Re: [EMAIL PROTECTED] Performance on mod_proxy?

2007-01-22 Thread Sander Temme


On Jan 22, 2007, at 10:00 AM, Octavian Rasnita wrote:


Hi,

Of course the back end server is working. It was working without a
proxy, and I haven't changed anything on it. I've just put it to
run on another port, and without a named virtual host, but an
IP-based one on localhost:83.


I've made a telnet connection to it on port 83, and it is working  
fine. I can even see it using a browser on http://localhost:83/.


So it must be something bad with my proxy settings. I have read the  
mod_proxy details on Apache's site, but I think I still do  
something wrong, or something...


However, under Windows it doesn't work at all, and it shows that  
error that the header doesn't contain a ":".


Try connecting with a client that shows you exactly the response  
headers, like Curl or IE with IEWatch.


Have you considered the ProxyBadHeader directive?

http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxybadheader

S.



Thanks.

Octavian

From: "Lucas Brasilino" <[EMAIL PROTECTED]>


Hi,


Hi

Very strange. Looks like your backend server's response is not
starting with a HTTP status line[1], like:

HTTP/1.x 200 OK

[1]http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html

Even if proxy instance is making a bad request (due to a bug or
something, which I don't think so), the backend one should answer with:

HTTP/1.1 400 Bad Request

For instance.

Try telnetting (or use netcat) to your backend server's HTTP port and
make a simple request, like:

GET / HTTP/1.1
Host: put.your.hostname.here
Connection: close


And investigate its response.


Regards
Lucas Brasilino



Do you have any idea what these error lines in the error log mean?
(Apache 2.24 under Linux)

in the error log of the reverse proxy (mod_proxy):

[Mon Jan 22 14:11:26 2007] [error] [client 82.208.146.70] proxy: error reading status line from remote server localhost, referer: http://www.site.ro/prg

and in the error log of the backend server (using mod_perl):

[Mon Jan 22 17:35:22 2007] [error] [client 127.0.0.1] request failed: error reading the headers

Under Apache 2.23 on Windows an error message appears in the browser
telling that the header doesn't contain a ":" character, and it shows
the line:

GET / HTTP/1.1

Do you have any idea how I could make mod_proxy work without showing
these errors?
(Can you share a sample httpd.conf mod_proxy configuration that works?)


Or maybe those errors are not important and they can be ignored?

Thank you.

Octavian

----- Original Message -----
From: "Lucas Brasilino" <[EMAIL PROTECTED]>
To:
Sent: Monday, January 22, 2007 4:35 PM
Subject: Re: [EMAIL PROTECTED] Performance on mod_proxy?



Hi,


Hi:



  I am not sure how good Apache mod_proxy on its
Load-Balance and Failover, in regarding its
Performance, Capacity Limit, Security, etc?  Can
someone help me?

Thx, Q.Xie


As 2.2 mod_proxy is production stable, it's surely
reliable.
I'm testing and it's almost OK. The unique gotcha
is that it looks like it does not set a 'HTTP response
timeout' from backend server. I'm looking around
the source code.

regards
Lucas Brasilino


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server
Project.
See http://httpd.apache.org/userslist.html for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
  "   from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




 





--
[EMAIL PROTECTED]http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF
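
An added example, not part of the original thread and not httpd's own code: a small Python model of the check behind the "error reading status line" and "header doesn't contain a ':'" errors discussed above, including the three ProxyBadHeader policies (IsError, Ignore, StartBody) from the linked documentation. The function name and the sample responses are constructed for illustration, and StartBody is simplified to "the bad line and everything after it becomes the body".

```python
import re

# Status-Line shape from RFC 2616: HTTP-Version SP 3DIGIT SP Reason-Phrase
STATUS_LINE = re.compile(rb"^HTTP/\d\.\d \d{3}(?: .*)?$")
POLICIES = ("IsError", "Ignore", "StartBody")  # ProxyBadHeader values


def read_backend_response(raw, bad_header="IsError"):
    """Model of a reverse proxy reading a backend response.

    Returns a dict with the status the client would see, the headers
    that were accepted, the body, and a list of problems found.
    """
    if bad_header not in POLICIES:
        raise ValueError("unknown policy: %r" % (bad_header,))
    head, sep, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    problems = []

    def bad_gateway():
        return {"status": 502, "headers": [], "body": b"", "problems": problems}

    # The first line must be a status line, otherwise nothing else can
    # be trusted ("error reading status line from remote server").
    if not STATUS_LINE.match(lines[0]):
        problems.append("no status line, got %r" % (lines[0][:40],))
        return bad_gateway()
    status = int(lines[0].split()[1].decode("ascii"))

    headers = []
    for i, line in enumerate(lines[1:], start=1):
        # Folded continuation line: belongs to the previous header.
        if line[:1] in (b" ", b"\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip().decode("latin-1"))
            continue
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            problems.append("header line %d has no ':': %r" % (i, line[:40]))
            if bad_header == "IsError":
                return bad_gateway()          # client sees 502 Bad Gateway
            if bad_header == "Ignore":
                continue                      # pretend the line was never sent
            # StartBody: stop parsing headers, hand the rest over as body
            body = b"\r\n".join(lines[i:]) + sep + body
            break
        headers.append((name.strip().decode("latin-1"),
                        value.strip().decode("latin-1")))
    return {"status": status, "headers": headers, "body": body,
            "problems": problems}


# Constructed sample responses (not captured from the poster's servers).
GOOD = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
        b"Content-Length: 5\r\n\r\nhello")
NO_STATUS = b"Content-Type: text/html\r\n\r\nhello"
ECHOED_REQUEST = (b"HTTP/1.1 200 OK\r\nGET / HTTP/1.1\r\n"
                  b"Content-Type: text/plain\r\n\r\nhello")

if __name__ == "__main__":
    for label, raw in (("good", GOOD), ("no status", NO_STATUS),
                       ("echoed request", ECHOED_REQUEST)):
        for policy in POLICIES:
            result = read_backend_response(raw, policy)
            print(label, policy, result["status"], result["problems"])
```

Feeding it the bytes captured from a telnet or netcat session against the backend shows which line the proxy would reject before any ProxyBadHeader setting is changed.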






Re: [EMAIL PROTECTED] is it possible ? (ssl-tunneling)

2007-01-22 Thread Sander Temme


On Jan 22, 2007, at 2:57 PM, [EMAIL PROTECTED] wrote:

is it possible to have the connection between the client and the
reverse proxy encrypted with ssl and authorization basic ? smth like
ssh-tunneling ?

example :

  client < SSL  >  Apache  <-> origin server
                   reversed
                   proxy


Absolutely. Set the Apache up to handle SSL, and protect the proxied  
location(s) with whatever authentication scheme you like. Then set up  
the reverse proxy in the usual way.


S.

--
[EMAIL PROTECTED]http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF






Re: [EMAIL PROTECTED] Apache + Tomcat = no session management

2007-01-23 Thread Sander Temme


On Jan 23, 2007, at 6:51 AM, Wm.A.Stafford wrote:


Since the application works normally on Tomcat only, it seems pretty
certain that Apache needs to be configured to handle Tomcat session
management either by cookies or url rewriting or both.


You're probably losing the session cookie somehow, possibly through a  
path or hostname mismatch.



Can someone describe what is going on and what needs to be done?


May I ask how Apache and Tomcat interact? HTTP proxy, AJP proxy or  
olde mod_jk?


S.

--
[EMAIL PROTECTED]http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF






Re: [EMAIL PROTECTED] Multiple worker pools?

2007-01-23 Thread Sander Temme


On Jan 23, 2007, at 8:57 AM, Greg Cox wrote:

I've got a cluster of 3 machines running Apache 2.0.52 (hello,  
stuck-on-RHEL4!) as a front-end to 2 Weblogic apps.  One app (A)  
runs fine all the time; one app (B) will hold open weblogic  
connections to an outside vendor when said vendor explodes.  When B  
blocks, it starts sucking up spare worker threads on apache (since  
it's proxying to weblogic) until there aren't any left, and both A  
and B become unreachable from the web for even calls to server-status.


We can't really speak to the WebLogic plugin, but don't they have a  
timeout tunable that you could use to reap hung connections?  
Alternatively, what happens when you play with the timeout value on  
the front-end?


Are you using the WebLogic plugin? If you are using our own  
mod_proxy, it does have ways to time out the backend.


A and B have separate names and are IP-differentiated (not
name-based) VirtualHosts.  Is there a way to make one Apache daemon
handle separate thread pools for the separate virtualhosts and
their proxies?  I'd rather not set up separate daemons, since the
people who would administer it could easily get confused over the
maintenance upgrades down the line, but I'm coming up blank.


You can easily set up two instances of httpd running from the same  
code.  Just set up two server root directories and start both with  
the -d flag from your init.d scripts.  As you are binding to separate  
IP addresses, you should have no problems there.


S.

--
[EMAIL PROTECTED]http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF






Re: [EMAIL PROTECTED] Apache + Tomcat = no session management

2007-01-23 Thread Sander Temme


On Jan 23, 2007, at 1:30 PM, Wm.A.Stafford wrote:

   Thanks for replying to my query.  I don't really know anything
about Apache.  How would I go about determining how Apache and
Tomcat interact?  I have the httpd.conf file for the Apache in
question, can I tell from that?
   I have looked through the file and I do not see mod_jk being
loaded so I think we can rule out that.


   I see the lines below in httpd.conf, does this mean communication
is via HTTPProxy? (our app is OBISDEV)

   ProxyPass /OBISBETA http://localhost:8082/OBISDEV
   ProxyPassReverse /OBISBETA localhost:8082/OBISDEV


Yes, that looks promising. So, when you connect to your application,  
you type in the browser something like:


http://yourhostname/OBISBETA/somewebapppath

Any request that starts with /OBISBETA will be forwarded to the
latter URL, with whatever came after /OBISBETA (/somewebapppath in
this case) tacked on.


If the web app decides to write a cookie to the browser, it may
choose to include a path.  Tomcat thinks it's running at /OBISDEV,
which is different from the path seen by the browser.


When the browser sends the next request, it'll send any cookie along
that it has cached for the hostname and path under consideration.
Since the browser connects to a different path (/OBISBETA instead of
/OBISDEV), your cookie won't get sent, which your Tomcat will see as
an opportunity to create a brand new session all over again.  If you
open your browser's cookie cache, you should find the orphaned cookie
that you received but didn't send back.


Which version of Apache are you using? As of Apache 2.2, we have a
configuration directive 'ProxyPassReverseCookiePath' that can rewrite
such a Cookie path on the proxy. If you are running Apache 2.2.x,
have a look at


http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxypassreversecookiepath


(hint: put ProxyPassReverseCookiePath /OBISDEV /OBISBETA next to the  
ProxyPassReverse directive and restart your Apache)


   I'm sorry to be so clueless but I have absolutely no experience  
with Apache.


That's OK, we're here to help.  If you need any more info, perhaps  
you can paste us the contents of such an orphaned cookie... don't  
worry about the contents (a session ID is just random data as far as  
we are concerned), but the cookie name (probably JSESSIONID), domain  
and path would be good info.  If you can't find it, clear your  
browser cache (on your test machine, don't want you to lose all your  
saved logins), access your app and then look what the cat dragged in.


S.

--
[EMAIL PROTECTED]http://www.temme.net/sander/
Open Source Software Consultant
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF







Re: [EMAIL PROTECTED] Turning Off Access Log

2007-01-24 Thread Sander Temme


On Jan 24, 2007, at 10:38 AM, Arthur Kreitman wrote:


I don’t see an option to stop logging http requests.  Is there one?


Just omit, remove or comment out any TransferLog or CustomLog  
directives from your Apache configuration file.  If I recall  
correctly, ErrorLog is required for the server to start, but you can  
set the LogLevel to something conservative like 'emerg'.


S.

--
[EMAIL PROTECTED]http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF






Re: [EMAIL PROTECTED] Apache + Tomcat = no session management

2007-01-24 Thread Sander Temme


On Jan 24, 2007, at 11:00 AM, Wm.A.Stafford wrote:

   A bit more info has emerged, the admin believes  the Apache  
version is  1.3.20.


Running httpd -v will take away any shred of doubt.

   I'll see if there is any interest in moving to the latest  
Apache but at this point I think that is probably not an option  
because there are a lot of other users of this system and they  
would all have to buy in.  So I will need to proceed with  
configuration of the existing version.


Apache has made great strides since 1.3.20.  For starters, any 1.3  
version after that contains security fixes that you might want.  As  
no other changes are made to that branch, an upgrade should not cause  
you any problems.


The proxy module that came with Apache 1.3 did not have the
ProxyPassReverseCookiePath directive that I talked about earlier. See


http://httpd.apache.org/docs/1.3/mod/mod_proxy.html

for documentation on the 1.3 mod_proxy module.

Before we make any more guesses about the nature of your problem, I
would like to learn from you whether the Cookie path mismatch is
actually causing your issue.  Could you run the following test on
your application:


1) Clear your browser cache and cookie store
2) Connect to your application through the Apache proxy and log in
3) Go back to your cookie store, see if anything emerged and send us the
   contents of any JSESSIONID cookies. Feel free to obfuscate as you see
   fit, as long as we have enough information to work with (domain and
   path are of paramount interest, as well as the complete URL you used
   to access your application in step 2).

Thanks,

S.

--
[EMAIL PROTECTED]http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF






Re: [EMAIL PROTECTED] Apache + Tomcat = no session management

2007-01-25 Thread Sander Temme


On Jan 25, 2007, at 1:20 PM, Wm.A.Stafford wrote:


Sander,

Here is a cookie copied from Firefox cookie viewer when
the Apache+Tomcat machine was accessed from another machine.

Name: JSESSIONID
Content: 10FA6EB4F5B24CBA716A7F5DAD1F4B3F
Host: iobis.marine.rutgers.edu
Path: /OBISDEV



Send For: Any type of connection
Expires: at end of session

The URL to access the Apache+Tomcat application is:
http://iobis.marine.rutgers.edu/OBISBETA/OBIS.jsp

 ^


Just a reminder of the mapping from httpd.conf
ProxyPass /OBISBETA http://localhost:8082/OBISDEV
ProxyPassReverse /OBISBETA localhost:8082/OBISDEV

   ^   

As you can see, the Path: in the cookie does not match the URL path,  
so the session cookie will not get sent back to the server.


Since the mod_proxy of Apache 1.3 doesn't support rewriting Cookie  
paths, your only option is to change the ProxyPass local path to  
match the back-end (and connect to that), or have Tomcat match its  
mount path to what the front-end thinks it is.


That's really all I can think of right now.

S.




Thanks,
-=bill


--
[EMAIL PROTECTED]http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF
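
An added example, not part of the original messages and not httpd or Tomcat code: a Python simulation of the cookie path mismatch explained in the 2007-01-23 reply and confirmed by the cookie dump in the message above, using the /OBISBETA to /OBISDEV mapping from the poster's ProxyPass line. The path-match rule follows RFC 6265 section 5.1.4; the class and function names, the session IDs and the prefix-replacing rewrite (a stand-in for what ProxyPassReverseCookiePath does on Apache 2.2) are assumptions for illustration.

```python
PUBLIC_PREFIX = "/OBISBETA"    # path the browser sees (ProxyPass local path)
BACKEND_PREFIX = "/OBISDEV"    # path the backend believes it is mounted at


def path_match(request_path, cookie_path):
    """Cookie path-match as defined in RFC 6265 section 5.1.4."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        # Prefix only counts on a path-segment boundary.
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, lowercased attributes)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, value, attrs


def rewrite_cookie_path(header, internal, public):
    """Replace a leading `internal` prefix in the Path attribute by `public`."""
    parts = [p.strip() for p in header.split(";")]
    out = [parts[0]]
    for part in parts[1:]:
        key, _, val = part.partition("=")
        if key.strip().lower() == "path" and val.strip().startswith(internal):
            part = "Path=" + public + val.strip()[len(internal):]
        out.append(part)
    return "; ".join(out)


class Browser:
    def __init__(self):
        self.jar = {}                       # name -> (value, path)

    def receive(self, set_cookie, request_path):
        name, value, attrs = parse_set_cookie(set_cookie)
        # Without a Path attribute the cookie defaults to the request's directory.
        default = request_path.rsplit("/", 1)[0] or "/"
        self.jar[name] = (value, attrs.get("path") or default)

    def cookies_for(self, request_path):
        return {n: v for n, (v, p) in self.jar.items()
                if path_match(request_path, p)}


class Backend:
    """Stands in for the servlet container: no JSESSIONID means a new session."""
    def __init__(self):
        self.sessions_created = 0

    def handle(self, cookies):
        if "JSESSIONID" in cookies:
            return None
        self.sessions_created += 1
        return "JSESSIONID=CONSTRUCTED%04d; Path=%s" % (
            self.sessions_created, BACKEND_PREFIX)


def simulate(request_paths, rewrite_paths):
    """Run browser requests through the proxy; return sessions created."""
    browser, backend = Browser(), Backend()
    for path in request_paths:
        set_cookie = backend.handle(browser.cookies_for(path))
        if set_cookie and rewrite_paths:
            set_cookie = rewrite_cookie_path(set_cookie, BACKEND_PREFIX,
                                             PUBLIC_PREFIX)
        if set_cookie:
            browser.receive(set_cookie, path)
    return backend.sessions_created


if __name__ == "__main__":
    clicks = ["/OBISBETA/OBIS.jsp"] * 3
    print("sessions without rewrite:", simulate(clicks, False))
    print("sessions with rewrite:   ", simulate(clicks, True))
```

Three requests create three sessions when the cookie keeps Path=/OBISDEV and one session once the path is rewritten to /OBISBETA, which is the orphaned-cookie symptom described in the thread.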






Re: [EMAIL PROTECTED] Re: piping logs in apache2.2 on windows 2003/XP

2007-01-25 Thread Sander Temme


On Jan 25, 2007, at 3:30 PM, Alex Castro wrote:

Perhaps a better test for you would be to pipe your access log to rotate
log and keep a continuous load on your site for the next 10 minutes, you
should see two logs created.


Yes the log file doesn't get turned over if there is no traffic.

S.

--
[EMAIL PROTECTED]http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF






Re: [EMAIL PROTECTED] Apache on Sun 10

2007-01-25 Thread Sander Temme


On Jan 25, 2007, at 5:49 PM, Stefan Cobb wrote:


hey, newb here.  Can Apache give me internet access on a sun 10 Os?


Absolutely. You can build it from source, or get a binary package at:

http://www.sunfreeware.com/programlistsparc10.html#apache22

For x86:
http://www.sunfreeware.com/programlistintel10.html#apache22

S.

--
[EMAIL PROTECTED]http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF






Re: [EMAIL PROTECTED] Apache 2.0.58 + Solaris 5.9: status "...reading..." & TCP state "FIN_WAIT_2"

2007-01-26 Thread Sander Temme

Chirouze,

On Jan 26, 2007, at 8:41 AM, Chirouze Olivier wrote:


Thanks for your prompt reply. We will definitively upgrade soon, just
"to be up to date"... But because nothing is said about that point in
docs I'm wondering if that will make any difference...


I doubt it. The Apache 2.0.x branch at this moment mainly gets  
security fixes, and not a lot else.  The difference between  
subsequent versions tends to be fairly small, and we tend to tell you  
what the fixes are.


You tell us that you are seeing an unusually high number of children  
sitting in 'R' stage, which means they are attempting to read a full  
request.  Reading requests *should* not take very long (this also  
depends on the kind of requests you expect to get), and it may be  
that you are under attack.  This may be deliberate or accidental.


Do you have something like a Firewall in front of your server that  
drops idle TCP connections?  If this happens, your Apache server will  
not notice this and keep trying to read the incoming data.


In any case, you may try to reduce the value of the Timeout directive  
in your configuration file.


The high number of FIN_WAIT_2 connections you observe may be normal,  
but it may be the result of the situation sketched above.  Once  
Apache is done with a connection, it'll close that and forget about  
it.  The Apache child will then get ready to accept a new connection,  
and the kernel takes care of closing the TCP connection.  It does  
this by sending a FIN packet to the client, who sends an ACK back.   
Then the client is supposed to send its own FIN, and while this  
happens the server will have that socket in FIN_WAIT_2 state.  After  
the client sends its FIN, the server ACKnowledges and puts the socket  
into TIME_WAIT before it can be re-used.  You can see a full diagram  
of this process in Figure 18.12 in TCP Illustrated, Volume 1 by W.  
Richard Stevens.


If you are dealing with clients that don't bother sending their FIN,  
or have something in-between that messes with the connection and its  
termination, you may be stuck with this.  You can use kernel tunables  
like the ones you mention below to reduce the overhead.


Once again, Apache has nothing to do with the TCP handshake process.   
However, you may be able to reduce the effect of these 'R'  
connections by reducing the timeout and raising the number of  
available child processes (if your log file tells you that the server  
reached MaxClients).


Regards,

Sander

Anyway, we're providing both HTTP and HTTPS. Might be interesting to try
recognize if this happens on both? I will have a look at it.

Do you think you might give me the values of the following Unix params
on your Solaris 9 installs?

tcp_fin_wait_2_flush_interval
tcp_keepalive_interval
tcp_ip_abort_interval

Thanks in advance,

Olivier

Olivier CHIROUZE
I&0 Infrastructure
Volvo Information Technology

-Original Message-
From: Richard de Vries [mailto:[EMAIL PROTECTED]
Sent: 26 January 2007 17:35
To: users@httpd.apache.org
Subject: Re: [EMAIL PROTECTED] Apache 2.0.58 + Solaris 5.9: status
"...reading..." & TCP state "FIN_WAIT_2"

Interesting problem.

I am running Apache 2.0.59 as a reverse proxy on multiple Solaris 9 and
AIX servers and have never encountered these types of issues. Perhaps
you should try upgrading to 2.0.59 on one of your development machines
and see if that makes a difference. If not, it is most likely an OS
and/or configuration issue.

What other plugins are you running? Also, is this HTTP proxying, or
HTTPS?

- Original Message 
From: Chirouze Olivier <[EMAIL PROTECTED]>
To: users@httpd.apache.org
Sent: Friday, January 26, 2007 9:56:46 AM
Subject: [EMAIL PROTECTED] Apache 2.0.58 + Solaris 5.9: status
"...reading..." & TCP state "FIN_WAIT_2"


Hi all,

I'm facing a quite tricky situation with Apache 2.0.58 running on
Solaris 5.9.

Apache is running as a reverse proxy (mod_proxy + mod_rewrite).
The maximum concurrent connections is set to 150.

Because we reached the maximum a few times and got the reverse proxy
saturated, we started monitoring the Apache status page (/status).
We noticed that many requests were in the "..reading.." state (up to
40!), and they block a lot of slots.

At first, we upgraded from 2.0.47 to 2.0.58 because it seemed there was
a security hole in the earlier, fixed in 2.0.48.
I found some explanation here:
http://www.monkeybrains.net/~rudy/example/server_busy_state.html.

The thing is, the situation is starting to appear again with 2.0.58.

We've gone down to Unix and found that most of these requests were in
"FIN_WAIT_2" TCP state, and for a while (approx. 8min!!).

We found this: http://httpd.apache.org/docs/2.0/misc/fin_wait_2.html.
What it says, in a word, is that these things can happen and are
"normal": the connection stays in "FIN_WAIT_2" state until the timeout,
if clients do not close it properly. They just say it can be a problem
on the Unix point of view because.
I don't

Re: [EMAIL PROTECTED] apache + ssl: client denied by server configuration

2007-01-26 Thread Sander Temme
Your VirtualHost has a DocumentRoot, but your main server doesn't.  
This means that when requests are not matched to your virtual host,  
the main server will use the compiled-in default.


Your problem is that your VirtualHost has port number 433: that needs  
to be 443.


S.

On Jan 26, 2007, at 9:04 AM, Sam Carleton wrote:


I am trying to get SSL up and running on my new apache server.  The
server starts up just fine and serves up regular pages on port 80, but
when I direct it towards the SSL port, Firefox give me an error:

"bv..com has sent an incorrect or unexpected message.
Error Code: -12263"

When I look at the apache error log, I get this:

client denied by server configuration: /usr/local/apache2/htdocs/

what is strange is that I am not using /usr/local/apache2/htdocs/
anywhere in the httpd.conf file. I have searched and searched the
config file for htdocs and it simply is not there.  Any thoughts?

Sam

P.S.  Here is my complete httpd.conf file:

ServerRoot /usr/local/apache2
PidFile /usr/local/apache2/logs/httpd.pid

Listen 80
ServerAdmin scarleton@.com
ServerSignature Off
User httpd
Group httpd
HostNameLookups Off
TimeOut 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15
MinSpareServers 5
MaxSpareServers 10
StartServers 5
MaxClients 150
MaxRequestsPerChild 1000
ServerTokens ProductOnly

LoadModule php5_module modules/libphp5.so

AddHandler application/x-httpd-php .php
AddHandler application/x-httpd-php .inc
AddHandler application/x-httpd-php .class
AddHandler application/x-httpd-php .module

DefaultType text/plain


  TypesConfig conf/mime.types
  AddType application/x-compress .Z
  AddType application/x-gzip .gz .tgz


DirectoryIndex index.html index.php


  Order Allow,Deny
  Deny from all



  Order Allow,Deny
  Deny from all



  Order Deny,Allow
  Deny from all
  Options None
  AllowOverride None



  Order Allow,Deny
  Allow from all


LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
CustomLog /var/log/httpd/access_log combined

LogLevel info
ErrorLog /var/log/httpd/error_log


  DocumentRoot /home/www/mainroot


Listen 443


  AddType application/x-x509-ca-cert  .crt
  AddType application/x-pkcs7-crl .crl


SSLPassPhraseDialog builtin
SSLSessionCache shm:/usr/local/apache2/logs/ssl_cache_shm
SSLSessionCacheTimeout 600
SSLMutex file:/usr/local/apache2/logs/ssl_mutex
SSLRandomSeed startup file:/dev/urandom 1024
SSLRandomSeed connect file:/dev/urandom 1024


  DocumentRoot "/home/www/subversion"
  ServerName bv..com
  SSLEngine on
  #SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
  #SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
  SSLCipherSuite HIGH:MEDIUM
  SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt
  SSLCertificateKeyFile /usr/local/apache2/conf/ssl.crt/server.key
  SSLOptions +StrictRequire
  SSLProtocol -all +TLSv1 +SSLv3
  SetEnvIf User-Agent ".*MSIE.*" \
  nokeepalive ssl-unclean-shutdown \
  downgrade-1.0 force-response-1.0







--
[EMAIL PROTECTED]http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF






Re: [EMAIL PROTECTED] Apache + Tomcat = no session management

2007-01-26 Thread Sander Temme


On Jan 26, 2007, at 10:48 AM, Wm.A.Stafford wrote:

   I forgot to ask about one more aspect of this situation.  When  
we first realized that session cookies were not coming in to the  
app we tried url rewriting and that did not resolve the problem.   
Does Apache 1.3 do something to urls that have an explicit session id?

ex. ip_and_context ;jsessionid=blah de blah de blah &params.


This is not ringing a bell for me: mod_proxy should just forward the  
request query string unaltered.


   While searching for the solution to this I saw a web page that  
said a rewrite rule was required if url rewriting is used.  Is this  
the case and, if so, could you give me an example rule or direct me  
to a source for this rule.


Perhaps someone else has any direct experience with this.

S.







--
[EMAIL PROTECTED]http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF






Re: [EMAIL PROTECTED] SSL on IP Address

2007-01-26 Thread Sander Temme


On Jan 26, 2007, at 9:42 PM, <[EMAIL PROTECTED]> wrote:


Please how do I install SSL certificate on a server that would be  
accessed by IP only? I mean something like https://10.l.10.241/.


Put the IP address instead of the hostname in the CN field of the  
certificate.


S.

--
[EMAIL PROTECTED]http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF






Re: [EMAIL PROTECTED] Internal Dummy Connection

2007-01-27 Thread Sander Temme


On Jan 27, 2007, at 10:41 AM, Nilesh Bansal wrote:


In our apache httpd access log there are many entries like
::1 - - [27/Jan/2007:13:40:03 -0500] "GET / HTTP/1.0" 200 8761 "-"
"Apache/2.2.3 (Unix) (internal dummy connection)"

I am not sure what is this internal dummy connection. We have around
1 such entries for each day. Is there any bug? We are using httpd
as a forward proxy server for load balancing using mod_rewrite.


It's a way for Apache to signal its children that it's time to die.
This is usually nothing to be worried about.  Which MPM are you using?


If you are seeing many child processes spawn and die, you may want to  
have a look at your MinSpareServers and MaxSpareServers directives,  
and your MaxRequestsPerChild.


S.

--
[EMAIL PROTECTED]http://www.temme.net/sander/
Open Source Software Consultant
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF







Re: [EMAIL PROTECTED] using Apache module

2007-01-29 Thread Sander Temme


On Jan 29, 2007, at 6:00 AM, Garnier, Jeremie wrote:


How can I use an apache module in a C application?


Why would you want to do such a thing?

Is it possible to use mod_dbd? Actually there are some undefined  
references (ap_hook_post_config, ap_hook_child_init…).


You would have to provide all of the functions from the Apache core  
that the module calls, including all of the callback hooks.


I quickly browsed through the module, and it looks to me like a  
fairly thin glue layer on top of APR's DBD. If you want DBD  
functionality in your application, you're probably better off calling  
APR directly.


Since the Apache code is released under the Apache license, you  
should find no problem re-using some of it in your own application,  
outside the context of Apache.  Note: this does not constitute legal  
advice; read the Apache License  and make sure you agree to its terms.


Why the APR/APU in srclib of httpd 2.x are old versions and not
APR/APU 1.3?

Thanks for your help…


Apache 2.0.x and 2.2.x use branches of APR: 0.9 and 1.2  
respectively.  This is done because we require that the APR API we  
use is stable.  The development trunk of Apache builds against the  
trunk of APR, and when we do the next major release we will likely  
use a new branch of APR.


S.


--
[EMAIL PROTECTED]http://www.temme.net/sander/
Open Source Software Consultant
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF







Re: [EMAIL PROTECTED] make error (embryo state user)

2007-01-29 Thread Sander Temme


On Jan 29, 2007, at 7:45 AM, herauthon wrote:


include/apr_portable.h:46:23: #if with no expression


Looks like APR_HAVE_PTHREAD_H is not set, and it's all pear-shaped
from there.  This should not happen as it is defined in
include/apr.h, which is generated from include/apr.h.in by ./configure.


To re-ask Krist's questions, which platform, which C compiler and  
what were the arguments you gave to ./configure?


Thanks,

S.

--
[EMAIL PROTECTED]http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF






Re: [EMAIL PROTECTED] make error (embryo state user)

2007-01-29 Thread Sander Temme


On Jan 29, 2007, at 10:12 AM, herauthon wrote:


- On what OS you are trying to compile.

** NetBSD 3.1 i386 on P-II MMX 333


Unfortunately, I haven't ever had the chance to try compiling Apache on
NetBSD.



- What options you gave the "configure" command.

** --enable-so


When you run ./configure, it'll first do APR. Could you re-run it and  
look for the section where it configures thread support (look for  
"Checking for Threads..." in the output). Please paste us that  
portion of the ./configure output.


Also, look for the config.log file generated by APR configure (this  
may be in srclib/apr), and search for "checking pthread.h usability".  
Could you paste us the config.log contents from that point up to  
where it says "checking for library containing shm_open"?


That will allow us to investigate what is going wrong on your system.
Now for a potential quick fix: could you try passing
--enable-threads=no to ./configure and tell us if that makes your
problem go away?


Thanks,

Sander

--
[EMAIL PROTECTED]http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF






Re: [EMAIL PROTECTED] Question about ProxyPass

2007-01-30 Thread Sander Temme


On Jan 30, 2007, at 2:33 PM, Phill Edwards wrote:


When I go to this URL now I get this error back:
Directory Listing Denied
This Virtual Directory does not allow contents to be listed


That sounds like what IIS says. Are you running IIS?

S.

--
[EMAIL PROTECTED]http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF






Re: [EMAIL PROTECTED] Question about ProxyPass

2007-01-30 Thread Sander Temme


On Jan 30, 2007, at 2:46 PM, Phill Edwards wrote:


> When I go to this URL now I get this error back:
> Directory Listing Denied
> This Virtual Directory does not allow contents to be listed

That sounds like what IIS says. Are you running IIS?


No but the server where I'm ProxyPass'ing to is (ie where I'm
redirecting to from my apache server).


Make sure its notion of a Default Document matches the content  
actually on the server. Also, make sure your proxied connections end  
up at the correct virtual server.


S.

--
[EMAIL PROTECTED]http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF






Re: [EMAIL PROTECTED] How can my code determine which MPM is being use without looking at the httpd.conf

2007-01-30 Thread Sander Temme


On Jan 30, 2007, at 4:24 PM, Khai Doan wrote:

How can my code determine which MPM is being used without looking at
the httpd.conf?  Does apache export an environment variable for
this?


You can call ap_mpm_query(). See:

http://docx.itscales.com/group___a_p_a_c_h_e___c_o_r_e___m_p_m.html#g8c45e017c7d305ba830ac517c830d1e8


Or run make dox and look in docs/dox/html/ap__mpm_8h.html

S. (you need doxygen installed to run make dox)

--
[EMAIL PROTECTED]http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF






Re: [EMAIL PROTECTED] best apache config for joomla site

2007-01-30 Thread Sander Temme


On Jan 30, 2007, at 3:43 PM, Noah wrote:


apache-2.0.0.1


That's not something we have ever released... We have 2.0.58 or (even  
better) 2.2.4.



joomla-1.0.12


As you are probably aware, Joomla! has its own support structure with
many web forums, some dedicated to security.  This mailing list is not
a Joomla! support resource.


So I want to keep the joomla directory in a path that has nothing  
to do with the site's DocumentRoot.  I am assuming this brings more  
security.


I don't see a reason why this would be the case.  Any way your Apache  
serves Joomla! pages, it'll have to execute those PHP scripts.  Some  
of the PHP scripts have to write to directories under the Joomla!  
installation hierarchy. Theoretically, these directories could be  
accessed through the web server, although the Joomla! folks by and  
large made them inaccessible to access other than what they require.


Joomla! uses these directories for ongoing tasks like caching, and  
for once-only things like installing Mambots etc.  If I recall  
correctly, the next version of Joomla! will allow you to put those  
writable directories outside the DocumentRoot and I personally think  
this is a good idea.


If you browse the Joomla! security support forum, there are post(s)  
about how much exactly needs to be writable.  Definitely don't make  
your configuration.php writable by the web server...


Which platform are you using? On Windows, the web server can write to  
its DocumentRoot unless you specifically tell it not to. On any other  
platform, it's exactly the other way around.


But what I'd like to do is take out the need for joomla to be  
nested in the http://www.site.com/main URL


I'd like joomla to appear without 'main' in the URL - like
http://www.site.com/


how would I configure my httpd.conf file to allow this behavior.


Just plonk the Joomla! files in your DocumentRoot.  No configuration  
magic necessary.  Alternatively, put them wherever you want and  
configure that directory to be your DocumentRoot.


S.

--
[EMAIL PROTECTED]http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF






Re: [EMAIL PROTECTED] Upgrade Question

2007-01-31 Thread Sander Temme


On Jan 31, 2007, at 7:49 AM, Bob Cohen wrote:


I need to upgrade two servers to 2.2.x, one is running 2.0.49


http://httpd.apache.org/docs/2.2/upgrading.html


the other 1.3.29.


http://httpd.apache.org/docs/2.0/upgrading.html

Will I be able to use the httpd.conf files from the original server  
configurations or will I have to do those from scratch?


Largely, yes.  See the above for instructions.  As someone suggests,  
start by just firing up a  test server (you have a test server, don't  
you? You can install one on your desktop if necessary) and see what  
bombs.


Also what other issues do I have to deal with to make the  
transition smooth?


Should be fairly straightforward.

S.


--
[EMAIL PROTECTED]http://www.temme.net/sander/
Open Source Software Consultant
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF







Re: [EMAIL PROTECTED] Upgrade Question

2007-01-31 Thread Sander Temme


On Jan 31, 2007, at 8:25 AM, Bob Cohen wrote:

Start just by trying it - fire up 2.2.4 with each of the configs
and see what complaints you get...


Thanks Owen.  How do I preserve the ability to retreat to the  
original set ups should it be necessary?


Save your new config in a separate file, and start httpd 2.2.4 with  
the -f  option.  You can even specify an alternative Listen  
port number in that new file so you can run the two concurrently.


S.

--
[EMAIL PROTECTED]http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF






Re: [EMAIL PROTECTED] httpd.conf for Alias and DocumentRoot usage

2007-01-31 Thread Sander Temme


On Jan 31, 2007, at 10:58 AM, Noah wrote:


Reposting since I have not received specific help for my situation.


Yes you have:

http://mail-archives.apache.org/mod_mbox/httpd-users/200701.mbox/% 
[EMAIL PROTECTED]


S.

--
[EMAIL PROTECTED]http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF






Re: [EMAIL PROTECTED] FAVICO.ICO

2007-02-04 Thread Sander Temme


On Feb 4, 2007, at 4:41 AM, Bashiro wrote:


I have this virtual hosts setup. I tested and was working fine.
Suddenly I started getting this error page cannot be displayed.
I checked the error log and found cannot find "favico.ico".
why do I need this file.
Any suggestion on how to solve this ?


The favicon or Favorites Icon is the little icon that shows up to the  
left of the URL in the location bar of the browser.  I believe  
Internet Explorer started this, but all modern browsers now try to  
retrieve this file along with the page.  If it doesn't exist, you'll  
get a generic browser-defined icon in the location bar, and a line in  
the error log on your server.


There is a favicon.ico in your Apache installation, under
manual/images. Copy that to the DocumentRoot of your virtual host. It
has a little Apache feather logo; if you want to serve a favicon that
corresponds to your site content, design your own. Google for the
exact format.


A missing favicon.ico does not cause errors displaying the page. If  
that were the case, half the websites on the planet wouldn't work.   
Find out what exactly the error is: turn off 'Friendly Error  
Messages' in IE or use a real browser that'll tell you what goes wrong.


S.

--
[EMAIL PROTECTED]http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF






Re: [EMAIL PROTECTED] Upgrading from 2.0.49 to 2.0.59

2007-02-04 Thread Sander Temme


On Feb 4, 2007, at 8:33 PM, [EMAIL PROTECTED] wrote:


Hi all,

I'm planning to upgrade from 2.0.49 to 2.0.59 for securities.
Apache is configured SSL with openssl-0.9.7d.
What I want to know is that openssl-0.9.7d is compatible with 2.0.59.


Answer 1) can't see why not.
Answer 2) both openssl and Apache are freely available, so you can
  download them and ensure yourself that they interoperate.


As far as I looked into doc files in openssl source , I could not find
any information regarding compatibility.


It's not up to OpenSSL to be compatible with Apache, but the other  
way around.  I am not personally very familiar with the mod_ssl code,  
but you may see the file modules/ssl/ssl_toolkit_compat.h which  
contains some definitions that differ based on OpenSSL version.



Somebody knows that ?


If 2.0.49 was compatible with a particular OpenSSL version, it is  
highly likely that newer versions will also be compatible with the  
same version.


S.

--
[EMAIL PROTECTED]http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF






Re: [EMAIL PROTECTED] Upgrading from 2.0.49 to 2.0.59

2007-02-04 Thread Sander Temme


On Feb 4, 2007, at 10:14 PM, [EMAIL PROTECTED] wrote:


Additionally, do I have to generate new key after upgrading Apache ?


No, the information in your key and certificate exists entirely  
separately from Apache. You can use the same key and certificate. In  
fact, you can use the same configuration file.


At the moment, the 2.0.x branch only receives security updates.  
Differences between individual versions on the branch are minimal.


S.

--
[EMAIL PROTECTED]http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF






Re: [EMAIL PROTECTED] MAX_HOST_CONNECTIONS

2007-02-05 Thread Sander Temme

Geoff,

On Feb 5, 2007, at 11:41 AM, Geoff Hartman wrote:

Where can I set the max number of connections? What is the default?
Is it set in the httpd.conf file?


Yes. MaxClients is your friend.

http://httpd.apache.org/docs/2.2/mod/mpm_common.html#maxclients

This directive sets the maximum number of Apache workers, not the  
maximum number of connections.  Depending on your operating system  
and its configuration, sockets may be lined up by the kernel waiting  
for a worker to handle them. See also ListenBacklog:


http://httpd.apache.org/docs/2.2/mod/mpm_common.html#listenbacklog

S.

--
[EMAIL PROTECTED]http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF






Re: [EMAIL PROTECTED] Apache 2.0 access.log locks

2007-02-06 Thread Sander Temme


On Feb 6, 2007, at 10:39 AM, Rui Pedro Duarte Pinge ((SSI)) wrote:

Any ideas on how to overcome this issue? Did anyone notice the
same behaviour?


Pipe the log into a program using the | operator in the httpd.conf  
file. That program can do with the data whatever it wants, including  
monitoring, writing to a file, etc.


Note that there are some issues with this functionality on Windows on  
the 2.2.x branch. I don't know if the 2.0.x branch is affected by this.


S.

--
[EMAIL PROTECTED]http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF
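
A piped-log consumer of the kind suggested above, as an added example that is not part of the original thread: it parses combined-format lines and drops Apache's "internal dummy connection" entries (quoted in an earlier message on this page) only when they come from a loopback address, because any remote client can send the same User-Agent string. The function names, the script path in the comment and all sample lines except the first are constructed; it assumes the dummy connections arrive from loopback as in the quoted `::1` line, so a server listening on one specific address may need that address added.

```python
#!/usr/bin/env python3
"""Piped-log filter: reads combined-format access log lines on stdin.

Hooked up with a line such as (script path is hypothetical):
    CustomLog "|/usr/local/bin/logfilter.py /var/log/httpd/access_filtered.log" combined
"""
import ipaddress
import re
import sys
from collections import Counter

# host ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)
DUMMY_MARK = "(internal dummy connection)"


def is_loopback(host):
    """True only for a literal loopback address; a resolved hostname is not trusted."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def classify(line):
    """Return 'internal', 'spoofed', 'client' or 'unparsed' for one log line."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if m is None:
        return "unparsed"
    if DUMMY_MARK in m.group("agent"):
        # The marker alone proves nothing: it is a client-supplied header.
        return "internal" if is_loopback(m.group("host")) else "spoofed"
    return "client"


def filter_lines(lines):
    """Drop genuine internal wake-ups; keep everything else. Returns (kept, counts)."""
    counts = Counter()
    kept = []
    for line in lines:
        kind = classify(line)
        counts[kind] += 1
        if kind != "internal":
            kept.append(line.rstrip("\r\n"))
    return kept, counts


# First line is the entry quoted on this page; the rest are constructed samples.
SAMPLE_LINES = [
    '::1 - - [27/Jan/2007:13:40:03 -0500] "GET / HTTP/1.0" 200 8761 "-" '
    '"Apache/2.2.3 (Unix) (internal dummy connection)"',
    '203.0.113.9 - - [27/Jan/2007:13:41:10 -0500] "GET / HTTP/1.0" 200 8761 "-" '
    '"Apache/2.2.3 (Unix) (internal dummy connection)"',
    '198.51.100.7 - - [27/Jan/2007:13:41:12 -0500] "GET /index.html HTTP/1.1" 200 512 '
    '"http://www.example.com/" "Mozilla/5.0"',
    'not an access log line',
]


def main(out_path):
    """Run as the piped logger: read stdin until httpd closes the pipe."""
    with open(out_path, "a", buffering=1) as out:
        for line in sys.stdin:
            if classify(line) != "internal":
                out.write(line)


if __name__ == "__main__":
    main(sys.argv[1])
```

Lines classified as `spoofed` and `unparsed` are kept on purpose, so that a forged marker or a malformed request still reaches the log.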






Re: [EMAIL PROTECTED] 2 questions

2007-02-06 Thread Sander Temme


On Feb 6, 2007, at 3:45 PM, Geoff Hartman wrote:

Q1: Is there any way to optimize apache for the highest number of  
possible connections?


Your main tunable is the MaxClients directive, which you can tune to  
maximize the number of workers Apache will have available. You should  
tune this always in relation to your available RAM (so your server  
never has to resort to virtual memory during operation) and available  
CPU cores. More than several hundred worker threads or processes per  
CPU core can be counterproductive and do you more harm than good!


In general, it is best to have Apache take care of process  
management, and use MaxClients as the absolute highest number.


Because TCP connection sockets are handled by the kernel, even the  
MaxClients number is not an absolute upper limit. Connections can  
back up in the kernel to a limit that could be determined by the  
ListenBacklog directive.


If you don't need to listen on multiple IP addresses or listening
ports, make sure you don't have more than one Listen statement in
your configuration file. This causes Apache to operate without an
accept() mutex, which may make it more efficient on certain platforms.


See the httpd documentation: http://httpd.apache.org/docs/2.2/ and/or  
attend my Performance Tuning sessions at ApacheCon Europe 2007, May  
1-4 in Amsterdam.


Q2: I seem to have a high number of active connections with a state  
of TIME_WAIT when I run netstat. Is that bad? or normal?


Yes, this is normal.  The operating system places sockets in  
TIME_WAIT for a certain period of time (usually two minutes) after  
the server has completed a three-way TCP closure handshake.  Various  
operating systems (you don't tell us what you're using) have  
different ways of tuning kernel limits related to how many  
connections it'll keep around and for how long.


If your site is so busy that you run out of resources on your server,  
you need more servers to spread the load.  I also talk about this at  
ApacheCon.


S.

--
[EMAIL PROTECTED]http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF






Re: [EMAIL PROTECTED] Apache management and benchmark/test tools

2007-02-07 Thread Sander Temme


On Feb 7, 2007, at 3:36 AM, Nando Ronsisvalle wrote:

I'm looking for a tool or a set of tools to test (performances),  
benchmark and manage this web server.


There are many, from simple and free (ab, http_load, siege) to
not-so-simple and free (flood, jmeter) all the way to very
sophisticated and expensive (LoadRunner).



I have to manage some virtual hosts, htaccess files.
Usually I prefer to edit .conf files by hand, but in this case I'm
not the only one that manages this pc.

What do you use to manage apache?


Unix groups, and Subversion.

Place everyone that can edit the configuration in one unix group.
Make sure their umask is 002 and make the configuration files
group-writable.  Same story for the content. You can keep the
configuration and content in Subversion, like we do at the ASF, so
it's easy to track who changes what, and to roll out changes you just
run svn update and give Apache a graceful restart if you change the
configuration.


If you have a hierarchy where some people can edit the general  
configuration, and others only have access to certain vhosts, place  
the virtual host configuration in separate files and use Include to  
pull them into the main file.  You can then make multiple unix  
groups, like 'webmaster' and 'webminions', make the main config  
writable by the former and the vhost configurations by the latter.


Unix groups are fairly simple compared to some access control  
schemes, but they can work really well for this kind of stuff.


S.

--
[EMAIL PROTECTED]http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF
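
The group-and-umask arrangement described above can be checked mechanically. The following is an added example, not part of the original message: it shows what umask 002 versus 022 does to a newly created file, and audits a configuration tree for files that are world-writable, not group-writable, or in the wrong group. The tree layout, file names and the policy mapping are constructed for the demonstration, and groups are compared by numeric gid.

```python
import os
import stat


def create_with_umask(path, umask):
    """Create a file as an editor would (requested mode 0666, filtered by
    the umask) and return the permission bits it actually received."""
    old = os.umask(umask)
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o666)
        os.close(fd)
    finally:
        os.umask(old)
    return stat.S_IMODE(os.stat(path).st_mode)


def expected_group(relpath, policy):
    """policy maps a path prefix ('' = whole tree) to the gid that should
    own files below it; the longest matching prefix wins."""
    best = ""
    for prefix in policy:
        if prefix and (relpath == prefix or relpath.startswith(prefix + "/")):
            if len(prefix) > len(best):
                best = prefix
    return policy[best]


def audit(root, policy):
    """Return sorted (relative path, problem) pairs for regular files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and special files are out of scope here
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if st.st_mode & stat.S_IWOTH:
                # Any local account could alter what the server loads.
                findings.append((rel, "world-writable"))
            if not st.st_mode & stat.S_IWGRP:
                # Typical result of editing with umask 022 instead of 002.
                findings.append((rel, "not group-writable"))
            if st.st_gid != expected_group(rel, policy):
                findings.append((rel, "wrong group"))
    return sorted(findings)


def build_demo_tree(root):
    """Constructed layout: a main config plus per-vhost files pulled in
    with Include. Returns the gid the files were created with."""
    os.mkdir(os.path.join(root, "vhosts"))
    create_with_umask(os.path.join(root, "httpd.conf"), 0o002)        # 0664, as advised
    create_with_umask(os.path.join(root, "vhosts", "a.conf"), 0o022)  # 0644, wrong umask
    loose = os.path.join(root, "vhosts", "b.conf")
    create_with_umask(loose, 0o002)
    os.chmod(loose, 0o666)                                            # someone "fixed" it
    return os.stat(os.path.join(root, "httpd.conf")).st_gid


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        gid = build_demo_tree(tmp)
        # '' stands for the main-config group, 'vhosts' for the vhost editors.
        for path, problem in audit(tmp, {"": gid, "vhosts": gid}):
            print(f"{problem:20} {path}")
```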






Re: [EMAIL PROTECTED] Re: apache/linux newbie has Test Page that won't die

2007-02-08 Thread Sander Temme


On Feb 8, 2007, at 2:50 PM, Urijah Kaplan wrote:


208.109dot216.147


 curl -i http://208.109.216.147/
HTTP/1.1 403 Forbidden
Date: Thu, 08 Feb 2007 22:56:45 GMT
Server: Apache/2.0.52 (CentOS)
Accept-Ranges: bytes
Content-Length: 5044
Connection: close
Content-Type: text/html; charset=UTF-8

http://www.w3.org/ 
TR/xhtml11/DTD/xhtml11.dtd">


Apache HTTP Server Test Page powered by  
CentOS

(...)

As you can see, the actual response you get is a 403 Forbidden.  This
is the way Red Hat and its derivatives serve the default test page:
in absence of an actual /var/www/html/index.html, Apache would serve
the directory index, which is forbidden by
/etc/httpd/conf.d/welcome.conf.  The corresponding line in the error
log file is:


[Tue Jan 16 11:40:08 2007] [error] [client 10.11.0.103] Directory index forbidden by rule: /var/www/html/


You say that you commented out the welcome.conf stuff (and restarted  
Apache, right?), and yet you are still sending out 403s.  What error  
log entries are you getting when you try to access / on your server?


S.

--
[EMAIL PROTECTED]http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF






Re: [EMAIL PROTECTED] Re: apache/linux newbie has Test Page that won't die

2007-02-08 Thread Sander Temme


On Feb 8, 2007, at 3:56 PM, Urijah Kaplan wrote:


That worked! I restarted (I didn't know I had to do that--when am I
supposed to restart?) and the folder from /home//public_html
popped up. Seizing the opportunity, I put in my website there
(changing the default.htm to index.html) and it worked! So, this
experience leaves me with a few questions

1.When should I know to restart the server?


When you change the configuration file(s). Usually, a 'graceful'  
restart is enough.



2. Why aren't the pages being served from /var/www/html/ like the
DocumentRoot says? Is there another configuration file that's
overriding it somewhere?


As soon as you define  containers, they take over from  
the 'Main Server' configuration. The first virtual host in your  
configuration is the Default and receives non-matching requests (that  
don't contain a matching Host: header).



3) Why can't I use default.htm (not a big deal obviously)


Add it to the DirectoryIndex directive. You can do this per virtual  
host.



4) Since I clearly don't know what I'm doing, what would be a good
resource/book to use to teach me more about Apache/Linux?


The Apache documentation:

http://httpd.apache.org/docs/2.2/

I have always liked "Apache: the Definitive Guide" by Ben and Peter  
Laurie:


http://www.amazon.com/dp/0596002033?tag=sandersweblog-20&camp=14573&creative=327641&linkCode=as1&creativeASIN=0596002033&adid=0H8M3S43QATSYC94MFXZ&


Also, hang out on this list and you'll be helping other people in no  
time!


S.

--
[EMAIL PROTECTED]http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF






Re: [EMAIL PROTECTED] Re: apache/linux newbie has Test Page that won't die

2007-02-08 Thread Sander Temme


On Feb 8, 2007, at 5:35 PM, Urijah Kaplan wrote:


Okay, at first glance what you said was just a lot of jargon. I'm
slowly trying to translate, so please tell me if I'm on the right
track.

1) What's a "graceful" restart? Right now, I'm just pressing restart
on the simple control panel godaddy gives me. When I ssh in, what
should I type in? (I'm guessing you mean restarting Apache and not the
whole server--right? How do you do that?)


Godaddy?  I thought we were talking about your server?  Or do you  
lease your server from Godaddy?


Anyway, from our preceding conversation I assume that your Apache is
installed from a CentOS (or Red Hat Enterprise) RPM package.  This
package typically installs a startup script /etc/init.d/httpd:
execute this without arguments to see what it can do:


[EMAIL PROTECTED] root]# /etc/init.d/httpd
Usage: httpd {start|stop|restart|condrestart|reload|status|fullstatus|graceful|help|configtest}


These are far more options than Apache provides by default, and most  
of them have to do with Red Hat specific stuff, but note the presence  
of 'restart' and 'graceful'.


restart makes Apache re-read its configuration file. All child  
processes are terminated, and users currently being served a page  
will be cut off.


graceful makes Apache re-read its configuration file, but the child  
processes are allowed to finish serving their current requests before  
dying.



2)  Where are these VirtualHost Settings stored? I don't see them in
/etc/httpd/conf/welcome.conf I don't really need a VirtualHost (I
think), because this server will be for only one site. Is there any
downside to using a Virtual Host?


The Red Hat package, which is NOT a standard configuration of Apache,  
is configured through /etc/httpd/conf/httpd.conf, which includes all  
the files /etc/httpd/conf.d/*.conf . If you have any VirtualHost  
declarations for a listening port, the first of those in the list  
will get all requests on that port, except if there is a  
NameVirtualHost and the client is accessing sites by name. The  
default configuration has one virtual host, for SSL.


The matching algorithm is complicated and occasionally trips me up,  
too.  You can find information about it on:


http://httpd.apache.org/docs/2.0/vhosts/


3) What does "non-matching requests (that don't contain a matching
Host: header)" mean?


Most web sites today operate as name-based virtual hosts, where a web
server on one IP address serves many sites, whose hostnames all
resolve to the same IP address.  So how does Apache know with which
virtual host configuration to handle each incoming request?  The
solution is that all modern browsers send a "Host: hostname" header
along with their requests.  The server uses that information to route
the incoming requests.  Requests without that Host: header (like
Internet Explorer 2 used to send) arrive at a default virtual host,
which is the first listed in your configuration file that listens on
the Port that receives the request.



4)Where is the DirectoryIndex directive? What does it do?


http://httpd.apache.org/docs/2.0/mod/mod_dir.html#directoryindex


5)I sense a lot of reading coming up for me...


Enjoy.  The advantage of a steep learning curve is that you get to  
learn a lot in a very short time.


Keep in mind that Apache is free, and you can install a copy on your  
own machine to experiment.


S.

--
[EMAIL PROTECTED]http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF
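
A simplified model of the routing described above (name-based virtual hosts selected by the Host: header, with the first virtual host on the port as the default), written as an added example and not Apache's own matching code. The host names, document roots and function names are constructed; the real algorithm has more cases, as the message itself notes.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class VHost:
    port: int
    server_name: str
    aliases: tuple = ()   # ServerAlias values; may contain * and ? wildcards
    docroot: str = ""


def host_name(header):
    """Lower-cased name from a Host: header value without its :port,
    or None when the header is absent or empty."""
    if not header:
        return None
    value = header.strip().lower()
    if value.startswith("["):                      # IPv6 literal, e.g. [::1]:80
        return value[: value.find("]") + 1] or None
    return value.rsplit(":", 1)[0] if ":" in value else value


def select_vhost(vhosts, port, host_header):
    """Return (vhost, reason). vhosts must be in configuration-file order.

    reason is 'name' or 'alias' for a match, 'default' when the request
    fell through to the first vhost on the port, and 'main-server' when
    no vhost is declared for that port at all."""
    on_port = [v for v in vhosts if v.port == port]
    if not on_port:
        return None, "main-server"
    name = host_name(host_header)
    if name:
        for v in on_port:
            if name == v.server_name.lower():
                return v, "name"
            if any(fnmatchcase(name, a.lower()) for a in v.aliases):
                return v, "alias"
    # No Host: header, or one that matches nothing: first vhost wins.
    return on_port[0], "default"


def fell_to_default(vhosts, port, headers):
    """Which of the given Host: values end up on the default vhost."""
    return [h for h in headers if select_vhost(vhosts, port, h)[1] == "default"]


# Constructed configuration, in file order. Because the first entry
# receives every unmatched request, it is a deliberate catch-all with
# nothing sensitive behind it rather than whichever site came first.
VHOSTS = [
    VHost(80, "catchall.invalid", docroot="/var/www/empty"),
    VHost(80, "www.example.com", aliases=("*.example.com",), docroot="/var/www/site"),
    VHost(80, "shop.example.org", docroot="/var/www/shop"),
]

if __name__ == "__main__":
    for header in ("www.example.com", "IMG.example.com:80", None, "unknown.test"):
        vhost, reason = select_vhost(VHOSTS, 80, header)
        print(f"Host: {header!s:22} -> {vhost.docroot:16} ({reason})")
```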






Re: [EMAIL PROTECTED] remove the http server info banner

2007-02-08 Thread Sander Temme


On Feb 8, 2007, at 7:35 PM, Fauziah Mahdan wrote:


Sorry because I did not find any search column to find either already
being posted or not. The threads show and list by month. It is
difficult to go one by one.


I believe Google keeps pretty good tabs on our mail archives.

S.

--
[EMAIL PROTECTED]http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF






Re: [EMAIL PROTECTED] remove the http server info banner

2007-02-08 Thread Sander Temme


On Feb 8, 2007, at 10:07 PM, Fauziah Mahdan wrote:


Pls help me how to search the thread by topics
Latest page I go is here
http://mail-archives.apache.org/mod_mbox/httpd-users/200610.mbox/thread


http://www.google.com/search?client=safari&rls=en&q=site:mail-archives.apache.org+ServerTokens+disable&ie=UTF-8&oe=UTF-8


S.

--
[EMAIL PROTECTED]http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF






Re: [EMAIL PROTECTED] Apache 2.0 access.log locks

2007-02-09 Thread Sander Temme


On Feb 8, 2007, at 3:01 AM, Rui Pedro Duarte Pinge ((SSI)) wrote:


By the way, do you have any idea why version 1.3 did not have an
exclusive lock over the access.log?


Absolutely no clue whatsoever.

S.

--
[EMAIL PROTECTED]http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF






Re: [EMAIL PROTECTED] Timeouts with Threaded Apache 2.2.3

2007-02-09 Thread Sander Temme


On Feb 8, 2007, at 3:08 AM, Neil Martin wrote:

so we retested with a dummy module called mod_foo ( attached ) but we
still get timeouts.

Is this a known issue in the module API in threaded Apache?


You clearly based your mod_foo on mod_example, and just about the  
only thing you deleted was the comment atop the file that warns the  
mod_example code is not thread-safe.  You should at least remove the  
call to trace_add() from the handler function, because that uses  
global variables and can't be used in a threaded server.


I'm trying to clean this up for the mod_example.c in our development  
trunk, but this has not been done for 2.2.x.


In a typical module (I think most if not all of your magic is in the  
handler function?), you don't need to implement any of the handlers  
unless you're actually using them to do something. You might override  
child_init to set up your database connection pool, but won't need  
stuff like post_read_request or http_scheme.


You can generate a very small, functional sample module by calling  
apxs -g -n foo


When running your benchmarks, you should make sure that you tune  
Apache in relation to the load you are sending it. The default worker  
mpm configuration tops out at 150 concurrent requests, and you are  
running ab at 200... that may not be a problem given the connection  
backlog in the kernel, but especially if your module takes some time  
to do its database thing, you may run out of resources and render ab  
confused. See conf/extra/httpd-mpm.conf to get an idea of the  
tunables for the worker MPM.


S.

--
[EMAIL PROTECTED]http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF






Re: [EMAIL PROTECTED] Any sites allow FTP of latest mod_auth_mysql?

2007-02-12 Thread Sander Temme


On Feb 12, 2007, at 11:25 AM, Jonathan Mangin wrote:


Does anyone know where I can FTP the latest version
of mod_auth_mysql?


How about http://modauthmysql.sourceforge.net/ ?


File downloads are enabled in IE but refuse to work.


That's between you (and IE) and Sourceforge... unfortunately we can't  
help you out with that.


S.

--
[EMAIL PROTECTED]http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF






Re: [EMAIL PROTECTED] Trying to install Apache 2.2.4 on AIX 5.3

2007-02-14 Thread Sander Temme

Sushant,

Great to hear that your server is working. Congratulations!

On Feb 14, 2007, at 3:30 AM, Desai, Sushant wrote:

Now my other doubt is that, http server is running with a particular IP
address, but if my machine has various IP addresses, and I want to
change the default IP address used by Apache server, how would I do it?


Use the Listen directive in the Apache configuration file:

http://httpd.apache.org/docs/2.2/mod/mpm_common.html#listen

You can listen on a specific IP address:

Listen 1.2.3.4:80

Or on all IPv4 addresses:

Listen 0.0.0.0:80

Or on a specific IPv6 address:

Listen [2001:db8::a00:20ff:fea7:ccea]:80

Or on all addresses:

Listen 80

You mentioned that you are running Apache on a cluster. You might  
consider using a specific configuration file on each machine that has  
the correct IP address information for that box, and writing your  
startup script to start Apache with the -d option, like


/oradata/httpd-2.2.4/bin/httpd -d /etc/httpd

Or, if you want to use the same configuration file, you can write a
simple machine-specific file with JUST the information that is
different for each machine, and use the Include directive to suck
that into the configuration. So, in
/oradata/httpd-2.2.4/conf/httpd.conf, you would have no Listen
directive, but instead:


Include /etc/httpd/conf/listen.conf

(assuming the /etc directory is specific to each cluster member)

Finally, you can use the -c and -C command-line options to httpd from  
your startup script to specify  the listening address:


(on the machine with IP address 1.2.3.4)

/oradata/httpd-2.2.4/bin/httpd -c "Listen 1.2.3.4:80"

It's a wealth of options, really.

S.

--
[EMAIL PROTECTED]http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF






Re: [EMAIL PROTECTED] setting up and apache and php.

2007-02-25 Thread Sander Temme


On Feb 25, 2007, at 1:51 PM, Steve R Burrus wrote:

can anyone please tell me where the directive goes in apache's
httpd.conf file :


# configure the path to php.ini
PHPIniDir "C:/php"


It can go absolutely anywhere in the configuration file.

I am trying [again] to integrate apache with php and it is still  
not the most intuitive thing for me to do I must admit!


I do the following four things:

LoadModule php5_module "d:/php-5.2.0/php5apache2_2.dll"
PHPIniDir "d:/myApacheServer/conf"
AddHandler php5-script php

DirectoryIndex index.html index.htm index.php

There should already be a DirectoryIndex directive in your  
configuration file, just add index.php to it if you want the  
index.php files to be considered for serving when the user requests  
a /directory/ on your server.


S. (wonder if we shouldn't include the AddHandler sample directives
in the default httpd.conf, commented out)

--
[EMAIL PROTECTED]http://www.temme.net/sander/
Open Source Software Consultant
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF

ApacheCon 2007 Europe Early Bird Rate extended through March 1!
http://www.eu.apachecon.com/







Re: [EMAIL PROTECTED] getting source via subversion

2007-02-25 Thread Sander Temme

Hi Sam,

On Feb 25, 2007, at 7:35 PM, Sam Carleton wrote:


Execute: Checkout
Error: Error while performing action: REPORT request failed on
'/repos/asf/!svn/vcc/default'
REPORT of '/repos/asf/!svn/vcc/default': 400 Bad Request (http://svn.apache.org)

Ready


Don't check out the top of the repository.  If we didn't have  
measures in place to prevent you from doing that (a module called  
mod_dontdothat), you would end up with a copy of every development  
branch and tag of every project of the foundation.  To check out the  
trunk or a development branch of the httpd source, use the URLs  
listed on the following page:


http://httpd.apache.org/dev/devnotes.html

S.

--
[EMAIL PROTECTED]http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF






Re: [EMAIL PROTECTED] Apache 2.2.4 installl

2007-02-28 Thread Sander Temme


On Feb 27, 2007, at 6:37 AM, Brian McCann wrote:


running on my system. I installed to /usr/local/apache2.

when I run check the version httpd -version it is still 2.2.3


which httpd

tells you where your httpd binary is. Bet you're not running the one
in /usr/local/apache2/bin... what if you put that directory at the
front of your PATH?


There probably is a script in /etc/init.d that starts and stops your  
httpd when the server boots and shuts down. You could replace that  
script by one that calls your installation, or add a script of your  
own. Remember that you have to call the full path of your own  
installed binary: what's on your PATH is likely the RPM install.


S.

--
[EMAIL PROTECTED]http://www.temme.net/sander/
Open Source Software Consultant
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF

ApacheCon 2007 Europe Early Bird Rate extended through March 1!
http://www.eu.apachecon.com/







Re: [EMAIL PROTECTED] Lotus Quickplace / Apache Reverse Proxy

2007-03-01 Thread Sander Temme


On Mar 1, 2007, at 8:49 PM, Jack Saunders wrote:


I am still not able to login, it seems the redirect gets puked on.


I have limited experience with the Lotus software: perhaps you can  
talk to your IBM people.  However, when I did a job last year  
involving Workplace Services, there was a setting that made the app  
not send the Redirect response upon login.


That said, mod_proxy should rewrite outgoing 30x redirects when you  
use the ProxyPassReverse directive with the same parameters as the  
corresponding ProxyPass.  Do you have that directive in place?


S.


--
[EMAIL PROTECTED]http://www.temme.net/sander/
Open Source Software Consultant
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF

ApacheCon 2007 Europe Early Bird Rate extended through March 1!
http://www.eu.apachecon.com/







Re: [EMAIL PROTECTED] Re: mercurial cannot be loaded, is there any difference when going from 2.0.0 to 2.2.x?

2007-03-02 Thread Sander Temme


On Mar 2, 2007, at 11:26 AM, solo turn wrote:


i tried to gather additional information concerning mercurial not
working on solaris10 called via cgi script in apache-2.2.4. what could
be the reason ?


I see you are running mod_python. Are you sure your app is being run  
as a CGI and not through mod_python?


Having never used mod_python, I can't help you configure that.

S.

--
[EMAIL PROTECTED]http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF






Re: [EMAIL PROTECTED] using Apache server as proxy.

2007-03-04 Thread Sander Temme


On Mar 4, 2007, at 6:36 AM, Rostislav Khaskin wrote:

Everything works, except when I try to read remotehost address in  
my app, I get 92.168.2.100.


How can I make it keep the original address?


The proxy server stores it in the X-Forwarded-For header. Your app  
should have access to that.


S.

--
[EMAIL PROTECTED]http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF
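
Added example, not part of the original thread: mod_proxy appends the
connecting address to any X-Forwarded-For value the client already sent,
so a backend should read the header only when the TCP peer is its own
proxy, and should walk it from the right. The function names, the
trusted-proxy list and the sample addresses are assumptions made for
this illustration.

```python
import ipaddress

# Assumption: the reverse proxies this backend accepts forwarded
# addresses from (constructed documentation-range values).
TRUSTED_PROXIES = [
    ipaddress.ip_network("127.0.0.1/32"),
    ipaddress.ip_network("192.0.2.10/32"),
]


def _is_trusted(addr, trusted):
    """True if addr belongs to one of the trusted proxy networks."""
    return any(addr in net for net in trusted)


def client_address(peer_ip, xff_header, trusted=TRUSTED_PROXIES):
    """Return the address the backend should treat as the client.

    peer_ip     -- address of the TCP peer (what the app sees as remote host)
    xff_header  -- raw X-Forwarded-For value, or None if absent
    """
    peer = ipaddress.ip_address(peer_ip)

    # A request that did not arrive through our proxy gets no say:
    # whatever X-Forwarded-For it carries was written by the sender.
    if not _is_trusted(peer, trusted) or not xff_header:
        return str(peer)

    # Each proxy appends the address that connected to it, so the
    # rightmost entry is the one our own proxy vouches for. Entries
    # further left are only believable while every hop to their right
    # is itself a trusted proxy.
    candidate = peer
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last address we could verify
        candidate = addr
        if not _is_trusted(addr, trusted):
            break  # first hop we do not control is the client
    return str(candidate)


# Constructed sample requests: (TCP peer, X-Forwarded-For header).
SAMPLES = [
    ("192.0.2.10", "203.0.113.7"),              # normal proxied request
    ("198.51.100.9", "203.0.113.7"),            # direct hit with a forged header
    ("192.0.2.10", "10.1.1.1, 203.0.113.7"),    # client pre-filled the header
    ("192.0.2.10", "203.0.113.7, 127.0.0.1"),   # two trusted proxies in a row
]

if __name__ == "__main__":
    for peer, header in SAMPLES:
        print(f"{peer:<14} {header!r:<28} -> {client_address(peer, header)}")
```

Use the returned value for logging and access decisions; the raw header
is only as reliable as the leftmost hop you do not control.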






Re: [EMAIL PROTECTED] Failing redirects

2007-03-04 Thread Sander Temme


On Mar 4, 2007, at 2:52 PM, Jonathan Mangin wrote:


Hi,
I've installed 2.0.59 with mod_perl.
I have several CGI::Application scripts running under
ModPerl::Registry.  They were previously working
perfectly with 2.0.55/mod_perl.  Now, whenever the
scripts perform a redirect, I get:

OK
The document has moved here.

Googling doesn't really get me any definitive answers.
Possibly a browser problem, perhaps not.  I'm using
the same browser with no changes.  (I did delete the
cache.)  Can anyone tell me why this happens, instead
of just going where it's told?


No idea (but I'm not a mod_perl buff).  Could you perhaps find out
what the exact response is to the offending request?  Please check
this with a client that can display you the full headers, i.e. curl -i,
Firefox with the liveHttpHeaders plugin or Explorer with IEWatch.


I would hazard that the differences between httpd 2.0.55 and 2.0.59  
are so small as to not have a significant impact on your CGIs.  Did  
you also upgrade mod_perl?


S.

--
[EMAIL PROTECTED]http://www.temme.net/sander/
Open Source Software Consultant
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF

ApacheCon 2007 Europe, May 1-4 in Amsterdam
http://www.eu.apachecon.com/







Re: [EMAIL PROTECTED] Re: Tried to restart Appache service after edit of Httpd.conf in Vista please Help

2007-03-05 Thread Sander Temme


On Mar 5, 2007, at 9:51 AM, [EMAIL PROTECTED] wrote:


Ok guys and gals I need some help,

  I finally got Apache 2.2 installed on my Vista machine and it  
looked like all was going well, edited HTTPD.CONF so I could use  
PHP when I went to restart the service it gave me an ERROR Code 1  
and refuses to restart it. Can someone please tell me what I might  
have done wrong or how I can fix it? Any help would be greatly  
appreciated


I don't know what ERROR code 1 means.  What happens if you comment
out the PHP directives in httpd.conf and try again?  Does the PHP
module have the right ownership and access privileges?


It seems to me that Vista enforces practices that were available, and  
would have been a good idea under XP anyway.  I'm thinking of running  
as an unprivileged user as a matter of course (which nobody does  
under XP because it's too much of a pain, and you CAN run as admin  
all the time), and stricter enforcement of who can execute what where  
in which way.


S. (not having actually used Vista of course)

--
[EMAIL PROTECTED]http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF






Re: [EMAIL PROTECTED] HTTPD and SSL Certs

2007-03-09 Thread Sander Temme

Ian,

On Mar 9, 2007, at 11:01 AM, Ian Johnson wrote:


Is there anyone out there that can answer the following set of
questions for me (or point me to where I may find the information)?


If you're in Europe, you may consider attending my Practical SSL  
Implementation with Apache Training at ApacheCon EU 2007:


http://www.eu.apachecon.com/program/talk/120


Any and all help/responses is greatly appreciated.

While setting up ssl and apache 2 employing name servers I noticed
that you may only have one cert per httpd server rather than, what I
would consider desired, one per name.


You need to run every SSL-enabled virtual host on its own IP  
address.  This is necessary because the SSL handshake happens before  
the HTTP request (and its Host: header which drives name-based  
virtual hosting) is available to the server, and Apache needs to  
present the correct certificate for the server name under consideration.



Be that as it may, having set up a self signed cert, I am getting
certificate validation error that I don't believe I should be getting.
That is:

"Could not verify this certificate for unknown reasons"


What are you using for a client? A self-signed certificate cannot be  
verified by the browser unless you install that certificate in your  
browser's SSL certificate store as a trusted cert. You will get  
either of these errors, or both:


1) Your browser doesn't trust the certificate because it doesn't know  
the entity that issued it (which in your case is the certificate itself)


2) The browser connected to hostname A, but got a certificate for  
hostname B. This ties back to the issue you raised above: SSL hosts  
need to have their own IP, and for the browser to make the correct  
connection these need to resolve correctly in your DNS.



My Questions then:

1.  Is there something wrong with my cert?


From the error message above, it's impossible to tell. I'll
take a wild guess and say that your certificate is fine. Do make sure
that the cert matches the private key:


$ openssl x509 -in yourcert.pem -noout -modulus | openssl md5
$ openssl rsa  -in yourkey.pem  -noout -modulus | openssl md5

should yield the same output. You should also be able to connect to  
the server by running openssl s_client -connect yourserver:443, type  
an HTTP request and get an HTTP response.


2.  Must my cert be signed by a registered authority to be  
considered valid?


Yes, it has to be signed by an authority that your browser recognizes  
as valid.  Note that you can install your own authority (the cert  
itself if you have self-signed) in your browser as trusted entity.


If your site is an internal website and you have control over all  
your clients, you can install your own CA cert on those machines and  
be done. If your website is accessible to the general public and you  
don't want to saddle them with the burden of clicking through dialogs  
or installing your CA cert, give money to a CA already recognized by  
your users' browsers.



3.  What verifications are actually performed?


Depends on the client, but the following checks are generally performed:

1) Validity period of the certificate against the client system clock

2) Hostname to which the client connected vs. the Common Name (CN)
   attribute of the certificate Subject.  This is why your DNS records
   need to be in place and your server needs to present the correct
   certificate for a particular IP address

3) Certificate signature and chain of authority as presented by the
   server against the root CA certificates stored by the client or
   operating system

4) The client could check a Certificate Revocation List (CRL) or Online
   Certificate Status Protocol (OCSP) server to see whether the
   certificate is revoked, but no browser generally deployed in the
   field today does this by default.


When using the 'testing purposes' cert that installs with the app I do
not get this message.


I can't speak to your application or its installation, since you  
don't tell us what they are.


Hope the above gives you some idea of what is going wrong.

S.

--
[EMAIL PROTECTED]http://www.temme.net/sander/
Open Source Software Consultant
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF

ApacheCon 2007 Europe, May 1-4 in Amsterdam
http://www.eu.apachecon.com/







Re: [EMAIL PROTECTED] Vista Ultimate - 403 Forbidden by Options directive

2007-03-18 Thread Sander Temme


On Mar 18, 2007, at 8:57 AM, Shane Arnold wrote:



   Options FollowSymLinks


<..>

[Sun Mar 18 23:53:15 2007] [error] [client 203.59.68.203] Directory  
index forbidden by Options directive: C:/www/docs/ftp/


You need to add the Indexes option to Options and restart your service.

Every single Options directive I could find is set to order  
allow,deny - allow all. As you can see I have set the relevant  
 directive for the virtualhost too (the path is correct  
and contains a basic txt document)


You're requesting the / path, which will cause Apache to serve  
whatever is set in DirectoryIndex (usually index.html) or, in its  
absence, construct a directory listing IF it is allowed to (see above).


If the operating system doesn't allow httpd to read a file, you'll  
get a different error in the log.  The error.log is exactly the right  
place to look for that kind of stuff.


S.

--
[EMAIL PROTECTED]http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF






[EMAIL PROTECTED] Request for Input: ApacheCon SSL Training

2007-03-18 Thread Sander Temme

Dear list,

As I prepare my training session titled "Practical SSL Implementation
with Apache" for the upcoming ApacheCon EU conference, I would like
to take a moment and request your feedback.


http://www.eu.apachecon.com/program/talk/120

If you were to attend a half day training session on SSL and Apache,  
what would you like to see covered?  I will be discussing, among  
other topics:


*) Configuring Apache httpd as an SSL server, starting with a
   practical configuration and building from there
*) A concise discussion of the cryptography behind the whole
   thing, to provide context
*) Working with Certificate Authorities and Public Key Infrastructure
*) Client-side Certificate Authentication
*) Integration of SSL with application code

In doing my research I see that there is a lot of half-valid, well  
hidden information out there on the various topics and I'd love to  
present it all in one place at the training.  I'll have to see what I  
can squeeze into a half day--I could talk for days about this stuff  
and still not be done.  Any recommendations regarding the material or  
where the emphasis should be?  Holes I need to fill?  Suggestions are  
welcome privately or to the list.


Thanks,

Sander

--
[EMAIL PROTECTED]http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF






Re: [EMAIL PROTECTED] Xampp Apache on win 2003. Problem with setting up a Virtual Host

2007-03-20 Thread Sander Temme


On Mar 20, 2007, at 7:39 PM, Richard Luckhurst wrote:

When I try and start Apache it fails and refuses to start with  
nothing in the log files.


Look in the Applications section in the Windows Event Viewer. That is  
where Apache logs before it opens its own log files.




[Wed Mar 21 13:09:54 2007] [crit] (22)Invalid argument: unable to  
replace stderr with error_log


What is your ServerRoot? Does the logs directory exist under that  
ServerRoot?


Am I correct in assuming that if an access or error file does not
exist then it will be created, just like in a linux Apache installation?


If their directory exists.  Apache won't make the logs directory.


I do not understand the no VirtualHosts message in the error log.


Your VirtualHost header needs to match the NameVirtualHosts  
directive.  Try



  ServerName print.book.resmaster.com
  ...



I also do not understand the client denied message.


Once you commented out the  stanza, the Options Indexes  
went away, and if directories higher in the hierarchy don't have  
Indexes defined, it'll deny a request for the generated directory  
index.  I would serve index.html, were there one.


S.

--
[EMAIL PROTECTED]http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF






Re: [EMAIL PROTECTED] Segmentation fault on an Intel based Mac

2007-03-20 Thread Sander Temme


On Mar 20, 2007, at 9:04 PM, Andre-John Mas wrote:


Hi,

I have just downloaded Apache 2.2.4, compiled it, installed it
and the tried running it. What I get when I call:

./apachectl start

is:

./apachectl: line 102: 12799 Segmentation fault  $HTTPD -k $ARGV

and if I call:

./httpd

directly, then I get:

Bus Error


Could you run

ulimit -c unlimited

before you start the server? It should dump core in /cores. Then, run

gdb httpd -core `ls -t /cores | head -1`

and when gdb has finished loading, execute the bt command (bt ==  
backtrace). Send us the output of the bt command (#0 all the way  
through the line that says 'in main ()').


./configure --enable-layout=ServLog --enable-mods-shared=all --enable-dav --enable-cache --enable-shared --disable-static --disable-unique-id --enable-ipv6 --with-included-apr


I think it's --with-layout=Something. Anyway, I don't think we have a  
layout called ServLog in config.layout. What are you trying to  
achieve there?


Otherwise I don't see anything wrong with your configure, other than  
I think we turn IPv6 off on the platform because it doesn't behave  
quite right.


S.

--
[EMAIL PROTECTED]http://www.temme.net/sander/
Open Source Software Consultant
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF

ApacheCon 2007 Europe, May 1-4 in Amsterdam
http://www.eu.apachecon.com/







Re: [EMAIL PROTECTED] Where is libphp5.so?

2007-03-22 Thread Sander Temme

Hey Jeff,

On Mar 21, 2007, at 4:58 PM, jekillen wrote:


I was hoping for someone with enough knowledge of the development
side of php that they could give me some specific suggestions about
what to look for in scripts used in the configure, build and  
install process.


This is not a PHP list... you may find people more closely tied to  
PHP on their support fora.


It's weird. make install should install the PHP module under your  
Apache installation.  It did for me the last time I built PHP.   
Please take it to the PHP folks directly.


S.


--
[EMAIL PROTECTED]http://www.temme.net/sander/
Open Source Software Consultant
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF

ApacheCon 2007 Europe, May 1-4 in Amsterdam
http://www.eu.apachecon.com/







Re: [EMAIL PROTECTED] mod_ssl question

2007-03-29 Thread Sander Temme


On Mar 29, 2007, at 1:25 PM, Rodman wrote:

A, that makes so much more sense.  I didn't even think to have  
two virtual hosts of the same site but have one of them SSL while  
the other is standard port 80.  Redirecting should be easy then.


Yes, if you put your Redirect in the main server config, your SSL  
virtual host will inherit it and create a redirect loop.


S.

--
[EMAIL PROTECTED]http://www.temme.net/sander/
Open Source Software Consultant
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF

ApacheCon 2007 Europe, May 1-4 in Amsterdam
http://www.eu.apachecon.com/







Re: [EMAIL PROTECTED] Help on MaxClients setting, consider raising the MaxClients setting

2007-03-30 Thread Sander Temme

Arnab,

On Mar 30, 2007, at 11:21 PM, Arnab Ganguly wrote:

What I saw was the ServerLimit value = 2 when I kept I saw one root
and two daemon process. And among the two daemon it is the only one
daemon handles all my request. So my requirement is met. But when I
replace the value of ServerLimit = 1 the above behavior is also same.


ServerLimit has no impact on the number of processes actually  
created: it governs the size of some data structures Apache creates  
when it starts up. The actual limiting value is MaxClients and while  
it is true that MaxClients / ThreadsPerChild <= ServerLimit, I  
wouldn't worry about it too much.



The other config was followed was same as below

StartServers 1
MaxClients 25
MinSpareThreads 25


As Joshua points out this is a confusing value since you don't allow  
the server to spawn more children to satisfy the idle thread  
requirement.  Zero would be a more adequate value but I don't know if  
Apache supports that.



MaxSpareThreads  25
ThreadsPerChild  25
MaxRequestsPerChild 0.

The minspare threads I will reduce it to 5 or to some lower
value. But I still get the error as "MaxClients setting, consider
raising the MaxClients setting ".


Apache logs this when it reaches the MaxClients value.  Your settings
are such that this will always happen (since it'll spawn one child of
25 threads on startup).  The line in the error log has no other
implication: since you are consciously configuring for this situation
it is completely harmless.


I can't increase the value of MaxClients and the number of active
child process has to be one also the Threadsperchild has to be 25
as this is the max value in Unix.


I don't think this is the case.  Our compile-time default maximum is  
64, but you can change that using the ThreadLimit directive:


http://httpd.apache.org/docs/2.2/mod/mpm_common.html#threadlimit

So is there any other way I can subside the error also my
requirement is met. I am new to apache and sorry for some basic
questions.


Don't worry about the MaxClients error: it is harmless and attends  
you to a condition that you explicitly create.


S.

--
[EMAIL PROTECTED]http://www.temme.net/sander/
Open Source Software Consultant
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF

ApacheCon 2007 Europe, May 1-4 in Amsterdam
http://www.eu.apachecon.com/







Re: [EMAIL PROTECTED] Info when the MaxClient is reached

2007-04-01 Thread Sander Temme

Hi Arnab,

On Apr 1, 2007, at 9:53 PM, Arnab Ganguly wrote:

Want some info when the MaxClient value is reached, what would
happen to Apache webserver? Is that particular of time if we ping
apache it will time out. How long will it take to recover or the
requests will be queued?
Can you tell me is there any configurable parameter in NES similar
to MaxClient settings in Apache, i.e. the max simultaneous request it
can handle?


The MaxClients directive dictates the maximum number of child  
processes (prefork) or worker threads (other MPMs) Apache can spawn.   
Its name is slightly misleading: MaxClients does not actually dictate  
the maximum number of clients that can connect to the web server.  It  
does, however, dictate the maximum number of requests Apache can  
handle concurrently.


As TCP connections arrive on Apache's listening socket, they are  
queued by the kernel.  All the Apache workers receive these TCP  
connections in the order in which they arrived.  If Apache handles  
the requests fast enough, the queue will be mostly empty and any new  
connection will be received by an Apache worker immediately.  If the  
server is busy, requests may queue up and the client's browser will  
say 'Connecting to... ' in the status bar.  The number of connections  
that can queue up is platform-specific, but you can manipulate it  
using the ListenBacklog directive:


http://httpd.apache.org/docs/2.2/mod/mpm_common.html#listenbacklog

Only when the kernel's queue is full, and all Apache children are  
busy will the server refuse new incoming connections, and the way in  
which this happens also depends on the server platform.


Of course all of this happens on the Apache listening socket, and has  
nothing to do with ping (ICMP) which is handled completely inside the  
kernel.


S.

--
[EMAIL PROTECTED]http://www.temme.net/sander/
Open Source Software Consultant
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF

ApacheCon 2007 Europe, May 1-4 in Amsterdam
http://www.eu.apachecon.com/







Re: [EMAIL PROTECTED] ECDSA Certificate use in mod_ssl

2007-04-07 Thread Sander Temme

Takurou,

On Apr 6, 2007, at 12:59 AM, Takurou Saitou wrote:


The use of CipherSuite of ECDSA is already enabled in OpenSSL,
but will there be a plan to support in the future in mod_ssl?


Just to make sure that we are talking about the same thing, how does  
this cipher show up when you run 'openssl ciphers'?  What version of  
openssl is in use?



The following error occurred when I was going to use a certificate
of ECDSA in mod_ssl of Apache2.2.4 for trial.


What is the value of your SSLCipherSuite directive in your  
configuration file?


Thanks,

S.

--
[EMAIL PROTECTED]http://www.temme.net/sander/
Open Source Software Consultant
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF

ApacheCon 2007 Europe, May 1-4 in Amsterdam
http://www.eu.apachecon.com/







Re: [EMAIL PROTECTED] Problems with Vista

2007-04-07 Thread Sander Temme


On Apr 6, 2007, at 8:24 AM, Conor Kerr wrote:


Anyway... no one here cares I'm sure. :)


We do care, but we're always happiest when you fix your own issues  
especially on operating systems many of us are not running yet.



(But just in case anyone else has the same problem... that's how I
fixed it).


Excellent, that will make its way to the archives and will in due  
course be indexed by the search engines.


S.

--
[EMAIL PROTECTED]http://www.temme.net/sander/
Open Source Software Consultant
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF

ApacheCon 2007 Europe, May 1-4 in Amsterdam
http://www.eu.apachecon.com/







Re: [EMAIL PROTECTED] ust upgraded from 2.0 to 2.2 and keep getting this error message

2007-04-08 Thread Sander Temme


On Mar 28, 2007, at 4:38 AM, [EMAIL PROTECTED] wrote:

httpd.exe: Syntax error on line 134 of C:/Program Files/Apache  
Software Foundation/Apache2.2/conf/httpd.conf:API module structure  
`access_module' in file
C:/Program Files/Apache Software Foundation/Apache2.2/modules/ 
mod_access.so is garble - perhaps this is not an Apache module DSO?


mod_access no longer exists in 2.2, so what you have is probably a  
copy left over from 2.0.  Remove it.


The functionality of mod_access has been replaced by mod_authz_host.  
See:


http://httpd.apache.org/docs/2.2/upgrading.html

for more information.

S.

--
[EMAIL PROTECTED]http://www.temme.net/sander/
Open Source Software Consultant
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF

ApacheCon 2007 Europe, May 1-4 in Amsterdam
http://www.eu.apachecon.com/







Re: [EMAIL PROTECTED] Help ! Optimize Apache2 and PHP

2007-04-08 Thread Sander Temme

Hi Alex,

On Apr 8, 2007, at 10:17 AM, Alejandro Decchi wrote:

I need to optimize my Apache and my PHP and Mysql. Now my apache
uses 90 % of CPU when I run a query by the application webpage. But
when I make the same query by mysql command it is very fastest.

Why my apache use 90% of CPU when i run a query by my webpage ??
Someone can help me???


The fact that no one has reacted to your repeatedly asking the same  
question over the past couple of days usually indicates that no one  
here truly understands your question, or knows the answer to it.


When you say Apache uses 90% CPU, is that out of the ordinary?  I  
would expect the kernel to grant all available CPU power to a process  
that has work to do.  Are you seeing unacceptable delays in page  
display when you run your web app?


If I were you, I'd concentrate on the PHP code in your application.   
Apache by itself is pretty fast, and you have already established  
that executing the query in MySQL is not the problem (good  
troubleshooting skill there).


So, that leaves the application code.  Could you possibly be doing  
something inefficient with the data once fetched from the database?   
Unfortunately, this is not a forum for help with PHP optimization: if  
you need more help with that please check php.net.


S.

--
[EMAIL PROTECTED]http://www.temme.net/sander/
Open Source Software Consultant
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF

ApacheCon 2007 Europe, May 1-4 in Amsterdam
http://www.eu.apachecon.com/







Re: [EMAIL PROTECTED] ECDSA Certificate use in mod_ssl

2007-04-09 Thread Sander Temme


On Apr 8, 2007, at 7:47 PM, Takurou Saitou wrote:


$ ./openssl ciphers -v ECDHE-ECDSA-AES256-SHA
ECDHE-ECDSA-AES256-SHA  SSLv3 Kx=ECDH Au=ECDSA Enc=AES(256)  Mac=SHA1
-- 


--

A version of OpenSSL using is 0.9.8e.


See, that's strange.  Without a thorough look at the actual code, I  
don't know which call we make to get the list of CipherSuites from  
OpenSSL.  However, I wouldn't be surprised if we (Apache) would not  
pick up a cipher that was not in the list.


If this is the case, the fact that your cipher is not in the list is  
a bug in OpenSSL and should be brought to their attention.





The following error occurred when I was going to use a certificate
of ECDSA in mod_ssl of Apache2.2.4 for trial.


What is the value of your SSLCipherSuite directive in your
configuration file?


I appoint 'ECDHE-ECDSA-AES256-SHA' in 'SSLCipherSuite' directive
experimentally.

The error that I showed by a previous email is given right after I
execute 'httpd -k start'.
Therefore I think that it is a previous problem with CipherSuite of
ECDSA.


Could you make sure that your Apache is linked against a library that  
supports the cipher, for instance on unix systems you could run


ldd /path/to/your/apache/bin/httpd

and look at the entries for libcrypto.so.(...) and libssl.so.(...),  
and make sure they resolve to the right OpenSSL installation if you  
have more than one on your machine.


How did you generate this certificate? If you could paste me the  
command sequence you used to generate the key and certificate, I can  
do some experimentation and see if I can reproduce your issue.


Also, are you able to print the certificate using

openssl x509 -in yourcert.file -noout -text

?

S.

--
[EMAIL PROTECTED]http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF






Re: [EMAIL PROTECTED] How to protect awstats page

2007-04-09 Thread Sander Temme


On Apr 9, 2007, at 4:38 AM, Mário Gamito wrote:


awstats.pl is located outside Apache's DocumentRoot in
/usr/local/awstats/wwwroot/cgi-bin

I put there a .htaccess file with the following contents:
"AuthUserFile /usr/local/awstats/wwwroot/cgi-bin/.htpasswd
AuthName "stats"
AuthType Basic
require valid-user"

but it doesn't work, the page is unprotected.


You'll need to have AllowOverride set to (at least) AuthConfig for  
the directory. For instance, the default configuration file has a



<Directory />
  Options FollowSymLinks
  AllowOverride None
</Directory>


Change that AllowOverride None to AllowOverride AuthConfig, and  
you're good.  Alternatively, you can put the configuration language  
in a <Directory> block in your httpd.conf, which takes away the need  
for .htaccess altogether.


S.

--
[EMAIL PROTECTED]    http://www.temme.net/sander/
Open Source Software Consultant
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF

ApacheCon 2007 Europe, May 1-4 in Amsterdam
http://www.eu.apachecon.com/







Re: [EMAIL PROTECTED] Apache2.2 php5 with sessions

2007-04-14 Thread Sander Temme

Hey Ofloo,

On Apr 14, 2007, at 5:47 AM, Ofloo wrote:

This might be an ignorant question, but it bothers me, I have created a
session I left my browser open for a week and yet the session still exists.
Is this normal !? I checked session_cache_expire and this is set to 180
(default) but after one week all variables still exist..


You have reached the [EMAIL PROTECTED] list.  We're not very  
good at PHP here, so we can't really answer your question.  You may  
look into the PHP documentation to see if there are any php.ini  
settings that affect session lifetime.  Please ask any additional PHP  
questions on a PHP support forum.


S.

--
[EMAIL PROTECTED]    http://www.temme.net/sander/
Open Source Software Consultant
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF

ApacheCon 2007 Europe, May 1-4 in Amsterdam
http://www.eu.apachecon.com/







Re: [EMAIL PROTECTED] http connection hangs when -DSSL option is used.

2007-04-17 Thread Sander Temme
Pranav Choudhary wrote:

> I have cross-compiled apache 2.0.59 for arm (with mod_ssl). I started

> After a few experiments i found that even if i don't start with -DSSL
> and just Listen on one more port (other than 80), i am not able to
> connect to the server using http. ie. if i add a directive "Listen 443"
> to http.conf file, i cannot connect using http.

So your problem more likely has to do with the presence of the second
listener than the SSL bits. What locking method are you using, how did
your build process arrive at the available locking methods and is the
result something supported on the CPU/OS?

Could you paste us the relevant lines from your ./configure output, and
the output of httpd -V?

Thanks,

S.




Re: [EMAIL PROTECTED] (13)Permission denied: exec of ... failed

2007-04-19 Thread Sander Temme
Scott Dudley wrote:
> 
> 
> Steve Swift wrote:
>> Does the file which failed to execute contain a #! (shebang) pointing
>> at an executable that apache cannot execute?
> No.  It's a static HTML.

Looks like your web server is trying to execute the file, possibly
because it's under your ScriptAlias directory.

Put static HTML outside your ScriptAlias.

S.

>>
>> On 19/04/07, *Scott Dudley* < [EMAIL PROTECTED]
>> > wrote:
>>
>>
>> I'm working on a friend's FC 3 server running Apache/2.0.54.
>>
>> We're getting the following error accessing
>> http://domain/cgi-bin/subdir/index.html:
>>
>> (13)Permission denied: exec of
>> '/www/docs/domain/cgi-bin/subdir/index.html' failed
>>
>> Permissions all appear correct:
>>
>> drwxr-xr-x  20 apache apache 4096 Apr 19 01:07 cgi-bin/
>> drwxr-xr-x  10 apache apache 4096 Apr 19 00:35 cgi-bin/subdir/
>> -rw-r--r--  1 apache apache 15 Apr 19 00:43 cgi-bin/subdir/index.html
>>
>> No suExec and SELinux is disabled.
>>
>> We can execute CGI's placed in the top-most cgi-bin directory but
>> cannot
>> seem to access any contents located deeper in that tree.
>>
>> What am I missing?
>>
>> --
>> Regards,
>>
>> Scott Dudley
>>
>>
>> -
>> The official User-To-User support forum of the Apache HTTP Server
>> Project.
>> See <URL:http://httpd.apache.org/userslist.html> for more info.
>> To unsubscribe, e-mail: [EMAIL PROTECTED]
>> 
>>"   from the digest: [EMAIL PROTECTED]
>> 
>> For additional commands, e-mail: [EMAIL PROTECTED]
>> 
>>
>>
>>
>>
>> -- 
>> Steve Swift
>> http://www.swiftys.org.uk 
> 





Re: [EMAIL PROTECTED] Memory occupied and number of files open

2007-04-20 Thread Sander Temme
Arnab,

Arnab Ganguly wrote:

> How much Apache occupies memory and number of files it opens for each
> client request of the MaxClient value?

Depends on your configuration and the extra bells and whistles.

One for each listener.
One each for ErrorLog, TransferLog, CustomLog etc.
One or more (depending on mod_include) for each request served from the
file system, as it is served
One for each back-end connection through mod_proxy, mod_jk if you use that.
One for each connection to MySQL from PHP if you use that.

The prefork MPM has the above per process.

The Worker MPM shares open log files and listener file descriptors, but
might run into limitations regarding the number of files it opens to
serve requests.

See ulimit -n.

> If it is dependent on the system ,
> how do we find out?Looking forward for your response.

That depends on your operating system.  On unix-like platforms, lsof
should be able to give you that information but I can't tell you how
(because I don't know how... I'd run lsof and grep for the name of the
process).

S.




Re: [EMAIL PROTECTED] My apache server attacked

2007-04-23 Thread Sander Temme


On Apr 23, 2007, at 2:31 AM, Jacky wrote:

In our production environment, we have 2 apache servers firewalled  
to accept port 80 and 443 only.
These apache servers will load balanced to 2 of our resin servlet  
container. Recently we checked from our logs and verified that  
there are certain unwelcomed individuals that did a mass posting to  
our apache servers causing our normal operations nearly to a halt.


I would like to ask for advice from the experienced individuals  
from this mailing list, what you guys normally do to counter this?
What we are doing right now is blocking them from firewall. Wish to  
get some suggestions from this list.


Blocking attacks at the firewall is an excellent and very efficient  
approach, if the attacks come from only one or a few IP addresses.


For distributed attacks, you might consider mod_dosevasive and/or  
mod_security


http://www.modsecurity.org/

I'm not sure where the current home for dosevasive is.

S.

--
Sander Temme
[EMAIL PROTECTED]
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF
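
The distinction drawn in the reply above (a few source addresses, which a firewall rule handles, versus a distributed flood) can be read off the access log. The following is an added example, not part of the original thread: it assumes Common Log Format, and the thresholds, addresses and paths are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) \S+[^"]*" \d{3} \S+'
)


def parse_line(line):
    """Return (client, timestamp, method), or None if the line is not CLF."""
    m = CLF.match(line)
    if m is None:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    return m.group("host"), ts, m.group("method")


def peak_in_window(timestamps, window):
    """Largest number of events inside any sliding window of that length."""
    q, peak = deque(), 0
    for ts in sorted(timestamps):
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        peak = max(peak, len(q))
    return peak


def triage(lines, window=timedelta(seconds=10), per_client=5,
           site_wide=20, max_firewall_sources=3):
    """Classify POST traffic as 'firewall', 'distributed' or 'normal'."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == "POST":
            posts[rec[0]].append(rec[1])

    peaks = {c: peak_in_window(t, window) for c, t in posts.items()}
    offenders = sorted(c for c, n in peaks.items() if n >= per_client)
    # POST rate that would remain after blocking every offender
    rest = [ts for c, t in posts.items() if c not in offenders for ts in t]
    residual_peak = peak_in_window(rest, window)

    if not offenders and residual_peak < site_wide:
        verdict = "normal"
    elif (offenders and len(offenders) <= max_firewall_sources
          and residual_peak < site_wide):
        verdict = "firewall"      # a handful of sources carries the flood
    else:
        verdict = "distributed"   # too many sources for per-address rules
    return {"verdict": verdict, "offenders": offenders,
            "peaks": peaks, "residual_peak": residual_peak}


def _clf(client, ts, method, path):
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{client} - - [{stamp}] "{method} {path} HTTP/1.1" 200 512'


# Constructed sample data (documentation address ranges, hypothetical paths).
T0 = datetime(2007, 4, 23, 2, 31, 0, tzinfo=timezone.utc)
SINGLE_SOURCE = (
    [_clf("192.0.2.10", T0 + timedelta(seconds=i), "POST", "/comment")
     for i in range(8)]
    + [_clf("198.51.100.7", T0 + timedelta(seconds=2), "GET", "/index.html"),
       _clf("203.0.113.5", T0 + timedelta(seconds=4), "POST", "/login")]
)
MANY_SOURCES = [
    _clf(f"203.0.113.{i + 1}", T0 + timedelta(seconds=i // 3), "POST", "/comment")
    for i in range(30)
]

if __name__ == "__main__":
    for name, sample in (("single", SINGLE_SOURCE), ("many", MANY_SOURCES)):
        result = triage(sample)
        print(name, result["verdict"], result["offenders"], result["residual_peak"])
```

A "firewall" verdict lists the addresses to block; a "distributed" verdict means per-address rules will not hold and rate limiting in the server is the next step.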







Re: [EMAIL PROTECTED] any luck using shared memory for mod_ssl SSLSessionCache ?

2007-04-23 Thread Sander Temme


On Apr 23, 2007, at 8:12 AM, Yannick Mercier wrote:


[Mon Mar 19 08:45:28 2007] [notice] child pid 27827 exit signal Bus
error (10), possible coredump in /opt/apache


If the httpd child can write to /opt/apache, you're likely to find a  
core file there.  We'd be hugely interested in a backtrace of that.  
That'd give us the state of the system when the crash occurred, and  
would give us insight into what went wrong.


If you don't find that core file, manipulate the core location to be  
a directory to which the httpd children have write access. See the  
CoreDumpDirectory directive and coreadm(1M).


What's your SSLMutex? Have you tried different settings for that?


Anyone can help fixing this ? any suggestions ? I built apache with
Sun Studio 11 under Solaris 8 with mod_authnz_ldap/openldap in 64bit
with these flags to the compiler -fast -xarch=v9b -xcode=pic32 , I
then compiled mod_perl and mod_evasive using apxs


I'm not sure how you take backtraces with the debugger that comes  
with Sun Studio.  I have it installed on a VMWare image, but before I  
can try figure this out I have a lot of bears to cook, so if you, or  
someone else, beats me to it that'd be better for all.


S.

--
Sander Temme
[EMAIL PROTECTED]
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF







Re: [EMAIL PROTECTED] apache reverse proxy query

2007-04-26 Thread Sander Temme


On Apr 25, 2007, at 3:21 PM, Fred Sanfrod wrote:

the inbound requests are to the ASP page i'm protecting and usually
carry query data in the uri, e.g., http://foo.domain.org/foo.asp?name=&addy=&etc
...which does NOT seem to be passed along to the back end web server.
This is true with either a GET or POST method.


Can you post us the pertinent part of your Apache configuration?  I  
have a server that does a bunch of reverse proxy stuff and I have  
never given the query string or the POST data any thought, so it must  
be working if all you do is something like



  ProxyPass http://backend/foo
  ProxyPassReverse http://backend/foo


Are you doing something more elaborate or different?

S.

--
Sander Temme
[EMAIL PROTECTED]
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF







Re: [EMAIL PROTECTED] Running one website via two apache running boxes (windows)

2007-04-28 Thread Sander Temme


On Apr 28, 2007, at 7:18 PM, hydn79 wrote:



I've mirrored the htdocs to the 2nd server. And they file sync  
every 15 mins.


Problem:
server 1 is www.mysite.com with ip 123.123.123.1
server 2 is simply a different ip eg 123.123.123.2

What is the best method to share the load across the two apache  
servers?


Two main approaches:

1) Use round robin DNS to alternately have www.mysite.com resolve to
   either of your IP addresses
2) Put a load balancer box in front of your servers

Option 1 is very easy to implement: just put a second A record for  
your site in the dns zone configuration.  If you're using bind (which  
most people do), it'll resolve to both in rotation, sending roughly  
half your users to either server


Option 2 will cost you an extra box, and introduce a new single point  
of failure.


If you're on Windows Server, you could use NLB

I notice in the apache console there's a button "Connect" where you can
"connect to a remote server". Can that be used to access the htdocs on
Server 1 by apache web service on server 2?


I'm not familiar with an Apache Console.  Perhaps you are using an  
administration console someone else wrote?


Or even better, suggest the best way to lower some of the load on my web
server as the 2nd box (mysql server) is almost idle. I've installed apache on
it but don't know how to connect the two.


Same as above, assuming the MySQL box can see the net.

Alternatively, you may choose to split up your site and have certain  
portions handled by the MySQL box. For instance, use mod_proxy to  
send part of your traffic to the back-end, and/or running your  
application server there.


S.


--
Sander Temme
[EMAIL PROTECTED]
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF







Re: [EMAIL PROTECTED] Resolve issue

2007-05-12 Thread Sander Temme

Hey Glen,

On May 12, 2007, at 9:39 PM, Glen Vickers wrote:


Someone please tell me what I’m missing.  I need to get paid! lol


That's great, can we have some too? lol


Here's my resolv.conf

search buddistpalm.net
search sillumutah.com
search sillumutah.net
nameserver 192.168.1.10
nameserver 198.60.22.2 (ISP name server)


Are these two in agreement over the zone data?  Do you have your own  
definitions for those domains in your own DNS, or does it just query  
the root servers for that like (I assume) your ISP's DNS would?


From here:

[EMAIL PROTECTED] sctemme $ dig a buddistpalm.net.
<..>
;; ANSWER SECTION:
buddistpalm.net.         3582   IN  CNAME   shaolin.buddistpalm.net.
shaolin.buddistpalm.net. 3582   IN  A       199.104.125.190
<..>
[EMAIL PROTECTED] sctemme $ dig a sillumutah.com
<..>
;; ANSWER SECTION:
sillumutah.com.          3600   IN  CNAME   shaolin.sillumutah.com.
shaolin.sillumutah.com.  3600   IN  A       199.104.125.190
<..>

sillumutah.net does not resolve.


Here’s my hosts file

192.168.1.10   shaolin  buddistpalm.net sillumutah.com sillumutah.net localhost.localdomain localhost


What has precedence on your client machine?

Seems to work OK from here, if Sil Lum Utah is indeed a club of  
serious looking dudes in pajamas sporting hardware, and the other one  
has Tigger holding up an Under Construction sign.


Your Apache config looks good, although you didn't have to post the  
whole thing. The two VirtualHost declarations mean that all requests  
with a corresponding Host: header end up at the respective vhost, and  
requests that don't have a (matching) Host: header tend to land at  
the top one.


How the client got to your server is really between it and the DNS,  
or it and /etc/hosts if that has precedence. Apache has nothing to do  
with that, it just responds to whatever arrives on its doorstep,  
according to how the incoming requests express their destination  
(using the Host: header).


S.


--
Sander Temme
[EMAIL PROTECTED]
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF







Re: [EMAIL PROTECTED] Apache mods not working after upgrade...

2007-05-18 Thread Sander Temme
Hi Jan,

Jan van der Merwe wrote:

> I upgraded our Web Server from Fedora Core 2 to Fedora Core 6. This
> meant an upgrade for Apache from 2.0.54 - 2.2.3  After the upgrade
> Apache wouldn't start because of library problems, eg:
> 
> Starting httpd: httpd: Syntax error on line 209 of
> /etc/httpd/conf/httpd.conf: Syntax error on line 5 of
> /etc/httpd/conf.d/jk2.conf: Cannot load /etc/httpd/modules/mod_jk2.so
> into server: /etc/httpd/modules/mod_jk2.so: undefined symbol:
> apr_pool_get_parent

Sounds like a botched upgrade. In this case it looks like mod_jk2.so is
linked against a different version of APR than you ended up with.

Mod_jk2 is abandoned, and mod_jk is being replaced with mod_proxy_ajp in
the httpd core. Perhaps it wasn't upgraded properly because it's no
longer needed?

> There were also problems with mod_php, mod_ssl... In certain
> circumstances I could start mods by simple making soft links with ln to
> previous library names - this of course is a terrible solution :D

No.  You are right, that is a terrible solution.

> So, my question is: What is the quickest most painless way to fix this
> problem? mod_ssl is fairly important, is there a way to simply install
> the mod again with out having to remove HTTPd first?

Can't really speak to Red Hat's packaging policies and the (lack of)
dependency follow-through in the upgrade procedure.  Your best bet would
probably be to list all the RPM on which httpd and your other modules
depend, and make sure they were upgraded properly, and their
dependencies, etc.

Core 2 to Core 6 sounds like an enormous leap.  Personally I tend to be
suspicious of even a one version upgrade, and start with a clean install
 instead.  You might want to save yourself the pain involved with fixing
your broken OS and install from scratch. You can of course save stuff
like /etc/*most*, most of your httpd config (but look at the upgrade
instructions), site content etc. Just tar that up and move back onto the
new system judiciously.

S.





Re: [EMAIL PROTECTED] apr-util-1.2.8

2007-05-20 Thread Sander Temme


On May 20, 2007, at 1:59 PM, Christopher S Arnold wrote:

Hello! Not sure if this is the right list to ask this question but  
i did not see one for apr-util. Forgive me if this is not the right  
list.


Forgiven, but I don't think we can be of much help over here.

I am trying to install svn on my SLES10 box and have placed
apr-util-1.2.8 in the svn directory and run configure
--with-apr-util-1.2.8/configure and get this error from apr-util:


Look at the Subversion build instructions, they are pretty clear.   
Worked for me and if I can do it you certainly can.


If you're installing server side SVN with its Apache module, you  
probably want to use the APR and APR-Util that came with your web   
server installation.


S.

--
[EMAIL PROTECTED]    http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF







Re: [EMAIL PROTECTED] Blank page with Apache and PHP running

2007-05-23 Thread Sander Temme


On May 23, 2007, at 9:46 AM, Alexei wrote:


Is anybody out there that can help me out?


What does the error log say?

S.

--
Sander Temme
[EMAIL PROTECTED]
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF







Re: [EMAIL PROTECTED] Undefined symbol ap_run_http_method

2007-05-30 Thread Sander Temme

Sashi,

On May 30, 2007, at 12:54 PM, Malladi, Sasikanth wrote:


httpd: Syntax error on line 39 of /usr/local/apache2/conf/httpd.conf:
Cannot load /export/opt/SiteMinder/webagent5QMR7/lib/libmod_sm20.so
into server: ld.so.1: httpd: fatal: relocation error: file
/export/opt/SiteMinder/webagent5QMR7/lib/libmod_sm20.so: symbol
ap_run_http_method: referenced symbol not found


This hook was renamed to ap_hook_http_scheme in 2.2.  It looks like  
you're running an Apache 2.2 server using an Apache 2.0 module, and  
it calls ap_http_method() which is a #define for that hook to run.


Even if there was no symbol conflict, the 2.2 server would refuse to  
load the 2.0 module at a later point in the server startup cycle.



How do I fix this?


Ask Netegrity for an Apache 2.2 compatible module, or downgrade  
(unfortunately) to Apache 2.0.


S.

--
Sander Temme
[EMAIL PROTECTED]
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF







Re: [EMAIL PROTECTED] WAMP stack

2007-05-31 Thread Sander Temme

Nat,

On May 31, 2007, at 11:34 AM, Nat Colley wrote:

That should really do the trick.  However, you mentioned before that  
your client arrives at the wrong virtual host, so we'll need to find  
out what exactly happens and why.



# Use name-based virtual hosting.
#
NameVirtualHost *:80
#VirtualHost example:
# Almost any Apache directive may go into a VirtualHost container.
# The first VirtualHost section is used for all requests that do not
# match a ServerName or ServerAlias in any <VirtualHost> block.

ServerAdmin [EMAIL PROTECTED]
DocumentRoot /www/webapps/wordpress
ServerName mydomain1.com
ServerAlias www.mydomain1.com
ErrorLog logs/mydomain1.com-error_log
CustomLog logs/mydomain1.com-access_log common



As it says above, the first virtual host in the list is a special  
beast because it receives HTTP requests that don't match any virtual  
hosts in the list.  Matching is done through the Host: header that  
the browser sends, which is in turn filled in by the browser with the  
hostname you typed into its Location bar.


Apache will serve any request that arrives, and anything that is not  
matched to a particular virtual host will be served by the first one  
in the list.


To make a match, you'll need to make sure that you type the correct  
hostname into the browser, and that your system is set up to resolve  
that hostname to the correct IP address.  You can do this through DNS  
or through a local HOSTS file on your system, but that kind of falls  
outside the scope of this list.




ServerAdmin [EMAIL PROTECTED]
DocumentRoot /www/webapps/joomla
ServerName mydomain2.com
ServerAlias www.mydomain2.com
ErrorLog logs/mydomain2.com-error_log
CustomLog logs/mydomain2.com-access_log common




> > notice that in this configuration he has changed
> the files the web is served
> > content from htdocs to something else, and further
> aliased that to yet
> > another directory where the applications are. So
> mydomain1 and mydomain2
> > both go to the same page, and mydomain1/app2 comes
> up even though app2 is
> > supposed to be the content for mydomain2. I asked


I'm not really seeing that in the configuration above. It looks like  
your DocumentRoot is /www/webapps/wordpress and /www/webapps/joomla  
respectively, which are perfectly separate. These may be symbolic  
links to somewhere else on the file system level, but we can't see  
that from here and if you have Options FollowSymLinks there's no  
problem with that.


The only problem with a forest of symbolic links is that it becomes  
hard to see the trees... better to keep things simple, and in the  
case of the above you might change DocumentRoot to the actual  
location of the content, and put in an appropriate <Directory> block  
to control access.


S.

--
Sander Temme
[EMAIL PROTECTED]
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF
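
The Host: header matching described in this reply, and in the earlier "Resolve issue" reply, can be modelled in a few lines to check which names a client might use will silently land on the first virtual host. This is an added example and a simplified model, not Apache's code: it assumes every virtual host listens on the same address and port, approximates ServerAlias wildcards with fnmatch, and reuses the host names and paths quoted in the two threads as sample input.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class VHost:
    server_name: str
    document_root: str
    aliases: list = field(default_factory=list)


def normalise(host_header):
    """Lower-case the Host: value and drop the port and any trailing dot."""
    host = host_header.strip().lower()
    if host.startswith("[") and "]" in host:      # IPv6 literal such as [::1]:80
        host = host[1:host.index("]")]
    elif host.count(":") == 1:
        host = host.split(":", 1)[0]
    return host.rstrip(".")


def _matches(vh, host):
    """True if host equals the ServerName or matches a ServerAlias pattern."""
    if host == vh.server_name.lower():
        return True
    return any(fnmatchcase(host, alias.lower()) for alias in vh.aliases)


def select_vhost(vhosts, host_header):
    """Return the vhost that serves a request carrying this Host: header."""
    if host_header:
        host = normalise(host_header)
        for vh in vhosts:                         # configuration order
            if _matches(vh, host):
                return vh
    return vhosts[0]                              # no match: first vhost wins


def falls_through(vhosts, hostnames):
    """Names that reach the first vhost only because nothing matched them."""
    return [name for name in hostnames
            if not any(_matches(vh, normalise(name)) for vh in vhosts)]


# The two virtual hosts quoted in the thread, in configuration order.
VHOSTS = [
    VHost("mydomain1.com", "/www/webapps/wordpress", ["www.mydomain1.com"]),
    VHost("mydomain2.com", "/www/webapps/joomla", ["www.mydomain2.com"]),
]

if __name__ == "__main__":
    for header in ("www.mydomain2.com", "MyDomain2.com:80", "192.168.1.10", None):
        print(repr(header), "->", select_vhost(VHOSTS, header).document_root)
    print("fall through:", falls_through(VHOSTS, ["shaolin", "mydomain1.com"]))
```

Any name reported by `falls_through` needs either a ServerAlias entry or a fix on the DNS/hosts side, otherwise it is answered with the first virtual host's content.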







Re: [EMAIL PROTECTED] Tomcat + htaccess

2007-06-11 Thread Sander Temme


On Jun 10, 2007, at 11:30 AM, reym wrote:



Hi All,

I am trying to use a .htaccess file with tomcat, so that when a user types
in http://mywebsite.com in their browser, they will get directed to
https://mywebsite.com

it's not working :( what am i doing wrong??


Does Tomcat, the Application Server, read and process .htaccess  
files?  I always thought they were a construct unique to the Apache  
HTTP Server.


I'm sure Tomcat has ways to do per-directory configuration, but  
you'll have to read its documentation or refer to its support list.


S.


Please advise. Thank you for your time, and thanks in advance. I look
forward to hearing from you someone soon.

Kind regards,
reym






--
Sander Temme
[EMAIL PROTECTED]
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF







Re: [EMAIL PROTECTED] Apache ssl certs

2007-06-11 Thread Sander Temme


On Jun 11, 2007, at 12:42 PM, Kirthi Narayan wrote:

When i browse for https i get certification error. Could any one  
guide me on this.


./openssl rsa -in privkey.pem -out new.cert.key
./openssl x509 -in new.cert.csr -out new.cert.cert \
-req -signkey new.cert.key -days 999


When you say 'certification error' do you mean that your browser does  
not recognize the entity that signed the certificate?  That is to be  
expected since you generated a self-signed certificate.  Unless you  
install the certificate in your browser (Accept Permanently or  
whatever the equivalent is for your browser), you'll get this every  
time and it is essentially harmless.


S.

--
Sander Temme
[EMAIL PROTECTED]
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF







Re: [EMAIL PROTECTED] Apache ssl certs

2007-06-11 Thread Sander Temme


On Jun 11, 2007, at 1:12 PM, Kirthi Narayan wrote:




This is the following error I am getting; I have given the CN name
as the same system hostname.

Mismatched address
The security certificate was issued for a different website
address

The problem may indicate an attempt to fool you or intercept any data you
send to the server.

We recommend you close the web browser


When your browser makes an SSL connection, it checks the Common Name  
field of the Distinguished Name string in the certificate and  
compares that against the hostname you typed into the browser  
location bar. If those two don't match, you get that error message.


For instance, if you gave a hostname when your openssl req call asked  
for Common Name information, but you're accessing your server by IP  
address the browser will conclude that the two don't match.


Again totally harmless in a testing situation, but as Joshua reminds  
us would greatly diminish the trust your users could be expected to  
place in your production server.  I recommend that you have your  
hostname setup sorted out before you pay money for a certificate.


S.

--
Sander Temme
[EMAIL PROTECTED]
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF







Re: [EMAIL PROTECTED] RE: Load Balancer Results in File Does Not Exist Errors

2007-06-13 Thread Sander Temme


On Jun 13, 2007, at 6:09 AM, Stuart, Ed wrote:


So how do we modify the config files to correct this?


Pull the language that forwards /appname requests to WebSphere into  
the plaintext virtual host, or into the main server config if you  
don't have a virtual host to handle plaintext requests.


S.

--
Sander Temme
[EMAIL PROTECTED]
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF







Re: [EMAIL PROTECTED] Can't view SSL-enabled pages using Firefox

2007-06-13 Thread Sander Temme


On Jun 6, 2007, at 12:37 PM, Salcedo, Simon wrote:

I recently installed SSL certificates on our Apache 2.0 server.   
Prior to that, I have been successful in viewing our pages via  
Firefox and Internet Explorer.  After installing the certificates,  
I can still view the pages using IE, not with Firefox.  I am  
getting a connection timeout error message.  Any ideas on what may  
be happening here?


No, no idea.

What does the error log say?  And what does the error log of the SSL  
vhost say when you crank its log level up to debug?


S.

--
Sander Temme
[EMAIL PROTECTED]
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF







Re: [EMAIL PROTECTED] setting MaxClients locally?

2007-06-13 Thread Sander Temme
Tony Stevenson wrote:
> An alternative to changing all your links, could be for you to use
> reverse proxy.
> 
> i.e.
> 
>ProxyPass / http://localhost:8080/
>ProxyPassReverse / http://localhost:8080/
> 
> 
> This way you could ensure that the change is transparent to the end
> user, and they remain on your server under your control.
> However doing it this way you will only limit connections from the front
> end server to the back end server.

And you'll be serving up 502s once that back-end httpd has all its
twenty children tied up.  Is that what you want?  You might consider
cutting excess access off at the network layer, by limiting the number
of concurrent connections from any given IP to a
large-but-not-destructive number.

S.




Re: [EMAIL PROTECTED] Can't view SSL-enabled pages using Firefox

2007-06-13 Thread Sander Temme


On Jun 13, 2007, at 10:08 AM, Salcedo, Simon wrote:

The apache logs do not even show that any kind of connection between my
web server and the PC running FF.  I am looking at the access_log and
the error_log.

Please tell me how to change the log level to debug.


http://httpd.apache.org/docs/2.2/mod/core.html#loglevel

Raise it to debug and mod_ssl will give you dumps at the BIO level.   
More info than you want, but you should see what goes on before the  
server gets to speak HTTP.


S.

--
Sander Temme
[EMAIL PROTECTED]
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF







Re: [EMAIL PROTECTED] Can't view SSL-enabled pages using Firefox

2007-06-13 Thread Sander Temme


On Jun 13, 2007, at 12:25 PM, Salcedo, Simon wrote:

OK...I made a small step forward.  Turned LogLevel to debug and had this
entry in my error_log, before it closed connection with the requesting
PC:

[Wed Jun 13 14:09:58 2007] [info] SSL Library Error: 336187530
error:1409D08A:SSL routines:SSL3_SETUP_KEY_BLOCK:cipher or hash
unavailable


Sounds as if the client does not offer any CipherSuites that the  
server recognizes. Comment out SSLCipherSuite


http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslciphersuite

and go with the default, then narrow it down from there.

S.

--
Sander Temme
[EMAIL PROTECTED]
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF







Re: [EMAIL PROTECTED] Can't view SSL-enabled pages using Firefox

2007-06-14 Thread Sander Temme







--
Sander Temme
[EMAIL PROTECTED]
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF







Re: [EMAIL PROTECTED] Security settings in apache

2007-06-17 Thread Sander Temme

Hey Makhan,

On Jun 17, 2007, at 5:47 PM, makhan wrote:

Thanks man, I did just that, but I am not getting anything in my browser,
even running simple commands like date or dir isn't working. I think there
is something wrong with my php. What it is I can't find out.


You need to go to a PHP support forum or mailinglist.  Asking the  
Apache list for help on PHP is a waste of your time, because this is  
simply not where the experts are.


S.

--
Sander Temme
[EMAIL PROTECTED]
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF







Re: [EMAIL PROTECTED] build mod_ssl with Apache 2.2.4

2007-06-18 Thread Sander Temme


On Jun 18, 2007, at 9:12 AM, Kader Ben wrote:


Could someone tell me what I'm missing?


What operating system? /export/home suggests Solaris. x86 or Sparc?  
Which compiler, gcc or Sun Workshop?


Also, could you paste us the line immediately preceding the error?

S.

--
Sander Temme
[EMAIL PROTECTED]
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF







Re: [EMAIL PROTECTED] Does Apache Support Piped Logs On Windows Platform

2007-06-28 Thread Sander Temme

Frank,

On Jun 28, 2007, at 9:22 AM, Frank Misa wrote:

I've seen many references to Apache issues with logging to piped  
processes on the forums;  but no clear answer on whether this is  
supported or not.

Can someone here please confirm -- Yes/No...
Do the latest versions of Apache 2.0.x  OR Apache 2.2.x support  
piped logs on Windows ?


Piped logs are currently effectively broken on Windows, due to the  
way we do or don't pass valid file descriptors to the called process  
for stdout and stderr.  Others more knowledgeable than myself can  
elucidate on this more eloquently than I can.


We're trying to fix it, but that hasn't happened so far.  If you want  
to rotate your log files, the best approach is currently to rename  
them and then send your httpd service a restart signal using


\path\to\httpd -n Apache2 -k restart

with the name of the Windows Service as argument to the -n  
parameter.  You can script this in any language that pleases you, and  
run it periodically in the Windows Scripting Host.


>>SecAuditLog "|C:/Perl/bin/perl.exe C:/fmm/ApacheSSL224/bin/modsec-auditlog-collector.pl"


I haven't reviewed mod_security to this extent but does it use the  
Apache logging APIs?  Or does it do its own thing?


S.

--
Sander Temme
[EMAIL PROTECTED]
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF







Re: [EMAIL PROTECTED] Two sessions or one session when connect to two load-balanced webServers?

2007-06-28 Thread Sander Temme


On Jun 28, 2007, at 10:23 AM, Qingshan Xie wrote:


I have two questions on Sessions and Connections.

1. If a browser sends multiple requests and
establishes Two Connections with an Apache server, how
many sessions it will be generated, one or two?


The answer is None. HTTP is stateless, and Apache does not generate  
sessions.


Perhaps your back-end application does preserve state in some way, by  
generating session cookies or encoding session information into the URL.


In the latter case, the browser should send the session cookie along  
with the second request, or access session-encoded URLs to load  
additional resources (images, JavaScript, ...).  Such secondary  
requests are always based on information obtained from the first  
request, even if they appear to occur simultaneously.


Use HTTPWatch or IEWatch to find out what exactly happens when your  
browser makes a request, and what cookies get passed back and forth.



2. If a browser sends multiple HTTPS requests to two
load-balanced Apache servers, how many sessions will
be generated?  I guess it will generate at least two
sessions with two different sessionKeys, sessionIDs.
If this is true, will there be a session conflict
occurring?


HTTPS is HTTP piped over SSL. At the HTTP protocol level, the answer  
is exactly the same as above.


At the SSL level, an SSL session is generated and likely re-used for  
subsequent requests IF you have SSL Session Caching set up  
correctly.  However, this is completely transparent to the protocol  
on top of SSL and has no impact on the state of your application.


To troubleshoot session problems, load up IEWatch or HTTPWatch or  
some other protocol inspection tool and look at things like:


1) What cookies get set by the server in the initial response?
2) What path value comes with the session cookie?
3) Does the cookie get passed back to the server by subsequent requests?
4) Does the server respect the cookie from 3), or does it try to set a new
   session cookie?

Once again, this is application level troubleshooting, and has little  
to do with Apache itself.


Regards,

Sander

--
Sander Temme
[EMAIL PROTECTED]
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF
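
The four checks listed in the message above, run over a captured exchange, as an added example (not code from the thread). The cookie name SID, the URLs and the capture itself are constructed; the capture models two load-balanced back ends that do not share session state.

```python
from http.cookies import SimpleCookie


def jar_from(headers, header_name):
    """Collect all cookies carried by the named header (case-insensitive)."""
    jar = SimpleCookie()
    for name, value in headers:
        if name.lower() == header_name:
            jar.load(value)
    return jar

def path_match(request_path, cookie_path):
    """RFC 6265 path-match: /app covers /app/x but not /application."""
    return request_path == cookie_path or (
        request_path.startswith(cookie_path) and (
            cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"))

def audit_session(exchanges, session_name):
    """exchanges: [(url_path, request_headers, response_headers), ...]."""
    first_url, _, first_resp = exchanges[0]
    issued = jar_from(first_resp, "set-cookie")
    report = {"set_in_first_response": sorted(issued),   # check 1
              "session_path": None,                      # check 2
              "not_returned": [],                        # check 3
              "reissued": []}                            # check 4
    if session_name not in issued:
        return report
    # No Path attribute: the browser defaults to the request's directory.
    path = issued[session_name]["path"] or first_url.rsplit("/", 1)[0] or "/"
    report["session_path"] = path
    for url, req, resp in exchanges[1:]:
        sent = jar_from(req, "cookie")
        if session_name not in sent:
            if path_match(url, path):         # browser should have sent it
                report["not_returned"].append(url)
            continue
        new = jar_from(resp, "set-cookie").get(session_name)
        if new is not None and new.value != sent[session_name].value:
            report["reissued"].append(url)    # server ignored the session
    return report

# Constructed capture: (url, request headers, response headers) per exchange.
CAPTURE = [
    ("/app/login", [], [("Set-Cookie", "SID=A1; Path=/app")]),
    ("/app/cart", [("Cookie", "SID=A1")], []),
    ("/static/logo.png", [], []),   # outside Path=/app, so no cookie expected
    ("/app/pay", [("Cookie", "SID=A1")], [("Set-Cookie", "SID=B7; Path=/app")]),
    ("/app/done", [], []),
]
```

On this capture the report flags /app/pay as a reissued session and /app/done as a request that should have carried the cookie, while the cookie-less /static/logo.png request is correctly ignored because it lies outside the cookie's path.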







Re: [EMAIL PROTECTED] Problem Getting Apache2 script to run

2007-06-29 Thread Sander Temme

Robert,

On Jun 29, 2007, at 11:02 AM, Robert A. Rawlinson wrote:

I have Apache2 set up and running on a system I only use for  
testing. In trying to access a script that is an html and only  
points to a Perl script. When it reaches the Perl script I get this  
message:
You have chosen to open filename.pl which is a perl script from  
--- What should I do with this file?


I assume you want the script to Execute on the server, instead of  
having the server send it to you as text?


Look at ScriptAlias and Options ExecCGI.  Also, make sure that your  
#! paths, associations etc. are set correctly on the server.  I have  
no clue but ActiveState has some good docs on that.


S.

--
Sander Temme
[EMAIL PROTECTED]
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF







Re: [EMAIL PROTECTED] Apache using AD authentication

2007-06-29 Thread Sander Temme


On Jun 29, 2007, at 11:33 AM, Mauricio Cavalcanti wrote:


installed apr and apr-util (tgz)


Was apr-util compiled with LDAP support?  That's not on by default.   
APR-util has to be compiled with --enable-ldap and if you use the  
bundled apr-util, it'll be passed that flag from httpd ./configure.



httpd-2.2.4:
./configure \
--prefix=/usr/local/httpd-2.2.4 \
--enable-so \
--enable-cgi \
--enable-info \
--enable-rewrite \
--enable-speling \
--enable-usertrack \
--enable-deflate \
--enable-ssl \
--enable-mime-magic \
--enable-authnz-ldap \
--enable-ldap \
--with-apr-util=/usr/local/apr-util

<..>
I tried to find where I can get or how I can create the modules
mod_auth_ldap.so and util_ldap.so, but I didn't find any info about it.


Looking through your ./configure output for httpd, what does it say  
when it tries to enable the LDAP stuff?


According to the above you're using the bundled apr and an external  
apr-util.  That just seems like it'll all end in tears.


S.

--
Sander Temme
[EMAIL PROTECTED]
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF







Re: [EMAIL PROTECTED] Hardware Based Apache Cluster - help!

2007-07-13 Thread Sander Temme


On Jul 12, 2007, at 5:49 PM, Matt M. wrote:


Hi,

I've got a small cluster (5) of Apache servers. I've got lots of  
questions about this but I'll just start with one for now! :)


It's a hardware balancer.

I'm wondering if I can sym link each Apache "conf" directory to the  
shared NFS mount:


Sure! Make sure that you put the server-specific files on a local  
mount, like PidFile, ErrorLog etc., and any lock/mutex file. NFS  
doesn't do well for those because of locking problems.


It would allow me to have one set of config files for easier  
maintenance. I've tried sharing the conf/httpd.conf file and it  
seems to work fine. I was curious about the ServerName though,  
should it be the server name of the balancer, or the actual name of  
the node?


That should be the hostname of the web site you're serving.  In any  
case, with the default setting of UseCanonicalName (Off in 2.2), it  
doesn't really matter because Apache will use the Host: header from  
the client as input.


S.

--
Sander Temme
[EMAIL PROTECTED]
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF







Re: [EMAIL PROTECTED] installing Apache under X86_64 Linux

2007-07-13 Thread Sander Temme


On Jul 13, 2007, at 8:51 AM, Octavian Rasnita wrote:

Please tell me, should I do something special other than using the
defaults for compiling and installing Apache 2.2 under SuSE Linux
X86_64?
I have installed it and it works, but I am not able to install
mod_perl, and perl appears to be installed correctly with support
for 64 bit machines.


What goes wrong?

S.

--
Sander Temme
[EMAIL PROTECTED]
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF







Re: [EMAIL PROTECTED] Apache Tomcat Load Balancing

2007-07-16 Thread Sander Temme

Nehal,

On Jul 15, 2007, at 9:22 AM, Sangoi, Nehal (Gexpro, consultant) wrote:

<..>


worker.loadbalancer.balanced_workers=worker1,worker2

And, in httpd.conf

JkMount /servlet/* loadbalancer



I have another application that also needs to be load balanced  
using worker3 and worker4. Hence, how can I include the same in my  
existing configuration of loadbalancer in worker.properties file?


Can't you just define worker3 and worker4, and then define a new  
balancer?


worker.worker3.port=...
...
worker.worker4.port=...
...
worker.balancer2.type=lb
worker.balancer2.balanced_workers=worker3,worker4

and

JKMount /servlet2/* balancer2

Not tested, but that's how I'd approach this.

S.

--
Sander Temme
[EMAIL PROTECTED]
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF







Re: [EMAIL PROTECTED] im stuck, plz help...

2007-08-06 Thread Sander Temme

Harvey,

On Aug 6, 2007, at 2:58 PM, Harvey Saayman wrote:

Should I then configure the Listen directive to "Listen
255.255.255.255:80"?...


If you use "Listen 80", Apache will bind to all IP addresses on the  
box, whatever those happen to be.


I assume if this is the case I have to change this IP every time I
dial cuz the IP is dynamic? This isn't a permanent thing... I just
need to get it working before I spend money on a fast line and a
proper server


Yes, if you bind to a specific IP address, you'll have to change that
and restart your httpd service every time the IP changes on your
dial-up line.


We just switched over our gateway to Mandriva 2007 Spring Free Linux
over the weekend and set it up to dial and file share over our home
network... I can't seem to locate my internet IP... how can I get it
from my Linux gateway?


That doesn't really touch the Apache service so it falls outside the  
scope of this list, but it should be the IP address on your ppp0  
interface.  ifconfig -a on the Linux box should tell you.


Are you running Apache on the Linux box or on your own Windows  
station behind the gateway?  In the latter case you'll need a port  
forward from the Linux router to your Windows box to make your Apache  
server visible from the Internet.  Again, outside the scope of this  
list, but you should be able to Google for a Howto document.


And how exactly do I get a DNS set up? I have "BIND DNS server"
installed on my Linux gateway... will this sort out my DNS problem?


Only if you configure it and use it.  This stuff has a steep learning  
curve, but the advantage of this is that you get to learn a lot in a  
very short time!


Once again, setting up a DNS service falls outside the scope of this  
list.  However, what I do for my home network is I have bind running  
on my server (running FreeBSD, but Linux is also a great choice), and  
my DHCP service tells all clients to use that server as DNS.  I have  
defined a Zone for my local network, using a fictional domain name  
and giving all boxes a name that maps onto their IP address.  I have  
also configured bind to go directly to the Root servers for queries  
outside my network, so the clients can see the whole Internet and are  
not stuck on my local domain.  Of course if you are just  
experimenting locally, you could start with simple HOSTS files on  
your local network to give names to machines.


On my bookshelf are copies of:

* TCP/IP Network Administration by Craig Hunt

http://www.amazon.com/dp/0596002971?tag=sandersweblog-20&camp=14573&creative=327641&linkCode=as1&creativeASIN=0596002971&adid=0E7CWE859MK4BF0GB65T&


* DNS & Bind by Cricket Liu and Paul Albitz

http://www.amazon.com/dp/0596100574?tag=sandersweblog-20&camp=0&creative=0&linkCode=as1&creativeASIN=0596100574&adid=1VEJXZGT2CE4BQTAGKFK&


* The Unix Systems Administration Handbook

http://www.amazon.com/dp/0130206016?tag=sandersweblog-20&camp=14573&creative=327641&linkCode=as1&creativeASIN=0130206016&adid=1CQ73RXJTDMQGCZQZJC1&


* Apache: The Definitive Guide

http://www.amazon.com/dp/0596002033?tag=sandersweblog-20&camp=14573&creative=327641&linkCode=as1&creativeASIN=0596002033&adid=10H3WE4SXZ1Q1KP9E8E8&


... and many more.

S.

--
Sander Temme
[EMAIL PROTECTED]
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF







Re: [EMAIL PROTECTED] Problem while installing mod_proxy_html via apxs

2007-08-12 Thread Sander Temme


On Aug 12, 2007, at 11:15 AM, [EMAIL PROTECTED] wrote:

I'm on Debian Etch with the Apache Debian package installed, and I'm trying
to install mod_proxy_html with the following command:


apxs -c -I/usr/include/libxml2/libxml/ -i mod_proxy_html.c


As Vincent already mentioned, this module does not work with 1.3.  Do  
yourself a favor and upgrade to 2.2, which comes with a much more  
modern mod_proxy.


S.

--
Sander Temme
[EMAIL PROTECTED]
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF







Re: [EMAIL PROTECTED] Please Help

2007-08-12 Thread Sander Temme


On Aug 12, 2007, at 10:46 PM, Shakeel Ahmad wrote:

But still when I try to open http://localhost or http://127.0.0.1 it
continuously searches but doesn't show any page or error.


Perhaps you have a firewall that blocks access to httpd?

Please don't repeat questions if there is no immediate answer.  Many  
of us don't check e-mail as often during the weekend.


S.

--
Sander Temme
[EMAIL PROTECTED]
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF







Re: [EMAIL PROTECTED] Apache 2.4 & Tomcat 6 (JBoss 4.2)

2007-08-13 Thread Sander Temme


On Aug 13, 2007, at 1:57 PM, Tony Anecito wrote:


I cannot get Apache 2.4 to communicate via ajp 1.3 to
Tomcat 6 (inside JBoss 4.2.1 GA). I can communicate
from Apache 2.4 (the same Apache install) to JBoss
4.0.5 GA which uses Tomcat 5.x. I am using Windows
2000 Professional and web services inside of Tomcat.

Any ideas?


What are the differences in configuration?  Is the other Tomcat  
running on a different port? Does the newer Tomcat have an ajp13  
listener running? Which module are you using?  What configuration  
have you tried?


And, last but certainly not least:

What does the error log say?

S.

--
Sander Temme
[EMAIL PROTECTED]
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF




