Re: [users@httpd] ReverseProxy Exchange 2013

2014-02-17 Thread Thomas Eckert
> So i finally got apache2-devel installed... However, when running
> ./configure for mod_proxy_msrpc, i get an error due to the absence of
> ap_socache.h. It appears this file is included in apache 2.4. Now, will
> mod_proxy_msrpc only work in apache 2.4? If not, can i just get the
> ap_socache.h file and copy it to the correct folder and it work or will
> this break things?

I really doubt that will do you any good. Since mod_proxy_msrpc was
developed against 2.4 you will need httpd-2.4.x to (compile and) run it.
With lower versions it's sure to break at some point so don't bother. So
far we haven't done any backport and I don't think we will.


On Mon, Feb 17, 2014 at 12:36 AM, Chris Arnold
wrote:

> >Chris, if you encounter any issues with mod_proxy_msrpc please report
> them at https://github.com/bombadil/mod_proxy_msrpc/issues. Note that
> OAB, OWA, Autodiscover, ActiveSync, etc. all use "normal" HTTP/S (and not
> MSRPC like OA) so they should work without mod_proxy_msrpc. There is an
> open issue with Ex2013 (
> https://github.com/bombadil/mod_proxy_msrpc/issues/14) which I hope to
> get some time for next week.
>
> So i finally got apache2-devel installed... However, when running
> ./configure for mod_proxy_msrpc, i get an error due to the absence of
> ap_socache.h. It appears this file is included in apache 2.4. Now, will
> mod_proxy_msrpc only work in apache 2.4? If not, can i just get the
> ap_socache.h file and copy it to the correct folder and it work or will
> this break things?
>


Re: [users@httpd] ReverseProxy Exchange 2013

2014-02-16 Thread Thomas Eckert
Chris, if you encounter any issues with mod_proxy_msrpc please report them
at https://github.com/bombadil/mod_proxy_msrpc/issues. Note that OAB, OWA,
Autodiscover, ActiveSync, etc. all use "normal" HTTP/S (and not MSRPC like
OA) so they should work without mod_proxy_msrpc. There is an open issue
with Ex2013 (https://github.com/bombadil/mod_proxy_msrpc/issues/14) which I
hope to get some time for next week.



On Sun, Feb 16, 2014 at 1:41 AM, Chris Arnold
wrote:

> >Chris, are you trying to use webmail or Outlook Anywhere (or both)?
> >I have heard the RPC module works but never used it myself.
> >As for OWA, I will try it on one of my systems and see what happens.
>
> Hey Yehuda,
>
> Both. I will also need OAB and all the other things that come with
> exchange 2013. I will give the msrpc module a try and report back. I would
> like to hear your results also.
>


Re: [users@httpd] port redirecting mapping

2014-02-13 Thread Thomas Eckert
The problem with your vhost is that it responds to requests on port 80 and
if a request hits your server on port 3030 that vhost is simply not used.
That's what ** does. Can't help you with the Rewrite
stuff, I've kept my distance from it so far. You would need someone else to
look over that, in case you still wanted to use it.


On Thu, Feb 13, 2014 at 11:24 AM, Varun Bhuvanendran <
varun.bhuvanend...@gmail.com> wrote:

> Thomas
> This was what i am looking for. Thanks Thomas.
> what i was trying to do is, allow access to http://domain_name,
> if a request like http://domain_name:3030 comes it should be
> redirected/mapped to another link. From the above help i could
> redirect a request with :3030 to http://domain_name
>
> I tried the RewriteRule with the intention to replace the :3030 with 80
> from the url http://domain_name:3030 like this
> **
>
>
> RewriteEngine on
> RewriteCond %{QUERY_STRING} ^(.*):3030(.*)$
> RewriteRule ^(.*)$ $%?:80% [L,R=301]
> **
> this seems not working. Is there any syntax error or something. Does this
> rewrite part be inside <VirtualHost *:3030> ... </VirtualHost>
>
>
>
> On Thu, Feb 13, 2014 at 3:16 PM, Thomas Eckert <
> thomas.r.w.eck...@gmail.com> wrote:
>
>> I'm confused as to what your setup and intention is. From your original
>> message I assumed you were talking about a "normal" server but your
>> configuration example looks like a
>> reverse proxy. Also, I assumed you wanted requests to
>> http://domain_name:3030/ to be redirected but then you said *all*
>> requests to port 3030.
>>
>> Does this suit your problem ?
>>
>> Listen 10.10.10.10:3030 http
>> 
>>   ServerName my_redirect_host
>>   Redirect permanent / http://domain_name/
>> 
>>
>>
>> On Mon, Feb 10, 2014 at 2:57 PM, varun wrote:
>>
>>>  I am trying to redirect a link with a port number to another link. I
>>> had tried this with the intention
>>> that all requests ending with :3030/ should be mapped to
>>> http://domain_name/
>>>
>>>* *
>>> Order allow,deny
>>> Allow from all
>>> **
>>> ProxyPass :3030/ http://domain_name/
>>> ProxyPassReverse :3030/ http://domain_name/
>>> This is not working, as a request like http://domain:3030 is not
>>> redirecting.
>>>
>>> But when i tries
>>> ProxyPass / http://domain_name:3030/
>>> ProxyPassReverse / http://domain_name:3030/
>>> A request like this http://domain_name redirects
>>> to http://domain_name:3030
>>>
>>> Also tries "Redirect"
>>> Redirect :3030 http://domain_name
>>>
>>> rewrite_module is enabled.
>>>
>>> Is there any config error or the approach is bad.
>>>
>>>
>>> On Monday 10 February 2014 06:21 PM, Thomas Eckert wrote:
>>>
>>>   Assuming you have a working config for a server/vhost on
>>> domain_name:3030, then how about
>>>   Redirect permanent / http://domain_name:3000/
>>> ? See http://httpd.apache.org/docs/current/mod/mod_alias.html#redirect and
>>> friends.
>>>
>>>  "Restricted" access is a bit vague but
>>> http://httpd.apache.org/docs/current/howto/access.html is a good start.
>>>
>>>
>>>
>>> On Mon, Feb 10, 2014 at 12:58 PM, varun wrote:
>>>
>>>>  Is it possible to redirect a request for one port to another one.
>>>> Say a request like http://domain_name:3030 be accepted and
>>>> redirected/mapped, so that the server should be able to process the
>>>> request like http://domain_name:3000. And
>>>> a direct request like http://domain_name:3000
>>>> should be restricted.
>>>> Is there any modules, directive in apache. I am new to apache. On
>>>> Ubuntu 12.04.
>>>>
>>>
>>>
>>> --
>>> kind regards
>>> varun <http://varun.bounceme.net/>
>>>
>>
>>
>
>
> --
> kind regards
> varun <http://varun.bounceme.net>
>
>


Re: [users@httpd] port redirecting mapping

2014-02-13 Thread Thomas Eckert
I'm confused as to what your setup and intention is. From your original
message I assumed you were talking about a "normal" server but your
configuration example looks like a
reverse proxy. Also, I assumed you wanted requests to
http://domain_name:3030/ to be redirected but then you said *all* requests
to port 3030.

Does this suit your problem ?

Listen 10.10.10.10:3030 http

  ServerName my_redirect_host
  Redirect permanent / http://domain_name/



On Mon, Feb 10, 2014 at 2:57 PM, varun  wrote:

>  I am trying to redirect a link with a port number to another link. I had
> tried this with the intention
> that all requests ending with :3030/ should be mapped to
> http://domain_name/
>
>* *
> Order allow,deny
> Allow from all
> **
> ProxyPass :3030/ http://domain_name/
> ProxyPassReverse :3030/ http://domain_name/
> This is not working, as a request like http://domain:3030 is not
> redirecting.
>
> But when i tries
> ProxyPass / http://domain_name:3030/
> ProxyPassReverse / http://domain_name:3030/
> A request like this http://domain_name redirects
> to http://domain_name:3030
>
> Also tries "Redirect"
> Redirect :3030 http://domain_name
>
> rewrite_module is enabled.
>
> Is there any config error or the approach is bad.
>
>
> On Monday 10 February 2014 06:21 PM, Thomas Eckert wrote:
>
>   Assuming you have a working config for a server/vhost on
> domain_name:3030, then how about
>   Redirect permanent / http://domain_name:3000/
> ? See http://httpd.apache.org/docs/current/mod/mod_alias.html#redirect and
> friends.
>
>  "Restricted" access is a bit vague but
> http://httpd.apache.org/docs/current/howto/access.html is a good start.
>
>
>
> On Mon, Feb 10, 2014 at 12:58 PM, varun wrote:
>
>>  Is it possible to redirect a request for one port to another one.
>> Say a request like http://domain_name:3030 be accepted and
>> redirected/mapped, so that the server should be able to process the
>> request like http://domain_name:3000. And a
>> direct request like http://domain_name:3000
>> should be restricted.
>> Is there any modules, directive in apache. I am new to apache. On Ubuntu
>> 12.04.
>>
>
>
> --
> kind regards
> varun <http://varun.bounceme.net/>
>


Re: [users@httpd] Re: reverse proxy choice to origin servers: https->https or https->http

2014-02-13 Thread Thomas Eckert
If you use httpd as reverse proxy then clients will perform SSL handshakes
with your reverse proxy. In SSL there is no distinction between decrypting
the HTTP headers only or decrypting the full HTTP request - it's simply
"payload" and it will be decrypted as a whole. If you want to understand
how all of this works I suggest reading up on it as this list is simply the
wrong place for it.

I suggest you use the reverse proxy as suggested in the docs and do not
worry about whether the body is decrypted or not. Unless you have specific
reasons for it, you simply shouldn't care. Just give it a try.


On Mon, Feb 10, 2014 at 3:15 PM, Jakub Moscicki wrote:

>
>   Is it true that if proxy is setup https->http then it only has to
>  decrypt/encrypt the headers and the body is encrypted/decrypted on the
> backend?
>  What ? Eh, no. If you configure your frontend with https and your
> backends with http, then you just told apache to NOT use SSL between
> mod_proxy and the backend servers. Only your frontends will do SSL
> handshakes in this setup. That's pretty much SSL Offloading, maybe you got
> that confused ?
>
>
>  Sorry, it was a typo of course. I mean: https->https. So if a proxy
> forwards https to the backend which accepts https - then would the proxy
> decrypt the headers only or the entire request? I am adding cookies at the
> proxy for stickyness so the proxy must be handling the headers.
>
>  In my case http at the backend could be an option inside a trusted
> network.
>
>  kuba
>
>  --
>
>


Re: [users@httpd] port redirecting mapping

2014-02-10 Thread Thomas Eckert
Assuming you have a working config for a server/vhost on domain_name:3030,
then how about
  Redirect permanent / http://domain_name:3000/
? See http://httpd.apache.org/docs/current/mod/mod_alias.html#redirect and
friends.

"Restricted" access is a bit vague but
http://httpd.apache.org/docs/current/howto/access.html is a good start.



On Mon, Feb 10, 2014 at 12:58 PM, varun wrote:

>  Is it possible to redirect a request for one port to another one.
> Say a request like http://domain_name:3030 be
> accepted and
> redirected/mapped, so that the server should be able to process the
> request like http://domain_name:3000. And a
> direct request like http://domain_name:3000
> should be restricted.
> Is there any modules, directive in apache. I am new to apache. On Ubuntu
> 12.04.
>


Re: [users@httpd] Generating a gzip response from multiple pre-gzipped files on disk

2014-02-07 Thread Thomas Eckert
Can you post the headers, from sending the request(s) up to and including
the response(s) ?

I think you might be hitting the same spot as I recently did in (1). In
short, most (if not all) popular clients do not unpack responses if they
think they shouldn't even if the headers tell them to. So for example,
"Content-Encoding: gzip, deflate" will not have my Firefox run gunzip on a
file like "data.gz". At this point I can only speculate because I did not
dig deeper with the client behaviour but I *think* this is because they
sniff in on the content or at least on the file ending.

(1)
http://mail-archives.apache.org/mod_mbox/httpd-dev/201401.mbox/%3CCAPV0b06Z6Yey7Wa6gACCyrxui36WnB5gvJxQwCSWiZMahgnynQ%40mail.gmail.com%3E


On Thu, Feb 6, 2014 at 6:54 PM, Tom Evans  wrote:

> Hi all
>
> At $JOB we have a web app that generates XML for another web app to
> use. Each complete XML document is a list of individual items, and
> each item is stored on disk, in gzip format to save space - the format
> is overly verbose, and compression is highly effective, and gzip is
> nicely transparent to lots of utilities (vim mainly).
>
> Currently, a django app assembles the document together (it also
> generates them if they are missing, but lets ignore that for now). It
> first reads each file off disk, decompresses it, assembles one large
> string (sometimes 100MB+ XML), compresses it again (sigh) and then
> hands it off to apache.
>
> As a naive attempt, I modified the django app to simply load the file
> from disk, pre- and append a compressed header and footer, and then
> hand that off to apache with the appropriate content type.
>
> This "worked" in some respects - downloading the file to disk using
> fetch, then gzcat+md5 confirmed that the uncompressed response was
> bit-for-bit, but all "real" web clients I gave it to (firefox, chrome,
> libcurl) would only see the first chunk - the header, where as gzcat
> sees all the chunks.
>
> So, my questions are two-fold:
>
> 1) Is there something in the gzip file header which makes this approach a
> no-go
> 2) Is there any approach in stock httpd that could assemble docs like
> this (if it is even possible), or would I be looking at a custom
> module?
>
> I appreciate only the second one is really on topic here :)
>
> Cheers
>
> Tom
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>
>
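The symptom described in this thread, reproduced offline as an added example (not code from either poster): a gzip stream may consist of several members back to back, and a decoder that stops at the first member's trailer returns only the header piece. The sample parts and function names are constructed for illustration.

```python
import gzip
import zlib

GZIP_WBITS = 16 + zlib.MAX_WBITS  # tell zlib to expect a gzip header and trailer

# Constructed sample: header, two items and footer, each stored as its own gzip file.
SAMPLE_PARTS = [b"<items>", b"<item id='1'/>", b"<item id='2'/>", b"</items>"]


def build_concatenated(parts):
    """Join independently compressed pieces byte for byte, as in the post."""
    return b"".join(gzip.compress(p) for p in parts)


def decode_first_member(blob):
    """Decode like a reader that stops at the first gzip trailer.

    Returns (decoded bytes, bytes left unread after the first member).
    """
    d = zlib.decompressobj(wbits=GZIP_WBITS)
    out = d.decompress(blob)
    return out, d.unused_data


def decode_all_members(blob):
    """Decode every member in turn. Returns (decoded bytes, member count)."""
    chunks, members = [], 0
    while blob:
        d = zlib.decompressobj(wbits=GZIP_WBITS)
        chunks.append(d.decompress(blob))
        if not d.eof:
            raise ValueError("truncated gzip member %d" % (members + 1))
        blob = d.unused_data  # whatever follows this member's trailer
        members += 1
    return b"".join(chunks), members


def recompress_single_member(blob):
    """Re-encode a multi-member stream as one member for single-member readers."""
    data, _ = decode_all_members(blob)
    return gzip.compress(data)


if __name__ == "__main__":
    blob = build_concatenated(SAMPLE_PARTS)
    first, rest = decode_first_member(blob)
    full, count = decode_all_members(blob)
    print("first member only:", first, "| unread bytes:", len(rest))
    print("all %d members:" % count, full)
    print("gzip module agrees:", gzip.decompress(blob) == full)
```

Comparing `decode_first_member` with `decode_all_members` on a captured response body shows whether a client-side discrepancy comes from multi-member handling or from the headers.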


Re: [users@httpd] reverse proxy: connect to origin servers via http or https?

2014-02-07 Thread Thomas Eckert
> The question is: from the proxy performance/scalability point of view is
> it better to configure backends (origin servers) with http or with https?

"Better" depends on what you want to achieve. Do you want to securely
deliver simple html content with no fancy stuff ? Do you want to have
authentication internally ? If so, do you care if your users can see other
user's authentication data (if they are knowledgeable on how to do it) ?


> Is it true that if proxy is setup https->http then it only has to
> decrypt/encrypt the headers and the body is encrypted/decrypted on the
> backend?

What ? Eh, no. If you configure your frontend with https and your backends
with http, then you just told apache to NOT use SSL between mod_proxy and
the backend servers. Only your frontends will do SSL handshakes in this
setup. That's pretty much SSL Offloading, maybe you got that confused ?


> How either setup affects latency of handling requests?

Involving SSL as opposed to not involving SSL will always slow things down.
How much ? Depends on your settings, on your hardware (SSL accelerators),
etc. Are you going to deal with large amounts of users ? If so you might
want to consider using SSL only for some parts of your page(s).


It all boils down to writing down your requirements. First you should get a
hold on what you actually want, then worry about how to do it. Secondly,
seeing how easy it is to set up basic configurations using the docs you
should start there and dig into specific issues later.



On Fri, Feb 7, 2014 at 4:20 AM, Jakub Moscicki wrote:

> Hello,
>
> I have a reverse proxy (apache 2.2) with mod_proxy_balancer with https
> visible to the outside world.
>
> The question is: from the proxy performance/scalability point of view is
> it better to configure backends (origin servers) with http or with https?
>
> Is it true that if proxy is setup https->http then it only has to
> decrypt/encrypt the headers and the body is encrypted/decrypted on the
> backend? I do not use mod_proxy_html (but maybe there are other modules
> which affect this behaviour on the proxy?.
>
> How either setup affects latency of handling requests? With https->https
> do I have to do two handshakes (on the proxy and on the backend) for every
> connection? I have KeepAlive both on the proxy and the backends.
>
> Many thanks.
>
> Best regards,
>
> kuba
>
> --
>
>


[users@httpd] Using form based authentication sessions across locations

2014-01-20 Thread Thomas Eckert
Using form based auth, e.g.


AuthName "forms_foo"
AuthFormProvider my_provider
AuthType form
AuthFormLoginRequiredLocation "/foo_form"
Session On
SessionCookieName foo_cookie path=/foo/;httponly
SessionCryptoPassphrase somereallyneatandnicepassphrase
SessionCookieRemove On
Require valid-user


is it possible to "reuse" that session cookie for another path, e.g. /bar ?
With "reuse" I think of sending out a session cookie for /bar as well as
for /foo. This way, users logging in through form based auth on /foo  will
not have to log in on /bar as well.

HTTP cookies do not allow for multiple paths, so if at all one would have
to use multiple cookies. Since the cookies should carry session information
I reckon they ought to be configured via mod_session_cookie but that module
has no fitting directive. The only thing in mod_session_cookie close to
what I'm looking for is AuthFormSitePassphrase but I do need auth checks in
my custom provider to run (timeouts involved).

Any suggestions on how to go about this ?


Re: [users@httpd] #error mod_ssl requires OpenSSL 0.9.8a or later

2013-12-16 Thread Thomas Eckert
Actually, I was referring to the openssl-dev package (and whatever other
-dev package you might need to build).



On Mon, Dec 16, 2013 at 10:53 AM, Abdul Anshad  wrote:

>  yes, i have httpd-devel-2.2.26 package installed. FYI i'm trying to
> build httpd-2.4.7. is it necessary to install 2.4.x dev ?
>
> Regards,
> Abdul
>
> On 12/16/2013 2:48 PM, Thomas Eckert wrote:
>
> Did you make sure to have the -dev package(s) installed ?
>
>
> On Mon, Dec 16, 2013 at 10:10 AM, Abdul Anshad  wrote:
>
>>  I have made sure that the --with-ssl points to the 1.0.1e, FYI i also
>> have another system binary installed which is openssl-0.9.7d.
>>
>> I have included the source of apr and apr-utils under apache srclib.
>> Apache-2.4.6 builds fine but Apache-2.4.7 throws out that error.
>>
>> when i compared both version ssl_private.h file, this is what i found.
>>
>> 108,109c108,109
>> < #if (OPENSSL_VERSION_NUMBER < 0x0090700f)
>> < #error mod_ssl requires OpenSSL 0.9.7 or later
>> ---
>> > #if (OPENSSL_VERSION_NUMBER < 0x0090801f)
>>
>> > #error mod_ssl requires OpenSSL 0.9.8a or later
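Review bot: on the new lines 108-109 the minimum is stated twice, once as the constant 0x0090801f and once as the text "0.9.8a or later", and nothing in the hunk ties the two together. A short comment beside the #if naming the release the constant encodes would let a reader confirm that guard and message agree, and would make it clearer that the #error is evaluated at compile time against the header the preprocessor picked up, not against the installed binary.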
>>
>>  So, why is the configure taking openssl-0.9.7d even though i have
>> specified --with-ssl option to openssl-1.0.1e ? i have double checked the
>> directory path for openssl-1.0.1e and it returns OpenSSL 1.0.1e-fips 11 Feb
>> 2013.
>>
>> Regards,
>> Abdul
>>
>>  On 12/16/2013 2:18 PM, Otis Dewitt - NOAA Affiliate wrote:
>>
>>   Try:
>>
>>  First make sure openssl-devel-1.0.1e is installed.
>>
>>  --with-ssl=
>>
>>  Example:
>>
>> --with-ssl=/usr/include/openssl
>>
>>
>>  Thanks,
>>  Otis
>>
>>
>>
>> On Mon, Dec 16, 2013 at 1:58 AM, Abdul Anshad  wrote:
>>
>>> Hello All,
>>>
>>> I'm trying to compile httpd-2.4.7 from source, but i get the following
>>> error "#error mod_ssl requires OpenSSL 0.9.8a or later".
>>>
>>> But my installed openssl version is openssl-1.0.1e and i have specified
>>> it --with-ssl option.
>>>
>>> Could anyone please help me on this ?
>>>
>>> --
>>> Regards,
>>> Abdul
>>>
>>>
>>>
>>>
>>
>>
>
>
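A way to check which OpenSSL headers a build would see, as an added example that is not code from httpd or from anyone in this thread: it decodes `OPENSSL_VERSION_NUMBER` (the MNNFFPPS layout used by OpenSSL 0.9.x through 1.1.1) and applies the two guards from the quoted `ssl_private.h` diff to the first `opensslv.h` on an include path. The directory names and header snippets are constructed.

```python
import re

# Minimums taken from the two ssl_private.h guards quoted in the thread.
OLD_MIN = 0x0090700F  # "mod_ssl requires OpenSSL 0.9.7 or later"
NEW_MIN = 0x0090801F  # "mod_ssl requires OpenSSL 0.9.8a or later"

DEFINE_RE = re.compile(
    r"^[ \t]*#[ \t]*define[ \t]+OPENSSL_VERSION_NUMBER[ \t]+(0x[0-9A-Fa-f]+)L?",
    re.MULTILINE,
)

# Constructed header snippets standing in for openssl/opensslv.h files.
HEADER_097D = "#define OPENSSL_VERSION_NUMBER\t0x0090704fL\n"
HEADER_101E = "#define OPENSSL_VERSION_NUMBER\t0x1000105fL\n"

# Hypothetical include search orders: (directory, header text or None if absent).
PATH_OLD_FIRST = [("/usr/include", HEADER_097D),
                  ("/opt/openssl-1.0.1e/include", HEADER_101E)]
PATH_NEW_FIRST = [("/opt/openssl-1.0.1e/include", HEADER_101E),
                  ("/usr/include", HEADER_097D)]


def decode_version(number):
    """Turn 0xMNNFFPPS into text such as '0.9.8a' or '1.0.1e'."""
    major = (number >> 28) & 0xF
    minor = (number >> 20) & 0xFF
    fix = (number >> 12) & 0xFF
    patch = (number >> 4) & 0xFF   # 0 = no letter, 1 = 'a', 2 = 'b', ...
    status = number & 0xF          # 0 = dev, 1..e = beta, f = release
    text = "%d.%d.%d" % (major, minor, fix)
    if patch > 26:                 # releases past 'z' are written 'za', 'zb', ...
        text += "z" + chr(ord("a") + patch - 27)
    elif patch:
        text += chr(ord("a") + patch - 1)
    if status == 0:
        text += "-dev"
    elif status != 0xF:
        text += "-beta%d" % status
    return text


def header_version(header_text):
    """Extract OPENSSL_VERSION_NUMBER from the text of an opensslv.h."""
    match = DEFINE_RE.search(header_text)
    if match is None:
        raise ValueError("no OPENSSL_VERSION_NUMBER define found")
    return int(match.group(1), 16)


def first_header_seen(include_path):
    """Model include lookup: the first directory that has the header wins."""
    for directory, text in include_path:
        if text is not None:
            return directory, header_version(text)
    raise LookupError("no opensslv.h on the include path")


def would_build(include_path, minimum=NEW_MIN):
    """Apply the '#if OPENSSL_VERSION_NUMBER < minimum' guard to that header."""
    directory, number = first_header_seen(include_path)
    return {"directory": directory,
            "version": decode_version(number),
            "ok": number >= minimum}


if __name__ == "__main__":
    for name, path in (("old first", PATH_OLD_FIRST), ("new first", PATH_NEW_FIRST)):
        print(name, would_build(path))
```

To run it against a real tree, read each candidate directory's `openssl/opensslv.h` into the list in the order the compiler searches them.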


Re: [users@httpd] #error mod_ssl requires OpenSSL 0.9.8a or later

2013-12-16 Thread Thomas Eckert
Did you make sure to have the -dev package(s) installed ?


On Mon, Dec 16, 2013 at 10:10 AM, Abdul Anshad  wrote:

>  I have made sure that the --with-ssl points to the 1.0.1e, FYI i also
> have another system binary installed which is openssl-0.9.7d.
>
> I have included the source of apr and apr-utils under apache srclib.
> Apache-2.4.6 builds fine but Apache-2.4.7 throws out that error.
>
> when i compared both version ssl_private.h file, this is what i found.
>
> 108,109c108,109
> < #if (OPENSSL_VERSION_NUMBER < 0x0090700f)
> < #error mod_ssl requires OpenSSL 0.9.7 or later
> ---
> > #if (OPENSSL_VERSION_NUMBER < 0x0090801f)
>
> > #error mod_ssl requires OpenSSL 0.9.8a or later
>
> So, why is the configure taking openssl-0.9.7d even though i have
> specified --with-ssl option to openssl-1.0.1e ? i have double checked the
> directory path for openssl-1.0.1e and it returns OpenSSL 1.0.1e-fips 11 Feb
> 2013.
>
> Regards,
> Abdul
>
> On 12/16/2013 2:18 PM, Otis Dewitt - NOAA Affiliate wrote:
>
>   Try:
>
>  First make sure openssl-devel-1.0.1e is installed.
>
>  --with-ssl=
>
>  Example:
>
> --with-ssl=/usr/include/openssl
>
>
>  Thanks,
>  Otis
>
>
>
> On Mon, Dec 16, 2013 at 1:58 AM, Abdul Anshad  wrote:
>
>> Hello All,
>>
>> I'm trying to compile httpd-2.4.7 from source, but i get the following
>> error "#error mod_ssl requires OpenSSL 0.9.8a or later".
>>
>> But my installed openssl version is openssl-1.0.1e and i have specified
>> it --with-ssl option.
>>
>> Could anyone please help me on this ?
>>
>> --
>> Regards,
>> Abdul
>>
>>
>>
>>
>
>


Re: [users@httpd] Automatic OWA Form Based Authentication thru reverse proxy

2013-12-05 Thread Thomas Eckert
I've tried something similar but didn't get it working. I would be
interested in how your attempts on automatic-form-filling-in worked out -
and if they did also in the "how" ;-)


On Thu, Nov 28, 2013 at 11:48 AM, iridium1191  wrote:

>  Hi Apache users,
>
> I'm running Apache 2.2.22 on Ubuntu server 12.04 as a reverse proxy to
> some internal services, including Exchange/OWA 2003. I have setup a site
> login page where users authenticate before they can access these services.
> This works fine, but now I want to avoid users having to authenticate a
> second time to access their OWA mailbox.
>
> To do this I've setup a form which is pre-filled with the User ID,
> password and some other details. This works if I post it directly to the
> Exchange server, eg.
>
>  "https://ExchangeServer/exchweb/bin/auth/owaauth.dll";method="post">
>
>"https://ExchangeServer/exchange";  />
>
>  But fails if I post via the reverse proxy, eg.
>
>   action="/exchange/bin/auth/owaauth.dll" method="post">
>   
>
>  The relevant section of the virtual host file is:
>
>  # OWA links
> 
> ProxyPass https://ExchangeServer/exchange
> ProxyPassReverse https://ExchangeServer/exchange
> SSLRequireSSL
> 
>
> 
> ProxyPass https://ExchangeServer/exchweb
> ProxyPassReverse https://ExchangeServer/exchweb
> SSLRequireSSL
> 
>
> The only error I receive is a "440 Login Timeout" from the Exchange
> server. I suspect it may be a cookie issue but I'm not really sure. As I
> said the form auto login works fine if I use the Exchange server directly
> rather than through the reverse proxy so I think it is an issue with my
> mod_rewrite config.
>
> Any suggestions or advice would be much appreciated
>


[users@httpd] Re: unsetting encrypted cookies when encryption key changes

2013-11-18 Thread Thomas Eckert
Ideas, anyone ?


On Mon, Nov 11, 2013 at 5:26 PM, Thomas Eckert
wrote:

> Trying to figure out how to unset encrypted cookies for which the
> encryption key was changed. Docs at
>
>   http://httpd.apache.org/docs/current/mod/mod_session_crypto.html
>
> say
>
>   "If the encryption key is changed, sessions will be invalidated
> automatically."
>
> but using a config like
>
>   
> AuthName "my_auth"
> AuthFormProvider custom_provider
> AuthType form
> AuthFormLoginRequiredLocation "/form_login"
> Session On
> SessionCookieName example_cookie path=/;httponly
> SessionCryptoPassphrase aaadGJ0c3BwWWRqTktzQmZQcERGYk0=
> Require valid-user
>   
>
>   
> SetHandler form-login-handler
> AuthFormLoginRequiredLocation "/form_login"
> AuthFormLoginSuccessLocation "/"
> AuthFormProvider custom_provider
> AuthType form
> AuthName "my_auth"
> Session On
> SessionCookieName example_cookie path=/;httponly
> SessionCryptoPassphrase aaadGJ0c3BwWWRqTktzQmZQcERGYk0=
> Require valid-user
>   
>
> and changing the encryption secret after a user has logged on successfully
> will give me
>
> [session_crypto:error] [pid 22437:tid 3024407408] (16)Error string
> not specified yet: [client 10.10.10.10:57469] AH01842: decrypt session
> failed, wrong passphrase?
> [session:error] [pid 22437:tid 3024407408] (16)Error string not
> specified yet: [client 10.10.10.10:57469] AH01817: error while decoding
> the session, session not loaded: /form_login
> [session_crypto:error] [pid 22437:tid 3024407408] (16)Error string
> not specified yet: [client 10.10.10.10:57469] AH01842: decrypt session
> failed, wrong passphrase?
> [session:error] [pid 22437:tid 3024407408] (16)Error string not
> specified yet: [client 10.10.10.10:57469] AH01817: error while decoding
> the session, session not loaded: /form_login
>
> and redirecting the user back to the form page again and again. I don't
> see a directive to deal with this in mod_cookie, mod_session or
> mod_session_crypto so I guess this is meant to work out of the box.
>
> What am I missing here ?
>


[users@httpd] mod_auth_form and proper redirection after login

2013-11-14 Thread Thomas Eckert
Using mod_auth_form, when a user tries to access a URL and is 'interrupted'
by the form based login, how do I pass on the original URL to the form html
or to the AuthFormLoginSuccessLocation directive, so I can redirect the
client - upon successful login - to the URL where she wanted to go to.

At


http://httpd.apache.org/docs/current/mod/mod_auth_form.html#authformlocation

I didn't find info on dynamically setting the value of
AuthFormLoginSuccessLocation or using AuthFormLocation for this purpose. Is
there a way to do this with 2.4.4 (or possibly 2.4.6) ?


[users@httpd] unsetting encrypted cookies when encryption key changes

2013-11-11 Thread Thomas Eckert
Trying to figure out how to unset encrypted cookies for which the
encryption key was changed. Docs at

  http://httpd.apache.org/docs/current/mod/mod_session_crypto.html

say

  "If the encryption key is changed, sessions will be invalidated
automatically."

but using a config like

  
AuthName "my_auth"
AuthFormProvider custom_provider
AuthType form
AuthFormLoginRequiredLocation "/form_login"
Session On
SessionCookieName example_cookie path=/;httponly
SessionCryptoPassphrase aaadGJ0c3BwWWRqTktzQmZQcERGYk0=
Require valid-user
  

  
SetHandler form-login-handler
AuthFormLoginRequiredLocation "/form_login"
AuthFormLoginSuccessLocation "/"
AuthFormProvider custom_provider
AuthType form
AuthName "my_auth"
Session On
SessionCookieName example_cookie path=/;httponly
SessionCryptoPassphrase aaadGJ0c3BwWWRqTktzQmZQcERGYk0=
Require valid-user
  

and changing the encryption secret after a user has logged on successfully
will give me

[session_crypto:error] [pid 22437:tid 3024407408] (16)Error string not
specified yet: [client 10.10.10.10:57469] AH01842: decrypt session failed,
wrong passphrase?
[session:error] [pid 22437:tid 3024407408] (16)Error string not
specified yet: [client 10.10.10.10:57469] AH01817: error while decoding the
session, session not loaded: /form_login
[session_crypto:error] [pid 22437:tid 3024407408] (16)Error string not
specified yet: [client 10.10.10.10:57469] AH01842: decrypt session failed,
wrong passphrase?
[session:error] [pid 22437:tid 3024407408] (16)Error string not
specified yet: [client 10.10.10.10:57469] AH01817: error while decoding the
session, session not loaded: /form_login

and redirecting the user back to the form page again and again. I don't see
a directive to deal with this in mod_cookie, mod_session or
mod_session_crypto so I guess this is meant to work out of the box.

What am I missing here ?


Re: [users@httpd] Reverse Proxy Questions

2013-10-18 Thread Thomas Eckert
Try setting the proxy-initial-not-pooled flag with mod_proxy_http, see
http://httpd.apache.org/docs/current/mod/mod_proxy_http.html

Apache 2.4 has an issue with the HTTP keep-alive time out which happens
quite frequently with ActiveSync. There is an ongoing discussion
("mod_proxy, pooled backend connections and the keep-alive race condition")
regarding this problem on the dev list.

Do you happen to use NTLM between the reverse proxy and exchange server ?
If you do I would be very much interested in the impact of the above
mentioned mod_proxy_http flag with the authentication procedure.


On Thu, Oct 17, 2013 at 10:03 PM, Shawn Cannon wrote:

> Yes it is getting there.  I do not know how long it would take.  my test
> box only has one machine using Windows RT connecting via ActiveSync through
> the reverse proxy.  It is working despite seeing the error.  When I tried
> this in production we had multiple complaints from phone users and I saw
> these errors so I thought something must have changed from 2.2 to 2.4.
>
>
> Shawn Cannon
> IT Professional
> EMC Elect 2013 | Dell TechCenter Rockstar 2013 | VMware vExpert 2013
>
>
> --
> From: yeh...@ymkatz.net
> Date: Thu, 17 Oct 2013 15:57:33 -0400
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Reverse Proxy Questions
>
>
> There is a timeout, but I don't think it has changed in this version:
> http://httpd.apache.org/docs/2.4/mod/mod_proxy.html
> How long do you expect the response to take?
>
> Do you know if the request is getting to the Exchange server?
>
> - Y
>
>
> On Thu, Oct 17, 2013 at 3:48 PM, Shawn Cannon wrote:
>
> We have been using Apache 2.2.x with reverse proxy modules for our clients
> to access their OWA servers for over a year. I want to get us to Apache
> 2.4.x so I setup a test box with latest 2.4 on it. I fixed the config file
> issues since 2.4 has changes in it. OWA proxy is working on my test server
> with Apache 2.4. But with 2.4 I do have an issue I cannot figure out. Note
> that this does NOT occur with Apache 2.2. I get the following errors when
> using ActiveSync through reverse proxy:
>
> [Thu Oct 17 12:19:11.670665 2013] [proxy_http:error] [pid 748:tid 8440]
> (OS 10060)A connection attempt failed because the connected party did not
> properly respond after a period of time, or established connection failed
> because connected host has failed to respond. : [client x.x.x.x:20311]
> AH01102: error reading status line from remote server
> mail.nameredacted.net:443
>
> [Thu Oct 17 12:19:11.670665 2013] [proxy:error] [pid 748:tid 8440] [client
> x.x.x.x:20311] AH00898: Error reading from remote server returned by
> /Microsoft-Server-ActiveSync
>
> So somehow with Apache 2.4 there is some sort of timeout that was not
> there with 2.2. Any ideas?
>
> Shawn Cannon
> IT Professional
> EMC Elect 2013 | Dell TechCenter Rockstar 2013 | VMware vExpert 2013
>
>
>


[users@httpd] Question regarding ProxyPass and "!"

2013-09-26 Thread Thomas Eckert
Using a config like this


BalancerMember http://backend.example.local status=-SE


ServerName frontend.example.local
SSLProxyEngine On
RequestHeader set X-Forwarded-Proto http

ProxyPass !
ProxyPassReverse !


ProxyPass balancer://cd107d9706d71153bafd4ab15f1c6b5d
ProxyPassReverse balancer://cd107d9706d71153bafd4ab15f1c6b5d



should I not expect requests to /helloworld/ to be mapped to the files
being served directly from frontend.example.local instead of being proxied
away to backend.example.local ? In other words, backend.example.local
should not even see that request.


[users@httpd] 302 endless loop with mod_auth_form config

2013-07-29 Thread Thomas Eckert
I'm looking for the error in this config:

KeepAlive On
ServerName server1.domain1.local
ServerAdmin me@domain1.local
Listen 10.10.10.10:80 http
BalancerMember http://server1.domain2.local status=-SE
ServerName secured.domain1.local
SSLProxyEngine On
RequestHeader set X-Forwarded-Proto http

DocumentRoot /var/www/login_example/

SetHandler form-login-handler
AuthFormLoginRequiredLocation http://secured.domain1.org/login/example_form_template
AuthFormLoginSuccessLocation http://secured.domain1.org/
AuthFormProvider myprovider
AuthType form
AuthName realm
Session On
SessionCookieName session path=/



ProxyPass balancer://cd107d9706d71153bafd4ab15f1c6b5d/ lbmethod=bybusyness
ProxyPassReverse balancer://cd107d9706d71153bafd4ab15f1c6b5d/

AuthFormProvider myprovider
AuthType form
AuthName realm
AuthFormLoginRequiredLocation http://secured.domain1.org/login/example_form_template
Session On
SessionCookieName session path=/
Require valid-user


Accessing / results in an endless loop of 302s to /login/. Putting

on the second block did not change anything.


Re: [users@httpd] Mod_proxy Slow After a Week

2013-06-26 Thread Thomas Eckert
This is interesting. I'm seeing similar events at one of my reverse proxies.
After fixing a DNS infrastructure problem I started seeing lots of 304s
with processing times well above 5 seconds. For header-only requests that's
a lot of time. If there is any news here please let us know. At the very
least it would help me.

On Mon, Jun 24, 2013 at 6:43 PM, Robert Gabriel  wrote:

>
>
>
> On 24 June 2013 18:27, Tom Evans  wrote:
>
>> On Mon, Jun 24, 2013 at 2:03 PM, Robert Gabriel 
>> wrote:
>> > Hello all,
>> >
>> > We have:
>> >
>> > Apache 2.2.3
>> > CentOS 5.5 x86_64
>> > Splunk 5.0.2
>> >
>> > I only know the basics but Apache has been serving us very well with the
>> > below config
>> >
>> > and only after about a week did pages refresh very slowly, up to a
>> minute to
>> > reload
>> >
>> > sometimes.
>> >
>> > I tailed both httpd and splunkd logs and saw a consistent delay of 30s
>> > between proxy
>> >
>> > and origin server (both on same host) along with plenty of 304s,
>> followed by
>> > what
>> >
>> > appeared to be some timeout and then slowly the 200s started coming
>> back in.
>> >
>> > A restart of httpd cleared up the issue.
>> >
>> > I'm lost, please help.
>> >
>> > Could this be a caching problem?
>> >
>> > Thank you.
>> >
>> > 
>> > SSLEngine on
>> > SSLCertificateFile  /etc/httpd/conf/server.crt
>> > SSLCertificateKeyFile   /etc/httpd/conf/server.key
>> >   SSLProxyEngine On
>> >   SSLCACertificateFile/etc/httpd/conf/gsoc.pem
>> >   SSLProtocol all -SSLv2
>> >   SSLVerifyClient require
>> >   SSLVerifyDepth 1
>> >   SSLOptions +StrictRequire
>> >
>> >   RequestHeader set X-Remote-User %{REMOTE_USER}s
>> >
>> > ServerName  dashboards.gsoc.co.za:443
>> >   ServerAdmin ad...@gsoc.co.za
>> > DocumentRoot/srv/http/gdf/
>> > CustomLog   /var/log/httpd/gdf/access combined
>> > ErrorLog/var/log/httpd/gdf/error
>> >   LogLeveldebug
>> >
>> >   ProxyRequests Off
>> >   ProxyPreserveHost Off
>> >   ProxyPass /gdf https://172.20.67.2:8000/gdf
>> >   ProxyPassReverse /gdf https://172.20.67.2:8000/gdf
>> >
>> >
>> >   SSLRequireSSL
>> >   AllowOverride none
>> >   AuthName "GDF"
>> >   AuthType Basic
>> >   AuthDigestProvider file
>> >   AuthUserFile /etc/httpd/conf/passwd
>> >   Require ssl-verify-client
>> >   Require valid-user
>> >   Require ssl
>> >   Satisfy All
>> > 
>> >
>> > 
>> >   SSLRequireSSL
>> >   AuthName "GDF"
>> >   AuthType Basic
>> >   AuthDigestProvider file
>> >   AuthUserFile /etc/httpd/conf/passwd
>> >   Require ssl-verify-client
>> >   Require valid-user
>> >   Require ssl
>> >   Satisfy All
>> > 
>> > 
>>
>> 30 seconds is the length of the default timeout in apache.
>> Unfortunately, that timeout is used in all sorts of cases, so it does
>> not tell us what is timing out.
>>
>> As a rank guess, I would be going for DNS timeout myself. Do you have
>> HostnameLookups set to "On" or "Double", or using host names in ACLs?
>>
>> Cheers
>>
>> Tom
>>
>>
>>
> We are not doing any hostname ACLs.
>
> Forgive my limited knowledge, I did RTFM before replying to make sure I
> understood
> the intended config and no, we are not doing any.
>
> "HostnameLookups Off"
>
> How come a restart "fixes" the problem?
>
> Thank you.
>


[users@httpd] Reverse proxying and specific output filter chain manipulation

2013-06-13 Thread Thomas Eckert
In a simple reverse proxy setup, such as


BalancerMember http://mydomain.org status=-SE
ServerName secure.mydomain.local
SSLProxyEngine On

RequestHeader set X-Forwarded-Proto http

ProxyPass balancer://cd107d9706d71153bafd4ab15f1c6b5d/ lbmethod=bybusyness
ProxyPassReverse balancer://cd107d9706d71153bafd4ab15f1c6b5d/
ProxyPassReverseCookieDomain balancer://cd107d9706d71153bafd4ab15f1c6b5d/
Include conf/proxyhtml.conf
SetOutputfilter INFLATE;xml2enc;proxy-html;DEFLATE
Require all granted


how do I manipulate the output filter chain from the reverse proxy to
the backend ? E.g. I want to discard the Accept-Encoding
header when talking to the backend but I don't want to use
RequestHeader unset Accept-Encoding globally since that kills
compression support to the external clients as well.

Cheers,
  Thomas


[users@httpd] SSL, SNI and SSLStrictSNIVHostCheck

2013-01-04 Thread Thomas Eckert

Is the directive
SSLStrictSNIVHostCheck On
meant to block connections  to a virtual host if the connecting client 
uses an IP literal as URL ? RFC 6066 states that

Literal IPv4 and IPv6 addresses are not permitted in "HostName".
since a SNI doesn't make sense at all for an IP literal and this 
(https://bugzilla.mozilla.org/show_bug.cgi?id=421634) bug report/patch 
for FF does exactly what I would expect for such a client request, which 
is to not send any SNI at all.


The docs don't mention this corner case 
(http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslstrictsnivhostcheck) 
and I think the "issue" traces to

httpd-2.4.3/modules/ssl/ssl_engine_kernel.c:166
where there is no check if the SNI is necessary at all, only if it is present:
if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {


So if this is not working as intended I suggest adding an IP literal 
detection at this place and if it is working as intended I would like to 
know the reasoning behind it.


Cheers,
  Thomas


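The IP-literal detection suggested in the message above, as an added sketch that is not part of the original post or of httpd's code. `host_is_ip_literal` and `strict_sni_check` are hypothetical helpers, and the sketch assumes the request's Host value is available where the check runs.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not httpd code): 1 if a Host header value is an IPv4
 * or bracketed IPv6 literal, optionally followed by ":port", else 0. */
static int host_is_ip_literal(const char *host)
{
    char buf[INET6_ADDRSTRLEN];
    unsigned char addr[sizeof(struct in6_addr)];
    size_t len;

    if (host == NULL || *host == '\0')
        return 0;

    if (host[0] == '[') {               /* "[v6]" or "[v6]:port" */
        const char *end = strchr(host, ']');
        if (end == NULL || (end[1] != '\0' && end[1] != ':'))
            return 0;
        len = (size_t)(end - host) - 1;
        if (len == 0 || len >= sizeof(buf))
            return 0;
        memcpy(buf, host + 1, len);
        buf[len] = '\0';
        return inet_pton(AF_INET6, buf, addr) == 1;
    }

    len = strcspn(host, ":");           /* "a.b.c.d" or "a.b.c.d:port" */
    if (len == 0 || len >= sizeof(buf))
        return 0;
    memcpy(buf, host, len);
    buf[len] = '\0';
    return inet_pton(AF_INET, buf, addr) == 1;
}

enum sni_verdict { SNI_ACCEPT, SNI_REJECT };

/* Hypothetical strict-SNI decision: a missing SNI is rejected unless the
 * client addressed the server by IP literal, where RFC 6066 permits no
 * HostName and a conforming client therefore sends none. */
static enum sni_verdict strict_sni_check(const char *sni, const char *host)
{
    if (sni != NULL)
        return SNI_ACCEPT;              /* vhost matching is done elsewhere */
    return host_is_ip_literal(host) ? SNI_ACCEPT : SNI_REJECT;
}

int main(void)
{
    /* Constructed sample Host values, each paired with "no SNI sent". */
    const char *hosts[] = { "192.0.2.10:443", "[2001:db8::1]",
                            "frontend.example.local", "999.1.1.1" };
    for (size_t i = 0; i < sizeof(hosts) / sizeof(hosts[0]); i++)
        printf("%-24s -> %s\n", hosts[i],
               strict_sni_check(NULL, hosts[i]) == SNI_ACCEPT
                   ? "accept" : "reject");
    return 0;
}
```

Because the Host value is client-supplied, a relaxation like this applies to every non-SNI client that names an IP literal, so the virtual host that ends up serving such requests should expose nothing that relies on the strict check.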


Re: [users@httpd] mod_proxy_html, HTML rewrite and content compression

2013-01-04 Thread Thomas Eckert

On 11/16/2012 05:12 PM, Nick Kew wrote:

On Fri, 16 Nov 2012 11:31:38 +0100
Thomas Eckert  wrote:


Thanks for the hint but unfortunately "manually" adding xml2enc to the
filtering chain does not help.

Looks like you've got problems over and above anything to do with
your configuration!


  "SetOutputFilter INFLATE;proxy-html" gets the page displayed correctly

I thought you said it had charset issues?



[pid 15039:tid 3007834992] mod_xml2enc.c(259): [client
10.10.10.10:40388] AH01434: Charset ISO-8859-1 not supported by libxml2;
trying apr_xlate

That seems implausible.  How do you get a libxml2 install that
doesn't natively support ISO-8859-1 (latin1)?


[pid 15039:tid 3007834992] mod_xml2enc.c(490): (22)Invalid argument:
[client 10.10.10.10:40388] AH01441: xml2enc: converted 1/1 bytes
[pid 15039:tid 3007834992] [client 10.10.10.10:40388] AH01444: Skipping
invalid byte(s) in input stream!
(and more conversion errors)

It looks as if your backend incorrectly identifies the charset
of the page in question.  Either that or you found a bug.
Do you have a URL where your unprocessed page could be viewed?

Sorry for the delay on this. The basic problem remains: If I enable html 
rewriting and connect with a client requesting content compression the 
reverse proxy will fail with a message pointing at libxml2/encoding. I 
can also see different log entries depending on whether I set the 
charset of the page.


So if I just send the page with "Content-Type: text/html" this is what I get

mod_deflate.c(1283): [client 10.10.10.10:39771] AH01398: Zlib: Inflated 
348 to 682 : URL /
mod_xml2enc.c(183): [client 10.10.10.10:39771] AH01430: Content-Type is 
text/html
mod_xml2enc.c(259): [client 10.10.10.10:39771] AH01434: Charset 
ISO-8859-1 not supported by libxml2; trying apr_xlate
mod_xml2enc.c(463): [client 10.10.10.10:39771] AH01439: xml2enc: 
consuming 682 bytes from bucket
mod_xml2enc.c(490): [client 10.10.10.10:39771] AH01441: xml2enc: 
converted 682/682 bytes
mod_deflate.c(763): [client 10.10.10.10:39771] AH01384: Zlib: Compressed 
668 to 344 : URL /
mod_xml2enc.c(463): [client 10.10.10.10:39771] AH01439: xml2enc: 
consuming 10 bytes from bucket
[client 10.10.10.10:39771] xml2enc_html_entity_fixups(): Transcoder 
failure (rv=-2)
mod_xml2enc.c(490): (22)Invalid argument: [client 10.10.10.10:39771] 
AH01441: xml2enc: converted 1/1 bytes
[client 10.10.10.10:39771] AH01444: Skipping invalid byte(s) in input 
stream!
mod_xml2enc.c(490): [client 10.10.10.10:39771] AH01441: xml2enc: 
converted 9/8 bytes
mod_xml2enc.c(463): [client 10.10.10.10:39771] AH01439: xml2enc: 
consuming 344 bytes from bucket
[client 10.10.10.10:39771] xml2enc_html_entity_fixups(): Transcoder 
failure (rv=-2)
mod_xml2enc.c(490): (22)Invalid argument: [client 10.10.10.10:39771] 
AH01441: xml2enc: converted 4/4 bytes
[client 10.10.10.10:39771] AH01444: Skipping invalid byte(s) in input 
stream!
mod_xml2enc.c(490): (22)Invalid argument: [client 10.10.10.10:39771] 
AH01441: xml2enc: converted 4/3 bytes
[client 10.10.10.10:39771] AH01444: Skipping invalid byte(s) in input 
stream!
mod_xml2enc.c(490): (22)Invalid argument: [client 10.10.10.10:39771] 
AH01441: xml2enc: converted 1/0 bytes
[client 10.10.10.10:39771] AH01444: Skipping invalid byte(s) in input 
stream!
mod_xml2enc.c(481): [client 10.10.10.10:39771] AH01440: xml2enc: 
reinserting 334 unconsumed bytes from bucket
[client 10.10.10.10:39771] AH01385: Zlib error -2 flushing zlib output 
buffer ((null))



But if "Content-Type: text/html; charset=ISO-8859-1" is sent this is 
what I get


mod_deflate.c(1283): [client 10.10.10.10:40040] AH01398: Zlib: Inflated 
348 to 682 : URL /
mod_xml2enc.c(183): [client 10.10.10.10:40040] AH01430: Content-Type is 
text/html;charset=ISO-8859-1

[client 10.10.10.10:40040] AH01431: Got charset ISO-8859-1 from HTTP headers
mod_deflate.c(763): [client 10.10.10.10:40040] AH01384: Zlib: Compressed 
668 to 344 : URL /
mod_xml2enc.c(463): [client 10.10.10.10:40040] AH01439: xml2enc: 
consuming 10 bytes from bucket
[client 10.10.10.10:40040] xml2enc_html_entity_fixups(): Transcoder 
failure (rv=-2)
mod_xml2enc.c(490): (22)Invalid argument: [client 10.10.10.10:40040] 
AH01441: xml2enc: converted 1/1 bytes
[client 10.10.10.10:40040] AH01444: Skipping invalid byte(s) in input 
stream!
mod_xml2enc.c(490): [client 10.10.10.10:40040] AH01441: xml2enc: 
converted 9/8 bytes
mod_xml2enc.c(463): [client 10.10.10.10:40040] AH01439: xml2enc: 
consuming 344 bytes from bucket
[client 10.10.10.10:40040] xml2enc_html_entity_fixups(): Transcoder 
failure (rv=-2)
mod_xml2enc.c(490): (22)Invalid argument: [client 10.10.10.10:40040] 
AH01441: xml2enc: converted 4/4 bytes
[client 10.10.10.10:40040] AH01444: Skipping invalid byte(s) in input 
stream!
mod_xml2enc.c(490): (22)Invalid argument: [client 10.10.10.10:40040] 
AH01441: xml2enc: converted 4/3 bytes
[client 10.10.10.10:40040] AH01444: Skipping invalid byte(s) in input 
stream!

Re: [users@httpd] mod_proxy_html, HTML rewrite and content compression

2012-11-16 Thread Thomas Eckert

On 11/14/2012 06:12 PM, Nick Kew wrote:

On 14 Nov 2012, at 15:53, Thomas Eckert wrote:


Is there a way to work around this ? I do want the call to mod_xml2enc to 
happen but I also want the reverse proxy to support content compression.

That's a lot of correct analysis.

The output chain you want is INFLATE;xml2enc;proxy-html;DEFLATE .
What problems do you encounter (apart from processing overhead)
when you set all that?

I guess ideally ProxyHTMLEnable should detect compressed content
and insert INFLATE where necessary.  Maybe even have an option to
set DEFLATE.  But as of now it doesn't: I got the impression most
users prefer to disable compression, and avoid the substantial
processing overhead of zipping in a proxy.

Thanks for the hint but unfortunately "manually" adding xml2enc to the 
filtering chain does not help. The output is still broken. One thing I 
noticed was the "DEFLATE" filter is not necessary, since apache will do 
the compression anyway (even though I removed "AddOutputFilter text/html 
DEFLATE" from my global config). That's why it's not present below.


Here are some debug log extracts which confuse me. Note, I patched 
mod_proxy_html.c with a one-liner to get me "Running proxy_html_filter" 
into the log, otherwise mod_proxy_html only gives feedback in error 
situations and I wouldn't be able to infer from the log when 
mod_proxy_html is running.



"SetOutputFilter INFLATE;proxy-html" gets the page displayed correctly

[pid 14245:tid 2714090352] proxy_util.c(1998): AH00943: http: has 
released connection for (vhost01.backend03.local)
[pid 14245:tid 2714090352] mod_deflate.c(1283): [client 
10.10.10.10:40375] AH01398: Zlib: Inflated 348 to 674 : URL /
[pid 14245:tid 2714090352] [client 10.128.128.60:40375] Running 
proxy_html_filter
[pid 14245:tid 2714090352] mod_deflate.c(763): [client 
10.10.10.60:40375] AH01384: Zlib: Compressed 655 to 342 : URL /

< customized log message from LogFormat+CustomLog appears here >


"SetOutputFilter INFLATE;xml2enc;proxy-html" results in "curl: (52) 
Empty reply from server"


[pid 15039:tid 3007834992] proxy_util.c(1998): AH00943: http: has 
released connection for (vhost01.backend03.local)
[pid 15039:tid 3007834992] mod_deflate.c(1283): [client 
10.10.10.10:40388] AH01398: Zlib: Inflated 348 to 674 : URL /
[pid 15039:tid 3007834992] mod_xml2enc.c(183): [client 
10.10.10.10:40388] AH01430: Content-Type is text/html
[pid 15039:tid 3007834992] mod_xml2enc.c(259): [client 
10.10.10.10:40388] AH01434: Charset ISO-8859-1 not supported by libxml2; 
trying apr_xlate
[pid 15039:tid 3007834992] mod_xml2enc.c(463): [client 
10.10.10.10:40388] AH01439: xml2enc: consuming 674 bytes from bucket
[pid 15039:tid 3007834992] mod_xml2enc.c(490): [client 
10.10.10.10:40388] AH01441: xml2enc: converted 674/674 bytes
[pid 15039:tid 3007834992] [client 10.10.10.10:40388] Running 
proxy_html_filter
[pid 15039:tid 3007834992] mod_deflate.c(763): [client 
10.10.10.10:40388] AH01384: Zlib: Compressed 655 to 342 : URL /
[pid 15039:tid 3007834992] mod_xml2enc.c(463): [client 
10.10.10.10:40388] AH01439: xml2enc: consuming 10 bytes from bucket
[pid 15039:tid 3007834992] mod_xml2enc.c(490): (22)Invalid argument: 
[client 10.10.10.10:40388] AH01441: xml2enc: converted 1/1 bytes
[pid 15039:tid 3007834992] [client 10.10.10.10:40388] AH01444: Skipping 
invalid byte(s) in input stream!
[pid 15039:tid 3007834992] mod_xml2enc.c(490): [client 
10.10.10.10:40388] AH01441: xml2enc: converted 9/8 bytes
[pid 15039:tid 3007834992] mod_xml2enc.c(463): [client 
10.10.10.10:40388] AH01439: xml2enc: consuming 342 bytes from bucket

< customized log message from LogFormat+CustomLog appears here >
[pid 15039:tid 3007834992] mod_xml2enc.c(490): (22)Invalid argument: 
[client 10.10.10.10:40388] AH01441: xml2enc: converted 2/2 bytes
[pid 15039:tid 3007834992] [client 10.10.10.10:40388] AH01444: Skipping 
invalid byte(s) in input stream!
[pid 15039:tid 3007834992] mod_xml2enc.c(490): (22)Invalid argument: 
[client 10.10.10.10:40388] AH01441: xml2enc: converted 2/1 bytes
[pid 15039:tid 3007834992] [client 10.10.10.10:40388] AH01444: Skipping 
invalid byte(s) in input stream!
[pid 15039:tid 3007834992] mod_xml2enc.c(490): (22)Invalid argument: 
[client 10.10.10.10:40388] AH01441: xml2enc: converted 4/3 bytes
[pid 15039:tid 3007834992] [client 10.10.10.10:40388] AH01444: Skipping 
invalid byte(s) in input stream!
[pid 15039:tid 3007834992] mod_xml2enc.c(490): (22)Invalid argument: 
[client 10.10.10.10:40388] AH01441: xml2enc: converted 1/0 bytes
[pid 15039:tid 3007834992] [client 10.10.10.100:40388] AH01444: Skipping 
invalid byte(s) in input stream!
[pid 15039:tid 3007834992] mod_xml2enc.c(481): [client 
10.10.10.10:40388] AH01440: xml2enc: reinserting 332 unconsumed bytes 
from bucket
[pid 15039:tid 3007834992] [client 10.10.10.10:40388] AH01385: Zlib 
error -2 flushing zlib output buf

[users@httpd] mod_proxy_html, HTML rewrite and content compression

2012-11-14 Thread Thomas Eckert

Hi folks

I'm using apache (2.4.3) as reverse proxy with mod_proxy_html (as 
delivered with 2.4.3) and encountered an issue using HTML rewriting in 
combination with content compression, as with the "Accept-Encoding" and 
"Content-Encoding" HTTP headers.


This issue has been encountered by numerous people and the solution 
presented always comes down to setting the output filters "manually" 
instead of using the mod_proxy_html directive to do it (e.g. see 
http://forums.gentoo.org/viewtopic-t-908890-start-0.html). So it boils 
down to setting


SetOutputFilter INFLATE;proxy-html;DEFLATE
instead of
ProxyHTMLEnable On

In my test setup this actually solved the problem but it has a side 
effect which I am worried about.


In file modules/filters/mod_proxy_html.c function proxy_html_insert() 
it's clearly visible the xml2enc function is only called if cfg->enabled 
is set - which in turn is set via the ProxyHTMLEnable directive as 
declared with


AP_INIT_FLAG("ProxyHTMLEnable", ap_set_flag_slot,
 (void*)APR_OFFSETOF(proxy_html_conf, enabled),
 RSRC_CONF|ACCESS_CONF,
 "Enable proxy-html and xml2enc filters")

I took a look at mod_xml2enc to see if there was a directive which I 
could use to establish the filtering in a way that matches the 
ProxyHTMLEnable directive but I could find none.


Is there a way to work around this ? I do want the call to mod_xml2enc 
to happen but I also want the reverse proxy to support content compression.


Any suggestions on how to go forward/where to dig on this issue ?

Regards,
  Thomas

