RE: [users@httpd] RE: Is there any compatibility issue with apache httpd 2.2.22 with OpenSSL 1.0.1c

2012-08-30 Thread Ruiyuan Jiang
I had the problem with httpd 2.2.22 and OpenSSL 1.0.1c on Redhat. I don't have 
a problem with httpd 2.4.x and OpenSSL 1.0.1c on Redhat.


-----Original Message-----
From: Eric Covener [mailto:cove...@gmail.com] 
Sent: Thursday, August 30, 2012 10:41 AM
To: users@httpd.apache.org
Subject: Re: [users@httpd] RE: Is there any compatibility issue with apache 
httpd 2.2.22 with OpenSSL 1.0.1c

On Thu, Aug 30, 2012 at 10:08 AM, Thakur, Praveen Kumar wrote:
> Any update on this ?


You'll have to try it and see.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org




This message (including any attachments) is intended
solely for the specific individual(s) or entity(ies) named
above, and may contain legally privileged and
confidential information. If you are not the intended 
recipient, please notify the sender immediately by 
replying to this message and then delete it.
Any disclosure, copying, or distribution of this message,
or the taking of any action based on it, by other than the
intended recipient, is strictly prohibited.





[users@httpd] Pass Phrase encrypted private key and certificate and FIPS enabled mod_ssl

2012-08-29 Thread Ruiyuan Jiang
Hi,

Last week I posted a message that I had a problem with FIPS enabled openssl and 
httpd v2.4.3. I did a little bit of testing today and here is what I found. The 
original key and certificate were generated by openssl without FIPS enabled and 
the key was encrypted with AES 256. When I started httpd, it prompted me for the 
pass phrase. I typed in the correct pass phrase but it kept prompting me that the 
pass phrase is not correct. If I disable FIPS for mod_ssl, I don't have a 
problem providing the same pass phrase and starting httpd.

I stripped out the pass phrase from the original private key without any other 
changes and I can start httpd with FIPS enabled mod_ssl with no problem.

I recreated the private key, AES 256 encrypted with a pass phrase (I have to 
provide a pass phrase), with FIPS enabled OpenSSL (v1.0.1c) and regenerated the 
certificate from my CA.

When I started httpd, I got pass phrase prompt and I provided the correct pass 
phrase and it says the pass phrase is incorrect.

My question is whether FIPS enabled mod_ssl supports pass phrase? It seems to 
me it does not. Thanks.

Ryan Jiang
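
Background for the symptom described above, added here and not part of the original post: OpenSSL's traditional encrypted PEM format (`Proc-Type: 4,ENCRYPTED` with a `DEK-Info` header) derives the cipher key from the pass phrase with MD5, which a FIPS-mode OpenSSL does not permit, while a PKCS#8 key encrypted with PBES2 uses PBKDF2 instead. The Python example below reports which format a key file uses; `classify_key`, `KeyInfo` and the sample keys are constructed for illustration and contain no real key material.

```python
import base64
import re
from typing import NamedTuple, Optional

# DER-encoded OID values from PKCS #5 (RFC 8018).
OID_PBES2 = bytes.fromhex("2a864886f70d01050d")        # 1.2.840.113549.1.5.13
OID_PBE_MD5_DES = bytes.fromhex("2a864886f70d010503")  # 1.2.840.113549.1.5.3

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


class KeyInfo(NamedTuple):
    fmt: str                         # container / encryption format
    cipher: Optional[str]            # DEK-Info cipher for traditional keys
    legacy_md5_kdf: Optional[bool]   # None when this check cannot tell


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def pkcs8_scheme_oid(der):
    """Encryption-scheme OID of a PKCS#8 EncryptedPrivateKeyInfo."""
    tag, pos, _ = _read_tlv(der, 0)          # outer SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = _read_tlv(der, pos)        # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("missing AlgorithmIdentifier")
    tag, pos, end = _read_tlv(der, pos)      # algorithm OID
    if tag != 0x06:
        raise ValueError("missing algorithm OID")
    return der[pos:end]


def classify_key(pem_text):
    m = PEM_BLOCK.search(pem_text)
    if m is None:
        raise ValueError("no PEM block found")
    label, body = m.group(1), m.group(2)
    if label == "ENCRYPTED PRIVATE KEY":
        oid = pkcs8_scheme_oid(base64.b64decode("".join(body.split())))
        if oid == OID_PBES2:                 # PBKDF2-based scheme
            return KeyInfo("pkcs8-pbes2", None, False)
        if oid == OID_PBE_MD5_DES:           # PBES1 with MD5
            return KeyInfo("pkcs8-pbes1", None, True)
        return KeyInfo("pkcs8-other", None, None)
    if label == "PRIVATE KEY":
        return KeyInfo("pkcs8-unencrypted", None, False)
    if label.endswith(" PRIVATE KEY"):       # RSA / DSA / EC traditional
        headers = dict(line.split(": ", 1)
                       for line in body.splitlines() if ": " in line)
        if "ENCRYPTED" in headers.get("Proc-Type", ""):
            cipher = headers.get("DEK-Info", "").split(",")[0] or None
            return KeyInfo("traditional-encrypted", cipher, True)
        return KeyInfo("traditional-unencrypted", None, False)
    raise ValueError("not a private key: " + label)


def _tlv(tag, value):
    """DER element with a short-form length (enough for the samples)."""
    return bytes([tag, len(value)]) + value


def _pem(label, payload, headers=""):
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{headers}{b64}\n-----END {label}-----\n"


# Constructed samples: realistic headers, dummy (all-zero) payloads.
LEGACY_AES256 = _pem(
    "RSA PRIVATE KEY", bytes(48),
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n")
STRIPPED = _pem("RSA PRIVATE KEY", bytes(48))
PKCS8_PBES2 = _pem(
    "ENCRYPTED PRIVATE KEY",
    _tlv(0x30, _tlv(0x30, _tlv(0x06, OID_PBES2) + _tlv(0x30, b""))
         + _tlv(0x04, bytes(16))))

if __name__ == "__main__":
    for name, pem in [("legacy", LEGACY_AES256), ("stripped", STRIPPED),
                      ("pkcs8", PKCS8_PBES2)]:
        print(name, classify_key(pem))
```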






RE: [users@httpd] FIPS disabled by httpd 2.4.3

2012-08-24 Thread Ruiyuan Jiang
Hi, 

When I tried to start Apache with FIPS on now, I was prompted for the pass 
phrase which is normal. After I typed in the pass phrase, I got a message:

Apache: mod_ssl:Error: Pass phrase incorrect (5 more retries permitted).

When I ctrl-c to exit, I got another message:

Apache:mod_ssl:Error: Private key not found.

Which is not correct since the private key is there. The key and certificate 
were generated before FIPS was enabled. The key and certificate were used by my 
Apache 2.2.22 (FIPS disabled) and I just copied them for the new httpd to use.
Once I disabled FIPS in the configuration file, I typed in the same pass phrase 
and I can start httpd v2.4.3. What else do I need to do or check? Thanks.

Ryan Jiang

-----Original Message-----
From: Ruiyuan Jiang [mailto:rji...@fnpc.com] 
Sent: Thursday, August 23, 2012 11:04 AM
To: users@httpd.apache.org
Subject: RE: [users@httpd] FIPS disabled by httpd 2.4.3

Thanks Rainer,

I put the statement "SSLFIPS on" in the global context section of 
httpd-ssl.conf file. When I started apache, I got a message in error_log:

# cat error_log 
[Thu Aug 23 10:30:03.014417 2012] [ssl:emerg] [pid 3190:tid 139842618164992] 
AH01885: FIPS mode failed
[Thu Aug 23 10:30:03.014546 2012] [ssl:emerg] [pid 3190:tid 139842618164992] 
SSL Library Error: error:2D06B06F:FIPS 
routines:FIPS_check_incore_fingerprint:fingerprint does not match
[Thu Aug 23 10:30:03.014564 2012] [ssl:emerg] [pid 3190:tid 139842618164992] 
AH02312: Fatal error initialising mod_ssl, exiting.


Ryan Jiang



-----Original Message-----
From: Rainer Jung [mailto:rainer.j...@kippdata.de] 
Sent: Wednesday, August 22, 2012 6:15 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] FIPS disabled by httpd 2.4.3

On 22.08.2012 20:47, Ruiyuan Jiang wrote:
> Hi,
>
> My OpenSSL v1.0.1c was compiled as FIPS enabled.
>
> # /usr/local/ssl/bin/openssl
> OpenSSL> version
> OpenSSL 1.0.1c-fips 10 May 2012
> OpenSSL>
>
> I did compilation httpd v2.4.2 and v2.4.3 to use the above version of 
> openssl. After I started httpd v2.4.3, I noticed in the error_log that FIPS 
> is being disabled. Why or is there something that I did wrong for the mod_ssl 
> option in the "configure" period? Thanks.
>
> # cat  error_log
> [Wed Aug 22 14:37:24.561183 2012] [ssl:notice] [pid 23557:tid 
> 140125173548800] AH01886: SSL FIPS mode disabled
> [Wed Aug 22 14:37:28.603319 2012] [:notice] [pid 23557:tid 140125173548800] 
> ModSecurity for Apache/2.6.7 (http://www.modsecurity.org/) configured.
> [Wed Aug 22 14:37:28.603331 2012] [:notice] [pid 23557:tid 140125173548800] 
> ModSecurity: APR compiled version="1.4.6"; loaded version="1.4.6"
> [Wed Aug 22 14:37:28.603336 2012] [:notice] [pid 23557:tid 140125173548800] 
> ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
> [Wed Aug 22 14:37:28.603340 2012] [:notice] [pid 23557:tid 140125173548800] 
> ModSecurity: LIBXML compiled version="2.7.6"
> [Wed Aug 22 14:37:28.603343 2012] [:notice] [pid 23557:tid 140125173548800] 
> Original server signature: Apache/2.4.3 (Unix) OpenSSL/1.0.1c-fips
> [Wed Aug 22 14:37:28.686133 2012] [ssl:notice] [pid 23568:tid 
> 140125173548800] AH01886: SSL FIPS mode disabled
> [Wed Aug 22 14:37:28.724620 2012] [lbmethod_heartbeat:notice] [pid 23568:tid 
> 140125173548800] AH02282: No slotmem from mod_heartmonitor
> [Wed Aug 22 14:37:29.011086 2012] [mpm_worker:notice] [pid 23568:tid 
> 140125173548800] AH00292: Apache/2.4.3 (Unix) OpenSSL/1.0.1c-fips 
> rproxynj.fifthandpacific.com configured -- resuming normal operations
> [Wed Aug 22 14:37:29.011208 2012] [core:notice] [pid 23568:tid 
> 140125173548800] AH00094: Command line: '/opt/apache2.4.3/bin/httpd'

http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslfips

No difference between 2.4.2 and 2.4.3 though.

In order for the message to be written, your build needs support for the 
directive. This is included in 2.4.2 and 2.4.3 by default, but could be 
disabled if during the build HAVE_FIPS is not defined. This define in 
turn is set if the OpenSSL detected during configure is of version >= 
0.9.8a and has FIPS support built in.

I would first check for differences between your builds of 2.4.2 and 
2.4.3 by adding SSLFips Off to the config. If FIPS support is not 
compiled into Apache, then it will fail to start and complain about an 
unknown directive SSLFips.

If adding the directive works for both, try setting it to On in both 
cases and check the startup messages for FIPS mode messages.

Regards,

Rainer


RE: [users@httpd] FIPS disabled by httpd 2.4.3

2012-08-24 Thread Ruiyuan Jiang
Hi, 

I am trying to recompile httpd. The output of ldd shows my httpd uses 
libcryto.so.1 from the /lib64 directory, which is built in from Redhat. My Redhat is 
RHEL v6.3. I can't delete Redhat's openssl since a lot of programs use it. In 
the "configure" phase of httpd, I added LDFLAGS=-L/usr/local/ssl/lib. After 
installation, ldd shows that httpd still uses Redhat's /lib64/libcrypt.so.1. 
How do I force httpd to use my own compiled OpenSSL in /usr/local/ssl instead 
of Redhat's built-in libcrypt.so? Thanks.

Ryan Jiang


RE: [users@httpd] mod_extract_forwarded or mod_rpaf for Apache 2.2/2.4?

2012-08-24 Thread Ruiyuan Jiang
You can get the module for 2.2 from 

http://people.apache.org/~wrowe/httpd-2.2-ports/

Ruiyuan Jiang

-----Original Message-----
From: Marten Lehmann [mailto:lehm...@cnm.de] 
Sent: Thursday, August 23, 2012 8:33 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] mod_extract_forwarded or mod_rpaf for Apache 2.2/2.4?

Thanks. Is anything like that available for Apache 2.2? Ubuntu 12.04 LTS 
only ships with Apache 2.2.22. I would have to build my own Apache with 
all dependencies just for this single module.

On 24.08.2012 00:19, Jeff Trawick wrote:
> On Thu, Aug 23, 2012 at 5:57 PM, Marten Lehmann  wrote:
>> Hello,
>>
>> is there any module like mod_extract_forwarded or mod_rpaf available for
>> Apache 2.2 or Apache 2.4?
>>
>> These modules change the value of REMOTE_ADDR to the original client IP
>> address behind a proxy request, that is given by the X-Forwarded-for header
>> - only if the request comes from trusted hosts of course. It makes rewriting
>> scripts to check for both REMOTE_ADDR and X-Forwarded-For head obsolete and
>> means you can continue to use .htaccess access permissions (Allow and Deny
>> from).
>
> httpd 2.4 has mod_remoteip for that purpose:
>
> http://httpd.apache.org/docs/2.4/mod/mod_remoteip.html
>
>>
>> Kind regards
>> Marten




RE: [users@httpd] FIPS disabled by httpd 2.4.3

2012-08-23 Thread Ruiyuan Jiang
Thanks Rainer,

I put the statement "SSLFIPS on" in the global context section of 
httpd-ssl.conf file. When I started apache, I got a message in error_log:

# cat error_log 
[Thu Aug 23 10:30:03.014417 2012] [ssl:emerg] [pid 3190:tid 139842618164992] 
AH01885: FIPS mode failed
[Thu Aug 23 10:30:03.014546 2012] [ssl:emerg] [pid 3190:tid 139842618164992] 
SSL Library Error: error:2D06B06F:FIPS 
routines:FIPS_check_incore_fingerprint:fingerprint does not match
[Thu Aug 23 10:30:03.014564 2012] [ssl:emerg] [pid 3190:tid 139842618164992] 
AH02312: Fatal error initialising mod_ssl, exiting.


Ryan Jiang



-----Original Message-----
From: Rainer Jung [mailto:rainer.j...@kippdata.de] 
Sent: Wednesday, August 22, 2012 6:15 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] FIPS disabled by httpd 2.4.3

On 22.08.2012 20:47, Ruiyuan Jiang wrote:
> Hi,
>
> My OpenSSL v1.0.1c was compiled as FIPS enabled.
>
> # /usr/local/ssl/bin/openssl
> OpenSSL> version
> OpenSSL 1.0.1c-fips 10 May 2012
> OpenSSL>
>
> I did compilation httpd v2.4.2 and v2.4.3 to use the above version of 
> openssl. After I started httpd v2.4.3, I noticed in the error_log that FIPS 
> is being disabled. Why or is there something that I did wrong for the mod_ssl 
> option in the "configure" period? Thanks.
>
> # cat  error_log
> [Wed Aug 22 14:37:24.561183 2012] [ssl:notice] [pid 23557:tid 
> 140125173548800] AH01886: SSL FIPS mode disabled
> [Wed Aug 22 14:37:28.603319 2012] [:notice] [pid 23557:tid 140125173548800] 
> ModSecurity for Apache/2.6.7 (http://www.modsecurity.org/) configured.
> [Wed Aug 22 14:37:28.603331 2012] [:notice] [pid 23557:tid 140125173548800] 
> ModSecurity: APR compiled version="1.4.6"; loaded version="1.4.6"
> [Wed Aug 22 14:37:28.603336 2012] [:notice] [pid 23557:tid 140125173548800] 
> ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
> [Wed Aug 22 14:37:28.603340 2012] [:notice] [pid 23557:tid 140125173548800] 
> ModSecurity: LIBXML compiled version="2.7.6"
> [Wed Aug 22 14:37:28.603343 2012] [:notice] [pid 23557:tid 140125173548800] 
> Original server signature: Apache/2.4.3 (Unix) OpenSSL/1.0.1c-fips
> [Wed Aug 22 14:37:28.686133 2012] [ssl:notice] [pid 23568:tid 
> 140125173548800] AH01886: SSL FIPS mode disabled
> [Wed Aug 22 14:37:28.724620 2012] [lbmethod_heartbeat:notice] [pid 23568:tid 
> 140125173548800] AH02282: No slotmem from mod_heartmonitor
> [Wed Aug 22 14:37:29.011086 2012] [mpm_worker:notice] [pid 23568:tid 
> 140125173548800] AH00292: Apache/2.4.3 (Unix) OpenSSL/1.0.1c-fips 
> rproxynj.fifthandpacific.com configured -- resuming normal operations
> [Wed Aug 22 14:37:29.011208 2012] [core:notice] [pid 23568:tid 
> 140125173548800] AH00094: Command line: '/opt/apache2.4.3/bin/httpd'

http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslfips

No difference between 2.4.2 and 2.4.3 though.

In order for the message to be written, your build needs support for the 
directive. This is included in 2.4.2 and 2.4.3 by default, but could be 
disabled if during the build HAVE_FIPS is not defined. This define in 
turn is set if the OpenSSL detected during configure is of version >= 
0.9.8a and has FIPS support built in.

I would first check for differences between your builds of 2.4.2 and 
2.4.3 by adding SSLFips Off to the config. If FIPS support is not 
compiled into Apache, then it will fail to start and complain about an 
unknown directive SSLFips.

If adding the directive works for both, try setting it to On in both 
cases and check the startup messages for FIPS mode messages.

Regards,

Rainer
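
The startup messages this exchange turns on can be read mechanically. The following Python example, added here and not written by anyone in the thread, re-joins mail-wrapped error_log entries and reports the FIPS state per httpd process; it recognizes only the AH codes that appear in the logs above, the sample entries are copied from those logs, and the function names are assumptions.

```python
import re

# A new entry starts with a timestamp such as "[Thu Aug 23 10:30:03...".
ENTRY_START = re.compile(r"^\[[A-Z][a-z]{2} [A-Z][a-z]{2} \d")
ENTRY = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[^:\]]*):(?P<level>\w+)\] "
    r"\[pid (?P<pid>\d+):tid (?P<tid>\d+)\] (?P<msg>.*)$")
# OpenSSL error string: error:<hex code>:<library>:<function>:<reason>
OPENSSL_ERR = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):"
    r"(?P<func>[^:]*):(?P<reason>.*)")

# Only the codes that occur in the thread's logs are mapped.
FIPS_CODES = {"AH01886": "disabled", "AH01885": "failed"}
FATAL_CODE = "AH02312"

# Entries copied from the thread, still wrapped the way the mail client left them.
SAMPLE_LOG = """\
[Wed Aug 22 14:37:24.561183 2012] [ssl:notice] [pid 23557:tid
140125173548800] AH01886: SSL FIPS mode disabled
[Wed Aug 22 14:37:28.603340 2012] [:notice] [pid 23557:tid 140125173548800]
ModSecurity: LIBXML compiled version="2.7.6"
[Wed Aug 22 14:37:28.686133 2012] [ssl:notice] [pid 23568:tid
140125173548800] AH01886: SSL FIPS mode disabled
[Thu Aug 23 10:30:03.014417 2012] [ssl:emerg] [pid 3190:tid 139842618164992]
AH01885: FIPS mode failed
[Thu Aug 23 10:30:03.014546 2012] [ssl:emerg] [pid 3190:tid 139842618164992]
SSL Library Error: error:2D06B06F:FIPS
routines:FIPS_check_incore_fingerprint:fingerprint does not match
[Thu Aug 23 10:30:03.014564 2012] [ssl:emerg] [pid 3190:tid 139842618164992]
AH02312: Fatal error initialising mod_ssl, exiting.
"""


def unwrap(text):
    """Join continuation lines back onto the entry they belong to."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if ENTRY_START.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries


def fips_report(text):
    """Map pid -> {'status', 'reason', 'fatal'} from error_log text."""
    report = {}
    for raw in unwrap(text):
        m = ENTRY.match(raw)
        if m is None:
            continue
        rec = report.setdefault(
            int(m["pid"]), {"status": "unknown", "reason": None, "fatal": False})
        msg = m["msg"]
        code = msg.split(":", 1)[0]
        if code in FIPS_CODES:
            rec["status"] = FIPS_CODES[code]
        elif code == FATAL_CODE:
            rec["fatal"] = True
        elif m["module"] == "ssl":
            err = OPENSSL_ERR.search(msg)
            if err:
                # Keep the failing function and reason from the library error.
                rec["reason"] = (err["func"], err["reason"])
    return report


if __name__ == "__main__":
    for pid, rec in sorted(fips_report(SAMPLE_LOG).items()):
        print(pid, rec)
```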




[users@httpd] FIPS disabled by httpd 2.4.3

2012-08-22 Thread Ruiyuan Jiang
Hi, 

My OpenSSL v1.0.1c was compiled as FIPS enabled.

# /usr/local/ssl/bin/openssl
OpenSSL> version
OpenSSL 1.0.1c-fips 10 May 2012
OpenSSL>

I compiled httpd v2.4.2 and v2.4.3 to use the above version of openssl. 
After I started httpd v2.4.3, I noticed in the error_log that FIPS is being 
disabled. Why, or is there something that I did wrong for the mod_ssl option in 
the "configure" period? Thanks.

# cat  error_log
[Wed Aug 22 14:37:24.561183 2012] [ssl:notice] [pid 23557:tid 140125173548800] 
AH01886: SSL FIPS mode disabled
[Wed Aug 22 14:37:28.603319 2012] [:notice] [pid 23557:tid 140125173548800] 
ModSecurity for Apache/2.6.7 (http://www.modsecurity.org/) configured.
[Wed Aug 22 14:37:28.603331 2012] [:notice] [pid 23557:tid 140125173548800] 
ModSecurity: APR compiled version="1.4.6"; loaded version="1.4.6"
[Wed Aug 22 14:37:28.603336 2012] [:notice] [pid 23557:tid 140125173548800] 
ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
[Wed Aug 22 14:37:28.603340 2012] [:notice] [pid 23557:tid 140125173548800] 
ModSecurity: LIBXML compiled version="2.7.6"
[Wed Aug 22 14:37:28.603343 2012] [:notice] [pid 23557:tid 140125173548800] 
Original server signature: Apache/2.4.3 (Unix) OpenSSL/1.0.1c-fips
[Wed Aug 22 14:37:28.686133 2012] [ssl:notice] [pid 23568:tid 140125173548800] 
AH01886: SSL FIPS mode disabled
[Wed Aug 22 14:37:28.724620 2012] [lbmethod_heartbeat:notice] [pid 23568:tid 
140125173548800] AH02282: No slotmem from mod_heartmonitor
[Wed Aug 22 14:37:29.011086 2012] [mpm_worker:notice] [pid 23568:tid 
140125173548800] AH00292: Apache/2.4.3 (Unix) OpenSSL/1.0.1c-fips 
rproxynj.fifthandpacific.com configured -- resuming normal operations
[Wed Aug 22 14:37:29.011208 2012] [core:notice] [pid 23568:tid 140125173548800] 
AH00094: Command line: '/opt/apache2.4.3/bin/httpd'


Ryan Jiang






[users@httpd] httpd 2.4.2 with FIPS enabled OpenSSL 1.0.1c

2012-08-09 Thread Ruiyuan Jiang
Hi,

I am trying to compile source code of httpd v2.4.2 with FIPS v2.0.1 enabled 
OpenSSL v1.0.1c and I got error messages in the "make" phase. I did the same 
compilation with the same options with regular OpenSSL and it was a success. 
Here is the error message that I got:


make[4]: Leaving directory `/home/rc6/httpd-2.4.2/modules/slotmem'
make[3]: Leaving directory `/home/rc6/httpd-2.4.2/modules/slotmem'
make[3]: Entering directory `/home/rc6/httpd-2.4.2/modules/ssl'
Building shared: mod_ssl.la
make[4]: Entering directory `/home/rc6/httpd-2.4.2/modules/ssl'
/home/rc6/httpd-2.4.2/srclib/apr/libtool --silent --mode=compile gcc -std=gnu99 
-g -O2 -pthread -I/usr/include/libxml2 -DLINUX=2 -D_REENTRANT -D_GNU_SOURCE 
   -I. -I/home/rc6/httpd-2.4.2/os/unix -I/home/rc6/httpd-2.4.2/include 
-I/home/rc6/httpd-2.4.2/srclib/apr/include 
-I/home/rc6/httpd-2.4.2/srclib/apr-util/include 
-I/home/rc6/httpd-2.4.2/srclib/apr-util/xml/expat/lib 
-I/home/rc6/httpd-2.4.2/modules/aaa -I/home/rc6/httpd-2.4.2/modules/cache 
-I/home/rc6/httpd-2.4.2/modules/core -I/home/rc6/httpd-2.4.2/modules/database 
-I/home/rc6/httpd-2.4.2/modules/filters -I/home/rc6/httpd-2.4.2/modules/ldap 
-I/home/rc6/httpd-2.4.2/server -I/home/rc6/httpd-2.4.2/modules/loggers 
-I/home/rc6/httpd-2.4.2/modules/lua -I/home/rc6/httpd-2.4.2/modules/proxy 
-I/home/rc6/httpd-2.4.2/modules/session -I/usr/local/ssl/include 
-I/home/rc6/httpd-2.4.2/modules/ssl -I/home/rc6/httpd-2.4.2/modules/test 
-I/home/rc6/httpd-2.4.2/server -I/home/rc6/httpd-2.4.2/modules/arch/unix 
-I/home/rc6/httpd-2.4.2/modules/dav/main 
-I/home/rc6/httpd-2.4.2/modules/generators 
-I/home/rc6/httpd-2.4.2/modules/mappers -prefer-pic -c mod_ssl.c && touch 
mod_ssl.slo
/home/rc6/httpd-2.4.2/srclib/apr/libtool --silent --mode=compile gcc -std=gnu99 
-g -O2 -pthread -I/usr/include/libxml2 -DLINUX=2 -D_REENTRANT -D_GNU_SOURCE 
   -I. -I/home/rc6/httpd-2.4.2/os/unix -I/home/rc6/httpd-2.4.2/include 
-I/home/rc6/httpd-2.4.2/srclib/apr/include 
-I/home/rc6/httpd-2.4.2/srclib/apr-util/include 
-I/home/rc6/httpd-2.4.2/srclib/apr-util/xml/expat/lib 
-I/home/rc6/httpd-2.4.2/modules/aaa -I/home/rc6/httpd-2.4.2/modules/cache 
-I/home/rc6/httpd-2.4.2/modules/core -I/home/rc6/httpd-2.4.2/modules/database 
-I/home/rc6/httpd-2.4.2/modules/filters -I/home/rc6/httpd-2.4.2/modules/ldap 
-I/home/rc6/httpd-2.4.2/server -I/home/rc6/httpd-2.4.2/modules/loggers 
-I/home/rc6/httpd-2.4.2/modules/lua -I/home/rc6/httpd-2.4.2/modules/proxy 
-I/home/rc6/httpd-2.4.2/modules/session -I/usr/local/ssl/include 
-I/home/rc6/httpd-2.4.2/modules/ssl -I/home/rc6/httpd-2.4.2/modules/test 
-I/home/rc6/httpd-2.4.2/server -I/home/rc6/httpd-2.4.2/modules/arch/unix 
-I/home/rc6/httpd-2.4.2/modules/dav/main 
-I/home/rc6/httpd-2.4.2/modules/generators 
-I/home/rc6/httpd-2.4.2/modules/mappers -prefer-pic -c ssl_engine_config.c && 
touch ssl_engine_config.slo
/home/rc6/httpd-2.4.2/srclib/apr/libtool --silent --mode=compile gcc -std=gnu99 
-g -O2 -pthread -I/usr/include/libxml2 -DLINUX=2 -D_REENTRANT -D_GNU_SOURCE 
   -I. -I/home/rc6/httpd-2.4.2/os/unix -I/home/rc6/httpd-2.4.2/include 
-I/home/rc6/httpd-2.4.2/srclib/apr/include 
-I/home/rc6/httpd-2.4.2/srclib/apr-util/include 
-I/home/rc6/httpd-2.4.2/srclib/apr-util/xml/expat/lib 
-I/home/rc6/httpd-2.4.2/modules/aaa -I/home/rc6/httpd-2.4.2/modules/cache 
-I/home/rc6/httpd-2.4.2/modules/core -I/home/rc6/httpd-2.4.2/modules/database 
-I/home/rc6/httpd-2.4.2/modules/filters -I/home/rc6/httpd-2.4.2/modules/ldap 
-I/home/rc6/httpd-2.4.2/server -I/home/rc6/httpd-2.4.2/modules/loggers 
-I/home/rc6/httpd-2.4.2/modules/lua -I/home/rc6/httpd-2.4.2/modules/proxy 
-I/home/rc6/httpd-2.4.2/modules/session -I/usr/local/ssl/include 
-I/home/rc6/httpd-2.4.2/modules/ssl -I/home/rc6/httpd-2.4.2/modules/test 
-I/home/rc6/httpd-2.4.2/server -I/home/rc6/httpd-2.4.2/modules/arch/unix 
-I/home/rc6/httpd-2.4.2/modules/dav/main 
-I/home/rc6/httpd-2.4.2/modules/generators 
-I/home/rc6/httpd-2.4.2/modules/mappers -prefer-pic -c ssl_engine_dh.c && touch 
ssl_engine_dh.slo
/home/rc6/httpd-2.4.2/srclib/apr/libtool --silent --mode=compile gcc -std=gnu99 
-g -O2 -pthread -I/usr/include/libxml2 -DLINUX=2 -D_REENTRANT -D_GNU_SOURCE 
   -I. -I/home/rc6/httpd-2.4.2/os/unix -I/home/rc6/httpd-2.4.2/include 
-I/home/rc6/httpd-2.4.2/srclib/apr/include 
-I/home/rc6/httpd-2.4.2/srclib/apr-util/include 
-I/home/rc6/httpd-2.4.2/srclib/apr-util/xml/expat/lib 
-I/home/rc6/httpd-2.4.2/modules/aaa -I/home/rc6/httpd-2.4.2/modules/cache 
-I/home/rc6/httpd-2.4.2/modules/core -I/home/rc6/httpd-2.4.2/modules/database 
-I/home/rc6/httpd-2.4.2/modules/filters -I/home/rc6/httpd-2.4.2/modules/ldap 
-I/home/rc6/httpd-2.4.2/server -I/home/rc6/httpd-2.4.2/modules/loggers 
-I/home/rc6/httpd-2.4.2/modules/lua -I/home/rc6/httpd-2.4.2/modules/proxy 
-I/home/rc6/httpd-2.4.2/modules/session -I/usr/local/ssl/include 
-I/home/rc6/httpd-2.4.2/modules/ssl -I/home/rc6/httpd-2.4.2/modules/test 
-I/home/rc6/httpd-2.4.2/server -I/home/rc6/httpd-2

[users@httpd] httpd v2.2.22 with openssl 1.0.1c

2012-07-25 Thread Ruiyuan Jiang
Hi, all

Last month, I posted a problem that httpd v2.2.22 did not work with openssl 
v1.0.1c. For me, it worked with openssl v1.0.0g with the same "configure" 
options for httpd and openssl. So far I have not heard anything. I am re-posting my 
message here and hopefully I can get a response this time. Thanks. 

# ./configure --enable-ssl=shared --enable-ssl --with-ssl=/usr/local/ssl

... 
checking whether to enable mod_ssl... checking dependencies
checking for SSL/TLS toolkit base... /usr/local/ssl
  adding "-I/usr/local/ssl/include" to CPPFLAGS
  adding "-I/usr/local/ssl/include" to INCLUDES
  adding "-L/usr/local/ssl/lib" to LDFLAGS
checking for OpenSSL version... checking openssl/opensslv.h usability... yes
checking openssl/opensslv.h presence... yes
checking for openssl/opensslv.h... yes
checking openssl/ssl.h usability... yes
checking openssl/ssl.h presence... yes
checking for openssl/ssl.h... yes
OK
  forcing SSL_LIBS to "-lssl -lcrypto  "
  adding "-lssl" to LIBS
  adding "-lcrypto" to LIBS
checking openssl/engine.h usability... yes
checking openssl/engine.h presence... yes
checking for openssl/engine.h... yes
checking for SSLeay_version... yes
checking for SSL_CTX_new... no
checking for ENGINE_init... no
checking for ENGINE_load_builtin_engines... no
checking for SSL_set_cert_store... no
configure: error: ... Error, SSL/TLS libraries were missing or unusable
[root@server httpd-2.2.22]#

Ryan Jiang






[users@httpd] "configure" error on openssl v1.0.1c for apache 2.2.22

2012-06-15 Thread Ruiyuan Jiang
Hi, all

I am trying to upgrade my Openssl for Apache httpd to the latest version 
v1.0.1c on RHEL v6.2 (64 bit). Openssl compiled and installed with no problem. I 
then tried to configure httpd v2.2.22 and got an error message:

checking for library containing crypt... -lcrypt
checking for getpwnam... yes
checking for getgrnam... yes
checking for initgroups... yes
checking for bindprocessor... no
checking for prctl... yes
checking for timegm... yes
checking for getpgid... yes
checking for void pointer length... no
checking for tm_gmtoff in struct tm... yes
checking whether to enable mod_authn_file... shared (all)
checking whether to enable mod_authn_dbm... shared (all)
checking whether to enable mod_authn_anon... shared (all)
checking whether to enable mod_authn_dbd... shared (all)
checking whether to enable mod_authn_default... shared (all)
checking whether to enable mod_authn_alias... no
checking whether to enable mod_authz_host... shared (all)
checking whether to enable mod_authz_groupfile... shared (all)
checking whether to enable mod_authz_user... shared (all)
checking whether to enable mod_authz_dbm... shared (all)
checking whether to enable mod_authz_owner... shared (all)
checking whether to enable mod_authnz_ldap... checking dependencies
checking whether to enable mod_authnz_ldap... shared (all)
checking whether to enable mod_authz_default... shared (all)
checking whether to enable mod_auth_basic... shared (all)
checking whether to enable mod_auth_digest... checking dependencies
checking whether to enable mod_auth_digest... shared (all)
checking whether to enable mod_isapi... no
checking whether to enable mod_file_cache... no
checking whether to enable mod_cache... no
checking whether to enable mod_disk_cache... no
checking whether to enable mod_mem_cache... no
checking whether to enable mod_dbd... shared (all)
checking whether to enable mod_bucketeer... no
checking whether to enable mod_dumpio... shared (all)
checking whether to enable mod_echo... no
checking whether to enable mod_example... no
checking whether to enable mod_case_filter... no
checking whether to enable mod_case_filter_in... no
checking whether to enable mod_reqtimeout... shared (all)
checking whether to enable mod_ext_filter... shared (all)
checking whether to enable mod_include... shared (all)
checking whether to enable mod_filter... shared (all)
checking whether to enable mod_substitute... shared (all)
checking whether to enable mod_charset_lite... no
checking whether to enable mod_deflate... checking dependencies
checking for zlib location... /usr
  adding "-lz" to LIBS
checking for zlib library... found
  forcing MOD_DEFLATE_LDADD to "-lz"
  removed "-lz" from LIBS
checking whether to enable mod_deflate... shared (all)
checking whether to enable mod_ldap... checking dependencies
checking whether to enable mod_ldap... shared (all)
checking whether to enable mod_log_config... shared (all)
checking whether to enable mod_log_forensic... shared (all)
  adding "-I$(top_builddir)/server" to INCLUDES
checking whether to enable mod_logio... shared (all)
checking whether to enable mod_env... shared (all)
checking whether to enable mod_mime_magic... shared (all)
checking whether to enable mod_cern_meta... shared (all)
checking whether to enable mod_expires... shared (all)
checking whether to enable mod_headers... shared (all)
checking whether to enable mod_ident... shared (all)
checking whether to enable mod_usertrack... checking dependencies
checking sys/times.h usability... yes
checking sys/times.h presence... yes
checking for sys/times.h... yes
checking for times... yes
checking whether to enable mod_usertrack... shared (all)
checking whether to enable mod_unique_id... shared (all)
checking whether to enable mod_setenvif... shared (all)
checking whether to enable mod_version... shared (all)
checking whether to enable mod_proxy... shared (all)
checking whether to enable mod_proxy_connect... shared (all)
checking whether to enable mod_proxy_ftp... shared (all)
checking whether to enable mod_proxy_http... shared (all)
checking whether to enable mod_proxy_scgi... shared (all)
checking whether to enable mod_proxy_ajp... shared (all)
checking whether to enable mod_proxy_balancer... shared (all)
  adding "-I$(top_srcdir)/modules/proxy/../generators" to INCLUDES
checking whether to enable mod_ssl... checking dependencies
checking for SSL/TLS toolkit base... /usr/local/ssl-1.0.1c
  adding "-I/usr/local/ssl-1.0.1c/include" to CPPFLAGS
  adding "-I/usr/local/ssl-1.0.1c/include" to INCLUDES
  adding "-L/usr/local/ssl-1.0.1c/lib" to LDFLAGS
checking for OpenSSL version... checking openssl/opensslv.h usability... yes
checking openssl/opensslv.h presence... yes
checking for openssl/opensslv.h... yes
checking openssl/ssl.h usability... yes
checking openssl/ssl.h presence... yes
checking for openssl/ssl.h... yes
OK
  forcing SSL_LIBS to "-lssl -lcrypto  "
  adding "-lssl" to LIBS
  adding "-lcrypto" to LIBS
checking openssl/engine.h usability... yes
checking

RE: [users@httpd] Attack on my reverse proxy server

2012-06-13 Thread Ruiyuan Jiang
Thanks Matus

Actually we see a lot of POST commands from lots of different IPs around the world 
and our site was taken down (very slow).

-Original Message-
From: Matus UHLAR - fantomas [mailto:uh...@fantomas.sk] 
Sent: Tuesday, June 12, 2012 7:05 AM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Attack on my reverse proxy server

On 12.06.12 00:42, Ruiyuan Jiang wrote:
>We see some attack on our apache reverse proxy server.
>
>180.211.101.213 - - [11/Jun/2012:11:30:00 -400] "POST / HTTP/1.0" 301 324
>201.243.47.144 - - [11/Jun/2012:11:30:00 -400] "POST / HTTP/1.0" 400 226
>113.162.230.163 - - [11/Jun/2012:11:30:00 -400] "POST / HTTP/1.0" 503 323
>
>How can we block those activities on the apache server? Thanks.

if your server is accessible from the internet, such attacks _will_ come.
you should make sure that such attacks won't affect its functionality.

you can watch logs for that kind of activities and e.g. block source 
IPs in firewall (e.g. using fail2ban).

There apparently are apache modules that can do something similar 
internally.
-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
A day without sunshine is like, night.
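
The log-watching approach suggested in this thread, as an added example that is not part of the original messages: a per-source threshold of the kind a fail2ban jail applies, next to an aggregate rule for the case reported here, where many sources each send only a request or two. The log lines are constructed in the thread's format with documentation addresses; the thresholds and function names are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)

# Access log layout as shown in the thread. The zone offset is skipped because
# the thread's lines carry a malformed "-400" that strptime would reject.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^ \]]+)[^\]]*\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) \S+$'
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    try:
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S")
    except ValueError:
        return None
    return rec


def is_suspect(rec):
    """The request signature reported in the thread: POST / over HTTP/1.0."""
    return (rec["method"], rec["path"], rec["proto"]) == ("POST", "/", "HTTP/1.0")


def repeat_offenders(records, findtime=60, maxretry=5):
    """Per-source rule: IPs with at least maxretry hits inside findtime seconds."""
    recent = defaultdict(deque)
    flagged = set()
    for rec in records:
        if not is_suspect(rec):
            continue
        hits = recent[rec["ip"]]
        hits.append(rec["ts"])
        while (rec["ts"] - hits[0]).total_seconds() > findtime:
            hits.popleft()
        if len(hits) >= maxretry:
            flagged.add(rec["ip"])
    return flagged


def distributed_bursts(records, bucket=10, min_hits=8, min_sources=6):
    """Aggregate rule: time buckets where many distinct sources send the signature."""
    buckets = defaultdict(list)
    for rec in records:
        if is_suspect(rec):
            key = int((rec["ts"] - EPOCH).total_seconds()) // bucket * bucket
            buckets[key].append(rec["ip"])
    return [
        (EPOCH + timedelta(seconds=key), len(ips), len(set(ips)))
        for key, ips in sorted(buckets.items())
        if len(ips) >= min_hits and len(set(ips)) >= min_sources
    ]


def analyze(lines):
    """Return (repeat offender IPs, burst buckets, number of unparsable lines)."""
    records, skipped = [], 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1
        else:
            records.append(rec)
    records.sort(key=lambda r: r["ts"])
    return repeat_offenders(records), distributed_bursts(records), skipped


def sample_lines():
    """Constructed sample: one noisy source, one distributed burst, normal traffic."""
    lines = [
        f'203.0.113.7 - - [11/Jun/2012:11:30:{s:02d} -400] "POST / HTTP/1.0" 400 226'
        for s in range(0, 60, 10)
    ]
    lines += [
        f'198.51.100.{i} - - [11/Jun/2012:11:31:{i - 1:02d} -400] "POST / HTTP/1.0" 503 323'
        for i in range(1, 9)
    ]
    lines.append('192.0.2.10 - - [11/Jun/2012:11:31:02 -400] "GET /index.html HTTP/1.1" 200 5120')
    lines.append("not a log line")
    return lines


if __name__ == "__main__":
    offenders, bursts, skipped = analyze(sample_lines())
    print("per-source rule:", sorted(offenders))
    for start, hits, sources in bursts:
        print(f"burst at {start}: {hits} hits from {sources} sources")
    print("unparsable lines:", skipped)
```

The eight single-request sources never trip the per-source rule, so a ban list alone does not stop that part of the traffic; the aggregate rule is what surfaces it.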




[users@httpd] Attack on my reverse proxy server

2012-06-11 Thread Ruiyuan Jiang
Hi, all

We see some attack on our apache reverse proxy server.

180.211.101.213 - - [11/Jun/2012:11:30:00 -400] "POST / HTTP/1.0" 301 324
201.243.47.144 - - [11/Jun/2012:11:30:00 -400] "POST / HTTP/1.0" 400 226
113.162.230.163 - - [11/Jun/2012:11:30:00 -400] "POST / HTTP/1.0" 503 323

How can we block those activities on the apache server? Thanks.

Ryan Jiang







[users@httpd] Apache does not release semaphore after shutdown

2012-05-14 Thread Ruiyuan Jiang
Hi,

I have two Apache reverse proxy servers (v2.2.22, Redhat RHEL v6.2, X86_64) 
running on the same system for different purposes (I have no choice). When I 
shutdown the smaller (less resources such as maximum users, etc.) Apache 
reverse proxy server on the host and tried to start it last week, I got a 
message stating that it can't get lock and could not start. We then increased 
semaphore to 512 from 256. The default on Redhat is 128. We have increased it 
before. Earlier today after I shutdown and started the smaller Apache, it 
happened again that Apache could not get lock. I then increased the semaphore 
again from 512 to 1024. I got a chance to shutdown both Apache instances later 
today and the semaphore did not get released. I have to manually remove 
semaphores from the system. Is this a bug or what else? Thanks.

Ryan Jiang






[users@httpd] Default Time out value for https connection to backend https server

2012-05-10 Thread Ruiyuan Jiang
Hi, all

I have an Apache reverse proxy server (v2.2.22, Redhat EL v6.2, x86_64). The 
reverse proxy server connects to backend MS Exchange server for webmail through 
https connection. On the proxy server, I configured proxy balancer with HA mode 
for two backend Exchange servers in the Apache configuration. It ran for over 
years no problem. Recently we migrated one of the backend Exchange servers to 
VMware based virtual server which is also primary backend server configured in 
Apache. Now we see a lot of backend server switching on the Apache server with 
the message and people get logged out from the MS webmail session from their 
browser:

[Tue May 08 23:50:14 2012] [error] [client 166.137.138.75] (70007)The timeout 
specified has expired: proxy: error reading status line from remote server 
int_ex.corp.com:443
[Tue May 08 23:50:14 2012] [error] [client 166.137.138.75] proxy: Error reading 
from remote server returned by /Microsoft-Server-ActiveSync
[Tue May 08 23:50:25 2012] [error] [client 113.28.152.94] (70007)The timeout 
specified has expired: proxy: error reading status line from remote server 
int_ex.corp.com:443
[Tue May 08 23:50:25 2012] [error] [client 113.28.152.94] proxy: Error reading 
from remote server returned by /Microsoft-Server-ActiveSync
[Tue May 08 23:50:27 2012] [error] [client 24.152.245.33] (70007)The timeout 
specified has expired: proxy: error reading status line from remote server 
int_ex.corp.com:443
[Tue May 08 23:50:27 2012] [error] [client 24.152.245.33] proxy: Error reading 
from remote server returned by /Microsoft-Server-ActiveSync
[Tue May 08 23:50:32 2012] [error] [client 198.228.199.206] (70007)The timeout 
specified has expired: proxy: error reading status line from remote server 
int_ex.corp.com:443
[Tue May 08 23:50:32 2012] [error] [client 198.228.199.206] proxy: Error 
reading from remote server returned by /Microsoft-Server-ActiveSync
[Tue May 08 23:50:33 2012] [error] [client 208.54.37.175] (70007)The timeout 
specified has expired: proxy: error reading status line from remote server 
int_ex.corp.com:443
[Tue May 08 23:50:33 2012] [error] [client 208.54.37.175] proxy: Error reading 
from remote server returned by /Microsoft-Server-ActiveSync

In the proxypass statement of the Apache httpd-ssl.conf to the backend server, 
I use the default value. What is the default timeout value that Apache reverse 
proxy server connects to backend server for https for "proxypass" statement? 
How can I extend the timeout value? What could be the reason or wrong here so I 
can modify the configuration? We have hundreds of mobile devices getting emails from 
the Apache reverse proxy server. Thanks.

Ryan Jiang






[users@httpd]

2012-02-22 Thread Ruiyuan Jiang
Hi, all

I have an apache2.2.22 reverse proxy server running. On the reverse proxy 
server, it has multiple virtual hosts. Some of them are https connections 
besides http connection. The backend servers behind the reverse proxy server 
have either https or http connection with the Apache reverse proxy server. 
Currently Apache does not authenticate external users. The authentication 
prompt comes from backend servers if authentication is required. There is one 
application which is the same from the users' point of view when they access the site 
either they are in the office or home to login to the server through https 
authentication which is Microsoft Active Directory based.
Now there is a request for the application that for some users when they are in 
the office, they access the site as usual. When those users are at home, they 
are not allowed to access the internal site through Apache reverse proxy 
server. I am thinking of adding mod_ldap support on the Apache reverse proxy 
server to authenticate those users. We can create a group, i.e. deny_access on 
the Microsoft Active Directory so when the users authenticate through Apache 
reverse proxy server and if users belong to that group then the access is 
denied. Is this possible? Thanks.

Ryan Jiang





RE: [users@httpd] Apache 2.2.21 SSL on RHEL v5.7

2012-01-25 Thread Ruiyuan Jiang
Hi, Mr. Jung

It is the problem from /dev/random. Thanks.

Ryan Jiang

-Original Message-
From: Rainer Jung [mailto:rainer.j...@kippdata.de] 
Sent: Monday, January 23, 2012 2:43 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Apache 2.2.21 SSL on RHEL v5.7

On 23.01.2012 20:02, Ruiyuan Jiang wrote:
> Hi,
>
> I have two Apache 2.2.21 reverse proxy servers on Solaris 10 (SPARC) and 
> additional modules that not in the Apache distribution. They are running fine 
> so far. Now we want to migrate Apache to Redhat Enterprise server v5.7. I 
> compiled Apache the same way and same option as on the Solaris through a 
> script that I saved. I copied all the modified necessary configuration files 
> from Solaris and certificates from Solaris to Redhat and made necessary 
> changes such as IP addresses. The syntax check is OK. When I start Apache on 
> the Redhat, "apachectl start" just sits there without giving back the shell 
> prompt. The access log and error log are empty so I don't know the reason. If 
> I disable httpd-ssl.conf file which will not start https, Apache starts fine. 
> Does anyone know what could be for ssl problem on Redhat?

Maybe not enough entropy on /dev/random or /dev/urandom whatever is used?

> Also I first compiled openssl 1.0.0f on Redhat, I then downloaded openssl 
> 1.0.0g once it became available and compiled it at the same location. On 
> Solaris if I restart Apache, the error log will show the new version of 
> Openssl but on Redhat, Apache shows the old version (1.0.0f) of OpenSSL. Why? 
> Thanks.

Solaris doesn't have OpenSSL 1.0 libs installed in the default lib 
directories, so mod_ssl will find your custom build one. RedHat comes 
with OpenSSL 1.0 installed, so you have to set LD_LIBRARY_PATH or link 
statically into mod_ssl in order to let mod_ssl find the right OpenSSL lib.

If there is other stuff in your Apache which also has dependencies to 
OpenSSL, like e.g. something doing ldaps, then things will become quite 
tricky :(

Regards,

Rainer
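
A way to check which OpenSSL copy mod_ssl actually resolves, and whether a second copy is loaded through another dependency, as an added example that is not part of the original messages. It parses `ldd` output for mod_ssl.so and the process's /proc/<pid>/maps; the sample text is constructed, and the function names are assumptions (only /usr/local/ssl/lib comes from the thread).

```python
import re
import subprocess

# One dependency line of ldd output: "name => /path (0xaddr)" or "name => not found".
DEP_RE = re.compile(r'^\s*(?P<name>\S+)\s+=>\s+(?P<target>not found|/\S+)')


def ldd(path):
    """Run ldd on a module you built yourself, e.g. modules/mod_ssl.so."""
    return subprocess.run(["ldd", path], capture_output=True, text=True, check=True).stdout


def openssl_deps(ldd_text):
    """Map each libssl/libcrypto soname to its resolved path (None if unresolved)."""
    deps = {}
    for line in ldd_text.splitlines():
        m = DEP_RE.match(line)
        if m and re.match(r'lib(ssl|crypto)\.so', m["name"]):
            deps[m["name"]] = None if m["target"] == "not found" else m["target"]
    return deps


def check_linkage(ldd_text, expected_prefix):
    """Return (verdict, details) for how mod_ssl's OpenSSL dependencies resolve."""
    deps = openssl_deps(ldd_text)
    if not deps:
        # No dynamic dependency listed: linked statically, or not linked at all.
        return "static-or-absent", {}
    prefix = expected_prefix.rstrip("/") + "/"
    details = {}
    for name, path in deps.items():
        if path is None:
            details[name] = "not found"
        elif path.startswith(prefix):
            details[name] = "custom build"
        else:
            details[name] = "other copy: " + path
    ok = all(v == "custom build" for v in details.values())
    return ("ok" if ok else "mismatch"), details


def loaded_openssl_copies(maps_text):
    """From /proc/<pid>/maps of a running httpd: distinct files mapped per library."""
    copies = {}
    for line in maps_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue  # anonymous mapping, no backing file
        path = fields[5].strip()
        m = re.match(r'(libssl|libcrypto)\.so', path.rsplit("/", 1)[-1])
        if m:
            copies.setdefault(m.group(1), set()).add(path)
    return {lib: sorted(paths) for lib, paths in copies.items()}


# Constructed ldd output: the loader picked a copy outside the custom prefix.
LDD_OTHER_COPY = """\
    libssl.so.1.0.0 => /usr/lib64/libssl.so.1.0.0 (0x00007f0a1c000000)
    libcrypto.so.1.0.0 => /usr/lib64/libcrypto.so.1.0.0 (0x00007f0a1bc00000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f0a1b800000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f0a1c400000)
"""

# Constructed ldd output: both libraries come from the custom build.
LDD_CUSTOM = """\
    libssl.so.1.0.0 => /usr/local/ssl/lib/libssl.so.1.0.0 (0x00007f0a1c000000)
    libcrypto.so.1.0.0 => /usr/local/ssl/lib/libcrypto.so.1.0.0 (0x00007f0a1bc00000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f0a1b800000)
"""

# Constructed maps excerpt: a second libssl pulled in by some other dependency.
MAPS_TWO_COPIES = """\
7f0a1c000000-7f0a1c060000 r-xp 00000000 fd:00 1311   /usr/local/ssl/lib/libssl.so.1.0.0
7f0a1c060000-7f0a1c070000 rw-p 00060000 fd:00 1311   /usr/local/ssl/lib/libssl.so.1.0.0
7f0a1b000000-7f0a1b050000 r-xp 00000000 fd:00 2207   /usr/lib64/libssl.so.0.9.8e
7f0a1a000000-7f0a1a200000 r-xp 00000000 fd:00 2290   /lib64/libc-2.5.so
7f0a19000000-7f0a19021000 rw-p 00000000 00:00 0
"""

if __name__ == "__main__":
    print(check_linkage(LDD_OTHER_COPY, "/usr/local/ssl/lib"))
    print(check_linkage(LDD_CUSTOM, "/usr/local/ssl/lib"))
    print(loaded_openssl_copies(MAPS_TWO_COPIES))
```

More than one path per library in the maps output is the "tricky" case mentioned above: two OpenSSL builds sharing one process.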



-
The official User-To-User support forum of the Apache HTTP Server Project.
See <http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
   "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org







RE: [users@httpd] Apache 2.2.21 SSL on RHEL v5.7

2012-01-23 Thread Ruiyuan Jiang
Hi,

One more piece of information, Apache never prompts me for the Pass Phrase when 
it starts with https enabled on Redhat which it is supposed to. It prompts me to 
enter pass phrase on my Solaris Apache reverse proxy server.

Ryan Jiang

-Original Message-
From: Ruiyuan Jiang [mailto:ruiyuan_ji...@liz.com] 
Sent: Monday, January 23, 2012 6:00 PM
To: users@httpd.apache.org
Subject: RE: [users@httpd] Apache 2.2.21 SSL on RHEL v5.7

HI, 

I modified Apache's LD_LIBRARY_PATH to first check /usr/local/ssl/lib before I 
recompiled Apache and modified envvars in the bin directory to have 
/usr/local/ssl/lib directory listed but no help. Any reason why? Thanks.

Ryan

-Original Message-
From: Ruiyuan Jiang [mailto:ruiyuan_ji...@liz.com] 
Sent: Monday, January 23, 2012 3:12 PM
To: users@httpd.apache.org
Subject: RE: [users@httpd] Apache 2.2.21 SSL on RHEL v5.7

Thanks for the reply, Rainer. I checked that Redhat comes with openssl v0.9.8e 
not 1.x. When I compiled Apache, one of the options that I used is 
"--with-ssl=/usr/local/ssl" which is the one I compiled myself.
This time I think I waited long enough so I got some messages from one of two 
https virtual servers:

[Mon Jan 23 14:31:12 2012] [error] Init: Unable to read pass phrase [Hint: key 
introduced or changed before restart?]
[Mon Jan 23 14:31:12 2012] [error] SSL Library Error: 218529960 
error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Mon Jan 23 14:31:12 2012] [error] SSL Library Error: 218640442 
error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
[Mon Jan 23 14:31:12 2012] [error] SSL Library Error: 218529960 
error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Mon Jan 23 14:31:12 2012] [error] SSL Library Error: 218595386 
error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
[Mon Jan 23 14:31:12 2012] [error] SSL Library Error: 67710980 
error:04093004:rsa routines:OLD_RSA_PRIV_DECODE:RSA lib
[Mon Jan 23 14:31:12 2012] [error] SSL Library Error: 218529960 
error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Mon Jan 23 14:31:12 2012] [error] SSL Library Error: 218595386 
error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error


Can I copy keys and certs from Solaris to Redhat through sftp?

Maybe not enough entropy on /dev/random or /dev/urandom whatever is used? Can 
you explain a little bit more and what should I do to fix it?

Thanks.

Ryan Jiang

-Original Message-
From: Rainer Jung [mailto:rainer.j...@kippdata.de] 
Sent: Monday, January 23, 2012 2:43 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Apache 2.2.21 SSL on RHEL v5.7

On 23.01.2012 20:02, Ruiyuan Jiang wrote:
> Hi,
>
> I have two Apache 2.2.21 reverse proxy servers on Solaris 10 (SPARC) and 
> additional modules that not in the Apache distribution. They are running fine 
> so far. Now we want to migrate Apache to Redhat Enterprise server v5.7. I 
> compiled Apache the same way and same option as on the Solaris through a 
> script that I saved. I copied all the modified necessary configuration files 
> from Solaris and certificates from Solaris to Redhat and made necessary 
> changes such as IP addresses. The syntax check is OK. When I start Apache on 
> the Redhat, "apachectl start" just sits there without giving back the shell 
> prompt. The access log and error log are empty so I don't know the reason. If 
> I disable httpd-ssl.conf file which will not start https, Apache starts fine. 
> Does anyone know what could be for ssl problem on Redhat?

Maybe not enough entropy on /dev/random or /dev/urandom whatever is used?

> Also I first compiled openssl 1.0.0f on Redhat, I then downloaded openssl 
> 1.0.0g once it became available and compiled it at the same location. On 
> Solaris if I restart Apache, the error log will show the new version of 
> Openssl but on Redhat, Apache shows the old version (1.0.0f) of OpenSSL. Why? 
> Thanks.

Solaris doesn't have OpenSSL 1.0 libs installed in the default lib 
directories, so mod_ssl will find your custom build one. RedHat comes 
with OpenSSL 1.0 installed, so you have to set LD_LIBRARY_PATH or link 
statically into mod_ssl in order to let mod_ssl find the right OpenSSL lib.

If there is other stuff in your Apache which also has dependencies to 
OpenSSL, like e.g. something doing ldaps, then things will become quite 
tricky :(

Regards,

Rainer




RE: [users@httpd] Apache 2.2.21 SSL on RHEL v5.7

2012-01-23 Thread Ruiyuan Jiang
HI, 

I modified Apache's LD_LIBRARY_PATH to first check /usr/local/ssl/lib before I 
recompiled Apache and modified envvars in the bin directory to have 
/usr/local/ssl/lib directory listed but no help. Any reason why? Thanks.

Ryan

-Original Message-
From: Ruiyuan Jiang [mailto:ruiyuan_ji...@liz.com] 
Sent: Monday, January 23, 2012 3:12 PM
To: users@httpd.apache.org
Subject: RE: [users@httpd] Apache 2.2.21 SSL on RHEL v5.7

Thanks for the reply, Rainer. I checked that Redhat comes with openssl v0.9.8e 
not 1.x. When I compiled Apache, one of the options that I used is 
"--with-ssl=/usr/local/ssl" which is the one I compiled myself.
This time I think I waited long enough so I got some messages from one of two 
https virtual servers:

[Mon Jan 23 14:31:12 2012] [error] Init: Unable to read pass phrase [Hint: key 
introduced or changed before restart?]
[Mon Jan 23 14:31:12 2012] [error] SSL Library Error: 218529960 
error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Mon Jan 23 14:31:12 2012] [error] SSL Library Error: 218640442 
error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
[Mon Jan 23 14:31:12 2012] [error] SSL Library Error: 218529960 
error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Mon Jan 23 14:31:12 2012] [error] SSL Library Error: 218595386 
error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
[Mon Jan 23 14:31:12 2012] [error] SSL Library Error: 67710980 
error:04093004:rsa routines:OLD_RSA_PRIV_DECODE:RSA lib
[Mon Jan 23 14:31:12 2012] [error] SSL Library Error: 218529960 
error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Mon Jan 23 14:31:12 2012] [error] SSL Library Error: 218595386 
error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error


Can I copy keys and certs from Solaris to Redhat through sftp?

Maybe not enough entropy on /dev/random or /dev/urandom whatever is used? Can 
you explain a little bit more and what should I do to fix it?

Thanks.

Ryan Jiang

-Original Message-
From: Rainer Jung [mailto:rainer.j...@kippdata.de] 
Sent: Monday, January 23, 2012 2:43 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Apache 2.2.21 SSL on RHEL v5.7

On 23.01.2012 20:02, Ruiyuan Jiang wrote:
> Hi,
>
> I have two Apache 2.2.21 reverse proxy servers on Solaris 10 (SPARC) and 
> additional modules that not in the Apache distribution. They are running fine 
> so far. Now we want to migrate Apache to Redhat Enterprise server v5.7. I 
> compiled Apache the same way and same option as on the Solaris through a 
> script that I saved. I copied all the modified necessary configuration files 
> from Solaris and certificates from Solaris to Redhat and made necessary 
> changes such as IP addresses. The syntax check is OK. When I start Apache on 
> the Redhat, "apachectl start" just sits there without giving back the shell 
> prompt. The access log and error log are empty so I don't know the reason. If 
> I disable httpd-ssl.conf file which will not start https, Apache starts fine. 
> Does anyone know what could be for ssl problem on Redhat?

Maybe not enough entropy on /dev/random or /dev/urandom whatever is used?

> Also I first compiled openssl 1.0.0f on Redhat, I then downloaded openssl 
> 1.0.0g once it became available and compiled it at the same location. On 
> Solaris if I restart Apache, the error log will show the new version of 
> Openssl but on Redhat, Apache shows the old version (1.0.0f) of OpenSSL. Why? 
> Thanks.

Solaris doesn't have OpenSSL 1.0 libs installed in the default lib 
directories, so mod_ssl will find your custom build one. RedHat comes 
with OpenSSL 1.0 installed, so you have to set LD_LIBRARY_PATH or link 
statically into mod_ssl in order to let mod_ssl find the right OpenSSL lib.

If there is other stuff in your Apache which also has dependencies to 
OpenSSL, like e.g. something doing ldaps, then things will become quite 
tricky :(

Regards,

Rainer




RE: [users@httpd] Apache 2.2.21 SSL on RHEL v5.7

2012-01-23 Thread Ruiyuan Jiang
Thanks for the reply, Rainer. I checked that Redhat comes with openssl v0.9.8e 
not 1.x. When I compiled Apache, one of the options that I used is 
"--with-ssl=/usr/local/ssl" which is the one I compiled myself.
This time I think I waited long enough so I got some messages from one of two 
https virtual servers:

[Mon Jan 23 14:31:12 2012] [error] Init: Unable to read pass phrase [Hint: key 
introduced or changed before restart?]
[Mon Jan 23 14:31:12 2012] [error] SSL Library Error: 218529960 
error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Mon Jan 23 14:31:12 2012] [error] SSL Library Error: 218640442 
error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
[Mon Jan 23 14:31:12 2012] [error] SSL Library Error: 218529960 
error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Mon Jan 23 14:31:12 2012] [error] SSL Library Error: 218595386 
error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
[Mon Jan 23 14:31:12 2012] [error] SSL Library Error: 67710980 
error:04093004:rsa routines:OLD_RSA_PRIV_DECODE:RSA lib
[Mon Jan 23 14:31:12 2012] [error] SSL Library Error: 218529960 
error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Mon Jan 23 14:31:12 2012] [error] SSL Library Error: 218595386 
error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error


Can I copy keys and certs from Solaris to Redhat through sftp?

Maybe not enough entropy on /dev/random or /dev/urandom whatever is used? Can 
you explain a little bit more and what should I do to fix it?

Thanks.

Ryan Jiang

-Original Message-
From: Rainer Jung [mailto:rainer.j...@kippdata.de] 
Sent: Monday, January 23, 2012 2:43 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Apache 2.2.21 SSL on RHEL v5.7

On 23.01.2012 20:02, Ruiyuan Jiang wrote:
> Hi,
>
> I have two Apache 2.2.21 reverse proxy servers on Solaris 10 (SPARC) and 
> additional modules that not in the Apache distribution. They are running fine 
> so far. Now we want to migrate Apache to Redhat Enterprise server v5.7. I 
> compiled Apache the same way and same option as on the Solaris through a 
> script that I saved. I copied all the modified necessary configuration files 
> from Solaris and certificates from Solaris to Redhat and made necessary 
> changes such as IP addresses. The syntax check is OK. When I start Apache on 
> the Redhat, "apachectl start" just sits there without giving back the shell 
> prompt. The access log and error log are empty so I don't know the reason. If 
> I disable httpd-ssl.conf file which will not start https, Apache starts fine. 
> Does anyone know what could be for ssl problem on Redhat?

Maybe not enough entropy on /dev/random or /dev/urandom whatever is used?

> Also I first compiled openssl 1.0.0f on Redhat, I then downloaded openssl 
> 1.0.0g once it became available and compiled it at the same location. On 
> Solaris if I restart Apache, the error log will show the new version of 
> Openssl but on Redhat, Apache shows the old version (1.0.0f) of OpenSSL. Why? 
> Thanks.

Solaris doesn't have OpenSSL 1.0 libs installed in the default lib 
directories, so mod_ssl will find your custom build one. RedHat comes 
with OpenSSL 1.0 installed, so you have to set LD_LIBRARY_PATH or link 
statically into mod_ssl in order to let mod_ssl find the right OpenSSL lib.

If there is other stuff in your Apache which also has dependencies to 
OpenSSL, like e.g. something doing ldaps, then things will become quite 
tricky :(

Regards,

Rainer






[users@httpd] Apache 2.2.21 SSL on RHEL v5.7

2012-01-23 Thread Ruiyuan Jiang
Hi, 

I have two Apache 2.2.21 reverse proxy servers on Solaris 10 (SPARC) and 
additional modules that not in the Apache distribution. They are running fine 
so far. Now we want to migrate Apache to Redhat Enterprise server v5.7. I 
compiled Apache the same way and same option as on the Solaris through a script 
that I saved. I copied all the modified necessary configuration files from 
Solaris and certificates from Solaris to Redhat and made necessary changes such 
as IP addresses. The syntax check is OK. When I start Apache on the Redhat, 
"apachectl start" just sits there without giving back the shell prompt. The 
access log and error log are empty so I don't know the reason. If I disable 
httpd-ssl.conf file which will not start https, Apache starts fine. Does anyone 
know what could be for ssl problem on Redhat?
Also I first compiled openssl 1.0.0f on Redhat, I then downloaded openssl 
1.0.0g once it became available and compiled it at the same location. On 
Solaris if I restart Apache, the error log will show the new version of Openssl 
but on Redhat, Apache shows the old version (1.0.0f) of OpenSSL. Why? Thanks.

Ryan Jiang






RE: [users@httpd] Apache httpd Range header remote DoS

2011-11-04 Thread Ruiyuan Jiang
Thanks for the answer, Tom

Ryan

-Original Message-
From: Tom Evans [mailto:tevans...@googlemail.com] 
Sent: Friday, November 04, 2011 11:19 AM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Apache httpd Range header remote DoS

On Fri, Nov 4, 2011 at 2:59 PM, Ruiyuan Jiang  wrote:
> Hi, all
>
> I have an Apache reverse proxy server (v2.2.21) that redirects traffic from
> http to https for a back end web server. I don’t know the exact version of the
> back end Apache web server because Oracle changed the version number, but I
> am sure it is below v2.2.21. Our vulnerability scan shows that the web site
> has:
>
> Apache httpd Range header remote DoS (CVE-2011-3192)
> (apache-httpd-cve-2011-3192)
>
> My question is: the front-end Apache reverse proxy hides the back end web
> server's problem, doesn’t it? If not, how do I fix the problem besides
> upgrading the version of the back end Apache web server? Thanks.
>
> Ryan Jiang
> Liz Claiborne, Inc.
>
>

Did you read the CVE? It explained the issues and how to work around them…

http://httpd.apache.org/security/CVE-2011-3192.txt

Upgrading the reverse proxy will not protect the back end servers. The
range headers are passed through to the back end, and so they must be
capable of determining whether it is malicious or not - the proxy
cannot really decide this.

If you cannot upgrade the back ends, there are several mitigations
listed in the CVE.

Cheers

Tom
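
Since the Range header is passed through the proxy to the back end unchanged, the same log check applies at either tier. The following is an added example, not code from this thread or from the advisory: it parses logged Range values and flags requests with many or overlapping byte ranges. It assumes the header is logged with `%{Range}i`; the log layout, the thresholds and the sample lines are constructed for illustration.

```python
import re

MAX_RANGES = 5            # assumed alert threshold for this sketch
ASSUMED_LENGTH = 1 << 20  # assumed resource size, used to resolve open-ended ranges

_SPEC = re.compile(r"^(\d*)-(\d*)$")
# Assumed log layout: LogFormat "%h \"%r\" %>s \"%{Range}i\""
_LINE = re.compile(r'^(\S+) "([^"]*)" (\d{3}) "([^"]*)"$')


def parse_ranges(value):
    """Parse 'bytes=a-b,c-,-n' into (first, last) tuples; None marks an open end."""
    unit, sep, spec_set = value.strip().partition("=")
    if not sep or unit.strip().lower() != "bytes":
        raise ValueError("unsupported range unit")
    ranges = []
    for spec in spec_set.split(","):
        m = _SPEC.match(spec.strip())
        if not m or not (m.group(1) or m.group(2)):
            raise ValueError("bad byte-range-spec: %r" % spec)
        first = int(m.group(1)) if m.group(1) else None
        last = int(m.group(2)) if m.group(2) else None
        if first is not None and last is not None and last < first:
            raise ValueError("last byte precedes first byte: %r" % spec)
        ranges.append((first, last))
    return ranges


def resolve(rng, length):
    """Turn one (first, last) pair into absolute offsets, or None if unsatisfiable."""
    first, last = rng
    if first is None:                      # suffix form "-n": the final n bytes
        return (max(0, length - last), length - 1) if last else None
    if first >= length:
        return None
    return (first, length - 1 if last is None else min(last, length - 1))


def assess(value, length=ASSUMED_LENGTH, max_ranges=MAX_RANGES):
    """Classify one Range header value as ok, review, suspicious or malformed."""
    try:
        ranges = parse_ranges(value)
    except ValueError:
        return {"verdict": "malformed", "count": 0, "overlaps": 0, "bytes": 0}
    spans = sorted(s for s in (resolve(r, length) for r in ranges) if s)
    overlaps, reach, total = 0, -1, 0
    for start, end in spans:
        if start <= reach:                 # begins inside bytes already covered
            overlaps += 1
        reach = max(reach, end)
        total += end - start + 1           # bytes the server would have to emit
    if len(ranges) > max_ranges:
        verdict = "suspicious"
    elif overlaps:
        verdict = "review"
    else:
        verdict = "ok"
    return {"verdict": verdict, "count": len(ranges),
            "overlaps": overlaps, "bytes": total}


def scan(lines):
    """Return (client, verdict, range count, overlaps) for every non-ok log line."""
    findings = []
    for line in lines:
        m = _LINE.match(line.strip())
        if not m or m.group(4) in ("", "-"):   # no Range header on this request
            continue
        result = assess(m.group(4))
        if result["verdict"] != "ok":
            findings.append((m.group(1), result["verdict"],
                             result["count"], result["overlaps"]))
    return findings


# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 "GET /index.html HTTP/1.1" 200 "-"',
    '192.0.2.11 "GET /report.pdf HTTP/1.1" 206 "bytes=0-99,200-299,400-499"',
    '198.51.100.7 "HEAD / HTTP/1.1" 206 "bytes=0-,0-1,0-2,0-3,0-4,0-5,0-6"',
    '198.51.100.8 "GET /a.bin HTTP/1.1" 206 "bytes=0-10,5-20"',
    '203.0.113.5 "GET / HTTP/1.1" 200 "bytes=abc"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Multi-range requests from legitimate clients are normally few and non-overlapping, which is why a high count and overlap are reported as separate signals.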



[users@httpd] Apache httpd Range header remote DoS

2011-11-04 Thread Ruiyuan Jiang
Hi, all

I have an Apache reverse proxy server (v2.2.21) that redirects traffic from http to
https for a back end web server. I don't know the exact version of the back end
Apache web server because Oracle changed the version number, but I am sure it is
below v2.2.21. Our vulnerability scan shows that the web site has:

Apache httpd Range header remote DoS (CVE-2011-3192)
(apache-httpd-cve-2011-3192)

My question is: the front-end Apache reverse proxy hides the back end web
server's problem, doesn't it? If not, how do I fix the problem besides upgrading
the version of the back end Apache web server? Thanks.

Ryan Jiang
Liz Claiborne, Inc.






[users@httpd] Proxy for TLS connection

2011-08-02 Thread Ruiyuan Jiang
Hi, I have an Apache reverse proxy server set up for multiple http and https
connections (v2.2.19). Right now there is a request to proxy a TLS
connection which is not on port 443. Can the Apache reverse proxy server
accomplish that? Thanks.

Ruiyuan






RE: [users@httpd] Apache Reverse Proxy Server Accessing backend https through front https server

2011-04-04 Thread Ruiyuan Jiang
Hi, Igor

I tried that. In httpd-vhosts.conf, change to:


ServerName sitename
Redirect /  https://sitename/


In httpd-ssl.conf:


...
ProxyPass         /dir1/dir2/login  https://backend/
Redirect          /                 https://sitename/dir1/dir2/login
ProxyPassReverse  /                 https://backend/


It is the same result with or without the trailing "/" at https://backend.

From the log, I saw http traffic redirected to https, but afterwards I got a 403
error code for https traffic.

GET / HTTP/1.1 302 245
GET /dir1/dir2/login HTTP/1.1 403

On the backend server, the log is "directory listing forbidden".

The backend server seems to have the subdirectories in the URL.

Ryan



From: Igor Cicimov [mailto:icici...@gmail.com]
Sent: Friday, April 01, 2011 10:33 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Apache Reverse Proxy Server Accessing backend https 
through front https server


What if you change
Redirect / https://backend/
to
Redirect / https://sitename/
On Apr 2, 2011 5:56 AM, "Ruiyuan Jiang" <ruiyuan_ji...@liz.com> wrote:

Hi, all

I have an Apache reverse proxy server (v2.2.17). There is a web server with a
backend https server. When internet users access the site, they use
http://sitename and then get redirected to https://sitename. The configuration
is in httpd-vhosts.conf:


   ServerName  sitename
   Redirect /  https://sitename/dir1/dir2/login


In my httpd-ssl.conf, for the same site I have:


   ServerName  sitename
   SSLEngine on
   SSLProxyEngine on
   
   Proxypass / https://backend/
   ProxyPassReverse /  https://backend/



Now I get a new request that when the internet users use https://sitename 
besides http://sitename, users should be able to access the site too.

I modified the virtual server in httpd-vhosts.conf:


   ServerName  sitename
   Redirect /  https://backend/


In httpd-ssl.conf:


   ServerName sitename
   SSLEngine on
   SSLProxyEngine on
   ...
   Proxypass / https://backend/ dir1/dir2/login
   ProxyPassReverse /  https://backend/ dir1/dir2/login


When I accessed the site through either http or https, I saw in error log:

GET /   HTTP/1.1" 302 178
GET /dir1/dir2/login HTTP/1.1" 404 -


On my IE browser, when I accessed the site through http and https, I saw the 
same message:

The error (HTTP 404 Not Found) was able to connect to the website, but the page 
you wanted was not found.

Thanks.

Ryan Jiang





[users@httpd] Apache Reverse Proxy Server Accessing backend https through front https server

2011-04-01 Thread Ruiyuan Jiang
Hi, all

I have an Apache reverse proxy server (v2.2.17). There is a web server with a
backend https server. When internet users access the site, they use
http://sitename and then get redirected to https://sitename. The configuration
is in httpd-vhosts.conf:


ServerName  sitename
Redirect /  https://sitename/dir1/dir2/login


In my httpd-ssl.conf, for the same site I have:


ServerName  sitename
SSLEngine on
SSLProxyEngine on   

Proxypass / https://backend/
ProxyPassReverse /  https://backend/



Now I get a new request that when the internet users use https://sitename 
besides http://sitename, users should be able to access the site too.

I modified the virtual server in httpd-vhosts.conf:


ServerName  sitename
Redirect /  https://backend/


In httpd-ssl.conf:


ServerName sitename
SSLEngine on
SSLProxyEngine on
...
Proxypass / https://backend/ dir1/dir2/login
ProxyPassReverse /  https://backend/ dir1/dir2/login


When I accessed the site through either http or https, I saw in error log:

GET /   HTTP/1.1" 302 178
GET /dir1/dir2/login HTTP/1.1" 404 -


On my IE browser, when I accessed the site through http and https, I saw the 
same message:

The error (HTTP 404 Not Found) was able to connect to the website, but the page 
you wanted was not found.

Thanks.

Ryan Jiang






RE: [us...@httpd] Betr.: Re: [us...@httpd] Apache Reverse Proxy for Citrix MetaFrame Presentation Server

2010-06-03 Thread Ruiyuan Jiang
Hi, I tested and I got an "ssl error code 47" error. It seems to me that Apache
wants to terminate any port 443 traffic.
The Citrix presentation server does not allow termination of the traffic at
port 443. Otherwise Citrix will have an error.
Is there a way to let the Apache proxy server pass port 443 traffic through
without doing anything to it, like a firewall does?

Thanks.

Ryan

-Original Message-
From: Joost Heer, de [mailto:j.d.h...@atriummc.nl] 
Sent: Wednesday, June 02, 2010 6:08 AM
To: users@httpd.apache.org
Subject: [us...@httpd] Betr.: Re: [us...@httpd] Apache Reverse Proxy for Citrix 
MetaFrame Presentation Server

>>> Igor Cicimov  2-6-2010 2:11 >>>
>Maybe this will work:

>
>  Servername citrix.example.com
>   ProxyRequests Off
>   AllowCONNECT 443
>   ProxyPass / backendserver
>   ProxyPassReverse / backendserver
>

AllowCONNECT is for forward proxies. You need SSLProxyEngine on, and then 
ProxyPass / https://backend/ (the ProxyPassReverse line is probably unnecessary 
because it's not https-traffic, but it won't kill you to add it anyway).

Joost





RE: [us...@httpd] Betr.: Re: [us...@httpd] Apache Reverse Proxy for Citrix MetaFrame Presentation Server

2010-06-02 Thread Ruiyuan Jiang
So I should treat tcp tunneling through the https port to the backend server the
same way as a regular https backend server, Joost? I do have the SSLProxyEngine on
statement. Thanks.

Ruiyuan

-Original Message-
From: Joost Heer, de [mailto:j.d.h...@atriummc.nl] 
Sent: Wednesday, June 02, 2010 6:08 AM
To: users@httpd.apache.org
Subject: [us...@httpd] Betr.: Re: [us...@httpd] Apache Reverse Proxy for Citrix 
MetaFrame Presentation Server

>>> Igor Cicimov  2-6-2010 2:11 >>>
>Maybe this will work:

>
>  Servername citrix.example.com
>   ProxyRequests Off
>   AllowCONNECT 443
>   ProxyPass / backendserver
>   ProxyPassReverse / backendserver
>

AllowCONNECT is for forward proxies. You need SSLProxyEngine on, and then 
ProxyPass / https://backend/ (the ProxyPassReverse line is probably unnecessary 
because it's not https-traffic, but it won't kill you to add it anyway).

Joost





[us...@httpd] Apache Reverse Proxy for Citrix MetaFrame Presentation Server

2010-06-01 Thread Ruiyuan Jiang
Hi,

I need to set up a Reverse Proxy server for a Citrix MetaFrame Presentation server
for people to access internal resources.
My Apache reverse proxy server is running and it proxies http and https
requests.
The Citrix backend server uses port 443 for a TCP tunnel, not https.
Should I use mod_proxy_connect to do this? In my https-ssl.conf file, I created
a new virtual host:


Servername citrix.example.com
AllowCONNECT / backendserver:443


The syntax check gives me an error that 'AllowCONNECT': port number must be 
numberic.

It seems that it does not take the server name besides the port number since I 
need to forward the request to a backend server.

Does anyone know how to do this? Thanks.

Ryan






RE: [us...@httpd] RE: Wield problem with a reverse proxy server

2010-04-28 Thread Ruiyuan Jiang
Hi, Justin

The request is when people type the URL www.survey.juicycouture.com with or 
without trailing tellus, the client request needs to be redirected to the site 
survery.juicycouture.com/tellus which is hosted by an outside ISP. I host the 
URL www.survey.juicycouture.com and www.survey.juicycouture.com/tellus through 
Apache reverse proxy server. I will test your suggestion. Thanks.

Ryan

-Original Message-
From: Justin Pasher [mailto:just...@newmediagateway.com] 
Sent: Wednesday, April 28, 2010 10:37 AM
To: users@httpd.apache.org
Subject: Re: [us...@httpd] RE: Wield problem with a reverse proxy server

- Original Message -
> From: Ruiyuan Jiang 
> Date: Tue, 27 Apr 2010 15:54:24 -0400
> Subject: [us...@httpd] RE: Wield problem with a reverse proxy server
> To: users@httpd.apache.org 
> 
>
> Hi, all
>
> I posted below email but got no answer. Now I found that my Apache 2.2.15 
> stopped working. It behaves the same way as Apache 2.2.14.
> As a test, I switched the order on Apache 2.2.15 for these two virtual host 
> statements:
>
> 
> 
> 
> 
>
> 
>   ServerName  www.survey.juicycouture.com
>   Redirect    /        http://survey.juicycouture.com/tellus
>
>
>
>   ServerName  www.survey.juicycouture.com
>   Redirect    /tellus  http://survey.juicycouture.com/tellus
>
>   

You have two VirtualHost containers with the exact same settings (same 
IP:port and same ServerName). There's no way for Apache to distinguish 
between the two (it can only do so based upon the IP:port or ServerName).

What are you expecting to happen when someone visits a URL that is NOT 
http://www.survey.juicycouture.com or 
http://www.survey.juicycouture.com/tellus? Where should it go? Depending 
on the answer to this, why not just create one VirtualHost with a simple 
RewriteRule to push all requests to the new URL?

RewriteEngine on
RewriteRule . http://survey.juicycouture.com/tellus

Otherwise, just handle the two special cases

RewriteEngine on
RewriteRule ^/$ http://survey.juicycouture.com/tellus
RewriteRule ^/tellus$ http://survey.juicycouture.com/tellus

-- 
Justin Pasher




[us...@httpd] RE: Wield problem with a reverse proxy server

2010-04-27 Thread Ruiyuan Jiang
Hi, all

I posted below email but got no answer. Now I found that my Apache 2.2.15 
stopped working. It behaves the same way as Apache 2.2.14.
As a test, I switched the order on Apache 2.2.15 for these two virtual host 
statements:







ServerName  www.survey.juicycouture.com
Redirect    /        http://survey.juicycouture.com/tellus



ServerName  www.survey.juicycouture.com
Redirect    /tellus  http://survey.juicycouture.com/tellus


It seems the first virtual host is working but the second virtual host for the
site is no longer working. It sounds to me that, for redirects on the same site,
Apache takes the first virtual host.

The requirement for the site is that if the remote user uses either the URL
http://www.survey.juicycouture.com or
http://www.survey.juicycouture.com/tellus, Apache needs to redirect the traffic
to the remotely hosted site http://survey.juicycouture.com/tellus from my
reverse proxy server.
I thought about the rewrite engine but I am not that good with it. Can anyone
help to figure out the best way? Thanks.

Ryan




-Original Message-
From: Ruiyuan Jiang [mailto:ruiyuan_ji...@liz.com] 
Sent: Thursday, April 22, 2010 5:41 PM
To: users@httpd.apache.org
Subject: [us...@httpd] Wield problem with a reverse proxy server

Hi, all

I have two reverse proxy servers, one is v2.2.15 (mpm=worker) and the other is 
v2.2.14 (prefork). They both run on Solaris 10.

Now I have a request to redirect traffic for an additional web site which is
outsourced by another party.

What I have done on a reverse proxy (httpd-vhosts.conf) is to append:


ServerName  www.survey.juicycouture.com
Redirect    /tellus  http://survey.juicycouture.com/tellus



ServerName  www.survey.juicycouture.com
Redirect    /        http://survey.juicycouture.com/tellus


On the other reverse proxy server, I did the same:


ServerName  www.survey.juicycouture.com
Redirect    /tellus  http://survey.juicycouture.com/tellus



ServerName  www.survey.juicycouture.com
Redirect    /        http://survey.juicycouture.com/tellus


On the Apache 2.2.15 (ie 10.10.10.10), it works the way I want. Apache
redirects the traffic to the site from the URL that I typed in the browser
(http://www.survey.juicycouture.com and
http://www.survey.juicycouture.com/tellus).

On the Apache 2.2.14 (ie 20.20.20.20), it redirects the URL
(http://www.survey.juicycouture.com/tellus) correctly. When I typed
http://www.survey.juicycouture.com, it shows me the local document root
directory list which has Apache's default index.html file. If I click
index.html, it says "It Works!" from Apache and it did redirect the traffic.
I have put a trailing "/" after "tellus":

Redirect    /        http://survey.juicycouture.com/tellus/

But that does not work either.

What is wrong here? Thanks.

Ryan Jiang






[us...@httpd] Wield problem with a reverse proxy server

2010-04-22 Thread Ruiyuan Jiang
Hi, all

I have two reverse proxy servers, one is v2.2.15 (mpm=worker) and the other is 
v2.2.14 (prefork). They both run on Solaris 10.

Now I have a request to redirect traffic for an additional web site which is
outsourced by another party.

What I have done on a reverse proxy (httpd-vhosts.conf) is to append:


ServerName  www.survey.juicycouture.com
Redirect    /tellus  http://survey.juicycouture.com/tellus



ServerName  www.survey.juicycouture.com
Redirect    /        http://survey.juicycouture.com/tellus


On the other reverse proxy server, I did the same:


ServerName  www.survey.juicycouture.com
Redirect    /tellus  http://survey.juicycouture.com/tellus



ServerName  www.survey.juicycouture.com
Redirect    /        http://survey.juicycouture.com/tellus


On the Apache 2.2.15 (ie 10.10.10.10), it works the way I want. Apache
redirects the traffic to the site from the URL that I typed in the browser
(http://www.survey.juicycouture.com and
http://www.survey.juicycouture.com/tellus).

On the Apache 2.2.14 (ie 20.20.20.20), it redirects the URL
(http://www.survey.juicycouture.com/tellus) correctly. When I typed
http://www.survey.juicycouture.com, it shows me the local document root
directory list which has Apache's default index.html file. If I click
index.html, it says "It Works!" from Apache and it did redirect the traffic.
I have put a trailing "/" after "tellus":

Redirect    /        http://survey.juicycouture.com/tellus/

But that does not work either.

What is wrong here? Thanks.

Ryan Jiang






RE: [us...@httpd] Number of https virtual hosts support under v2.0.59

2010-03-12 Thread Ruiyuan Jiang
Thanks, Emmanuel. Interesting test site.

Ryan

-Original Message-
From: Emmanuel Bailleul [mailto:emmanuel.baill...@telindus.fr] 
Sent: Friday, March 12, 2010 1:49 PM
To: users@httpd.apache.org
Subject: RE: [us...@httpd] Number of https virtual hosts support under v2.0.59

> -Original Message-
> From: Ruiyuan Jiang [mailto:ruiyuan_ji...@liz.com]
> Sent: Friday, March 12, 2010 19:40
> To: users@httpd.apache.org
> Subject: RE: [us...@httpd] Number of https virtual hosts support under
> v2.0.59
> 
> Hi, Philip
> 
> I don't know how to configure SNI on Apache since I don't see anything
> from mod_ssl's document that Krist replied to me before. I assume it
> automatically works. I just configured ssl virtualhost the same way as
> http virtualhost plus ssl's unique requirements.
> I use Windows XP. I tested IE 8 with Vista on a MacBook and it works since
> that is what I have at the moment.
> I was planning to have live sites on the internet by unknown users. Now I
> guess I need to have second thought.
> I tested on v2.0.59. It needs a lot of IPs for certs that I'd like to
> migrate to.
> 
> Ryan
> 
> 
> 
> -Original Message-
> From: Philip Wigg [mailto:p...@philipwigg.co.uk]
> Sent: Friday, March 12, 2010 11:58 AM
> To: users@httpd.apache.org
> Subject: Re: [us...@httpd] Number of https virtual hosts support under
> v2.0.59
> 
> On 12 March 2010 16:43, Ruiyuan Jiang  wrote:
> > Hi, Krist
> >
> > I tested with Apache 2.2.15 reverse proxy with two certs on the Apache,
> one is real cert and the other is self-signed. The configuration is
> virtualhosts for ssl.
> > The results that I got are:
> >
> > On PC client:
> >
> > Firefox v3.5.8 showed correct certs, one real and the other is not.
> > IE 8 showed incorrect when I viewed the certs. The self-signed cert site
> used the real cert.
> >
> > On MAC client:
> >
> > Both Safari 4.0.4 and Firefox 3.5.2 showed correctly, one real and one
> self-signed cert.
> >
> > My question is eventually both sites will have real certs when I am done
> testing. Will IE 6 and above uses the correct certs or only uses one cert,
> may be the first virtual host listed in ssl configuration file of Apache?
> 
> Presuming you've configured SNI correctly, what operating system are
> you using? Note that IE 7 and 8 only support SNI when
> running on Vista or higher, not on Windows XP. IE6 doesn't support
> SNI at all and never will to my knowledge.
> 
> Are you putting this on a live site to be accessed by unknown users on
> the internet? If so, basically, don't. Most users on the internet will
> not be running an SNI-capable browser.
> 
> -- Phil.
> 

Hi,

You have a short desc here :
http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI
and indeed, it should "just work".
You also have interesting test sites here :
https://sni.velox.ch/

Regards

Emmanuel




RE: [us...@httpd] Number of https virtual hosts support under v2.0.59

2010-03-12 Thread Ruiyuan Jiang
Hi, Philip

I don't know how to configure SNI on Apache since I don't see anything from 
mod_ssl's document that Krist replied to me before. I assume it automatically 
works. I just configured ssl virtualhost the same way as http virtualhost plus 
ssl's unique requirements.
I use Windows XP. I tested IE 8 with Vista on a MacBook and it works since that 
is what I have at the moment.
I was planning to have live sites on the internet by unknown users. Now I guess 
I need to have second thought.
I tested on v2.0.59. It needs a lot of IPs for certs that I'd like to migrate 
to.

Ryan



-Original Message-
From: Philip Wigg [mailto:p...@philipwigg.co.uk] 
Sent: Friday, March 12, 2010 11:58 AM
To: users@httpd.apache.org
Subject: Re: [us...@httpd] Number of https virtual hosts support under v2.0.59

On 12 March 2010 16:43, Ruiyuan Jiang  wrote:
> Hi, Krist
>
> I tested with Apache 2.2.15 reverse proxy with two certs on the Apache, one 
> is real cert and the other is self-signed. The configuration is virtualhosts 
> for ssl.
> The results that I got are:
>
> On PC client:
>
> Firefox v3.5.8 showed correct certs, one real and the other is not.
> IE 8 showed incorrect when I viewed the certs. The self-signed cert site used 
> the real cert.
>
> On MAC client:
>
> Both Safari 4.0.4 and Firefox 3.5.2 showed correctly, one real and one 
> self-signed cert.
>
> My question is eventually both sites will have real certs when I am done 
> testing. Will IE 6 and above use the correct certs or only use one cert, 
> maybe the first virtual host listed in the ssl configuration file of Apache?

Presuming you've configured SNI correctly, what operating system are
you using? Note that SNI with IE 7 and 8 only works when
running on Vista or higher, not with Windows XP. IE6 doesn't support
SNI at all and never will to my knowledge.

Are you putting this on a live site to be accessed by unknown users on
the internet? If so, basically, don't. Most users on the internet will
not be running an SNI-capable browser.

-- Phil.




RE: [us...@httpd] Number of https virtual hosts support under v2.0.59

2010-03-12 Thread Ruiyuan Jiang
Hi, Krist

I tested with Apache 2.2.15 reverse proxy with two certs on the Apache, one is 
real cert and the other is self-signed. The configuration is virtualhosts for 
ssl. 
The results that I got are:

On PC client:

Firefox v3.5.8 showed correct certs, one real and the other is not.
IE 8 showed incorrect when I viewed the certs. The self-signed cert site used 
the real cert.

On MAC client:

Both Safari 4.0.4 and Firefox 3.5.2 showed correctly, one real and one 
self-signed cert.

My question is eventually both sites will have real certs when I am done 
testing. Will IE 6 and above use the correct certs or only use one cert, maybe 
the first virtual host listed in the ssl configuration file of Apache?

Thanks.

Ryan


-Original Message-
From: Krist van Besien [mailto:krist.vanbes...@gmail.com] 
Sent: Wednesday, March 03, 2010 5:36 AM
To: users@httpd.apache.org
Subject: Re: [us...@httpd] Number of https virtual hosts support under v2.0.59

On Mon, Mar 1, 2010 at 4:30 PM, Ruiyuan Jiang  wrote:
> Thanks for the response, Krist.
> The version of openssl that I am using is good 0.98l. The problem is the 
> Apache since I can't use 2.2.14 because the bug it has. See my another post 
> about the page does not refresh automatically after user logs in. I guess I 
> have to try to use work around.
> By the way, you stated "only works with recent browsers though." What 
> browsers and versions work with that, Firefox or IE or both?
(from wikipedia)
Browsers

Browsers with support for TLS server name indication:

* Mozilla Firefox 2.0 or later
* Opera 8.0 or later (the TLS 1.1 protocol must be enabled)
* Internet Explorer 7 (Vista or higher, not XP) or later
* Google Chrome (Vista or higher, not XP)
* Safari 3.2.1 and newer on Mac OS X 10.5.6 and Windows
Vista or higher, not XP


Krist

-- 
krist.vanbes...@gmail.com
kr...@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?




RE: [us...@httpd] [Announce] Apache HTTP Server (httpd) 2.2.15 Released

2010-03-10 Thread Ruiyuan Jiang
No, I did not. I just tried again and it failed again. But I found that one 
download on my hard disk was good but the rest of the downloads are not good. Thanks 
anyway.

-Original Message-
From: Eric Covener [mailto:cove...@gmail.com] 
Sent: Wednesday, March 10, 2010 12:05 PM
To: users@httpd.apache.org
Subject: Re: [us...@httpd] [Announce] Apache HTTP Server (httpd) 2.2.15 Released

On Wed, Mar 10, 2010 at 11:57 AM, Ruiyuan Jiang  wrote:
> Hi,
>
> Has anyone downloaded the .tar.gz format file for v2.2.15? I tried to gunzip 
> the file on Solaris, HPUX and Windows and all had problems. I downloaded 
> multiple times on multiple days but got the same thing. Thanks.

Worked fine for me on Linux and Solaris.  Did you validate the
checksum? Which mirror did you use?

-- 
Eric Covener
cove...@gmail.com




RE: [us...@httpd] [Announce] Apache HTTP Server (httpd) 2.2.15 Released

2010-03-10 Thread Ruiyuan Jiang
Hi, 

Has anyone downloaded the .tar.gz format file for v2.2.15? I tried to gunzip 
the file on Solaris, HPUX and Windows and all had problems. I downloaded 
multiple times on multiple days but got the same thing. Thanks.

Ryan

-Original Message-
From: William A. Rowe Jr. [mailto:wr...@rowe-clan.net] 
Sent: Saturday, March 06, 2010 3:47 PM
To: users@httpd.apache.org
Subject: [us...@httpd] [Announce] Apache HTTP Server (httpd) 2.2.15 Released

The Apache Software Foundation and the Apache HTTP Server Project are
pleased to announce the release and immediate availability of version
2.2.15 of the Apache HTTP Server ("httpd").  This version of httpd is
principally a security and bug fix release.

Notably, this release was updated to reflect the OpenSSL Project's
release 0.9.8m of the openssl library, and addresses CVE-2009-3555
(cve.mitre.org), the TLS renegotiation prefix injection attack.
This release further addresses the issues CVE-2010-0408, CVE-2010-0425
and CVE-2010-0434 within mod_proxy_ajp, mod_isapi and mod_headers
respectively.

We consider this release to be the best version of httpd available, and
encourage users of all prior versions to upgrade.

Apache HTTP Server 2.2.15 is available for download from:

  http://httpd.apache.org/download.cgi

Please see the CHANGES_2.2 file, linked from the download page, for a
full list of changes.  A condensed list, CHANGES_2.2.15 provides the
complete list of changes since 2.2.14. A summary of security
vulnerabilities which were addressed in the previous 2.2.14 and earlier
releases is available:

  http://httpd.apache.org/security/vulnerabilities_22.html

Apache HTTP Server 2.2.15 is compatible with Apache Portable Runtime
(APR) versions 1.3 and 1.4, APR-util library version 1.3, and
APR-iconv library version 1.2.  The most current releases should
be used to address known security and platform bugs.  At the time of
this httpd release, the recommended APR releases are:

  * Apache Portable Runtime (APR) library version 1.4.2 (bundled),
    or at minimum, version 1.3.12
  * APR-util library version 1.3.9 (bundled)
  * APR-iconv library version 1.2.1 (only bundled in win32-src.zip)

Older releases of these libraries have known vulnerabilities or other
defects affecting httpd.  For further information and downloads, visit:

  http://apr.apache.org/

Apache HTTP Server 2.2 offers numerous enhancements, bug fixes, and
performance enhancements over the 2.0 codebase.  For an overview of
new features introduced since 2.0 please see:

  http://httpd.apache.org/docs/2.2/new_features_2_2.html

This release builds upon and extends the httpd 2.0 API.  Modules written
for httpd 2.0 will need to be recompiled in order to run with httpd 2.2,
and may require minimal or no source code changes.

When upgrading or installing this version of httpd, please bear in mind
that if you intend to use httpd with one of the threaded MPMs (other
than the Prefork MPM), you must ensure that any modules you will be
using (and the libraries they depend on) are thread-safe.




RE: [us...@httpd] [Announce] Apache HTTP Server (httpd) 2.2.15 Released

2010-03-08 Thread Ruiyuan Jiang
Hi, William

Does v2.2.15 fix the problem that I reported "BUG 48819" that happens on 
v2.2.14? Thanks.

Ryan





RE: [us...@httpd] Number of https virtual hosts support under v2.0.59

2010-03-01 Thread Ruiyuan Jiang
Thanks for the response, Krist. 
The version of openssl that I am using is good, 0.98l. The problem is the Apache, 
since I can't use 2.2.14 because of the bug it has. See my other post about the 
page not refreshing automatically after the user logs in. I guess I have to try 
to use a workaround.
By the way, you stated "only works with recent browsers though." What browsers 
and versions work with that, Firefox or IE or both?

Ryan

-Original Message-
From: Krist van Besien [mailto:krist.vanbes...@gmail.com] 
Sent: Monday, March 01, 2010 4:13 AM
To: users@httpd.apache.org
Subject: Re: [us...@httpd] Number of https virtual hosts support under v2.0.59

On Fri, Feb 26, 2010 at 9:55 PM, Ruiyuan Jiang  wrote:

> So I wonder whether Apache 2.0.59 supports more than one https reverse proxy 
> setup? Thanks in advance.

You are probably trying to use name based https virtual hosts. This
used to be impossible, not due to limitations in apache, but due to
limitations in the SSL protocol.

More background to this problem you can find here:
http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#vhosts

When I'm saying "it used to be impossible" I am indeed implying that
nowadays this can be made to function, due to an extension to the SSL
protocol, named SNI. This requires a bleeding edge apache and only
works with recent browsers though.

Krist

-- 
krist.vanbes...@gmail.com
kr...@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?




[us...@httpd] Number of https virtual hosts support under v2.0.59

2010-02-26 Thread Ruiyuan Jiang
Hi, all

How many https virtual hosts are supported under Apache v2.0.59? I can't test with 
v2.2.14 because of the bug I just filed. 

On my Solaris 10, Apache 2.0.59 reverse proxy server, I have a https virtual 
host defined with a real certificate from a CA and forward https traffic to a 
backend server (different server). I have multiple http reverse proxy servers 
defined but only one https reverse proxy server defined. The https session is 
redirected from http session and it works.

Now I'd like to add another test https reverse proxy server with a self signed 
certificate which the traffic will be redirected from internet client's http 
session and communicate with the backend server (different server) with http 
traffic. In my ssl.conf file, I basically did copy and paste the configuration 
from the one that works, append the configuration at the bottom of the ssl.conf 
and made necessary changes. The configuration test passed fine.

When I started "apachectl startssl", it prompts me for the pass phrase with the 
self signed one and it never prompts for the real certificate's pass phrase. I 
was expecting two pass phrase prompts, one for each https server.

I used Firefox to access the self-signed site and it prompts that the certificate 
does not match. The detail of the certificate shows the certificate used for the 
session is the real certificate, not the self-signed one. When I access the site 
that has the real certificate, it works correctly. The problem happens on IE 6 
also. 

So I wonder whether Apache 2.0.59 supports more than one https reverse proxy 
setup? Thanks in advance.

Ryan






RE: [us...@httpd] Bugs or problem?

2010-02-25 Thread Ruiyuan Jiang
Hi, Tom

In the Solaris box, I use proxypass, proxypassreverse, mod_proxy and 
mod_proxy_http. On the HP box, I use mod_proxy_ajp.

Ryan

-Original Message-
From: Tom Evans [mailto:tevans...@googlemail.com] 
Sent: Thursday, February 25, 2010 11:10 AM
To: users@httpd.apache.org
Subject: Re: [us...@httpd] Bugs or problem?

On Thu, Feb 25, 2010 at 4:00 PM, Ruiyuan Jiang  wrote:
> Yes, Rich
>
> I do use proxypass, proxypassreverse, mod_proxy and mod_proxy_http.
>
> Ryan
>

I thought you were using mod_proxy_ajp?

Tom




RE: [us...@httpd] Bugs or problem?

2010-02-25 Thread Ruiyuan Jiang
Yes, Rich

I do use proxypass, proxypassreverse, mod_proxy and mod_proxy_http.

Ryan

-Original Message-
From: Rich Bowen [mailto:rbo...@rcbowen.com] 
Sent: Thursday, February 25, 2010 10:49 AM
To: users@httpd.apache.org
Subject: Re: [us...@httpd] Bugs or problem?


On Feb 25, 2010, at 10:30 AM, Ruiyuan Jiang wrote:

> Hi, Rich
> 
> Yes the login page for the user authentication comes from Tomcat server. The 
> traffic between Solaris Apache and HPUX Apache server are strictly 'http', 
> HPUX Apache redirect traffic to AJP port of Tomcat through mod_jk. In my 
> Apache 2.2.14 test, except downgraded Apache from v2.2.14 to 2.0.15 on 
> Solaris and its related configuration changes in httpd.conf, there is no 
> other changes made. That is why I think there is a problem in Apache v2.2.14.
> 
> I should make it clear. In my previous HPUX Apache v2.2.8 problem, the Apache 
> on HPUX had two separate virtual servers. At the time, one virtual web server 
> had strictly static html web pages and served by Apache directly. The other 
> virtual web server uses mod_jk for the communication between Apache and 
> Tomcat. When the problem happened, clients could access web server with 
> static web pages no problem. Clients could not access the web server with 
> Apache and Tomcat. Restart Tomcat did not help. Restart Apache helped. It 
> could last for several days no problem. After that, the problem happened 
> again and needed to restart Apache again. Once I downgraded Apache from 
> v2.2.8 to v2.0.59 without other changes, the problem is gone.

Ruiyuan,

I'm sorry to have wasted your time assuming that this was a problem that could 
be easily resolved. It seems like maybe this is a difference in how mod_proxy 
handles stuff - I assume you're using ProxyPass and mod_proxy_http.

I would suggest that you post your situation on 
https://issues.apache.org/bugzilla/ , with as much detail as possible, 
including your ProxyPass configuration.

--Rich



RE: [us...@httpd] Bugs or problem?

2010-02-25 Thread Ruiyuan Jiang
Thanks, Rich. 

Ryan




RE: [us...@httpd] Bugs or problem?

2010-02-25 Thread Ruiyuan Jiang
Hi, Rich

Yes, the login page for the user authentication comes from the Tomcat server. The 
traffic between the Solaris Apache and HPUX Apache servers is strictly 'http'; HPUX 
Apache redirects traffic to the AJP port of Tomcat through mod_jk. In my Apache 
2.2.14 test, except for downgrading Apache from v2.2.14 to 2.0.15 on Solaris and its 
related configuration changes in httpd.conf, there are no other changes made. 
That is why I think there is a problem in Apache v2.2.14.

I should make it clear. In my previous HPUX Apache v2.2.8 problem, the Apache 
on HPUX had two separate virtual servers. At the time, one virtual web server 
had strictly static html web pages and served by Apache directly. The other 
virtual web server uses mod_jk for the communication between Apache and Tomcat. 
When the problem happened, clients could access web server with static web 
pages no problem. Clients could not access the web server with Apache and 
Tomcat. Restart Tomcat did not help. Restart Apache helped. It could last for 
several days no problem. After that, the problem happened again and needed to 
restart Apache again. Once I downgraded Apache from v2.2.8 to v2.0.59 without 
other changes, the problem is gone.

Ryan

-Original Message-
From: Rich Bowen [mailto:rbo...@rcbowen.com] 
Sent: Thursday, February 25, 2010 8:49 AM
To: users@httpd.apache.org
Subject: Re: [us...@httpd] Bugs or problem?


On Feb 24, 2010, at 4:45 PM, Ruiyuan Jiang wrote:

> Well, I posted the problem two weeks ago and nobody responded. I will do it 
> again.

I'm sorry. I missed that.

> 
> 2. The problem that I have now is:
> 
> Solaris 10, Apache 2.2.14 reverse proxy --> HPUX 11.23, Apache 2.0.59, Tomcat 
> 5.5 AJP --> Oracle DB
> 
> The web sites are having user login page. Once the users enter their user 
> names and passwords, the page does not refresh itself to tell the users that 
> they have logged in. Rather the web page still shows login page until the 
> users click F5 to refresh the web page and then the web page shows the users 
> are logged in. The same happened when the users logged out.
> 
> Now I tested with this setup:
> 
> Solaris 10, Apache 2.0.59 reverse proxy --> HPUX 11.23, Apache 2.0.59, Tomcat 
> 5.5 AJP --> Oracle DB
> 
> The problem went away. 
> 
> Note those Apache are pre-compiled either by HP or internet, I did not 
> compile myself although I can. At the time the latest version compiled by HP 
> was Apache 2.2.8. 


The use of the term "login page" makes me wonder if maybe the error lies at 
some higher layer than Apache. Apache implements authentication in ways that 
don't involve a "login page", and so presumably this login page is from some 
third-party application, or something you have coded yourself. Is there an HTTP 
Redirect involved in this page refresh, or is it an AJAX action? Can you watch 
the traffic (either something like Firebug, or something on the server) to 
observe what's happening, and where the message is getting dropped?


-
The official User-To-User support forum of the Apache HTTP Server Project.
See <http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
   "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org







RE: [us...@httpd] Bugs or problem?

2010-02-24 Thread Ruiyuan Jiang
Well, I posted the problem two weeks ago and nobody responded. I will do it 
again.

1. The first problem was with Apache 2.2.8, and it is fixed in 2.2.14. I used 
HP's precompiled Apache 2.2.8 (HPUX 11.23); the web sites were migrated from HPUX 
11.11, Apache 2.0.59 to HPUX 11.23, Apache 2.2.8. The web sites are configured 
with Apache virtual hosts which redirect to Tomcat 5.5 AJP, which is installed on 
the same host. The Apache virtual hosts also have static web pages for a 
web site. When the problem happened, Apache did not redirect to Tomcat AJP, so 
the web site couldn't be accessed. Meanwhile the static web pages could be 
accessed on that web site. We restarted Tomcat, but that did not help until Apache was 
restarted. Once I downgraded to HPUX 11.23, Apache 2.0.59, the problem went 
away. I called HP support but got no help.

2. The problem that I have now is:

Solaris 10, Apache 2.2.14 reverse proxy --> HPUX 11.23, Apache 2.0.59, Tomcat 
5.5 AJP --> Oracle DB

The web sites have a user login page. Once the users enter their user names 
and passwords, the page does not refresh itself to tell the users that they 
have logged in. Rather, the web page still shows the login page until the users 
press F5 to refresh the web page, and then the web page shows the users are 
logged in. The same happened when the users logged out.

Now I tested with this setup:

Solaris 10, Apache 2.0.59 reverse proxy --> HPUX 11.23, Apache 2.0.59, Tomcat 
5.5 AJP --> Oracle DB

The problem went away. 

Note that those Apache builds are pre-compiled, either by HP or from the internet; I did not compile 
them myself, although I can. At the time, the latest version compiled by HP was Apache 
2.2.8. 

Ryan

-Original Message-
From: Rich Bowen [mailto:rbo...@rcbowen.com] 
Sent: Wednesday, February 24, 2010 4:08 PM
To: users@httpd.apache.org
Subject: Re: [us...@httpd] Bugs or problem?


On Feb 24, 2010, at 2:18 PM, Ruiyuan Jiang wrote:

> Hi, all
> 
> I found a problem on Apache v2.2.14. I downgraded my Apache to v2.0.59 and 
> tested. The problem does not exist on Apache v2.0.59. How do I file a bug 
> report or fix request? Thanks.

You start by telling us what the problem is, and seeing if it's something for 
which there's a well-known solution.

--Rich





[us...@httpd] Bugs or problem?

2010-02-24 Thread Ruiyuan Jiang
Hi, all

I found a problem on Apache v2.2.14. I downgraded my Apache to v2.0.59 and 
tested. The problem does not exist on Apache v2.0.59. How do I file a bug 
report or fix request? Thanks.

Ryan






[us...@httpd] Page not updating after login

2010-02-03 Thread Ruiyuan Jiang
Hi, all

We have a web server which uses Tomcat AJP. The setup is:



Internet PCs --> Solaris 10, SPARC, Apache v2.2.14 reverse proxy server --> 
HPUX Apache server v.2.0.59, Tomcat AJP server v5.5.26 --> HPUX Oracle database.

HPUX Apache (HP pre-compiled Apache) and Tomcat are installed on the same host. 
HPUX Oracle database is on a separate server.
Apache on Solaris is pre-compiled and I downloaded it from the Internet.

From the internet, I went to my home page and went to a sign-in page. After I 
signed in, the page did not get refreshed, and it seemed that I had not logged in or 
had typed the wrong user name and password, and it re-prompted me to log in. If it is working 
correctly, it should show the page that I logged in. 
If I hit F5 to refresh the page, it shows me that I logged in to the site. 
I tested that if I bypass the Solaris Apache reverse proxy and go directly to 
the HP Apache server from the client, it shows the correct page that I logged in.

In the Solaris Apache configuration, I am not sure which Apache module or 
directive caused that problem. It seems to us there is some caching happening 
here. I am out of ideas and I thought I had disabled all the caching on the 
Apache side. Thanks in advance.

Ryan








RE: [us...@httpd] Passing remote client IP address to backend server and session stickness

2009-12-04 Thread Ruiyuan Jiang
Hi, Haroon and Tom

I think I found the problem but I have to wait for backend Oracle DB to make a 
change to test. 

But it seems nobody answers my question 2. 

Ryan

-Original Message-
From: Haroon Rafique [mailto:haroon.rafi...@utoronto.ca] 
Sent: Tuesday, December 01, 2009 10:57 AM
To: users@httpd.apache.org
Subject: RE: [us...@httpd] Passing remote client IP address to backend server 
and session stickness

On Today at 10:29am, RJ=>Ruiyuan Jiang  wrote:

RJ> Hi, Haroon
RJ> 
RJ> Thanks for the reply. Do you mean they are automatically activated for 
RJ> reverse proxy?

Yes.

RJ> 
RJ> Unfortunately it does not work for me if they are activated.
RJ> 

What does not work? The X-Forwarded-For header *is* there and that's where 
the automatic part ends. Is your application looking for it? Looking for 
it in what way?

RJ> 
RJ> My backend server will be Oracle 9iAS or Oracle 10gAS.
RJ> 

Seems like you are on the java platform. How about deploying a test 
servlet? or a jsp as follows:

<%= request.getHeader("X-Forwarded-For") %>

On an aside, mod_remoteip does all of the address figuring out in apache 
land. AFAIK, it is only bundled with apache 2.3. I see that you are asking 
on another thread about how to include mod_remoteip in apache 2.2 land.

Again, I can only tell you about my experiences. I use apache 2.2.x with 
mod_proxy in a reverse-proxy configuration. For my java app, I use 
xebia-france XForwardedFilter (which is a java port of mod_remoteip).

RJ> 
RJ> Ryan
RJ> 

Cheers,
--
Haroon Rafique






RE: [us...@httpd] Passing remote client IP address to backend server and session stickness

2009-12-01 Thread Ruiyuan Jiang
Thanks, Tom

I will check with my developers here. By the way, does Apache do 
X-Forwarded-For differently from the rest of the reverse proxy vendors? 

Ryan

-Original Message-
From: Tom Evans [mailto:tevans...@googlemail.com] 
Sent: Tuesday, December 01, 2009 11:51 AM
To: users@httpd.apache.org
Subject: Re: [us...@httpd] Passing remote client IP address to backend server 
and session stickness

On Tue, Dec 1, 2009 at 4:29 PM, Ruiyuan Jiang  wrote:
> Hi, Haroon
>
> Where do you see Apache 2.3? I don't see it on the official Apache web site.
> Also where should I apply:
>
> <%= request.getHeader("X-Forwarded-For") %>
>
> In my Apache reverse proxy server? Thanks.
>
> Ryan
>

Apache 2.3 is apache development branch.

When apache acts as a reverse proxy it automatically adds the
X-Forwarded-For header to the incoming request. It does this
automatically, it is part of what reverse proxies do.

Your application server can see this header and update itself to use
the IP address in this header as the 'real' IP address of the
connection.

mod_remoteip is an apache module in apache 2.3 that does this. For you
to use this, your application server must be apache.

It seems like your application server is not apache, it is some sort
of java application server. mod_remoteip would not be a solution for
that. Simply stfw for 'x-forwarded-for ' for
potential solutions:

http://lmgtfy.com/?q=oracle+10+x-forwarded-for
http://lmgtfy.com/?q=oracle+9+x-forwarded-for

Tom




RE: [us...@httpd] Passing remote client IP address to backend server and session stickness

2009-12-01 Thread Ruiyuan Jiang
I am a sysadmin, Haroon. Thanks.


-Original Message-
From: Haroon Rafique [mailto:haroon.rafi...@utoronto.ca] 
Sent: Tuesday, December 01, 2009 11:55 AM
To: users@httpd.apache.org
Subject: RE: [us...@httpd] Passing remote client IP address to backend server 
and session stickness

On Today at 11:29am, RJ=>Ruiyuan Jiang  wrote:

RJ> Hi, Haroon
RJ> 
RJ> Where do you see Apache 2.3? I don't see it on the official Apache web site.


As of yet unreleased. If I remember correctly, 2.3 will be the unstable 
branch and 2.4 (when released) will be the stable version.


RJ> Also where should I apply:
RJ> 
RJ> <%= request.getHeader("X-Forwarded-For") %>
RJ> 
RJ> In my Apache reverse proxy server? Thanks.
RJ> 

No, that is the content of .jsp which you could deploy on your Oracle app 
server. Are you a java developer or sysadmin? If not a java developer, 
then ask your java devs for some help.

RJ> Ryan
RJ> 

Later,
--
Haroon Rafique






RE: [us...@httpd] Passing remote client IP address to backend server and session stickness

2009-12-01 Thread Ruiyuan Jiang
Hi, Haroon

Where do you see Apache 2.3? I don't see it on the official Apache web site.
Also where should I apply:

<%= request.getHeader("X-Forwarded-For") %>

In my Apache reverse proxy server? Thanks.

Ryan

-Original Message-
From: Haroon Rafique [mailto:haroon.rafi...@utoronto.ca] 
Sent: Tuesday, December 01, 2009 10:57 AM
To: users@httpd.apache.org
Subject: RE: [us...@httpd] Passing remote client IP address to backend server 
and session stickness

On Today at 10:29am, RJ=>Ruiyuan Jiang  wrote:

RJ> Hi, Haroon
RJ> 
RJ> Thanks for the reply. Do you mean they are automatically activated for 
RJ> reverse proxy?

Yes.

RJ> 
RJ> Unfortunately it does not work for me if they are activated.
RJ> 

What does not work? The X-Forwarded-For header *is* there and that's where 
the automatic part ends. Is your application looking for it? Looking for 
it in what way?

RJ> 
RJ> My backend server will be Oracle 9iAS or Oracle 10gAS.
RJ> 

Seems like you are on the java platform. How about deploying a test 
servlet? or a jsp as follows:

<%= request.getHeader("X-Forwarded-For") %>

On an aside, mod_remoteip does all of the address figuring out in apache 
land. AFAIK, it is only bundled with apache 2.3. I see that you are asking 
on another thread about how to include mod_remoteip in apache 2.2 land.

Again, I can only tell you about my experiences. I use apache 2.2.x with 
mod_proxy in a reverse-proxy configuration. For my java app, I use 
xebia-france XForwardedFilter (which is a java port of mod_remoteip).

RJ> 
RJ> Ryan
RJ> 

Cheers,
--
Haroon Rafique






RE: [us...@httpd] Passing remote client IP address to backend server and session stickness

2009-12-01 Thread Ruiyuan Jiang
Hi, Haroon

I read http://en.wikipedia.org/wiki/X-Forwarded-For yesterday and I did not see 
Apache listed there. I saw squid, bluecoat, etc. listed there so I was thinking 
to test squid with the feature. What is your suggestion? Thanks.

Ryan

-Original Message-
From: Haroon Rafique [mailto:haroon.rafi...@utoronto.ca] 
Sent: Tuesday, December 01, 2009 10:23 AM
To: users@httpd.apache.org
Subject: RE: [us...@httpd] Passing remote client IP address to backend server 
and session stickness

On Today at 10:09am, RJ=>Ruiyuan Jiang  wrote:

RJ> Hi, Haroon
RJ> 
RJ> I see that also but I don't know how to use them. I put the statement 
RJ> into my vhost of the Apache reverse proxy and Apache complains that they 
RJ> are wrong statements, etc.
RJ> 

Hi Ryan,

X-Forwarded-For is not a statement that goes inside the httpd.conf. The 
documentation page is just telling you that these headers are already 
available to you, if you are using reverse-proxy.

RJ> 
RJ> 
RJ> 
RJ> ...
RJ> Proxyrequst off
RJ> .
RJ> X-Forwarded-For
RJ> 
RJ> 
RJ> 

So, don't put the X-Forwarded-For statement there.

RJ> 
RJ> Is the above the correct way to use it? I do not much care about the 
RJ> remote IP being logged in the Apache log, but I do care about the 
RJ> remote client IP being forwarded to the backend server, since our 
RJ> backend server will decide what to do based on the remote client IP. 
RJ> Thanks.
RJ> 

For the backend server to be able to "see" the remote client IP, as if it 
was the real client IP, your application will have to be aware of the 
X-Forwarded-For. Depending on what technology you are using on the 
backend, the answer may be different about how to make your backend be 
aware of X-Forwarded-For header. Regardless of the technology, you 
probably should read up on the XFF entry at wikipedia:
http://en.wikipedia.org/wiki/X-Forwarded-For
And again, regardless of the tech, the HTTP request will contain the 
X-Forwarded-For header. On my java projects, I use xebia-france 
XForwardedFilter at:
http://code.google.com/p/xebia-france/wiki/XForwardedFilter

YMMV,

RJ> 
RJ> Ryan
RJ> 

Cheers,
--
Haroon Rafique






RE: [us...@httpd] Passing remote client IP address to backend server and session stickness

2009-12-01 Thread Ruiyuan Jiang
Hi, Haroon

Thanks for the reply. Do you mean they are automatically activated for reverse 
proxy? Unfortunately it does not work for me if they are activated. My backend 
server will be Oracle 9iAS or Oracle 10gAS.

Ryan

-Original Message-
From: Haroon Rafique [mailto:haroon.rafi...@utoronto.ca] 
Sent: Tuesday, December 01, 2009 10:23 AM
To: users@httpd.apache.org
Subject: RE: [us...@httpd] Passing remote client IP address to backend server 
and session stickness

On Today at 10:09am, RJ=>Ruiyuan Jiang  wrote:

RJ> Hi, Haroon
RJ> 
RJ> I see that also but I don't know how to use them. I put the statement 
RJ> into my vhost of the Apache reverse proxy and Apache complains that they 
RJ> are wrong statements, etc.
RJ> 

Hi Ryan,

X-Forwarded-For is not a statement that goes inside the httpd.conf. The 
documentation page is just telling you that these headers are already 
available to you, if you are using reverse-proxy.

RJ> 
RJ> 
RJ> 
RJ> ...
RJ> Proxyrequst off
RJ> .
RJ> X-Forwarded-For
RJ> 
RJ> 
RJ> 

So, don't put the X-Forwarded-For statement there.

RJ> 
RJ> Is the above the correct way to use it? I do not much care about the 
RJ> remote IP being logged in the Apache log, but I do care about the 
RJ> remote client IP being forwarded to the backend server, since our 
RJ> backend server will decide what to do based on the remote client IP. 
RJ> Thanks.
RJ> 

For the backend server to be able to "see" the remote client IP, as if it 
was the real client IP, your application will have to be aware of the 
X-Forwarded-For. Depending on what technology you are using on the 
backend, the answer may be different about how to make your backend be 
aware of X-Forwarded-For header. Regardless of the technology, you 
probably should read up on the XFF entry at wikipedia:
http://en.wikipedia.org/wiki/X-Forwarded-For
And again, regardless of the tech, the HTTP request will contain the 
X-Forwarded-For header. On my java projects, I use xebia-france 
XForwardedFilter at:
http://code.google.com/p/xebia-france/wiki/XForwardedFilter

YMMV,

RJ> 
RJ> Ryan
RJ> 

Cheers,
--
Haroon Rafique






RE: [us...@httpd] Passing remote client IP address to backend server and session stickness

2009-12-01 Thread Ruiyuan Jiang
Hi, William

For your answer to my question 1, currently I use a BlueCoat reverse proxy which is 
passing the internet remote client IP to the backend server. We'd like to migrate 
the reverse proxy server to an Apache server. The rest of the network setup has not been 
changed. 

For your answer to my question 2, it is my fault that I did not post all the 
related statements. Here they are:


   BalancerMember https://backend1:443 keepalive=on
   BalancerMember https://backend2:443 keepalive=on
 
 ProxyPass   /   balancer://backend/
 ProxyPassReverse/   balancer://backend/ 
stickysession=JSESSIONID|jsessionid

Like I said, the Apache does not stick the https session to one particular 
server for the session.

Ryan Jiang

-Original Message-
From: William A. Rowe Jr. [mailto:wr...@rowe-clan.net] 
Sent: Monday, November 30, 2009 9:14 PM
To: users@httpd.apache.org
Subject: Re: [us...@httpd] Passing remote client IP address to backend server 
and session stickness

I realize I just answered you, but in response to your explicit and
specific questions;

Ruiyuan Jiang wrote:
> 
> Question 1: Is there a way to pass Internet users' IP address to backend 
> server through Apache reverse proxy server? I am testing that feature so far 
> no luck. My backend server gets Apache proxy server's IP address. But I'd 
> like to have Internet users' IP being passed through Apache. This is http 
> request.

Only if this information has been shared with you by the upstream proxy
or router/gateway/forward proxy.  E.g. - what mod_remoteip is designed
to decode, ---when the information is presented---.

> Question 2: I am testing another Apache reverse proxy which proxies two 
> backend https servers. I am trying to use mod_proxy_balancer.
> 
> 
>   Balancermember https://192.168.1.1:443 keepalive=on
>   Balancermember https://192.168.1.2:443 keepalive=on
> 
> 
> Proxypass /test balancer:mycluster/
> 
> When I test to access the site, I got login prompt from first server which I 
> saw from access log. I typed in login name and password. I got the login 
> prompt back but from the log I saw the connectivity was back from server 2. 
> It seems to me like round robin connection to backend server by Apache. I 
> tried with keyword "JSESSION" but no luck. Does anyone know how to configure 
> Apache so the same connection always goes through the same backend https 
> (http) server. Thanks in advance.

Are you forgetting your ProxyPassReverse statements?  As of the current
version, the syntax above (but wtf happened to your // before mycluster???)
would work just fine for a ProxyPassReverse rule.

> This message (including any attachments) is intended
> solely for the specific individual(s) or entity(ies) named
> above, and may contain legally privileged and
> confidential information. If you are not the intended 
> recipient, please notify the sender immediately by 
> replying to this message and then delete it.
> Any disclosure, copying, or distribution of this message,
> or the taking of any action based on it, by other than the
> intended recipient, is strictly prohibited.

You have emailed a public list.  Your intended individuals are the world.
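
The round-robin symptom in question 2, as an added example (not from the thread and not httpd's code). In mod_proxy, stickysession is a ProxyPass/ProxySet parameter, and the balancer only pins a session when the session id carries a route suffix after a dot that matches a BalancerMember's route= value. This is a simplified Python model of that selection; the class name and the route names node1/node2 are constructed for illustration, and even byrequests balancing is modelled as plain alternation.

```python
from http.cookies import SimpleCookie
from itertools import cycle


class StickyBalancer:
    """Toy model of route-based stickiness (an illustration, not httpd source)."""

    def __init__(self, members, cookie_name="JSESSIONID", path_name="jsessionid"):
        # members: list of (backend_url, route) pairs. route may be None,
        # as with the thread's BalancerMember lines, which set no route=.
        self.by_route = {route: url for url, route in members if route}
        self._fallback = cycle([url for url, _ in members])
        self.cookie_name = cookie_name
        self.path_name = path_name

    def session_id(self, cookie_header, path):
        """Find the session id in the Cookie header, else in ';jsessionid=' in the path."""
        if cookie_header:
            jar = SimpleCookie()
            jar.load(cookie_header)
            if self.cookie_name in jar:
                return jar[self.cookie_name].value
        marker = ";" + self.path_name + "="
        if marker in path:
            rest = path.split(marker, 1)[1]
            return rest.split("?", 1)[0].split(";", 1)[0]
        return None

    def pick(self, cookie_header=None, path="/"):
        """Return the backend for one request."""
        sid = self.session_id(cookie_header, path)
        # The route is whatever follows the dot in the session id.
        route = sid.split(".", 1)[1] if sid and "." in sid else None
        if route in self.by_route:
            return self.by_route[route]      # sticky: same backend every time
        return next(self._fallback)          # no usable route: plain alternation


def backends_for(balancer, cookie_header, n=4):
    """Send n requests carrying the same cookie and list the chosen backends."""
    return [balancer.pick(cookie_header) for _ in range(n)]


if __name__ == "__main__":
    b1, b2 = "https://backend1:443", "https://backend2:443"
    # As posted in the thread: no route= on the members, no suffix on the id.
    print(backends_for(StickyBalancer([(b1, None), (b2, None)]), "JSESSIONID=ABC123"))
    # With routes on the members and a backend that appends its route to the id.
    print(backends_for(StickyBalancer([(b1, "node1"), (b2, "node2")]),
                       "JSESSIONID=ABC123.node2"))
```

A session cookie without a matching route suffix alternates between the two backends, which is the login prompt coming back from the second server.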




RE: [us...@httpd] Adding module to Apache-httpd

2009-12-01 Thread Ruiyuan Jiang
Hi, William

Can you give me more details:

There is the %{Header-Name}i syntax of the custom log, so you could easily
verify which header is actually in use.  X-Forwarded-For is the usual 'public' 
method,

I will use Apache as reverse proxy not forward proxy. So the IPs are from 
Internet user not internal private IP users. The remote internal IP is not 
suitable for me in my case. Thanks.

Ryan

-Original Message-
From: William A. Rowe Jr. [mailto:wr...@rowe-clan.net] 
Sent: Monday, November 30, 2009 8:39 PM
To: users@httpd.apache.org
Subject: Re: [us...@httpd] Adding module to Apache-httpd

Ruiyuan Jiang wrote:
> I compiled remoteip module and loaded it without problem.
> In one of my virtualhost of Apache reverse proxy, I added and tested:
> 
> RemoteIPHeader X-Client-IP
> Or
> RemoteIPHeader X-Forwarded-For
> 
> Or both
> 
> I don't see the remote client IP being forwarded to the backend server 
> from Apache as it is supposed to be. Does anyone know why or what I did wrong? 
> Thanks.

There is the %{Header-Name}i syntax of the custom log, so you could easily
verify which header is actually in use.  X-Forwarded-For is the usual 'public'
method, but nobody promises you'll have such information assigned.  The other
example would entirely depend on your load balancer/router which picks up the
requests and has redispatched them.  Usually such devices will *not* share any
info over the web, but replace that particular header unilaterally.

Also note the module will only set the IP address as 'authentic' when the remote
machine is trusted, see

http://httpd.apache.org/docs/trunk/mod/mod_remoteip.html#remoteipinternalproxy

and the commentary at the top of that page.

[I'm thinking about a RemoteIPTrustedHeader directive that wouldn't deal with
that scrutiny, but I'm a bit hesitant.  You know your own IP's of your own
infrastructure to trust such proxies, right?]
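
The trust rule William describes, as an added example (not from the thread and not mod_remoteip's code): a backend that makes decisions on the client IP should accept X-Forwarded-For only from its own proxies and read the list from right to left, stopping at the first address it does not trust. The function names are hypothetical and all addresses are constructed from documentation ranges, with 192.0.2.0/24 standing in for the reverse proxy network.

```python
import ipaddress


def naive_leftmost(xff_header):
    """What a backend gets if it simply believes the first XFF entry."""
    return xff_header.split(",")[0].strip()


def resolve_client_ip(peer_ip, xff_header, trusted_proxies):
    """Return the address the backend should treat as the client.

    peer_ip         -- address of the TCP peer that connected to the backend
    xff_header      -- raw X-Forwarded-For value, or None if absent
    trusted_proxies -- networks of the operator's own proxies (CIDR strings)
    """
    trusted = [ipaddress.ip_network(net) for net in trusted_proxies]

    def is_trusted(addr):
        return any(addr in net for net in trusted)

    client = ipaddress.ip_address(peer_ip)
    if not is_trusted(client):
        # The request did not come through our proxy: ignore the header.
        return str(client)

    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    # Each proxy appends the peer it saw, so the rightmost entries are the
    # ones our own infrastructure wrote. Walk back until trust runs out.
    for hop in reversed(hops):
        try:
            candidate = ipaddress.ip_address(hop)
        except ValueError:
            break                      # unparsable entry: keep the last good address
        client = candidate
        if not is_trusted(candidate):
            break                      # first untrusted hop is the client
    return str(client)


if __name__ == "__main__":
    trusted = ["192.0.2.0/24"]         # constructed: the reverse proxy network
    # The client sent its own "X-Forwarded-For: 10.1.2.3"; the proxy appended
    # the address it actually saw (203.0.113.7) before forwarding.
    header = "10.1.2.3, 203.0.113.7"
    print("naive leftmost :", naive_leftmost(header))
    print("trusted walk   :", resolve_client_ip("192.0.2.10", header, trusted))
    # Request that reached the backend directly, bypassing the proxy.
    print("direct request :", resolve_client_ip("198.51.100.9", "127.0.0.1", trusted))
```

The leftmost entry is whatever the client chose to send, so only the right-to-left walk is safe to feed into access decisions or logs.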




RE: [us...@httpd] Passing remote client IP address to backend server and session stickness

2009-12-01 Thread Ruiyuan Jiang
Hi, Haroon

I see that also, but I don't know how to use them. I put the statement into my 
vhost of the Apache reverse proxy and Apache complains that they are wrong 
statements, etc.




...
Proxyrequst off
.
X-Forwarded-For



Is the above the correct way to use it? I don't care much about the remote IP 
being logged in the Apache log, but I do care about the remote client IP being 
forwarded to the backend server, since our backend server will decide what to do 
based on the remote client IP. Thanks.

Ryan


-Original Message-
From: Haroon Rafique [mailto:haroon.rafi...@utoronto.ca] 
Sent: Monday, November 30, 2009 7:54 PM
To: users@httpd.apache.org
Subject: Re: [us...@httpd] Passing remote client IP address to backend server 
and session stickness

On Today at 4:37pm, RJ=>Ruiyuan Jiang  wrote:

RJ> Hi, all
RJ> 
RJ> Question 1: Is there a way to pass Internet users' IP addresses to the 
RJ> backend server through an Apache reverse proxy server? I am testing that 
RJ> feature, but so far no luck. My backend server gets the Apache proxy 
RJ> server's IP address, but I'd like to have the Internet users' IPs passed 
RJ> through Apache. This is an http request.
RJ> 

Hi Ruiyuan,

See:
http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#x-headers
you are interested in the X-Forwarded-For header.
Once you get it to your backend server, then you will need to figure out 
how to get the information from that header into your logs (or wherever 
else). You may need to take extra care as multiple proxies can be in the 
path, so only trust this information if coming straight from your own 
reverse proxy.

RJ> 
RJ> [..snip..]
RJ> 

Later,
--
Haroon Rafique
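
Added example, not part of the original posts: a sketch of the backend-side check that the reply above and the mod_remoteip reply both point at, where X-Forwarded-For is accepted only when the connection comes from your own reverse proxy and the header is walked from the right. The names client_ip, is_trusted and TRUSTED_PROXIES, and the 10.0.0.0/24 proxy range, are assumptions made for this example.

```python
import ipaddress

# Assumption for this example: our own reverse proxies live in this range.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def is_trusted(addr, trusted=TRUSTED_PROXIES):
    """True when addr (an ip_address object) is one of our own proxies."""
    return any(addr in net for net in trusted)


def client_ip(peer, xff_header, trusted=TRUSTED_PROXIES):
    """Return the address the backend should treat as the real client.

    peer       -- source address of the TCP connection (cannot be forged
                  by a header)
    xff_header -- raw X-Forwarded-For value, or None when absent
    """
    current = ipaddress.ip_address(peer)
    # A peer that is not our proxy could have sent any header it likes.
    if not is_trusted(current, trusted) or not xff_header:
        return str(current)
    # Each proxy appends the address it saw, so walk from the right and
    # stop at the first hop that is not one of ours.
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            candidate = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last address we could verify
        current = candidate
        if not is_trusted(current, trusted):
            break
    return str(current)
```

Entries to the left of the first untrusted hop are whatever the client chose to send, which is why the walk stops there instead of taking the leftmost value.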






[us...@httpd] Passing remote client IP address to backend server and session stickness

2009-11-30 Thread Ruiyuan Jiang
Hi, all

Question 1: Is there a way to pass Internet users' IP addresses to the backend 
server through an Apache reverse proxy server? I am testing that feature, but so 
far no luck. My backend server gets the Apache proxy server's IP address, but 
I'd like to have the Internet users' IPs passed through Apache. This is an http 
request.

Question 2: I am testing another Apache reverse proxy which proxies two backend 
https servers. I am trying to use mod_proxy_balancer.


Balancermember https://192.168.1.1:443 keepalive=on
Balancermember https://192.168.1.2:443 keepalive=on


Proxypass /test balancer:mycluster/

When I tested access to the site, I got a login prompt from the first server, 
which I saw from the access log. I typed in the login name and password. I got 
the login prompt back, but from the log I saw the connection was back from 
server 2. It seems to me like a round-robin connection to the backend servers by 
Apache. I tried with the keyword "JSESSION" but no luck. Does anyone know how to 
configure Apache so the same connection always goes through the same backend 
https (http) server? Thanks in advance.

Ryan Jiang






RE: [us...@httpd] Adding module to Apache-httpd

2009-11-25 Thread Ruiyuan Jiang
I compiled remoteip module and loaded it without problem.
In one of my virtualhost of Apache reverse proxy, I added and tested:

RemoteIPHeader X-Client-IP
Or
RemoteIPHeader X-Forwarded-For

Or both

I don't see the remote client IP being forwarded to the backend server from 
Apache as it is supposed to be. Does anyone know why or what I did wrong? Thanks.

Ryan

-Original Message-
From: nicholas@sun.com [mailto:nicholas@sun.com] On Behalf Of Nick Kew
Sent: Friday, November 20, 2009 5:48 PM
To: users@httpd.apache.org
Subject: Re: [us...@httpd] Adding module to Apache-httpd

Ruiyuan Jiang wrote:
> Hi, 
> 
> I need the module "mod_remoteip" which is not included in the standard 
> httpd-2.2.14 distribution.

http://httpd.apache.org/docs/2.2/programs/apxs.html

-- 
Nick Kew




[us...@httpd] Adding module to Apache-httpd

2009-11-20 Thread Ruiyuan Jiang
Hi, 

I need the module "mod_remoteip" which is not included in the standard 
httpd-2.2.14 distribution. I downloaded the source code from 
people.apache.org/~wrowe/mod_remoteip.c. There are no instructions with the 
source code on how to compile the module. On Apache's web site, the 
documentation shows that after httpd v1.3, to add an additional module, you 
simply add a line to the 'configure' file in the source directory and then 
compile:

AddModule modules/extra/mod_remoteip.c

and I copied the file to that location. The compilation went through with no 
problem, as I included some other modules such as ssl, proxy, etc., but I don't 
think Apache compiled the module for me. Does anyone know how to add a module to 
the Apache httpd compilation, or maybe simply compile the module and then load 
the module into httpd? Thanks in advance.

Ryan Jiang


