Re: [users@httpd] Default of ErrorLogFormat

2024-03-03 Thread Rainer Jung

I hope the docs are correct:

https://httpd.apache.org/docs/2.4/en/mod/core.html#errorlogformat

look for "#Example (default format for threaded MPMs)".

Best regards,

Rainer

On 01.03.24 at 17:12, Vladimir Chlup wrote:

Hi,

In the referenced commit, there is a function `do_errorlog_default`
(in log.c:846) which should be used by default. Also, the if starting
at log.c:1174 might be helpful.

Regards,
Vladimir Chlup

On Fri, Mar 1, 2024 at 2:48 PM Marco Hald  wrote:


Hi,

How do I know what the Default of ErrorLogFormat is when it is not configured?
I found this commit 
https://github.com/apache/httpd/commit/70be0f7a073f54474461c22ba8ca943bf8e0373a 
where it was introduced but I'm not skilled enough to get the default from it.
I already tried apache2ctl -DDUMP_CONFIG to get it that way, but this only 
lists changed values like ErrorLog

Best regards,
Marco Hald
Cloud Engineer
USU GmbH
Charlottenburger Allee 60
52068 Aachen
marco.h...@usu.com
www.usu.com
USU GmbH, registered office: Möglingen, register court and commercial register number: 
Amtsgericht Stuttgart HRB 764549,
Managing directors: Bernhard Oberschmidt, Dr. Benjamin Strehl


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org



Re: [users@httpd] Issues with files accessed over NFS

2022-06-30 Thread Rainer Jung

On 30.06.2022 at 21:07, Chris Woelkers - NOAA Federal wrote:
Although I realize that this question is more about NFS than Apache it 
still concerns my web server so here goes. This is at work so a bit of 
history first, sorry for the novel length email in advance.


The set up I have was already in existence when I started my current 
position. The web server, running Apache on top of Debian 8, was 
directly connected to a storage server, also on Debian 8, via a 
dedicated 10Gbps network link. The storage was accessed via NFS mounts, 
different mounts for different areas in order to section them off within 
the website with aliases. Not all of the website  was stored on the 
server, just the ones that used the most disk space.
Of course this was three years ago and Debian 8 went EOL. Before that 
occurred it was my job to upgrade the servers to a later version of 
Debian. In order to keep the distribution upgrades as far apart as 
possible I went with Debian 11, upgrading on a path from 9 to 10 to 11. 
During the upgrade all services were checked out for basic functionality 
and no problems were seen.
Not long after the upgrade an interesting problem was apparent. Files 
accessed over NFS were not downloading properly. The download would 
start but then stop anywhere from 30% to 60%. These files were not large 
with the smallest ones being just over 1MB. Any file stored on the web 
server itself downloaded just fine, no matter the size. I checked just 
about everything on that connection from the cable, which was only 1 
foot in length so I got a longer one, to the NFS mount options. Changes 
were made but they did not seem to make a difference and all file 
transfer tests done within the OS itself worked fine with files up to 
100MB tested.
The only thing I did not check until recently was the NFS version. The 
mounts were automatically using NFSv4 which I considered, at this point 
in its development, to be stable. However when I switched to NFSv3 the 
problem went away. So after all that I seemed to have "solved" it by 
dropping back to an older version of NFS.


So the questions I have for the community are: Has anyone seen a similar 
issue and solved it? If so did you find another solution other than 
reverting to NFSv3?


Try disabling sendfile and mmap:

https://httpd.apache.org/docs/2.4/en/mod/core.html#enablesendfile

https://httpd.apache.org/docs/2.4/en/mod/core.html#enablemmap

If that helps, check out which of the two is the culprit.

Best regards,

Rainer




Re: [users@httpd] mod_ajp: adding "secret=xxx" parameter to config yields syntax error

2020-02-21 Thread Rainer Jung

On 13.02.2020 at 19:29, Mark H. Wood wrote:

HTTPD 2.4.41

I'm trying to set up authenticated proxying between HTTPD and Tomcat.
I have, for example:

   ProxyPass "/host-manager/" \
 "ajp://[::1]:8009/host-manager/" \
 secret="secret"

When I run configtest, the result is:
  * apache2 has detected an error in your setup:
AH00526: Syntax error on line 101 of 
/etc/apache2/vhosts.d/default_vhost.include:
ProxyPass unknown Worker parameter

Line 101 is the one with the 'secret' keyword.  If I un-fold the
directive to a single line, the same error is called against line 99
(the same ProxyPass directive).  The directive was previously working
before I added the 'secret' parameter.

What am I missing?


The feature was added in r1738878 (BZ53098) to httpd trunk and is not 
yet backported to 2.4.x.


Due to recent default config changes in Tomcat it would make sense to 
backport now.


Regards,

Rainer




Re: [users@httpd] Optimal way to trigger logging if certain URL is accessed

2019-10-27 Thread Rainer Jung

On 23.10.2019 at 18:33, Martin T wrote:

Hi,

I have the following Apache virtual host configuration where a custom
call_Google_MP_API script receives the IP address and HTTP User-Agent
string as standard input if https://www.example.com/doc.pdf is
downloaded:


 
 /* configuration removed for brevity */
 SetEnvIf Request_URI "^/doc\.pdf$" pdfdoc
 LogFormat "%h %{User-agent}i" ga
 CustomLog "|/usr/local/bin/call_Google_MP_API" ga env=pdfdoc
 


As my web server had setenvif_module and log_config_module already
loaded, then I used SetEnvIf directive to set the "pdfdoc" internal
variable when doc.pdf is downloaded, LogFormat directive to set the
nickname "ga" for specific log format and finally CustomLog directive
to pipe this custom log format to call_Google_MP_API script if
"pdfdoc" variable is set, i.e https://www.example.com/doc.pdf URL is
accessed.

While this seems to work fine, then is this the correct/optimal way to
accomplish this?

I'm using Apache version 2.4.38 on Debian 10.


You could also use mod_log_debug:

https://httpd.apache.org/docs/2.4/en/mod/mod_log_debug.html

Despite its name it is very useful not only for debugging but adding 
general custom log messages. The output goes to the ErrorLog though 
(which can be a pipe). The log messages generated can include references 
to request details, like e.g. %{REMOTE_ADDR} and %{HTTP_USER_AGENT}:


https://httpd.apache.org/docs/2.4/en/expr.html

and can be generated inside Location blocks.

Furthermore one can control, at what point in time during request 
processing the message is generated.


Since it goes to the error log, you would need to send it to a piped 
process separating these log lines from the remaining error log lines, 
because I guess you want to only send the new log lines to your script 
and the remaining ones still to rotatelogs or similar.


Regards,

Rainer
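The piped process described in the reply above, as an added example that is not part of the original thread: it routes mod_log_debug lines to the handler script and passes every other error-log line on. The marker GA_PDF, the ip=/ua= message layout, the rotatelogs path and arguments, and the sample lines are assumptions made for this example; the line layout assumed is the default ErrorLogFormat.

```python
#!/usr/bin/env python3
"""Piped ErrorLog splitter (added example, not from the thread).

Assumed httpd configuration; marker and script path are hypothetical:

    <Location "/doc.pdf">
        LogMessage "GA_PDF ip=%{REMOTE_ADDR} ua=%{HTTP_USER_AGENT}"
    </Location>
    ErrorLog "|/usr/local/bin/split_errorlog.py"
"""
import re
import subprocess
import sys

MARKER = "GA_PDF"  # hypothetical token chosen in the LogMessage text
HANDLER_CMD = ["/usr/local/bin/call_Google_MP_API"]  # script named in the question
REST_CMD = ["/usr/bin/rotatelogs",                   # assumed path and arguments
            "/var/log/apache2/error.%Y-%m-%d.log", "86400"]

# Constructed sample lines in the default ErrorLogFormat layout.
SAMPLE_LINES = [
    "[Wed Oct 23 18:33:01.000001 2019] [log_debug:info] [pid 1234:tid 5678] "
    "[client 203.0.113.5:51234] GA_PDF ip=203.0.113.5 ua=Mozilla/5.0 (X11; Linux x86_64)\n",
    "[Wed Oct 23 18:33:02.000002 2019] [mpm_event:notice] [pid 1234:tid 1] "
    "resuming normal operations\n",
    "[Wed Oct 23 18:33:03.000003 2019] [core:error] [pid 1234:tid 5679] "
    "[client 198.51.100.7:40000] request failed, referer: GA_PDF ip=192.0.2.1 ua=x\n",
    "[Wed Oct 23 18:33:04.000004 2019] [log_debug:info] [pid 1234:tid 5680] "
    "[client 203.0.113.9:40100] GA_PDF ip=203.0.113.9 ua=curl GA_PDF ip=10.0.0.1 ua=spoofed\n",
]


def make_classifier(marker=MARKER):
    """Build a function returning (ip, user_agent) for marker lines, else None."""
    # Request headers are client-controlled text and also show up in other
    # error-log lines (for example after "referer:"), so the match is tied to
    # the [module:level] field httpd writes itself, and the lazy ".*?" takes
    # the first marker, which is the one produced by the LogMessage directive.
    pattern = re.compile(
        r"^\[[^\]]*\] \[log_debug:[^\]]*\] .*?(?<!\S)"
        + re.escape(marker)
        + r" ip=(?P<ip>\S+) ua=(?P<ua>.*)$"
    )

    def classify(line):
        m = pattern.match(line.rstrip("\r\n"))
        return (m.group("ip"), m.group("ua")) if m else None

    return classify


def split_stream(lines, classify):
    """Yield ('matched', (ip, ua)) or ('rest', original_line) for each line."""
    for line in lines:
        hit = classify(line)
        yield ("matched", hit) if hit else ("rest", line)


def demo():
    """Classify the constructed sample lines."""
    return list(split_stream(SAMPLE_LINES, make_classifier()))


def main():
    """Read the error log from stdin and feed the two child processes."""
    handler = subprocess.Popen(HANDLER_CMD, stdin=subprocess.PIPE, text=True)
    rest = subprocess.Popen(REST_CMD, stdin=subprocess.PIPE, text=True)
    try:
        for kind, payload in split_stream(sys.stdin, make_classifier()):
            if kind == "matched":
                # Same "address user-agent" layout the question's LogFormat used.
                handler.stdin.write("%s %s\n" % payload)
                handler.stdin.flush()
            else:
                rest.stdin.write(payload)
                rest.stdin.flush()
    finally:
        for child in (handler, rest):
            child.stdin.close()
            child.wait()


if __name__ == "__main__":
    main()
```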




Re: [users@httpd] httpd 2.4.39 mod_reqtimeout causes large uploads to fail

2019-08-02 Thread Rainer Jung

Very likely a duplicate of

https://bz.apache.org/bugzilla/show_bug.cgi?id=63325

(regression in 2.4.39) with the fix

https://svn.apache.org/viewvc?view=revision&revision=1859376

which will be part of the next version 2.4.40.

You can try that patch if you like. 2.4.40 is not far away, maybe next week.

It is not yet in the published Changelog, because that is for 2.4.39 and 
this change will be in 2.4.40. The new item will be:


  *) mod_reqtimeout: Fix default rates missing (not applied) in 2.4.39.
 PR 63325. [Yann Ylavic]

Regards,

Rainer

On 01.08.2019 at 02:39, Charles Parker wrote:
A recent change to mod_reqtimeout (2.4.39) is causing large uploads to 
sporadically fail on my production server with a client error:


|ajp_read_into_msg_buff::jk_ajp_common.c (1553): (main_ajp13_worker) 
receiving data from client failed. Connection aborted or network problems|


This is happening partway through chunked PUT requests to mod_jk.

 From the changelog:


  *) mod_reqtimeout: Allow to configure (TLS-)handshake timeouts.

 PR 61310. [Yann Ylavic]



My short-term workarounds for this problem are:

a. Downgrade to httpd-2.4.38 (not recommended, see changelog for 7 CVEs)

b. Comment out the LoadModule line for mod_reqtimeout

For details, please see:

https://serverfault.com/q/972680/293818

Questions:

1. Was there any accompanying documentation for this change?

2. What configuration options are available to adjust this timeout?

3. Why does this result in a client error instead of a timeout error?

4. Has anyone else experienced this problem?





Re: [users@httpd] issue with mod_reqtimeout in Httpd server 2.4.39

2019-04-18 Thread Rainer Jung

Most likely it is this:

https://bz.apache.org/bugzilla/show_bug.cgi?id=63329

Fixed by:

https://svn.apache.org/viewvc?view=revision&revision=1857129

If you build the web server yourself, the patch to apply is:

https://svn.apache.org/viewvc/httpd/httpd/trunk/modules/filters/mod_reqtimeout.c?r1=1857129&r2=1857128&pathrev=1857129

Let us know if it works for you.

Regards,

Rainer

On 18.04.2019 at 09:09, Rathore, Rajendra wrote:

Hi Team,

We are facing a timeout issue while uploading a long file. When I enabled 
the debug log I found these traces:


[reqtimeout:info] [pid 25680:tid 140121479206656] [client 
192.168.33.1:61857] AH01382: Request body read timeout


While looking into release notes of 2.4.39 there are some changes in 
mod_reqtimeout area, we never face that issue in 2.4.38, so please guide 
me how should I proceed to fix the issue. Please let me know if more 
details are required.


Thanks and Regards,

Rajendra Rathore

9922701491





Re: [users@httpd] apache 2.4.39 rpm package generation error

2019-04-10 Thread Rainer Jung

Yes, exactly.

On 10.04.2019 at 11:58, Dmitry Stoyanov wrote:

Thank you,
But it is still not fixed in release sources which can be downloaded here:
http://httpd.apache.org/download.cgi#apache24
within Source: httpd-2.4.39.tar.bz2

Am I right, that in such case it will be fixed only in next release?

Best Regards,
Dmitry Stoyanov

-Original Message-
From: Rainer Jung 
Sent: Wednesday, April 10, 2019 12:51 PM
To: users@httpd.apache.org; Dmitry Stoyanov 
Subject: Re: [users@httpd] apache 2.4.39 rpm package generation error

That was fixed shortly after the release by:



Author: ylavic
Date: Wed Apr  3 10:01:47 2019
New Revision: 1856868

URL: http://svn.apache.org/viewvc?rev=1856868&view=rev
Log:
Merge r1825375 from trunk:

rpm: Add mod_socache_redis to the build.

Submitted by: minfrin

Modified:
  httpd/httpd/branches/2.4.x/   (props changed)
  httpd/httpd/branches/2.4.x/build/rpm/httpd.spec.in

Propchange: httpd/httpd/branches/2.4.x/
--
--- svn:mergeinfo (original)
+++ svn:mergeinfo Wed Apr  3 10:01:47 2019
...

Modified: httpd/httpd/branches/2.4.x/build/rpm/httpd.spec.in
URL:
http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/build/rpm/httpd.spec.in?rev=1856868&r1=1856867&r2=1856868&view=diff
==
--- httpd/httpd/branches/2.4.x/build/rpm/httpd.spec.in (original)
+++ httpd/httpd/branches/2.4.x/build/rpm/httpd.spec.in Wed Apr  3
10:01:47 2019
@@ -392,6 +392,7 @@ rm -rf $RPM_BUILD_ROOT
   %{_libdir}/httpd/modules/mod_slotmem_shm.so
   %{_libdir}/httpd/modules/mod_socache_dbm.so
   %{_libdir}/httpd/modules/mod_socache_memcache.so
+%{_libdir}/httpd/modules/mod_socache_redis.so
   %{_libdir}/httpd/modules/mod_socache_shmcb.so
   %{_libdir}/httpd/modules/mod_speling.so
   %{_libdir}/httpd/modules/mod_status.so


Regards,

Rainer

On 10.04.2019 at 10:38, Dmitry Stoyanov wrote:

Hello,

Looks like I found the bug in httpd 2.4.39 release, during generation
of rpm package using

rpmbuild -tb SOURCES/apr-1.6.5.tar.bz2

Checking for unpackaged file(s): /usr/lib/rpm/check-files
/root/rpmbuild/BUILDROOT/httpd-2.4.39-1.x86_64

error: Installed (but unpackaged) file(s) found:

     /usr/lib64/httpd/modules/mod_socache_redis.so

To fix it need to add mod_socache_redis.so  in httpd.spec file:

…

%{_libdir}/httpd/modules/mod_socache_memcache.so

%{_libdir}/httpd/modules/mod_socache_redis.so

%{_libdir}/httpd/modules/mod_socache_shmcb.so

…

*Dmitry Stoyanov*





Re: [users@httpd] apache 2.4.39 rpm package generation error

2019-04-10 Thread Rainer Jung

That was fixed shortly after the release by:



Author: ylavic
Date: Wed Apr  3 10:01:47 2019
New Revision: 1856868

URL: http://svn.apache.org/viewvc?rev=1856868&view=rev
Log:
Merge r1825375 from trunk:

rpm: Add mod_socache_redis to the build.

Submitted by: minfrin

Modified:
httpd/httpd/branches/2.4.x/   (props changed)
httpd/httpd/branches/2.4.x/build/rpm/httpd.spec.in

Propchange: httpd/httpd/branches/2.4.x/
--
--- svn:mergeinfo (original)
+++ svn:mergeinfo Wed Apr  3 10:01:47 2019
...

Modified: httpd/httpd/branches/2.4.x/build/rpm/httpd.spec.in
URL: 
http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/build/rpm/httpd.spec.in?rev=1856868&r1=1856867&r2=1856868&view=diff

==
--- httpd/httpd/branches/2.4.x/build/rpm/httpd.spec.in (original)
+++ httpd/httpd/branches/2.4.x/build/rpm/httpd.spec.in Wed Apr  3 
10:01:47 2019

@@ -392,6 +392,7 @@ rm -rf $RPM_BUILD_ROOT
 %{_libdir}/httpd/modules/mod_slotmem_shm.so
 %{_libdir}/httpd/modules/mod_socache_dbm.so
 %{_libdir}/httpd/modules/mod_socache_memcache.so
+%{_libdir}/httpd/modules/mod_socache_redis.so
 %{_libdir}/httpd/modules/mod_socache_shmcb.so
 %{_libdir}/httpd/modules/mod_speling.so
 %{_libdir}/httpd/modules/mod_status.so
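
Review bot: the added %{_libdir}/httpd/modules/mod_socache_redis.so entry is listed unconditionally, so the package now requires that module to come out of every build. Where a build does not produce mod_socache_redis.so, rpmbuild will stop on a listed file that is missing rather than on an unpackaged one; if the module is meant to be optional, guard the entry with a spec conditional, otherwise state the build dependency in the spec so the requirement is visible. The entry keeps the alphabetical order of the list, between mod_socache_memcache.so and mod_socache_shmcb.so.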


Regards,

Rainer

On 10.04.2019 at 10:38, Dmitry Stoyanov wrote:

Hello,

Looks like I found the bug in httpd 2.4.39 release, during generation of 
rpm package using


rpmbuild -tb SOURCES/apr-1.6.5.tar.bz2

Checking for unpackaged file(s): /usr/lib/rpm/check-files 
/root/rpmbuild/BUILDROOT/httpd-2.4.39-1.x86_64


error: Installed (but unpackaged) file(s) found:

    /usr/lib64/httpd/modules/mod_socache_redis.so

To fix it need to add mod_socache_redis.so  in httpd.spec file:

…

%{_libdir}/httpd/modules/mod_socache_memcache.so

%{_libdir}/httpd/modules/mod_socache_redis.so

%{_libdir}/httpd/modules/mod_socache_shmcb.so

…

*Dmitry Stoyanov*





Re: [users@httpd] Question about configure not answered in documentation

2019-04-06 Thread Rainer Jung

Hi Jeff,

On 06.04.2019 at 00:19, Jeff Cauhape wrote:

Well,

That almost worked.

I edited the config.layout file and copied  to .
In  I made the following changes only:


 prefix:          /usr/local/apache2
 exec_prefix:     ${prefix}
 bindir:          ${exec_prefix}/bin
 sbindir:         ${exec_prefix}/bin
 libdir:          ${exec_prefix}/lib
 libexecdir:      ${exec_prefix}/modules
 mandir:          ${prefix}/man
 sysconfdir:      ${prefix}/conf
 datadir:         ${prefix}
 installbuilddir: ${datadir}/build
 errordir:        ${datadir}/error
 iconsdir:        ${datadir}/icons
 htdocsdir:       /var/www/html      <- Changed
 manualdir:       ${datadir}/manual
 cgidir:          /var/www/cgi-bin   <- Changed
 includedir:      ${prefix}/include
 localstatedir:   ${prefix}
 runtimedir:      ${localstatedir}/logs
 logfiledir:      ${localstatedir}/logs
 proxycachedir:   ${localstatedir}/proxy


I then ran config like this from a shell script:
#!/bin/bash

./configure --with-pcre=/usr/local/bin/pcre-config \
 --enable-layout=DETR \
 --prefix=/apps/apache_2.4.39 \
 --enable-proxy-html   \
 --enable-socache-shmcb \
 --enable-ssl

What happened is that the /var/www/html and /var/www/cgi-bin directories
got created, but in the httpd.conf file had this for the DocumentRoot and 
script locations:

DocumentRoot "/apps/apache_2.4.39/htdocs"

...

and

 ScriptAlias  /cgi-bin/   "/apps/apache_2.4.39/cgi-bin/"


It looks like there is someplace where directives in config.layout are being 
ignored. Ideas?

n.b. After I reran the config command, I ran a 'make clean' prior to the 'make' 
to build a
new server.


Thanks for giving it a try, I think you are already pretty close.

To check, whether the layout was successfully picked up you can do a

% grep cgidir config.log
% grep htdocsdir config.log

The file config.log is written during configure and should contain 
cgidir, exp_cgidir, rel_cgidir, htdocsdir, exp_htdocsdir and rel_htdocsdir.


The values shown by grep should match those given in the layout.

Since you wrote, that the new directories were created, I expect the 
grep commands to show the correct values, but it is a good first step 
for double-checking.


Next: the source config file docs/conf/httpd.conf.in contains the right 
placeholders, e.g.


DocumentRoot "@exp_htdocsdir@"

ScriptAlias /cgi-bin/ "@exp_cgidir@/"
# "@exp_cgidir@" should be changed to whatever your ScriptAliased


etc. so it must do replacements and you should get your configured values.

But: I vaguely remember, that "make install" will not overwrite config 
files previously installed to the same installation directory to prevent 
losing older customization during updates (and "make clean" will not 
remove them). Could that be your problem? Is the file timestamp of 
conf/httpd.conf in the installation directory later than your layout 
changes or older? Does it work if you remove the whole old installation 
directory and run a new "make install"?


Regards,

Rainer




Re: [users@httpd] Question about configure not answered in documentation

2019-04-05 Thread Rainer Jung

Hi Jeff,

On 05.04.2019 at 20:55, Jeff Cauhape wrote:

I am guessing the answer to my question is probably “no”, but I’m hoping

someone here has a silver bullet.

We are finally getting our act together and updating our Apache server 
instances.


Our chosen way to do this is as follows:

The /apps directory holds application software distributions, such as

/apps/apache_2.4.25

/apps/apache_2.4.37

/apps/apache_2.4.39

/apps/apache   (this is a symbolic link to the current distribution)

We keep the DocumentRoot directory outside of the distribution tree because

when we want to update the server, we don’t want to have to copy the HTML

and cgi files.

Q: Is there some way to pass a parameter to configure to point to a 
directory


outside of the distribution tree?

For example, if I want our htdocs to go into /etc/html  by default?

I know, we can just go in and edit httpd.conf to do this, but it would 
be handy


to have it point to the right place as part of the build. I have checked

https://httpd.apache.org/docs/2.4/programs/configure.html

and I don’t see anything that indicates that.

Ideas?


In the source distribution there's a file config.layout. Each layout 
defined in the file has a name and consists of a list of paths to use.


You can add your own layout to that file, e.g. a layout named JEFF, and 
then add the configure flag "--enable-layout=JEFF" when running configure.


See:

https://httpd.apache.org/docs/2.4/programs/configure.html

I'm not sure whether that suffices to put the manual into a custom 
directory but you should get close.


Regards,

Rainer




Re: [users@httpd] Rotate Logs | Number of Files | File Size

2019-02-28 Thread Rainer Jung



On 26.02.2019 at 09:53, Khandelwal, Ankit wrote:

Hello All,

I have configured rotatelogs inside httpd.conf at location:

#

# ErrorLog: The location of the error log file.

# If you do not specify an ErrorLog directive within a 

# container, error messages relating to that virtual host will be

# logged here.  If you *do* define an error logfile for a 

# container, that host's errors will be logged there and not here.

#

ErrorLog "logs/error.log"

ErrorLog "| D:/Apache24/bin/rotatelogs.exe -l 
D:/Apache24/logs/error_apache_%Y-%m-%d-%H_%M_%S.log 10KB"


The above command helps to split log file by 10 KB. However, I wish to 
use number of files using -n as mentioned :


https://httpd.apache.org/docs/current/programs/rotatelogs.html

Can anyone help me with exact syntax to use number of files in addition 
to file size of 10 KB.


According to the docs you linked to it would be

ErrorLog "| D:/Apache24/bin/rotatelogs.exe -l -n 20 
D:/Apache24/logs/error_apache_%Y-%m-%d-%H_%M_%S.log 10KB"


The number "20" is just an example. Note that 10KB is pretty small for 
rotation, but of course a small size is helpful for quick rotation 
during low traffic test.


Regards,

Rainer





Re: [users@httpd] JWT Authentication behind an apache2 proxy

2019-02-02 Thread Rainer Jung

On 02.02.2019 at 11:39, Xavier Gignac wrote:

Hello,

I am using a Java application with JWT authentication through a 
Authorization header with Bearer  syntax.


I want to know how to configure Apache2 to transmit the Authorization 
header to the Java application while proxying the request.


Authorization is not a hop-by-hop header, so the proxy forwards it by 
default. As long as your web server config does not explicitly consume 
the header it will be automatically sent to the backend.


Regards,

Rainer





Re: [users@httpd] Re: How to manage mod_jk status manager using command line

2019-02-02 Thread Rainer Jung

Hi Mahendiran,

you should post this question to the Tomcat users list. The module 
mod_jk is provided by the Tomcat project, not by the Apache web server 
project.


For a first idea, look at

http://tomcat.apache.org/connectors-doc/reference/status.html

and once you have the right view in the browser, copy and paste the URL 
and use it in your commandline client.


Regards,

Rainer

On 02.02.2019 at 08:21, Mahendiran Vel wrote:

Hi Team,

Please guide me to check Apache Jkstatus manager using command line.

On Wed, Jan 2, 2019 at 11:23 AM Mahendiran Vel wrote:


Hi All,

I have a requirement to enable/disable the worker nodes in Apache
jkstatus manger using command line.  Please someone help me to
achieve the same.

Thanks.



--
Regards,
Mahendiran





Re: [users@httpd] How to manage mod_jk status manager using command line

2019-01-02 Thread Rainer Jung

Hi Mahendiran,

On 02.01.2019 at 06:53, Mahendiran Vel wrote:

Hi All,

I have a requirement to enable/disable the worker nodes in Apache 
jkstatus manger using command line.  Please someone help me to achieve 
the same.


mod_jk is developed as part of the Tomcat project. You might get more 
responses by posting to the Tomcat users list (see 
http://tomcat.apache.org/lists.html).


Status worker documentation can be found at 
http://tomcat.apache.org/connectors-doc/reference/status.html


Regards,

Rainer





Re: [users@httpd] Which PCRE to use to build Apache 2.4.37?

2018-10-25 Thread Rainer Jung

On 25.10.2018 at 23:51, Chris Punches wrote:
It's pcre/pcre-devel.  the following paste shows how I found it: 
http://paste.silogroup.org/ehowecakoq




On Thu, Oct 25, 2018 at 5:38 PM Jeff Cauhape wrote:


Folks,


I am building Apache 2.4.37 and it’s been awhile since I built
Apache, and in reading my instructions

it’s not clear whether I need pcre-8.42 or pcre2-10.32 or both. Can
someone throw me a bone and

explain this piece of it, or post a link that does?


Apache web server 2.4.x still uses pcre before 10.x, so latest 8.x 
(currently 8.42) would be fine.


Regards,

Rainer





Re: [users@httpd] Reverse proxy not sending certificate

2018-10-18 Thread Rainer Jung

On 18.10.2018 at 17:32, Schettler, Marty L. wrote:
Good advice. Thanks! However, I just retested with 2.4.35 and I get the 
exact same results as with 2.4.34. Any other ideas? I’d welcome a 
workaround too.


Could well be

http://svn.apache.org/viewvc?rev=1844226&view=rev

which is still missing in 2.4.35. It will be part of the forthcoming 
2.4.37, but you can also easily apply the small change to your 2.4.35 
sources if you build yourself. You only need to add the two lines marked 
with a leading "+" sign here:


http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_config.c?r1=1844226&r2=1844225&pathrev=1844226

Regards,

Rainer


*From:*William A Rowe Jr [mailto:wr...@rowe-clan.net]
*Sent:* Friday, October 12, 2018 6:26 PM
*To:* users@httpd.apache.org
*Subject:* Re: [users@httpd] Reverse proxy not sending certificate

A number of regressions are fixed in 2.4.35, please retest against that 
version.


On Fri, Oct 12, 2018, 15:27 Schettler, Marty L. <martin.l.schett...@leidos.com> wrote:


My reverse proxy config doesn’t work with SSL any more as I try to
upgrade from 2.4.29 to 2.4.34.

My config:

SSLProxyEngine On

SSLProxyMachineCertificateFile /path/to/server_crt_and_key.crt

SSLProxyCACertificatePath /etc/cacerts



   ProxyPass https://host01:9443/p

   ProxyPassReverse https://host01:9443/p

   SSLVerifyClient require



Again, this works just fine with 2.4.29. However, in 2.4.34 I get a
502 in my browser “Error reading from remote server” and my httpd
log file has a warning “AH02268: Proxy client callback: (host01:443)
downstream server wanted client certificate but none are
configured.” Is this possibly related to PR 62232? If so, I thought
it would have been fixed in 2.4.32.

Any help is greatly appreciated!!

Marty





Re: [users@httpd] Apache crashes with: AH03104: apr_thread_create

2018-09-22 Thread Rainer Jung

On 22.09.2018 at 22:17, Jerry Martinez wrote:

Hello!

Apache has been randomly crashing (for a few months now) and I cannot seem
to understand why. I cannot replicate the crash even when hitting the server
with 4,000 requests @ a concurrency of 500. This is a production server and
I am willing to compensate someone for their efforts resolving this. Below
is a sample of one, of the many, error messages:

[Fri Sep 21 11:27:24 2018] [mpm_event:alert] (11)Resource temporarily
unavailable: AH03104: apr_thread_create: unable to create worker thread


apr_pthread_create() on Linux/Unix is mostly pthread_create(). The man 
page for that on SLES 12 tells us:


=== SNIP ===

   EAGAIN Insufficient resources to create another thread.

   EAGAIN A system-imposed limit on the number of threads was encountered.
          There are a number of limits that may trigger this error: the
          RLIMIT_NPROC soft resource limit (set via setrlimit(2)), which
          limits the number of processes and threads for a real user ID,
          was reached; the kernel's system-wide limit on the number of
          processes threads, /proc/sys/kernel/threads-max, was reached
          (see proc(5)); or the maximum number of PIDs,
          /proc/sys/kernel/pid_max, was reached (see proc(5)).

   EAGAIN The system lacked the necessary resources to create another
          thread, or the system-imposed limit on the total number of
          threads in a process {PTHREAD_THREADS_MAX} would be exceeded.

=== SNIP ===

Since your system seems to have lots of free memory, I don't expect a 
memory shortage unless there's a memory leak and the memory numbers you 
showed below would be very different when the crash actually happens. 
Each thread needs a thread stack in memory.


What could happen is that the limit of threads your user can create (sum 
over all of his processes) hits the nproc limit. Note that although it 
is called nproc = number of processes, what it limits on Linux is 
actually the (much bigger) number of threads per user.


Other limits could be total number of threads or processes and number of 
file descriptors per process.


What is a bit strange though: typically Apache httpd does not start 
single threads. When it needs more concurrency it starts new processes, 
each process having ThreadsPerChild worker threads. So it seems that due 
to increased load - or more likely if it is a reverse proxy due to a 
temporary slowness of the backend - your web server needs to start new 
processes. The maximum number is in your MPM config.


So even if you find the reason for not being able to create more threads 
and you can get rid of that, the next thing might be that your httpd 
will end up with all worker threads busy and you need to find out, why 
the load is so high or more likely some backend gets slow.


BTW: if you want to get a better idea, what processes and threads get 
used, you can add %P (process id) and %{tid}P (thread id) to your access 
log format. And retrieving the number of busy and idle workers from 
server_status regularly can tell you, when exactly the increase in 
threads starts and how quickly it goes up.


Regards,

Rainer



Below is more information that might be useful:


cat /etc/SuSE-release

SUSE Linux Enterprise Server 12 (x86_64)
VERSION = 12
PATCHLEVEL = 2
# This file is deprecated and will be removed in a future service pack or
release.
# Please check /etc/os-release for details about this release.
  

cat /etc/os-release

NAME="SLES"
VERSION="12-SP2"
VERSION_ID="12.2"
PRETTY_NAME="SUSE Linux Enterprise Server 12 SP2"
ID="sles"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:12:sp2"
  

lscpu

Architecture:  x86_64
CPU op-mode(s):32-bit, 64-bit
Byte Order:Little Endian
CPU(s):12
On-line CPU(s) list:   0-11
Thread(s) per core:2
Core(s) per socket:6
Socket(s): 1
NUMA node(s):  1
Vendor ID: GenuineIntel
CPU family:6
Model: 63
Model name:Intel(R) Xeon(R) CPU E5-2620 v3 @ 2.40GHz
Stepping:  2
CPU MHz:   1200.199
CPU max MHz:   3200.
CPU min MHz:   1200.
BogoMIPS:  4794.82
Virtualization:VT-x
L1d cache: 32K
L1i cache: 32K
L2 cache:  256K
L3 cache:  15360K
NUMA node0 CPU(s): 0-11
Flags: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge
mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall
nx pdpe1gb rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl
xtopology nonstop_tsc aperfmperf eagerfpu pni pclmulqdq dtes64 monitor
ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid dca sse4_1 sse4_2
x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm
ida arat epb pln pts dtherm tpr_shadow vnmi flexpriority ept vpid fsgsbase
tsc_adjust bmi1 avx2 smep bmi2 erms invpcid cqm xsaveopt
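
A headroom check for the three limits named in the pthread_create man page excerpt in the reply above (RLIMIT_NPROC, threads-max, pid_max), as an added example that is not part of the original thread. The command-line arguments and the worst-case estimate of ServerLimit x ThreadsPerChild worker threads are assumptions of this example; per-process helper threads are not counted, so the estimate is a lower bound.

```python
#!/usr/bin/env python3
"""Thread-limit headroom for a running httpd (added example).

Usage: limits_check.py <pid of an httpd child> <ServerLimit> <ThreadsPerChild>
The limits are read from that process, not from the shell running the script.
"""
import os
import sys

NPROC = "RLIMIT_NPROC (soft)"
THREADS_MAX = "kernel.threads-max"
PID_MAX = "kernel.pid_max"


def parse_status(text):
    """Return (real_uid, thread_count) from the text of /proc/<pid>/status."""
    uid = threads = None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key == "Uid":
            uid = int(value.split()[0])  # first column is the real UID
        elif key == "Threads":
            threads = int(value.split()[0])
    return uid, threads


def parse_nproc_soft(limits_text):
    """Return the soft 'Max processes' value of /proc/<pid>/limits (None = unlimited)."""
    for line in limits_text.splitlines():
        if line.startswith("Max processes"):
            soft = line[len("Max processes"):].split()[0]
            return None if soft == "unlimited" else int(soft)
    raise ValueError("no 'Max processes' line found")


def threads_by_uid(proc="/proc"):
    """Sum the thread counts of all processes, grouped by real UID."""
    totals = {}
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc, entry, "status")) as fh:
                uid, count = parse_status(fh.read())
        except OSError:
            continue  # process exited while we were scanning
        if uid is not None and count is not None:
            totals[uid] = totals.get(uid, 0) + count
    return totals


def read_int(path):
    with open(path) as fh:
        return int(fh.read().split()[0])


def assess(limits, in_use, wanted):
    """Return rows (name, limit, used, room_after), tightest limit first.

    room_after is what would be left once `wanted` more threads exist;
    a negative value means thread creation can fail with EAGAIN.
    """
    rows = [
        (name, limit, in_use[name], limit - in_use[name] - wanted)
        for name, limit in limits.items()
        if limit is not None  # unlimited: nothing to run into
    ]
    return sorted(rows, key=lambda row: row[3])


def main(argv):
    pid, server_limit, threads_per_child = argv[1], int(argv[2]), int(argv[3])
    with open(f"/proc/{pid}/status") as fh:
        uid, _ = parse_status(fh.read())
    with open(f"/proc/{pid}/limits") as fh:
        nproc = parse_nproc_soft(fh.read())
    per_uid = threads_by_uid()
    total = sum(per_uid.values())
    mine = per_uid.get(uid, 0)
    limits = {
        NPROC: nproc,
        THREADS_MAX: read_int("/proc/sys/kernel/threads-max"),
        PID_MAX: read_int("/proc/sys/kernel/pid_max"),
    }
    in_use = {NPROC: mine, THREADS_MAX: total, PID_MAX: total}
    # Worker threads still to be created if every configured slot is used.
    wanted = max(0, server_limit * threads_per_child - mine)
    for name, limit, used, room in assess(limits, in_use, wanted):
        flag = "EAGAIN possible" if room < 0 else "ok"
        print(f"{name:22} limit={limit:<9} used={used:<8} room={room:<9} {flag}")


if __name__ == "__main__":
    main(sys.argv)
```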

Re: [users@httpd] facing issue with building apache for latest version 2.4.33

2018-04-09 Thread Rainer Jung

On 09.04.2018 at 08:28, Rathore, Rajendra wrote:

Hi Rainer,

Thanks for your quick response. The fix below works fine on the Windows machine. I have 
one question: will the fix come out of the box in the next release, or do we need to 
add that property again? Please confirm.

Thanks and Regards,
Rajendra Rathore
9922701491


I have added the detailed info to your ticket 
https://bz.apache.org/bugzilla/show_bug.cgi?id=62266, but in short 
"yes", all releases of 2.4.x or higher starting with the next one will 
include this fix.


For all lurkers here: the change only fixes cmake builds of mod_ssl. We 
are still lacking a cmake build of the new mod_md.


Thanks for testing and giving feedback.

Regards,

Rainer





Re: [users@httpd] facing issue with building apache for latest version 2.4.33

2018-04-06 Thread Rainer Jung

Hello,

Am 06.04.2018 um 08:41 schrieb Rathore, Rajendra:

Hi Team,

I am facing an issue while building Apache on a Windows machine from the 
Apache source code, and got the error below:

[ 92%] Building C object CMakeFiles/mod_ssl.dir/modules/ssl/ssl_engine_init.c.obj

ssl_engine_init.c

C:\apacheBuild\apache2.4\build\httpd-2.4.33\modules\ssl\ssl_engine_init.c(33) : fatal error C1083: Cannot open include file: 'mod_md.h': No such file or directory

NMAKE : fatal error U1077: 'c:\PROGRA~2\MICROS~2.0\VC\bin\amd64\cl.exe' : return code '0x2'

Stop.

I did some investigation and found that with the new version of Apache we 
added a new module called *mod_md*, which is on an experimental basis. I don’t 
know why an experimental module was added as a dependency; it causes a 
build failure.


Can you please help me out to fix above issue?


For people who are not aware: the OP opened the issue 
https://bz.apache.org/bugzilla/show_bug.cgi?id=62266 and I commented 
there that this seems to be a cmake-specific problem and proposed to 
test the following fix:


Index: CMakeLists.txt
===
--- CMakeLists.txt  (revision 1828523)
+++ CMakeLists.txt  (working copy)
@@ -649,6 +649,7 @@
   ${CMAKE_CURRENT_SOURCE_DIR}/modules/dav/main
   ${CMAKE_CURRENT_SOURCE_DIR}/modules/filters
   ${CMAKE_CURRENT_SOURCE_DIR}/modules/generators
+  ${CMAKE_CURRENT_SOURCE_DIR}/modules/md
   ${CMAKE_CURRENT_SOURCE_DIR}/modules/proxy
   ${CMAKE_CURRENT_SOURCE_DIR}/modules/session
   ${CMAKE_CURRENT_SOURCE_DIR}/modules/ssl
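Review bot: the added ${CMAKE_CURRENT_SOURCE_DIR}/modules/md entry puts the mod_md headers on the include path although the CMake files do not build mod_md itself, so the line looks unused to anyone reading the list later. A short comment next to it saying that it exists only so modules/ssl/ssl_engine_init.c can find mod_md.h would keep it from being dropped in a cleanup and would mark it for review once mod_md gets its own CMake build.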

This should fix building mod_ssl, i.e. the OP's original question.

To build mod_md itself is not yet supported by our cmake files.

Regards,

Rainer





Re: [users@httpd] How to print request headers before and after processing

2018-03-22 Thread Rainer Jung

Am 22.03.2018 um 18:56 schrieb Martin Knoblauch:

Hi Rainer,

  unfortunately mod_log_debug seems to work only on directory scope, not 
on virtual host. 


But note, that  is directory scope, for instance


   ...


And I considered the mod_rewrite thingy, but feared it 
to be too expensive.

  In the meantime I found "mod_log_forensic". Ugly, I do not know the 
cost, but it works for my purpose.


I think mod_rewrite is not that expensive.

When a RewriteCond and a RewriteRule are combined, it will first check 
the left side of the RewriteRule against your URL. If it doesn't match, 
the RewriteCond and the flags are not evaluated. So it is important to 
not have a complex pattern in RewriteRule. In your case it is not complex.


Then next the RewriteCond is checked. In your case picking one header and 
matching with ".*" which is also not very expensive (not backtracking).


And then finally the env var setting. Performancewise this will be very 
close to the SetEnvIf variant.


Regards,

Rainer


Thanks
Martin

On Thu, Mar 22, 2018 at 6:16 PM, Rainer Jung <rainer.j...@kippdata.de> wrote:


Am 22.03.2018 um 18:08 schrieb Eric Covener:

On Thu, Mar 22, 2018 at 1:03 PM, Martin Knoblauch <kn...@knobisoft.de> wrote:

Hi Eric,

   thanks, but does not work.

login_jsid=Cookie  prints "Cookie"
login_jsid=%{Cookie} prints "%{Cookie}"

Apparently the right sides of the assignment are just taken
as literals
without evaluating them as variables.


Arg, sorry, It is only for the first arg.

Had a brief look at mod_log_debug, but do not see how it
helps me in this
case.


You could log expressions before/after the  your edits.


... by choosing different hooks.

If that does not work, you could also try to copy the header to an
env var using mod_rewrite. Something like

RewriteCond "%{HTTP_COOKIE}" "(.*)"
RewriteRule ^/cb2/facelets/logon.xhtml$ - [E=login_jsid:%1]

But you need to test. Not sure in what order the mod_headers
replacement and the mod_rewrite rule handling run. I vaguely
remember having used a trick like this.

Including your marker login_get should work like this:

RewriteCond "%{HTTP_COOKIE}" "(.*)"
RewriteRule ^/cb2/facelets/logon.xhtml$ - [E=login_jsid:%1,E=login_get]

Regards,

Rainer







--
--
Martin Knoblauch
email: k n o b i AT knobisoft DOT de
www: http://www.knobisoft.de





Re: [users@httpd] How to print request headers before and after processing

2018-03-22 Thread Rainer Jung

Am 22.03.2018 um 18:08 schrieb Eric Covener:

On Thu, Mar 22, 2018 at 1:03 PM, Martin Knoblauch  wrote:

Hi Eric,

  thanks, but does not work.

login_jsid=Cookie  prints "Cookie"
login_jsid=%{Cookie} prints "%{Cookie}"

Apparently the right sides of the assignment are just taken as literals
without evaluating them as variables.



Arg, sorry, It is only for the first arg.


Had a brief look at mod_log_debug, but do not see how it helps me in this
case.


You could log expressions before/after the  your edits.


... by choosing different hooks.

If that does not work, you could also try to copy the header to an env 
var using mod_rewrite. Something like


RewriteCond "%{HTTP_COOKIE}" "(.*)"
RewriteRule ^/cb2/facelets/logon.xhtml$ - [E=login_jsid:%1]

But you need to test. Not sure in what order the mod_headers replacement 
and the mod_rewrite rule handling run. I vaguely remember having used a 
trick like this.


Including your marker login_get should work like this:

RewriteCond "%{HTTP_COOKIE}" "(.*)"
RewriteRule ^/cb2/facelets/logon.xhtml$ - [E=login_jsid:%1,E=login_get]

Regards,

Rainer





Re: [users@httpd] Apache httpd 2.4.32 issue with mod_proxy_balancer

2018-03-15 Thread Rainer Jung

Am 15.03.2018 um 18:37 schrieb Steffen:

Httpd 2.4.32 has an issue with mod_proxy_balancer.


For users who are not aware of the details: version 2.4.32 is not yet 
officially released. The above problem only applies to the Apache web 
server 2.4.32 on the Windows platform. Other platforms do not have this 
problem. Once there's a release announcement, we will cover the details 
there.



Stay tuned tomorrow the binary VC14/VC15 is updated,

see http://www.apachelounge.com/viewtopic.php?p=36605#36605


Regards,

Rainer





Re: [users@httpd] websocket header not passing a long with ProxyPass and mod_headers

2018-02-08 Thread Rainer Jung

Am 08.02.2018 um 19:50 schrieb Mark Nenadov:

according to the docs, you can actually specify the protocol:

https://httpd.apache.org/docs/2.4/mod/mod_proxy_wstunnel.html :

"In fact the module can be used to upgrade to other protocols, you can set the 
upgrade parameter in the ProxyPass directive to allow the module to accept other 
protocol."

 From https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxypass :

"Parameter "upgrade", default "WebSocket": Protocol accepted in the Upgrade header 
by mod_proxy_wstunnel. See the documentation of this module for more details."

So maybe setting "upgrade=websocket" as a ProxyPass parameter might already 
achieve what Mark is looking for?

Regards
Jens


Hi Jens,

I saw this upgrade parameter in the manual earlier and tried it. But
it doesn't appear to be valid (manual reference notwithstanding),
config test complains about a syntax error when I add it, even with
providing the default value.

The manual isn't very clear about it.

The documentation for the mod_proxy_wstunnel
(https://httpd.apache.org/docs/2.4/mod/mod_proxy_wstunnel.html)
suggests that it should be upgrade=ANY or upgrade=NONE. But I still
can't get configtest to pass with it set to ANY or NONE either.


Can you post one of your failed configs and the error message?

It should be something like

<LocationMatch "/somewhere">
  ProxyPass wss://192.168.1.77/some_url_on_tomcat upgrade=websocket
</LocationMatch>

Regards,

Rainer





Re: [users@httpd] websocket header not passing a long with ProxyPass and mod_headers

2018-02-08 Thread Rainer Jung

Hi Mark,

Am 08.02.2018 um 16:49 schrieb Mark Nenadov:
Hello, I have an operational setup where Apache httpd is proxying secure 
websockets traffic to an Apache Tomcat server. In other words, I'm using 
ProxyPass to pass traffic along to a WSS url.


I'm now having some issues trying to throw mod_headers into the mix. I'm 
attempting to manipulate the "Upgrade" header like so in my Apache httpd 
Virtual Host:


<LocationMatch "/somewhere">
   RequestHeader set Upgrade websocket
   ProxyPass wss://192.168.1.77/some_url_on_tomcat
</LocationMatch>

So, supposing the client sends something funky for Upgrade like 
"WebSocket" (as an older version of a certain websocket library does), 
this RequestHeader directive should, by my understanding, replace it 
with "websocket".


However, when I place %{Upgrade}i in both my Apache httpd and Apache 
Tomcat access logs, I'm finding that the modified Upgrade header appears 
only in my httpd access logs, Tomcat says it is getting the original 
unmodified value!


This is rather perplexing to me as my understanding is that 
RequestHeader should permanently alter that request header. The Tomcat 
setup I have is very straightforward and there should be no surprises there.


I've tried changing my RequestHeader usage to do an unset and add. I've 
also tried adding the "early" directive to the end of RequestHeader, but 
that does not alter the behavior.


It sure seems like the problem is with how Apache httpd is passing 
things along somehow, but my research hasn't come up with an answer that 
explains it or offers a resolution. Am I missing something here?


Versions: Apache httpd 2.4.18 / Apache Tomcat 8.5.24


You are probably proxying with mod_proxy_wstunnel. It seems to me that 
"Upgrade: WebSocket" is hard-coded in that module.


Regards,

Rainer





Re: [users@httpd] symbol SSLv2_client_method

2018-02-08 Thread Rainer Jung

Am 07.02.2018 um 11:03 schrieb Stefan Eissing:

Your openssl is not the version that your apache was compiled
against. If you updated it, you need to also re-compile
any executables that link it.

Note that running SSL without staying on current software
versions is highly discouraged. For example, Apache does
not support versions 2.0 or 2.2 any longer.


In addition it is also possible that you ran into a temporary 
incompatibility in OpenSSL 1.0.2g and 1.0.1s. The symbol 
SSLv2_client_method was accidentally removed when sslv2 support was 
removed. To stay API compatible, it should have been replaced by a dummy 
impl that simply returns NULL.


This was corrected in 1.0.2h and 1.0.1t, so if you are using the buggy 
versions, any minor patch update should be fine.


The simple commits were:

https://github.com/openssl/openssl/commit/133138569f37d149ed1d7641fe8c75a93fded445

(for 1.0.2) and

https://github.com/openssl/openssl/commit/5bac9d44e712bc4acfbdd156244fca4486285ec9

(for 1.0.1).

Regards,

Rainer


Am 07.02.2018 um 10:44 schrieb Pietro Pesce :

hello

I have a Solaris zone with Apache:

# /app/apache/bin/httpd -version
Server version: Apache/2.0.59
Server built:   Jun 18 2007 14:27:08

When I try to start it, I receive this error:

yntax error on line 32 of /app/apache/conf/httpd.conf:
Cannot load /app/apache/modules/mod_ssl.so into server: ld.so.1: httpd: fatal: 
relocation error: file /app/apache/modules/mod_ssl.so: symbol 
SSLv2_client_method: referenced symbol not found

# ldd /app/apache/modules/mod_ssl.so
 libc.so.1 => /lib/libc.so.1
 libgcc_s.so.1 => /usr/sfw/lib/libgcc_s.so.1
 libm.so.2 => /lib/libm.so.2
 /lib/libm/libm_hwcap1.so.2
 /platform/sun4v/lib/libc_psr.so.1

ldd /lib/libc.so.1
 libm.so.2 => /lib/libm.so.2
 /lib/libm/libm_hwcap1.so.2
 /platform/sun4v/lib/libc_psr.so.1


can help please?

tnx







--
kippdata
informationstechnologie GmbH   Tel: 0228 98549 -0
Bornheimer Str. 33a            Fax: 0228 98549 -50
53111 Bonn                     www.kippdata.de

HRB 8018 Amtsgericht Bonn / USt.-IdNr. DE 196 457 417
Geschäftsführer: Dr. Thomas Höfer, Rainer Jung, Sven Maurmann




Re: [users@httpd] mod_ssl: problem using a self-compiled OpenSSL installation on a 64-bit Linux system

2017-09-24 Thread Rainer Jung

Am 24.09.2017 um 22:49 schrieb Jens Schleusener:

Hi,

if I formerly compiled the Apache httpd server myself using an also 
self-compiled OpenSSL installation for building "mod_ssl" as a shared 
module I added only the configure option "--with-ssl" to specify the 
according OpenSSL installation directory (if I remember correctly).


Now on a 64-bit Linux system it seems no longer to work. OpenSSL was 
installed by using the configure option "--prefix" say into a directory 
named /usr/local/sc (sc=self-compiled) so I added accordingly the httpd 
configure option "--with-ssl=/usr/local/sc". But looking in the output 
of the configure run and the configure script itself (below "Check 
whether --with-ssl was given") I had the impression that the script 
checks only for the condition


  -f "${ap_openssl_base}/lib/pkgconfig/openssl.pc"

In my example case that would result in a check for the existence 
of the pkg-config file /usr/local/sc/lib/pkgconfig/openssl.pc but the 
self-compiled openssl libs (1.0.2l) were installed on my 64-bit system 
under /usr/local/sc/lib64 so the searched file exists instead under 
/usr/local/sc/lib64/pkgconfig/openssl.pc.


So I changed just for testing in the configure script within the four 
openssl relevant lines (line numbers 26048/26049 and 28901/28902)

the string /lib/pkgconfig into /lib64/pkgconfig and thereafter the
configure output now mentioned amongst others

  adding "-I/usr/local/sc/include" to CPPFLAGS
  adding "-L/usr/local/sc/lib64" to LDFLAGS

Ok, but that seems not sufficient since the following "ldd mod_ssl.so" 
output extract


  libssl.so.1.0.0 => /lib64/libssl.so.1.0.0
  libcrypto.so.1.0.0 => /lib64/libcrypto.so.1.0.0

showed that nevertheless the "default" openssl libs (1.0.2j) of the 
distribution seems to be used. Additionally after setting

"LogLevel ssl:info" in the httpd.conf and starting the httpd daemon
I found in the error_log file the corresponding lines

  [ssl:info] [xxx] AH01876: mod_ssl/2.4.27 compiled against Server:
    Apache/2.4.27, Library: OpenSSL/1.0.2l
  [ssl:warn] [xxx] AH01882: Init: this version of mod_ssl was compiled
    against a newer library (OpenSSL 1.0.2l  25 May 2017,
    version currently loaded is OpenSSL 1.0.2j-fips  26 Sep 2016) -
    may result in undefined or erroneous behavior

So I set before the configure run additionally the environment variable

  LDFLAGS="-Wl,-rpath=/usr/local/sc/lib64"

and that seems to help: A "ldd mod_ssl.so" showed now the self-compiled 
openssl libs in use


  libssl.so.1.0.0 => /usr/local/sc/lib64/libssl.so.1.0.0
  libcrypto.so.1.0.0 => /usr/local/sc/lib64/libcrypto.so.1.0.0

and the warning in the error_log also disappeared.

Alternatively I could probably add generally /usr/local/sc/lib64 into 
/etc/ld.so.conf but to avoid incompatibility conflicts I don't want all 
the other self-compiled libs in /usr/local/sc/lib64 used by default 
(maybe I could put /usr/local/sc/lib64 as last entry).


Maybe on 64-bit systems a loop at least over "lib" and "lib64" should be 
done in the according configure script checks.


Is that all correct or are there other mechanisms or better solutions 
existent in order to handle the described problem?


Not a full solution but concerning the rpath flag you can use the more 
precise


MOD_SSL_LDADD

instead of LDFLAGS. The latter will be used for any linking, 
MOD_SSL_LDADD only for mod_ssl linking. If you compile "ab" also with 
ssl support, you might also want to set ab_LDADD and if you compile apr 
crypto, you can use LDADD_crypto_openssl.


For the lib64 part a workaround might be setting PKG_CONFIG_PATH before 
running configure.


But you are right, it would be better if our configure script would also 
check lib64 on appropriate platforms.


Regards,

Rainer
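
The two symptoms described in this message (`ldd` resolving the distribution's libssl, and the AH01882 warning) can be checked mechanically after a rebuild. This is an added example, not code from the thread or from httpd: the function names are hypothetical, and the sample inputs are constructed from the lines quoted above with made-up load addresses, timestamp and pid.

```shell
#!/bin/sh
# Added example: verify which OpenSSL a rebuilt mod_ssl resolves and loads.

# Read `ldd mod_ssl.so` output on stdin; print the resolved path of libssl
# and libcrypto, or "not-found" when the loader cannot resolve one of them.
ssl_lib_paths() {
    awk '$1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" {
             print ($3 == "not" ? "not-found" : $3)
         }'
}

# libs_outside_prefix PREFIX
# Read ldd output on stdin and print every libssl/libcrypto path that is
# NOT below PREFIX. No output means the module uses the intended build.
libs_outside_prefix() {
    prefix=${1%/}
    ssl_lib_paths | while IFS= read -r lib; do
        case $lib in
            "$prefix"/*) ;;
            *) printf '%s\n' "$lib" ;;
        esac
    done
}

# Read error_log lines on stdin; for each AH01882 warning print
# "compiled=<version> loaded=<version>".
ah01882_versions() {
    sed -n 's/.*AH01882:.*(OpenSSL \([^ ]*\) .*version currently loaded is OpenSSL \([^ ]*\) .*/compiled=\1 loaded=\2/p'
}

# --- constructed sample inputs (addresses, timestamp and pid are made up) ---
sample_ldd_default() {
cat <<'EOF'
	libssl.so.1.0.0 => /lib64/libssl.so.1.0.0 (0x00007f1000000000)
	libcrypto.so.1.0.0 => /lib64/libcrypto.so.1.0.0 (0x00007f1000200000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f1000600000)
EOF
}

sample_ldd_rpath() {
cat <<'EOF'
	libssl.so.1.0.0 => /usr/local/sc/lib64/libssl.so.1.0.0 (0x00007f1000000000)
	libcrypto.so.1.0.0 => /usr/local/sc/lib64/libcrypto.so.1.0.0 (0x00007f1000200000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f1000600000)
EOF
}

sample_error_log() {
cat <<'EOF'
[Sun Sep 24 22:30:00.000001 2017] [ssl:info] [pid 4242] AH01876: mod_ssl/2.4.27 compiled against Server: Apache/2.4.27, Library: OpenSSL/1.0.2l
[Sun Sep 24 22:30:00.000002 2017] [ssl:warn] [pid 4242] AH01882: Init: this version of mod_ssl was compiled against a newer library (OpenSSL 1.0.2l  25 May 2017, version currently loaded is OpenSSL 1.0.2j-fips  26 Sep 2016) - may result in undefined or erroneous behavior
EOF
}

# Real use: sh check_mod_ssl.sh /path/to/mod_ssl.so /usr/local/sc
if [ "$#" -eq 2 ]; then
    ldd "$1" | libs_outside_prefix "$2"
fi
```

Any line printed by `libs_outside_prefix`, or any `compiled=`/`loaded=` pair with differing versions, means the running server is not using the OpenSSL build it was compiled against.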




Re: [users@httpd] directive not having any effect

2017-01-25 Thread Rainer Jung

Am 25.01.2017 um 20:57 schrieb Jason Brooks:

Ok, that’s exactly what did it:

I put in two locationmatches:

one being:


and the other:


Thank you for your fast response!


What about multiple leading slashes, e.g. ///wp-login.php ?

Check and if those are not yet covered use something like



instead.

Regards,

Rainer


On Jan 25, 2017, at 11:42 AM, Eric Covener <cove...@gmail.com> wrote:

Yep

On Wed, Jan 25, 2017 at 2:41 PM, Jason Brooks <jason.bro...@eroi.com> wrote:

Ah: I am using a proxypassmatch for *.php.

Will  work?

—jason


Jason Brooks   Systems Administrator
eROI   Performance is Art.

m:  505 nw couch #300   w:  eroi.com
t:  503.290.3105   f:  503.228.4249

fb: fb.com/eROI

On Jan 25, 2017, at 11:39 AM, Eric Covener <cove...@gmail.com> wrote:


On Wed, Jan 25, 2017 at 2:32 PM, Jason Brooks <jason.bro...@eroi.com> wrote:

What’s going on?


If it's proxied,  won't match.



--
Eric Covener
cove...@gmail.com 





--
Eric Covener
cove...@gmail.com 
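
Rainer's question about multiple leading slashes can be turned into a check that is run before a restriction is relied on. This is an added example, not part of the thread: the two patterns are hypothetical (the thread's own directives did not survive in the archive), the function names are made up, and `grep -E` stands in for httpd's PCRE matching, which agrees for patterns this simple.

```shell
#!/bin/sh
# Added example: list the leading-slash variants of a path that a candidate
# LocationMatch pattern does NOT match.

# leading_slash_variants PATH [MAX]
# Print PATH normalised to 1, 2, ... MAX leading slashes (default 4).
leading_slash_variants() {
    rest=$1
    while [ "${rest#/}" != "$rest" ]; do   # strip every leading slash
        rest=${rest#/}
    done
    max=${2:-4}
    count=1
    slashes=/
    while [ "$count" -le "$max" ]; do
        printf '%s%s\n' "$slashes" "$rest"
        slashes=/$slashes
        count=$((count + 1))
    done
}

# uncovered_variants REGEX PATH [MAX]
# Print each variant that REGEX (POSIX ERE) fails to match.
# Empty output means every variant is covered by the pattern.
uncovered_variants() {
    leading_slash_variants "$2" "${3:-4}" | grep -Ev -- "$1" || true
}

# Hypothetical patterns: anchored on exactly one slash vs. one or more.
PATTERN_SINGLE='^/wp-login\.php'
PATTERN_MULTI='^/+wp-login\.php'

# Real use: sh slash_check.sh '<regex from your LocationMatch>' /wp-login.php
if [ "$#" -eq 2 ]; then
    uncovered_variants "$1" "$2"
fi
```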





Re: [users@httpd] Re: Next version of Apache 2.2?

2017-01-04 Thread Rainer Jung

Am 03.01.2017 um 23:19 schrieb Good guy:

On 03/01/2017 21:31, Development Manager wrote:

CVE-2016-8743 was patched/mitigated in Apache 2.4 but is still an
outstanding issue in 2.2, according to
https://security-tracker.debian.org/tracker/CVE-2016-8743.

Is there a plan to rebase it to 2.2? If so, do you know when?
The reason I ask is PCI DSS requires that we have all vulnerabilities
patched within 30 days, and it's been 2 weeks since 2.4 was patched.


2.2 is dead and finished.  It is time to move to 2.4.  Nobody is working
on 2.2 as far as I know.


The backport vote for the fix is ongoing and likely there will be a 
release soon after the fix will have been voted into 2.2. But it might 
be it will be published after your 30 days deadline.


In general "yes": if you can, you should migrate to 2.4.

Regards,

Rainer




Re: [users@httpd] HTTPD 2.4.25 crash in mod_proxy (ajp)

2017-01-02 Thread Rainer Jung

Hi Hajo,

Am 02.01.2017 um 11:54 schrieb Hajo Locke:

Hello list,

sorry guys. i think i have lost overview. Has this resulted in a public
patch?


The fix in trunk (2.5) is

http://svn.apache.org/viewvc?view=revision&revision=1775775

It is proposed for backport to 2.4 but has not yet been applied there.

ApacheLounge has provided fixed binaries for Windows including the 
suggested fix. See the discussion at


https://www.apachelounge.com/viewtopic.php?p=34723

Regards,

Rainer


Thanks,
Hajo

Am 23.12.2016 um 13:18 schrieb Konstantin Kolinko:

BCC: Steffen

I did quick tests to verify whether shutdown issues are related to
mod_proxy.  They are not related.

2016-12-23 15:01 GMT+03:00 Konstantin Kolinko :

2. Oddities at shutdown that I also mentioned are still there.

I mean the following:
- On Windows 7 (running as service, complex configuration):
"AH00431: Parent: Forcing termination of child process" log message

I do not see such message in old logs from 2.4.23.

Maybe the process is still broken, although it did not crash?

Quick test:

1) Start server service, Stop server service   (No HTTPS requests served)

No issue.

[Fri Dec 23 15:06:22.542629 2016] [mpm_winnt:notice] [pid 2636:tid 364] AH00422: Parent: Received shutdown signal -- Shutting down the server.
[Fri Dec 23 15:06:24.570633 2016] [mpm_winnt:notice] [pid 3996:tid 256] AH00364: Child: All worker threads have exited.
[Fri Dec 23 15:06:24.648633 2016] [mpm_winnt:notice] [pid 2636:tid 364] AH00430: Parent: Child process 3996 exited successfully.

2) Start server service, Request a static page (root page of the
site), Stop server service.

The child process does not stop, is terminated forcedly.

[Fri Dec 23 15:07:02.353899 2016] [mpm_winnt:notice] [pid 3084:tid 364] AH00422: Parent: Received shutdown signal -- Shutting down the server.
[Fri Dec 23 15:07:32.368352 2016] [mpm_winnt:notice] [pid 3084:tid 364] AH00431: Parent: Forcing termination of child process 5564

So this issue is real, but it is not related to mod_proxy.



- On Windows 10 (running as console, simple configuration example -
GitHub):

Before I hit Ctrl+C the error.log file is as follows:
(I added additional line breaks to separate lines that are wrapped in
e-mail.)
...
After I hit Ctrl+C in HTTPD console window, it becomes:
(I added additional line breaks to separate lines that are wrapped in
e-mail.)
...

The "Apache server interrupted..." line appears in the middle of the
file, overwriting some of existing text.


Quick test:

1) Start server service, Stop server service   (No HTTPS requests served)

This issue is observed.
("Apache server interrupted..." line appears in the middle of the file).

So this oddity is real, but it is not related to mod_proxy, not
related to processing of HTTP requests.

Maybe this is not a real issue, just an oddity.


Best regards,
Konstantin Kolinko





Re: [users@httpd] HTTPD 2.4.25 crash in mod_proxy (ajp)

2016-12-23 Thread Rainer Jung

Am 23.12.2016 um 00:43 schrieb Yann Ylavic:

On Fri, Dec 23, 2016 at 12:11 AM, Rainer Jung  wrote:

Am 22.12.2016 um 23:56 schrieb Yann Ylavic:


I was thinking about always using the new code, maybe with an "if
APLOGtrace2(s)" around to save a getsockname() call when not needed.


I see, thanks.


Committed in r1775775, and proposed for backport to 2.4.x.


Steffen from ApacheLounge recompiled mod_proxy.so for 2.4 including that 
fix. I handed over the new mod_proxy.so for Windows to Konstantin and 
hopefully he can do a quick retest.


Regards,

Rainer




Re: [users@httpd] HTTPD 2.4.25 crash in mod_proxy (ajp)

2016-12-22 Thread Rainer Jung

Am 22.12.2016 um 23:56 schrieb Yann Ylavic:

On Thu, Dec 22, 2016 at 11:38 PM, Rainer Jung  wrote:

OK, looking closer at the suggested patch I see it fixes trace2-Logging.
When I activate e.g. trace8, I do get the expected crash in
ap_proxy_check_connection.


Yes, it depends on the LogLevel, and probably also on AP_HAVE_C99
(which avoids ap_log_* args evaluation when the LogLevel doesn't
match).


Ah yes, you are right.


How is AP_HAVE_C99 defined with msvc (or the compiler used at apachelounge)?
If undefined/zero, it may segfault at any level.


It seems we set AP_HAVE_C99 in include/ap_config.h depending on 
__STDC_VERSION__. Various sources suggest MSVC isn't setting 
__STDC_VERSION__:


https://connect.microsoft.com/VisualStudio/feedback/details/1006806/c99-support-is-missing-stdc-version

So it could well be, that Windows users run into this with any log level.

@Jim: it only happens when backend connections get reused (that's what 
the broken log statement is logging), so e.g. not on the first request.



@Yann: your patch is just to check whether that is the problem? I guess the
final patch will distinguish between conn->connection being NULL (then using
your suggested code) or non-NULL (then using the original code). Or would
you always use your suggested code?


I was thinking about always using the new code, maybe with an "if
APLOGtrace2(s)" around to save a getsockname() call when not needed.


I see, thanks.

Regards,

Rainer




Re: [users@httpd] HTTPD 2.4.25 crash in mod_proxy (ajp)

2016-12-22 Thread Rainer Jung

OK, looking closer at the suggested patch I see it fixes 
trace2-Logging. When I activate e.g. trace8, I do get the expected 
crash in ap_proxy_check_connection.


@Konstantin: do you have LogLevel trace2 or higher? If so, do you also 
see crashes with trace1 or lower?


@Yann: your patch is just to check whether that is the problem? I guess 
the final patch will distinguish between conn->connection being NULL 
(then using your suggested code) or non-NULL (then using the original 
code). Or would you always use your suggested code?


Thanks and regards,

Rainer

Am 22.12.2016 um 18:38 schrieb Yann Ylavic:

On Thu, Dec 22, 2016 at 3:12 PM, Jim Jagielski  wrote:

H...

I wonder if it's due to:

 /* Step Two: Make the Connection */
-if (ap_proxy_connect_backend(scheme, backend, worker, r->server)) {
+if (ap_proxy_check_connection(scheme, backend, r->server, 0,
+  PROXY_CHECK_CONN_EMPTY)
+&& ap_proxy_connect_backend(scheme, backend, worker,
+r->server)) {
 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(00896)
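Review bot: the new condition chains ap_proxy_check_connection() and ap_proxy_connect_backend() with &&, so the connect is attempted only when the check returns non-zero and the APLOG_ERR branch is reached only when both calls fail, which is easy to misread because success is zero for both. A one-line comment above the if stating that a non-zero check result means "not reusable, reconnect" would make the intent clear to the next reader.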


Probably, I think it comes from :

Index: modules/proxy/proxy_util.c
===
--- modules/proxy/proxy_util.c(revision 1775191)
+++ modules/proxy/proxy_util.c(working copy)
@@ -2754,10 +2754,11 @@ PROXY_DECLARE(apr_status_t) ap_proxy_check_connect
 }

 if (rv == APR_SUCCESS) {
+apr_sockaddr_t *local_addr = NULL;
+apr_socket_addr_get(&local_addr, APR_LOCAL, conn->sock);
 ap_log_error(APLOG_MARK, APLOG_TRACE2, 0, server,
  "%s: reusing backend connection %pI<>%pI",
- scheme, conn->connection->local_addr,
- conn->connection->client_addr);
+ scheme, local_addr, conn->addr);
 }
 else if (conn->sock) {
 /* This clears conn->scpool (and associated data), so backup and
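Review bot: the status returned by the added apr_socket_addr_get(&local_addr, APR_LOCAL, conn->sock) call is discarded, so if the lookup fails local_addr stays NULL and is passed straight to the first %pI of the trace message. Checking the return value for APR_SUCCESS before logging, or logging a distinct message on failure, would keep the trace line from silently reporting an empty local address.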
_

because AJP has no conn->connection (conn->sock only).

Konstantin, can you apply a patch?

Regards,
Yann.





Re: [users@httpd] HTTPD 2.4.25 crash in mod_proxy (ajp)

2016-12-22 Thread Rainer Jung

Am 22.12.2016 um 18:38 schrieb Yann Ylavic:

On Thu, Dec 22, 2016 at 3:12 PM, Jim Jagielski  wrote:

H...

I wonder if it's due to:

 /* Step Two: Make the Connection */
-if (ap_proxy_connect_backend(scheme, backend, worker, r->server)) {
+if (ap_proxy_check_connection(scheme, backend, r->server, 0,
+  PROXY_CHECK_CONN_EMPTY)
+&& ap_proxy_connect_backend(scheme, backend, worker,
+r->server)) {
 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(00896)


Probably, I think it comes from :

Index: modules/proxy/proxy_util.c
===
--- modules/proxy/proxy_util.c(revision 1775191)
+++ modules/proxy/proxy_util.c(working copy)
@@ -2754,10 +2754,11 @@ PROXY_DECLARE(apr_status_t) ap_proxy_check_connect
 }

 if (rv == APR_SUCCESS) {
+apr_sockaddr_t *local_addr = NULL;
+apr_socket_addr_get(&local_addr, APR_LOCAL, conn->sock);
 ap_log_error(APLOG_MARK, APLOG_TRACE2, 0, server,
  "%s: reusing backend connection %pI<>%pI",
- scheme, conn->connection->local_addr,
- conn->connection->client_addr);
+ scheme, local_addr, conn->addr);
 }
 else if (conn->sock) {
 /* This clears conn->scpool (and associated data), so backup and
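Review bot: the two added lines that declare local_addr and call apr_socket_addr_get() sit outside ap_log_error(), so the address lookup runs on every reused backend connection even when TRACE2 is not enabled. Wrapping the lookup and the log call together in a trace-level check, as the APLOGtrace2(s) idea mentioned in this thread suggests, would limit the cost to the case where the message is actually written.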
_

because AJP has no conn->connection (conn->sock only).

Konstantin, can you apply a patch?


Yes, that would be good but Konstantin wrote he is using the binary from 
Apache Lounge so we would probably need some help from Steffen.


I tried on Solaris with 2.4.25, default config plus snippet from 
Konstantin plus loading of mod_proxy and mod_proxy_ajp and I do not see 
a crash there. So it seems to be either platform specific or the 
reproduction scenario is more complex.


Regards,

Rainer




Re: [users@httpd] TLS Proxy client certificates per virtualhost

2016-09-30 Thread Rainer Jung

Hi Mark,

In trunk, since a few months, we've got the feature that any SSLProxy* 
directive can be used in vhosts but more important per  block. 
The feature is proposed for addition to 2.4.x. Currently two more 
reviewers are needed. The proposed patch is available at


http://home.apache.org/~ylavic/patches/httpd-2.4.x-r1740928_and_co.patch

If you can try and test it with a custom build of 2.4.x your feedback 
will be very welcome and might speed up the review process.


Some background discussion is available at:

https://marc.info/?t=14605441672&r=1&w=2

Regards,

Rainer

Am 30.09.2016 um 16:42 schrieb Mark Blackman:

Hi,

What kind of options do I have if I want to use different SSL proxy 
certificates for different virtual hosts?

SSLProxyMachineCertificateFile is close, but only has server scope. What's the 
equivalent for virtualhost context?

I have a feeling I have zero options, but would like to confirm that here, 
please.  If so, how much work would it take to provide that?

Regards,
Mark





Re: [users@httpd] Httpd2.4.23 make failed with error util_pcre.c:128: error: 'PCRE_DUPNAMES' undeclared (first use in this function)

2016-09-29 Thread Rainer Jung

Am 28.09.2016 um 16:06 schrieb noor mahammad:

Hi Team,

I am trying to install httpd-2.4.23 on redhat system, it is always
failing as follows,

util_pcre.c: In function 'ap_regcomp':
util_pcre.c:128: error: 'PCRE_DUPNAMES' undeclared (first use in this
function)
util_pcre.c:128: error: (Each undeclared identifier is reported only once
util_pcre.c:128: error: for each function it appears in.)
make[2]: *** [util_pcre.lo] Error 1
make[2]: Leaving directory
`/opt/taleo/rccagent/wks/worker_1/apache_124194/httpd-2.4.23/server'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory
`/opt/taleo/rccagent/wks/worker_1/apache_124194/httpd-2.4.23/server'
make: *** [all-recursive] Error 1

i had used yum install pcre pcre-devel curl curl-devel libxml2
libxml2-devel expat-devel lua-devel, and then
/configure --prefix=${APACHE_INSTALL_DIR}
--with-pcre=/usr/bin/pcre-config --with-included-apr --with-mpm=worker \
--enable-mods-shared='alias authz_host cache cgi cgid deflate dir
disk-cache expires headers info logio mem-cache mime_magic negotiation
proxy proxy_ajp proxy_balancer proxy_http rewrite setenvif ssl version' \
--enable-reqtimeout \
--enable-unique-id\
--disable-asis --disable-auth-basic --disable-auth-basic
--disable-authn_file \
--disable-authn-file --disable-authz-groupfile --disable-authz-user \
--disable-cgi --disable-cgid --disable-filter --disable-imagemap \
--disable-userdir ${OPTIONAL}


Maybe you haven't installed the pcre dev rpm?

What is the output of "/usr/bin/pcre-config --cflags"? It should be 
something like


  -I/some/path/include

What is the full command line shown during make for compiling util_pcre.c?

Is there a file named "pcre.h" in the above /some/path/include?
This file should contain a line similar to:

#define PCRE_DUPNAMES   0x0008  /* C1   */

If not, which version does it include? For instance PCRE 8.39 contains 
in pcre.h:


#define PCRE_MAJOR  8
#define PCRE_MINOR  39

Regards,

Rainer
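
The checks Rainer asks for above can be scripted. The following is an added example, not part of the original thread or of httpd: the function names are hypothetical, and falling back to /usr/include when pcre-config prints no -I option is an assumption.

```shell
#!/bin/sh
# Added example: find the pcre.h selected by "pcre-config --cflags" and check
# whether it defines PCRE_DUPNAMES, which util_pcre.c in httpd 2.4.23 uses.

# Print "MAJOR.MINOR" from the PCRE_MAJOR / PCRE_MINOR defines, or "unknown".
pcre_header_version() {
    major=$(awk '$1 == "#define" && $2 == "PCRE_MAJOR" { print $3; exit }' "$1")
    minor=$(awk '$1 == "#define" && $2 == "PCRE_MINOR" { print $3; exit }' "$1")
    if [ -n "$major" ] && [ -n "$minor" ]; then
        echo "$major.$minor"
    else
        echo "unknown"
    fi
}

# Succeed if the header contains a "#define PCRE_DUPNAMES ..." line.
pcre_header_has_dupnames() {
    awk '$1 == "#define" && $2 == "PCRE_DUPNAMES" { found = 1 }
         END { exit !found }' "$1"
}

# $1: the output of "pcre-config --cflags".
# Reports on the first -I directory that contains pcre.h, the one the
# compiler would pick up first.
# Returns 0 if PCRE_DUPNAMES is defined, 1 if it is missing, 2 if no pcre.h
# was found at all.
check_pcre_cflags() {
    dirs=""
    for word in $1; do
        case $word in
            -I?*) dirs="$dirs ${word#-I}" ;;
        esac
    done
    # Assumption: no -I option means the header lives in /usr/include.
    [ -n "$dirs" ] || dirs=/usr/include
    for dir in $dirs; do
        hdr=$dir/pcre.h
        [ -f "$hdr" ] || continue
        if pcre_header_has_dupnames "$hdr"; then
            echo "$hdr: PCRE $(pcre_header_version "$hdr"), PCRE_DUPNAMES defined"
            return 0
        fi
        echo "$hdr: PCRE $(pcre_header_version "$hdr"), PCRE_DUPNAMES missing"
        return 1
    done
    echo "no pcre.h in:$dirs"
    return 2
}

# Usage: sh check_pcre.sh $(/usr/bin/pcre-config --cflags)
if [ "$#" -gt 0 ]; then
    check_pcre_cflags "$*"
fi
```

A "missing" result means the header found first is from a PCRE release that does not provide the constant, whatever version the installed runtime library has.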








Re: [users@httpd] Issues migrating Weblogic proxies from Sun One 6.1 to Apache 2.4

2016-06-25 Thread Rainer Jung

On 24.06.2016 at 21:58, Joe Muller wrote:


 Just an update on this issue, if anybody is following. We have eliminated the 
Load Balancer and the Firewall as a possible cause.  Our last test was directly 
between the IE client browser and the Apache 2.4 proxy server, resulting in the 
same errors in the Apache logs similar to this:


   *Exception type] [WRITE_ERROR_TO_CLIENT raised at line 560 of  
BaseProxy.cpp, refer:  
https://intgalf.xyz.com/ALFA/selectFileType.do?fileType=O1MM


  We also tested using different browsers (IE, Firefox, Chrome) and had mixed 
results, but eventually we saw the same errors from the Weblogic 12c plug-in 
in the Apache logs at some point.

 So at this point it is down to the Apache proxy and/or the Oracle Weblogic 12c 
Plug-in for Apache.  Anybody have any ideas ?  I am out of them right now :-(

Perhaps it has something to do with  the Apache 2.4 compilation options ?  If I 
had known  before that going with Apache 2.4 instead of IPlanet would have been 
this difficult we would have just purchased Oracle HTTP Server.  At least we 
would have full Oracle support through and through, although that may not be 
saying much, since it is based on Apache 2.2. Also I am worried about 
Oracle compatibility with 3rd party plug-ins like RSA Access Manager (SSO) and 
Tea Leaf.

To be honest I am surprised Oracle doesn't give more guidance on this.   I 
would think we wouldn't be the first people to encounter this, but based on the 
lack of information in their knowledge base and the response from their 
technical support it seems otherwise.


I'd sniff the network in front of Apache and when the problem happens 
filter the raw sniff packet dump file using the connection information 
from the error log line ("[client 10.165.254.1:28171]"). Then use the 
time stamp of the error message and look at the sniff of the single 
connection what happens before the error is logged.


In case you are using https and you can switch on a reproduction system 
to http this might help understanding the packet dump, but in general 
this approach could also be used for https.


Regards,

Rainer



-Original Message-
From: Mike Rumph [mailto:mike.ru...@oracle.com]
Sent: Monday, June 20, 2016 4:08 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Issues migrating Weblogic proxies from Sun One 6.1 
to Apache 2.4

Hello Joe,

It seems to me that mod_reqtimeout applies to the amount of time allowed for 
the server to receive the request from the client  (Read from client).

But your errors are indicating a problem on the Write to client.
As I am understanding our WLS plugin developer, the problem seems to be that 
when the server has readied a response to send back to the client, the client 
has already dropped the connection.
So in your topology this could be client browser, firewall or load balancer.

Have you considered the email responses from Todd Simons and Daniel?
The response from Daniel concerning the load balancer may be the most pertinent.

Thanks,

Mike

On 6/20/2016 11:11 AM, Joe Muller wrote:

  I checked our httpd.conf and we do have reqtimeout_module already loaded, 
however there is nothing set.  According to the Apache 2.4 documentation the 
default values are:

Default: header=20-40,MinRate=500 body=20,MinRate=500

Wouldn't you think that should be high enough ?  I know for a fact
that the data is not taking 20-40 seconds to post in these
applications, as the users are not waiting that long.  They are only
seeing slowdowns of a few seconds between pages (which in network time
is pretty long, especially accessing the applications locally and not
coming in from over the internet.)


-Original Message-
From: Mike Rumph [mailto:mike.ru...@oracle.com]
Sent: Monday, June 20, 2016 10:45 AM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Issues migrating Weblogic proxies from Sun
One 6.1 to Apache 2.4

Hello Joe,

I am not in a position to offer an official Oracle statement for your situation.
But I do work closely with the owners of the WLS plug-ins.

Here is an initial evaluation from one of the developers:

"WRITE_ERROR_TO_CLIENT is typically seen when there is an error
writing the response to the client (WLS plug-in client). This usually
occurs when the user sends a request, but closes the browser (or hits
a stop button) before the response is received by the client. In such a scenario, from the 
plug-in perspective, whenever response is received from WLS, it cannot relay it to 
the client as the connection is broken, and it logs WRITE_ERROR_TO_CLIENT error. 
This is usually a harmless error. If the above is not true (closing the browser 
etc), then it may be possible that the client timeout is too low (or lower than the 
WLS response time for the request). In such cases, the timeout needs to be 
increased. I am not aware of what parameters to look out for here, but 
mod_reqtimeout may be a good beginning."

I hope that this is helpful to you.
For more 

Re: [users@httpd] Install Apache 2.4.20 on Solaris 10 --- Error "ld: fatal: file ab.o: wrong ELF class: ELFCLASS32"

2016-05-02 Thread Rainer Jung

On 02.05.2016 at 20:35, Andy Wang wrote:



On 05/02/2016 12:42 PM, Rainer Jung wrote:

On 02.05.2016 at 19:07, Huang, Jinhui (OST) wrote:

Hi, Rainer:
I checked the 32/64 Bit issue on PCRE first. I found
/usr/local/apache2/pcre/lib/libpcre.a:  current ar archive, 32-bit
symbol table
/usr/local/apache2/pcre/lib/libpcreposix.a: current ar archive,
32-bit symbol table


The .so (shared libraries) look fine, the .a (static libraries) not.
They are 32 Bit and you can't link a 64 bit binary against them. By
default, the linking should happen against the .so (building dynamically
linked stuff). If you want to make sure, it'd be better to rename the .a
file to .a_ or similar, so they won't get used.

Why pcre has built the .a files only as 32 bit and didn't respect your
CC setting I don't know but shouldn't matter for now.


Are you basing that on the file command output?  Keep in mind the symbol
table size is not dependent on the bitwidth of the binaries in the
archive but rather the size of the ar archive itself.

 From ar man page:

  -S    When building the archive symbol table, force the use
        of the 64-bit capable symbol table format. By default,
        the 32-bit format is used for all archives smaller
        than 4GB, and the larger format is used for larger
        archives that exceed the 32-bit limit.


Yes, sorry, I just referred to "/usr/local/apache2/pcre/lib/libpcre.a: 
current ar archive, 32-bit symbol table". But since the OP shouldn't 
IMHO try to link against the .a files, it doesn't actually matter.



The compile error doesn't appear related to pcre though.  It looks to be
more still an openssl related problem.


Agreed.

Rainer





Re: [users@httpd] Install Apache 2.4.20 on Solaris 10 --- Error "ld: fatal: file ab.o: wrong ELF class: ELFCLASS32"

2016-05-02 Thread Rainer Jung

On 02.05.2016 at 19:07, Huang, Jinhui (OST) wrote:

Hi, Rainer:
I checked the 32/64 Bit issue on PCRE first. I found
/usr/local/apache2/pcre/lib/libpcre.a:  current ar archive, 32-bit symbol table
/usr/local/apache2/pcre/lib/libpcreposix.a: current ar archive, 32-bit 
symbol table
/usr/local/apache2/pcre/lib/libpcre.so: ELF 64-bit MSB dynamic lib SPARCV9 
Version 1, dynamically linked, not stripped
/usr/local/apache2/pcre/lib/libpcreposix.so:ELF 64-bit MSB dynamic lib 
SPARCV9 Version 1, dynamically linked, not stripped

I guess the .so files are OK. But the two .a files are 32-bit ones. Are they 
OK?  I used the following commands; I thought they should be the 64-bit version.

# cd /usr/local/apache2/install/pcre-8.38
# export CC="gcc -m64"
# ./configure --prefix=/usr/local/apache2/pcre --disable-cpp
# make clean
# make
# make install


The .so (shared libraries) look fine, the .a (static libraries) not. 
They are 32 Bit and you can't link a 64 bit binary against them. By 
default, the linking should happen against the .so (building dynamically 
linked stuff). If you want to make sure, it'd be better to rename the .a 
file to .a_ or similar, so they won't get used.


Why pcre has built the .a files only as 32 bit and didn't respect your 
CC setting I don't know but shouldn't matter for now.


Regards,

Rainer


-Original Message-
From: Huang, Jinhui (OST)
Sent: Monday, May 02, 2016 12:32 PM
To: users@httpd.apache.org
Cc: Huang, Jinhui (OST)
Subject: RE: [users@httpd] Install Apache 2.4.20 on Solaris 10 --- Error "ld: fatal: 
file ab.o: wrong ELF class: ELFCLASS32"

Thank you, Rainer. I will check that and try again.
Jin

-Original Message-
From: Rainer Jung [mailto:rainer.j...@kippdata.de]
Sent: Monday, May 02, 2016 12:27 PM
To: users@httpd.apache.org
Cc: Huang, Jinhui (OST)
Subject: Re: [users@httpd] Install Apache 2.4.20 on Solaris 10 --- Error "ld: fatal: 
file ab.o: wrong ELF class: ELFCLASS32"

On 02.05.2016 at 15:36, Huang, Jinhui (OST) wrote:

Hi, Rainer:

I searched online to find the OpenSSL version supported by Apache 2.4.20. It 
should be openssl-1.0.2g. I installed this version and then tried to install 
Apache again. It failed with same error message.

Searching the error (ld: fatal: relocations remain against allocatable but non-writable 
sections) again, I am now trying to compile the apache source with "-fPIC" 
option. Hoping this will make a difference.
export CC="gcc -m64 -fPIC"

Do I need to recompile/build the PCRE and OpenSSL using the same gcc option?


You must compile PCRE and OpenSSL as 64 Bit versions. You can check using the output of 
the "file" command on the PCRE resp. OpenSSL library files. For OpenSSL you 
might need to use an appropriate Configure command argument instead of CC.

The below error message sounds as if you didn't build the shared libraries for OpenSSL 
(*.so) and instead only the static ones (*.a). It should be easier to work with the 
shared ones (argument "shared" to Configure).

If you succeed in building 64 bit libraries and the shared ones are present, and then you 
still get "ld: fatal: relocations remain against allocatable but non-writable 
sections", you might succeed in setting

MOD_SSL_LDADD=-Wl,-Bsymbolic
export MOD_SSL_LDADD

Regards,

Rainer


-Original Message-
From: Huang, Jinhui (OST)
Sent: Friday, April 29, 2016 11:18 AM
To: Rainer Jung; users@httpd.apache.org
Cc: Huang, Jinhui (OST)
Subject: RE: [users@httpd] Install Apache 2.4.20 on Solaris 10 --- Error "ld: fatal: 
file ab.o: wrong ELF class: ELFCLASS32"

The error seems related to my OpenSSL.  On this server, I have two versions of 
OpenSSL. I am trying to use the one at /usr/local/ssl/ (OpenSSL 1.0.1s ).
Is this version supported for Apache 2.4.20?

==
# which openssl
/usr/sfw/bin/openssl

# openssl version
OpenSSL 0.9.7d 17 Mar 2004 (+ security fixes for: CVE-2005-2969
CVE-2006-2937 CVE-2006-2940 CVE-2006-3738 CVE-2006-4339 CVE-2006-4343
CVE-2006-7250 CVE-2007-5135 CVE-2007-3108 CVE-2008-5077 CVE-2008-7270
CVE-2009-0590 CVE-2009-2409 CVE-2009-3555 CVE-2010-4180 CVE-2011-4576
CVE-2011-4619 CVE-2012-0884 CVE-2012-1165 CVE-2012-2110 CVE-2012-2131
CVE-2012-2333 CVE-2013-0166 CVE-2013-0169 CVE-2014-0224 CVE-2014-3508
CVE-2014-3511 CVE-2014-3566 CVE-2014-3567 CVE-2014-3568 CVE-2014-3569
CVE-2014-3570 CVE-2014-8275 CVE-2015-0204 CVE-2015-0286 CVE-2015-0287
CVE-2015-0288 CVE-2015-0289 CVE-2015-0292 CVE-2015-0293 CVE-2015-1789
CVE-2015-1790 CVE-2015-4000)

# /usr/local/ssl/bin/openssl version
OpenSSL 1.0.1s  1 Mar 2016
======


-Original Message-
From: Huang, Jinhui (OST)
Sent: Friday, April 29, 2016 10:20 AM
To: Rainer Jung; users@httpd.apache.org
Cc: Huang, Jinhui (OST)
Subject: RE: [users@httpd] Install Apache 2.4.20 on Solaris 10 --- Error

Re: [users@httpd] Install Apache 2.4.20 on Solaris 10 --- Error "ld: fatal: file ab.o: wrong ELF class: ELFCLASS32"

2016-05-02 Thread Rainer Jung

On 02.05.2016 at 15:36, Huang, Jinhui (OST) wrote:

Hi, Rainer:

I searched online to find the OpenSSL version supported by Apache 2.4.20. It 
should be openssl-1.0.2g. I installed this version and then tried to install 
Apache again. It failed with same error message.

Searching the error (ld: fatal: relocations remain against allocatable but non-writable 
sections) again, I am now trying to compile the apache source with "-fPIC" 
option. Hoping this will make a difference.
export CC="gcc -m64 -fPIC"

Do I need to recompile/build the PCRE and OpenSSL using the same gcc option?


You must compile PCRE and OpenSSL as 64 Bit versions. You can check 
using the output of the "file" command on the PCRE resp. OpenSSL library 
files. For OpenSSL you might need to use an appropriate Configure 
command argument instead of CC.


The below error message sounds as if you didn't build the shared libraries 
for OpenSSL (*.so) and instead only the static ones (*.a). It should be 
easier to work with the shared ones (argument "shared" to Configure).


If you succeed in building 64 bit libraries and the shared ones are 
present, and then you still get "ld: fatal: relocations remain against 
allocatable but non-writable sections", you might succeed in setting


MOD_SSL_LDADD=-Wl,-Bsymbolic
export MOD_SSL_LDADD

Regards,

Rainer


-Original Message-
From: Huang, Jinhui (OST)
Sent: Friday, April 29, 2016 11:18 AM
To: Rainer Jung; users@httpd.apache.org
Cc: Huang, Jinhui (OST)
Subject: RE: [users@httpd] Install Apache 2.4.20 on Solaris 10 --- Error "ld: fatal: 
file ab.o: wrong ELF class: ELFCLASS32"

The error seems related to my OpenSSL.  On this server, I have two versions of 
OpenSSL. I am trying to use the one at /usr/local/ssl/ (OpenSSL 1.0.1s ).
Is this version supported for Apache 2.4.20?

==
# which openssl
/usr/sfw/bin/openssl

# openssl version
OpenSSL 0.9.7d 17 Mar 2004 (+ security fixes for: CVE-2005-2969 CVE-2006-2937 
CVE-2006-2940 CVE-2006-3738 CVE-2006-4339 CVE-2006-4343 CVE-2006-7250 
CVE-2007-5135 CVE-2007-3108 CVE-2008-5077 CVE-2008-7270 CVE-2009-0590 
CVE-2009-2409 CVE-2009-3555 CVE-2010-4180 CVE-2011-4576 CVE-2011-4619 
CVE-2012-0884 CVE-2012-1165 CVE-2012-2110 CVE-2012-2131 CVE-2012-2333 
CVE-2013-0166 CVE-2013-0169 CVE-2014-0224 CVE-2014-3508 CVE-2014-3511 
CVE-2014-3566 CVE-2014-3567 CVE-2014-3568 CVE-2014-3569 CVE-2014-3570 
CVE-2014-8275 CVE-2015-0204 CVE-2015-0286 CVE-2015-0287 CVE-2015-0288 
CVE-2015-0289 CVE-2015-0292 CVE-2015-0293 CVE-2015-1789 CVE-2015-1790 
CVE-2015-4000)

# /usr/local/ssl/bin/openssl version
OpenSSL 1.0.1s  1 Mar 2016
==


-Original Message-
From: Huang, Jinhui (OST)
Sent: Friday, April 29, 2016 10:20 AM
To: Rainer Jung; users@httpd.apache.org
Cc: Huang, Jinhui (OST)
Subject: RE: [users@httpd] Install Apache 2.4.20 on Solaris 10 --- Error "ld: fatal: 
file ab.o: wrong ELF class: ELFCLASS32"

Hi, Rainer:

The following is the new error I received when I try to install Apache 2.4.20 
again, using new PCRE 8.38. I have added a shortened screen capture 
(zptpt-20160428e-short.txt) as attachment. The original file is about 4.4 MB. 
In this short version, 45650 lines of make output have been deleted. Please let 
me know if you need the completed output.

===
# pwd
/usr/local/apache2/install/httpd-2.4.20

# env
CC=gcc -m64
HOME=/
HZ=
LOGNAME=root
MAIL=/var/mail/root
PATH=/bin:/usr/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/local/sbin:/usr/xpg4/bin:/usr/ccs/bin:/usr/ucb:/usr/dt/bin:/usr/openwin/bin:/usr/local/bin:/usr/local/sbin:/usr/platform/sun4u/sbin:/opt/VRTS/bin:/opt/VRTSob/bin:/etc/vx/bin:/usr/lib/vxvm/bin:/usr/sfw/bin:/var/tmp/tomcat/apache-ant-1.6.5/bin:/usr/local/apache2/bin:/usr/lib
PWD=/usr/local/apache2/install/pcre-8.38
SHELL=/sbin/sh
TERM=xterm
TZ=US/Eastern
_=/bin/script

# ./configure \
--prefix=/usr/local/apache2/httpd-2.4.20 \
--with-port=80 \
--with-mpm=worker \
--enable-mods-shared=most \
--enable-ssl \
--with-ssl=/usr/local/ssl \
--enable-proxy \
--disable-example \
--with-included-apr \
--with-pcre=/usr/local/apache2/pcre
..

# make clean
...

# make
...
/usr/local/apache2/install/httpd-2.4.20/srclib/apr/libtool --silent 
--mode=compile gcc -m64 -std=gnu99 -I/usr/local/ssl/include -g -O2  
-DSOLARIS2=10 -D_POSIX_PTHREAD_SEMANTICS -D_REENTRANT -I. 
-I/usr/local/apache2/install/httpd-2.4.20/os/unix 
-I/usr/local/apache2/install/httpd-2.4.20/include 
-I/usr/local/apache2/install/httpd-2.4.20/srclib/apr/include 
-I/usr/local/apache2/install/httpd-2.4.20/srclib/apr-util/include 
-I/usr/local/apache2/pcre/include 
-I/usr/local/apache2/install/httpd-2.4.20/modules/aaa 
-I/usr/local/apache2/install/httpd-2.4.20/modules/cache 
-I/usr/local/apache2/install/httpd-2.4.20/modules/core 
-I/usr/local/apache2/install/httpd-2.4.20/modules/

Re: [users@httpd] Install Apache 2.4.20 on Solaris 10 --- Error "ld: fatal: file ab.o: wrong ELF class: ELFCLASS32"

2016-04-28 Thread Rainer Jung

On 28.04.2016 at 19:59, jinhui.huang@dot.gov wrote:

Hi, Rainer:
The following is the output of make,  after I run a "make clean" first.
Jin

# make clean
Making clean in test
rm -f *.o *.lo *.slo *.obj *.a *.la
rm -rf .libs
Making clean in srclib
Making clean in apr-util
Making clean in test
rm -f ./*.o ./*.lo ./*.a ./*.la ./*.so ./*.obj
rm -rf ./.libs
rm -f manyfile.bin testfile.txt data/sqlite*.db dbd testall
rm -rf autom4te.cache
..
..

# make
Making all in srclib
Making all in apr
/usr/local/apache2/install/httpd-2.4.20/srclib/apr/build/mkdir.sh tools
/bin/bash /usr/local/apache2/install/httpd-2.4.20/srclib/apr/libtool --silent 
--mode=compile gcc -m64 -g -O2   -DHAVE_CONFIG_H  -DSOLARIS2=10 
-D_POSIX_PTHREAD_SEMANTICS -D_REENTRANT   -I./include 
-I/usr/local/apache2/install/httpd-2.4.20/srclib/apr/include/arch/unix 
-I./include/arch/unix 
-I/usr/local/apache2/install/httpd-2.4.20/srclib/apr/include/arch/unix 
-I/usr/local/apache2/install/httpd-2.4.20/srclib/apr/include 
-I/usr/local/apache2/install/httpd-2.4.20/srclib/apr/include/private 
-I/usr/local/apache2/install/httpd-2.4.20/srclib/apr/include/private  -o 
tools/gen_test_char.lo -c tools/gen_test_char.c && touch tools/gen_test_char.lo
/bin/bash /usr/local/apache2/inst
..
..
pd-2.4.20/modules/ssl -I/usr/local/apache2/install/httpd-2.4.20/modules/test 
-I/usr/local/apache2/install/httpd-2.4.20/server 
-I/usr/local/apache2/install/httpd-2.4.20/modules/arch/unix 
-I/usr/local/apache2/install/httpd-2.4.20/modules/dav/main 
-I/usr/local/apache2/install/httpd-2.4.20/modules/generators 
-I/usr/local/apache2/install/httpd-2.4.20/modules/mappers  -prefer-non-pic -static -c 
util_xml.c && touch util_xml.lo
/usr/local/apache2/install/httpd-2.4.20/srclib/apr/libtool --silent 
--mode=compile gcc -m64 -std=gnu99  -g -O2  -DSOLARIS2=10 
-D_POSIX_PTHREAD_SEMANTICS -D_REENTRANT -I. 
-I/usr/local/apache2/install/httpd-2.4.20/os/unix 
-I/usr/local/apache2/install/httpd-2.4.20/include 
-I/usr/local/apache2/install/httpd-2.4.20/srclib/apr/include 
-I/usr/local/apache2/install/httpd-2.4.20/srclib/apr-util/include 
-I/usr/local/apache2/pcre2/include 
-I/usr/local/apache2/install/httpd-2.4.20/modules/aaa 
-I/usr/local/apache2/install/httpd-2.4.20/modules/cache 
-I/usr/local/apache2/install/httpd-2.4.20/modules/core 
-I/usr/local/apache2/install/httpd-2.4.20/modules/database 
-I/usr/local/apache2/install/httpd-2.4.20/modules/filters 
-I/usr/local/apache2/install/httpd-2.4.20/modules/ldap 
-I/usr/local/apache2/install/httpd-2.4.20/modules/loggers 
-I/usr/local/apache2/install/httpd-2.4.20/modules/lua 
-I/usr/local/apache2/install/httpd-2.4.20/modules/proxy 
-I/usr/local/apache2/install/httpd-2.4.20/!

modules/
session -I/usr/local/apache2/install/httpd-2.4.20/modules/ssl 
-I/usr/local/apache2/install/httpd-2.4.20/modules/test 
-I/usr/local/apache2/install/httpd-2.4.20/server 
-I/usr/local/apache2/install/httpd-2.4.20/modules/arch/unix 
-I/usr/local/apache2/install/httpd-2.4.20/modules/dav/main 
-I/usr/local/apache2/install/httpd-2.4.20/modules/generators 
-I/usr/local/apache2/install/httpd-2.4.20/modules/mappers  -prefer-non-pic -static -c 
util_filter.c && touch util_filter.lo

/usr/local/apache2/install/httpd-2.4.20/srclib/apr/libtool --silent 
--mode=compile gcc -m64 -std=gnu99  -g -O2  -DSOLARIS2=10 
-D_POSIX_PTHREAD_SEMANTICS -D_REENTRANT -I. 
-I/usr/local/apache2/install/httpd-2.4.20/os/unix 
-I/usr/local/apache2/install/httpd-2.4.20/include 
-I/usr/local/apache2/install/httpd-2.4.20/srclib/apr/include 
-I/usr/local/apache2/install/httpd-2.4.20/srclib/apr-util/include 
-I/usr/local/apache2/pcre2/include 
-I/usr/local/apache2/install/httpd-2.4.20/modules/aaa 
-I/usr/local/apache2/install/httpd-2.4.20/modules/cache 
-I/usr/local/apache2/install/httpd-2.4.20/modules/core 
-I/usr/local/apache2/install/httpd-2.4.20/modules/database 
-I/usr/local/apache2/install/httpd-2.4.20/modules/filters 
-I/usr/local/apache2/install/httpd-2.4.20/modules/ldap 
-I/usr/local/apache2/install/httpd-2.4.20/modules/loggers 
-I/usr/local/apache2/install/httpd-2.4.20/modules/lua 
-I/usr/local/apache2/install/httpd-2.4.20/modules/proxy 
-I/usr/local/apache2/install/httpd-2.4.20/!

modules/
session -I/usr/local/apache2/install/httpd-2.4.20/modules/ssl 
-I/usr/local/apache2/install/httpd-2.4.20/modules/test 
-I/usr/local/apache2/install/httpd-2.4.20/server 
-I/usr/local/apache2/install/httpd-2.4.20/modules/arch/unix 
-I/usr/local/apache2/install/httpd-2.4.20/modules/dav/main 
-I/usr/local/apache2/install/httpd-2.4.20/modules/generators 
-I/usr/local/apache2/install/httpd-2.4.20/modules/mappers  -prefer-non-pic -static -c 
util_pcre.c && touch util_pcre.lo

util_pcre.c:49:18: pcre.h: No such file or directory
util_pcre.c: In function `ap_regfree':
util_pcre.c:104: error: `pcre_free' undeclared (first use in this function)
util_pcre.c:104: error: (Each undeclared identifier is reported only once
util_pcre.

Re: [users@httpd] Install Apache 2.4.20 on Solaris 10 --- Error "ld: fatal: file ab.o: wrong ELF class: ELFCLASS32"

2016-04-28 Thread Rainer Jung

On 28.04.2016 at 18:56, jinhui.huang@dot.gov wrote:

I am following the "Compiling and Installing" guide from
http://httpd.apache.org/docs/2.4/install.html

The configure ran OK:

# export CC="gcc -m64"
# ./configure \
--prefix=/usr/local/apache2/httpd-2.4.20 \
--with-port=80 \
--with-mpm=worker \
--enable-mods-shared=most \
--enable-ssl \
--with-ssl=/usr/local/ssl \
--enable-proxy \
--disable-example \
--with-included-apr \
--with-pcre=/usr/local/apache2/pcre2/bin/pcre2-config

But I got a fatal error when running make:

# make

Making all in generators
Making all in dav/fs
Making all in mappers
Making all in support
/usr/local/apache2/install/httpd-2.4.20/srclib/apr/libtool --silent
--mode=link gcc -m64 -std=gnu99  -g -O2   -L/usr/local/ssl/lib -lssl
-lcrypto -luuid -lsendfile -lrt -lsocket -lnsl -lpthread  \
  -o ab  ab.lo
/usr/local/apache2/install/httpd-2.4.20/srclib/apr-util/libaprutil-1.la
-lexpat /usr/local/apache2/install/httpd-2.4.20/srclib/apr/libapr-1.la
-luuid -lsendfile -lrt -lsocket -lnsl -lpthread -lm
ld: fatal: file ab.o: wrong ELF class: ELFCLASS32
ld: fatal: file processing errors. No output written to .libs/ab
collect2: ld returned 1 exit status
*** Error code 1
make: Fatal error: Command failed for target `ab'
Current working directory /usr/local/apache2/install/httpd-2.4.20/support
*** Error code 1
The following command caused the error:
otarget=`echo all-recursive|sed s/-recursive//`; \
list='  '; \
for i in $list; do \
.
.

After searching online, I think the issue is related to the 32-bit class
(ELFCLASS32). I am trying to add some compile/link flags. But there are
many options to try. Does anyone have experience with this? Thank you
very much if you can give me any hint or clue.


The object file ab.o is 32 bit but you want to compile a 64 bit "ab" binary.

How does the make output line look, which compiles ab.c into ab.o 
(libtool ... mode=compile)?


Regards,

Rainer




Re: [users@httpd] Restart or Reload after changing MaxClients and ServerLimit

2016-04-25 Thread Rainer Jung

On 25.04.2016 at 20:00, Cohen, Laurence wrote:

Hi, I really appreciate your response.  What I'd like to know is, how do
I look up this information on my own?  I use this mailing list generally
as a last resort when I can't find the answer myself.  In this case, I
did a lot of research before I asked my question, but couldn't get a
definitive answer.  If you could point me to the documentation that you
are using I'd greatly appreciate it.


Since you are still using the slightly outdated 2.2, the page

https://httpd.apache.org/docs/2.2/en/mod/mpm_common.html

is the official documentation. Looking at for instance

https://httpd.apache.org/docs/2.2/en/mod/mpm_common.html#threadlimit

and

https://httpd.apache.org/docs/2.2/en/mod/mpm_common.html#serverlimit

there's at least some sort of info about restarts and how the params 
relate to each other. But maybe not as easy to grok as it should be.


Regards,

Rainer


On Mon, Apr 25, 2016 at 4:32 AM, Rainer Jung <rainer.j...@kippdata.de> wrote:

ServerLimit and ThreadLimit configure the size of an internal
structure which maintains data about processes and threads. This
structure is only created during Apache start, so if you want to
change these two params, you need to stop and start.

ThreadsPerChild and MaxClients can be changed and activated with
"apachectl graceful", no need to restart. Only if ThreadsPerChild
needs to get increased higher than ThreadLimit, or
MaxClients/ThreadsPerChild needs to be increased higher than
ServerLimit, you need to adjust these as well and therefore need a
completely new start.

So if you want to reserve some reserve space for ThreadsPerChild or
MaxClients, you should configure ThreadLimit = ThreadsPerChild +
"reserved additional threads" and ServerLimit =
MaxClients/ThreadsPerChild + "reserved additional
clients"/ThreadsPerChild.

HTH,

Rainer

On 24.04.2016 at 21:28, Cohen, Laurence wrote:

Thanks,

I should have mentioned that I'm running Apache HTTPD 2.2 on a RHEL6.7
system.  There it is tied to MaxClients which is getting changed at
restart.  I believe, according to this that I need to do a full stop and
start to get this to work.

Thanks for your help!

Larry

On Sun, Apr 24, 2016 at 3:22 PM, Ben RUBSON <ben.rub...@gmail.com> wrote:

https://httpd.apache.org/docs/current/en/mod/mpm_common.html#serverlimit

On 24 Apr 2016 at 21:20, Cohen, Laurence <lco...@novetta.com> wrote:

Thank you!  Which doc are you reading?  I'd like to look at it.

On Sun, Apr 24, 2016 at 3:08 PM, Ben RUBSON <ben.rub...@gmail.com> wrote:

Reading the doc, seems that ServerLimit is related to
MaxRequestWorkers (which has a default set to 256).

Ben

On 24 Apr 2016 at 20:52, Cohen, Laurence <lco...@novetta.com> wrote:

Hello,

While reloading httpd did increase MaxClients to 400 as
specified, it did not increase ServerLimit to 400 as
specified.  What is worse is that since ServerLimit remained
at 256, this caused MaxClients to be reduced to 256 since
ServerLimit seems to be the hard limit for MaxClients.

Even more frustrating is that when I did a service httpd
restart, it not only did not increase ServerLimit to 400, but
it threw an error that the attempt to increase ServerLimit
during a restart was ignored.

Any ideas why I cannot increase the ServerLimit?

Thanks,

Laurence Cohen

On Sun, Apr 24, 2016 at 11:15 AM, Ben RUBSON <ben.rub...@gmail.com> wrote:

Hi,

reload will do it !

  

Re: [users@httpd] Restart or Reload after changing MaxClients and ServerLimit

2016-04-25 Thread Rainer Jung
ServerLimit and ThreadLimit configure the size of an internal structure 
which maintains data about processes and threads. This structure is only 
created during Apache start, so if you want to change these two params, 
you need to stop and start.


ThreadsPerChild and MaxClients can be changed and activated with 
"apachectl graceful", no need to restart. Only if ThreadsPerChild needs 
to get increased higher than ThreadLimit, or MaxClients/ThreadsPerChild 
needs to be increased higher than ServerLimit, you need to adjust these 
as well and therefore need a completely new start.


So if you want to reserve some reserve space for ThreadsPerChild or 
MaxClients, you should configure ThreadLimit = ThreadsPerChild + 
"reserved additional threads" and ServerLimit = 
MaxClients/ThreadsPerChild + "reserved additional clients"/ThreadsPerChild.


HTH,

Rainer

On 24.04.2016 at 21:28, Cohen, Laurence wrote:

Thanks,

I should have mentioned that I'm running Apache HTTPD 2.2 on a RHEL6.7
system.  There it is tied to MaxClients which is getting changed at
restart.  I believe, according to this that I need to do a full stop and
start to get this to work.

Thanks for your help!

Larry

On Sun, Apr 24, 2016 at 3:22 PM, Ben RUBSON <ben.rub...@gmail.com> wrote:

https://httpd.apache.org/docs/current/en/mod/mpm_common.html#serverlimit


On 24 Apr 2016 at 21:20, Cohen, Laurence <lco...@novetta.com> wrote:

Thank you!  Which doc are you reading?  I'd like to look at it.

On Sun, Apr 24, 2016 at 3:08 PM, Ben RUBSON <ben.rub...@gmail.com> wrote:

Reading the doc, seems that ServerLimit is related to
MaxRequestWorkers (which has a default set to 256).

Ben




On 24 Apr 2016 at 20:52, Cohen, Laurence <lco...@novetta.com> wrote:

Hello,

While reloading httpd did increase MaxClients to 400 as
specified, it did not increase ServerLimit to 400 as
specified.  What is worse is that since ServerLimit remained
at 256, this caused MaxClients to be reduced to 256 since
ServerLimit seems to be the hard limit for MaxClients.

Even more frustrating is that when I did a service httpd
restart, it not only did not increase ServerLimit to 400, but
it threw an error that the attempt to increase ServerLimit
during a restart was ignored.

Any ideas why I cannot increase the ServerLimit?

Thanks,

Laurence Cohen

On Sun, Apr 24, 2016 at 11:15 AM, Ben RUBSON <ben.rub...@gmail.com> wrote:

Hi,

reload will do it !

Ben



On 24 Apr 2016 at 17:14, Cohen, Laurence <lco...@novetta.com> wrote:

Hi,

I need to increase my httpd server's MaxClients and
ServerLimit.  Can I just do a

service httpd reload

to load the new settings?

Or do I need to do a

service httpd restart

to load the new settings?

This is on a production server with active users, so
obviously the former is preferable.

Thanks,

Larry Cohen












--

www.novetta.com

Larry Cohen

System Administrator


12021 Sunset Hills Road, Suite 400

Reston, VA 20190

Email lco...@novetta.com 

Office 703-885-1064
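
The rule Rainer gives in this thread (limits are fixed at start, ThreadsPerChild and MaxClients can change on a graceful restart as long as they fit within the limits) can be turned into a pre-change check. This is an added example, not part of the original thread or of httpd: the function names are hypothetical, it assumes a flat configuration file without per-MPM sections, and it treats a missing ThreadsPerChild or ThreadLimit as 1 to model prefork.

```shell
#!/bin/sh
# Added example: decide whether an edited MPM configuration can be activated
# with "apachectl graceful" or needs a full stop and start.

# Value of the last uncommented occurrence of directive $2 in file $1, or $3
# if it does not occur. Directive names are matched case-insensitively.
directive_value() {
    awk -v want="$2" -v dflt="$3" '
        tolower($1) == tolower(want) { val = $2 }
        END { print (val == "" ? dflt : val) }' "$1"
}

# $1: configuration httpd was started with, $2: edited configuration.
# Prints one of:
#   graceful          limits unchanged and the new values fit inside them
#   stop-start        ThreadLimit or ServerLimit changed
#   limits-too-small  new ThreadsPerChild/MaxClients exceed the new limits
#   unknown           ServerLimit or MaxClients missing or not numeric
restart_kind() {
    old_tl=$(directive_value "$1" ThreadLimit 1)
    old_sl=$(directive_value "$1" ServerLimit "")
    new_tl=$(directive_value "$2" ThreadLimit 1)
    new_sl=$(directive_value "$2" ServerLimit "")
    new_tpc=$(directive_value "$2" ThreadsPerChild 1)
    new_mc=$(directive_value "$2" MaxClients "")
    for v in "$old_tl" "$old_sl" "$new_tl" "$new_sl" "$new_tpc" "$new_mc"; do
        case $v in ''|*[!0-9]*) echo unknown; return 2 ;; esac
    done
    if [ "$new_tpc" -lt 1 ]; then echo unknown; return 2; fi

    # Processes needed for MaxClients, rounded up.
    procs=$(( (new_mc + new_tpc - 1) / new_tpc ))
    if [ "$new_tpc" -gt "$new_tl" ] || [ "$procs" -gt "$new_sl" ]; then
        echo limits-too-small
    elif [ "$new_tl" -ne "$old_tl" ] || [ "$new_sl" -ne "$old_sl" ]; then
        echo stop-start
    else
        echo graceful
    fi
}

# Limits that leave headroom for later graceful changes, following
# ThreadLimit = ThreadsPerChild + reserved threads and
# ServerLimit = MaxClients/ThreadsPerChild + reserved clients/ThreadsPerChild.
# Rounding each quotient up is a choice made for this example.
# $1 ThreadsPerChild, $2 MaxClients, $3 reserved threads, $4 reserved clients
limits_with_reserve() {
    tpc=$1 mc=$2 extra_threads=$3 extra_clients=$4
    printf 'ThreadLimit %d\nServerLimit %d\n' \
        $(( tpc + extra_threads )) \
        $(( (mc + tpc - 1) / tpc + (extra_clients + tpc - 1) / tpc ))
}

# Usage: sh restart_kind.sh running-httpd.conf edited-httpd.conf
if [ "$#" -eq 2 ]; then
    restart_kind "$1" "$2"
fi
```

For the change asked about in this thread (ServerLimit and MaxClients both raised from 256 to 400) the check prints stop-start, which matches what was observed after the reload.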





Re: [users@httpd] A cronjob for the apache user - is the home dir for apache really necessary?

2016-04-23 Thread Rainer Jung

On 23.04.2016 at 14:05, Poggenpohl, Daniel wrote:

Hello everyone,

Preface: My system is Solaris 11.2/11.3 X86/64.

I'm changing some cronjobs which previously ran as root which surely isn't 
really necessary.
I entered some cronjob in the crontab for the apache and wondered why it didn't 
execute. I also wondered where the heck I could see what was wrong? I even 
thought that maybe the cronjob isn't even tried to run because the apache user 
doesn't have login enabled and has no password set.

Well, after googling a lot, I found out about /var/cron/log and 
/var/mail/apache, which got me less helpful information (The script was 
executed, but got rc=1), and more helpful information (real error messages 
which helped determine the cause). One of the error messages was that the 
apache user couldn't change directory to his home dir, /export/home/apache. 
That's correct, because the apache user doesn't need a home dir, because he 
isn't a real user.
But the script didn't work without me making the directory for the apache user.

Is there some way to prevent this? My cronjob was just "runSomeScript.sh >> 
script.out", to test it.


I suggest having a read of "man cron" and "man crontab". The latter 
contains the following paragraph:


 The shell is invoked from your $HOME directory with an  arg0
 of sh. Users who desire to have their .profile executed must
 explicitly do so  in  the  crontab  file.  cron  supplies  a
 default environment for every shell, defining HOME, LOGNAME,
 SHELL(=/bin/sh), TZ, and PATH. The  default  PATH  for  user
 cron  jobs  is  /usr/bin;  while  root  cron jobs default to
 /usr/sbin:/usr/bin.  The  default  PATH  can   be   set   in
 /etc/default/cron (see cron(1M)).

So "The shell is invoked from your $HOME directory" describes the 
observed behavior. So I expect there's no way to prevent it.


You can of course run the script as root user and "su" inside the 
script, but that doesn't actually sound better. If the script only needs 
read access to files used by apache, like for log reporting, you can 
design a separate user to run that task. The correct solution might 
depend on what you want to achieve with "runSomeScript.sh".


Regards,

Rainer





Re: [users@httpd] Using mod_lua to modify request body before being sent to mod_proxy

2016-04-19 Thread Rainer Jung

On 19.04.2016 at 04:41, Matt Hughes wrote:

Yeah, I misspoke when I said LuaHookInsertFilter; that isn’t actually
implemented yet at least on 2.4. Actually have been trying the quick
handler and hookfixups.

What hook should I be using? What value do I return from my handler so
that Apache will still send the request onto the reverse proxy?

I feel like this (http://www.modlua.org/recipes/loadbalancing) may be
what I want, but I don’t know how to hook that into my httpd.conf file.
Does this tie into mod_proxy at all, or is this instead of?

In that example, what is the magic string “proxy-server”?:


As far as I can see it is only used by mod_dir and set by mod_rewrite 
(in case a rewrite rule triggers proxying) and mod_proxy. I haven't 
inspected in detail, why mod_dir checks it.



function proxy_handler(r)
    r.handler = "proxy-server"
    r.proxyreq = apache2.PROXYREQ_REVERSE
    r.filename = "proxy:" .. backends[math.random(1,#backends)] .. r.uri
    return apache2.DECLINED -- let the proxy handler do this instead
end


Regards,

Rainer




Re: [users@httpd] Apache proxy keeps cache directory empty

2016-04-16 Thread Rainer Jung

On 15.04.2016 at 23:02, Bjoern Voigt wrote:

Since some years I run a local Apache proxy cache for localhost and the
192.168.1.0/24 network. My proxy cache directory /var/cache/apache-proxy
is cleaned by a htcacheclean weekly cron job.

In the meantime Apache stopped writing files in my cache directory
/var/cache/apache-proxy. The proxy function still works.

I doubt, that an Apache update with configuration directive changes may
have caused the problem. But I don't know after which event Apache
stopped caching.

Here is my Apache proxy configuration. I verified, that the modules
mod_proxy and mod_cache_disk are loaded, e.g. by making temporary syntax
errors between the "IfModule" directives and "apachectl configtest".
- Distribution: openSUSE Tumbleweed
- Apache 2.4.20
- /etc/apache2/conf.d/proxy.conf:


 ProxyRequests On
 ProxyVia On
 AllowCONNECT 443

 
   Require ip 192.168.1.0/255.255.255.0 127.0.0.0/255.0.0.0 ::1
 




 CacheRoot /var/cache/apache-proxy
 CacheEnable disk /
 CacheDirLevels 2
 CacheDirLength 2



How can I debug the problem?
(Btw. "strace" shows, that the cache configuration directory
/var/cache/apache-proxy is never touched by Apache.)


First personally I don't like the use of IfModule. That is a nice 
feature, if you want to be flexible in turning on or off functional 
blocks. But if you have a more rigid configuration and you need a 
feature, why enclose it in IfModule? If the module really isn't loaded, 
you like a clear startup error, that tells you about CacheRoot directive 
isn't known etc. and not instead just load without having the cache 
enabled. So I suggest removing the IfModule directives (assuming that 
the proxy and cache features are not just optional for you).


Can you see the two level directory structure for the cache underneath 
/var/cache/apache-proxy? Are ownerships and permissions OK?


For further debugging you can:

- Add

 %{cache-hit}e %{cache-revalidate}e %{cache-miss}e %{cache-invalidate}e 
%{no-cache}e


  to the LogFormat that you are using in your CustomLog definition 
(access log)


- Add "CacheDetailHeader on" to the config and look at the response 
header "X-Cache-Detail" which tells you about the caching decision and 
reasons.


- Increase the log level of mod_cache and mod_cache_disk via

 LogLevel warn cache:trace8 cache_disk:trace8

Depending on your request load and cache activity this might result in 
lots of error log output.


- Have a look for mod_cache and mod_cache_disk entries for the time 
between your newest working version and the broken one in CHANGES:


  http://www.apache.org/dist/httpd/CHANGES_2.4

Regards,

Rainer




Re: [users@httpd] Get UID/GID from a username string

2016-04-16 Thread Rainer Jung

On 16.04.2016 at 12:09, Ben RUBSON wrote:

Ben: have a look at how mod_rewrite accesses its own 
ap_register_rewrite_mapfunc via


So Rainer, I just quickly wrote my module, it works, many thanks for your help.

Below is my code, I just have 2 questions regarding it :
1 - do I need to "free(pw)" ?


Good question. My (Solaris) man page for getpwnam() says:

  Reentrant Interfaces
 The  getpwnam(),  getpwuid(),  getpwent(),  and  fgetpwent()
 functions use thread-specific data storage that is reused in
 each call to one of these functions by the same thread, mak-
 ing  them  safe  to use but not recommeded for multithreaded
 applications.

The Linux man page says:

   The return value may point to a static area, and may be overwritten by
   subsequent calls to getpwent(3), getpwnam(), or getpwuid(). (Do not pass
   the returned pointer to free(3).)

And the latest standards man page of the OpenGroup says:

The getpwnam() function need not be thread-safe.
...
The application shall not modify the structure to which the return value 
points, nor any storage areas pointed to by pointers within the 
structure. The returned pointer, and pointers within the structure, 
might be invalidated or the structure or the storage areas might be 
overwritten by a subsequent call to getpwent(), getpwnam(), or getpwuid().


So you must not free the returned pointer. Two of the man pages don't 
guarantee thread safety so to stay on the safe side you probably better 
use the reentrant variants getpwnam_r() and getpwuid_r(). For those you 
need to allocate the storage before calling them. You can either 
allocate storage from the request pool (apr_palloc(r->pool, N)) or using 
malloc/free. Modules typically prefer pool allocation. Pool allocation 
doesn't need to be freed. The request pool is automatically freed at the 
end of each request. Even if you need the memory only shorter, if it is 
not many bytes it should be OK to allocate from the request pool and let 
it free only at the end of the request.



2 - is "key = apr_palloc(r->pool, 7)" the right method ? Doing this I want to 
avoid buffer overflow in case of uid/gid greater in length than the key parameter.


Instead of

 key = apr_palloc(r->pool, 7);
 sprintf(key, "%d", pw->pw_uid);

you can also use

 key = apr_psprintf(r->pool, "%d", pw->pw_uid);

And if you are not going to use more complex formatting tokens

 key = apr_ltoa(r->pool, (long)pw->pw_uid);

There's also an apr_itoa() but we might not be sure, that uid_t fits 
into an int.


Finally as a matter of style, I wouldn't reuse the incoming variable 
"key" for outgoing tasks. Instead I would declare it "const char*" as a 
param, and where you set


 *key = '\0';

you could also

  return "";

and then later

 return apr_ltoa(r->pool, (long)pw->pw_uid);

Everything untested ...

But as always there are many solutions that will work.


Thank you very much,


You're welcome. Nice seeing you picking up that ball so quickly. Welcome 
to the world of module development :) Your example was a nice one, 
because you don't need much clutter to realize that module.


Regards,

Rainer


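#include "http_core.h"
#include "mod_rewrite.h"
#include <pwd.h>

/* RewriteMap function "uid": maps a user name to its numeric uid,
 * or to the empty string if the user is unknown. */
static char *uid(request_rec *r, char *key)
{
    struct passwd *pw;
    if((pw = getpwnam(key)) == NULL)
    {
        *key = '\0';
    }
    else
    {
        /* 7-byte buffer as posted; its size is discussed in the reply above */
        key = apr_palloc(r->pool, 7);
        sprintf(key, "%d", pw->pw_uid);
    }
    return key;
}

/* RewriteMap function "gid": maps a numeric uid (as a string) to the
 * primary gid of that user, or to the empty string if unknown. */
static char *gid(request_rec *r, char *key)
{
    int uid=atoi(key);
    struct passwd *pw;
    if((pw = getpwuid(uid)) == NULL)
    {
        *key = '\0';
    }
    else
    {
        key = apr_palloc(r->pool, 7);
        sprintf(key, "%d", pw->pw_gid);
        return key;
    }
    return key;
}

/* Fetch mod_rewrite's optional registration function and register
 * both map functions under the names used in RewriteMap. */
static void register_hooks(apr_pool_t *pool)
{
    APR_OPTIONAL_FN_TYPE(ap_register_rewrite_mapfunc) *map_pfn_register;
    map_pfn_register =
        APR_RETRIEVE_OPTIONAL_FN(ap_register_rewrite_mapfunc);
    map_pfn_register("uid", uid);
    map_pfn_register("gid", gid);
}

AP_DECLARE_MODULE(test) = {
    STANDARD20_MODULE_STUFF,NULL,NULL,NULL,NULL,NULL,register_hooks
};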
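
The two points raised in the reply above (use the reentrant getpwnam_r()/getpwuid_r() with caller-supplied storage, and do not format an id into a fixed 7-byte buffer), as an added stand-alone example that is not code from this thread. It uses malloc and snprintf instead of the request pool so that it compiles without the httpd headers; the names uid_for_name, gid_for_uid, format_id, lookup, PW_BUF_MAX and the LOOKUP_* codes are hypothetical.

```c
/* Added example: reentrant passwd lookups with bounded output formatting.
 * All names defined here are hypothetical, not httpd or APR API. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

enum { LOOKUP_OK = 0, LOOKUP_NOT_FOUND = 1, LOOKUP_ERROR = -1 };
#define PW_BUF_MAX (1024 * 1024) /* assumed upper bound for the scratch buffer */

/* Write id as decimal text. Refuses (instead of truncating or overflowing)
 * when out is too small: a 32-bit id needs up to 10 digits plus the NUL. */
static int format_id(unsigned long id, char *out, size_t outlen)
{
    int n;
    if (out == NULL || outlen == 0)
        return LOOKUP_ERROR;
    n = snprintf(out, outlen, "%lu", id);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';
        return LOOKUP_ERROR;
    }
    return LOOKUP_OK;
}

/* Shared lookup: by name when name != NULL, otherwise by uid.
 * The scratch buffer is returned in *bufp and must be freed by the caller;
 * the strings inside *pwd point into it. Grows the buffer on ERANGE. */
static int lookup(const char *name, uid_t uid, struct passwd *pwd, char **bufp)
{
    struct passwd *result = NULL;
    long hint = sysconf(_SC_GETPW_R_SIZE_MAX);
    size_t buflen = hint > 0 ? (size_t)hint : 1024;
    int rc;

    *bufp = NULL;
    for (;;) {
        char *tmp = realloc(*bufp, buflen);
        if (tmp == NULL) { rc = ENOMEM; break; }
        *bufp = tmp;
        rc = name ? getpwnam_r(name, pwd, *bufp, buflen, &result)
                  : getpwuid_r(uid, pwd, *bufp, buflen, &result);
        if (rc != ERANGE || buflen >= PW_BUF_MAX)
            break;
        buflen *= 2;
    }
    if (result != NULL)
        return LOOKUP_OK;
    /* rc == 0 with no result means "no such entry"; some systems
     * report ENOENT or ESRCH for the same condition. */
    return (rc == 0 || rc == ENOENT || rc == ESRCH) ? LOOKUP_NOT_FOUND
                                                    : LOOKUP_ERROR;
}

/* User name -> uid as text; out is left empty unless LOOKUP_OK. */
int uid_for_name(const char *name, char *out, size_t outlen)
{
    struct passwd pwd;
    char *buf;
    int status;

    if (name == NULL || out == NULL || outlen == 0)
        return LOOKUP_ERROR;
    out[0] = '\0';
    status = lookup(name, (uid_t)0, &pwd, &buf);
    if (status == LOOKUP_OK)
        status = format_id((unsigned long)pwd.pw_uid, out, outlen);
    free(buf);
    return status;
}

/* uid -> primary gid as text; out is left empty unless LOOKUP_OK. */
int gid_for_uid(uid_t uid, char *out, size_t outlen)
{
    struct passwd pwd;
    char *buf;
    int status;

    if (out == NULL || outlen == 0)
        return LOOKUP_ERROR;
    out[0] = '\0';
    status = lookup(NULL, uid, &pwd, &buf);
    if (status == LOOKUP_OK)
        status = format_id((unsigned long)pwd.pw_gid, out, outlen);
    free(buf);
    return status;
}

int main(void)
{
    char out[32];
    if (uid_for_name("root", out, sizeof out) == LOOKUP_OK)
        printf("root -> uid %s\n", out);
    if (gid_for_uid(getuid(), out, sizeof out) == LOOKUP_OK)
        printf("current uid -> gid %s\n", out);
    return 0;
}
```

Inside a module, the scratch buffer and the result string would normally come from the request pool, as the reply above describes.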





Re: [users@httpd] Get UID/GID from a username string

2016-04-15 Thread Rainer Jung

On 15.04.2016 at 18:59, Rainer Jung wrote:

On 15.04.2016 at 18:35, Eric Covener wrote:

Well, it is one option to extend mod_rewrite. What I meant
specifically was that any module can implement a rewritemap internal
function.


Yes, the feature seems to be a bit too specific for general
implementation in mod_rewrite.

Ben: have a look at how mod_rewrite accesses its own
ap_register_rewrite_mapfunc via

map_pfn_register = APR_RETRIEVE_OPTIONAL_FN(ap_register_rewrite_mapfunc);

Any module can access the function using this construct. And then
mod_rewrite registers builtin rewrite map functions e.g. like

map_pfn_register("escape", rewrite_mapfunc_escape);



Your own module can also register your own functions like myuid and mygid:

map_pfn_register("escape", my_mapfunc_uid);


Oups, I meant: map_pfn_register("myuid", my_mapfunc_uid);


Then you can configure a RewriteMap to use these functions and they will
call directly the my_mapfunc_uid function in your module to get the uid
without the need of an external process with locking etc.

In short: the list of builtin functions for RewriteMap is extensible and
can be extended by 3rd-party modules using the above method.

If uid and gid alone isn't powerful enough, you can code whatever logic
you need in your map function and register it with a name that is
reasonable for you and doesn't clash with what's already there in
mod_rewrite.

Regards,

Rainer


On Fri, Apr 15, 2016 at 12:19 PM, Ben RUBSON 
wrote:

I can't think of any solution that would work out of the box, but
you can always write your own apache module in C.



Which could provide nothing but a new internal rewritemap type.


Rainer, Eric,
Thank you very much for your feedback.

Yes a new rewritemap seems to be the solution.
type name : usr
functions : uid, gid
parameter : name or #uid

For example :
RewriteMap getuid usr:uid
RewriteMap getgid usr:gid

C functions getpwnam and getpwuid would do the job.

Is a pull request here the right method to proceed ?
https://github.com/apache/httpd/blob/trunk/modules/mappers/mod_rewrite.c

Thank you very much,

Ben





Re: [users@httpd] Get UID/GID from a username string

2016-04-15 Thread Rainer Jung

On 15.04.2016 at 18:35, Eric Covener wrote:

Well, it is one option to extend mod_rewrite. What I meant
specifically was that any module can implement a rewritemap internal
function.


Yes, the feature seems to be a bit too specific for general 
implementation in mod_rewrite.


Ben: have a look at how mod_rewrite accesses its own 
ap_register_rewrite_mapfunc via


map_pfn_register = APR_RETRIEVE_OPTIONAL_FN(ap_register_rewrite_mapfunc);

Any module can access the function using this construct. And then 
mod_rewrite registers builtin rewrite map functions e.g. like


map_pfn_register("escape", rewrite_mapfunc_escape);

Your own module can also register your own functions like myuid and mygid:

map_pfn_register("escape", my_mapfunc_uid);

Then you can configure a RewriteMap to use these functions and they will 
call directly the my_mapfunc_uid function in your module to get the uid 
without the need of an external process with locking etc.


In short: the list of builtin functions for RewriteMap is extensible and 
can be extended by 3rd-party modules using the above method.


If uid and gid alone isn't powerful enough, you can code whatever logic 
you need in your map function and register it with a name that is 
reasonable for you and doesn't clash with what's already there in 
mod_rewrite.


Regards,

Rainer


On Fri, Apr 15, 2016 at 12:19 PM, Ben RUBSON  wrote:

I can't think of any solution that would work out of the box, but
you can always write your own apache module in C.



Which could provide nothing but a new internal rewritemap type.


Rainer, Eric,
Thank you very much for your feedback.

Yes a new rewritemap seems to be the solution.
type name : usr
functions : uid, gid
parameter : name or #uid

For example :
RewriteMap getuid usr:uid
RewriteMap getgid usr:gid

C functions getpwnam and getpwuid would do the job.

Is a pull request here the right method to proceed ?
https://github.com/apache/httpd/blob/trunk/modules/mappers/mod_rewrite.c

Thank you very much,

Ben





Re: [users@httpd] Can't activate LDAPS support in my OpenSSL 1.0.2g/OpenLDAP 2.4.44/Apache 2.4.18/PHP 5.6.20 combination

2016-04-14 Thread Rainer Jung

On 14.04.2016 at 20:51, Rainer Jung wrote:

On 14.04.2016 at 20:39, Poggenpohl, Daniel wrote:

Hello,

I just realized that this may not be the problem, but the plugin
architecture is. I would have to check all modules in Apache and all
extensions in PHP for dependencies to see all involved dependencies,
wouldn't I?


On Solaris "pldd" is your friend. It works on a running process, so also
shows shared objects loaded programmatically via dlopen() etc. like
Apache modules or PHP extensions.


And yet another debug attempt is looking at "man ld.so.1", setting 
LD_DEBUG. The possible settings can be seen by running e.g.


LD_DEBUG=help ANYCOMMAND

in any shell that supports that way of setting an env var for a command 
(like sh or ksh) and ANYCOMMAND can be anything that is not a shell 
builtin (e.g. you can use again "sh").


Symbol resolution should be trackable with LD_DEBUG=symbols, but it will 
give LOTS of output. Probably it helps to start Apache in single process 
mode (-X). The output of the debug flag can be written to a file whose 
name is given by the LD_DEBUG_OUTPUT env var (again see "man ld.so.1").


Regards,

Rainer




Re: [users@httpd] Can't activate LDAPS support in my OpenSSL 1.0.2g/OpenLDAP 2.4.44/Apache 2.4.18/PHP 5.6.20 combination

2016-04-14 Thread Rainer Jung

On 14.04.2016 at 20:39, Poggenpohl, Daniel wrote:

Hello,

I just realized that this may not be the problem, but the plugin architecture 
is. I would have to check all modules in Apache and all extensions in PHP for 
dependencies to see all involved dependencies, wouldn't I?


On Solaris "pldd" is your friend. It works on a running process, so also 
shows shared objects loaded programmatically via dlopen() etc. like 
Apache modules or PHP extensions.


Regards,

Rainer



From: Poggenpohl, Daniel [daniel.poggenp...@fernuni-hagen.de]
Sent: Thursday, 14 April 2016 20:36
To: users@httpd.apache.org
Subject: AW: [users@httpd] Can't activate LDAPS support in my OpenSSL 
1.0.2g/OpenLDAP 2.4.44/Apache 2.4.18/PHP 5.6.20 combination

Hello,

that sounds reasonable and enlightening to me. Is there a ldd switch or other 
method so that I see the complete dependency tree starting from a 
binary/library I select? ldd -s doesn't seem to go down to the bottom.

Regards,
Daniel P.

____
From: Rainer Jung [rainer.j...@kippdata.de]
Sent: Thursday, 14 April 2016 19:53
To: users@httpd.apache.org
Subject: Re: [users@httpd] Can't activate LDAPS support in my OpenSSL 
1.0.2g/OpenLDAP 2.4.44/Apache 2.4.18/PHP 5.6.20 combination

On 14.04.2016 at 17:02, Poggenpohl, Daniel wrote:

Hello everyone,

thanks to this mailing list I have identified and solved many problems in my 
builds regarding my current setup for a Moodle installation.
- Removed unnecessary switches from Apache build
- Placement of switches inside commands
- new switches for selective runtime search path changing (even if I don't use 
them yet...)
- found new (to me) tools for checking info about binaries and libraries
- Facts about the order of checking in runtime linking paths (-R, crle, 
LD_LIBRARY_PATH)

So thanks for this so far, you've been very helpful.

Yet two problems remain, which may or may be the same problem.
- I have to set LD_LIBRARY_PATH to my own OpenSSL. Only then does PHPInfo tell 
me that the correct OpenSSL is in use.
- Using the system OpenLDAP, I can't connect using LDAPS. Using my own OpenLDAP 
2.4.44, I can use LDAPS on the prompt and I can process a php file containing 
commands to connect via LDAPS. I just can't request the same file via the 
browser (PHP then reports that it can't bind to the LDAP server. I also can't 
login via LDAP to Moodle, but get an error that the secured connection can't 
be established. (I will send the exact error message if I recompile again to 
test).

Checking in with ldd, all runtime search paths are set. I checked the paths for
OpenSSL: openssl, libssl, libcrypto
OpenLDAP: ldapsearch, libldap, liblber
Apache: httpd, the apr and apr-util libraries, mod_ssl
PHP: php, libphp5.so (in Apache)

The only things that's looked strange are:
- PHP uses Postgres libraries, which in turn depend on libssl and libcrypto. 
When I ldd, I have dependencies to both /my/own/openssl/install/lib and to 
/usr/lib (libssl and libcrypto). But I think that's okay?
- PHP uses libcurl, it finds it in /usr/local/lib . This in turn depends on 
libssl and libcrypto and when I ldd libcurl, it finds them in /usr/lib. Again, 
I don't know? How deep do I have to go here?

My configure commands for each of the four tools:
# OpenSSL
OPENSSLDIR=/moodle/openssl/1.0.2g \
; \
export CFLAGS="-I$OPENSSLDIR/include" \
CFLAG= \
CPPFLAGS= \
LDFLAGS= \
; \
./Configure shared --openssldir=$OPENSSLDIR enable-ssl2 solaris-x86-gcc \
-I$OPENSSLDIR/include -L$OPENSSLDIR/lib -R$OPENSSLDIR/lib \
> openssl-102g-configure.out


# OpenLDAP
OPENLDAPDIR=/moodle/openldap/2.4.44 \
OPENSSLDIR=/moodle/openssl/1.0.2g \
; \
export CPPFLAGS="-I$OPENSSLDIR/include" \
CFLAGS= \
LDFLAGS="-L$OPENSSLDIR/lib -R$OPENSSLDIR/lib" \
; \
./configure --prefix=$OPENLDAPDIR --disable-slapd --with-cyrus-sasl --with-tls=openssl \
> openldap-2444-configure.out 2>&1


# Apache
APACHEDIR=/moodle/apache2/2.4.18 \
OPENSSLDIR=/moodle/openssl/1.0.2g \
; \
export PKG_CONFIG_PATH=$OPENSSLDIR/lib/pkgconfig \
CFLAGS= \
CPPFLAGS="-I$OPENSSLDIR/include" \
LDFLAGS="-L$OPENSSLDIR/lib -R$OPENSSLDIR/lib" \
; \
./configure --prefix=$APACHEDIR \
--enable-rewrite --enable-deflate \
--enable-ssl --with-ssl=$OPENSSLDIR \
--disable-version \
--with-included-apr \
--with-mpm=prefork \
> apache-2418-configure.out 2>&1


# PHP
APACHEDIR=/moodle/apache2/2.4.18 \
POSTGRESDIR= /usr/postgres/9.3-pgdg \
PHPDIR=/moodle/php/5.6.20 \
OPENSSLDIR=/moodle/openssl/1.0.2g \
; \
export PKG_CONFIG_PATH=$OPENSSLDIR/lib/pkgconfig \
CFLAGS="-std=gnu99" \
CPPFLAGS="-I$OPENLDAPDIR/include -I$OPENSSLDIR/include" \
LDFLAGS="-L$OPENLDAPDIR/lib -L$OPENSSLDIR/lib -R$OPENLDAPDIR/lib -R$OPENSSLDIR/lib" \
; \
./configure --prefix=$PHPDIR --with-config-file-path=$PHPDIR \
-

Re: [users@httpd] Can't activate LDAPS support in my OpenSSL 1.0.2g/OpenLDAP 2.4.44/Apache 2.4.18/PHP 5.6.20 combination

2016-04-14 Thread Rainer Jung

On 14.04.2016 at 19:53, Rainer Jung wrote:

On 14.04.2016 at 17:02, Poggenpohl, Daniel wrote:

Hello everyone,

thanks to this mailing list I have identified and solved many problems
in my builds regarding my current setup for a Moodle installation.
- Removed unnecessary switches from Apache build
- Placement of switches inside commands
- new switches for selective runtime search path changing (even if I
don't use them yet...)
- found new (to me) tools for checking info about binaries and libraries
- Facts about the order of checking in runtime linking paths (-R,
crle, LD_LIBRARY_PATH)

So thanks for this so far, you've been very helpful.

Yet two problems remain, which may or may be the same problem.
- I have to set LD_LIBRARY_PATH to my own OpenSSL. Only then does
PHPInfo tell me that the correct OpenSSL is in use.
- Using the system OpenLDAP, I can't connect using LDAPS. Using my own
OpenLDAP 2.4.44, I can use LDAPS on the prompt and I can process a php
file containing commands to connect via LDAPS. I just can't request
the same file via the browser (PHP then reports that it can't bind to
the LDAP server. I also can't login via LDAP to Moodle, but get an
error that the secured connection can't be established. (I will send
the exact error message if I recompile again to test).

Checking in with ldd, all runtime search paths are set. I checked the
paths for
OpenSSL: openssl, libssl, libcrypto
OpenLDAP: ldapsearch, libldap, liblber
Apache: httpd, the apr and apr-util libraries, mod_ssl
PHP: php, libphp5.so (in Apache)

The only things that's looked strange are:
- PHP uses Postgres libraries, which in turn depend on libssl and
libcrypto. When I ldd, I have dependencies to both
/my/own/openssl/install/lib and to /usr/lib (libssl and libcrypto).
But I think that's okay?
- PHP uses libcurl, it finds it in /usr/local/lib . This in turn
depends on libssl and libcrypto and when I ldd libcurl, it finds them
in /usr/lib. Again, I don't know? How deep do I have to go here?

My configure commands for each of the four tools:
# OpenSSL
OPENSSLDIR=/moodle/openssl/1.0.2g \
; \
export CFLAGS="-I$OPENSSLDIR/include" \
CFLAG= \
CPPFLAGS= \
LDFLAGS= \
; \
./Configure shared --openssldir=$OPENSSLDIR enable-ssl2 solaris-x86-gcc \
-I$OPENSSLDIR/include -L$OPENSSLDIR/lib -R$OPENSSLDIR/lib \
> openssl-102g-configure.out


# OpenLDAP
OPENLDAPDIR=/moodle/openldap/2.4.44 \
OPENSSLDIR=/moodle/openssl/1.0.2g \
; \
export CPPFLAGS="-I$OPENSSLDIR/include" \
CFLAGS= \
LDFLAGS="-L$OPENSSLDIR/lib -R$OPENSSLDIR/lib" \
; \
./configure --prefix=$OPENLDAPDIR --disable-slapd --with-cyrus-sasl --with-tls=openssl \
> openldap-2444-configure.out 2>&1


# Apache
APACHEDIR=/moodle/apache2/2.4.18 \
OPENSSLDIR=/moodle/openssl/1.0.2g \
; \
export PKG_CONFIG_PATH=$OPENSSLDIR/lib/pkgconfig \
CFLAGS= \
CPPFLAGS="-I$OPENSSLDIR/include" \
LDFLAGS="-L$OPENSSLDIR/lib -R$OPENSSLDIR/lib" \
; \
./configure --prefix=$APACHEDIR \
--enable-rewrite --enable-deflate \
--enable-ssl --with-ssl=$OPENSSLDIR \
--disable-version \
--with-included-apr \
--with-mpm=prefork \
> apache-2418-configure.out 2>&1


# PHP
APACHEDIR=/moodle/apache2/2.4.18 \
POSTGRESDIR= /usr/postgres/9.3-pgdg \
PHPDIR=/moodle/php/5.6.20 \
OPENSSLDIR=/moodle/openssl/1.0.2g \
; \
export PKG_CONFIG_PATH=$OPENSSLDIR/lib/pkgconfig \
CFLAGS="-std=gnu99" \
CPPFLAGS="-I$OPENLDAPDIR/include -I$OPENSSLDIR/include" \
LDFLAGS="-L$OPENLDAPDIR/lib -L$OPENSSLDIR/lib -R$OPENLDAPDIR/lib -R$OPENSSLDIR/lib" \
; \
./configure --prefix=$PHPDIR --with-config-file-path=$PHPDIR \
--enable-mbstring --enable-soap --enable-zip --enable-opcache \
--without-sqlite3 --without-pdo-sqlite \
--with-pgsql=$POSTGRESDIR --with-pdo-pgsql=$POSTGRESDIR \
--with-apxs2=$APACHEDIR/bin/apxs \
--with-gd --with-curl --with-xmlrpc --with-zlib --with-mcrypt \
--with-ldap=$OPENLDAPDIR \
--with-openssl=$OPENSSLDIR --with-jpeg-dir=$PHPDIR/jpeg \
--with-iconv=/usr/local \
> php-5620-configure.out 2>&1


I also have output for the different stages of the build if that would
help.


I don't have a complete answer, only some hints. The problem with PHP
is, that it uses lots of libraries. Once you start updating some of the
more complex ones, it can happen, that a non-updated lib uses the same
other lib as a dependency that your updated lib also uses. OpenSSL is a
common example for such a dependency. Then you run into trouble, because
it starts to become harder to decide, which version of that dependency
lib (OpenSSL in your case) is actually used when.

Here symbol resolution comes into play. Say OpenSSL is linked into all
places it is needed as a shared object (dynamic linking, .so file), not
statically. Say you use PHP as mod_php, not via FPM. You start httpd,
which loads some modules and PHP as one of the modules loads
extensions. Assume we have the following load order:

- httpd
   - ap

Re: [users@httpd] Can't activate LDAPS support in my OpenSSL 1.0.2g/OpenLDAP 2.4.44/Apache 2.4.18/PHP 5.6.20 combination

2016-04-14 Thread Rainer Jung

On 14.04.2016 at 17:02, Poggenpohl, Daniel wrote:

Hello everyone,

thanks to this mailing list I have identified and solved many problems in my 
builds regarding my current setup for a Moodle installation.
- Removed unnecessary switches from Apache build
- Placement of switches inside commands
- new switches for selective runtime search path changing (even if I don't use 
them yet...)
- found new (to me) tools for checking info about binaries and libraries
- Facts about the order of checking in runtime linking paths (-R, crle, 
LD_LIBRARY_PATH)

So thanks for this so far, you've been very helpful.

Yet two problems remain, which may or may be the same problem.
- I have to set LD_LIBRARY_PATH to my own OpenSSL. Only then does PHPInfo tell 
me that the correct OpenSSL is in use.
- Using the system OpenLDAP, I can't connect using LDAPS. Using my own OpenLDAP 
2.4.44, I can use LDAPS on the prompt and I can process a php file containing 
commands to connect via LDAPS. I just can't request the same file via the 
browser (PHP then reports that it can't bind to the LDAP server. I also can't 
login via LDAP to Moodle, but get an error that the secured connection can't 
be established. (I will send the exact error message if I recompile again to 
test).

Checking in with ldd, all runtime search paths are set. I checked the paths for
OpenSSL: openssl, libssl, libcrypto
OpenLDAP: ldapsearch, libldap, liblber
Apache: httpd, the apr and apr-util libraries, mod_ssl
PHP: php, libphp5.so (in Apache)

The only things that's looked strange are:
- PHP uses Postgres libraries, which in turn depend on libssl and libcrypto. 
When I ldd, I have dependencies to both /my/own/openssl/install/lib and to 
/usr/lib (libssl and libcrypto). But I think that's okay?
- PHP uses libcurl, it finds it in /usr/local/lib . This in turn depends on 
libssl and libcrypto and when I ldd libcurl, it finds them in /usr/lib. Again, 
I don't know? How deep do I have to go here?

My configure commands for each of the four tools:
# OpenSSL
OPENSSLDIR=/moodle/openssl/1.0.2g \
; \
export CFLAGS="-I$OPENSSLDIR/include" \
CFLAG= \
CPPFLAGS= \
LDFLAGS= \
; \
./Configure shared --openssldir=$OPENSSLDIR enable-ssl2 solaris-x86-gcc \
-I$OPENSSLDIR/include -L$OPENSSLDIR/lib -R$OPENSSLDIR/lib \
> openssl-102g-configure.out


# OpenLDAP
OPENLDAPDIR=/moodle/openldap/2.4.44 \
OPENSSLDIR=/moodle/openssl/1.0.2g \
; \
export CPPFLAGS="-I$OPENSSLDIR/include" \
CFLAGS= \
LDFLAGS="-L$OPENSSLDIR/lib -R$OPENSSLDIR/lib" \
; \
./configure --prefix=$OPENLDAPDIR --disable-slapd --with-cyrus-sasl --with-tls=openssl \
> openldap-2444-configure.out 2>&1


# Apache
APACHEDIR=/moodle/apache2/2.4.18 \
OPENSSLDIR=/moodle/openssl/1.0.2g \
; \
export PKG_CONFIG_PATH=$OPENSSLDIR/lib/pkgconfig \
CFLAGS= \
CPPFLAGS="-I$OPENSSLDIR/include" \
LDFLAGS="-L$OPENSSLDIR/lib -R$OPENSSLDIR/lib" \
; \
./configure --prefix=$APACHEDIR \
--enable-rewrite --enable-deflate \
--enable-ssl --with-ssl=$OPENSSLDIR \
--disable-version \
--with-included-apr \
--with-mpm=prefork \
> apache-2418-configure.out 2>&1


# PHP
APACHEDIR=/moodle/apache2/2.4.18 \
POSTGRESDIR= /usr/postgres/9.3-pgdg \
PHPDIR=/moodle/php/5.6.20 \
OPENSSLDIR=/moodle/openssl/1.0.2g \
; \
export PKG_CONFIG_PATH=$OPENSSLDIR/lib/pkgconfig \
CFLAGS="-std=gnu99" \
CPPFLAGS="-I$OPENLDAPDIR/include -I$OPENSSLDIR/include" \
LDFLAGS="-L$OPENLDAPDIR/lib -L$OPENSSLDIR/lib -R$OPENLDAPDIR/lib -R$OPENSSLDIR/lib" \
; \
./configure --prefix=$PHPDIR --with-config-file-path=$PHPDIR \
--enable-mbstring --enable-soap --enable-zip --enable-opcache \
--without-sqlite3 --without-pdo-sqlite \
--with-pgsql=$POSTGRESDIR --with-pdo-pgsql=$POSTGRESDIR \
--with-apxs2=$APACHEDIR/bin/apxs \
--with-gd --with-curl --with-xmlrpc --with-zlib --with-mcrypt \
--with-ldap=$OPENLDAPDIR \
--with-openssl=$OPENSSLDIR --with-jpeg-dir=$PHPDIR/jpeg \
--with-iconv=/usr/local \
> php-5620-configure.out 2>&1


I also have output for the different stages of the build if that would help.


I don't have a complete answer, only some hints. The problem with PHP 
is, that it uses lots of libraries. Once you start updating some of the 
more complex ones, it can happen, that a non-updated lib uses the same 
other lib as a dependency that your updated lib also uses. OpenSSL is a 
common example for such a dependency. Then you run into trouble, because 
it starts to become harder to decide, which version of that dependency 
lib (OpenSSL in your case) is actually used when.


Here symbol resolution comes into play. Say OpenSSL is linked into all 
places it is needed as a shared object (dynamic linking, .so file), not 
statically. Say you use PHP as mod_php, not via FPM. You start httpd, 
which loads some modules and PHP as one of the modules loads 
extensions. Assume we have the following load order:


- httpd
  - apr libs
  - ...
  - mod_php
    - php curl extension
      - libcurl
        - OpenSSL-old
    - php ldap extension
      - libldap
        - OpenSSL-new
  - ...
  - mod_ssl
   

Re: [users@httpd] Self-compiled httpd and OpenSSL: Trying to start httpd without using LD_LIBRARY_PATH

2016-04-08 Thread Rainer Jung

Hi Chris,

On 08.04.2016 at 18:09, Rainer Canavan wrote:

On Fri, Apr 8, 2016 at 6:02 PM, Christopher Schultz wrote:
[...]

I'm speaking from a position of ignorance, here, but can a dynamic
library modify the main process's search path? If only mod_ssl is
compiled with the static-path to OpenSSL but httpd is not (and it's
not clear to me that httpd is missing this static-path), surely the
loadable module isn't modifying the process's library load-path, is it?


The manpage would indicate that the runpath is only valid for the library
for which it has been set:

https://docs.oracle.com/cd/E19683-01/816-0210/6m6nb7md6/index.html

The runtime linker uses a prescribed search path for locating the
dynamic dependencies of an object. The default search paths are
the runpath recorded in the object, followed by /usr/lib for 32-bit
objects or /usr/lib/64 for 64-bit objects. This latter component can
be modified using a configuration file created with crle(1). The
runpath is specified when the dynamic object is constructed using the
-R option to ld(1). LD_LIBRARY_PATH can be used to indicate directories
to be searched before the default directories.


Adding to that for Solaris:

- there's the loading of the dependencies
and
- there's symbol resolution in the loaded objects

The loading of the dependencies happens immediately. The name of the 
dependencies are encoded in the shared object as the NEEDED entries.


Example:

 index  tag       value
   [0]  NEEDED    0x1331  libssl.so.1.0.0
   [1]  NEEDED    0x1341  libcrypto.so.1.0.0

These are shared object names, not file names.

Looking at some file libssl.so we can see its shared object name:

 index  tag       value
...
   [7]  SONAME    0x4930  libssl.so.1.0.0

Aha, so that file would satisfy the dependency. The SONAMEs are 
typically chosen to express API compatibility.


Where are the files searched for? That's the question Rainer Canavan 
just answered. First on the RUNPATH set in the shared object for which 
we are looking for the dependencies, then in the LD_LIBRARY_PATH, then 
in the globally defined search path.


Example RUNPATH entry:

 index  tag       value
...
   [6]  RUNPATH   0x101ff /some/path/lib
   [7]  RPATH     0x101ff /some/path/lib

The ldd command (and ldd -v) shows us the list of dependencies and where 
they are found, but "elfdump -d" resp. "objdump -p" helps to understand, 
what the modules/libs originally demanded.


Finally there comes symbol resolution, i.e. a function that is called in 
a shared object, but provided by another loaded shared object like the 
OpenSSL library. Such a symbol is searched for in the binary and the 
full tree of loaded shared objects and dependencies of this process. On 
Solaris the default order - which can be changed during build time - is 
always first searching in the main binary and then in the other shared 
objects in the order they were loaded. So e.g. a symbol needed by 
mod_ssl will first be looked up in httpd, then in the libs loaded by 
httpd directly, then in the various web server modules and their 
dependencies until finally found e.g. in libssl. One can build modules 
so that symbols are always first searched in their direct dependencies 
before searching in the rest of the process, but that's not the default.


Regards,

Rainer (the other one)




Re: [users@httpd] Self-compiled httpd and OpenSSL: Trying to start httpd without using LD_LIBRARY_PATH

2016-04-08 Thread Rainer Jung

Hi,

Am 07.04.2016 um 20:52 schrieb Poggenpohl, Daniel:

Hi,

my setup is: I have a Moodle installation I need to run. So I need Apache, PHP, OpenSSL, 
iconv, mbstring, curl, zip, etc. . The plan is to have a relatively new PHP (5.6.20) and 
stay "new" with Apache and OpenSSL.
Solaris 11.3 seems to come with Apache 2.4.16, PHP 5.3.29, OpenSSL 1.0.1q, curl 
7.35.0, OpenLDAP 2.4.30, and others using the official package repository, so I 
don't really want to use the official packages for Apache, PHP and OpenSSL.
I tried using another package repository (OpenCSW), which seems to provide 
Apache 2.4.18, PHP 5.6.20, curl 7.48.0, OpenSSL 1.0.1s runtime libraries, 
OpenLDAP 2.4.40, etc. The problem there is that officially, the packages have 
these release numbers, but when I install PHP via pkgutil, I get 5.3.XX instead.
So I decided to compile from source.

I compiled OpenSSL 1.0.2g from source without SSLv2 support (without 
enable-ssl2), because I don't really want to have SSLv2 support if I don't need 
it.
Compiling Apache with the setup below posed no problem other than httpd not 
finding 1.0.2g without LD_LIBRARY_PATH.
But the problems began when I compiled PHP 5.6.20 from source (I will send my 
configure call when I'm back at work tomorrow).
Basically, the configure checks curl, uses the system curl which tries to use 
one of the functions in OpenSSL 1.0.2g which are gone. So I had to compile curl 
7.48.0.
The next problem was the jpeg extension which I solved by setting some -I and 
-L options and the PKG_CONFIG_PATH  (pointing to the openssl and curl dirs) . 
It seems to have used the system curl as well.
Then I had to compile iconv because of unrelated reasons.
Then the zip extension wouldn't work so I had to compile libzip.
And so on and so on.

This all didn't happen when I compiled OpenSSL 1.0.2g with SSLv2 support, by 
the way (we deactivated SSLv2 in our Apache anyway, and SSLLabs says we're in 
the clear regarding to Drown). With SSLv2 support, PHP's configure finished 
without a real warning. And I could build it as well. So I frowned and accepted 
SSLv2 support for the moment.


The removal of symbols when SSLv2 support was removed from OpenSSL 
1.0.2g happened by accident and was not intended.


Under

https://github.com/openssl/openssl/commit/133138569f37d149ed1d7641fe8c75a93fded445

you can find a simple patch that was already applied to OpenSSL 1.0.2 
and will be part of the next version 1.0.2h. You might want to add this 
patch to 1.0.2g before compiling. Such an API break is not normal and as 
I said happened this time by accident.



By the way, you didn't quote my CPPFLAGS and LDFLAGS that I set. Using LDFLAGS, or rather -R I 
understand that I can set the runtime search path when linking the library. When I "ldd -s 
httpd", no SSL library is necessary there. And "ldd -s modules/mod_ssl.so" tells me 
it finds the locally installed 1.0.2g version. So I still don't understand why I need to set 
LD_LIBRARY_PATH when the linker finds what I want.


Since LDFLAGS are used for all linking actions, you might better use

MOD_SSL_LDADD="-R/path/to/openssl/lib"

or as Yann said the more compatible

MOD_SSL_LDADD="-Wl,-rpath -Wl,/path/to/openssl/lib"

For the "ab" support binary if you want to compile it with ssl support, 
I think there's also a similar "ab_LDADD" variable and for the crypto 
support in the bundled APR 1.5 there's LDADD_crypto_openssl.



Yes, I want to avoid using LD_LIBRARY_PATH, because I read about methods (like 
using -R) that could tell libraries where they should look first and 
LD_LIBRARY_PATH seems to be a kind of last resort.

Notes:
- Yes, OpenSSL is compiled as a shared library.
- Ideally, I would use /latest links combined with -R to avoid recompiling.
- Do I understand the following right? -I tells the compiler where to look for 
headers during compile time. -L tells the compiler where to find libraries to 
use in linking during the build. -R tells the Linker where to search for 
libraries during runtime.


You did understand it right. See my other post about elfdump/objdump.

Regards,

Rainer
















Re: [users@httpd] Self-compiled httpd and OpenSSL: Trying to start httpd without using LD_LIBRARY_PATH

2016-04-08 Thread Rainer Jung

Am 08.04.2016 um 10:41 schrieb Rainer Canavan:

On Fri, Apr 8, 2016 at 12:31 AM, Yann Ylavic wrote:

On Thu, Apr 7, 2016 at 5:21 PM, Poggenpohl, Daniel wrote:


LDFLAGS="-L$OPENSSLDIR/lib -R $OPENSSLDIR/lib"


I don't know which compiler you are using, but gcc's -R is not working
correctly (on Linux at least), whereas "-Wl,-rpath,$OPENSSLDIR/lib"
is...


-R used to work for us on Solaris with gcc to compile/link/run our own
httpd / php / curl / openssl stack. However, I'm not sure which linker we
used to use. If ldd claims it's picking up the correct libraries, I'd assume
it should work at runtime as well.  In case there's any doubt, lsof may show
which libraries are actually used.


... and you can check the result of the "-R" or "-Wl,-rpath" compilation 
using "elfdump":


  elfdump -d /path/to/modules/mod_ssl.so

will show you exactly, what NEEDED library names the linker has put into 
mod_ssl.so and also the RPATH and RUNPATH setting it has written to that 
shared object.


You can use that command on any shared object or binary (PHP libs etc.). 
I typically use it on Solaris Sparc, but I expect it to work as-is on 
Solaris x86. On Linux the info is available via "objdump -p".


Regards,

Rainer
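
The check described in this thread (read the NEEDED, RPATH and RUNPATH entries with "elfdump -d" or "objdump -p"), as an added example that is not part of the original posts. It parses either tool's listing and reports whether the self-built OpenSSL directory was really recorded by -R; going slightly beyond the thread, it also flags empty, relative or temp-directory search entries. The sample listings, the directory names other than /some/path/lib, and the function names are constructed for illustration.

```python
"""Added example: audit NEEDED / RPATH / RUNPATH entries of a shared object."""
import re

# Constructed listing in the "elfdump -d" layout (Solaris). The second search
# entry and the trailing ":" (an empty entry) are illustrative additions.
ELFDUMP_SAMPLE = """\
Dynamic Section:  .dynamic
     index  tag        value
       [0]  NEEDED     0x1331   libssl.so.1.0.0
       [1]  NEEDED     0x1341   libcrypto.so.1.0.0
       [2]  NEEDED     0x1354   libc.so.1
       [6]  RUNPATH    0x101ff  /some/path/lib:/tmp/build/lib:
       [7]  RPATH      0x101ff  /some/path/lib:/tmp/build/lib:
"""

# Constructed listing in the "objdump -p" layout (Linux).
OBJDUMP_SAMPLE = """\
Dynamic Section:
  NEEDED               libssl.so.1.0.0
  NEEDED               libcrypto.so.1.0.0
  SONAME               mod_ssl.so
  RUNPATH              /opt/openssl/lib
"""

# Optional "[n]" index and optional hex offset cover both tools' layouts.
ENTRY = re.compile(
    r"^\s*(?:\[\d+\]\s+)?(NEEDED|SONAME|RPATH|RUNPATH)\s+"
    r"(?:0x[0-9a-fA-F]+\s+)?(\S+)\s*$"
)
TEMP_DIRS = ("/tmp", "/var/tmp")  # assumption: treated as world-writable


def parse_dynamic(text):
    """Return (needed, soname, search_dirs) from either tool's listing."""
    needed, soname, search = [], None, []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        tag, value = m.groups()
        if tag == "NEEDED":
            needed.append(value)
        elif tag == "SONAME":
            soname = value
        else:
            # RPATH and RUNPATH usually repeat each other: keep first sight only.
            # split(":") keeps empty components, which matter for the audit.
            for entry in value.split(":"):
                if entry not in search:
                    search.append(entry)
    return needed, soname, search


def audit(text, expected_libdir, libs=("libssl.so", "libcrypto.so")):
    """Return a list of (code, detail) findings for one dynamic section."""
    needed, _soname, search = parse_dynamic(text)
    findings = []
    for entry in search:
        # Empty and relative entries are resolved against the process's
        # working directory, so whoever controls that directory picks the lib.
        if entry == "":
            findings.append(("EMPTY_ENTRY", "empty search entry"))
        elif entry.startswith(("$ORIGIN", "${ORIGIN}")):
            continue  # resolved relative to the object itself, not the cwd
        elif not entry.startswith("/"):
            findings.append(("RELATIVE_ENTRY", entry))
        elif any(entry == t or entry.startswith(t + "/") for t in TEMP_DIRS):
            findings.append(("TEMP_DIR_ENTRY", entry))
    # If the object needs OpenSSL but the intended directory was not recorded,
    # the runtime linker has to find it some other way (e.g. LD_LIBRARY_PATH).
    wanted = [n for n in needed if n.startswith(libs)]
    recorded = {e.rstrip("/") for e in search if e}
    if wanted and expected_libdir.rstrip("/") not in recorded:
        findings.append(("LIBDIR_NOT_RECORDED", ", ".join(wanted)))
    return findings


if __name__ == "__main__":
    for name, text, libdir in (
        ("elfdump sample", ELFDUMP_SAMPLE, "/some/path/lib"),
        ("objdump sample", OBJDUMP_SAMPLE, "/usr/local/ssl/lib"),
    ):
        print(name, parse_dynamic(text)[0])
        for code, detail in audit(text, libdir):
            print("  ", code, detail)
```

On a real system, pass the text printed by "elfdump -d /path/to/modules/mod_ssl.so" (or "objdump -p" on Linux) to audit() in place of the samples.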





Re: [users@httpd] LogMessage not working

2016-01-01 Thread Rainer Jung

Am 01.01.2016 um 22:55 schrieb Michael D. Berger:

-Original Message-
From: Rainer Jung [mailto:rainer.j...@kippdata.de]
Sent: Friday, January 01, 2016 05:56
To: users@httpd.apache.org
Subject: Re: [users@httpd] LogMessage not working

Am 01.01.2016 um 03:55 schrieb Michael D. Berger:

I am converting my old complex httpd.config from 2.2 to 2.4, and
having numerous problems.  I added mod_log_debug, but I cannot get
LogMessage to work.  Here is one of numerous things I tried inside
a VirtualHost that is working up to a point:


 LogMessage "herebefore02 httpdViMn" hook=type_checker expr=true


The message does not appear in the log files.  I have seen on the web
that I have to "enable" mod_log_debug, but I have not seen how to
do that.

Thanks for any advice.  Perhaps there is another way to print
things from various parts of the config file?


How is LogLevel set in your config?

Quoting from the docs, the messages logged by mod_log_debug
"are logged at loglevel info." So if your server runs with
"LogLevel warn", they won't be logged. In that case use

LogLevel warn log_debug:info

instead, and start with a simple


  LogMessage "herebefore02 httpdViMn"


before trying more complex constructs.

Regards,

Rainer


Thanks, but the above suggestions did not work.

I also tried:

LogLevel info

which also didn't work.  I did follow your suggestion for a simpler message.
FWIW, I forgot to mention that I am on Fedora 23.

Any other suggestions?


Do your requests actually hit the right vhost, the one into which you 
had put the LogMessage? Can you see the request in the access log if you 
add a separate access log in the same vhost?


Or in case you put the LogMessage into the global server: could it be 
that your request hits a vhost instead?


Regards,

Rainer





Re: [users@httpd] LogMessage not working

2016-01-01 Thread Rainer Jung

Am 01.01.2016 um 03:55 schrieb Michael D. Berger:

I am converting my old complex httpd.config from 2.2 to 2.4, and
having numerous problems.  I added mod_log_debug, but I cannot get
LogMessage to work.  Here is one of numerous things I tried inside
a VirtualHost that is working up to a point:


LogMessage "herebefore02 httpdViMn" hook=type_checker expr=true


The message does not appear in the log files.  I have seen on the web
that I have to "enable" mod_log_debug, but I have not seen how to
do that.

Thanks for any advice.  Perhaps there is another way to print
things from various parts of the config file?


How is LogLevel set in your config?

Quoting from the docs, the messages logged by mod_log_debug "are logged 
at loglevel info." So if your server runs with "LogLevel warn", they 
won't be logged. In that case use


  LogLevel warn log_debug:info

instead, and start with a simple

  
LogMessage "herebefore02 httpdViMn"
  

before trying more complex constructs.

Regards,

Rainer







Re: [users@httpd] Cross-compiled apache 2.4.17/OpenSSL 1.0.2d for SPARC fails to start on mutex error

2015-11-16 Thread Rainer Jung

Am 16.11.2015 um 10:22 schrieb spggwp7q:

Hi guys,

I cross-compiled apache 2.4.17 with APR 1.5.2 and APR Util 1.5.4 along
with OpenSSL 1.0.2d for 64-bit SPARC. I tried running it on one of my
boxes and got the following error in the apache error log (the box was
previously running 2.4.10):

[Mon Nov 16 10:04:52.463583 2015] [core:emerg] [pid 17310:tid 1]
(70023)This function has not been implemented on this platform: AH00023:
Couldn't create the ssl-cache mutex
AH00016: Configuration Failed

I suppose there are no changes between 2.4.10 and 2.4.17 that require
changes to the configuration, so I assume this is happening due to a
compile-time issue.

I was able to get over this error by explicitly setting:

Mutex sem default

However, now apache starts and then quickly dies.

[Mon Nov 16 10:13:59.531153 2015] [mpm_worker:notice] [pid 27481:tid 1]
AH00292: Apache/2.4.17 (Unix) OpenSSL/1.0.2d configured -- resuming
normal operations
[Mon Nov 16 10:13:59.532724 2015] [core:notice] [pid 27481:tid 1]
AH00094: Command line: '/opt/SP/apps/ena_apache/current/bin/httpd -f
/opt/SP/apps/apache/global/vfglfe/conf/httpd.conf'
[Mon Nov 16 10:14:02.533892 2015] [core:notice] [pid 27481:tid 1]
AH00051: child pid 27500 exit signal Bus error (10), possible coredump
in /var/tmp
[Mon Nov 16 10:14:02.534215 2015] [core:notice] [pid 27481:tid 1]
AH00060: seg fault or similar nasty error detected in the parent process

gdb is not installed on this box and I have no access to install
it...but just looking into the core file I see:

*** _THREAD_ERROR_DETECTION: lock usage error detected ***

Looking for this error, I found this:
https://issues.apache.org/jira/browse/STDCXX-1040, which seems to imply
a possible issue with certain versions of Solaris.

On my box, uname -a returns:

SunOS now-ena-fe346 5.10 Generic_150400-20 sun4v sparc
SUNW,SPARC-Enterprise-T5220

I don't know if this is impacted by the issue with the standard C++ library

Should I be using a specific version of the library for compilation?

Thanks in advance for your support.


The Bus error could also be due to this bug in 2.4.17, that was fixed 
after the release:


svn.apache.org/r1712294

Maybe you can try that patch?

Regards,

Rainer




Re: [users@httpd] modifying Location header

2015-10-29 Thread Rainer Jung

Am 29.10.2015 um 10:11 schrieb Hleb Valoshka:

Hi!

Is it possible to modify Location using mod_headers? I want to replace
http:// with https:// but Header edit http://(.*) https://$1 does not
work, neither with always. unset and set don't work as well, only add
works.


I can't see the word "Location" in the configuration you cite.

Regards,

Rainer




Re: [users@httpd] web server load testing

2015-10-17 Thread Rainer Jung

Am 16.10.2015 um 23:06 schrieb Rose, John B:

Does anyone have personal experience, or have heard anything, about any
of these load testing apps?

Soasta Cloudtest
http://www.soasta.com/cloudtest/

HP Stormrunner (Cloud)
http://www8.hp.com/us/en/software-solutions/stormrunner-load-agile-cloud-testing/

HP Loadrunner (Locally installed)
http://www8.hp.com/us/en/software-solutions/loadrunner-load-testing/

Flood I/O
https://flood.io 

Blazemeter
https://blazemeter.com 
Blazemeter Chrome extension
https://chrome.google.com/webstore/detail/blazemeter-the-load-testi/mbopgmdnpcbohhpnfglgohlbhfongabi?hl=en

Loadimpact
https://loadimpact.com 

Nouvola
http://www.nouvola.com


It depends a lot on what exact type of test you want to do but I often 
use Apache JMeter for web load testing.


Regards,

Rainer





Re: [users@httpd] Configure Apache behind proxy with auth [wd-vc]

2015-10-16 Thread Rainer Jung

Am 16.10.2015 um 15:08 schrieb Lucas Santos Sanches:

using cUrl

here is

$curl = curl_init();
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($curl, CURLOPT_URL, $url);
curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 5);
curl_setopt($curl, CURLOPT_TIMEOUT, $curl_timeout);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, 0);


Look for "proxy" in http://php.net/manual/en/function.curl-setopt.php


if ($stream_context != null)
{
    $opts = stream_context_get_options($stream_context);
    if (isset($opts['http']['method']) &&
        Tools::strtolower($opts['http']['method']) == 'post')
    {
        curl_setopt($curl, CURLOPT_POST, true);
        if (isset($opts['http']['content']))
        {
            parse_str($opts['http']['content'], $post_data);
            curl_setopt($curl, CURLOPT_POSTFIELDS, $post_data);
        }
    }
}
$content = curl_exec($curl);
curl_close($curl);
return $content;
}


Regards,

Rainer





Re: [users@httpd] Question on building mod_qos for Centos 6

2015-08-18 Thread Rainer Jung

Am 18.08.2015 um 12:09 schrieb Sophie Loewenthal:

Thanks Rainer.

I built the modules in the end with  apxs -i -c mod_qos.c -lcrypto
-lpcre because configure asked for items I could not find in my
repositories.

It built this in /etc/httpd/modules/mod_qos
-rw-r--r-- 1 root root 744576 Aug 18 11:37 mod_qos.o
-rw-r--r-- 1 root root    276 Aug 18 11:37 mod_qos.lo
-rw-r--r-- 1 root root      0 Aug 18 11:37 mod_qos.slo
-rw-r--r-- 1 root root    936 Aug 18 11:37 mod_qos.la

And put a compiled .so in :
# ls -l /usr/lib64/httpd/modules/mod_qos.so
-rwxr-xr-x 1 root root 518232 Aug 18 11:37
/usr/lib64/httpd/modules/mod_qos.so

:)


OK, if it loads that's fine.


Added to httpd.conf

LoadModule qos_module /usr/lib64/httpd/modules/mod_qos.so


Unsure for the conf file. I've created a file called mod_qos.conf in
/etc/httpd/conf.d/ and added:
## QoS Settings

 # put mod_qos into a permissive mode. No actions are applied.
 QS_LogOnly on
 # handles connections from up to 10 different IPs
 QS_ClientEntries 10


Does the last configuration step look correct?


mod_qos is quite complex and allows a lot of configuration depending on 
your use cases. You should probably switch over to the support channels 
provided by the people who created mod_qos. It is a 3rd party module, 
not one coming from the Apache Software Foundation. This list here is 
for questions concerning the Apache web server itself, not 3rd party 
modules.


The best configuration description for mod_qos is probably

http://opensource.adnovum.ch/mod_qos/

Support situation is a bit vague, but their sourceforge site

http://sourceforge.net/p/mod-qos/wiki/Home/

lists the project members and there is an issue tracker

http://sourceforge.net/p/mod-qos/bugs/?source=navbar

and a discussion forum

http://sourceforge.net/p/mod-qos/discussion/?source=navbar

Regards,

Rainer





Re: [users@httpd] Question on building mod_qos for Centos 6

2015-08-18 Thread Rainer Jung

Am 18.08.2015 um 09:59 schrieb Sophie Loewenthal:

Hi,

 I've been trying to build the module mod_qos for Centos 6 and
wondered if somebody had some experience with this.

The documentation referred to a file buildconf but I did not find this
in the tarball mod_qos-11.16.tar.gz.   Does anybody know where I could
find the *buildconf* file?

Install guide read:

tar xfz httpd-2.2.27.tar.gz
tar xfz mod_qos-11.16-src.tar.gz
ln -s httpd-2.2.27 httpd
cd httpd
mkdir modules/qos
cp ../mod_qos-11.16/apache2/* modules/qos
./buildconf
./configure --with-mpm=worker --enable-so --enable-qos=shared --enable-ssl 
--enable-unique-id
make
cd ..

This creates a DSO module that can be loaded into the Apache server
using the following directive:

LoadModule qos_module /mod_qos.so


Typically a script named buildconf or similar is only needed for the 
people doing a release. It uses the auto-tools (autoconf etc.) to 
generate the configure script.


If you have a real release tarball, configure should be already included 
and you don't need to run buildconf. Just start with the next step, 
running configure.


Regards,

Rainer





Re: [users@httpd] Response headers set by apache

2015-05-30 Thread Rainer Jung

Am 30.05.2015 um 02:26 schrieb Emir Ibrahimbegovic:

I've got an app that runs on a tomcat web server, and I use mod-jk on my
apache web server side.

I think I've managed to configure everything to work seamlessly, I ran
into issues when I wanted to cache static assets on webserver, for some
reason my response headers expires is set to **1994**, these are my
headers for one of the javascript files I want to serve as static asset
and cache it:

 Accept-Ranges:bytes
 Cache-Control:no-cache
 Connection:Keep-Alive
 Content-Encoding:gzip
 Content-Type:application/javascript
 Date:Fri, 29 May 2015 23:18:25 GMT
 ETag:W/"604348-1432950682000"
 Expires:Thu, 01 Dec 1994 16:00:00 GMT
 Keep-Alive:timeout=5, max=100
 Last-Modified:Fri, 29 May 2015 23:18:25 GMT
 Server:Apache
 Transfer-Encoding:chunked
 Vary:Accept-Encoding


Before trying to fix it I would first analyze, where the strange value 
comes from.


You can

- Add ""%{Expires}o"" to the access log valve pattern in your 
tomcat server.xml and check in the access log, whether the 1994 value is 
already being sent by your webapp.


- you can switch your JkLogLevel for a temporary test to "trace" and do a 
single request. mod_jk will log all headers it receives from Tomcat in 
its own log, so you can check which response headers arrive at the 
Apache web server.


If the wrong header originates in your webapp, first try to fix it 
there.  Only as a last resort, try to overwrite them in the web server. 
If you don't even find it among the ones that mod_jk logs, it must be 
even inside your web server or between your web server and the client. 
The Apache httpd server by itself would not use such a strange date.


You might also look for the string 786297600 somewhere in configurations 
or your webapp, because that is the seconds since the epoch that would 
result in December 1st, 1994, 16:00 GMT. Is it always exactly the same 
value?


Regards,

Rainer




Re: [users@httpd] mod_rewrite vs. mod_jk

2015-05-10 Thread Rainer Jung

Am 06.05.2015 um 11:16 schrieb Hajo Locke:

Hello,

i have a small mod_jk.conf and want to use mod_rewrite also:

JkMount /* ajp13
JkUnmount /test/* ajp13
RewriteEngine On
RewriteRule ^/$ /java_app/ [L]

Rewriting by mod_rewrite only works with urls which are unmounted by
JkUnmount. So above Rule is not working because its immediately passed
to the java-worker.
Ist there a way to change this behaviour, so all mod_rewrite is done at
first and passing to java-worker follows last.
Or is unmounting mandatory for this?


Have a look at

http://tomcat.apache.org/connectors-doc/generic_howto/proxy.html#URL%20Handling

Questions about mod_jk more likely get answered on the Apache Tomcat 
users list, because mod_jk is developed as part of the Tomcat project.


Regards,

Rainer




Re: [users@httpd] Compile apache2.4 with mod_proxy_html/libxml2

2015-04-14 Thread Rainer Jung

Am 14.04.2015 um 16:34 schrieb andre.wen...@bmw.de:

Hello,

today I tried to compile the current apache 2.4.12 together with
mod_proxy_html and xml2enc, but I ran into some problem with libxml2,
which is currently not installed on the system and I’m not able to
install the library in the system.

So what I did was to compile libxml2 as shared library with

./configure --prefix=//libxml2 --enable-shared=yes
--with-python=no

After that I tried to build the apache with the following parameters:

./configure

…

   --enable-proxy-html \

   --enable-xml2enc \

   --with-libxml2=${apache_prefix}/libxml2



I also tried the following:

./configure

…

   --enable-proxy-html \

   --enable-xml2enc \

   --with-libxml2 \

   --with-libxml2-include=${apache_prefix}/libxml2/include \

   --with-libxml2-lib=${apache_prefix}/libxml2/lib

But every time the following error comes up,

…

checking whether to enable mod_deflate... shared

checking whether to enable mod_xml2enc... checking dependencies

checking for libxml2... checking for libxml2... no

checking whether to enable mod_xml2enc... configure: error: mod_xml2enc
has been requested but can not be built due to prerequisite failures

…

Does somebody have any idea, what is the problem or which configuration
I need to set, so that I can build the apache with mod_proxy_html
support. But I don’t need to install libxml2 on the system? Is there any
additional compiler setting needed?


Try

   --with-libxml2=${apache_prefix}/libxml2/include/libxml2

(in my libxml2 installation all header files are in a directory 
.../include/libxml2/libxml which should be the default layout of libxml2).


In addition set the following envvars:

MOD_XML2ENC_LDADD="-L${apache_prefix}/libxml2/lib 
-R${apache_prefix}/libxml2/lib"


export MOD_XML2ENC_LDADD

MOD_PROXY_HTML_LDADD="-L${apache_prefix}/libxml2/lib 
-R${apache_prefix}/libxml2/lib"


export MOD_PROXY_HTML_LDADD

(the -R is optional for setting the RUNPATH in the binary module file).

Regards,

Rainer




Re: [users@httpd] Compile apache 2.4 on solaris 10 sparc with 64 bit openssl issue

2015-04-03 Thread Rainer Jung

Am 03.04.2015 um 17:50 schrieb ਜਤਿੰਦਰ ਸਿੰਘ:

~/openssl64/lib$ ls -ltr
total 10224
drwxr-x---   2 q1col2a1 q1col2a1  96 Apr  2 14:59 engines
-rw-r--r--   1 q1col2a1 q1col2a1 4401152 Apr  2 14:59 libcrypto.a
-rw-r--r--   1 q1col2a1 q1col2a1  823208 Apr  2 14:59 libssl.a
drwxr-x---   2 q1col2a1 q1col2a1  96 Apr  2 14:59 pkgconfig

by openssl/lib - i meant the lib generated after the openssl install.


So no shared libs.

Try adding "shared -fPIC" to your OpenSSL config flags. Note it is 
"shared" not "-shared". Check whether config output contains any 
warning. I remember openssl with gcc on Solaris having a problem when 
one wants to build 64Bit versions but the compiler gcc is a 32 bit 
binary. That is technically not a problem, but the detection method for 
64 bit support is broken on a platform, that supports 32 and 64 bits.


You might try the following patch to the OpenSSL config file:

@@ -446,7 +446,7 @@
   if [ $GCCVER -ge 30 ]; then
 # 64-bit ABI isn't officially supported in gcc 3.0, but it appears
 # to be working, at the very least 'make test' passes...
-if gcc -v -E -x c /dev/null 2>&1 | grep __arch64__ > /dev/null; then
+if gcc -m64 -v -E -x c /dev/null 2>&1 | grep __arch64__ > 
/dev/null; then

   GCC_ARCH="-m64"
 else
   GCC_ARCH="-m32"
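
Review bot: the added "+if gcc -m64 -v -E ..." line has been wrapped in the mail, so its tail "/dev/null; then" sits on a separate line without a "+" prefix and the hunk will not apply as pasted; rejoin it into a single "+" line before running patch. A second point on the same line: with -m64 forced into the probe, the test no longer asks what gcc targets by default but whether it can target 64-bit at all, so every 64-bit-capable gcc now ends up with GCC_ARCH="-m64" and the else branch is only reached when 64-bit is unavailable. The comment above the test should say that 64-bit is now preferred whenever the compiler supports it, so someone who wants a 32-bit build knows to override it.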


Regards,

Rainer


On Fri, Apr 3, 2015 at 10:35 AM, Rainer Jung <rainer.j...@kippdata.de> wrote:

Am 03.04.2015 um 16:53 schrieb ਜਤਿੰਦਰ ਸਿੰਘ:


uname -a
SunOS  5.10 Generic_150400-14 sun4u sparc SUNW,Netra-T12

src distribution used - apache-httpd-2_4_12-src-openssl-m.tar

/usr/sfw/bin/gcc -v
Reading specs from
/usr/sfw/lib/gcc/sparc-sun-solaris2.10/3.4.3/specs
Configured with:
/sfw10/builds/build/sfw10-patch/usr/src/cmd/gcc/gcc-3.4.3/configure
--prefix=/usr/sfw --with-as=/usr/ccs/bin/as --without-gnu-as
--with-ld=/usr/ccs/bin/ld --without-gnu-ld --enable-languages=c,c++
--enable-shared
Thread model: posix
gcc version 3.4.3 (csl-sol210-3_4-branch+sol_rpath)

#Set ENV variables

export CFLAGS="-m64"
export LDFLAGS="-L/usr/sfw/lib -R/usr/sfw/lib -L/usr/X/lib
-R/usr/X/lib
-L/usr/X11/lib -R/usr/X11/lib -L/usr/ccs/lib -R/usr/ccs/lib"
export LD_LIBRARY_PATH=/usr/sfw/lib/sparcv9:/usr/lib
export LD_LIBRARY_PATH_64=/usr/lib/64:/usr/sfw/lib/64
export PATH=$PATH:/usr/sfw/bin:/usr/ccs/bin:/usr/ccs/bin/sparcv9

# build pcre
cd ~/apache64-2-4-12/03-httpd/pcre-8.36
./configure --disable-cpp CFLAGS="-g" CC="gcc -m64"
--prefix=~/apache64-2-4-12/03-httpd/pcre-8.36
make clean
make
make install

# build apr
cd ~/apache64-2-4-12/03-httpd/apr-util-1.5.4
./configure --prefix=~/apache64-2-4-12/03-httpd/apr-1.5.1
make clean
make
make install

# build apr-util
cd ~/apache64-2-4-12/03-httpd/apr-util-1.5.4
./configure --prefix=~/apache64-2-4-12/03-httpd/apr-util-1.5.4
--with-apr=~/apache64-2-4-12/03-httpd/apr-1.5.1
make clean
make
make install

# build openssl
cd ~/apache64-2-4-12/02-openssl/openssl-1.0.1m
./config --prefix=~/openssl64


Here it is ~/openssl64

make clean
changed CFLAGS from m32 to m64 in makefile
make
make install


# build apache2.4-12
./configure --prefix=~/apache-64-2-4-12/Apache64HTTP --enable-ssl
--with-pcre=~/apache-64-2-4-12/03-httpd/pcre-8.36
--with-apr=~/apache-64-2-4-12/03-httpd/apr-1.5.1
--with-apr-util=~/apache-64-2-4-12/03-httpd/apr-util-1.5.4
--enable-ssl-staticlib-deps
make clean
make
Failing with below error...
ld: warning: file ~/openssl-64/lib/libssl.a(s2_clnt.o): wrong ELF class:
ELFCLASS32
ld: warning: file ~/openssl-64/lib/libcrypto.a(mem.o): wrong ELF class:
ELFCLASS32


Here it is ~/openssl-64, additional dash!

these files are 32 bit on rechecking with file command inside
openssl/lib, but openssl executable is 64 bits.


What is "openssl/lib"?

Very strange, because openssl binary should link with openssl libs.

Regards,

Rainer





Re: [users@httpd] Compile apache 2.4 on solaris 10 sparc with 64 bit openssl issue

2015-04-03 Thread Rainer Jung

Am 03.04.2015 um 16:53 schrieb ਜਤਿੰਦਰ ਸਿੰਘ:


uname -a
SunOS  5.10 Generic_150400-14 sun4u sparc SUNW,Netra-T12

src distribution used - apache-httpd-2_4_12-src-openssl-m.tar

/usr/sfw/bin/gcc -v
Reading specs from /usr/sfw/lib/gcc/sparc-sun-solaris2.10/3.4.3/specs
Configured with:
/sfw10/builds/build/sfw10-patch/usr/src/cmd/gcc/gcc-3.4.3/configure
--prefix=/usr/sfw --with-as=/usr/ccs/bin/as --without-gnu-as
--with-ld=/usr/ccs/bin/ld --without-gnu-ld --enable-languages=c,c++
--enable-shared
Thread model: posix
gcc version 3.4.3 (csl-sol210-3_4-branch+sol_rpath)

#Set ENV variables

export CFLAGS="-m64"
export LDFLAGS="-L/usr/sfw/lib -R/usr/sfw/lib -L/usr/X/lib -R/usr/X/lib
-L/usr/X11/lib -R/usr/X11/lib -L/usr/ccs/lib -R/usr/ccs/lib"
export LD_LIBRARY_PATH=/usr/sfw/lib/sparcv9:/usr/lib
export LD_LIBRARY_PATH_64=/usr/lib/64:/usr/sfw/lib/64
export PATH=$PATH:/usr/sfw/bin:/usr/ccs/bin:/usr/ccs/bin/sparcv9

# build pcre
cd ~/apache64-2-4-12/03-httpd/pcre-8.36
./configure --disable-cpp CFLAGS="-g" CC="gcc -m64"
--prefix=~/apache64-2-4-12/03-httpd/pcre-8.36
make clean
make
make install

# build apr
cd ~/apache64-2-4-12/03-httpd/apr-util-1.5.4
./configure --prefix=~/apache64-2-4-12/03-httpd/apr-1.5.1
make clean
make
make install

# build apr-util
cd ~/apache64-2-4-12/03-httpd/apr-util-1.5.4
./configure --prefix=~/apache64-2-4-12/03-httpd/apr-util-1.5.4
--with-apr=~/apache64-2-4-12/03-httpd/apr-1.5.1
make clean
make
make install

# build openssl
cd ~/apache64-2-4-12/02-openssl/openssl-1.0.1m
./config --prefix=~/openssl64


Here it is ~/openssl64


make clean
changed CFLAGS from m32 to m64 in makefile
make
make install


# build apache2.4-12
./configure --prefix=~/apache-64-2-4-12/Apache64HTTP --enable-ssl
--with-pcre=~/apache-64-2-4-12/03-httpd/pcre-8.36
--with-apr=~/apache-64-2-4-12/03-httpd/apr-1.5.1
--with-apr-util=~/apache-64-2-4-12/03-httpd/apr-util-1.5.4
--enable-ssl-staticlib-deps
make clean
make
Failing with below error...
ld: warning: file ~/openssl-64/lib/libssl.a(s2_clnt.o): wrong ELF class:
ELFCLASS32
ld: warning: file ~/openssl-64/lib/libcrypto.a(mem.o): wrong ELF class:
ELFCLASS32


Here it is ~/openssl-64, additional dash!


these files are 32 bit on rechecking with file command inside
openssl/lib, but openssl executable is 64 bits.


What is "openssl/lib"?

Very strange, because openssl binary should link with openssl libs.

Regards,

Rainer




Re: [users@httpd] Missing log entries?

2015-04-02 Thread Rainer Jung

Am 03.04.2015 um 03:41 schrieb Andrew Moise:

   Hi Richard.
   Okay, that was exactly my question -- yes, I'm pretty confident that
that's what's happening (the page is not completely being served and
the transfer is aborted, even though from the user's perspective the
page is present and they can interact with it e.g. click off onto
another page). I just didn't know that it didn't go into the log in
that case; I assumed that it would go in with a count of the bytes
that were successfully sent.
   That leads me to my next question: Assuming that I've understood
this correctly, is there any accurate way to see what apache is
serving (even partially sent pages)? This is forming a significant
part of my traffic (i.e. apache log analysis only shows a fraction of
the visitors that google analytics tells me are present).
   Thanks,
   Andrew


mod_log_forensic?

Regards,

Rainer


On Thu, Apr 2, 2015 at 8:29 PM, Richard
 wrote:

If the log entry for the image has a "referer" for a site page, then
it is unlikely that the image is being served from another page/site
(unless there is referer-based access control and someone *really*
wants the image(s), so is mucking the referer).

Apache doesn't write the log entry until the page has been delivered
(otherwise it wouldn't be able to give you the number of bytes
served). If your page(s) have something that keeps them from being
fully served (js, an ad, etc.) then the user may click off the page
before everything closes out and the entry is logged. I.e., this
wouldn't require the user to explicitly abort the page delivery,
they may just be doing it implicitly if the page has delivery issues.

You should be able to check this fairly easily yourself.



 Original Message 

Date: Thursday, April 02, 2015 20:00:00 -0400
From: 5k Kate <5k.kate.1...@gmail.com>

Is it possible that the image links are being shared separately
from the page? Theoretically someone could go and post your image
into another page.

-Kate

On Wed, Apr 1, 2015 at 1:09 PM, Andrew Moise
 wrote:


   Hello all.
   I'm trying to analyze the behavior of visitors to my web site by
parsing my Apache access log, and it seems that the log is missing
some entries. For example, it's happened before that there's an
entry in the log for serving an image, with a referrer set to one
of my HTML pages, but there is no entry in the log for that HTML
page (either before or after the entry for the image loading)
from any similar IP address. I don't think that the headers I'm
emitting would cause the browser to cache that particular HTML
page.
   Furthermore (and more to the point of why I'm concerned about
   this), parsing the apache log indicates a small fraction (maybe
25%) of the number of visitors indicated by a third party logging
tool (in this case clicky.com).
   Is there anything that could cause this? For example, does
   apache not put an entry in the log if the connection is
interrupted before the entire HTML file is emitted?
   Thanks in advance for your help.
   -Andrew





Re: [users@httpd] Dates in httpd.conf?

2015-03-31 Thread Rainer Jung

Am 31.03.2015 um 19:49 schrieb Joe Jensen (ConAgra Foods):

Can anybody tell me a good way to include a date in the apache
configuration?  For various reasons I’m trying to avoid |’s to logrotate
and want the date in a logfile’s name.  I’m really hoping to put the
date into an apache variable I can use within the config.

A prior install involved running sed commands to update the config files
on apache startup (!!) which I’m trying to get rid of.

Define DATE ??


If you only need a date which is per startup, but does not change after 
the web server start:


In your start script or in envvars define and export a shell variable, e.g.

NOW=`date +%Y%m%d_%H%M%S`
export NOW

and then in the config you can use ${NOW}

Note that this will not update the timestamp if you do a "apachectl 
restart" or "apachectl graceful", only by stop and then start.


What is your reason you don't want to use piped logging?

Regards,

Rainer




Re: [users@httpd] How to enable TLSV1.1 or above on Apache

2015-03-27 Thread Rainer Jung

Am 27.03.2015 um 14:40 schrieb Cathy Fauntleroy:

I am on a Windows 2008 R2 server with Apache 2.2.25/OpenSSL 0.9.8 installed.  I 
am attempting to upgrade OpenSSL to 1.0.1 so that TLS 1.1 and 1.2 will be 
enabled.  I am having problems installing 1.0.1 because of what appears to be a 
platform conflict.  My installation halts because a file in what is definitely 
a Unix/Linux path is not found.  I am on a Windows platform and downloaded a 
file for windows.  Any help would be greatly appreciated.  Am I missing 
something or have I stumbled upon a mis-categorized download?  I've tried 
several sites.


On the Windows platform many use the binary Apache httpd downloads from 
ApacheLounge:


http://www.apachelounge.com/download/

Regards,

Rainer


-Original Message-
From: Rainer Jung [mailto:rainer.j...@kippdata.de]
Sent: Friday, March 27, 2015 5:53 AM
To: users@httpd.apache.org
Subject: Re: [users@httpd] How to enable TLSV1.1 or above on Apache

Am 27.03.2015 um 06:22 schrieb Sailaja Gadireddy:

Hello Team,

I have upgraded my apache to Apache V2.4.3. and OpenSSL version is
0.9.8g

When I have modified httpd conf with SSLProtocol TLSV1.1, It says
Illegal protocol.

Do I need to install latest openssl version? If so please suggest the
version.

Please suggest me the way to enable TLSV1.1 on Apache.


You need OpenSSL 1.0.1 as a minimum for TLS 1.1 (and 1.2) support.

Regards,

Rainer






Re: [users@httpd] How to enable TLSV1.1 or above on Apache

2015-03-27 Thread Rainer Jung

Am 27.03.2015 um 06:22 schrieb Sailaja Gadireddy:

Hello Team,

I have upgraded my apache to Apache V2.4.3. and OpenSSL version is 0.9.8g

When I have modified httpd conf with SSLProtocol TLSV1.1, It says
Illegal protocol.

Do I need to install latest openssl version? If so please suggest the
version.

Please suggest me the way to enable TLSV1.1 on Apache.


You need OpenSSL 1.0.1 as a minimum for TLS 1.1 (and 1.2) support.

Regards,

Rainer





Re: [users@httpd] Decompress requests using mod_deflate and uset Content-Encoding header

2015-03-10 Thread Rainer Jung

Am 09.03.2015 um 15:57 schrieb dennis.luna...@t-systems.com:

Hi,

I have some problems using mod_deflate to decompress requests.

I am using a apache 2.4 as a reverse proxy on Red Hat Enterprise Linux Server 
release 6.4 (Santiago). Within this apache I have to decompress requests and 
compress the answers.
To do this for some specific requests I defined a location:

   SetInputFilter DEFLATE   
   SetOutputFilter DEFLATE  

I got the result, that the request have been decompressed, but the header 
Content-Encoding gzip is still set causing problems on the next server.

So I removed the Content-Encoding header using mod_headers:

   RequestHeader unset Content-Encoding
   SetInputFilter DEFLATE   
   SetOutputFilter DEFLATE  
   Header set Content-Encoding gzip

As a result in the request the Content-Encoding is not set anymore. But the 
request is still compressed.
The manual of mod_deflate says that only requests with the header 
Content-Encoding gzip are decompressed. So it seems that mod_headers is 
executed before mod_deflate.

So basically either the decompression is done and the header is not changed or 
the header is changed but the decompression is not done.
Is there any way to decompress the request and remove the Content-Encoding gzip 
header?


mod_deflate does contain code to fix the content-encoding header. Could 
you provide info, how exactly your content-encoding request header looks 
like without and with inflation (no mod_headers manipulation)? Try to 
get the info directly on the reverse proxy, not on the backend, e.g. by 
logging %{Content-Encoding}i in the proxy access log.


mod_deflate did get quite a few fixes lately in 2.4. None of them was 
directly related to fixing the content-encoding header, but maybe you 
trigger some other error path. Not likely, because the header fixing is
done early but maybe still possible. Which version is your Apache httpd?


Regards,

Rainer





Re: [users@httpd] ProxyReverse Issue on - httpd-2.2.29

2015-02-23 Thread Rainer Jung

Am 23.02.2015 um 19:18 schrieb Otis Dewitt - NOAA Affiliate:

Everything works on this site except this url:
https://www.docu.com/class/page/createpdf.jsp?requestId=7

weird problem.

Thanks,
Otis

On Mon, Feb 23, 2015 at 1:15 PM, Otis Dewitt - NOAA Affiliate
<otis.dew...@noaa.gov> wrote:

oops yeah missed adding that to the email.

Its in the config:

# Class Directive (443) #EXAMPLE
RewriteRule ^/class$(.*) https://www.docu.com/class$1 [L,NC]


What is the "$" in the left side of the rule supposed to do?

If you remove the dollar sign, or we just ignore it for a moment, I 
would suspect a redirect loop here. Is this the config from the http or 
https VHost? If http, then redirecting to https would be fine, but I 
wouldn't understand why it should also proxy. If https, then the
RewriteRule looks suspect.



ProxyPass /class https://example.com:20201/class


 SetOutputFilter   proxy-html
 ProxyPassReverse https://example.com:20201/class
 ProxyHTMLEnable   On
 ProxyHTMLExtended On
 ProxyHTMLURLMap http://example.com:20201/class  /class
 RequestHeader unset  Accept-Encoding



Regards,

Rainer




Re: [users@httpd] Help needed with event MPM configuration

2014-11-04 Thread Rainer Jung

Am 04.11.2014 um 20:36 schrieb Rajalakshmi Iyer:

Ok. Thanks.

Does this situation sound plausible - Keep alive connections are not
being used effectively by client applications (i.e. subsequent requests
on keep-alive connections are not frequent enough to keep Apache workers
busy all the time, resulting in low CPU utilisation). At the same time,
because there are already so many keep-alive connections, the server is
not accepting any more new connections from the client application.
Thus, the server is mostly idle but not accepting new connections.

Apologies for repeating the question, but wanted to confirm before I
proceed to change the configuration.


I strongly suggest you monitor your server using server-status. It shows 
you details about threads and connections and also per process info 
whether it is still accepting connections or not.


Regards,

Rainer





Re: [users@httpd] AJP Errors?

2014-09-04 Thread Rainer Jung

Am 03.09.2014 um 23:23 schrieb Smith, Burton:

-Original Message-
From: Rainer Jung [mailto:rainer.j...@kippdata.de]
Sent: Saturday, August 30, 2014 3:12 AM



Am 28.08.2014 um 22:39 schrieb Smith, Burton:

-Original Message-

From: Rainer Jung [mailto:rainer.j...@kippdata.de]
Sent: Tuesday, August 26, 2014 2:37 AM



It is possible that your linux distribution doesn't provide current mod_jk 
packages. But building mod_jk is very
simple.

- You need to have gcc installed
- You need to have httpd and the httpd headers (httpd-dev?) installed

- Then you download the source release from 
http://tomcat.apache.org/download-connectors.cgi. Current version
is 1.2.40.

- You extract the tarball and change into sub directory "native".

- You run "./configure --with-apxs=/path/to/my/apxs" where you replace 
/path/to/my/apxs with the full path to your
httpd apxs (or apxs2) command



I'm hung up on apxs.  I can't find one.  Where should I look next?


Whoever provided you httpd should also provide you with the apxs script. 
Most Linux distros put it into an additional httpd-devel or 
apache2-devel or similar package. The script is sometimes named apxs2
instead of apxs. Often it is installed in /usr/sbin if Apache is
installed into the OS platform, or in the Apache bin directory if Apache 
has a completely separate installation directory.


Regards,

Rainer





Re: [users@httpd] AJP Errors?

2014-08-30 Thread Rainer Jung

Am 28.08.2014 um 22:39 schrieb Smith, Burton:

-Original Message-

From: Rainer Jung [mailto:rainer.j...@kippdata.de]
Sent: Tuesday, August 26, 2014 2:37 AM
To: users@httpd.apache.org
Subject: Re: [users@httpd] AJP Errors?



First: Since your Apache version 2.2.15 is pretty old and mod_jk had many 
improvements in the last years, I
suggest that you check your mod_jk version and consider upgrading to latest.


I thought I would start with the upgrades.  Yum pulled httpd-tools.x86_64 
0:2.2.15-31.el6_5 without mod_ssl and mod_jk.  I figured out the SSL part.  Can 
you recommend how to correct the JK?


It is possible that your linux distribution doesn't provide current 
mod_jk packages. But building mod_jk is very simple.


- You need to have gcc installed
- You need to have httpd and the httpd headers (httpd-dev?) installed

- Then you download the source release from 
http://tomcat.apache.org/download-connectors.cgi. Current version is 1.2.40.


- You extract the tarball and change into sub directory "native".

- You run "./configure --with-apxs=/path/to/my/apxs" where you replace 
/path/to/my/apxs with the full path to your httpd apxs (or apxs2) command


- You run "make"

- You copy the new module file apache-2.0/mod_jk.so to wherever you want 
the module to be installed, e.g. in your httpd modules directory or 
elsewhere. Reference that chosen place in your "LoadModule" httpd 
directive for mod_jk.


- You add the example config files "conf/httpd-jk.conf" and 
"conf/workers.properties" from the extracted tarball to your httpd and 
customize it.


Regards,

Rainer







Re: [users@httpd] AJP Errors?

2014-08-26 Thread Rainer Jung

Hi Burton,

Am 25.08.2014 um 22:14 schrieb Smith, Burton:

Can someone tell me about this error set?  They show up in the
Apache(mod_jk) log.  They may or may not indicate that one node is
down.  I would like to know how to differentiate between a recoverable
and a non-recoverable issue so that 24x7 support can monitor the issue.
My Apache version is 2.2.15 if that helps.

[error] ajp_connect_to_endpoint::jk_ajp_common.c (1026): (103t1)
cping/cpong after connecting to the backend server failed (errno=110)

[error] ajp_send_request::jk_ajp_common.c (1630): (103t1) connecting to
backend failed. Tomcat is probably not started or is listening on the
wrong port (errno=110)

[info] ajp_service::jk_ajp_common.c (2623): (103t1) sending request to
tomcat failed (recoverable), because of error during request sending
(attempt=1)

[error] ajp_connect_to_endpoint::jk_ajp_common.c (1026): (103t1)
cping/cpong after connecting to the backend server failed (errno=110)

[error] ajp_send_request::jk_ajp_common.c (1630): (103t1) connecting to
backend failed. Tomcat is probably not started or is listening on the
wrong port (errno=110)

[info] ajp_service::jk_ajp_common.c (2623): (103t1) sending request to
tomcat failed (recoverable), because of error during request sending
(attempt=1)


First: Since your Apache version 2.2.15 is pretty old and mod_jk had 
many improvements in the last years, I suggest that you check your 
mod_jk version and consider upgrading to latest.


"recoverable" means mod_jk will send the same request again. If mod_jk 
has already sent part of the request to Tomcat and doesn't get back a
response or something breaks while sending the request, it decides on 
the type of request and config, whether it is allowed to send the same 
request again.


Consider a final request in some flow ordering stuff from a shop. mod_jk 
might have sent the request and an error happens when trying to read the
response. Should it then send the request again or not?


You can influence behavior using the ajp13 worker config property 
recovery_options, which is a bit mask. Look for "recovery_options" in 
the docs:


http://tomcat.apache.org/connectors-doc/reference/workers.html

Often value "31" (all available bits set) is appropriate, but it depends 
on the application.


Using cping/cpong is nice, because it checks the connection before 
mod_jk tries to send the request. So if cping/cpong fails it is clear, 
that mod_jk can always retry, because Tomcat hasn't received any part of 
the request yet.


The number of retries mod_jk will use for a worker is also configurable, 
by default "2", property "retries" on an ajp13 worker, see the same docs 
page.


If all retries fail, then it will try a fail over (for a recoverable 
request), but often a failover will work on the http level, but not on 
the application level, because e.g. a web session on one Tomcat doesn't
exist on the failover Tomcat (without adding session replication).

Log messages:

- a load balancer worker will log after an unrecoverable failure:

  "unrecoverable error XXX, request failed. Tomcat failed in the middle 
of request, we can't recover to another instance.", where XXX is a number.


The message will be marked with [error]

- an AJP13 worker can log several messages containing "recoverable" or
"unrecoverable". I'll list them here based on the current version. RRR 
will either be the strings "recoverable" or "unrecoverable", SSS a 
socket number, EEE an error number:


[info]: "(WORKERNAME) failed sending request (RRR) "
   "(errno=EEE)",

[error]: "(WORKERNAME) failed sending request on a fresh connection 
(RRR), socket SSS (errno=EEE)",


[error]: "(WORKERNAME) failed sending request body of size LLL (RRR), "
   "socket SSS (errno=EEE)",

[error]: "(WORKERNAME) failed sending request body of size LLL (lb mode) 
(RRR), socket SSS (errno=EEE)",


[error]: "(WORKERNAME) unexpected condition err=EEE recoverable=%d",

[error]: "(WORKERNAME) sending request to tomcat failed (unrecoverable), 
%s (attempt=%d)",


[info]: "(WORKERNAME) sending request to tomcat failed (RRR), %s 
(attempt=%d)",


Regards,

Rainer
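
Added example, not part of the thread and not mod_jk code: a Python classifier that applies the recoverable/unrecoverable distinction described above to mod_jk log lines, so monitoring can tell the two apart. The first three sample lines are the ones quoted in the question; the other three are constructed from the message templates listed above, and their source line numbers, the worker name 103t2, the function name `service` and the escalation policy are assumptions.

```python
"""Classify mod_jk log lines by recoverability (added example)."""
import re
from collections import Counter, defaultdict

# [level] function::file (line): (worker) message
# Applied with search(), so a leading timestamp / pid:tid prefix is tolerated.
LINE_RE = re.compile(
    r"\[(?P<level>trace|debug|info|warn|error|emerg)\]\s+"
    r"(?P<func>\w+)::(?P<file>[\w.]+)\s+\((?P<srcline>\d+)\):\s+"
    r"(?:\((?P<worker>[^)\s]+)\)\s+)?(?P<msg>.*)$"
)
FLAG_RE = re.compile(r"\brecoverable=(-?\d+)")   # "... recoverable=%d" form
ATTEMPT_RE = re.compile(r"\battempt=(\d+)")
ERRNO_RE = re.compile(r"\berrno=(\d+)")

# Lines 1-3: quoted in the question. Lines 4-6: constructed from the templates.
SAMPLE_LOG = """\
[error] ajp_connect_to_endpoint::jk_ajp_common.c (1026): (103t1) cping/cpong after connecting to the backend server failed (errno=110)
[error] ajp_send_request::jk_ajp_common.c (1630): (103t1) connecting to backend failed. Tomcat is probably not started or is listening on the wrong port (errno=110)
[info] ajp_service::jk_ajp_common.c (2623): (103t1) sending request to tomcat failed (recoverable), because of error during request sending (attempt=1)
[error] ajp_service::jk_ajp_common.c (2604): (103t2) sending request to tomcat failed (unrecoverable), because of error during request sending (attempt=2)
[error] ajp_service::jk_ajp_common.c (2580): (103t2) unexpected condition err=-3 recoverable=0
[error] service::jk_lb_worker.c (1485): unrecoverable error 502, request failed. Tomcat failed in the middle of request, we can't recover to another instance.
"""


def recoverability(msg):
    """Return 'recoverable', 'unrecoverable', 'pre-send' or 'unclassified'."""
    flag = FLAG_RE.search(msg)
    if flag:
        # Assumption: a non-zero flag value means the request may be retried.
        return "recoverable" if int(flag.group(1)) != 0 else "unrecoverable"
    if "unrecoverable" in msg:      # test first: it contains "recoverable"
        return "unrecoverable"
    if "recoverable" in msg:
        return "recoverable"
    if "cping/cpong" in msg and "failed" in msg:
        # Failed before any part of the request reached Tomcat: retry is safe.
        return "pre-send"
    return "unclassified"


def parse_line(line):
    """Parse one log line; return None if it is not a mod_jk style line."""
    m = LINE_RE.search(line.strip())
    if m is None:
        return None
    msg = m.group("msg")
    attempt = ATTEMPT_RE.search(msg)
    errno = ERRNO_RE.search(msg)
    return {
        "level": m.group("level"),
        "worker": m.group("worker") or "-",   # lb messages carry no worker tag
        "class": recoverability(msg),
        "attempt": int(attempt.group(1)) if attempt else None,
        "errno": int(errno.group(1)) if errno else None,
    }


def summarize(lines):
    """Count events per worker and recoverability class."""
    summary = defaultdict(Counter)
    for line in lines:
        event = parse_line(line)
        if event:
            summary[event["worker"]][event["class"]] += 1
    return dict(summary)


def workers_to_escalate(summary):
    """Assumed policy: escalate only workers with unrecoverable failures."""
    return sorted(w for w, c in summary.items() if c["unrecoverable"] > 0)


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG.splitlines())
    for worker, counts in sorted(result.items()):
        print(worker, dict(counts))
    print("escalate:", workers_to_escalate(result))
```
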




Re: [users@httpd] Slow performance in Apache

2014-08-25 Thread Rainer Jung

Am 25.08.2014 um 19:33 schrieb Frederik Nosi:

Hi,
On 08/19/2014 01:49 PM, Jeff Trawick wrote:

On Tue, Aug 19, 2014 at 6:00 AM, <pratibha.dhank...@wipro.com> wrote:

Hi All,

Need urgent help from all you experts. We have a tomcat and apache
server on same physical box .Earlier it was working fine however
last week application is integrated with IDAM, since then whenever
user is accessing the link through IDAM application is responding
either very slow or not at all, Once apache is restarted ,again it
start working and after 3-4 hours again same issue occurs. Please
suggest.

Have done some tuning at apache end as well like

Timeout 120

KeepAlive Off

MaxKeepAliveRequests 100

KeepAliveTimeout 15

Still not working.


See if there is a buildup over time of connections between httpd and
Tomcat.  netstat and mod_status with ExtendedStatus On would make this
relatively easy.  (mod_status won't show explicitly that the request
is handled by Tomcat, but you can check requests stuck in W state to
see if the URL is handled by Tomcat.)



Out of curiosity, on the summary page generated by mod_status, the
description of W is:

"*|W|*" Sending Reply

I thought that when in this state, the corresponding thread / process
was sending the reply to the client. From your reply if i understood
correctly seems that when using mod_proxy (and mod_jk right?) the W
state includes the time spent on sending the request and getting a reply
from the origin.

Is this right?


Yes, "W" is everything between having read the request and logging the 
request after having sent the response. So especially it includes
forwarding in proxy or mod_jk and waiting/reading the response from the 
origin server.


You should add response duration logging to the httpd server access log 
(%D) and to the origin server log file, if you want to track the 
performance of the latter. mod_jk allows you to additionally log origin 
server response times as observed by the httpd web server in the httpd 
access log.


Regards,

Rainer




Re: [users@httpd] Proxy Timeout problem with proxy_balancer

2014-03-08 Thread Rainer Jung
On 08.03.2014 17:50, Sascha Kühndel (InuSasha) wrote:
> Hi,
> 
> i have actual an problem with my proxy-timeout configuration.
> (Apache 2.2.26, but 2.4 seems to have the same problem).
> 
> In my apache configuration we have defined a global ProxyTimeout to 30
> seconds.
> But one of our JBoss-backends have some slow pages, and we want to raise
> the timeout to 2 minutes.
> (without change of the default timeout).
> 
> But the timeout is not used, for the backend. The timeout change for an
> other backend works fine.
> Imho, the imported difference is the backend type.
> balancer doesn't work, http work.
> 
> Example:
> ...
> ProxyTimeout 30
> ProxyPass /content balancer://jboss timeout=120 # timeout after 30 secs
> ProxyPass /mon     http://monitor timeout=10    # timeout after 10 secs
> ProxyPass /other   http://other                 # timeout after 30 secs
> ...
> 
> In the documentation, the timeout parameter seems to be redefined for
> balancer.
> Is this correct? Documentation bug? Software bug? My configuration buggy?

Configuration bug. The docs are correct, timeout for a balancer worker
has a different meaning than timeout for a normal http or ajp worker.

> Know anyone a simple solution?

Depending on how you defined your balancer members, add the timeout
either to each "BalancerMember" (likely) or ProxySet for each member
(unlikely).

> We have many backends,
> so the workaround to change the default ProxyTimeout and set the timeout
> per backend is the last way.

Regards,

Rainer





Re: [users@httpd] Apache %D and %T meanings...

2013-09-09 Thread Rainer Jung
On 09.09.2013 20:50, Tony Anecito wrote:
> Many Thanks. I thought I was using the APR which is the native version
> of Apache so was thinking that produced the logs I was looking at. I
> will verify the valve is turned on for for APR. If it is should I see
> milliseconds for the %D?

APR does not influence the meaning of the pattern in the Tomcat access
log. If you are talking about a tomcat access log configured in
server.xml %D is always milliseconds.

For the Apache web server it is always microseconds.

If you need more advice on Tomcat, then I suggest you switch over to the
Tomcat users list.

Regards,

Rainer

> *From:* Rainer Jung 
> *To:* users@httpd.apache.org
> *Sent:* Monday, September 9, 2013 9:40 AM
> *Subject:* Re: [users@httpd] Apache %D and %T meanings...
> 
> On 09.09.2013 17:35, Tony Anecito wrote:
>> Hi All,
>>
>> I am using the Apache Realtime Plugin (APR) that comes with ApacheTomcat
>> 7.0.33. I am using Java 7.0.5 64-bit on Windows 7 64-bit.
>>
>> I have noticed in the logs that the %D looks like it gives me
>> milliseconds when compared to the %T seconds. For example:
>>
>> %D   %T
>> 72   0.072
>> 103  0.103
>> 32   0.032
>>
>> The Apache documentation seems to indicate %D is microseconds not
>> milliseconds.
> 
> %T is seconds, %D in the Tomcat access logs is milliseconds, %D in the
> Apache web server access logs is microseconds.
> 
> Regards,
> 
> Rainer




Re: [users@httpd] Apache %D and %T meanings...

2013-09-09 Thread Rainer Jung
On 09.09.2013 17:35, Tony Anecito wrote:
> Hi All,
> 
> I am using the Apache Realtime Plugin (APR) that comes with ApacheTomcat
> 7.0.33. I am using Java 7.0.5 64-bit on Windows 7 64-bit.
> 
> I have noticed in the logs that the %D looks like it gives me
> milliseconds when compared to the %T seconds. For example:
> 
> %D   %T
> 72   0.072
> 103  0.103
> 32   0.032
> 
> The Apache documentation seems to indicate %D is microseconds not
> milliseconds.

%T is seconds, %D in the Tomcat access logs is milliseconds, %D in the
Apache web server access logs is microseconds.

Regards,

Rainer





Re: [users@httpd] Apache 2.4 ReverseProxy Issue

2013-08-24 Thread Rainer Jung
On 21.08.2013 13:42, Womann, Sven wrote:
> Sorry, I meant to write example.com...
> 
> I use include my RP-Rules in a dedicated file.
> There I work with RewriteRule ^/(.*)$ http://internal.example.com/$1 [P,QSA,L]
> ProxyPassReverse is used in a Location directive like
> 
> 
>   ProxyPassReverse /
> 
> 
> The 302 Location is fully qualified, so normally the ProxyPassReverse shouldn't
> match...

A standards conforming Location header always is a full URL.
The only reason for a ProxyPassReverse is fixing Location headers, so
your assumptions are not valid here ;)

If your backend already provides the correct Location headers for any
redirect, then remove the ProxyPassReverse.

> The header is set correctly, but the 302 changes in front of the RP.

Regards,

Rainer





Re: [users@httpd] Problems with mod_proxy_balancer / slotmem_create @ apache 2.4.4

2013-08-24 Thread Rainer Jung
On 12.08.2013 13:19, andre.wen...@bmw.de wrote:
> since apache version 2.4.4 I have a problem by running multiple apache
> instances on my server. Normally we run multiple apaches, under
> different users, on one machine, but since 2.4.4 we have often the
> problem that apache is not able to reserve shared memory, because some
> other instance is using the same shared memory block.
> 
>  
> 
> The failure in the logs:
> 
>  
> 
> [Fri Aug 09 09:24:31.160654 2013] [:emerg] [pid 23958:tid
> 139658191218496] AH00020: Configuration Failed, exiting
> 
> [Fri Aug 09 11:09:46.919038 2013] [proxy_balancer:emerg] [pid 6549:tid
> 139675464337216] (17)File exists: AH01179: balancer slotmem_create failed
> 
>  
> 
> Also seen from another failure
> 
> 6989  shmget(0x1038007, 537, IPC_CREAT|IPC_EXCL|0600) = -1 EEXIST (File
> exists)
> 
>  
> 
> If I now check the shared memory with "ipcs -a" I see that the segment
> is reserved by another instance of another user. After waiting a couple
> of minutes (up to hours) the apache is then able to start, but waiting
> is currently not really an option!?
> 
>  
> 
> Currently, I’m using apache 2.4.4 with the newest open ssl and
> openldap version on Suse Linux 11 SP1/2.
> 
>  
> 
> Is there any work around or solution available, or an idea to solve this
> issue?

Can you try DefaultRuntimeDir ?

Regards,

Rainer

-- 
kippdata
informationstechnologie GmbH   Tel: 0228 98549 -0
Bornheimer Str. 33a            Fax: 0228 98549 -50
53111 Bonn                     www.kippdata.de

HRB 8018 Amtsgericht Bonn / USt.-IdNr. DE 196 457 417
Geschäftsführer: Dr. Thomas Höfer, Rainer Jung, Sven Maurmann




Re: [users@httpd] Strange Problem with POST + mod_jk

2013-08-08 Thread Rainer Jung
On 08.08.2013 17:32, Nick Tkach wrote:
> Not quite sure if this needs to wind up in this group or the tomcat list
> since it kind of involves both.  I'm fairly sure it involves an Apache
> misconfig, so thought I'd start here.
> 
> We've got an Apache facing the Internet with some Java app servers (both
> jboss and tomcat), pretty standard thing.  It's got the jk status worker
> locked down to only the internal IP addresses as usual.  That much seems
> to work fine.  The weirdness is that if you do a "blank" POST to the
> root context in the Apache it returns the jk status page *regardless of
> where you are*.
> 
> So for instance, let's say my external site is http://baseco.com.  If
> I've got the status worker mounted as /status, then
> http://baseco.com/status is correctly *not* reachable from the outside
> (403 denied) and correctly *is* reachable from the inside.
> 
>  However if I do a POST of blank lines:
> 
> POST / HTTP/1.0
> Host:baseco.com 
> 
> 
> (there are two carriage returns here)
> 
> It acts as though you made a call to http://baseco.com/status (in the
> contents-not the url).
> 
> Not sure what all parts of the config to include, but this is the
> general outline
> 
> --
> DirectoryIndex index.html index.html.var
> 
> 
> Options FollowSymLinks
> AllowOverride None
> 
> Order allow,deny
> Allow from all
> 
> 
> Order deny,allow
> Deny from all
> 
> 
> 
> JkMount /status mystatus
> 
> JkMount mystatus
> Order allow,deny
> Allow from all
> Deny from xx.yy.zz aa.bb.cc  (subnets for
> external-facing firewalls)
> 
> 
> 
> 
> --
> 
> Then the really strange (to me) follow-up is that it seems to be related
> to not having anything for an index page in the DocumentRoot directory
> (even though we're blocking access to /).  As soon as you put an
> index.html file out there in the DocumentRoot (even with just a blank
> line in it) the problem goes away.
> 
> I'm trying to figure out how a request for / can "become" a call to
> /status.  Any ideas?  I'm guessing it's something subtle about the
> config and not an actual bug.


The shown config obviously is not complete. You should also tell us
about the versions of Apache and mod_jk used.

I would clean up by removing "JkMount mystatus" from inside the
Location. The JkMount above the Location is sufficient.

The problem does not happen if you request "GET /"?

Then I would switch JkLogLevel to "debug" on an idle system, reproduce
the problem and post the log here. Clean the log from any info that you
don't want to expose publicly.

Regards,

Rainer




Re: [users@httpd] concerns about requirements for Apache 2.4.6 release

2013-07-30 Thread Rainer Jung
On 30.07.2013 16:13, Dennis Clarke wrote:
> Not to be a completely obsessive compulsive nit pick, but being OCD
> helps greatly when writing software. Any chance we could fix the
> typo?
> 
> - Higher performant shm-based cache implementation
> 
> Probably should be "performance" there.
> 
> dc
> 
> ps: good to see PR 54735 was fixed. That drove me nuts for a while.

It is not in a typical dictionary but there exist several discussions
whether the word can be used or not. So it's a matter of style and I'll
leave it to Jim whether he wants to change it.

I hope that doesn't put you in a dangerous mental state ;)

Regards,

Rainer





Re: [users@httpd] concerns about requirements for Apache 2.4.6 release

2013-07-30 Thread Rainer Jung
On 30.07.2013 10:27, Rainer Jung wrote:
> On 30.07.2013 05:08, Dennis Clarke wrote:
>>
>> I'm a bit confused about the requirements for Apache 2.4.6.  This page
>> seems very clear :
>>
>> http://www.apache.org/dist/httpd/Announcement2.4.html
>>
>> There it states that "This release requires the Apache Portable Runtime
>> (APR) version 1.4.x and APR-Util version 1.4.x"
>>
>> The page for the Apache Portable Runtime project shows APR-util at 1.5.2 :
>>
>> http://apr.apache.org/
>>
>> My most recent build of Apache 2.4.4 seems to run fine built thus :
>>
>> ( from my server's /server-info page )
>> Server Version: Apache/2.4.4 (Unix) OpenSSL/1.0.1e PHP/5.4.16
>> Server Built: Feb 28 2013 10:46:58
>> Server loaded APR Version: 1.4.6
>> Compiled with APR Version: 1.4.6
>> Server loaded APU Version: 1.5.1
>> Compiled with APU Version: 1.5.1
>>
>> However this most recent release 2.4.6 seems to require apr and apu
>> 1.4.x only.
>>
>> Is this a firm requirement ?
> 
> It should say 1.4.x or higher. That's implied by the APR/APU versioning
> and compatibility rules but of course not obvious to our users.

... and was just fixed by Jim in the announcement text.

Regards,

Rainer





Re: [users@httpd] concerns about requirements for Apache 2.4.6 release

2013-07-30 Thread Rainer Jung
On 30.07.2013 05:08, Dennis Clarke wrote:
> 
> I'm a bit confused about the requirements for Apache 2.4.6.  This page
> seems very clear :
> 
> http://www.apache.org/dist/httpd/Announcement2.4.html
> 
> There it states that "This release requires the Apache Portable Runtime
> (APR) version 1.4.x and APR-Util version 1.4.x"
> 
> The page for the Apache Portable Runtime project shows APR-util at 1.5.2 :
> 
> http://apr.apache.org/
> 
> My most recent build of Apache 2.4.4 seems to run fine built thus :
> 
> ( from my server's /server-info page )
> Server Version: Apache/2.4.4 (Unix) OpenSSL/1.0.1e PHP/5.4.16
> Server Built: Feb 28 2013 10:46:58
> Server loaded APR Version: 1.4.6
> Compiled with APR Version: 1.4.6
> Server loaded APU Version: 1.5.1
> Compiled with APU Version: 1.5.1
> 
> However this most recent release 2.4.6 seems to require apr and apu
> 1.4.x only.
> 
> Is this a firm requirement ?

It should say 1.4.x or higher. That's implied by the APR/APU versioning
and compatibility rules but of course not obvious to our users.

Regards,

Rainer





Re: [users@httpd] Logging Base64 decoded info in access_log

2013-07-27 Thread Rainer Jung
On 27.07.2013 10:29, Pete Houston wrote:
> On Fri, Jul 26, 2013 at 12:39:37PM -0700, Jignesh Badani wrote:
>> Thanks Pete, yes, post processing the log file nightly is the option I was
>> considering. I am doing it currently on a per request basis. But I was
>> hoping to avoid it if I could do it in real time by calling on B64 decode
>> on the cookie.
> 
> I do not see the advantage in doing it in real time over
> post-processing. The docs are pretty clear on this too.
> 
> http://httpd.apache.org/docs/2.4/logs.html#piped says
> 
>   As with conditional logging, piped logs are a very powerful tool,
>   but they should not be used where a simpler solution like off-line
>   post-processing is available.
> 
> which is good advice.
> 
>> Piped logs is an option I did not consider even though I am currently using
>> it for logs rotation. Can you suggest how I can achieve what you are
>> proposing w/o losing out on the log rotation functionality.
>>
>> I have the following in my httpd config:
>>
>> ---
>> CustomLog "|/opt/apache/bin/rotatelogs /opt/apache/logs/access_log 86400" combined env=!dontlog
>>
>> #where dontlog are a couple of load balancers IP address I want to keep out of the access logs.
>>
>> ---
> 
> If you go against the advice in the documentation and decide to do it
> with piped logs just use something like 
> 
>   CustomLog "|/path/to/filterprog | /opt/apache/bin/rotatelogs /opt/apache/logs/access_log 86400" combined env=!dontlog
> 
> And remember the docs also say:
> 
>   Piped log processes are spawned by the parent Apache httpd process,
>   and inherit the userid of that process. This means that piped log
>   programs usually run as root. It is therefore very important to keep
>   the programs simple and secure.

... and handle the signals issued during Apache (graceful) restart to
all children including such piped filters.

Regards,

Rainer
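
A filter of the kind discussed in this thread, as an added example that is not part of the original messages or of httpd. It decodes the Base64 cookie, escapes the decoded bytes so a client cannot forge log lines, and ignores restart signals so it drains the pipe until EOF. The cookie name, its position as the last quoted field, and the signal policy are assumptions.

```python
#!/usr/bin/env python3
"""Piped-log filter: Base64-decode one logged cookie field, safely."""
import base64
import binascii
import re
import signal
import sys

# Assumption: the LogFormat ends with the cookie as a quoted field, e.g.
#   LogFormat "%h %l %u %t \"%r\" %>s %b \"%{session}C\"" b64cookie
# ("session" and "b64cookie" are made-up names). On httpd 2.4 the shell
# pipeline "filter | rotatelogs" needs the "|$" prefix, because a plain "|"
# starts the program without a shell.
LAST_FIELD = re.compile(r'"((?:[^"\\]|\\.)*)"\s*$')
MAX_DECODED = 256  # upper bound on what one request may add to a line


def sanitize(raw: bytes) -> str:
    """Render decoded bytes so they cannot break or forge a log line."""
    out = []
    for b in raw[:MAX_DECODED]:
        ch = chr(b)
        if ch in '"\\':
            out.append("\\" + ch)        # keep the field's quoting intact
        elif 0x20 <= b < 0x7F:
            out.append(ch)
        else:
            out.append("\\x%02x" % b)    # CR, LF, NUL, high bytes, ...
    if len(raw) > MAX_DECODED:
        out.append("...[truncated]")
    return "".join(out)


def decode_line(line: str) -> str:
    """Replace the trailing quoted Base64 field with its sanitized decoding.

    Lines without such a field, or whose field is not strict Base64,
    are passed through unchanged so that no log entry is ever dropped.
    """
    line = line.rstrip("\r\n")
    m = LAST_FIELD.search(line)
    if m is None or m.group(1) in ("", "-"):
        return line
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except (binascii.Error, ValueError):
        return line
    return line[:m.start(1)] + sanitize(raw) + line[m.end(1):]


def main() -> int:
    # Assumption: the filter may receive these signals when httpd restarts
    # or stops. Ignoring them and exiting on EOF lets it drain whatever the
    # old children still write before the pipe is closed.
    for sig in (signal.SIGTERM, signal.SIGHUP, signal.SIGUSR1, signal.SIGWINCH):
        signal.signal(sig, signal.SIG_IGN)
    # If rotatelogs goes away, die instead of buffering forever.
    signal.signal(signal.SIGPIPE, signal.SIG_DFL)

    out = sys.stdout.buffer
    for raw_line in sys.stdin.buffer:
        # latin-1 maps bytes 1:1, so undecodable input cannot raise here.
        text = decode_line(raw_line.decode("latin-1"))
        out.write(text.encode("latin-1") + b"\n")
        out.flush()  # one line at a time; rotatelogs does the file handling
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

The filter never opens files and never runs other programs, which keeps the code that runs with the parent's userid small.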





Re: [users@httpd] FIPS disabled by httpd 2.4.3

2012-08-22 Thread Rainer Jung

On 22.08.2012 20:47, Ruiyuan Jiang wrote:

Hi,

My OpenSSL v1.0.1c was compiled as FIPS enabled.

# /usr/local/ssl/bin/openssl
OpenSSL> version
OpenSSL 1.0.1c-fips 10 May 2012
OpenSSL>

I compiled httpd v2.4.2 and v2.4.3 to use the above version of openssl. After I
started httpd v2.4.3, I noticed in the error_log that FIPS is being disabled. Why, or is
there something that I did wrong for the mod_ssl option in the "configure"
period? Thanks.

# cat  error_log
[Wed Aug 22 14:37:24.561183 2012] [ssl:notice] [pid 23557:tid 140125173548800] AH01886: SSL FIPS mode disabled
[Wed Aug 22 14:37:28.603319 2012] [:notice] [pid 23557:tid 140125173548800] ModSecurity for Apache/2.6.7 (http://www.modsecurity.org/) configured.
[Wed Aug 22 14:37:28.603331 2012] [:notice] [pid 23557:tid 140125173548800] ModSecurity: APR compiled version="1.4.6"; loaded version="1.4.6"
[Wed Aug 22 14:37:28.603336 2012] [:notice] [pid 23557:tid 140125173548800] ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
[Wed Aug 22 14:37:28.603340 2012] [:notice] [pid 23557:tid 140125173548800] ModSecurity: LIBXML compiled version="2.7.6"
[Wed Aug 22 14:37:28.603343 2012] [:notice] [pid 23557:tid 140125173548800] Original server signature: Apache/2.4.3 (Unix) OpenSSL/1.0.1c-fips
[Wed Aug 22 14:37:28.686133 2012] [ssl:notice] [pid 23568:tid 140125173548800] AH01886: SSL FIPS mode disabled
[Wed Aug 22 14:37:28.724620 2012] [lbmethod_heartbeat:notice] [pid 23568:tid 140125173548800] AH02282: No slotmem from mod_heartmonitor
[Wed Aug 22 14:37:29.011086 2012] [mpm_worker:notice] [pid 23568:tid 140125173548800] AH00292: Apache/2.4.3 (Unix) OpenSSL/1.0.1c-fips rproxynj.fifthandpacific.com configured -- resuming normal operations
[Wed Aug 22 14:37:29.011208 2012] [core:notice] [pid 23568:tid 140125173548800] AH00094: Command line: '/opt/apache2.4.3/bin/httpd'


http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslfips

No difference between 2.4.2 and 2.4.3 though.

In order for the message to be written, your build needs support for the 
directive. This is included in 2.4.2 and 2.4.3 by default, but could be 
disabled if during the build HAVE_FIPS is not defined. This define in 
turn is set if the OpenSSL detected during configure is of version >= 
0.9.8a and has FIPS support built in.


I would first check for differences between your builds of 2.4.2 and 
2.4.3 by adding SSLFips Off to the config. If FIPS support is not 
compiled into Apache, then it will fail to start and complain about an 
unknown directive SSLFips.


If adding the directive works for both, try setting it to On in both 
cases and check the startup messages for FIPS mode messages.


Regards,

Rainer




Re: [users@httpd] problems installing mod_ldap when compliing httpd 2.2.22

2012-08-21 Thread Rainer Jung

On 21.08.2012 19:45, John Adamski wrote:

Apache 2.22 on HPUX 11v3 Integrity (Itanium) server

Our ERP is updating which version of apache httpd they use from 2.2.15 to 2.2.22.  
We have a local process that uses mod_ldap & mod_authnz.  The ERP provides a 
script that does all the setup and compiling for us.  I'm trying to get httpd to 
compile on our test/dr server prior to doing it on our production server.

Last time when we upgraded to 2.2.15 I just had to add these three lines into 
the script to get things to compile with the added modules.

  set config_options="${config_options} --enable-ldap=static"
  set config_options="${config_options} --enable-authnz-ldap=static"
  set config_options="${config_options} --with-ldap=ldap"


when the script runs I get this:

./apache2_install | & tee install4.Out
"/home/carsids/adamski/.redo" 1 line, 40 characters

Directory: /opt/apache2/src/httpd-2.2.22

Command: ./configure --prefix=/opt/apache2 --enable-authn-dbm=shared --with-mpm=prefork --with-included-apr --without-berkeley-db --enable-expires=shared --enable-headers=shared --enable-rewrite=shared --enable-mime-magic=shared --enable-info=shared --enable-status=shared --enable-userdir=shared --enable-http --enable-so --enable-ssl=shared --with-ssl=/opt/openssl101 --with-perl=/opt/perl514 --with-ndbm --with-expat=/opt/gnu --enable-dumpio=shared --enable-ldap=static --enable-authnz-ldap=static --with-ldap=ldap >& config.out
Command: make >& make.out

./apache2_install: Error: See errors in the .out file.

The make.out file has this at the end:

/bin/sh /opt/apache2/src/httpd-2.2.22/srclib/apr/libtool --silent --mode=link cc  +Onoprocelim +DD32 -Ae +Z -mt  +Onoprocelim +DD32   -Wl,+b -Wl,/opt/apache2/lib:/opt/openssl101/lib:/opt/openssl101/lib/hpux32:/opt/gnu/lib:/opt/apache2/src/httpd-2.2.22/srclib/apr/.libs -L/opt/gnu/lib -release 1 -module -rpath /opt/apache2/lib/apr-util-1 -o dbm/apr_dbm_ndbm.la dbm/apr_dbm_ndbm.lo -lc
/bin/sh /opt/apache2/src/httpd-2.2.22/srclib/apr/libtool --silent --mode=compile cc +Onoprocelim +DD32 -Ae +Z -mt  +Onoprocelim +DD32 -DHAVE_CONFIG_H -DHPUX11 -D_REENTRANT -D_HPUX_SOURCE -D_LARGEFILE64_SOURCE   -I/opt/apache2/src/httpd-2.2.22/srclib/apr-util/include -I/opt/apache2/src/httpd-2.2.22/srclib/apr-util/include/private  -I/opt/apache2/src/httpd-2.2.22/srclib/apr/include  -I/opt/gnu/include  -o ldap/apr_ldap_init.lo -c ldap/apr_ldap_init.c && touch ldap/apr_ldap_init.lo
"ldap/apr_ldap_init.c", line 168: warning #2223-D: function "ldapssl_init" declared implicitly
   *ldap = ldapssl_init(hostname, portno, 0);
   ^

"ldap/apr_ldap_init.c", line 168: warning #2513-D: a value of type "int" cannot be assigned to an entity of type "LDAP *"
   *ldap = ldapssl_init(hostname, portno, 0);
 ^

/bin/sh /opt/apache2/src/httpd-2.2.22/srclib/apr/libtool --silent --mode=compile cc +Onoprocelim +DD32 -Ae +Z -mt  +Onoprocelim +DD32 -DHAVE_CONFIG_H -DHPUX11 -D_REENTRANT -D_HPUX_SOURCE -D_LARGEFILE64_SOURCE   -I/opt/apache2/src/httpd-2.2.22/srclib/apr-util/include -I/opt/apache2/src/httpd-2.2.22/srclib/apr-util/include/private  -I/opt/apache2/src/httpd-2.2.22/srclib/apr/include  -I/opt/gnu/include  -o ldap/apr_ldap_option.lo -c ldap/apr_ldap_option.c && touch ldap/apr_ldap_option.lo
"ldap/apr_ldap_option.c", line 446: warning #2223-D: function "ldapssl_enable_clientauth" declared implicitly
   result->rc = ldapssl_enable_clientauth(ldap, "",
^

"ldap/apr_ldap_option.c", line 456: warning #2223-D: function "ldapssl_advclientauth_init" declared implicitly
   result->rc = ldapssl_advclientauth_init(cert7db, NULL,
^

"ldap/apr_ldap_option.c", line 458: error #2020: identifier "LDAPSSL_AUTH_CNCHECK" is undefined
   1, secmod, LDAPSSL_AUTH_CNCHECK);
  ^

"ldap/apr_ldap_option.c", line 465: warning #2223-D: function "ldapssl_clientauth_init" declared implicitly
   result->rc = ldapssl_clientauth_init(cert7db, NULL,
^

"ldap/apr_ldap_option.c", line 473: warning #2223-D: function "ldapssl_client_init" declared implicitly
   result->rc = ldapssl_client_init(cert7db, NULL);
^

1 error detected in the compilation of "ldap/apr_ldap_option.c".
make[3]: *** [ldap/apr_ldap_option.lo] Error 1
make[3]: Leaving directory `/opt/apache2/src/httpd-2.2.22/srclib/apr-util'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/opt/apache2/src/httpd-2.2.22/srclib/apr-util'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/opt/apache2/src/httpd-2.2.22/srclib'
make: *** [all-recursive] Error 1

Since I now get this 2020 error, I assume I don't have some other mod_* that I 
need to add to get it to compile.

I have also removed the '=static' and '=ldap' on the lin

Re: [users@httpd] Apache authentication - require group AND (not OR) user

2012-08-15 Thread Rainer Jung

On 14.08.2012 23:30, Ben Johnson wrote:

Hello,

I've scoured the Internet for examples of how to implement logical
operators where the "require" directive is concerned.

The dearth of documentation and discussion regarding this subject leads
me to believe that it has not been implemented, or was implemented at
one time and then removed.

This is the most thorough discussion I can find on the subject, which
dead-ends:
http://www.mombu.com/programming/linux/t-apache-22-both-require-user-and-require-group-739013.html

My location block, which, at present, only allows one group
("programmers"), looks something like this:


AuthType Basic
AuthName "SVN Repository"
AuthBasicProvider dbm
AuthDBMType DB
AuthDBMUserFile "/var/www/apache-users"
AuthDBMGroupFile "/var/www/apache-users"
require group programmers
DAV svn
AuthzSVNAccessFile /var/www/projects/svn-access-control.cfg
SVNPath /var/www/svn/project


Ideally, I wish to do something like the following (I'm using
pseudo-code here, because it's probably easier to understand than plain
English):

if ($group === 'programmers' || ($group === 'clients' && $user === 'joe')) {
  //Allow access.
}
else {
  //Deny access.
}

Is this possible? Or do I need to give-up on controlling authentication
at this level and instead focus on authorization within
"svn-access-control.cfg"?

Thanks for any help!


You might be looking for the RequireAny and RequireAll container directives:

http://httpd.apache.org/docs/2.4/en/mod/mod_authz_core.html#requireall

See also

httpd.apache.org/docs/2.4/en/mod/mod_authz_core.html#requireall

and finally the How To

http://httpd.apache.org/docs/2.4/en/howto/auth.html

Regards,

Rainer





Re: [users@httpd] How to debug 70014 and 70007 errors

2012-08-12 Thread Rainer Jung

On 08.08.2012 16:20, ivan Gouin wrote:

Hi,

Here's more information about my issue:

Here i will call
user : the application  who post the request.
apache : the httpd server who receive request from the client and send
them to tomcat
tomcat: the web server tomcat, a Web Service application

Versions
user : Apache CXF client 2.2.9
apache: httpd 2.2.17 (tried a 2.2.22 too)
tomcat: 6.0.26 (jdk1.6.0_24)

Here's the POST request sent by user (* are for anonymising)

POST /***/***/ws/v2?test HTTP/1.1
Content-Type: text/xml; charset=UTF-8
SOAPAction: ""
Authorization: Basic Z3ZkMHRhb2FwcDpkbmVlc3cyYQ==
Accept: */*
User-Agent: Apache CXF 2.2.9
Content-Length: 304
Host: ***
Connection: Keep-Alive

http://schemas.xmlsoap.org/soap/envelope/";>

Start at 11:56:57
Between 11:56:57.5357 and 11:56:58:4784: 4 request pass OK

Here's the sequence after that: (Time of tomcat seems to be a little
shifted; user and apache are on the same host)

11:56:58.4817  user  : POST request
*11:56:58.459722  tomcat  TCP  551  50300 > 41323 [PSH, ACK] Seq=3187 Ack=3818 Win=22400 Len=485 TSval=345704305 TSecr=749474400 (HTTP 200)*
11:56:58.491981  apache  TCP  551  50300 > 41323 [PSH, ACK] Seq=3187 Ack=3818 Win=22400 Len=485 TSval=345704305 TSecr=749474400 (HTTP 200)
11:56:58.492251  user  HTTP/XML  594  HTTP/1.1 200 OK


Did this packet contain the full response?


*11:56:58.501457  tomcat  TCP  66  41323 > 50300 [ACK] Seq=3818 Ack=3672 Win=15872 Len=0 TSval=749474449 TSecr=345704305*
11:56:58.531503  apache  TCP  66  41323 > 50300 [ACK] Seq=3818 Ack=3672 Win=15872 Len=0 TSval=749474449 TSecr=345704305
11:56:58.585937  user  TCP  60  45501 > 80 [ACK] Seq=2893 Ack=3948 Win=49640 Len=0


5 seconds pause


*11:57:03.492499  user  TCP  54  80 > 45501 [FIN, ACK] Seq=3948 Ack=2893 Win=16640 Len=0*


KeepAlive Timeout 5 seconds configured for Apache?


11:57:03.494663  user  TCP  60  45501 > 80 [ACK] Seq=2893 Ack=3949 Win=49640 Len=0
11:57:08.694657  user  TCP  335  [TCP segment of a reassembled PDU]
11:57:08.694703  user  TCP  54  80 > 45501 [RST] Seq=3949 Win=0 Len=0
11:57:08.694661  user  HTTP/XML  358  POST /*/*/ws/v2?test HTTP/1.1
11:57:08.694763  user  TCP  54  80 > 45501 [RST] Seq=3949 Win=0 Len=0
*11:57:18.466178  tomcat  TCP  66  50300 > 41323 [FIN, ACK] Seq=3672 Ack=3818 Win=22400 Len=0 TSval=345724311 TSecr=749474449*
11:57:18.498510  apache  TCP  66  50300 > 41323 [FIN, ACK] Seq=3672 Ack=3818 Win=22400 Len=0 TSval=345724311 TSecr=749474449
*11:57:18.508720  tomcat  TCP  66  41323 > 50300 [ACK] Seq=3818 Ack=3673 Win=15872 Len=0 TSval=749494456 TSecr=345724311*
11:57:18.538771  apache  TCP  66  41323 > 50300 [ACK] Seq=3818 Ack=3673 Win=15872 Len=0 TSval=749494456 TSecr=345724311

What makes me mad is why apache sends a FIN/ACK closing the communication??
Is there a time out somewhere?
This seems to happen about 5 seconds after the last ACK
Or 6 seconds after the opening of the socket (at 11:56:57.53)


I guess it's the Keep Alive Timeout of 5 seconds configured for Apache. 
Check configuration.


This should not produce a problem in itself. A client that observes a 
closed connection when trying to send a follow on request should 
transparently start a new connection.


Regards,

Rainer





Re: [users@httpd] How to debug 70014 and 70007 errors

2012-08-03 Thread Rainer Jung

Hi Ivan,

On 03.08.2012 17:23, ivan Gouin wrote:

Here's what i see on the tcpdump:

Got a TCP connect  3-way handshake. (SYN/SYN-ACK/ACK)
Got 7 POST request who got a return code 200

After the 7 POST, got a [ FIN, ACK] from the server.
Then RST from the server

Then the 8th request who goes in time out

Is there some kind of timeout in a tcp keep alive?


Your information is a bit too short. AFAIR we have three communication 
nodes, client, proxy and origin server. In addition there was a timeout 
happening suspected.


Your info on packets doesn't contain enough about who is communicating 
("return code 200", "the server") nor about the timing (what time 
intervals are between packets).


Regards,

Rainer


On 25 July 2012 11:29, ivan Gouin <gouin.i...@gmail.com> wrote:

Hi rainer,
For case 70007,  the timeout expired, in access log , i've got a 300
second timeout
In the same time, tomcat's access log haven't any trace of the
corresponding request.

For these request, response time is about 30-100ms

Apache is Apache/2.2.17
Tomcat is 6.0.26 (jdk1.6.0_24)

I'm preparing a tcpdump on each side to see if i can see something
received by tomcat .

Ivan


On 25 July 2012 11:02, Rainer Jung <rainer.j...@kippdata.de> wrote:

On 25.07.2012 09:52, ivan Gouin wrote:

Hi,

I've got those error in my httpd error log:

[Wed Jul 25 08:10:55 2012] [error] (70014)End of file found: proxy:
prefetch request body failed to *.*.*.*:50300 (...) from . ()
[Wed Jul 25 00:13:18 2012] [error] (70007)The timeout specified has
expired: proxy: prefetch request body failed to  to *.*.*.*:50300 (...)
from . ()


Maybe the Timeout has expired?


Those error occurs with client accessing a tomcat WS through mod_proxy .

Not all the requests are rejected for today, 416 out of 2194 got one of
these errors.

don't really know how to proceed to debug this error.
thanks for your help


Add %D to your Tomcat and Apache Access Logs. It is the response
time in milliseconds (Tomcat) resp. microseconds (Apache). If
the number is e.g. slightly above 6000 for Apache and you
had set a timeout of 60 seconds, then you know the problem is
that the response takes too long. You can then check Tomcat's
Access Log to see how long it actually took. If it really takes
too long in Tomcat, then take thread dumps to analyze and switch
to the Tomcat users mailing list.

HTH.

Rainer







--
Ivan GOUIN

Mob (Suisse) : +41 (0)79 94107 90

Mail : gouin.i...@gmail.com









Re: [users@httpd] Apache server returned a lots Continuation or non-HTTP traffic packages instead of full package

2012-07-27 Thread Rainer Jung

On 27.07.2012 08:11, shuoshi chen wrote:

Hi, all

I recently use apache server to provide mp3 stream for playing. The
content type is specified as audio/mpeg, and everything is ok when I use
a test server( Apache/2.2.22 (Unix)), it returned an HTTP/1.1 200
(audio/mpeg) package. But when I put my code to a VPS server, I can't
get a full package as normal. The VPS server returned a
lots Continuation or non-HTTP traffic packages. Is it because of some
wrong configuration in httpd.conf?


What is a VPS server? How is the production VPS server related to your 
test Apache server? I guess you need to give more details ...


Regards,

Rainer





Re: [users@httpd] httpd v2.2.22 with openssl 1.0.1c

2012-07-25 Thread Rainer Jung

On 25.07.2012 16:31, Ruiyuan Jiang wrote:

Hi, all

Last month, I posted a problem that httpd v2.2.22 did not work with openssl v1.0.1c. For 
me, it worked with openssl v1.0.0g with the same "configure" options for httpd 
and openssl. So far I did not hear anything. I am re-posting my message here and hopefully I 
can get a response this time. Thanks.

# ./configure --enable-ssl=shared --enable-ssl --with-ssl=/usr/local/ssl

...
checking whether to enable mod_ssl... checking dependencies
checking for SSL/TLS toolkit base... /usr/local/ssl
   adding "-I/usr/local/ssl/include" to CPPFLAGS
   adding "-I/usr/local/ssl/include" to INCLUDES
   adding "-L/usr/local/ssl/lib" to LDFLAGS
checking for OpenSSL version... checking openssl/opensslv.h usability... yes
checking openssl/opensslv.h presence... yes
checking for openssl/opensslv.h... yes
checking openssl/ssl.h usability... yes
checking openssl/ssl.h presence... yes
checking for openssl/ssl.h... yes
OK
   forcing SSL_LIBS to "-lssl -lcrypto  "
   adding "-lssl" to LIBS
   adding "-lcrypto" to LIBS
checking openssl/engine.h usability... yes
checking openssl/engine.h presence... yes
checking for openssl/engine.h... yes
checking for SSLeay_version... yes
checking for SSL_CTX_new... no
checking for ENGINE_init... no
checking for ENGINE_load_builtin_engines... no
checking for SSL_set_cert_store... no
configure: error: ... Error, SSL/TLS libraries were missing or unusable
[root@server httpd-2.2.22]#


Usually more detailed error information can be found in the file 
config.log in the build directory. The information we are looking for is 
not at the end of the file, but directly before the long list of 
variables and values that ends the file.


Especially we are looking for the detailed error messages leading to:

> checking for SSL_CTX_new... no
> checking for ENGINE_init... no
> checking for ENGINE_load_builtin_engines... no
> checking for SSL_set_cert_store... no

Regards,

Rainer





Re: [users@httpd] How to debug 70014 and 70007 errors

2012-07-25 Thread Rainer Jung

On 25.07.2012 09:52, ivan Gouin wrote:

Hi,

I've got those error in my httpd error log:

[Wed Jul 25 08:10:55 2012] [error] (70014)End of file found: proxy:
prefetch request body failed to *.*.*.*:50300 (...) from . ()
[Wed Jul 25 00:13:18 2012] [error] (70007)The timeout specified has
expired: proxy: prefetch request body failed to  to *.*.*.*:50300 (...)
from . ()


Maybe the Timeout has expired?


Those error occurs with client accessing a tomcat WS through mod_proxy .

Not all the requests are rejected for today, 416 out of 2194 got one of
these errors.

don't really know how to proceed to debug this error.
thanks for your help


Add %D to your Tomcat and Apache Access Logs. It is the response time in 
milliseconds (Tomcat) resp. microseconds (Apache). If the number is 
e.g. slightly above 6000 for Apache and you had set a timeout of 60 
seconds, then you know the problem is that the response takes too long. 
You can then check Tomcat's Access Log to see how long it actually took. 
If it really takes too long in Tomcat, then take thread dumps to analyze 
and switch to the Tomcat users mailing list.


HTH.

Rainer
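
The %D comparison suggested in this thread, as an added example that is not part of the original messages: it reads httpd and Tomcat access-log lines, converts both %D values to seconds, and sorts requests that reached the timeout by what the backend logged. It assumes both logs use the common log format with %D as the last field; the sample lines, the 300 second timeout and the 5 second clock-skew window are constructed.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Assumption: common log format with %D appended as the last field, e.g.
#   LogFormat "%h %l %u %t \"%r\" %>s %b %D"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ (?P<dur>\d+)$'
)
# %D is microseconds in httpd and milliseconds in Tomcat (as stated above).
UNITS_PER_SECOND = {"httpd": 1_000_000, "tomcat": 1_000}

# Constructed sample data, not taken from the thread.
HTTPD_SAMPLE = [
    '192.0.2.10 - - [25/Jul/2012:08:05:55 +0200] "POST /ws/v2 HTTP/1.1" 200 594 48211',
    '192.0.2.10 - - [25/Jul/2012:08:05:58 +0200] "POST /ws/v2 HTTP/1.1" 502 312 300004517',
    '192.0.2.11 - - [25/Jul/2012:08:07:10 +0200] "POST /ws/report HTTP/1.1" 502 312 300120033',
]
TOMCAT_SAMPLE = [
    '198.51.100.7 - - [25/Jul/2012:08:05:54 +0200] "POST /ws/v2 HTTP/1.1" 200 594 41',
    '198.51.100.7 - - [25/Jul/2012:08:07:12 +0200] "POST /ws/report HTTP/1.1" 200 88 300950',
]


def parse(line, source):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {
        "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
        "seconds": int(m["dur"]) / UNITS_PER_SECOND[source],
    }


def load(lines, source):
    """Parse all lines of one log, silently skipping lines that do not match."""
    return [e for e in (parse(l, source) for l in lines) if e is not None]


def classify(httpd_lines, tomcat_lines, timeout_s, skew_s=5):
    """Group httpd requests that reached the timeout by what Tomcat logged."""
    front = sorted(load(httpd_lines, "httpd"), key=lambda e: e["time"])
    back = load(tomcat_lines, "tomcat")
    skew = timedelta(seconds=skew_s)
    report = {"total": len(front), "not_seen_by_backend": [],
              "backend_slow": [], "backend_quick": [], "by_path": Counter()}
    for req in front:
        match = next((b for b in back
                      if b["method"] == req["method"]
                      and b["path"] == req["path"]
                      and abs(b["time"] - req["time"]) <= skew), None)
        if match is not None:
            back.remove(match)  # one backend entry explains one request
        if req["seconds"] < timeout_s:
            continue
        report["by_path"][req["path"]] += 1
        if match is None:
            report["not_seen_by_backend"].append(req)
        elif match["seconds"] >= timeout_s:
            report["backend_slow"].append((req, match))
        else:
            report["backend_quick"].append((req, match))
    return report


if __name__ == "__main__":
    result = classify(HTTPD_SAMPLE, TOMCAT_SAMPLE, timeout_s=300)
    for key in ("not_seen_by_backend", "backend_slow", "backend_quick"):
        print(key, len(result[key]))
    print(dict(result["by_path"]))
```

Requests in `not_seen_by_backend` match what the poster later reports in this thread: a 300 second entry in the httpd access log with no trace of the request in Tomcat's access log.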





Re: [users@httpd] Intermittent mod_proxy_ajp error - APR does not understand this error code: proxy: dialog

2012-07-25 Thread Rainer Jung

On 23.07.2012 20:36, Carlucci, Tony wrote:

Hello, I’ve been trying to track down an intermittent problem with a
Java web application that is running on tcServer fronted by Apache HTTP
Server. We get intermittent “Server Unavailable / HTTP 500” errors,
and when we do see them, there is the same set of log statements written
to the Apache HTTP Server error log:

[Mon Jul 23 10:03:15 2012] [error] (70014)End of file found:
ajp_ilink_receive() can't receive header

[Mon Jul 23 10:03:15 2012] [error] ajp_read_header: ajp_ilink_receive failed

[Mon Jul 23 10:03:15 2012] [error] (120006)APR does not understand this
error code: proxy: dialog to 127.0.0.1:7071 (127.0.0.1) failed

We are not seeing any error messages in the tcServer logs.

I believe the issue is with the mod_proxy_ajp module but it’s been very
difficult tracking down what exactly the problem is.   What’s
interesting is that this Apache / tcServer configuration is used with
other applications that work just fine and never have the intermittent
500 error.   We also can run our application strictly in Tomcat (no
Apache front) without any intermittent errors.

We haven’t ruled out that there could be something in our Java
application code that is causing this, in combination with the
mod_proxy_ajp module, but we have hit a wall as to what this issue could
be.  Has anyone else experienced a similar intermittent issue combined
with the above error messages?  Below is a copy of the error log and
some configuration settings.


You might want to check the following discussion thread:

   http://marc.info/?t=12390526557&r=1&w=2

To actually narrow down the cause I would:

- use ping as mentioned in the thread
- check whether the timeout you have set on the Tomcat connector is 
roughly the same as used by mod_proxy_ajp
- check whether it looks like happening mostly for the same URL, then it 
is more likely a servlet issue
- if it happens often enough sniff the traffic between Apache and Tomcat 
and then check the packet details for one of the broken requests. For 
this to work you might need to move Tomcat away from localhost.


Regards,

Rainer




Re: [users@httpd] Still showing 2.3.16, etc. as the latest release.

2012-07-25 Thread Rainer Jung

On 24.07.2012 18:17, Michael Felt wrote:

FYI: I navigated from the page: http://http://projects.apache.org/ ,
clicked on Alphabetical, clicked on H, clicked on "Apache HTTP Server"
and see (on http://projects.apache.org/projects/http_server.html)

Most recent releases:
Release                           Version      Date
Recommended current 2.2 release   2.2.22       2012-01-31
Development 2.3 beta release      2.3.16-beta  2011-12-20
Legacy 2.0 release                2.0.64       2010-10-19

I am sure there is a better place to be, but just thought what seems to
be a default path is giving outdated info.


Thanks for the heads up. Fixed by Eric Covener.

Regards,

Rainer




