait until it stops responding and try to check with strace if anything suspicious is going on. Finally, check "thread apply all bt" in a gdb session attached to some of the blocked processes, possibly a few times with cont and Ctrl+C in between to see where it's really waiting. You may need to re-build with debug info, and/or install the debug info for all libraries your httpd is linked against.

rainer
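The "log server-status every few seconds" advice from both replies above, as an added example that is not from the thread and not an httpd tool. It polls the machine-readable server-status?auto variant (the URL and the poll interval are assumptions; the sample response is constructed) and writes one summary line per interval: busy and idle workers plus a per-state count derived from the scoreboard, so that after a hang the growth of "W" slots can be read back from the log. The request carries a short timeout, so when httpd stops answering the poller records UNREACHABLE rather than hanging alongside it. Keep /server-status itself restricted (Require local or a Require ip list for the monitoring host): it exposes client addresses and request URIs.

```python
import sys
import time
import urllib.request
from collections import Counter
from typing import Dict

# httpd's scoreboard legend, as printed on the server-status page itself
SCOREBOARD_LEGEND = {
    '_': 'waiting', 'S': 'starting', 'R': 'reading', 'W': 'sending',
    'K': 'keepalive', 'D': 'dns', 'C': 'closing', 'L': 'logging',
    'G': 'graceful', 'I': 'idle-cleanup', '.': 'open-slot',
}

# Constructed sample of the "?auto" output, shortened to the lines this script
# reads; a real response carries more counters (Uptime, ReqPerSec, ...).
SAMPLE_AUTO = """\
Total Accesses: 48213
Total kBytes: 901233
BusyWorkers: 6
IdleWorkers: 4
Scoreboard: WWWWWR____.........
"""


def parse_status(text: str) -> Dict[str, str]:
    """Turn the 'Key: value' lines of server-status?auto into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(':')
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def scoreboard_counts(scoreboard: str) -> Dict[str, int]:
    """Count workers per state, named with the legend above."""
    counts = Counter(scoreboard)
    return {SCOREBOARD_LEGEND.get(ch, ch): n for ch, n in counts.items()}


def summarize(text: str) -> Dict[str, int]:
    """The numbers worth logging every few seconds: busy, idle and per-state."""
    fields = parse_status(text)
    out = {'busy': int(fields.get('BusyWorkers', 0)),
           'idle': int(fields.get('IdleWorkers', 0))}
    out.update(scoreboard_counts(fields.get('Scoreboard', '')))
    return out


def poll(url: str, interval: float, timeout: float = 3.0) -> None:
    """Append one summary line per interval. A hung httpd shows up as an
    UNREACHABLE line instead of a poller that hangs with it."""
    while True:
        stamp = time.strftime('%Y-%m-%dT%H:%M:%S')
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                body = resp.read().decode('utf-8', 'replace')
            line = f'{stamp} {summarize(body)}'
        except Exception as exc:          # timeout, connection refused, 5xx ...
            line = f'{stamp} UNREACHABLE {exc!r}'
        print(line, flush=True)
        time.sleep(interval)


if __name__ == '__main__':
    # e.g. ./status_poll.py http://127.0.0.1/server-status?auto 5 >> status.log
    url = sys.argv[1] if len(sys.argv) > 1 else 'http://127.0.0.1/server-status?auto'
    poll(url, float(sys.argv[2]) if len(sys.argv) > 2 else 5.0)
```

On the sample, the summary reports 6 busy workers split into 5 sending and 1 reading, 4 waiting and 9 open slots; a steadily climbing "sending" count with a flat request rate is the pattern the replies describe as suspicious.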
Re: [users@httpd] Apache mod_autoindex and mod_deflate (gzip). Can't get pages compressed
[...]
> FilterProvider COMPRESSDEFLATE "%{Content_Type} =
> 'text\/html.*$'"

I don't think you can use regular expressions with just '=', you'll have to use '=~'. Search 'regex' in the documentation at https://httpd.apache.org/docs/2.4/expr.html for the exact syntax required.

rainer
Re: [users@httpd] Apache mod_autoindex and mod_deflate (gzip). Can't get pages compressed
On Fri, Jul 31, 2020 at 9:01 PM eika from Ru-Board wrote:
>
> Hi folks!
>
> I came across an issue I can't fix. I have Apache/2.4.43 OpenSSL/1.1.1g
> with mod_autoindex (showing directory listings instead of index.html) and
> with mod_deflate.
>
> I was able to get content gzipped, but only if they are files with
> extensions (e.g. .css, .html, etc.) But when I want to get a gzipped page
> coming from mod_autoindex, I can't get it. E.g. https://domain.dom,
> https://domain.dom/somedir/, https://domain.dom/test/, etc. These URLs come
> without a Content-encoding: gzip header.
>
> I think that I am not far from the reason why, because I found that
> directory indexes are sent in chunks (transfer-encoding: chunked). But files
> with extensions came with these headers:

I suspect that you have simply configured mod_gzip to be only active for URLs ending in .html etc, and the transfer-encoding just happens to correlate with that because it's not a local "file" but generated dynamically.

You should check the outgoing content-type instead of the URL. We've been using the following for quite some time:

FilterProvider buffer BUFFER "%{CONTENT_TYPE} =~ m|^text/|"
FilterProvider buffer BUFFER "%{CONTENT_TYPE} =~ m|^model/|"
[... more content types ]
FilterProvider gzip_compression DEFLATE "%{CONTENT_TYPE} =~ m|^text/|"
FilterProvider gzip_compression DEFLATE "%{CONTENT_TYPE} =~ m|^model/|"
[...]
FilterChain buffer gzip_compression

rainer
Re: [users@httpd] TLS Client Hello not responded by mod_ssl
> Dear Apache enthusiasts ...
>
> My application is a very simple https-only apache (2.4.43) server with
> mod_ssl (openssl 1.1.1g) in Linux (crux distribution 3.5).
[...]
> ./configure --enable-layout=CRUX \
> --with-apr=/usr \
> --with-apr-util=/usr \
> --with-pcre=/usr \
> --enable-so \
> --enable-modules=all \
> --enable-mods-shared=all \
> --enable-mpms-shared=all
[...]
> == (d)
> ./config --prefix=/usr \
> --libdir=lib \
> --openssldir=/etc/ssl \
> shared \
> enable-ec_nistp_64_gcc_128
> == -the end-

It appears that you're trying to use a custom openssl installation to build your httpd, but at a casual glance, I haven't seen anything that would actually make your httpd use that openssl installation.

Make sure that only the correct openssl headers are included during the build, and that the LD_LIBRARY_PATH, LD_RUN_PATH or preferably DT_RUNPATH or DT_RPATH are set so that the matching libraries are loaded and used (typically using -Wl,-R,/). Also, make sure that no other modules or libraries are - possibly indirectly - linked against other versions of openssl and load those during runtime. Use ldd against all binaries involved to make sure.

If you want to dig deeper, I'd recommend re-compiling with debug infos (-g), running with mpm_prefork for simplicity, attaching one httpd process that's stuck in the ssl handshake and getting a full backtrace (bt full).

rainer
Re: [users@httpd] force secondary authentication for one Proxy URL QUERY_STRING
On Thu, Jun 11, 2020 at 3:13 PM Jason Keltz wrote:
[...]
> The URL that I would like to limit looks like this:
>
> https://example.com/#/?key=KJKJHjkdflkjsdflkjJhdsfjhf
[...]
> I want to only apply authentication when the QUERY_STRING includes "?key".

In the URL you have given above, "key" is not in the query string, it's in the fragment, which should never be sent to the server. I would suspect that that part is evaluated by Javascript in the browser, which probably triggers additional requests to some arbitrary, different URL. Not sure if authentication failures for such requests would ever cause the browser to request username/password interactively.

Use the developer tools in your browser to check what's really going on.

rainer
Re: [users@httpd] Proxy pass settings
On Fri, Jun 12, 2020 at 5:02 AM Niranjan Rao wrote:
>
[...] Example could be
>
> https://myserver/uat/app1
> https://myserver/qa/app1
>
>
> Earlier I have tried just https://myserver/app1 and it works correctly.
> But now I want to add environment to it. Applications don't know they
> are proxied and when "app1/" is accessed it sends back to "/app1/login",
> relative to app1.

That sounds like something you could fix with ProxyPassReverse: https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxypassreverse

If the html generated in your tomcat also contains absolute links, the note about mod_proxy_html may apply, but you'll have to decide for yourself at what point you may be better off re-configuring the tomcat applications.

rainer
Re: [users@httpd] Where is gone RemoteIPProxyProtocol directive (mod_remoteip) ?
On Wed, May 6, 2020 at 11:04 AM JK Pard0x wrote:
> Looking at the mod_remoteip source code for httpd 2.4.6 [1], it appears
> the directive RemoteIPProxyProtocol does not exist anymore. I'm not sure
> to understand how the versioning works.

And indeed, it looks like versioning works differently than you believe it does. With the vast majority of open source projects, the dots separate decimal numbers, not digits that are used individually. So 2.4.9 is older than 2.4.10 and 2.4.4 is a lot older than 2.4.40.

Compiling a mod_remoteip from a different version of httpd may work, but you should compile just the one module using the header files from the httpd developer packages, apr etc. that belong to the httpd you're actually using, not the one where you're getting the updated mod_remoteip.

I suspect you're using RHEL or CentOS. There are packages of newer httpds available, for example in the redhat software collections, but they are probably supported differently from the one included in the standard distribution.

rainer
Re: [users@httpd] Compiling Apache with Non-System OpenSSL
On Wed, Jul 31, 2019 at 1:39 AM Nigel B. Peck wrote:
>
> Thanks for the answers, great to have more insight on this.
>
> Is this a bug? Shouldn't it set up the linking correctly itself when
> the library has been specified using `--with-ssl`, as it does for
> `--with-pcre`? I'm considering submitting a bug report, but only want
> to do so if it really is.

In my opinion, this is not a bug. autoconf has been handling this the way it currently does for decades. Adding a RUN_PATH has the potentially unwanted side effect that the binary will preferentially use libraries from that directory instead of the system search paths. Additionally, the library locations during build time are frequently different from those used at run time.

If you want your library locations fixed at build time, try cmake.

rainer
Re: [users@httpd] Compiling Apache with Non-System OpenSSL
On Tue, Jul 30, 2019 at 7:15 AM Nigel B. Peck wrote:
>
> Hi,
>
> Having some trouble compiling Apache with non-system OpenSSL, any help
> appreciated. Looked at many threads online but no answers so far.
[...]
> Is there any way I can resolve this without having to add the location
> to LD_LIBRARY_PATH?

LDFLAGS=-Wl,-rpath,/path/to/libs ./configure --prefix to set the rpath. Depending on the platform you're on or the linker you're using, you may have to use -R instead.

You could also switch to cmake instead of autoconf, since cmake usually gets the linker options right on its own, if you point it to the correct directories.

rainer
Re: [users@httpd] caching of HTML5 (MP4)
On Sun, Jun 16, 2019 at 12:21 PM rexkogit...@gmx.at wrote:
[...]
>
> In HTTP 1.1, the caching is a simple HTTP header field, see section 14.9 here:
>
> https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html

The current RFC would be https://tools.ietf.org/html/rfc7234, but https://tools.ietf.org/html/rfc7232#section-2 may also apply here.

If you're serving the same file from multiple servers, you may have to ensure that the modification times are identical on all servers, so that the Last-Modified headers don't change, and possibly adjust the way ETags are calculated (see https://httpd.apache.org/docs/2.4/de/mod/core.html#fileetag), since the inode numbers may be different from one server to the next.

rainer
Re: [users@httpd] RE: Need some advice - thread safe php module
On Thu, May 23, 2019 at 12:15 AM Jeff Cauhape wrote:
>
> Yehuda,
>
> But how do you tell if the Apache thread-safe module is included?
>
> I’ve already wasted more than enough time on this task, and I’d like
> some way to determine I’m not just wasting more time.

It's in the FAQ, a single mouse click away from the link Yehuda has provided: https://blog.remirepo.net/pages/English-FAQ#scl

in short: pick the right package from Remi's repositories.

rainer
Re: [users@httpd] Tuning Apache Web Server Parameters
On Thu, May 2, 2019 at 11:57 AM Supun Abeysinghe wrote:
>
> Hi all,
>
> I'm working on a project to dynamically tune the parameters of the Apache web
> server. I'm particularly looking at changing MaxRequestWorkers (formerly
> known as MaxClients) parameter by looking at runtime characteristics. I have
> tried setting the parameter using the /etc/apache2/apache2.conf file, and
> gracefully restarting the server. However, the value set for
> MaxRequestWorkers does not seem to get reflected after the restart (I checked
> the running processes). Is there any alternative way of doing this?

Are you sure you're not hitting ServerLimit (https://httpd.apache.org/docs/2.4/en/mod/mpm_common.html#serverlimit)?

rainer
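The relationship the reply above points at, as an added example that is not from the thread. The event MPM and the numbers are assumptions; the constraint itself (MaxRequestWorkers cannot exceed ServerLimit times ThreadsPerChild, and ServerLimit changes are ignored by a graceful restart) is documented for mpm_common.

```apacheconf
# Added example, not from the thread. Assumes the event MPM and a server meant
# to handle at most 400 concurrent requests.
<IfModule mpm_event_module>
    # Hard ceiling on the number of child processes. A changed value is ignored
    # by a graceful restart; only a full stop and start picks it up.
    ServerLimit           16
    ThreadsPerChild       25
    # May be raised or lowered on a graceful restart, but never above
    # ServerLimit * ThreadsPerChild (16 * 25 = 400). A larger value is lowered
    # to that product, with a warning in the error log at startup, which is one
    # way a new MaxRequestWorkers can appear not to take effect.
    MaxRequestWorkers    400
</IfModule>
```

A tuner that wants to move MaxRequestWorkers upwards at run time therefore has to leave enough headroom in ServerLimit from the start, since that ceiling can only be changed with a full restart.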
Re: [users@httpd] Re: CVE-2019-0211 - Apache 2.2
On Wed, Apr 3, 2019 at 10:18 AM LuKreme wrote:
>
> On Apr 3, 2019, at 02:05, Hajo Locke wrote:
> > Is apache 2.2 exploitable by CVE-2019-0211 ?
> > Description says that first affected version is 2.4.17, but may be 2.2 was
> > not analyzed.
>
> “Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38” seems clear.

Since Apache httpd 2.2 is not supported anymore, it is quite possible that nobody has checked if 2.2 is affected. However, it looks like redhat has checked for their old RHEL releases that ship with 2.2 and they appear to be unaffected: https://access.redhat.com/security/cve/cve-2019-0211

rainer
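A version-range check that compares dotted versions the way the reply further up ("2.4.9 is older than 2.4.10") describes, applied to the "2.4.17 to 2.4.38" range quoted in this thread. This is an added example, not from either thread; the distribution-style version string in the last assertion is a constructed sample. Plain string comparison sorts 2.4.9 after 2.4.10, which is exactly the mistake that makes naive scanners mis-rate a server; and as the reply about RHEL shows, a version number alone says nothing about backported fixes, so the result of such a check is a prompt to look at the vendor's advisory, not a verdict.

```python
import re
from typing import Tuple


def version_key(version: str) -> Tuple[int, ...]:
    """'2.4.10' -> (2, 4, 10): each dot-separated component compared as a number.
    A distribution suffix such as in '2.4.6-93.el7' (constructed sample)
    contributes only its leading digits, which is one reason such versions say
    nothing about backported fixes."""
    parts = []
    for component in version.strip().split('.'):
        m = re.match(r'\d+', component)
        parts.append(int(m.group(0)) if m else 0)
    return tuple(parts)


def in_affected_range(version: str, first: str, last: str) -> bool:
    """True if FIRST <= VERSION <= LAST, compared component by component."""
    return version_key(first) <= version_key(version) <= version_key(last)


def naive_string_compare_misorders() -> bool:
    """Plain string comparison puts 2.4.9 after 2.4.10: the pitfall itself."""
    return '2.4.9' > '2.4.10'


# The range quoted in the thread for CVE-2019-0211
CVE_2019_0211_FIRST, CVE_2019_0211_LAST = '2.4.17', '2.4.38'


def cve_2019_0211_version_in_range(version: str) -> bool:
    """Version-number check only; a distribution may have backported the fix."""
    return in_affected_range(version, CVE_2019_0211_FIRST, CVE_2019_0211_LAST)
```

For a 2.2.x server the check returns False simply because 2.2 lies below the published range, which mirrors the reply: the advisory says nothing about 2.2, and only the vendor's own analysis does.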
Re: [users@httpd] restrict Location URL with special string
On Wed, Jun 13, 2018 at 2:27 PM MOKRANI Rachid wrote:
> I have URL like below (with ? and =)
> http://myserver/?s=about
>
> What’s the correct syntax to allow only some IP.
>
> Require ip 127.0.0.1
>

only matches the path part of the URL, not the query string (i.e. the part after the ?).

There's an example for matching QUERY_STRING in https://httpd.apache.org/docs/2.4/en/mod/core.html#if

Require ip 127.0.0.1

may work, but I haven't tested it.

rainer
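The untested suggestion above, written out as an added example that is not from the thread and, like the reply, not tested by its author. The "/" location and the 192.0.2.0/24 range are assumptions. Two details matter for the rule to hold: the parameter is anchored on both sides so that s=aboutus or xs=about do not match, and the query string is decoded with unescape() before matching, since %{QUERY_STRING} is the raw string and a percent-encoded %73=about would otherwise pass straight through.

```apacheconf
# Added example, not from the thread and not tested. Assumes the page is "/"
# and that 127.0.0.1 and 192.0.2.0/24 are the only clients allowed to request
# it with s=about in the query string.
<Location "/">
    # Match the decoded query string and anchor the parameter on both sides:
    # "s=aboutus", "xs=about" and a percent-encoded "%73=about" no longer
    # slip past the rule.
    <If "unescape(%{QUERY_STRING}) =~ /(^|&)s=about($|&)/">
        Require ip 127.0.0.1 192.0.2.0/24
    </If>
    # Requests with any other query string keep the access rules of the
    # enclosing configuration.
</Location>
```

Check it with two requests from an address outside the list: /?s=about must answer 403 and /?s=aboutus (or the encoded variant) must not be mistaken for the protected page in either direction.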
Re: [users@httpd] Logging in apache
On Wed, Apr 18, 2018 at 9:29 PM, Eric Covener wrote:
> On Wed, Apr 18, 2018 at 3:18 PM, Hemant Chaudhary
> wrote:
>> Thanks Eric
>>
>> It means threads are using a lock so that only one thread/process can write at a time.
> I believe it's unlocked, I think posix promises they will not be
> interleaved if written through a shared file descriptor.

If I recall correctly, that's only true as long as the log lines are shorter than PIPE_BUF (apparently 4096 on Linux). Very long log lines are actually sometimes written interleaved by httpd.

rainer
Re: [users@httpd] Need Help in AB load testing with random query params.
On Wed, Apr 11, 2018 at 5:54 PM, Absonworld . wrote:
> Hi All ,
[...]
> a) Input file : text1 text2 text3
>
> b) URL :- {{BaseURL}}/apps/{{ApplId}}/courses/search?query={{random text
> from input file }}
>
> I would like to hit this search URL with different/random texts present in
> the input file
[...]

maybe try siege (https://www.joedog.org/siege-home/) instead, but you'd still
have to expand your list of "random" texts to full URLs, e.g.

for i in `cat inputfile`; do echo {{BaseURL}}/...?query=$i ; done > URLs

and then use siege -f URLs

rainer
Re: [users@httpd] Is httpd 2.4.x is supported on CentOs6?
On Tue, Nov 28, 2017 at 1:47 PM, chetan jain wrote:
> Hi All,
>
> As apache 2.2.x is EOL, I need to upgrade to httpd 2.4.x version but I am
> not able to verify anywhere if it is supported/tested configuration with
> Centos 6 OS?

If your requirement is that you are only allowed to run supported software,
you may be able to stick with what you currently have, because the httpd
2.2.x packages that ship with RHEL 6 are still supported by Red Hat. In the
same vein, the essentially identical httpd 2.2.x packages that ship with
CentOS 6 are of course still supported by the CentOS team until November
2020, if I'm not mistaken.

rainer
Re: [users@httpd] Apache 2.4 DoS?
On Fri, Nov 10, 2017 at 6:41 PM, Douglas Duckworth wrote:
> Hi
>
> I am running old PHP under Apache httpd-2.4.
[...]
> Though, every few weeks, we see sudden increase in workers who never seem to
> retire:
>
> [Fri Nov 10 02:43:20.019924 2017] [mpm_prefork:error] [pid 13584] AH00161:
> server reached MaxRequestWorkers setting, consider raising the
> MaxRequestWorkers setting
>
> user@server[/var/www]$ ps aux | grep [h]ttpd | wc -l
> 257

If the php locks up while processing your request, no logs will be written.
You may be running into a bug where circular, unresolvable dependencies for a
lock prevent the processes from completing their requests.

To check what's going on, install gdb, the debug info for your php and httpd
and find the .gdbinit that came with the httpd and php version you're using.
Then attach gdb to any of the hanging processes (gdb `which httpd` PID),
source both .gdbinit files, do a "zbacktrace" and a "bt full", and repeat for
some other hanging processes. Depending on the type of lock, you may be able
to identify the first process that has acquired that lock that all others are
waiting for, and the php code and / or php module that causes it.

rainer
Re: [users@httpd] How can I detect if SSLEngine is ON?
[...]
> But, I don’t just need to know if a module is available: once the module is
> loaded, it's available for all virtualhosts. I need to know if the SSLEngine
> has been enabled within a virtualhost so I can do something like the
> following:

mod_ssl sets the environment variable HTTPS to "on" if the current request
was received via https. You should be able to use the "env=" conditions for
Header set to get your example to work as intended.

https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#envvars

rainer
Re: [users@httpd] Apache upgrade error
[...]
> [Wed Aug 02 23:57:17.644430 2017] [http:error] [pid 23461910:tid 4627]
> [client 10.140.66.12:50843] AH02429: Response header name 'P3P:
> policyref="/w3c/p3p.xml"' contains invalid characters, aborting request
>

The header name may not contain : or space. You have to assemble them as
separate name and value.

rainer
Re: [users@httpd] Mod_ Backtrace in apache-2.4.25
On Wed, Jun 21, 2017 at 8:16 AM, Hemant Chaudhary wrote:
> Hi
>
> Is mod_backtrace available to support apache-2.4.25? I want to support
> it on HPE Non-stop.
> If no then other module which can work as backtrace.

You can enable core dumps and use a cron job to automatically generate
backtraces and delete the core dump files in case there are too many.

rainer
Re: [users@httpd] Rewrite REMOTE_USER environment variable
On Tue, May 23, 2017 at 8:45 PM, Ken Mycock wrote:
> Eric
>
> It seems to make sense that REMOTE_USER wasn't set when the rule I tried in
> htaccess ran, as that would explain RU not being set.
>
> But, REMOTE_USER must be set by Apache, even if it is late in the sequence,
> so where/how can I get at it?

ap_add_common_vars() sets REMOTE_USER from r->user, and practically nothing
happens between then and the execution of the cgi script (assuming you're
using mod_cgi, I haven't checked anything else). So it looks like your
options are

- change the environment variable in the CGI process itself
- write an apache module to remove the leading zeroes
- possibly use mod_lua

rainer
Re: [users@httpd] Rewrite REMOTE_USER environment variable
On Tue, May 23, 2017 at 2:10 PM, Ken Mycock wrote:
[...]
> Hence, we need to allow authentication of either form of number but to strip
> leading zeros from the number stored in REMOTE_USER.
>
> I've tried various combinations of:
> RewriteCond %{REMOTE_USER} ^0*([1-9][0-9]+)
> RewriteRule ^0*([1-9]+)$ [E=RU:$1]

I haven't tested it, but I think

RewriteCond %{REMOTE_USER} ^0*([1-9][0-9]+)
RewriteRule ^ - [env=REMOTE_USER:%1]

might work. The RewriteRule does nothing to the current location, and sets
REMOTE_USER from a backreference on the RewriteCond matches.

rainer
Re: [users@httpd] Best Form Redirect Http --> Https VirtualHost Apache.
On Thu, Apr 20, 2017 at 2:05 AM, Wilmer Arambula wrote:
>
> If that domain points to your servers external IP, it will be handled by the
> first *:443 virtualhost:
>
> Ok, Perfect thanks a lot for your answer, is there any way to prevent it from
> redirecting to the first *: 443 virtualhost, without having to define a
> virtualhost for each domain undefined.

You can define one virtual host that handles all requests that do not match
any of your existing virtual hosts. If you define the new wildcard virtual
host in the correct order, you won't even have to use a ServerAlias with lots
of "*.* *.*.*" etc.

There's a detailed description of how virtualhost matching works at
https://httpd.apache.org/docs/2.4/vhosts/details.html

rainer
Re: [users@httpd] Re: Spoofing SERVER_PORT/HTTPS env?
[...]
>> SetEnvIf X-HTTPS "on" SERVER_PORT=443
>>
>> The above results in:
[...]
>> $_SERVER[SERVER_PORT]; => 80

We had the same problem a few years ago, and went with a workaround in the
end. We're simply setting and evaluating a different variable instead of
SERVER_PORT, e.g. OVERRIDE_SERVER_PORT, if it is set.

rainer
Re: [users@httpd] Some basic (idiotic) queries regarding tunnelling-proxy
> Now, we require something like opening an IFrame on the Server, and provide
> virtual access to the HTTP-Server (via Intermediatary), something like what
> Teamviewer does. We have the ability to modify to Server and Intermediatary,
> but not HTTP-Server in the general case.
>
> It would be great to have a Teamviewer-like experience, providing access of
> the HTTP-Server on the Server (via Intermediatary as the tunnelling-proxy).
> We are running Linux-flavours on Server and Intermediatary.

I don't understand what half of your statements may exactly mean, but this
doesn't appear to be an apache httpd related request. I think the dynamic
proxy option of most ssh clients (-D for openssh), used as a SOCKS proxy in
your browser may solve your problem. If that doesn't help, some sort of VPN
tunnel may be an alternative.

rainer
Re: [users@httpd] Unable to start apache-2.4.25; missing ssl module
On Wed, Mar 22, 2017 at 3:29 AM, John Iliffe wrote:
> Just in case anyone is thinking about this, I managed to resolve it, more
> by luck than by any plan.
>
> Basically, I just added links in the httpd/lib directory to everything that
> it claimed it couldn't find. Some are actually links to links.

Links to links are perfectly fine. Alternatives to your solution would be
setting LD_LIBRARY_PATH=/usr/openssl-1.0.2k/lib in the environment or
re-building apache with suitable LDFLAGS, e.g. on linux
-Wl,-rpath,/usr/openssl-1.0.2k/lib. Check the man pages for ld and ld.so (or
however the dynamic linker on your platform may be called).

rainer
Re: [users@httpd] apache run status: how to tell as non-root user (on *nix)?
On Tue, Feb 21, 2017 at 3:53 PM, Yann Ylavic wrote:
> On Tue, Feb 21, 2017 at 3:19 PM, Rainer Canavan wrote:
[...]
>> If you know where the .pid file is, you can read that and check if the
>> process is running, e.g. via ps --pid `cat /var/run/apache2.pid`
>
> Or:
> kill -0 `cat /var/run/apache2.pid`
>
> which is likely "lighter".

That's probably the preferred way if the user has the proper permissions, but
fails if a non-privileged user attempts to check if a process running as root
is actually running. I also haven't checked if ps --pid is POSIX or a GNU
extension, but it should at least work on debian.

rainer
Re: [users@httpd] apache run status: how to tell as non-root user (on *nix)?
On Tue, Feb 21, 2017 at 2:53 PM, Tom Browder wrote:
> I need to programmatically determine whether httpd is running or not, whether
> I'm root or not. The only reliable way I have found is to use the system
> command 'ps -C httpd' and grep the results.
>
> Is there a better way?

If you know where the .pid file is, you can read that and check if the
process is running, e.g. via

ps --pid `cat /var/run/apache2.pid`

rainer
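The two replies above (the `ps --pid` variant and the `kill -0` variant, with the objection that `kill -0` fails for an unprivileged user checking root's httpd) combine into one check. The script below is an added example, not code from the thread: `os.kill(pid, 0)` is the same system call `kill -0` makes, and the EPERM it returns for another user's process is treated as "running, not ours" instead of as a failure, so the check works from any account without parsing `ps` output. The pid-file path is the one used in the thread; everything else is an assumption of the example.

```python
import os

# Added example (not from the thread): classify the process named in an
# httpd .pid file using kill(pid, 0), which sends no signal and only reports
# whether the process exists and whether the caller may signal it.

DEFAULT_PIDFILE = "/var/run/apache2.pid"      # path from the thread


def httpd_state(pidfile=DEFAULT_PIDFILE):
    """Return one of:
    "running"        the process exists and we are allowed to signal it
    "running-other"  the process exists but belongs to another user (EPERM),
                     e.g. root's httpd checked from an unprivileged account
    "stale"          the pid file names a process that no longer exists
    "no-pidfile"     the file is missing or unreadable
    "bad-pidfile"    the file does not contain a positive integer
    """
    try:
        with open(pidfile) as fh:
            text = fh.read().strip()
    except OSError:
        return "no-pidfile"
    try:
        pid = int(text)
    except ValueError:
        return "bad-pidfile"
    if pid <= 0:                      # 0 and negatives address process groups
        return "bad-pidfile"
    try:
        os.kill(pid, 0)               # equivalent of `kill -0 PID`
    except PermissionError:           # EPERM: exists, owned by someone else
        return "running-other"
    except ProcessLookupError:        # ESRCH: no such process
        return "stale"
    return "running"


def is_running(pidfile=DEFAULT_PIDFILE):
    return httpd_state(pidfile) in ("running", "running-other")


def self_check():
    """Exercise the classifier on constructed pid files in a temp directory."""
    import tempfile
    d = tempfile.mkdtemp()

    def write(name, content):
        path = os.path.join(d, name)
        with open(path, "w") as fh:
            fh.write(content)
        return path

    return {
        "own": httpd_state(write("own.pid", "%d\n" % os.getpid())),
        "bad": httpd_state(write("bad.pid", "not a pid\n")),
        "missing": httpd_state(os.path.join(d, "missing.pid")),
        "init": httpd_state(write("init.pid", "1\n")),   # pid 1 always exists
    }


if __name__ == "__main__":
    import sys
    state = httpd_state(sys.argv[1] if len(sys.argv) > 1 else DEFAULT_PIDFILE)
    print(state)
    sys.exit(0 if state.startswith("running") else 1)
```

"stale" is only as reliable as the pid file: if the pid has been reused by an unrelated process after a crash, the check reports "running". Comparing the process name (e.g. `/proc/PID/comm` on Linux) against `httpd`/`apache2` closes that gap where it matters.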
Re: [users@httpd] Apache 2.4.18: warnings issued since environment vars definitions isn't always loaded
> sudo apache2 -M
>
> writes spurious lines like this:
>
> [Wed Jan 18 03:32:29.510875 2017] [core:warn] [pid 11564] AH00111: Config
> variable ${APACHE_LOG_DIR} is not defined
>
> even though the mentioned variable *is* defined in /etc/apache2/envvars

apache2 is the binary - you're not really supposed to use that directly when
starting the httpd service. The envvars script is used by the apache2ctl
script, not the httpd (=apache2) binary itself.

rainer
Re: [users@httpd] unresolved reference to ap_getword_nulls
On Fri, Dec 2, 2016 at 6:08 AM, Hemant Chaudhary wrote:
>> > "unresolved reference to ap_getword_nulls".
> After "make install", I started my apache server, but it was not running
> because it was unable to recognize .so file. Hence I planned to convert .a
> into .so file.
>
> I am porting apache on Tandem NonStop.
> While converting I got this error. I think I am missing some library.

You don't state how you attempt that conversion. You should not need to
perform any conversion, instead, apxs should generate a dynamic module.
ap_getword_nulls is defined by the httpd executable, but you shouldn't link
against it (if that is even possible), since the symbol is resolved when the
module is loaded.

rainer
Re: [users@httpd] Re: apache 2.4 core dump on launch, no error logging
On Thu, Nov 17, 2016 at 4:08 PM, @lbutlr wrote:
> On Nov 17, 2016, at 3:56 AM, Nick Kew wrote:
>> On Wed, 2016-11-16 at 12:12 -0700, @lbutlr wrote:
>>> When launching apache 2.4 I get a core dump. Nothing is logged to the
>>> http-error log. I’ve tried rebuilding it to no avail. Ideas?
>>>
>> At the top of your coredump is libpcre. Could it be that your
>> httpd has been built against a different/slightly incompatible
>> pcre version?
>
> Maybe? I’ve rebuilt apache several times and there’s been no change in
> behavior, and I’ve updated all port versions as of yesterday.
>
> PCRE-8.39 is installed. I’m not sure how to tell if http is trying to access
> a different version.

The output as posted is probably not too helpful, since it doesn't appear to
include a backtrace. Try a 'thread apply all bt full' in gdb; if there's only
one thread, and it's really OPENSSL_ia32_cpuid(), then openssl is the
culprit, and it's possible that the openssl command line client segfaults as
well, e.g. with openssl s_client or openssl s_server.

The list with pcre on the top is just the list of libraries gdb tries to load
debug symbols from. To get a more useful backtrace, you have to install the
debug symbols for all the relevant libraries, such that gdb does not complain
"(no debugging symbols found)" on startup for any library that is referenced
in any backtrace shown by 'thread apply all bt full'.

rainer
Re: [users@httpd] Parameter POST to PHP with proxy
[...]
> But I have a HTML form which calls doctechnique.example.com like this
[...]
> redirection to http://doctechnique.exemple.com is OK but I cannot retrieve
> the variable Hqsdf218regTYH414 in the PHP code of doctechnique.example.com
> (variable POST).

If by redirect you mean a 301 or 302 redirect, then your browser is probably
not POSTing the second request, but just using GET. If such a redirect is
indeed currently used and necessary, you may have to use 307. Check
https://tools.ietf.org/html/rfc7231#section-6.4

rainer
Re: [users@httpd] Unknown accepted traffic to my site
On Wed, Oct 5, 2016 at 6:26 PM, Joe Muller wrote:
> From the looks of it I would say it is targeting servers running SSL. Are
> you serving up HTTP or HTTPS ?

I don't think that that is valid SSL, unless your httpd discards the first
few bytes. There was a SANS handler diary entry just yesterday about this:

https://isc.sans.edu/forums/diary/SSL+Requests+to+nonSSL+HTTP+Servers/21551/

if I try `openssl s_client -connect localhost:14020`, I get the below entry
in my access.log, which matches the description in the diary:

127.0.0.1 localhost:14020 - - [06/Oct/2016:14:24:53 +0200] - "\x16\x03\x01\x01,\x01" 400 226 "-" "-"

this, however, is something completely different. I'd also guess it's some
kind of vulnerability scan:

> IP
> 0.0.0.0 - - [02/Oct/2016:11:29:08 +0300]
> "n\x1d\xb6\x18\x9ad\xec[\x1d\b\xe6k\xbb\xe5L" 200 48605
> 0.0.0.0 - - [02/Oct/2016:16:04:20 +0300]
> "\x95\xa3\xb1\xce\xc8\xeb:\x86\x87\xb4\x03g\xfa~\x9f{\x07\xda\xef6O\xa1~\x91[\xf2\x05E\xac\xad\x8d\x9d\xbe\xf5\xfc\xc5\"\xed\xa3u"
> 200 48605

Rainer
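The distinction drawn in the reply above (a TLS ClientHello sent to a plain-HTTP port versus arbitrary binary garbage) can be automated over an access log. The script below is an added example, not code from the thread or from httpd: it reverses the `\xhh` and C-style escaping httpd applies to log fields, pulls the request line out of the first quoted field, and checks whether the decoded bytes start with a TLS record header (content type 0x16, version 3.x, then handshake type 1 for ClientHello). The sample log is constructed from the lines quoted in the thread plus an ordinary GET; the observation that only six bytes survive because httpd reads the request line as a C string and stops at the first NUL byte (the high byte of the handshake length) is the example's own interpretation, not something the reply states.

```python
import re

# Added example (not from the thread): decode httpd's access-log escaping and
# flag request lines that are really raw TLS records on a plain-HTTP port.

# httpd writes non-printable bytes as \xhh and a few characters as C-style
# escapes (see the "format notes" in the mod_log_config documentation).
_ESC = re.compile(rb'\\(x[0-9a-fA-F]{2}|[nrtbv\\"])')
_SIMPLE = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"v": b"\v",
           b"\\": b"\\", b'"': b'"'}
# The first double-quoted field of a common/combined/vhost_combined line is
# the request line; an escaped quote inside it must not end the field.
_REQUEST = re.compile(rb'^(\S+) .*?"((?:[^"\\]|\\.)*)"')


def unescape_logitem(field):
    """Turn an escaped log field back into the bytes httpd actually received."""
    def repl(m):
        tok = m.group(1)
        if tok[:1] == b"x":
            return bytes([int(tok[1:], 16)])
        return _SIMPLE[tok]
    return _ESC.sub(repl, field)


def classify_request(raw):
    """Classify a decoded request line as a TLS record, plain text or binary.

    A TLS record begins with content type 0x16 (handshake) and the record
    version 0x03 0x0N; byte 5 is the handshake type (1 = ClientHello).  The
    logged bytes normally stop at the first NUL, which is the high byte of
    the handshake length, so six bytes is all that survives in the log.
    """
    if len(raw) >= 6 and raw[0] == 0x16 and raw[1] == 0x03 and raw[2] <= 0x04:
        return {"kind": "tls",
                "record_version": "3.%d" % raw[2],
                "record_len": int.from_bytes(raw[3:5], "big"),
                "handshake_type": raw[5]}
    if all(0x20 <= b < 0x7F for b in raw):
        return {"kind": "text"}
    return {"kind": "binary"}


def scan_access_log(data):
    """Return one dict per parseable line with the client and classification."""
    results = []
    for line in data.splitlines():
        m = _REQUEST.match(line)
        if not m:
            continue
        info = classify_request(unescape_logitem(m.group(2)))
        info["client"] = m.group(1).decode("ascii", "replace")
        results.append(info)
    return results


# Constructed sample: two request lines quoted in the thread plus a normal
# GET.  The doubled backslashes are Python escaping; the file on disk holds
# single backslashes, exactly as httpd writes them.
SAMPLE_LOG = (
    b'127.0.0.1 localhost:14020 - - [06/Oct/2016:14:24:53 +0200] - '
    b'"\\x16\\x03\\x01\\x01,\\x01" 400 226 "-" "-"\n'
    b'0.0.0.0 - - [02/Oct/2016:11:29:08 +0300] '
    b'"n\\x1d\\xb6\\x18\\x9ad\\xec[\\x1d\\b\\xe6k\\xbb\\xe5L" 200 48605\n'
    b'192.0.2.10 - - [02/Oct/2016:11:30:00 +0300] '
    b'"GET /index.html HTTP/1.1" 200 1234\n'
)

if __name__ == "__main__":
    for entry in scan_access_log(SAMPLE_LOG):
        print(entry)
```

A status of 400 together with `kind == "tls"` is the harmless case from the SANS diary (a client that spoke TLS to the wrong port); `kind == "binary"` with a 200 response and a large body, as in the second quoted line, is the one worth a closer look, because it means the server answered something to bytes that were never an HTTP request line.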
Re: [users@httpd] 2.4 named virtual hosts question
On Mon, Sep 12, 2016 at 7:37 PM, Marat Khalili wrote:
> On 12/09/16 18:47, Rainer Canavan wrote:
>> The obvious ones I can come up with would be Alias, ScriptAlias,
>> FastCGIExternalServer, Action and RewriteRule. All those can be defined in
>> the global context (i.e. outside of any vhost) and are valid for all vhosts.
>> (for RewriteRule, that may require RewriteOptions Inherit), all others
>> simply apply to all vhosts.
>
> But if I remove my default "deny" virtual host, what changes? That's what I
> cannot quite get in your explanation.

If you remove the special "deny" vhost, everything is fine. If you add one,
you may have set yourself a much larger set of traps than the configuration
options I've listed above.

rainer
Re: [users@httpd] 2.4 named virtual hosts question
On Mon, Sep 12, 2016 at 3:21 PM, Marat Khalili wrote:
> On 12/09/16 15:25, Rainer Canavan wrote:
>>
>> However, in this example, you'd add a virtualhost that may expose
>> globally configured resources without the individual access controls of
>> the "real" vhosts. On top of that, the additional vhost may not see any
>> significant testing in case of configuration changes.
>
> I don't get it, can you please provide an example? IMO any additional vhosts
> should not depend at all on what's inside this vhost.

The obvious ones I can come up with would be Alias, ScriptAlias,
FastCGIExternalServer, Action and RewriteRule. All those can be defined in
the global context (i.e. outside of any vhost) and are valid for all vhosts.
(for RewriteRule, that may require RewriteOptions Inherit), all others simply
apply to all vhosts.

>> Do _exactly_ that, e.g. with a RewriteRule to - and RewriteCond that
>> checks the Host: header.
>
> You mean, outside any virtualhost? Why do you think it's better? Initial
> problem was default virtualhost -- I want none.

that's exactly what I'm saying. A default vhost has the potential to add more
problems than it can ever solve.

[...]
>> Overall I'd say that the negligible gain in
>> perceived security isn't worth the effort or the additional risks
>> (both regarding security and availability).
>
> Well, for one thing log messages from actual vhosts and from internet scans
> are separated, this alone saves a lot of time.

Finally, an actual, measurable benefit, although it only filters out the
not-too-smart scanners.

rainer
Re: [users@httpd] 2.4 named virtual hosts question
[...]
>> Additionally, if you bind any further vhosts to specific IP addresses, e.g.
>> <VirtualHost 192.0.2.1:80>, then that virtualhost will have precedence for
>> requests to 192.0.2.1:80 over the *:80 virtualhost.
>
> In this case you'll have to create separate default deny configuration for
> each IP address, right?
>
>> Overall, I'd say that such a construct is more likely to increase the attack
>> surface instead of reducing it.
>
> I don't think _denying_ something can _increase_ attack surface.

However, in this example, you'd add a virtualhost that may expose globally
configured resources without the individual access controls of the "real"
vhosts. On top of that, the additional vhost may not see any significant
testing in case of configuration changes.

> But since
> there's seemingly demand for this kind of configuration it'd be nice if
> community helped make it better and more secure. What extra steps do you
> think one should take to securely deny (and subsequently ban) clients
> (mostly bots) that do not even know domain name they are accessing?

Do _exactly_ that, e.g. with a RewriteRule to - and RewriteCond that checks
the Host: header. I'd guess that httpd 2.4 has more elegant means to express
this with actual "deny" directives, possibly combined with a SetEnvIf. If
you're really serious, you'd also have to make sure that any error messages
don't contain the hostname, and you'd have to set reverse DNS lookups to
point to a useless name. Overall I'd say that the negligible gain in
perceived security isn't worth the effort or the additional risks (both
regarding security and availability).

rainer
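The two approaches named in the reply above (a global RewriteCond on the Host: header, or httpd 2.4's own deny directives) look like this in configuration. Both are an added example, not from the thread and not tested on a live server; the hostnames are placeholders. Neither needs a catch-all vhost, which is the point of the reply: the real vhosts keep their own access controls and nothing new is exposed. The assumption for the second variant is that an `<If>` section in the server context is merged into every vhost's per-directory configuration; confirm that with a request carrying a bogus Host: header before relying on it.

```apache
# Added example, not from the thread.  Everything here belongs in the global
# context, outside every <VirtualHost>; replace the example hostnames.

# Variant 1: mod_rewrite, as suggested in the reply.  Rules in the server
# context are not applied inside a vhost that defines its own rewrite rules
# unless that vhost sets "RewriteOptions Inherit" (pointed out earlier in
# this thread), so check each vhost.
RewriteEngine on
RewriteCond %{HTTP_HOST} !^(www|api)\.example\.com(:[0-9]+)?$ [NC]
RewriteRule ^ - [F]

# Variant 2: httpd 2.4 expression syntax, no mod_rewrite involved.  A missing
# Host: header (HTTP/1.0 scanners) or a bare IP address also ends in 403.
<If "%{HTTP_HOST} !~ /^(www|api)\.example\.com(:[0-9]+)?$/i">
    Require all denied
</If>
```

Use one variant, not both. As the reply notes, the 403 error page and `ServerSignature` must not leak the real hostname if the goal is to hide it; `ServerSignature Off` and a plain `ErrorDocument 403` cover that.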
Re: [users@httpd] 2.4 named virtual hosts question
>>
>> ServerName default
>>
>> AllowOverride none
>> Order Allow,Deny
>> Require all denied
>>
>> [...]

I'm not 100% sure, but that may not deny access to absolutely everything, in
case you have global directives such as cgi aliases or proxy constructs,
possibly with mod_rewrite and [P] which point to non-directory resources.
Therefore it may be better to use <Location /> instead of <Directory />.

Additionally, if you bind any further vhosts to specific IP addresses, e.g.
<VirtualHost 192.0.2.1:80>, then that virtualhost will have precedence for
requests to 192.0.2.1:80 over the *:80 virtualhost.

Overall, I'd say that such a construct is more likely to increase the attack
surface instead of reducing it.

rainer
Re: [users@httpd] Apache Host not found
On Wed, Jul 13, 2016 at 10:16 AM, Theo Sweeny wrote:
> Thank you Daniel.
>
> At the moment it is set to –
>
> STATUSURL="http://localhost:80/server-status";
>
> Should it be configured like so when there are multiple sites?
>
> STATUSURL="http://www.site1.com:80/server-status;
> http://www.site2.com:80/server-status; http://www.site3.com:80/server-status";

No, the output of mod_status is identical on all vhosts. If you get “Host not
found” for localhost, you should fix your /etc/hosts. You also may have to
unset http_proxy and related variables, if you have them in your environment.

rainer
Re: [users@httpd] RE: Apache default page shows up periodically
On Thu, Jun 30, 2016 at 11:37 PM, Rose, John B wrote:
> Single host.

If you haven't already, make sure that your LogFormat contains %v:%p _and_
host:\"%{host}i\" and check both if the problem reappears.

Is there any good reason why you still have the default vhost configured at
all, much less as the first (and therefore default) vhost?

rainer
Re: [users@httpd] How i can determine SSL protocol?
On Mon, Apr 18, 2016 at 10:47 AM, Виталий Фадеев wrote:
> Hello!
> We want to show different page for users that come with SSL3 or TLS/1.0
> Is this possible?
> For example, by creating two virtual servers with different
> SSLProtocols. DirectoryRoot, and the same ServerName?

I don't think that will work, because the SSL Handshake runs only once. If
you set SSLOptions StdEnvVars, you should be able to select/alter content
based on the SSL_PROTOCOL variable.

https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#envvars

rainer
Re: [users@httpd] Get UID/GID from a username string
On Fri, Apr 15, 2016 at 9:14 AM, Ben RUBSON wrote:
> Hello,
>
> I already do it with a RewriteMap Perl script, but perhaps a faster (in
> terms of performance) solution exists.
> Let's assume an incoming request contains a username, is there a way to get
> the system UID of this username string (Linux/FreeBSD) ?
> And from a UID string, to get the corresponding GID ?

I can't think of any solution that would work out of the box, but you can
always write your own apache module in C.

rainer
Re: [users@httpd] Self-compiled httpd and OpenSSL: Trying to start httpd without using LD_LIBRARY_PATH
On Fri, Apr 8, 2016 at 6:02 PM, Christopher Schultz wrote:
[...]
> I'm speaking from a position of ignorance, here, but can a dynamic
> library modify the main process's search path? If only mod_ssl is
> compiled with the static-path to OpenSSL but httpd is not (and it's
> not clear to me that httpd is missing this static-path), surely the
> loadable module isn't modifying the process's library load-path, is it?

The manpage would indicate that the runpath is only valid for the library for
which it has been set:

https://docs.oracle.com/cd/E19683-01/816-0210/6m6nb7md6/index.html

  The runtime linker uses a prescribed search path for locating the dynamic
  dependencies of an object. The default search paths are the runpath
  recorded in the object, followed by /usr/lib for 32-bit objects or
  /usr/lib/64 for 64-bit objects. This latter component can be modified
  using a configuration file created with crle(1). The runpath is specified
  when the dynamic object is constructed using the -R option to ld(1).
  LD_LIBRARY_PATH can be used to indicate directories to be searched before
  the default directories.

rainer
Re: [users@httpd] Self-compiled httpd and OpenSSL: Trying to start httpd without using LD_LIBRARY_PATH
On Fri, Apr 8, 2016 at 12:31 AM, Yann Ylavic wrote:
> On Thu, Apr 7, 2016 at 5:21 PM, Poggenpohl, Daniel wrote:
>>
>> LDFLAGS="-L$OPENSSLDIR/lib -R $OPENSSLDIR/lib"
>
> I don't know which compiler you are using, but gcc's -R is not working
> correctly (on Linux at least), whereas "-Wl,-rpath,$OPENSSLDIR/lib"
> is...

-R used to work for us on Solaris with gcc to compile/link/run our own httpd
/ php / curl / openssl stack. However, I'm not sure which linker we used to
use. If ldd claims it's picking up the correct libraries, I'd assume it
should work at runtime as well. In case there's any doubt, lsof may show
which libraries are actually used.

rainer
Re: [users@httpd] Re: How to load an image with out extension in browser
On Tue, Feb 16, 2016 at 3:42 PM, Curtis Maurand wrote:
>
> On 2/16/2016 5:37 AM, @lbutlr wrote:
>
> On Feb 16, 2016, at 2:02 AM, Aravin wrote:
>
> Before we upgrade the apache 2.4 the below image url can be viewable through
> browsers. but after upgraded the apache we are not able to view this image
>
> http://www.mytechlogy.com/upload/f457c545a9ded88f18ecee47145a72c01411190633050_5R4EHmGwkmmVaSaQLJdvH2hE6EZBaSOQIx2zHDrnJWubAdd6djHQQSkZHG4eSE0Ek4VNFEmDqcVw
>
> Works fine here.
>
> Works OK, here, too.

The response does not include a Content-Type: header field (with an
appropriate value, such as "image/jpeg" or whatever). Therefore it isn't
guaranteed to work, although it should work with practically all modern
browsers. If this is indeed the source of the problem, the MimeMagicFile
directive may help.

http://httpd.apache.org/docs/current/mod/mod_mime_magic.html#mimemagicfile

rainer
[users@httpd] AH00273: apr_proc_mutex_lock failed, possibly caused by cron, systemd or su
Hi,

we've got an obscure problem with the apache httpd that was shipped with
CentOS 7.2. We perform automatic builds and updates via cron, and, since the
update to CentOS 7.2. The update script is triggered by cron and stops, yum
updates and starts the httpd. When the next cron job that is run as the same
user as the httpd (not the update job) terminates, the httpd frequently
fails, starting with a AH00273: apr_proc_mutex_lock failed message, and then
a never ending loop of AH00272 messages, one from each httpd process that is
forked, until the listener process is stopped.

[Thu Dec 17 08:30:04.895455 2015] [mpm_worker:notice] [pid 12021:tid 140011320178752] - AH00295: caught SIGTERM, shutting down
[Thu Dec 17 08:30:52.783949 2015] [mpm_worker:notice] [pid 23947:tid 140703866935360] - AH00292: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips configured -- resuming normal operations
[Thu Dec 17 08:30:52.784091 2015] [core:notice] [pid 23947:tid 140703866935360] - AH00094: Command line: '/usr/sbin/httpd -d /opt/sevenval/fit14/ -f /opt/sevenval/fit14/conf/httpd.conf'
[Thu Dec 17 08:40:54.959482 2015] [mpm_worker:emerg] [pid 23949:tid 140703388559104] (43)Identifier removed: - AH00273: apr_proc_mutex_lock failed. Attempting to shutdown process gracefully.
[Thu Dec 17 08:40:55.669532 2015] [mpm_worker:emerg] [pid 25505:tid 140703388559104] (22)Invalid argument: - AH00272: apr_proc_mutex_lock failed before this child process served any requests.
[Thu Dec 17 08:40:55.991490 2015] [mpm_worker:emerg] [pid 23950:tid 140703388559104] (22)Invalid argument: - AH00273: apr_proc_mutex_unlock failed. Attempting to shutdown process gracefully.
[Thu Dec 17 08:40:57.672519 2015] [mpm_worker:emerg] [pid 25540:tid 140703388559104] (22)Invalid argument: - AH00272: apr_proc_mutex_lock failed before this child process served any requests.
[Thu Dec 17 08:40:59.676573 2015] [mpm_worker:emerg] [pid 25575:tid 140703388559104] (22)Invalid argument: - AH00272: apr_proc_mutex_lock failed before this child process served any requests.

The httpd version is the old version from RHEL (httpd-2.4.6-40.el7). The
backtrace is rather uninteresting:

(gdb) bt full
#0  accept_mutex_error (func=0x7f3fcac5d299 "unlock", rv=22, process_slot=0) at worker.c:659
        level = 0
#1  0x7f3fcac5b46a in listener_thread (thd=0x7f3fcdc405c8, dummy=) at worker.c:849
        ti =
        process_slot = 0
        tpool =
        csd = 0x7f3fc00444c0
        ptrans = 0x7f3fc0044438
        pollset = 0x7f3fc003fa30
        rv =
        lr = 0x7f3fcdbd5a98
        have_idle_worker = 1
        last_poll_idx = 1
#2  0x7f3fcc26cdc5 in start_thread (arg=0x7f3fb0fe1700) at pthread_create.c:308
        __res =
        pd = 0x7f3fb0fe1700
        now =
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139911529109248, 4832434510689815290, 0, 139911529109952, 139911529109248, 0, -4796579440261772550, -4796375556103124230}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
        not_first_call =
        pagesize_m1 =
        sp =
        freesize =
#3  0x7f3fcbd9621d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113
No locals.

Does anyone have any ideas what may cause these mutex errors?

thanks,

rainer
Re: [users@httpd] Logging an masqueraded header in Apache 2.4
2015-12-16 17:56 GMT+01:00 Christian Georg :
> Hi all,
>
> I am looking for a solution to masquerade/anonymize data I am writing to the
> access log on my proxy. For debugging purposes we need to trace data based
> on the x-auth header. As this header contains critical data I do not want to
> enable logging of the full header. Instead I am looking for a solution to
> only log the first X and the last y header. so instead of logging
>
> ycsfsfdawlkcfawncfewmlcsdfacs
>
> I would like to see something like this
>
> ycsfsfd###csdfacs
>
> or this.
>
> ycsfsfd..csdfacs
>
> I am using apache 2.4 on centos
> Any suggestion?

setenvif or a RewriteRule, possibly together with a RewriteCond should be
able to apply a regular expression to the value of a header and set a new
environment variable based on that.

rainer
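The SetEnvIf approach from the reply above, written out as an added example (not from the thread, not tested on a live server). It relies on SetEnvIf allowing `$1`..`$9` backreferences in the value it assigns; the sample value and the 7+7 character split are taken from the question. Keep in mind that logging a fixed prefix and suffix still discloses 14 characters of the secret to everyone who can read the log, so the masked log must be protected like the raw header would be, only less strictly.

```apache
# Added example, not from the thread.  Log only the first and last seven
# characters of X-Auth; "ycsfsfdawlkcfawncfewmlcsdfacs" becomes
# "ycsfsfd...csdfacs".
SetEnvIf X-Auth "^(.{7}).*(.{7})$" XAUTH_MASKED=$1...$2

# A value shorter than 14 characters would otherwise be logged in full via
# the first rule's fallthrough: replace it with a fixed marker instead.
SetEnvIf X-Auth "^.{0,13}$" XAUTH_MASKED=(short)

# %{XAUTH_MASKED}e prints "-" when the header (and therefore the variable)
# is absent; %{X-Auth}i must not appear in any active LogFormat.
LogFormat "%h %l %u %t \"%r\" %>s %b xauth=%{XAUTH_MASKED}e" masked
CustomLog logs/access_log masked
```

Verify with `curl -H 'X-Auth: ycsfsfdawlkcfawncfewmlcsdfacs' http://proxy/` and `grep xauth= logs/access_log`: the raw value must not appear anywhere in the log directory.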
Re: [users@httpd] debugging segmentation fault
2015-07-27 6:33 GMT+02:00 deva seetharam :
> hello
>
> we are running debian linux stable (Jessie) with apache 2.4.10 and mod_wsgi
> 4.3.0-1 on a x86_64 machine.
> our application is written in python 2.7 and django 1.8.
>
> the list of modules as reported by apachectl -M are:
> Loaded Modules:
[...]
> we were getting segmentation faults when rest api clients were making
> requests. the apache error log has the following messages:
>
> [Mon Jul 27 09:04:38.375433 2015] [core:notice] [pid 32693:tid
> 140315326191488] AH00052: child pid 32700 exit signal Segmentation fault
> (11)
> [Mon Jul 27 09:04:38.375556 2015] [core:notice] [pid 32693:tid
> 140315326191488] AH00052: child pid 32701 exit signal Segmentation fault
> (11)
>
> i have enabled core dumps by setting ulimit to unlimited and adding core
> dump config directive in the apache2.conf file.
>
> but the core dumps are not happening.

Does www-data have write permissions in the CoreDumpDirectory? Another
method to set the core dump directory in linux is

echo "/var/tmp/core-%e.%p" > /proc/sys/kernel/core_pattern

The ulimit is only valid for the shell (and subsequent child processes)
you're currently in, so you should restart apache from the same shell. You
can test if your configuration works by just sending a SIGSEGV yourself, just
kill -11 one of the apache processes.

rainer
Re: [users@httpd] Apache24 - how to optimize httpd.conf
>> Remove etags (Header unset Etag/FileETag None)
> Won't this disable conditional requests, ex. If-None-Match and friends? Is
> your recommendation because of the header overhead or am I missing something?

Just If-None-Match. If-Modified-Since would still work.

I believe people recommend disabling ETags because they may cause problems
with clusters (i.e. different inode numbers or modification times for
otherwise identical files), or gzip content encoding
(https://bz.apache.org/bugzilla/show_bug.cgi?id=45023).

rainer
Re: [users@httpd] Random latency in reentrant calls (Bug 57916)
2015-05-12 10:03 GMT+02:00 Luc Andre :
> Thanks for your reply.
>
> We did a test on a powerful server with
>
> StartServers 20
> MinSpareServers 5
> MaxSpareServers 20
>
> And we still have the issue...

To ensure that you don't hit the child spin up issue, you'll have to set
MinSpareServers to a value equal to or greater than the number of processes
you need for your test, I'd recommend 20 in this case, just to be sure.

Are you sure that you're using the prefork mpm, and therefore those settings
are actually relevant? If you don't have a good reason to use prefork, you
may get better performance with worker or event (but be sure to tune the
associated settings, such as ThreadsPerChild, appropriately).

Additionally, you don't specify how your PHP is configured. If you're using
PHP-FPM, you need to ensure that pm.start_servers and pm.min_spare_servers
are large enough as well.

rainer
Re: [users@httpd] Handling MS "Internet Shortcuts" and "Links"
2015-05-01 16:00 GMT+02:00 David A. Cobb :
[...]
> However, if I click the URL file in a "Directory List" served from Apache, I
> get the plain text file displayed. I can go to the target with one or two
> extra steps, but it's a PITA.

It's a text file, so that's the expected result, since there are no special
handlers for .url files in httpd.

> It seems what I should do is to parse the file in the server and send a
> "Permanently Moved To" redirection to the browser.

I don't think you can achieve this with the likes of mod_rewrite,
mod_setenvif etc. It should require a proper program, e.g. via CGI,
mod_perl, mod_php or the likes, plus probably a RewriteRule to start the
script whenever a .url file is requested. Or maybe mod_lua and a
LuaOutputFilter.

> Or, I suppose, I could simply do the redirection; but somehow that feels less
> safe.

Not sure what you're trying to say here.

> Now, if I can be allowed a second question in the same post, can I do the
> same thing with Microsoft ".lnk" shortcuts? It would be a simple script
> operation to transform the local FileSystem path to a "localhost:8080/"
> path.

That's actually not trivial in the general case, since it's not necessarily
obvious how file system paths map to URLs.

rainer
