Re: [users@httpd] Weird connection issues with mod_proxy_wstunnel
Hello Marc,

On Wed, Apr 15, 2015 at 10:50 AM, Marc Hörsken i...@marc-hoersken.de wrote:
> Now once a browser has upgraded a connection from HTTP to WebSocket traffic, all traffic is proxied to the WebSocket-server at 127.0.0.1:9001. The problem is that the browser continues to use that upgraded WebSocket-connection for further HTTP-requests, for example to load the next page. But since all traffic is forwarded to the WebSocket-server, the browser receives a 404 from there.
>
> So for some reason HTTP- and WebSocket-connections are not isolated properly. And Apache2 forwards URLs not beginning with /data or /settings.js to the Web-Socket-server.
>
> Any ideas why this might happen?

Once the connection is upgraded, mod_proxy_wstunnel (as its name suggests) creates a tunnel between the browser and the application. It will not check request boundaries anymore; this is not HTTP but application data now, and hence it is the application's responsibility to not (make the browser) reuse the same connection for further HTTP requests.

Regards,
Yann.

- To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] apache 2.4 allow by IP
On Thu, Mar 19, 2015 at 9:51 PM, Tim Dunphy bluethu...@gmail.com wrote:
>> mod_status loaded?
>
> Yep!
>
> [root@uszwsls00015la apache2]# apachectl -M | grep status
> status_module (shared)
>
> And so are mod_authz_host:
>
> [root@uszwsls00015la apache2]# apachectl -M | grep authz_host
> authz_host_module (shared)

Do you also have the corresponding LoadModule directives in your config file? (shared modules need it to be effectively loaded).
Re: [users@httpd] Location directive not working when using php-fpm (via mod_fastcgi)
On Tue, Mar 17, 2015 at 11:40 AM, Theo Belder t.bel...@trends.nl wrote:
> Please could someone give a good regular expression that would match /Public and /php-fcgi/Public?

Maybe: (/php-fcgi)?/Public

Regards,
Yann.
Re: [users@httpd] deny announce.php torrent requests
On Thu, Mar 12, 2015 at 9:59 AM, Yann Ylavic ylavic@gmail.com wrote:
> I think you need either an action that drops the connection (deny = drop, without any response!), or a status code that implies Connection: close (deny,status=503 for example, whereas the default 403 keeps the connection alive).

Maybe status 400 or 501 would be more suitable since they would not allow fail over by proxy frontend (if any).
Re: [users@httpd] deny announce.php torrent requests
Hi,

On Thu, Mar 12, 2015 at 4:13 AM, el kalin ka...@el.net wrote:
> so far i have tried this:
>
> with mod_security (within modsecurity.conf):
>
> SecRule REQUEST_URI \?info_hash\= phase:2,id:'1002',t:none,rev:1,severity:2,log,deny,msg:'Torrent Announce Hit Detected'
>
> here i can see in the audit log that Connection: closed but i can still see all the request in the virtual domain's log (vs the mod sec_audit log). and still see the http ESTABLISHED connections (via netstat) just lingering.

I think you need either an action that drops the connection (deny = drop, without any response!), or a status code that implies Connection: close (deny,status=503 for example, whereas the default 403 keeps the connection alive).

> with mod_rewrite (in global context):
>
> <IfModule mod_rewrite.c>
>     RewriteEngine on
>     RewriteRule ^/announce$ - [F]
>     RewriteRule ^/announce\.php$ - [F]
> </IfModule>
>
> also
>
> <Directory /path/to/affected/virtual/domain/document/root>
>     RewriteEngine On
>     RewriteRule ^/announce$ - [F]
>     RewriteRule ^/announce\.php$ - [F]
> </Directory>

Same here with [R=503] (and possibly the L flag too).

Regards,
Yann.
Re: [users@httpd] Help with wilcards SSL certificates and virtual hosts
Hi Quentin,

On Thu, Mar 12, 2015 at 3:51 PM, Quentin CHARRAUT quentin.charr...@inova-software.com wrote:
> My question is, how can I have both *.example.com and *.rc.example.com vhost working together without any bad certificate errors ? Maybe I missed something ? or maybe it’s not possible ?

I think you missed ServerAlias, wildcards are not valid ServerNames (though legal in 2.2.x, not anymore in 2.4.x).

Your configuration should look like:

    <VirtualHost 192.168.0.10:443>
        ServerName example.com:443
        ServerAlias *.example.com:443
        ...
    </VirtualHost>

    <VirtualHost 192.168.0.10:443>
        ServerName dev.example.com:443
        ServerAlias *.dev.example.com:443
        ...
    </VirtualHost>
    ...

Please also note that the vhosts above are the defaults for requests on 192.168.0.10:443 only (first on that IP:port), and hence requests on 172.17.0.11:443 may still reach:

    <VirtualHost 172.17.0.11:443>
        ServerName toto.example.com:443
        ...
    </VirtualHost>

if this is the first one on that IP:port (and the requested host is not a declared vhost). Moreover requests for toto.example.com on 192.168.0.10:443 have no chance to reach this vhost.

So I think you should declare all the related vhosts on the same IP:port (and the selection will be based on the SNI given by the client), otherwise you'll have to declare a default for each IP:port.

Regards,
Yann.
Re: [users@httpd] CustomLog fails when piped to sed
On Wed, Mar 11, 2015 at 11:10 PM, Debajit Adhikary deba...@outlook.com wrote:
> CustomLog |/bin/sed -r s/pass/REDACTED/g /workplace/tmp/access.log common
>
> However, when I make a request to Apache, I get an error saying
>
> /bin/sed: can't read : No such file or directory
>
> How can I get this working? (It seems others have been able to use piped CustomLog like this)

With Apache 2.4.x, you probably have to use:

    CustomLog $|/bin/sed -r s/pass/REDACTED/g /workplace/tmp/access.log common

Note the leading $ so that a shell is used (see http://httpd.apache.org/docs/2.4/logs.html#piped).

Regards,
Yann.
Re: [users@httpd] CustomLog fails when piped to sed
On Thu, Mar 12, 2015 at 12:03 AM, Yann Ylavic ylavic@gmail.com wrote:
> With Apache 2.4.x, you probably have to use:
>
> CustomLog $|/bin/sed -r s/pass/REDACTED/g /workplace/tmp/access.log common

Oops, I meant |$..., with the $ *after* the |.
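
Added example, not part of the thread: a small filter script that httpd can run as a piped logger without the |$ shell form, redacting the value of sensitive query parameters instead of the literal string "pass". The script path, the parameter names and the sample log line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: a filter that httpd can run as a piped
# logger. Hypothetical install path and directive (no |$ shell form is needed,
# because httpd starts the script directly and passes the file name as $1):
#   CustomLog "|/usr/local/bin/redact-log.sh /workplace/tmp/access.log" common

# Assumed names of query parameters that carry secrets; adjust per application.
SENSITIVE_KEYS='pass|passwd|password|token'

# Replace the VALUE of each sensitive parameter and keep its name.
# The key must follow ? or &, so "compass=north" is left alone, and the value
# ends at &, a space or a double quote (the end of the logged request line).
redact_stream() {
    sed -E "s/([?&](${SENSITIVE_KEYS})=)[^& \"]*/\\1REDACTED/g"
}

# Read log lines on stdin and append the redacted form to the file in $1.
# umask 077 makes a newly created log file readable by its owner only.
log_to() {
    umask 077
    redact_stream >> "$1"
}

if [ "$#" -gt 0 ]; then
    # Logger mode: httpd writes access-log lines to our stdin.
    log_to "$1"
else
    # No target file given: show the effect on one constructed log line.
    printf '%s\n' '203.0.113.5 - - [11/Mar/2015:23:10:00 +0000] "GET /login?user=bob&password=hunter2 HTTP/1.1" 200 12' \
        | redact_stream
fi
```

When sed writes to a file it buffers its output, so lines can appear late in a log that is being tailed; GNU sed's -u option flushes after each line.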
Re: [users@httpd] Decompress requests using mod_deflate and uset Content-Encoding header
On Tue, Mar 10, 2015 at 10:25 AM, Yann Ylavic ylavic@gmail.com wrote:
> Hi Dennis,
>
> On Tue, Mar 10, 2015 at 10:07 AM, dennis.luna...@t-systems.com wrote:
>> But my current problem is that I can't get the decompression of the requests working.
>
> SetInputFilter INFLATE (instead of DEFLATE)?

No, it's an output filter only, the right one is indeed DEFLATE (which inflates). Sorry for the noise.

Regards,
Yann.
Re: [users@httpd] Decompress requests using mod_deflate and uset Content-Encoding header
Hi Dennis,

On Tue, Mar 10, 2015 at 10:07 AM, dennis.luna...@t-systems.com wrote:
> But my current problem is that I can't get the decompression of the requests working.

SetInputFilter INFLATE (instead of DEFLATE)?

Regards,
Yann.
Re: [users@httpd] Apache 2.4 create a huge amount of shared memory segments
Hi Sylvain,

On Fri, Dec 19, 2014 at 11:04 AM, Sylvain Goulmy sygou...@gmail.com wrote:
> My configuration is currently defining 338 virtual hosts and 169 proxy balancers. The balancers are defined in the main section. Each virtual host refers only one balancer.
>
> Here what i notice :
> - Apache creates one shm for each balancer
> - Each virtual hosts creates one shm for each balancer even if it doesn't refer it...

In 2.4, each vhost's balancer needs its own SHM plus as many SHMs as the balancer's members (the dynamic balancer-manager manages per vhost). By declaring all the balancers in the main config (and using BalancerInherit on to make them *all* available in *all* the vhosts), you multiply that number by the number of balancers and the number of vhosts...

> Am i missing a directive that could avoid that behaviour or do i have to redesign my all configuration by moving each balancer definition at the virtual host level ?

You can't set BalancerInherit off since the main balancers won't be usable in the vhosts anymore. Since moreover each virtual host refers only one balancer in your configuration, you'd better declare each balancer in the corresponding vhost, and see that no more shared-memory than needed will be created (depending on the number of balancer members used by each vhost).

Regards,
Yann.
Re: [users@httpd] Apache 2.4 create a huge amount of shared memory segments
If you can manage to recompile the APR library used by your Apache 2.4 (you probably did that already since 2.4 does not seem to be the version packaged with RHEL 6.4), you can use ./configure --enable-posix-shm ... to use another shared memory mechanism than the default one (IPC SysV) which is limited to 32K segments (system wide). The number of segments would then be limited by the usual number of file descriptors per process (ulimit -n). Unfortunately, there is no equivalent to the Mutex directive for shared memories, this can't be changed by httpd's configuration (as far as I know).

On Thu, Dec 18, 2014 at 2:30 PM, Sylvain Goulmy sygou...@gmail.com wrote:
> I also noticed that a single proxy_balancer creates almost 350 shm on the system. Is it normal that a single proxy_balancer creates so many shm ?

How many VirtualHost(s) do you use in your configuration? Also, how do you declare the balancer(s), in each VirtualHost or in the main section using BalancerInherit on?

> Do i really have to increase the memory segment on my system in huge proportion to handle all my proxy_balancers ?

The number of IPC SysV shared-memory segments is limited to 32768 on linux (system wide), and you are already above with 100 * 350, so you would need to use another SHM mechanism.

Unfortunately, there is no equivalent to the Mutex directive for shared memories, AFAIK this can't be changed by httpd's configuration. So you would have to recompile the APR library used by your Apache 2.4 (you probably did that already since RHEL 6.4 does not seem to package 2.4 by default), and do for example ./configure --enable-posix-shm ... to use another shared-memory mechanism. The number of segments would then be limited by the usual number of file descriptors per process (ulimit -n).

However 350 shm per balancer looks weird to me, your configuration may do something not optimal...

Regards,
Yann.
Re: [users@httpd] Apache 2.4 create a huge amount of shared memory segments
On Fri, Dec 19, 2014 at 12:06 AM, Yann Ylavic ylavic@gmail.com wrote:
> If you can manage to recompile the APR library used by your Apache 2.4 (you probably did that already since 2.4 does not seem to be the version packaged with RHEL 6.4), you can use ./configure --enable-posix-shm ... to use another shared memory mechanism than the default one (IPC SysV) which is limited to 32K segments (system wide). The number of segments would then be limited by the usual number of file descriptors per process (ulimit -n). Unfortunately, there is no equivalent to the Mutex directive for shared memories, this can't be changed by httpd's configuration (as far as I know).

Oops, this leading part was not meant to be sent, and is rephrased anyway below according to message, more accurately. Please ignore it...

> On Thu, Dec 18, 2014 at 2:30 PM, Sylvain Goulmy sygou...@gmail.com wrote:
>> I also noticed that a single proxy_balancer creates almost 350 shm on the system. Is it normal that a single proxy_balancer creates so many shm ?
>
> How many VirtualHost(s) do you use in your configuration? Also, how do you declare the balancer(s), in each VirtualHost or in the main section using BalancerInherit on?
>
>> Do i really have to increase the memory segment on my system in huge proportion to handle all my proxy_balancers ?
>
> The number of IPC SysV shared-memory segments is limited to 32768 on linux (system wide), and you are already above with 100 * 350, so you would need to use another SHM mechanism.
>
> Unfortunately, there is no equivalent to the Mutex directive for shared memories, AFAIK this can't be changed by httpd's configuration. So you would have to recompile the APR library used by your Apache 2.4 (you probably did that already since RHEL 6.4 does not seem to package 2.4 by default), and do for example ./configure --enable-posix-shm ... to use another shared-memory mechanism. The number of segments would then be limited by the usual number of file descriptors per process (ulimit -n).
>
> However 350 shm per balancer looks weird to me, your configuration may do something not optimal...
>
> Regards,
> Yann.
Re: [users@httpd] Trouble upgrading to 2.2.29 from 2.2.8 - mod_deflate error
Hello Christopher,

there seems to be an old APR library ( v1.3.0) installed on your system (/usr/local/apache2/include?).

What ./configure options did you use? You probably need to compile (and run) with the APR embedded in the httpd-2.2.29 archive using:

    ./configure --with-included-apr

At runtime, it might also be necessary to link with this newly installed APR using something like LD_LIBRARY.

Regards,
Yann.

On Thu, Oct 30, 2014 at 8:10 PM, Christopher Stanley ch...@stanleynetworks.net wrote:
> Hey guys!
>
> I am having trouble upgrading from Apache 2.2.8 - 2.2.29 with the following error occurring after running 'make'
>
> /usr/local/apache2/build/libtool --silent --mode=compile gcc -g -O2 -pthread -DLINUX=2 -D_REENTRANT -D_GNU_SOURCE -D_LARGEFILE64_SOURCE -I/opt/vignette/software/apache/srclib/pcre -I. -I/opt/vignette/software/apache/os/unix -I/opt/vignette/software/apache/server/mpm/prefork -I/opt/vignette/software/apache/modules/http -I/opt/vignette/software/apache/modules/filters -I/opt/vignette/software/apache/modules/proxy -I/opt/vignette/software/apache/include -I/opt/vignette/software/apache/modules/generators -I/opt/vignette/software/apache/modules/mappers -I/opt/vignette/software/apache/modules/database -I/usr/local/apache2/include -I/opt/vignette/software/apache/modules/proxy/../generators -I/usr/kerberos/include -I/opt/vignette/software/apache/modules/ssl -I/opt/vignette/software/apache/modules/dav/main -prefer-non-pic -static -c mod_deflate.c touch mod_deflate.lo
> mod_deflate.c: In function `deflate_out_filter':
> mod_deflate.c:790: error: `APR_INT32_MAX' undeclared (first use in this function)
> mod_deflate.c:790: error: (Each undeclared identifier is reported only once
> mod_deflate.c:790: error: for each function it appears in.)
> mod_deflate.c: In function `deflate_in_filter':
> mod_deflate.c:1165: error: `APR_INT32_MAX' undeclared (first use in this function)
> mod_deflate.c: In function `inflate_out_filter':
> mod_deflate.c:1550: error: `APR_INT32_MAX' undeclared (first use in this function)
> make[3]: *** [mod_deflate.lo] Error 1
> make[3]: Leaving directory `/opt/vignette/software/httpd-2.2.29/modules/filters'
> make[2]: *** [all-recursive] Error 1
> make[2]: Leaving directory `/opt/vignette/software/httpd-2.2.29/modules/filters'
> make[1]: *** [all-recursive] Error 1
> make[1]: Leaving directory `/opt/vignette/software/httpd-2.2.29/modules'
> make: *** [all-recursive] Error 1
>
> I am running RHEL4 (I know it's bad)
>
> Any help would be much appreciated!
>
> Thanks!
Re: [users@httpd] Trouble upgrading to 2.2.29 from 2.2.8 - mod_deflate error
On Sat, Nov 1, 2014 at 10:47 PM, Yann Ylavic ylavic@gmail.com wrote:
> At runtime, it might also be necessary to link with this newly installed APR using something like LD_LIBRARY.

I meant LD_LIBRARY_PATH=/path/to/httpd-2.2.29/lib /path/to/httpd-2.2.29/bin/httpd
Re: [users@httpd] Interrupted system call: Failed to acquire SSL session cache lock
On Wed, Jul 16, 2014 at 12:49 PM, Jeff Trawick traw...@gmail.com wrote:
> On Jul 15, 2014 8:46 PM, Tomlinson, Stuart st0...@intl.att.com wrote:
>> Are there any expected negative impacts from using sysvsem instead of sem (which I understand defaults to posixsem - described in the documentation as elegant, whereas sysvsem is merely somewhat elegant)?
>
> Funny developers...
>
> There is safety in numbers (i.e., use what other people on your platform use, unless you have a specific problem). sysvsem is the default on Linux. (I assume you are using Linux, but maybe that is not the case.)
>
> Using sysvsem on Solaris with the prefork MPM, you would likely have to increase the number of semaphore undo structures (at least in the old days; I can't find my normal go-to reference for AcceptMutex oddities; Eric?)

SSLMutex/AcceptMutex pthread work very well on Linux, and have the advantage to be robust against children crashing while holding the lock (like sysvsem, unlike posixsem AFAICT), without system limits (unlike sysvsem).

This is probably true for all unixes that HAVE_PTHREAD_MUTEX_ROBUST (ie. pthread_mutexattr_setrobust_np), but I can't verify that.

Regards,
Yann.
Re: [users@httpd] Interrupted system call: Failed to acquire SSL session cache lock
On Wed, Jul 16, 2014 at 1:30 PM, Jeff Trawick traw...@gmail.com wrote:
> I won't disagree with you at all Yann, but in the interest of promoting the idea that you don't actually have to use all the configuration httpd offers: If the poster had not made a change from the default based on some developer's silly comment in the documentation, they wouldn't have encountered a problem. It is best to leave the mutex type alone unless you have a specific issue.

I agree of course, the default is the most used/tested configuration.
Re: [users@httpd] 200 OK for a network error?
Hello,

I think this has been fixed in 2.4.8 with this changelog:

    *) core: Detect incomplete request and response bodies, log an error and forward it to the underlying filters. PR 55475 [Yann Ylavic]

A backport is proposed for next 2.2.x release and is waiting for approvals. I will update the bugzilla https://issues.apache.org/bugzilla/show_bug.cgi?id=55475 about this.

Please note that with this fix the HTTP status returned to the client (and logged) will be 408 (Request Timeout).

On Tue, Jul 15, 2014 at 8:22 AM, Nozomi Anzai an...@sraoss.co.jp wrote:
> Does anyone have some comments?
>
>> Hi,
>>
>> I have a question about HTTP status codes.
>>
>> - I use Apache 2.2.15 + mod_proxy_ajp + Tomcat 6.0.35.
>> - Apache's Timeout is 90 sec, and Tomcat AJP connector's connectionTimeout is 1 (10 sec).
>> - Apache's keepAlive is off.
>> - While uploading a large-sized file and waiting the response, I switched off network of the client machine.
>> - The Tomcat returned a status code which depended on the application (500 internal server error, 200 OK and so on), but Apache always wrote 200 OK in its access log.
>>
>> I'm wondering if it is by design or not that Apache returns 200 OK in such network error. I don't expect that Apache has to return Tomcat's status codes, but expect a kind of 50x error. Any ideas?
>>
>> The log messages about this are as follows:
>>
>> [12:00:26] A user starts file uploading.
>>
>> == httpd-2.2.15/logs/error_log ==
>> [Tue Jul 01 12:00:26 2014] [debug] mod_proxy_ajp.c(45): proxy: AJP: canonicalising URL //localhost:8009/upload/ultest
>> :
>> [Tue Jul 01 12:00:26 2014] [debug] mod_proxy_ajp.c(270): proxy: data to read (max 8186 at 4)
>> [Tue Jul 01 12:00:26 2014] [debug] mod_proxy_ajp.c(285): proxy: got 952 bytes of data
>>
>> [12:00:30] A user disconnects the client's network. (There are no log messages about this.)
>>
>> [12:00:50] Tomcat recognizes the timeout. (20 sec after disconnecting)
>>
>> == tomcat-6.0.35/logs/catalina.out ==
>> org.apache.commons.fileupload.FileUploadBase$IOFileUploadException:Processing of multipart/form-data request failed. Read timed out
>> :
>> Caused by: java.net.SocketTimeoutException: Read timed out
>> :
>>
>> == tomcat-6.0.35/logs/localhost.2014-07-01.log ==
>> Jul 01, 2014 12:00:50 PM org.apache.catalina.core.StandardWrapperValve invoke
>> SEVERE: Servlet.service() for servlet uploadtest threw exception
>> javax.servlet.ServletException: FOR DEBUG servlet
>> :
>>
>> == tomcat-6.0.35/logs/localhost_access_log.2014-07-01.txt ==
>> 133.137.177.172 - - [01/Jul/2014:12:00:50 +0900] POST /upload/ultest HTTP/1.1 500 1362 23396
>>
>> [12:02:00] Apache recognizes the timeout. (90 sec after disconnecting)
>>
>> == httpd-2.2.15/logs/error_log ==
>> [Tue Jul 01 12:02:00 2014] [debug] mod_proxy_ajp.c(379): (70007)The timeout specified has expired: ap_get_brigade failed
>> [Tue Jul 01 12:02:00 2014] [debug] mod_proxy_ajp.c(545): proxy: Processing of request failed backend: 0, output: 1, data_sent: 0
>> [Tue Jul 01 12:02:00 2014] [debug] proxy_util.c(2029): proxy: AJP: has released connection for (localhost)
>>
>> [12:03:30] Apache recognizes the timeout. (180 sec after disconnecting)
>>
>> == httpd-2.2.15/logs/access_log ==
>> 133.137.177.172 - - [01/Jul/2014:12:00:26 +0900] POST /upload/ultest HTTP/1.1 200 - 183547381 -
>>
>> Regards,
>> --
>> Nozomi Anzai
>
> --
> Nozomi Anzai