Re: [users@httpd] reverse proxy setup

2024-07-11 Thread bruce
right..

and that appears to be from sending the "berat" to the PM2 server...

when I test  -- curl http://127.0.0.1:3001/berat
 throws a "Internal Server Error"

and when I examine the
 /root/.pm2/logs/waitlist-landing-page-error.log
 there appears to be a stacktrace/error data..

so this might be due to screwed up berat.conf config file... which is
my expectation.


On Thu, Jul 11, 2024 at 2:59 PM Frank Gingras  wrote:
>
>
>
> On Thu, Jul 11, 2024 at 2:55 PM bruce  wrote:
>>
>> on the options.. ok. But I have no clue if they're the right options,
>> as I'm looking over numerous sites, and copious testing -- trial/error
>> to understand.
>>
>> there is no php involved, and the apache error log data I pasted
>> appears to be the relevant data

Re: [users@httpd] reverse proxy setup

2024-07-11 Thread Frank Gingras
On Thu, Jul 11, 2024 at 2:55 PM bruce  wrote:

> on the options.. ok. But I have no clue if they're the right options,
> as I'm looking over numerous sites, and copious testing -- trial/error
> to understand.
>
> there is no php involved, and the apache error log data I pasted
> appears to be the relevant data

Re: [users@httpd] reverse proxy setup

2024-07-11 Thread Frank Gingras
On Thu, Jul 11, 2024 at 2:52 PM bruce  wrote:

> Hi Frank...
>
> update..
>
> just discovered that the error is from
>
> curl http://127.0.0.1:3000/berat
> "Internal Server Error"
>
> aha.. just tested it on a whim...
> but the internal curl without the "berat" returns data.
>
> ..so how/what's happening hmm

Re: [users@httpd] reverse proxy setup

2024-07-11 Thread bruce
on the options.. ok. But I have no clue if they're the right options,
as I'm looking over numerous sites, and copious testing -- trial/error
to understand.

there is no php involved, and the apache error log data I pasted
appears to be the relevant data


Re: [users@httpd] reverse proxy setup

2024-07-11 Thread bruce
Hi Frank...

update..

just discovered that the error is from

curl http://127.0.0.1:3000/berat
"Internal Server Error"

aha.. just tested it on a whim...
but the internal curl without the "berat" returns data.

..so how/what's happening hmm


Re: [users@httpd] reverse proxy setup

2024-07-11 Thread Frank Gingras
On Thu, Jul 11, 2024 at 2:41 PM bruce  wrote:

> Hi Frank!
>
> Again, thanks for all your replies... Hopefully, I'll eventually have
> the "light" turn on!

Re: [users@httpd] reverse proxy setup

2024-07-11 Thread bruce
Hi Frank!

Again, thanks for all your replies... Hopefully, I'll eventually have
the "light" turn on!

Here's updated information
 -updated berat.conf  -- for the virthost/config
-output from the  --  /var/logs/apache/error.log
-output from the ---  apachectl -S
and the display from the browser/url

cat /etc/apache2/sites-available/berat.conf

ServerAdmin f...@yahoo.com
ServerName  temp22
ServerAlias temp

DocumentRoot   /var/www/html/berat

 ProxyPass / http://127.0.0.1:3000/

 ProxyPassReverse / http://127.0.0.1:3000/




Options +FollowSymLinks

AllowOverride All
Options -MultiViews

Require all granted
##Options -Indexes +FollowSymLinks +MultiViews
AllowOverride All Require all granted




LogLevel debug
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined



apachectl -S
AH00558: apache2: Could not reliably determine the server's fully
qualified domain name, using 10.10.0.9. Set the 'ServerName' directive
globally to suppress this message
VirtualHost configuration:
*:80   is a NameVirtualHost
 default server temp22
(/etc/apache2/sites-enabled/berat.conf:1)
 port 80 namevhost temp22
(/etc/apache2/sites-enabled/berat.conf:1) 
 alias temp
 port 80 namevhost temp22 (/etc/apache2/sites-enabled/dolibarr.conf:1)
 alias temp
 port 80 namevhost temp22 (/etc/apache2/sites-enabled/domainmod.conf:1)
 alias temp
 port 80 namevhost temp22 (/etc/apache2/sites-enabled/drougnov.conf:1)
 alias temp
 port 80 namevhost temp22 (/etc/apache2/sites-enabled/filgeary.conf:1)
 alias temp
 port 80 namevhost temp22 (/etc/apache2/sites-enabled/flatpress.conf:1)
 alias temp
 port 80 namevhost temp22 (/etc/apache2/sites-enabled/freescout.conf:1)
 alias temp
 port 80 namevhost temp22 (/etc/apache2/sites-enabled/glozzome.conf:1)
 alias temp
 port 80 namevhost temp22
(/etc/apache2/sites-enabled/invoiceninja.conf:1)
 alias temp
 port 80 namevhost temp22
(/etc/apache2/sites-enabled/invoiceplane.conf:1)
 alias temp
 port 80 namevhost temp22 (/etc/apache2/sites-enabled/larap.conf:1)
 alias temp
 port 80 namevhost temp22 (/etc/apache2/sites-enabled/mantisbt.conf:1)
 alias temp
 port 80 namevhost temp22 (/etc/apache2/sites-enabled/matomo.conf:1)
 alias temp
 port 80 namevhost temp22 (/etc/apache2/sites-enabled/minthcm.conf:1)
 alias temp
 port 80 namevhost temp22 (/etc/apache2/sites-enabled/petronius.conf:1)
 alias temp
 port 80 namevhost temp22 (/etc/apache2/sites-enabled/priyansh.conf:1)
 alias temp
 port 80 namevhost temp22 (/etc/apache2/sites-enabled/sendportal.conf:1)
 alias temp
 port 80 namevhost temp22 (/etc/apache2/sites-enabled/snipe.conf:1)
 alias temp
 port 80 namevhost temp22 (/etc/apache2/sites-enabled/uideck.conf:1)
 alias temp
 port 80 namevhost temp22 (/etc/apache2/sites-enabled/userlp.conf:1)
 alias temp
 port 80 namevhost temp22 (/etc/apache2/sites-enabled/wave.conf:1)
 alias temp
 port 80 namevhost temp22 (/etc/apache2/sites-enabled/zentaopms.conf:1)
 alias temp
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex proxy: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33
//

more /var/logs/apache2/error.log
[Thu Jul 11 18:34:26.962982 2024] [proxy:debug] [pid 75271]
proxy_util.c(2154): AH00925: initializing worker
http://127.0.0.1:3000/ shared
[Thu Jul 11 18:34:26.963057 2024] [proxy:debug] [pid 75271]
proxy_util.c(2214): AH00927: initializing worker
http://127.0.0.1:3000/ local
[Thu Jul 11 18:34:26.963128 2024] [proxy:debug] [pid 75271]
proxy_util.c(2262): AH00931: initialized single connection worker in
child 75271 for (127.0.0.1:3000)
[Thu Jul 11 18:34:36.463332 2024] [authz_core:debug] [pid 75267]
mod_authz_core.c(843): [client 162.234.196.167:60276] AH01628:
authorization result: granted (no directives)
[Thu Jul 11 18:34:36.463485 2024] [proxy:debug] [pid 75267]
mod_proxy.c(1521): [client 162.234.196.167:60276] AH01143: Running
scheme http handler 
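
In the `apachectl -S` dump above, every enabled site on `*:80` declares the same `ServerName temp22` and alias `temp`; httpd serves a name-based request from the first vhost whose name matches, so the later files are never selected by name. The following is an added example, not part of the thread: it parses such a dump, tolerating mail quoting and line wrapping, and lists the shadowed vhosts. The function names are hypothetical and the sample is constructed from the output shown.

```python
import re

# Constructed sample: a shortened copy of the `apachectl -S` dump from the
# thread, keeping one level of mail quoting and the mail-client line wrapping.
SAMPLE = """\
> VirtualHost configuration:
> *:80   is a NameVirtualHost
>  default server temp22
> (/etc/apache2/sites-enabled/berat.conf:1)
>  port 80 namevhost temp22
> (/etc/apache2/sites-enabled/berat.conf:1)
>  alias temp
>  port 80 namevhost temp22 (/etc/apache2/sites-enabled/dolibarr.conf:1)
>  alias temp
>  port 80 namevhost temp22
> (/etc/apache2/sites-enabled/matomo.conf:1)
>  alias temp
> ServerRoot: "/etc/apache2"
"""

# One token per alternative: the address header, a vhost entry, an alias line.
TOKEN_RE = re.compile(
    r"(?P<addr>\S+:\d+)\s+is\s+a\s+NameVirtualHost"
    r"|port\s+(?P<port>\d+)\s+namevhost\s+(?P<name>\S+)\s*"
    r"\((?P<conf>[^()\s]+):(?P<line>\d+)\)"
    r"|\balias\s+(?P<alias>\S+)"
)


def parse_vhosts(text):
    """Return the vhost entries of an `apachectl -S` dump, in listed order."""
    # Drop leading quote markers, then undo wrapping by joining on spaces.
    flat = " ".join(re.sub(r"^[>\s]+", "", ln) for ln in text.splitlines())
    vhosts, addr = [], None
    for m in TOKEN_RE.finditer(flat):
        if m.group("addr"):
            addr = m.group("addr")
        elif m.group("name"):
            vhosts.append({
                "addr": addr,
                "port": int(m.group("port")),
                "names": [m.group("name")],
                "conf": m.group("conf"),
                "line": int(m.group("line")),
            })
        elif m.group("alias") and vhosts:
            vhosts[-1]["names"].append(m.group("alias"))
    return vhosts


def shadowed_vhosts(vhosts):
    """Return (conf, winning_conf) for vhosts unreachable by any of their names.

    A vhost is reported when every ServerName/ServerAlias it declares is
    already claimed by an earlier vhost on the same address and port.
    Wildcard aliases are compared literally (simplifying assumption).
    """
    owner = {}  # (addr, port, hostname) -> conf file of the first claimant
    shadowed = []
    for vh in vhosts:
        keys = [(vh["addr"], vh["port"], n.lower()) for n in vh["names"]]
        winners = [owner.get(k) for k in keys]
        if all(w is not None for w in winners):
            shadowed.append((vh["conf"], winners[0]))
        for k in keys:
            owner.setdefault(k, vh["conf"])
    return shadowed


if __name__ == "__main__":
    for conf, winner in shadowed_vhosts(parse_vhosts(SAMPLE)):
        print(f"{conf}: never matched by name, requests go to {winner}")
```

A shadowed vhost's `Require`, `Directory` and proxy rules are never applied to traffic sent to that hostname, so the access policy in force is whatever the winning file declares.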

Re: [users@httpd] reverse proxy setup

2024-07-11 Thread Frank Gingras
On Thu, Jul 11, 2024 at 12:43 PM bruce  wrote:

> updated typo..
>
> weird thing now.. based on the current/listed apache conf file...
> i get the "Internal Server Error" page now..
>
> On Thu, Jul 11, 2024 at 12:39 PM bruce  wrote:
> >
> > Hi Frank,
> >
> > Thanks for the reply.
> >
> > I'm still going through suggestions, as well as information from other
> > sites. I'm still confused, and think I might be making things worse.
> >
> > Not sure if this is accepted as a question, but if you have
> > apache/proxy skills, are you up for making a few $$!
> >
> > I'm thinking this is reasonably simple, but I'm missing something.
> >
> > The test server has multiple test apps, running off subfolders
> > /var/www/html/test1
> > /var/www/html/test2
> > /var/www/html/berat
> >
> > Right now, for the test "berat" app, the changes I made are generating
> > an internal 500 server error.
> >
> > The test url -- http://161.35.5.174/berat
> >
> > Thanks for your pointers/insight!
> >
> > weird thing now.. based on the current/listed apache conf file...
> > i get the base "ubuntu/apache" default page now..
> >  --the "berat" is trimmed...
> >
> > =
> > cat /etc/apache2/sites-available/berat.conf
> > 
> > ServerAdmin f...@yahoo.com
> > ServerName  temp22
> > ServerAlias temp
> >
> > DocumentRoot   /var/www/html/berat
> >
> >  ProxyPass / http://127.0.0.1:3000/
> >
> >  ProxyPassReverse / http://127.0.0.1:3000/
> >
> >
> > #DocumentRoot   /var/www/html/berat
> >
> >
> > 
> >
> > #ProxyRequests Off
> > #ProxyPreserveHost On
> > #
> > #  Require all granted
> > #
> >
> > #ProxyPass / http://127.0.0.1:3000/
> >
> > #ProxyPassReverse / http://127.0.0.1:3000/
> >
> > #DirectoryIndex index.html index.php
> >
> > #Options -Indexes +FollowSymLinks +MultiViews
> > Options +FollowSymLinks
> >
> > AllowOverride All
> > Options -MultiViews
> > Order allow,deny
> > Allow from all
> >
> > #Require all granted
> > ##Options -Indexes +FollowSymLinks +MultiViews
> > AllowOverride All Require all granted
> >
> >
> > ##Options Indexes FollowSymLinks MultiViews
> > ##Options -Indexes FollowSymlinks
> > #Options FollowSymlinks
> > #AllowOverride All
> > ##Order allow,deny
> > ##allow from all
> > #Require all granted
> > 
> >
> > ##Alias "/berat" "/var/www/html/berat/"
> >
> >
> > LogLevel debug
> > ErrorLog ${APACHE_LOG_DIR}/error.log
> > CustomLog ${APACHE_LOG_DIR}/access.log combined
> > 
> >
> > On Thu, Jul 11, 2024 at 9:40 AM Frank Gingras  wrote:
> > >
> > >
> > >
> > > On Thu, Jul 11, 2024 at 8:02 AM Marc  wrote:
> > >>
> > >>  I am testing a bit with this:
> > >>
> > >>  32 
> > >>  33 # files are still loaded from default host
> > >>  34 Define defaulthost ""
> > >>  35 Define proxyhost ""
> > >>  36
> > >>  37 ProxyPreserveHost Off
> > >>  38 ProxyAddHeaders On
> > >>  39 SetOutputFilter  proxy-html
> > >>  40 ProxyHTMLEnable On
> > >>  41 ProxyHTMLExtended On
> > >>  42
> > >>  43 ProxyPass"https://${proxyhost}/;
> > >>  44 ProxyPassReverse "https://${proxyhost}/;
> > >>  45
> > >>  46 ProxyPassReverseCookieDomain "${proxyhost}" "${defaulthost}"
> > >>  47 ProxyPassReverseCookiePath   "/" "//"
> > >>  48
> > >>  49 Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=None
> > >>  50
> > >>  51 ProxyHTMLURLMap https://${proxyhost}/ https://${defaulthost}/
> > >>  52
> > >>  53 Options +ExecCGI +FollowSymLinks -MultiViews
> > >>  54 
> > >>
> > >> > -Original Message-
> > >> > From: bruce 
> > >> > Sent: Thursday, 11 July 2024 13:20
> > >> > To: users@httpd.apache.org
> > >> > Subject: [users@httpd] reverse proxy setup
> > >> >
> > >> > Hi.
> > >> >
> > >> > Testing a github app that appears to use/require reverse proxy to
> > >> > display results on the browser.
> > >> >
> > >> > The basic app uses npm/nextjs to generate content, Per different
> > >> > sites, the process uses PM2 to run the process, and to be able to show
> > >> > the content via an internal/local "server". This is accessed via  --
> > >> > http://127.0.0.1:3000.
> > >> >
> > >> > Using curl on the local/test server, content can be accessed via the site
> > >> >  curl  http://127.0.0.1:3000.
> > >> >
> > >> > My issue now, is how to create the Apache conf to be able to have the
> > >> > user at http://1.2.3.4/berat, be able to display the content. This
> > >> > requires somehow setting up the reverse proxy process, in the VirtHost
> > >> > of the config file. The test site is 

Re: [users@httpd] reverse proxy setup

2024-07-11 Thread bruce
updated typo..

weird thing now.. based on the current/listed apache conf file...
i get the "Internal Server Error" page now..

On Thu, Jul 11, 2024 at 12:39 PM bruce  wrote:
>
> Hi Frank,
>
> Thanks for the reply.
>
> I'm still going through suggestions, as well as information from other
> sites. I'm still confused, and think I might be making things worse.
>
> Not sure if this is accepted as a question, but if you have
> apache/proxy skills, are you up for making a few $$!
>
> I'm thinking this is reasonably simple, but I'm missing something.
>
> The test server has multiple test apps, running off subfolders
> /var/www/html/test1
> /var/www/html/test2
> /var/www/html/berat
>
> Right now, for the test "berat" app, the changes I made are generating
> an internal 500 server error.
>
> The test url -- http://161.35.5.174/berat
>
> Thanks for your pointers/insight!
>
> weird thing now.. based on the current/listed apache conf file...
> i get the base "ubuntu/apache" default page now..
>  --the "berat" is trimmed...
>
> =
> cat /etc/apache2/sites-available/berat.conf
> 
> ServerAdmin f...@yahoo.com
> ServerName  temp22
> ServerAlias temp
>
> DocumentRoot   /var/www/html/berat
>
>  ProxyPass / http://127.0.0.1:3000/
>
>  ProxyPassReverse / http://127.0.0.1:3000/
>
>
> #DocumentRoot   /var/www/html/berat
>
>
> 
>
> #ProxyRequests Off
> #ProxyPreserveHost On
> #
> #  Require all granted
> #
>
> #ProxyPass / http://127.0.0.1:3000/
>
> #ProxyPassReverse / http://127.0.0.1:3000/
>
> #DirectoryIndex index.html index.php
>
> #Options -Indexes +FollowSymLinks +MultiViews
> Options +FollowSymLinks
>
> AllowOverride All
> Options -MultiViews
> Order allow,deny
> Allow from all
>
> #Require all granted
> ##Options -Indexes +FollowSymLinks +MultiViews
> AllowOverride All Require all granted
>
>
> ##Options Indexes FollowSymLinks MultiViews
> ##Options -Indexes FollowSymlinks
> #Options FollowSymlinks
> #AllowOverride All
> ##Order allow,deny
> ##allow from all
> #Require all granted
> 
>
> ##Alias "/berat" "/var/www/html/berat/"
>
>
> LogLevel debug
> ErrorLog ${APACHE_LOG_DIR}/error.log
> CustomLog ${APACHE_LOG_DIR}/access.log combined
> 
>
> On Thu, Jul 11, 2024 at 9:40 AM Frank Gingras  wrote:
> >
> >
> >
> > On Thu, Jul 11, 2024 at 8:02 AM Marc  wrote:
> >>
> >>  I am testing a bit with this:
> >>
> >>  32 
> >>  33 # files are still loaded from default host
> >>  34 Define defaulthost ""
> >>  35 Define proxyhost ""
> >>  36
> >>  37 ProxyPreserveHost Off
> >>  38 ProxyAddHeaders On
> >>  39 SetOutputFilter  proxy-html
> >>  40 ProxyHTMLEnable On
> >>  41 ProxyHTMLExtended On
> >>  42
> >>  43 ProxyPass"https://${proxyhost}/;
> >>  44 ProxyPassReverse "https://${proxyhost}/;
> >>  45
> >>  46 ProxyPassReverseCookieDomain "${proxyhost}" "${defaulthost}"
> >>  47 ProxyPassReverseCookiePath   "/" "//"
> >>  48
> >>  49 Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=None
> >>  50
> >>  51 ProxyHTMLURLMap https://${proxyhost}/ https://${defaulthost}/
> >>  52
> >>  53 Options +ExecCGI +FollowSymLinks -MultiViews
> >>  54 
> >>
> >> > -Original Message-
> >> > From: bruce 
> >> > Sent: Thursday, 11 July 2024 13:20
> >> > To: users@httpd.apache.org
> >> > Subject: [users@httpd] reverse proxy setup
> >> >
> >> > Hi.
> >> >
> >> > Testing a github app that appears to use/require reverse proxy to
> >> > display results on the browser.
> >> >
> >> > The basic app uses npm/nextjs to generate content, Per different
> >> > sites, the process uses PM2 to run the process, and to be able to show
> >> > the content via an internal/local "server". This is accessed via  --
> >> > http://127.0.0.1:3000.
> >> >
> >> > Using curl on the local/test server, content can be accessed via the site
> >> >  curl  http://127.0.0.1:3000.
> >> >
> >> > My issue now, is how to create the Apache conf to be able to have the
> >> > user at http://1.2.3.4/berat, be able to display the content. This
> >> > requires somehow setting up the reverse proxy process, in the VirtHost
> >> > of the config file. The test site is being run from a subdir
> >> >   /var/www/html/berat <<<
> >> >
> >> > Researching/testing hasn't had the light go off yet!
> >> >
> >> > Here's what I've got, but it's not correct.
> >> >
> >> > Pointers would be useful. (and possible explanation!)
> >> >
> >> > cat /etc/apache2/sites-available/berat.conf
> >> > 
> >> > ServerAdmin f...@yahoo.com
> >> > 

Re: [users@httpd] reverse proxy setup

2024-07-11 Thread bruce
Hi Frank,

Thanks for the reply.

I'm still going through suggestions, as well as information from other
sites. I'm still confused, and think I might be making things worse.

Not sure if this is accepted as a question, but if you have
apache/proxy skills, are you up for making a few $$!

I'm thinking this is reasonably simple, but I'm missing something.

The test server has multiple test apps, running off subfolders
/var/www/html/test1
/var/www/html/test2
/var/www/html/berat

Right now, for the test "berat" app, the changes I made are generating
an internal 500 server error.

The test url -- http://161.35.5.174/berat

Thanks for your pointers/insight!

weird thing now.. based on the current/listed apache conf file...
i get the base "ubuntu/apache" default page now..
 --the "berat" is trimmed...

=
cat /etc/apache2/sites-available/berat.conf

ServerAdmin f...@yahoo.com
ServerName  temp22
ServerAlias temp

DocumentRoot   /var/www/html/berat

 ProxyPass / http://127.0.0.1:3000/

 ProxyPassReverse / http://127.0.0.1:3000/


#DocumentRoot   /var/www/html/berat




#ProxyRequests Off
#ProxyPreserveHost On
#
#  Require all granted
#

#ProxyPass / http://127.0.0.1:3000/

#ProxyPassReverse / http://127.0.0.1:3000/

#DirectoryIndex index.html index.php

#Options -Indexes +FollowSymLinks +MultiViews
Options +FollowSymLinks

AllowOverride All
Options -MultiViews
Order allow,deny
Allow from all

#Require all granted
##Options -Indexes +FollowSymLinks +MultiViews
AllowOverride All Require all granted


##Options Indexes FollowSymLinks MultiViews
##Options -Indexes FollowSymlinks
#Options FollowSymlinks
#AllowOverride All
##Order allow,deny
##allow from all
#Require all granted


##Alias "/berat" "/var/www/html/berat/"


LogLevel debug
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined


On Thu, Jul 11, 2024 at 9:40 AM Frank Gingras  wrote:
>
>
>
> On Thu, Jul 11, 2024 at 8:02 AM Marc  wrote:
>>
>>  I am testing a bit with this:
>>
>>  32 
>>  33 # files are still loaded from default host
>>  34 Define defaulthost ""
>>  35 Define proxyhost ""
>>  36
>>  37 ProxyPreserveHost Off
>>  38 ProxyAddHeaders On
>>  39 SetOutputFilter  proxy-html
>>  40 ProxyHTMLEnable On
>>  41 ProxyHTMLExtended On
>>  42
>>  43 ProxyPass"https://${proxyhost}/;
>>  44 ProxyPassReverse "https://${proxyhost}/;
>>  45
>>  46 ProxyPassReverseCookieDomain "${proxyhost}" "${defaulthost}"
>>  47 ProxyPassReverseCookiePath   "/" "//"
>>  48
>>  49 Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=None
>>  50
>>  51 ProxyHTMLURLMap https://${proxyhost}/ https://${defaulthost}/
>>  52
>>  53 Options +ExecCGI +FollowSymLinks -MultiViews
>>  54 
>>
>> > -Original Message-
>> > From: bruce 
>> > Sent: Thursday, 11 July 2024 13:20
>> > To: users@httpd.apache.org
>> > Subject: [users@httpd] reverse proxy setup
>> >
>> > Hi.
>> >
>> > Testing a github app that appears to use/require reverse proxy to
>> > display results on the browser.
>> >
>> > The basic app uses npm/nextjs to generate content, Per different
>> > sites, the process uses PM2 to run the process, and to be able to show
>> > the content via an internal/local "server". This is accessed via  --
>> > http://127.0.0.1:3000.
>> >
>> > Using curl on the local/test server, content can be accessed via the site
>> >  curl  http://127.0.0.1:3000.
>> >
>> > My issue now, is how to create the Apache conf to be able to have the
>> > user at http://1.2.3.4/berat, be able to display the content. This
>> > requires somehow setting up the reverse proxy process, in the VirtHost
>> > of the config file. The test site is being run from a subdir
>> >   /var/www/html/berat <<<
>> >
>> > Researching/testing hasn't had the light go off yet!
>> >
>> > Here's what I've got, but it's not correct.
>> >
>> > Pointers would be useful. (and possible explanation!)
>> >
>> > cat /etc/apache2/sites-available/berat.conf
>> > 
>> > ServerAdmin f...@yahoo.com
>> > ServerName  temp22
>> > ServerAlias temp
>> >
>> > DocumentRoot   /var/www/html/berat
>> >
>> > ProxyRequests Off
>> > ProxyPreserveHost On
>> > 
>> > Require all granted
>> > 
>> >
>> > ProxyPreserveHost On
>> >
>> > 
>> >   ProxyPreserveHost Off
>> >   ProxyErrorOverride Off
>> > 
>> >
>> >  #ProxyPass/api/system-a/
>> > https://external-domain.example2.org/system-a/
>> >
>> >  

Re: [users@httpd] Simulating rewrite rules?

2024-07-11 Thread Frank Gingras
On Thu, Jul 11, 2024 at 4:49 AM Marc  wrote:

> >
> > RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
> > RewriteCond %{HTTP_USER_AGENT} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
> > RewriteCond %{HTTP_USER_AGENT} ^.*(HTTrack|clshttp|archiver|loader|email|nikto|miner|python).* [NC,OR]
> > RewriteCond %{HTTP_USER_AGENT} ^.*(winhttp|libwww\-perl|curl|wget|harvest|scan|grab|extract).* [NC,OR]
> > RewriteCond %{HTTP_USER_AGENT} ^.*(Googlebot|SemrushBot|PetalBot|Bytespider|bingbot).* [NC]
> > RewriteRule (.*) https://guardiandigital.com/$1 [L,R=301]
> >
> >
> > SetEnvIf user-agent "(?i:GoogleBot)" googlebot=1
> > SetEnvIf user-agent "(?i:SemrushBot)" googlebot=1
> > SetEnvIf user-agent "(?i:PetalBot)" googlebot=1
> > SetEnvIf user-agent "(?i:Bytespider)" googlebot=1
> > SetEnvIf user-agent "(?i:bingbot)" googlebot=1
> >
> >
> >   
> > Require ip 1.2.3.4
> > Require env googlebot
> >   
> >
>
> I would think that mod_security is more efficient for this
> SecRule REQUEST_HEADERS:User-Agent "" "id:'13006',phase:2,log,deny,status:200"
>
> Why allow SemrushBot, PetalBot and Bytespider? If they don't give you
> traffic, block them. Better add things for yandex and duckduckgo.
> Duckduckgo is getting better than google. Maybe start looking for ai
> crawlers also.
>
> > I was also originally trying to associate the rewriterules with the
> > requireany using  but then realized I didn't even have to do that -
> > it would just automatically get processed independently. It looks so
> > simple now, but took me a while to make it this simple.
> >
> >
>
> What also helps is blocking these clouds, just get their ip ranges
>
> - amazon
> - googleusercontent
> - digital ocean
> - ovh
>
>
>
> PS. Don't give google the credit to have bot variable named after them ;).
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org


The following bit:

"has to appear in .htaccess because it's processed after the virtualhost
config and any requireall/requireany entries are overridden that already
appear there"

Makes no sense.  You can just create your vhost properly to produce the
expected behaviour.


Re: [users@httpd] Stripping trailing slashes (again)

2024-07-11 Thread Frank Gingras
On Thu, Jul 11, 2024 at 6:55 AM Konstantin Kolinko 
wrote:

> Thu, 13 Jun 2024 at 17:41, Dave Wreski:
> >
> > Hi,
> >
> > Some time ago I requested help with a rewrite rule to strip trailing
> > slash(es) from all URLs in our joomla website, but I'm still having
> > problems. This is the rule I am currently working with:
> >
> > RewriteRule ^(.*)/+$ https://linuxsecurity.com$1 [R=301,L]
> >
> > It works fine for any URL other than the homepage. Somehow for the
> > homepage it creates an infinite loop, despite using "L", so perhaps I don't
> > understand what it's doing. The (.*) is supposed to match any character,
> > but there wouldn't be any preceding elements for the homepage.
> >
> > The problem as I see it is that, for the homepage, (.*) would be null,
> > so $1 would also be null? This then creates the same URL as the one we're
> > trying to fix.
>
> (.*) means "any character, 0 or more times".
> "0 times" here means that it matches an empty string. (Technically, it
> is an empty string, not null).
>
> URL for the home page is "/".
>
> (The first line of an HTTP 1.x request will be "GET / HTTP/1.1".
> By definition of the protocol, there has to be some text between the
> verb (GET) and the version.)
>
> A possible solution that I see is to make the first '/' explicit.
> adding it both to the regexp and to the replacement string:
>
>   RewriteRule ^/(.*)/+$ https://linuxsecurity.com/$1 [R=301,L]
>
> Alternatively, use '+' instead of '*' (meaning 1 or more times):
>
>   RewriteRule ^(.+)/+$ https://linuxsecurity.com$1 [R=301,L]
>
> Best regards,
> Konstantin Kolinko
>
>
>
You're missing a key part of the engine here; in the per-directory context,
the leading / cannot be matched.  Per-directory means either .htaccess,
 or .  To make the rule work in both server and
per-directory context, use the conditional modifier:

^/?()

To stop loops, add a proper RewriteCond directive prior, and exclude
whatever URI you need.
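
Added example (not from any poster in this thread): a small Python model of the three rules quoted above, following each redirect chain in server context and in per-directory context. The per-directory case is modeled, as an assumption, by dropping the leading slash before matching (an .htaccess in the document root); the sample paths are constructed.

```python
import re
from urllib.parse import urlsplit

HOST = "linuxsecurity.com"

# (pattern, substitution) pairs exactly as posted in the thread.
RULES = {
    "original":       (r"^(.*)/+$",  "https://linuxsecurity.com$1"),
    "explicit_slash": (r"^/(.*)/+$", "https://linuxsecurity.com/$1"),
    "one_or_more":    (r"^(.+)/+$",  "https://linuxsecurity.com$1"),
}


def rewrite(rule, url_path, per_directory=False):
    """Return the Location the rule would emit for url_path, or None.

    Assumption of this model: in per-directory context (.htaccess in the
    document root) the pattern sees the path without its leading slash.
    """
    pattern, substitution = RULES[rule]
    subject = url_path[1:] if per_directory else url_path
    match = re.search(pattern, subject)
    if match is None:
        return None
    return substitution.replace("$1", match.group(1))


def follow(rule, url_path, per_directory=False, max_hops=10):
    """Follow the 301 chain a client would see; return (outcome, chain)."""
    visited = [url_path]
    for _ in range(max_hops):
        location = rewrite(rule, visited[-1], per_directory)
        if location is None:
            return "served", visited          # no redirect: content is served
        target = urlsplit(location)
        if target.hostname != HOST:
            # e.g. "https://linuxsecurity.comnews": $1 lost its leading slash
            return "bad-redirect", visited + [location]
        next_path = target.path or "/"        # empty path is requested as "/"
        if next_path in visited:
            return "loop", visited + [next_path]
        visited.append(next_path)
    return "too-many-hops", visited


def report():
    """Run every rule against constructed sample paths in both contexts."""
    rows = []
    for per_directory in (False, True):
        context = "per-directory" if per_directory else "server"
        for rule in RULES:
            for path in ("/", "/news/", "/news//"):
                outcome, chain = follow(rule, path, per_directory)
                rows.append((context, rule, path, outcome, " -> ".join(chain)))
    return rows


if __name__ == "__main__":
    for row in report():
        print("{:13} {:15} {:8} {:13} {}".format(*row))
```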


Re: [users@httpd] reverse proxy setup

2024-07-11 Thread Frank Gingras
On Thu, Jul 11, 2024 at 8:02 AM Marc  wrote:

>  I am testing a bit with this:
>
>  32 
>  33 # files are still loaded from default host
>  34 Define defaulthost ""
>  35 Define proxyhost ""
>  36
>  37 ProxyPreserveHost Off
>  38 ProxyAddHeaders On
>  39 SetOutputFilter  proxy-html
>  40 ProxyHTMLEnable On
>  41 ProxyHTMLExtended On
>  42
>  43 ProxyPass"https://${proxyhost}/;
>  44 ProxyPassReverse "https://${proxyhost}/;
>  45
>  46 ProxyPassReverseCookieDomain "${proxyhost}" "${defaulthost}"
>  47 ProxyPassReverseCookiePath   "/" "//"
>  48
>  49 Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=None
>  50
>  51 ProxyHTMLURLMap https://${proxyhost}/ https://${defaulthost}/
>  52
>  53 Options +ExecCGI +FollowSymLinks -MultiViews
>  54 
>
> > -Original Message-
> > From: bruce 
> > Sent: Thursday, 11 July 2024 13:20
> > To: users@httpd.apache.org
> > Subject: [users@httpd] reverse proxy setup
> >
> > Hi.
> >
> > Testing a github app that appears to use/require reverse proxy to
> > display results on the browser.
> >
> > The basic app uses npm/nextjs to generate content, Per different
> > sites, the process uses PM2 to run the process, and to be able to show
> > the content via an internal/local "server". This is accessed via  --
> > http://127.0.0.1:3000.
> >
> > Using curl on the local/test server, content can be accessed via the site
> >  curl  http://127.0.0.1:3000.
> >
> > My issue now, is how to create the Apache conf to be able to have the
> > user at http://1.2.3.4/berat, be able to display the content. This
> > requires somehow setting up the reverse proxy process, in the VirtHost
> > of the config file. The test site is being run from a subdir
> >   /var/www/html/berat <<<
> >
> > Researching/testing hasn't had the light go off yet!
> >
> > Here's what I've got, but it's not correct.
> >
> > Pointers would be useful. (and possible explanation!)
> >
> > cat /etc/apache2/sites-available/berat.conf
> > 
> > ServerAdmin f...@yahoo.com
> > ServerName  temp22
> > ServerAlias temp
> >
> > DocumentRoot   /var/www/html/berat
> >
> > ProxyRequests Off
> > ProxyPreserveHost On
> > 
> > Require all granted
> > 
> >
> > ProxyPreserveHost On
> >
> > 
> >   ProxyPreserveHost Off
> >   ProxyErrorOverride Off
> > 
> >
> >  #ProxyPass/api/system-a/
> > https://external-domain.example2.org/system-a/
> >
> >  ProxyPass /berat http://127.0.0.1:3000/
> >
> >  ProxyPassReverse /berat http://127.0.0.1:3000/
> >
> >
> > #DocumentRoot   /var/www/html/berat
> >
> >
> > 
> >
> > #ProxyRequests Off
> > #ProxyPreserveHost On
> > #
> > #  Require all granted
> > #
> >
> > #ProxyPass / http://127.0.0.1:3000/
> >
> > #ProxyPassReverse / http://127.0.0.1:3000/
> >
> > #DirectoryIndex index.html index.php
> >
> > #Options -Indexes +FollowSymLinks +MultiViews
> > Options +FollowSymLinks
> >
> > AllowOverride All
> > Require all granted
> > ##Options -Indexes +FollowSymLinks +MultiViews
> > AllowOverride All Require all granted
> >
> >
> > ##Options Indexes FollowSymLinks MultiViews
> > ##Options -Indexes FollowSymlinks
> > #Options FollowSymlinks
> > #AllowOverride All
> > ##Order allow,deny
> > ##allow from all
> > #Require all granted
> > 
> >
> > ##Alias "/berat" "/var/www/html/berat/"
> >
> >
> > LogLevel debug
> > ErrorLog ${APACHE_LOG_DIR}/error.log
> > CustomLog ${APACHE_LOG_DIR}/access.log combined
> > 
> >
>
>
A couple points here:

1) Avoid proxying from  blocks, unless you have a good reason to
2) Always match the trailing slashes when proxying or redirecting, i.e.
/foo -> /foo and /foo/ -> /foo/
3)  is for forward proxies, so remove that


RE: [users@httpd] reverse proxy setup

2024-07-11 Thread Marc
 I am testing a bit with this:

 # files are still loaded from default host
 Define defaulthost ""
 Define proxyhost ""

 ProxyPreserveHost Off
 ProxyAddHeaders On
 SetOutputFilter  proxy-html
 ProxyHTMLEnable On
 ProxyHTMLExtended On

 ProxyPass        "https://${proxyhost}/"
 ProxyPassReverse "https://${proxyhost}/"

 ProxyPassReverseCookieDomain "${proxyhost}" "${defaulthost}"
 ProxyPassReverseCookiePath   "/" "//"

 Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=None

 ProxyHTMLURLMap https://${proxyhost}/ https://${defaulthost}/

 Options +ExecCGI +FollowSymLinks -MultiViews

> -Original Message-
> From: bruce 
> Sent: Thursday, 11 July 2024 13:20
> To: users@httpd.apache.org
> Subject: [users@httpd] reverse proxy setup
> 
> Hi.
> 
> Testing a github app that appears to use/require reverse proxy to
> display results on the browser.
> 
> The basic app uses npm/nextjs to generate content, Per different
> sites, the process uses PM2 to run the process, and to be able to show
> the content via an internal/local "server". This is accessed via  --
> http://127.0.0.1:3000.
> 
> Using curl on the local/test server, content can be accessed via the site
>  curl  http://127.0.0.1:3000.
> 
> My issue now, is how to create the Apache conf to be able to have the
> user at http://1.2.3.4/berat, be able to display the content. This
> requires somehow setting up the reverse proxy process, in the VirtHost
> of the config file. The test site is being run from a subdir
>   /var/www/html/berat <<<
> 
> Researching/testing hasn't had the light go off yet!
> 
> Here's what I've got, but it's not correct.
> 
> Pointers would be useful. (and possible explanation!)
> 
> cat /etc/apache2/sites-available/berat.conf
> 
> ServerAdmin f...@yahoo.com
> ServerName  temp22
> ServerAlias temp
> 
> DocumentRoot   /var/www/html/berat
> 
> ProxyRequests Off
> ProxyPreserveHost On
> 
> Require all granted
> 
> 
> ProxyPreserveHost On
> 
> 
>   ProxyPreserveHost Off
>   ProxyErrorOverride Off
> 
> 
>  #ProxyPass/api/system-a/
> https://external-domain.example2.org/system-a/
> 
>  ProxyPass /berat http://127.0.0.1:3000/
> 
>  ProxyPassReverse /berat http://127.0.0.1:3000/
> 
> 
> #DocumentRoot   /var/www/html/berat
> 
> 
> 
> 
> #ProxyRequests Off
> #ProxyPreserveHost On
> #
> #  Require all granted
> #
> 
> #ProxyPass / http://127.0.0.1:3000/
> 
> #ProxyPassReverse / http://127.0.0.1:3000/
> 
> #DirectoryIndex index.html index.php
> 
> #Options -Indexes +FollowSymLinks +MultiViews
> Options +FollowSymLinks
> 
> AllowOverride All
> Require all granted
> ##Options -Indexes +FollowSymLinks +MultiViews
> AllowOverride All Require all granted
> 
> 
> ##Options Indexes FollowSymLinks MultiViews
> ##Options -Indexes FollowSymlinks
> #Options FollowSymlinks
> #AllowOverride All
> ##Order allow,deny
> ##allow from all
> #Require all granted
> 
> 
> ##Alias "/berat" "/var/www/html/berat/"
> 
> 
> LogLevel debug
> ErrorLog ${APACHE_LOG_DIR}/error.log
> CustomLog ${APACHE_LOG_DIR}/access.log combined
> 
> 



Re: [users@httpd] Stripping trailing slashes (again)

2024-07-11 Thread Konstantin Kolinko
Thu, 13 Jun 2024 at 17:41, Dave Wreski:
>
> Hi,
>
> Some time ago I requested help with a rewrite rule to strip trailing 
> slash(es) from all URLs in our joomla website, but I'm still having problems. 
> This is the rule I am currently working with:
>
> RewriteRule ^(.*)/+$ https://linuxsecurity.com$1 [R=301,L]
>
> It works fine for any URL other than the homepage. Somehow for the homepage 
> it creates an infinite loop, despite using "L", so perhaps I don't understand 
> what it's doing. The (.*) is supposed to match any character, but there 
> wouldn't be any preceding elements for the homepage.
>
> The problem as I see it is that, for the homepage, (.*) would be null, so $1 
> would also be null? This then creates the same URL as the one we're trying to 
> fix.

(.*) means "any character, 0 or more times".
"0 times" here means that it matches an empty string. (Technically, it
is an empty string, not null).

URL for the home page is "/".

(The first line of an HTTP 1.x request will be "GET / HTTP/1.1".
By definition of the protocol, there has to be some text between the
verb (GET) and the version.)

A possible solution that I see is to make the first '/' explicit.
adding it both to the regexp and to the replacement string:

  RewriteRule ^/(.*)/+$ https://linuxsecurity.com/$1 [R=301,L]

Alternatively, use '+' instead of '*' (meaning 1 or more times):

  RewriteRule ^(.+)/+$ https://linuxsecurity.com$1 [R=301,L]

Best regards,
Konstantin Kolinko




RE: [users@httpd] Simulating rewrite rules?

2024-07-11 Thread Marc
> 
> RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
> RewriteCond %{HTTP_USER_AGENT} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
> RewriteCond %{HTTP_USER_AGENT} ^.*(HTTrack|clshttp|archiver|loader|email|nikto|miner|python).* [NC,OR]
> RewriteCond %{HTTP_USER_AGENT} ^.*(winhttp|libwww\-perl|curl|wget|harvest|scan|grab|extract).* [NC,OR]
> RewriteCond %{HTTP_USER_AGENT} ^.*(Googlebot|SemrushBot|PetalBot|Bytespider|bingbot).* [NC]
> RewriteRule (.*) https://guardiandigital.com/$1 [L,R=301]
> 
> 
> SetEnvIf user-agent "(?i:GoogleBot)" googlebot=1
> SetEnvIf user-agent "(?i:SemrushBot)" googlebot=1
> SetEnvIf user-agent "(?i:PetalBot)" googlebot=1
> SetEnvIf user-agent "(?i:Bytespider)" googlebot=1
> SetEnvIf user-agent "(?i:bingbot)" googlebot=1
> 
> 
>   
> Require ip 1.2.3.4
> Require env googlebot
>   
> 

I would think that mod_security is more efficient for this
SecRule REQUEST_HEADERS:User-Agent "" "id:'13006',phase:2,log,deny,status:200"

Why allow SemrushBot, PetalBot and Bytespider? If they don't give you traffic, 
block them. Better add things for yandex and duckduckgo. Duckduckgo is getting 
better than google. Maybe start looking for ai crawlers also.

> I was also originally trying to associate the rewriterules with the
> requireany using  but then realized I didn't even have to do that -
> it would just automatically get processed independently. It looks so
> simple now, but took me a while to make it this simple.
> 
> 

What also helps is blocking these clouds, just get their ip ranges

- amazon
- googleusercontent
- digital ocean
- ovh



PS. Don't give google the credit to have bot variable named after them ;).




Re: [users@httpd] Simulating rewrite rules?

2024-07-10 Thread Dave Wreski

Hi,


Hi, I have the following rewrite rule in place on one of our
staging sites to redirect bots and malicious scripts to our
corporate page:

  RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
  RewriteCond %{HTTP_USER_AGENT} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
  RewriteCond %{HTTP_USER_AGENT} ^.*(HTTrack|clshttp|archiver|loader|email|nikto|miner|python).* [NC,OR]
  RewriteCond %{HTTP_USER_AGENT} ^.*(winhttp|libwww\-perl|curl|wget|harvest|scan|grab|extract).* [NC,OR]
  RewriteCond %{HTTP_USER_AGENT} ^.*(Googlebot|SemrushBot|PetalBot|Bytespider|bingbot).* [NC]
  RewriteRule (.*) https://guardiandigital.com$1 [L,R=301]

However, it doesn't appear to always work properly:

66.249.68.6 - - [08/Jul/2024:11:43:41 -0400] "GET /robots.txt HTTP/1.1" 200 343 r:"-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" 0/5493 1145/6615/343 H:HTTP/1.1 U:/robots.txt s:200

Instead of making changes to my rules then having to wait until
the condition is met (Googlebot scans the site again), I'd like to
simulate the above request against my ruleset to see if it
matches. Is this possible?


For the user agent, just install an extension in your browser to 
"fake" the value, and make a HTTP request. Alternatively, you can use 
curl as well.


I should have mentioned that this was part of a larger effort to 
redirect bots while also blocking access to others altogether as well as 
allowing authorized users. Here's what I've come up with, which seems to 
work quite well. This also all has to appear in .htaccess because it's 
processed after the virtualhost config and any requireall/requireany 
entries are overridden that already appear there. I also learned that 
RequireAny is default deny.


RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(HTTrack|clshttp|archiver|loader|email|nikto|miner|python).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(winhttp|libwww\-perl|curl|wget|harvest|scan|grab|extract).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(Googlebot|SemrushBot|PetalBot|Bytespider|bingbot).* [NC]

RewriteRule (.*) https://guardiandigital.com/$1 [L,R=301]

SetEnvIf user-agent "(?i:GoogleBot)" googlebot=1
SetEnvIf user-agent "(?i:SemrushBot)" googlebot=1
SetEnvIf user-agent "(?i:PetalBot)" googlebot=1
SetEnvIf user-agent "(?i:Bytespider)" googlebot=1
SetEnvIf user-agent "(?i:bingbot)" googlebot=1

  
    Require ip 1.2.3.4
    Require env googlebot
  

I was also originally trying to associate the rewriterules with the 
requireany using  but then realized I didn't even have to do that - 
it would just automatically get processed independently. It looks so 
simple now, but took me a while to make it this simple.




Re: [users@httpd] Simulating rewrite rules?

2024-07-09 Thread mwood
On Tue, Jul 09, 2024 at 01:10:34PM +, Dave Wreski wrote:
> Instead of making changes to my rules then having to wait until the condition 
> is met (Googlebot scans the site again), I'd like to simulate the above 
> request against my ruleset to see if it matches. Is this possible?

curl --user-agent=Googlebot

-- 
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
library.indianapolis.iu.edu




Re: [users@httpd] Simulating rewrite rules?

2024-07-09 Thread Frank Gingras
On Tue, Jul 9, 2024 at 9:11 AM Dave Wreski
 wrote:

> Hi, I have the following rewrite rule in place on one of our staging sites
> to redirect bots and malicious scripts to our corporate page:
>
>   RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
>   RewriteCond %{HTTP_USER_AGENT} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
>   RewriteCond %{HTTP_USER_AGENT} ^.*(HTTrack|clshttp|archiver|loader|email|nikto|miner|python).* [NC,OR]
>   RewriteCond %{HTTP_USER_AGENT} ^.*(winhttp|libwww\-perl|curl|wget|harvest|scan|grab|extract).* [NC,OR]
>   RewriteCond %{HTTP_USER_AGENT} ^.*(Googlebot|SemrushBot|PetalBot|Bytespider|bingbot).* [NC]
>   RewriteRule (.*) https://guardiandigital.com$1 [L,R=301]
>
> However, it doesn't appear to always work properly:
>
> 66.249.68.6 - - [08/Jul/2024:11:43:41 -0400] "GET /robots.txt HTTP/1.1" 200 343 r:"-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" 0/5493 1145/6615/343 H:HTTP/1.1 U:/robots.txt s:200
>
> Instead of making changes to my rules then having to wait until the
> condition is met (Googlebot scans the site again), I'd like to simulate the
> above request against my ruleset to see if it matches. Is this possible?
>
> Thanks,
> Dave
>
>
>
For the user agent, just install an extension in your browser to "fake" the
value, and make a HTTP request.  Alternatively, you can use curl as well.
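
Added example (not code from the thread's participants): an offline way to check a User-Agent against the posted RewriteCond chain without waiting for the crawler to return. It parses the conditions and applies the [NC] and [OR] flags; it models only the conditions, not where or whether Apache evaluates the rule for a given request, and every User-Agent string other than the Googlebot one from the access log is constructed.

```python
import re

# Ruleset as posted in the thread (the .htaccess version), one directive per line.
RULESET = r"""
RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(HTTrack|clshttp|archiver|loader|email|nikto|miner|python).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(winhttp|libwww\-perl|curl|wget|harvest|scan|grab|extract).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(Googlebot|SemrushBot|PetalBot|Bytespider|bingbot).* [NC]
RewriteRule (.*) https://guardiandigital.com/$1 [L,R=301]
"""

COND_LINE = re.compile(
    r"^RewriteCond\s+%\{HTTP_USER_AGENT\}\s+(?P<pattern>\S+)"
    r"(?:\s+\[(?P<flags>[^\]]*)\])?\s*$"
)

# Constructed sample values, except "googlebot", which is the User-Agent
# from the access-log line quoted in the thread.
SAMPLES = {
    "googlebot": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
    "empty": "",
    "curl": "curl/8.5.0",
    "python-requests": "python-requests/2.31.0",
    "firefox": "Mozilla/5.0 (X11; Linux x86_64; rv:127.0) Gecko/20100101 Firefox/127.0",
    "markup": "Mozilla/5.0 <constructed>",
    "monitor": "Mozilla/5.0 (compatible; ExampleUptimeScan/1.0)",
}


def parse_conditions(text):
    """Parse User-Agent RewriteCond lines into (pattern, compiled, or_next)."""
    conditions = []
    for line in text.splitlines():
        m = COND_LINE.match(line.strip())
        if not m:
            continue  # RewriteRule and blank lines are not conditions
        flags = {f.strip().upper() for f in (m.group("flags") or "").split(",")}
        compiled = re.compile(m.group("pattern"), re.I if "NC" in flags else 0)
        conditions.append((m.group("pattern"), compiled, "OR" in flags))
    return conditions


def evaluate(conditions, user_agent):
    """Return (rule_fires, matched), matched being 1-based condition numbers.

    Conditions are ANDed unless flagged [OR], in which case a condition is
    ORed with the one that follows it.
    """
    matched = []
    fires = True
    group = False  # result of the current run of [OR]-joined conditions
    for number, (_, compiled, or_next) in enumerate(conditions, start=1):
        hit = compiled.search(user_agent) is not None
        if hit:
            matched.append(number)
        group = group or hit
        if not or_next:  # end of an OR group: AND it into the result
            fires = fires and group
            group = False
    return fires, matched


def classify_samples():
    """Evaluate every sample User-Agent against the parsed ruleset."""
    conditions = parse_conditions(RULESET)
    return {name: evaluate(conditions, ua) for name, ua in SAMPLES.items()}


if __name__ == "__main__":
    for name, (fires, matched) in classify_samples().items():
        verdict = "redirect" if fires else "pass"
        print("{:16} {:8} matched conditions: {}".format(name, verdict, matched))
```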


Re: [users@httpd] VirtualHost with ServerAlias and SSLCertificateFile no friends?

2024-07-08 Thread Frank Gingras
On Mon, Jul 8, 2024 at 4:18 AM Michael Osipov  wrote:

> On 2024/07/04 13:57:06 Frank Gingras wrote:
> > On Thu, Jul 4, 2024 at 8:44 AM Michael Osipov 
> wrote:
> >
> > > Folks,
> > >
> > > please consider the following example:
> > > > 
> > > > ServerAdmin m...@example.com
> > > > ServerName foo.example.com
> > > > ServerAlias foo.sub.example.net
> > > > DocumentRoot /usr/local/www/apache24/data
> > > > ErrorLog "/var/log/apache/foo-ssl-errors.log"
> > > > CustomLog "/var/log/apache/foo-ssl-access.log" common
> > > >
> > > > SSLEngine On
> > > > SSLCertificateFile /etc/ssl/foo.example.com/cert.crt
> > > > SSLCertificateKeyFile /etc/ssl/foo.example.com/key.crt
> > > > SSLCertificateFile /etc/ssl/foo.sub.example.net/cert.crt
> > > > SSLCertificateKeyFile /etc/ssl/foo.sub.example.net/key.crt
> > > >
> > > > Include "..."
> > > > 
> > >
> > > I'd like to run a single vhost serving the same content under multiple
> > > FQDNs to the users
> > >
> > > As far as I understand mod_ssl it does not seem to support to have SNI on
> > > a single vhost with multiple hostnames. I get error messages in the log
> > > file.
> > > I am running "Apache/2.4.59 (FreeBSD) OpenSSL/1.1.1w-freebsd".
> > > FWIW: the same concept is supported with Tomcat: One connector, one default
> > > host, aliases and several SSLHostConfig elements.
> > > Is the approach to run two vhosts here? I am sure that a SAN certificate
> > > will do the trick, but for €€€ reasons I won't be able to order one.
> > >
> > > Michael
> > >
> > > -
> > > To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> > > For additional commands, e-mail: users-h...@httpd.apache.org
> > >
> > >
> > In that case, define separate :443 vhosts for each name, and redirect to
> > the main one.
>
> As sad as it sounds, and also looking into the source code, there is no
> alternative to duplicating it.
> There is a long standing issue open in Bugzilla:
> https://bz.apache.org/bugzilla/show_bug.cgi?id=61081
>
> At least the docs should tell that using ServerAlias requires a SAN
> certificate to function properly.
>
>
>
Your options were always to use a wildcard certificate, or a SAN.  This
falls more into the common knowledge of TLS and certificates.

mod_ssl does tie in to openssl, sure, but explaining every concept isn't
the role of the docs.

That being said, a small note to that effect should not be harmful, I will
see if the docs team can come up with some alteration.


Re: [users@httpd] VirtualHost with ServerAlias and SSLCertificateFile no friends?

2024-07-08 Thread Michael Osipov
On 2024/07/04 13:57:06 Frank Gingras wrote:
> On Thu, Jul 4, 2024 at 8:44 AM Michael Osipov  wrote:
> 
> > Folks,
> >
> > please consider the following example:
> > > 
> > > ServerAdmin m...@example.com
> > > ServerName foo.example.com
> > > ServerAlias foo.sub.example.net
> > > DocumentRoot /usr/local/www/apache24/data
> > > ErrorLog "/var/log/apache/foo-ssl-errors.log"
> > > CustomLog "/var/log/apache/foo-ssl-access.log" common
> > >
> > > SSLEngine On
> > > SSLCertificateFile /etc/ssl/foo.example.com/cert.crt
> > > SSLCertificateKeyFile /etc/ssl/foo.example.com/key.crt
> > > SSLCertificateFile /etc/ssl/foo.sub.example.net/cert.crt
> > > SSLCertificateKeyFile /etc/ssl/foo.sub.example.net/key.crt
> > >
> > > Include "..."
> > > 
> >
> > I'd like to run a single vhost serving the same content under multiple
> > FQDNs to the users
> >
> > As far as I understand mod_ssl it does not seem to support to have SNI on
> > a single vhost with multiple hostnames. I get error messages in the log
> > file.
> > I am running "Apache/2.4.59 (FreeBSD) OpenSSL/1.1.1w-freebsd".
> > FWIW: the same concept is supported with Tomcat: One connector, one default
> > host, aliases and several SSLHostConfig elements.
> > Is the approach to run two vhosts here? I am sure that a SAN certificate
> > will do the trick, but for €€€ reasons I won't be able to order one.
> >
> > Michael
> >
> >
> >
> In that case, define separate :443 vhosts for each name, and redirect to
> the main one.

As sad as it sounds, and also looking into the source code, there is no
alternative to duplicating it.
There is a long standing issue open in Bugzilla: 
https://bz.apache.org/bugzilla/show_bug.cgi?id=61081

At least the docs should tell that using ServerAlias requires a SAN certificate 
to function properly.




Re: [users@httpd] VirtualHost with ServerAlias and SSLCertificateFile no friends?

2024-07-07 Thread Frank Gingras
On Sun, Jul 7, 2024 at 5:09 AM rexkogit...@gmx.at.INVALID
 wrote:

> Hi,
>
> well, Apache httpd uses SNI to decide which vhost to use. Otherwise, it
> would not even be possible to have multiple TLS secured domains on the same
> port. However, this is indeed possible, but you have to put them into
> multiple vhosts. These vhosts can be as similar as they share everything
> but the TLS certificate files and ServerNames. They can have the same
> DocumentRoot and so on.
>
> Otherwise, you could also try Haproxy in front of Apache.  Haproxy supports
> SNI and can perform TLS offloading, so that the Apache webserver is to be
> configured with HTTP only.
>
> Kind regards,
> rexkogitans.
> On 05.07.24 at 16:28, Frank Gingras wrote:
>
>
>
> On Fri, Jul 5, 2024 at 10:23 AM rexkogit...@gmx.at.INVALID
>   wrote:
>
>> Hi Michael,
>>
>>
>> you can add any number of domain names to a TLS certificate. These
>> entries are known as  SAN (Subject Alternative Name). So, you want a single
>> TLS certificate with multiple domain names instead of multiple TLS
>> certificates each with a single domain name.
>>
>>
>> Kind regards,
>> rexkogitans
>> On 04.07.24 at 15:57, Frank Gingras wrote:
>>
>>
>>
>> On Thu, Jul 4, 2024 at 8:44 AM Michael Osipov 
>> wrote:
>>
>>> Folks,
>>>
>>> please consider the following example:
>>> > 
>>> > ServerAdmin m...@example.com
>>> > ServerName foo.example.com
>>> > ServerAlias foo.sub.example.net
>>> > DocumentRoot /usr/local/www/apache24/data
>>> > ErrorLog "/var/log/apache/foo-ssl-errors.log"
>>> > CustomLog "/var/log/apache/foo-ssl-access.log" common
>>> >
>>> > SSLEngine On
>>> > SSLCertificateFile /etc/ssl/foo.example.com/cert.crt
>>> > SSLCertificateKeyFile /etc/ssl/foo.example.com/key.crt
>>> > SSLCertificateFile /etc/ssl/foo.sub.example.net/cert.crt
>>> > SSLCertificateKeyFile /etc/ssl/foo.sub.example.net/key.crt
>>> >
>>> > Include "..."
>>> > 
>>>
>>> I'd like to run a single vhost serving the same content under multiple
>>> FQDNs to the users
>>>
>>> As far as I understand mod_ssl it does not seem to support to have SNI
>>> on a single vhost with multiple hostnames. I get error messages in the log
>>> file.
>>> I am running "Apache/2.4.59 (FreeBSD) OpenSSL/1.1.1w-freebsd".
>>> FWIW: the same concept is supported with Tomcat: One connector, one
>>> default host, aliases and several SSLHostConfig elements.
>>> Is the approach to run two vhosts here? I am sure that a SAN certificate
>>> will do the trick, but for €€€ reasons I won't be able to order one.
>>>
>>> Michael
>>>
>>>
>>>
>> In that case, define separate :443 vhosts for each name, and redirect to
>> the main one.
>>
>>
>
> They already said that for price reasons, that consideration is not on the
> table.
>
>
That was literally what I suggested prior.


Re: [users@httpd] VirtualHost with ServerAlias and SSLCertificateFile no friends?

2024-07-07 Thread rexkogit...@gmx.at.INVALID

Hi,

well, Apache httpd uses SNI to decide which vhost to use. Otherwise, it
would not even be possible to have multiple TLS secured domains on the
same port. However, this is indeed possible, but you have to put them
into multiple vhosts. These vhosts can be as similar as they share
everything but the TLS certificate files and ServerNames. They can have
the same DocumentRoot and so on.

Otherwise, you could also try Haproxy in front of Apache.  Haproxy
supports SNI and can perform TLS offloading, so that the Apache
webserver is to be configured with HTTP only.

Kind regards,
rexkogitans.

On 05.07.24 at 16:28, Frank Gingras wrote:



On Fri, Jul 5, 2024 at 10:23 AM rexkogit...@gmx.at.INVALID
 wrote:

Hi Michael,


you can add any number of domain names to a TLS certificate. These
entries are known as  SAN (Subject Alternative Name). So, you want
a single TLS certificate with multiple domain names instead of
multiple TLS certificates each with a single domain name.


Kind regards,
rexkogitans

On 04.07.24 at 15:57, Frank Gingras wrote:



On Thu, Jul 4, 2024 at 8:44 AM Michael Osipov
 wrote:

Folks,

please consider the following example:
>
>     ServerAdmin m...@example.com
>     ServerName foo.example.com
>     ServerAlias foo.sub.example.net
>     DocumentRoot /usr/local/www/apache24/data
>     ErrorLog "/var/log/apache/foo-ssl-errors.log"
>     CustomLog "/var/log/apache/foo-ssl-access.log" common
>
>     SSLEngine On
>     SSLCertificateFile /etc/ssl/foo.example.com/cert.crt
>     SSLCertificateKeyFile /etc/ssl/foo.example.com/key.crt
>     SSLCertificateFile /etc/ssl/foo.sub.example.net/cert.crt
>     SSLCertificateKeyFile /etc/ssl/foo.sub.example.net/key.crt
>
>     Include "..."
>

I'd like to run a single vhost serving the same content under
multiple FQDNs to the users

As far as I understand mod_ssl it does not seem to support to
have SNI on a single vhost with multiple hostnames. I get
error messages in the log file.
I am running "Apache/2.4.59 (FreeBSD) OpenSSL/1.1.1w-freebsd".
FWIW: the same concept is supported with Tomcat: One connector,
one default host, aliases and several SSLHostConfig elements.
Is the approach to run two vhosts here? I am sure that a SAN
certificate will do the trick, but for €€€ reasons I won't be
able to order one.

Michael



In that case, define separate :443 vhosts for each name, and
redirect to the main one.




They already said that for price reasons, that consideration is not on
the table.


Re: [users@httpd] Javascript xmlhttprequest send error

2024-07-05 Thread Ted Hickox
I found a Javascript forum.  I regret to say that though they gave it their
best effort, they were unable to help me find my problem.  So here is what
I'm going to do.  Just in case someone is investigating this message, I
will share the solution I finally found.

In my XHTML code I forgot to include the XML SVG namespace.  This was most
of my error.  The rest of my error came from excessive } symbols.  I had to
completely disassemble my code and reassemble it piece by piece just to
find the error.  It took me several days to accomplish this task.
Apparently XHTML and Javascript are very picky when it comes to coding
them.  In a future video I will demonstrate all of these problems on
YouTube.

On Wed, Jul 3, 2024 at 9:43 PM Frank Gingras  wrote:

>
>
> On Wed, Jul 3, 2024 at 7:49 PM Ted Hickox  wrote:
>
>> And a hearty good evening everyone.  Here is my Javascript code.
>>
>> var SVG_Data;
>> var Retrieved_Data;
>> var Attribute_List;
>> var Coordinate_List;
>> var Counter;
>> function Setup() {
>>  SVG_Data = new XMLHttpRequest();
>>  SVG_Data.open("GET","
>> http://localhost:8080/exist/rest/db/apps/HTML_Student/SVG_Ellipse.xq;,
>> true);
>>  SVG_Data.onreadystatechange = function () {
>>  if (SVG_Data.readyState == 4) {
>> Retrieved_Data = SVG_Data.responseText;
>> Retrieved_Data = Retrieved_Data.split("*");
>> Attribute_List = "";
>> Coordinate_List = "";
>> for (Counter = 0; Counter < 8; Counter++) {
>>   Attribute_List = Attribute_List + Retrieved_Data[Counter] + "*";
>>   Counter = Counter + 1;
>>   Coordinate_List = Coordinate_List + Retrieved_Data[Counter] + "*";}
>>   Attribute_List = Attribute_List.split("*");
>>   Coordinate_List = Coordinate_List.split("*");
>>   Coordinate = "> for (Counter = 0; Counter < 4; Counter++) {
>>  Coordinate = Coordinate + " " + Attribute_List[Counter] + " = '"
>> + Coordinate_List[Counter] + "'";}
>> Coordinate = Coordinate + ">";
>>  document.getElementById("Image_Box").innerHTML = Coordinate;
>>  }
>>  };
>>
>>SVG_Data.send();}
>>
>> When I run this code, I get the following error:
>>
>> uncaught typeerror.  cannot read properties of undefined reading send.
>>
>> I know this has to do with SVG_Data.send().  But I don't know what I've
>> done wrong.  Can anyone here assist me with this problem?
>>
>>
>>
>>
> You should ask a JavaScript mailing list / support forum instead.
>


Re: [users@httpd] VirtualHost with ServerAlias and SSLCertificateFile no friends?

2024-07-05 Thread Frank Gingras
On Fri, Jul 5, 2024 at 10:23 AM rexkogit...@gmx.at.INVALID
 wrote:

> Hi Michael,
>
>
> you can add any number of domain names to a TLS certificate. These entries
> are known as  SAN (Subject Alternative Name). So, you want a single TLS
> certificate with multiple domain names instead of multiple TLS certificates
> each with a single domain name.
>
>
> Kind regards,
> rexkogitans
> On 04.07.24 at 15:57, Frank Gingras wrote:
>
>
>
> On Thu, Jul 4, 2024 at 8:44 AM Michael Osipov  wrote:
>
>> Folks,
>>
>> please consider the following example:
>> > 
>> > ServerAdmin m...@example.com
>> > ServerName foo.example.com
>> > ServerAlias foo.sub.example.net
>> > DocumentRoot /usr/local/www/apache24/data
>> > ErrorLog "/var/log/apache/foo-ssl-errors.log"
>> > CustomLog "/var/log/apache/foo-ssl-access.log" common
>> >
>> > SSLEngine On
>> > SSLCertificateFile /etc/ssl/foo.example.com/cert.crt
>> > SSLCertificateKeyFile /etc/ssl/foo.example.com/key.crt
>> > SSLCertificateFile /etc/ssl/foo.sub.example.net/cert.crt
>> > SSLCertificateKeyFile /etc/ssl/foo.sub.example.net/key.crt
>> >
>> > Include "..."
>> > 
>>
>> I'd like to run a single vhost serving the same content under multiple
>> FQDNs to the users
>>
>> As far as I understand mod_ssl it does not seem to support to have SNI on
>> a single vhost with multiple hostnames. I get error messages in the log
>> file.
>> I am running "Apache/2.4.59 (FreeBSD) OpenSSL/1.1.1w-freebsd".
>> FWIW: the same concept is supported with Tomcat: One connector, one default
>> host, aliases and several SSLHostConfig elements.
>> Is the approach to run two vhosts here? I am sure that a SAN certificate
>> will do the trick, but for €€€ reasons I won't be able to order one.
>>
>> Michael
>>
>>
>>
> In that case, define separate :443 vhosts for each name, and redirect to
> the main one.
>
>

They already said that for price reasons, that consideration is not on the
table.


Re: [users@httpd] VirtualHost with ServerAlias and SSLCertificateFile no friends?

2024-07-05 Thread rexkogit...@gmx.at.INVALID

Hi Michael,


you can add any number of domain names to a TLS certificate. These
entries are known as  SAN (Subject Alternative Name). So, you want a
single TLS certificate with multiple domain names instead of multiple
TLS certificates each with a single domain name.


Kind regards,
rexkogitans

On 04.07.24 at 15:57, Frank Gingras wrote:



On Thu, Jul 4, 2024 at 8:44 AM Michael Osipov  wrote:

Folks,

please consider the following example:
>
>     ServerAdmin m...@example.com
>     ServerName foo.example.com
>     ServerAlias foo.sub.example.net
>     DocumentRoot /usr/local/www/apache24/data
>     ErrorLog "/var/log/apache/foo-ssl-errors.log"
>     CustomLog "/var/log/apache/foo-ssl-access.log" common
>
>     SSLEngine On
>     SSLCertificateFile /etc/ssl/foo.example.com/cert.crt
>     SSLCertificateKeyFile /etc/ssl/foo.example.com/key.crt
>     SSLCertificateFile /etc/ssl/foo.sub.example.net/cert.crt
>     SSLCertificateKeyFile /etc/ssl/foo.sub.example.net/key.crt
>
>     Include "..."
>

I'd like to run a single vhost serving the same content under
multiple FQDNs to the users

As far as I understand mod_ssl it does not seem to support to have
SNI on a single vhost with multiple hostnames. I get error
messages in the log file.
I am running "Apache/2.4.59 (FreeBSD) OpenSSL/1.1.1w-freebsd".
FWIW: the same concept is supported with Tomcat: One connector, one
default host, aliases and several SSLHostConfig elements.
Is the approach to run two vhosts here? I am sure that a SAN
certificate will do the trick, but for €€€ reasons I won't be able to
order one.

Michael



In that case, define separate :443 vhosts for each name, and redirect
to the main one.


Re: [users@httpd] VirtualHost with ServerAlias and SSLCertificateFile no friends?

2024-07-04 Thread Frank Gingras
On Thu, Jul 4, 2024 at 8:44 AM Michael Osipov  wrote:

> Folks,
>
> please consider the following example:
> > 
> > ServerAdmin m...@example.com
> > ServerName foo.example.com
> > ServerAlias foo.sub.example.net
> > DocumentRoot /usr/local/www/apache24/data
> > ErrorLog "/var/log/apache/foo-ssl-errors.log"
> > CustomLog "/var/log/apache/foo-ssl-access.log" common
> >
> > SSLEngine On
> > SSLCertificateFile /etc/ssl/foo.example.com/cert.crt
> > SSLCertificateKeyFile /etc/ssl/foo.example.com/key.crt
> > SSLCertificateFile /etc/ssl/foo.sub.example.net/cert.crt
> > SSLCertificateKeyFile /etc/ssl/foo.sub.example.net/key.crt
> >
> > Include "..."
> > 
>
> I'd like to run a single vhost serving the same content under multiple
> FQDNs to the users
>
> As far as I understand mod_ssl it does not seem to support to have SNI on
> a single vhost with multiple hostnames. I get error messages in the log
> file.
> I am running "Apache/2.4.59 (FreeBSD) OpenSSL/1.1.1w-freebsd".
> FWIW: the same concept is supported with Tomcat: One connector, one default
> host, aliases and several SSLHostConfig elements.
> Is the approach to run two vhosts here? I am sure that a SAN certificate
> will do the trick, but for €€€ reasons I won't be able to order one.
>
> Michael
>
>
>
In that case, define separate :443 vhosts for each name, and redirect to
the main one.


Re: [users@httpd] Javascript xmlhttprequest send error

2024-07-03 Thread Frank Gingras
On Wed, Jul 3, 2024 at 7:49 PM Ted Hickox  wrote:

> And a hearty good evening everyone.  Here is my Javascript code.
>
> var SVG_Data;
> var Retrieved_Data;
> var Attribute_List;
> var Coordinate_List;
> var Counter;
> function Setup() {
>  SVG_Data = new XMLHttpRequest();
>  SVG_Data.open("GET","
> http://localhost:8080/exist/rest/db/apps/HTML_Student/SVG_Ellipse.xq;,
> true);
>  SVG_Data.onreadystatechange = function () {
>  if (SVG_Data.readyState == 4) {
> Retrieved_Data = SVG_Data.responseText;
> Retrieved_Data = Retrieved_Data.split("*");
> Attribute_List = "";
> Coordinate_List = "";
> for (Counter = 0; Counter < 8; Counter++) {
>   Attribute_List = Attribute_List + Retrieved_Data[Counter] + "*";
>   Counter = Counter + 1;
>   Coordinate_List = Coordinate_List + Retrieved_Data[Counter] + "*";}
>   Attribute_List = Attribute_List.split("*");
>   Coordinate_List = Coordinate_List.split("*");
>   Coordinate = " for (Counter = 0; Counter < 4; Counter++) {
>  Coordinate = Coordinate + " " + Attribute_List[Counter] + " = '"
> + Coordinate_List[Counter] + "'";}
> Coordinate = Coordinate + ">";
>  document.getElementById("Image_Box").innerHTML = Coordinate;
>  }
>  };
>
>SVG_Data.send();}
>
> When I run this code, I get the following error:
>
> uncaught typeerror.  cannot read properties of undefined reading send.
>
> I know this has to do with SVG_Data.send().  But I don't know what I've
> done wrong.  Can anyone here assist me with this problem?
>
>
>
>
You should ask a JavaScript mailing list / support forum instead.


Re: [users@httpd] weird/basic issue/question

2024-07-03 Thread Frank Gingras
On Wed, Jul 3, 2024 at 1:02 PM bruce  wrote:

> Hi frank.
>
> I know apache doesn't maintain php apps.
>
> pretty sure this isn't a php app issue, unless there's been something
> cut/copy/paste in the diff apps.
>
> I'm actually thinking that there's something in apache configs causing
> this.. given that i'm getting the issue in apache err logs, from diff
> apps..
>
> On Wed, Jul 3, 2024 at 12:54 PM Frank Gingras  wrote:
> >
> >
> >
> > On Wed, Jul 3, 2024 at 12:45 PM bruce  wrote:
> >>
> >> Hi Frank.
> >>
> >> It does.
> >>
> >> I also tried an additional test app
> >> http://161.35.5.174/invoiceninja/
> >>
> >> it also shows the "minthcm" in the error.log..
> >>
> >> I've been researching this, and as of yet, haven't found an aha moment.
> >>
> >> I've got plenty of other test apps in the /var/www/html dirtree.. and
> >> they aren't showing..
> >> I did a quick search/find in the /etc/sites-available and only find
> >> "minthcm" in the disabled conf file.
> >>
> >> any pointers as to where I might look?
> >>
> >> thanks
> >>
> >>
> >> On Wed, Jul 3, 2024 at 12:20 PM Frank Gingras 
> wrote:
> >> >
> >> >
> >> >
> >> > On Wed, Jul 3, 2024 at 12:15 PM bruce  wrote:
> >> >>
> >> >> I have a test/local apache server - digitalocean instance.
> >> >>
> >> >> Testing a php app. I have the
> >> >>  /etc/sites-available
> >> >>  /etc/mods-available
> >> >>
> >> >> I stopped the service, and restarted it.
> >> >>
> >> >> I tested the url:
> >> >>  http://161.35.5.174/invoiceplane/sessions/login
> >> >>  I then examined the
> >> >>   tail -50 /var/log/apache/error.log
> >> >>
> >> >>  and I expected to see something with the above url...
> >> >>
> >> >> instead, I get lines like..
> >> >> [Wed Jul 03 15:56:00.454162 2024] [deflate:debug] [pid 23847]
> >> >> mod_deflate.c(869): [client 162.234.196.167:39160] AH01384: Zlib:
> >> >> Compressed 595 to 276 : URL /minthcm/install/index.php, referer:
> >> >> http://161.35.5.174/minthcm/
> >> >>
> >> >> now... the minthcm is a disabled test app.. but I don't get why I'm
> >> >> seeing it in the err log when/right after testing the "invoiceplane"
> >> >> url.
> >> >>
> >> >> Haven't found anything yet via searching.
> >> >>
> >> >> thoughts/comments would be helpful.
> >> >>
> >> >> thanks
> >> >>
> >> >>
> >> >
> >> > Your php application is redirecting / loading additional resources.
> Does invoiceplane have a mailing list or other support venues?
> >>
> >>
> >
> > I still recommend asking the invoiceplane folks, preferably on their
> mailing list, or most active support venue.
> >
> > Apache HTTPd doesn't maintain that php application.
>
>
>
Bruce, if a redirect was involved, you would see a 3xx entry in the logs.
If mod_rewrite is involved, use the rewrite log to debug.


Re: [users@httpd] weird/basic issue/question

2024-07-03 Thread bruce
Hi frank.

I know apache doesn't maintain php apps.

pretty sure this isn't a php app issue, unless there's been something
cut/copy/paste in the diff apps.

I'm actually thinking that there's something in apache configs causing
this.. given that i'm getting the issue in apache err logs, from diff
apps..

On Wed, Jul 3, 2024 at 12:54 PM Frank Gingras  wrote:
>
>
>
> On Wed, Jul 3, 2024 at 12:45 PM bruce  wrote:
>>
>> Hi Frank.
>>
>> It does.
>>
>> I also tried an additional test app
>> http://161.35.5.174/invoiceninja/
>>
>> it also shows the "minthcm" in the error.log..
>>
>> I've been researching this, and as of yet, haven't found an aha moment.
>>
>> I've got plenty of other test apps in the /var/www/html dirtree.. and
>> they aren't showing..
>> I did a quick search/find in the /etc/sites-available and only find
>> "minthcm" in the disabled conf file.
>>
>> any pointers as to where I might look?
>>
>> thanks
>>
>>
>> On Wed, Jul 3, 2024 at 12:20 PM Frank Gingras  wrote:
>> >
>> >
>> >
>> > On Wed, Jul 3, 2024 at 12:15 PM bruce  wrote:
>> >>
>> >> I have a test/local apache server - digitalocean instance.
>> >>
>> >> Testing a php app. I have the
>> >>  /etc/sites-available
>> >>  /etc/mods-available
>> >>
>> >> I stopped the service, and restarted it.
>> >>
>> >> I tested the url:
>> >>  http://161.35.5.174/invoiceplane/sessions/login
>> >>  I then examined the
>> >>   tail -50 /var/log/apache/error.log
>> >>
>> >>  and I expected to see something with the above url...
>> >>
>> >> instead, I get lines like..
>> >> [Wed Jul 03 15:56:00.454162 2024] [deflate:debug] [pid 23847]
>> >> mod_deflate.c(869): [client 162.234.196.167:39160] AH01384: Zlib:
>> >> Compressed 595 to 276 : URL /minthcm/install/index.php, referer:
>> >> http://161.35.5.174/minthcm/
>> >>
>> >> now... the minthcm is a disabled test app.. but I don't get why I'm
>> >> seeing it in the err log when/right after testing the "invoiceplane"
>> >> url.
>> >>
>> >> Haven't found anything yet via searching.
>> >>
>> >> thoughts/comments would be helpful.
>> >>
>> >> thanks
>> >>
>> >>
>> >
>> > Your php application is redirecting / loading additional resources.  Does 
>> > invoiceplane have a mailing list or other support venues?
>>
>>
>
> I still recommend asking the invoiceplane folks, preferably on their mailing 
> list, or most active support venue.
>
> Apache HTTPd doesn't maintain that php application.




Re: [users@httpd] weird/basic issue/question

2024-07-03 Thread Frank Gingras
On Wed, Jul 3, 2024 at 12:45 PM bruce  wrote:

> Hi Frank.
>
> It does.
>
> I also tried an additional test app
> http://161.35.5.174/invoiceninja/
>
> it also shows the "minthcm" in the error.log..
>
> I've been researching this, and as of yet, haven't found an aha moment.
>
> I've got plenty of other test apps in the /var/www/html dirtree.. and
> they aren't showing..
> I did a quick search/find in the /etc/sites-available and only find
> "minthcm" in the disabled conf file.
>
> any pointers as to where I might look?
>
> thanks
>
>
> On Wed, Jul 3, 2024 at 12:20 PM Frank Gingras  wrote:
> >
> >
> >
> > On Wed, Jul 3, 2024 at 12:15 PM bruce  wrote:
> >>
> >> I have a test/local apache server - digitalocean instance.
> >>
> >> Testing a php app. I have the
> >>  /etc/sites-available
> >>  /etc/mods-available
> >>
> >> I stopped the service, and restarted it.
> >>
> >> I tested the url:
> >>  http://161.35.5.174/invoiceplane/sessions/login
> >>  I then examined the
> >>   tail -50 /var/log/apache/error.log
> >>
> >>  and I expected to see something with the above url...
> >>
> >> instead, I get lines like..
> >> [Wed Jul 03 15:56:00.454162 2024] [deflate:debug] [pid 23847]
> >> mod_deflate.c(869): [client 162.234.196.167:39160] AH01384: Zlib:
> >> Compressed 595 to 276 : URL /minthcm/install/index.php, referer:
> >> http://161.35.5.174/minthcm/
> >>
> >> now... the minthcm is a disabled test app.. but I don't get why I'm
> >> seeing it in the err log when/right after testing the "invoiceplane"
> >> url.
> >>
> >> Haven't found anything yet via searching.
> >>
> >> thoughts/comments would be helpful.
> >>
> >> thanks
> >>
> >>
> >
> > Your php application is redirecting / loading additional resources.
> Does invoiceplane have a mailing list or other support venues?
>
>
>
I still recommend asking the invoiceplane folks, preferably on their
mailing list, or most active support venue.

Apache HTTPd doesn't maintain that php application.


Re: [users@httpd] weird/basic issue/question

2024-07-03 Thread bruce
Hi Frank.

It does.

I also tried an additional test app
http://161.35.5.174/invoiceninja/

it also shows the "minthcm" in the error.log..

I've been researching this, and as of yet, haven't found an aha moment.

I've got plenty of other test apps in the /var/www/html dirtree.. and
they aren't showing..
I did a quick search/find in the /etc/sites-available and only find
"minthcm" in the disabled conf file.

any pointers as to where I might look?

thanks


On Wed, Jul 3, 2024 at 12:20 PM Frank Gingras  wrote:
>
>
>
> On Wed, Jul 3, 2024 at 12:15 PM bruce  wrote:
>>
>> I have a test/local apache server - digitalocean instance.
>>
>> Testing a php app. I have the
>>  /etc/sites-available
>>  /etc/mods-available
>>
>> I stopped the service, and restarted it.
>>
>> I tested the url:
>>  http://161.35.5.174/invoiceplane/sessions/login
>>  I then examined the
>>   tail -50 /var/log/apache/error.log
>>
>>  and I expected to see something with the above url...
>>
>> instead, I get lines like..
>> [Wed Jul 03 15:56:00.454162 2024] [deflate:debug] [pid 23847]
>> mod_deflate.c(869): [client 162.234.196.167:39160] AH01384: Zlib:
>> Compressed 595 to 276 : URL /minthcm/install/index.php, referer:
>> http://161.35.5.174/minthcm/
>>
>> now... the minthcm is a disabled test app.. but I don't get why I'm
>> seeing it in the err log when/right after testing the "invoiceplane"
>> url.
>>
>> Haven't found anything yet via searching.
>>
>> thoughts/comments would be helpful.
>>
>> thanks
>>
>>
>
> Your php application is redirecting / loading additional resources.  Does 
> invoiceplane have a mailing list or other support venues?




Re: [users@httpd] weird/basic issue/question

2024-07-03 Thread Frank Gingras
On Wed, Jul 3, 2024 at 12:15 PM bruce  wrote:

> I have a test/local apache server - digitalocean instance.
>
> Testing a php app. I have the
>  /etc/sites-available
>  /etc/mods-available
>
> I stopped the service, and restarted it.
>
> I tested the url:
>  http://161.35.5.174/invoiceplane/sessions/login
>  I then examined the
>   tail -50 /var/log/apache/error.log
>
>  and I expected to see something with the above url...
>
> instead, I get lines like..
> [Wed Jul 03 15:56:00.454162 2024] [deflate:debug] [pid 23847]
> mod_deflate.c(869): [client 162.234.196.167:39160] AH01384: Zlib:
> Compressed 595 to 276 : URL /minthcm/install/index.php, referer:
> http://161.35.5.174/minthcm/
>
> now... the minthcm is a disabled test app.. but I don't get why I'm
> seeing it in the err log when/right after testing the "invoiceplane"
> url.
>
> Haven't found anything yet via searching.
>
> thoughts/comments would be helpful.
>
> thanks
>
>
>
Your php application is redirecting / loading additional resources.  Does
invoiceplane have a mailing list or other support venues?


Re: [users@httpd] Hexadecimal representation of special characters breaking JSON logs

2024-07-03 Thread Rainer Canavan
On Tue, Jul 2, 2024 at 6:54 PM Dominic Humphries
 wrote:
>
> As per 
> https://httpd.apache.org/docs/current/mod/mod_log_config.html#format-notes we 
> see special characters getting represented in our logs by their hexadecimal 
> representation - \xhh
>
> However, we output our logs in a json format, and this representation results 
> in invalid JSON, which gives us problems when we forward them to Logstash.
>
> A path of /abc gives us the expected output: "@message": "GET /abc HTTP/1.1"
> which is valid JSON
> But a path of e.g. /abcé results in: "@message": "GET /abc\xc3\xa9 HTTP/1.1"
> which results in jq reporting parse error: Invalid escape
>
> Ideally, we'd like to disable the hex representation and just have the 
> original string in our logs. Failing that, adding additional backslashes to 
> escape the inserted hex seems like it should work, and I thought piping the 
> log via sed would allow for this, but for some reason
>
> CustomLog "|$/usr/bin/sed 's/old/new/g' >> logfile" logstash_ext_json
>
> just results in nothing being logged to the file - no errors anywhere, just 
> no logging happening.

sed may buffer input/output, so it might take a while before anything
is written to the logfile.

> Any advice on how to fix the logging so every special character doesn't break 
> JSON parsing would be appreciated!

The correct solution - proper JSON-style escaping is currently stuck
in this Pull request:

https://github.com/apache/httpd/pull/429

If you build httpd yourself anyway, you can just apply that patch
locally, test it, and report your results in the pull request. That may
help it move towards getting merged into the 2.4 branch.

As a workaround, substitute \x with % in your log pipeline.

Rainer

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
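
The `\x` to `%` workaround from the reply above, as an added example that is not code from the thread or from httpd: a line filter that leaves `\\` pairs alone (a blind `s/\\x/%/g` would break them) and flushes per line so buffering does not hide output. `hex_to_json_u` is an assumed alternative that keeps raw bytes distinguishable from percent-encoding already present in the URL; the sample log lines are constructed.

```python
#!/usr/bin/env python3
"""Make httpd's \\xhh log escapes safe for a JSON log pipeline."""
import json
import re
import sys

# Either an escaped backslash (must be kept as a unit) or a \xhh byte escape.
_ESCAPE = re.compile(r'(\\\\)|\\x([0-9A-Fa-f]{2})')


def _substitute(line, prefix):
    def repl(match):
        if match.group(1):            # "\\" is already valid JSON: keep it
            return match.group(1)
        return prefix + match.group(2)
    return _ESCAPE.sub(repl, line)


def hex_to_percent(line):
    """The workaround from the thread: \\xhh becomes %hh."""
    return _substitute(line, '%')


def hex_to_json_u(line):
    """Assumed alternative: \\xhh becomes \\u00hh, one code point per raw byte."""
    return _substitute(line, '\\u00')


def main(stream_in=sys.stdin, stream_out=sys.stdout):
    """Filter line by line and flush each line, so nothing sits in a buffer."""
    for line in stream_in:
        stream_out.write(hex_to_percent(line))
        stream_out.flush()


# Constructed sample lines in the format quoted in the thread.
SAMPLE = r'{"@message": "GET /abc\xc3\xa9 HTTP/1.1"}'
# Escaped backslash followed by "x41", then an escaped quote: must not change.
TRICKY = r'{"@message": "GET /a\\x41\"b HTTP/1.1"}'

if __name__ == "__main__":
    main()
```

With `hex_to_percent`, a raw `0xc3 0xa9` in the request and a client-sent `%c3%a9` look the same in the log afterwards; `hex_to_json_u` avoids that at the cost of a latin-1 round trip when reading the field back.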



[users@httpd] Re: [External] : Re: [users@httpd] DirectoryIndex broken in Apache 2.4.60?

2024-07-01 Thread Jack Swan
thank you everyone.  Changes made and they work.

Point taken about being invalid for 15 years.  I inherited an old 
application/setup.

Again, thank you all.

From: Frank Gingras 
Sent: Monday, July 1, 2024 3:03 PM
To: users@httpd.apache.org 
Subject: [External] : Re: [users@httpd] DirectoryIndex broken in Apache 2.4.60?



On Mon, Jul 1, 2024 at 2:53 PM Eric Covener wrote:
On Mon, Jul 1, 2024 at 2:51 PM Matthew Goebel  wrote:
>
> Going from 2.4.59 to 2.5.60 I had to make the following change in my 
> httpd.conf file.
>
> AddType application/x-httpd-php .php
>
> to
>
> AddHandler application/x-httpd-php .php

Thanks Matthew, this makes perfect sense. I will add this to the changelogs.



To be fair, this has been invalid for at least 15 years:

AddType application/x-httpd-php .php




Re: [users@httpd] DirectoryIndex broken in Apache 2.4.60?

2024-07-01 Thread Frank Gingras
On Mon, Jul 1, 2024 at 2:53 PM Eric Covener  wrote:

> On Mon, Jul 1, 2024 at 2:51 PM Matthew Goebel 
> wrote:
> >
> > Going from 2.4.59 to 2.5.60 I had to make the following change in my
> httpd.conf file.
> >
> > AddType application/x-httpd-php .php
> >
> > to
> >
> > AddHandler application/x-httpd-php .php
>
> Thanks Matthew, this makes perfect sense. I will add this to the
> changelogs.
>
>
>
To be fair, this has been invalid for at least 15 years:

AddType application/x-httpd-php .php


Re: [users@httpd] DirectoryIndex broken in Apache 2.4.60?

2024-07-01 Thread Eric Covener
On Mon, Jul 1, 2024 at 2:51 PM Matthew Goebel  wrote:
>
> Going from 2.4.59 to 2.5.60 I had to make the following change in my 
> httpd.conf file.
>
> AddType application/x-httpd-php .php
>
> to
>
> AddHandler application/x-httpd-php .php

Thanks Matthew, this makes perfect sense. I will add this to the changelogs.




Re: [users@httpd] DirectoryIndex broken in Apache 2.4.60?

2024-07-01 Thread Eric Covener
On Mon, Jul 1, 2024 at 2:45 PM Jack Swan  wrote:
>
> Have an existing application and Apache installation (have been using Apache 
> for years).
>
> Upgraded Apache from 2.4.59 to 2.4.60 today and the browser prompts to save 
> the index.php file instead of
> serving/processing it when just entering https:// as the URL.  
> This had been working fine for years
> up until upgrading to 2.4.60.
>
> The change notes for 2.4.60 reference some new rewrite rule flags, 
> specifically  UnsafeAllow3F and UnsafePrefixStat
> could these now be needed or is there some other configuration change needed?
>
> Do I need a simple Rewrite rule and can someone suggest one?

Do you have existing rewrites applying here? Or SetHandler or AddType
related to PHP?
Please share what you can from the config.




Re: [users@httpd] DirectoryIndex broken in Apache 2.4.60?

2024-07-01 Thread Matthew Goebel
Going from 2.4.59 to 2.5.60 I had to make the following change in my
httpd.conf file.

AddType application/x-httpd-php .php

to

AddHandler application/x-httpd-php .php


Thanks,

Matt



On Mon, Jul 1, 2024 at 2:45 PM Jack Swan 
wrote:

> Have an existing application and Apache installation (have been using
> Apache for years).
>
> Upgraded Apache from 2.4.59 to 2.4.60 today and the browser prompts to
> save the index.php file instead of
> serving/processing it when just entering https:// as the
> URL.  This had been working fine for years
> up until upgrading to 2.4.60.
>
> The change notes for 2.4.60 reference some new rewrite rule flags,
> specifically  UnsafeAllow3F and UnsafePrefixStat
> could these now be needed or is there some other configuration change needed?
>
> Do I need a simple Rewrite rule and can someone suggest one?
>
> Thanks,
>
> John Swan
>


-- 
Matthew Goebel : m goe...@emich.edu : Unix Jockey
@ EMU : Hail Eris
Neo-Student, Net Lurker, Donut consumer, and procrastinating medher...
 "Always with the negative waves, Moriarty" - Oddball
 "Comfort the troubled, and trouble the comfortable." - Dietrich Bonhoeffer


Re: [users@httpd] Removing single question mark?

2024-06-20 Thread Eric Covener
On Thu, Jun 20, 2024 at 7:08 PM Dave Wreski
 wrote:

> Hi, I should add that I wrote the following to remove an errant question
> mark from the end of another URL, but it doesn't appear to work for the
> homepage.
>
> RewriteCond %{THE_REQUEST} /features\? [NC]
> RewriteRule ^ %{REQUEST_URI} [L,R=302,NE,QSD]
>

I think %{THE_REQUEST} is the way to go. But what do you mean about "the
homepage" and how does it relate to /features in your regex?
Maybe you want something closer to this for a request with a trailing ?
and no actual query:
RewriteCond %{THE_REQUEST} "\? HTTP/" [NC]

If it doesn't work, post rewrite:trace8 output.


Re: [users@httpd] Removing single question mark?

2024-06-20 Thread Dave Wreski
Hi, I should add that I wrote the following to remove an errant question 
mark from the end of another URL, but it doesn't appear to work for the 
homepage.


RewriteCond %{THE_REQUEST} /features\? [NC]
RewriteRule ^ %{REQUEST_URI} [L,R=302,NE,QSD]

Thanks,
Dave

On 6/20/24 7:01 PM, Dave Wreski wrote:


> Hi,
>
> I have another challenging rewrite rule request, please. I'm trying to
> remove a single question mark from a URL:
>
> https://example.com/?
>
> I've tried the following:
>
> RewriteRule ^/\?$ / [L,R=301,QSD]
> RewriteRule ^/\? /? [L,R=301]
>
> RewriteCond %{REQUEST_URI} ^$
> RewriteRule ^ /? [L,R=301,QSD]
>
> But it seems to ignore all of them. Ideas greatly appreciated.
>
> Thanks,
> Dave






Re: [users@httpd] Authentication in Location blocks for reverse proxy seems to take precedence in routes

2024-06-14 Thread M Foster
Ah, that works! Great suggestion. I've never encountered this behavior
before because previous iterations had the backends for each ProxyPass
directive pointing to the same (Docker) host.

Thank you so much!

On Fri, Jun 14, 2024 at 12:25 PM Daniel Gruno  wrote:

> On 6/14/24 12:41, M Foster wrote:
> > Hello,
> >
> > I'm struggling a bit with an issue when using Apache as a reverse proxy
> > when needing to use differing Authentication. I've searched for a couple
> > of days now, but nothing matching what I'm seeing has come up.
> >
> > The scenario is that I am using Apache as a reverse proxy, but sending a
> > sub-path to different backend like so (extremely simplified):
> >
> > 
> >ProxyPass http://host2:8080/foo/bar 
> > 
> > 
> >ProxyPass http://host1.example.com/foo 
> > 
>
> One is overriding the other, so you get an arbitrary result. You can
> exclude /foo/bar from your second pass by using something like
> LocationMatch instead:
>
> 
>.. things here for /foo/bar
> 
> 
>  .. things here for /foo/baz but not /foo/bar
>  ProxyPass "http://host1.example.com/$1"
> 
>
> Do note that if the Auth realm is the same, you can get the wrong
> credentials showing up if they differ. These should be unique if the
> credentials are.
>
> >
> > This works without issue. However, as soon as I try to put
> > authentication on the second location (or more accurately different
> > authentication directives), any request to "/foo/bar" triggers auth:
> >
> > Example:
> > 
> >ProxyPass http://host2:8080/foo/bar 
> > 
> > 
> >AuthType basic
> >AuthName "Restricted"
> >AuthUserFile /usr/local/apache2/.htpasswd
> >Require valid-user
> >ProxyPass http://host1.example.com/foo 
> > 
> >
> > In the logs, set to trace8, I see that now apache is matching the
> > REQUEST_URI to the wrong proxy handler:
> >
> > "attempting to match URI path '/foo/bar' against prefix '/foo' for
> proxying
> > "URI path /foo/bar' matches proxy handler 'proxy:http://
> > host1.example.com/foo/bar '"
> > "authorization result of Require valid-user : denied (no authenticated
> > user)"
> >
> > Without any auth, the logs correctly show the request to `/foo/bar`
> > being routed to the correct proxy handler 'proxy:http://host2:8080/foo/
> > bar '.
> >
> > If anyone has any ideas on why adding auth completely blows up the proxy
> > routing, I'd appreciate it. Otherwise, I'll have to create two proxy
> > servers, just to handle each case.
> >
>
>
>
>


Re: [users@httpd] Authentication in Location blocks for reverse proxy seems to take precedence in routes

2024-06-14 Thread Daniel Gruno

On 6/14/24 12:41, M Foster wrote:
> Hello,
>
> I'm struggling a bit with an issue when using Apache as a reverse proxy
> when needing to use differing Authentication. I've searched for a couple
> of days now, but nothing matching what I'm seeing has come up.
>
> The scenario is that I am using Apache as a reverse proxy, but sending a
> sub-path to different backend like so (extremely simplified):
>
>
>    ProxyPass http://host2:8080/foo/bar
>
>
>    ProxyPass http://host1.example.com/foo
>

One is overriding the other, so you get an arbitrary result. You can
exclude /foo/bar from your second pass by using something like
LocationMatch instead:


  .. things here for /foo/bar


  .. things here for /foo/baz but not /foo/bar
  ProxyPass "http://host1.example.com/$1"


Do note that if the Auth realm is the same, you can get the wrong
credentials showing up if they differ. These should be unique if the
credentials are.

> This works without issue. However, as soon as I try to put
> authentication on the second location (or more accurately different
> authentication directives), any request to "/foo/bar" triggers auth:
>
> Example:
>
>    ProxyPass http://host2:8080/foo/bar
>
>
>    AuthType basic
>    AuthName "Restricted"
>    AuthUserFile /usr/local/apache2/.htpasswd
>    Require valid-user
>    ProxyPass http://host1.example.com/foo
>
>
> In the logs, set to trace8, I see that now apache is matching the
> REQUEST_URI to the wrong proxy handler:
>
> "attempting to match URI path '/foo/bar' against prefix '/foo' for proxying
> "URI path /foo/bar' matches proxy handler 'proxy:http://
> host1.example.com/foo/bar '"
> "authorization result of Require valid-user : denied (no authenticated
> user)"
>
> Without any auth, the logs correctly show the request to `/foo/bar`
> being routed to the correct proxy handler 'proxy:http://host2:8080/foo/
> bar '.
>
> If anyone has any ideas on why adding auth completely blows up the proxy
> routing, I'd appreciate it. Otherwise, I'll have to create two proxy
> servers, just to handle each case.







Re: [users@httpd] Stripping trailing slashes (again)

2024-06-13 Thread Eric Covener
> RewriteRule ^(.*)/+$ https://linuxsecurity.com$1 [R=301,END]
>
> I've also set logging to trace5 (even though none of the entries were above 
> trace4) - shouldn't it provide me with enough info to determine where/why 
> it's looping?

I think it loops because it redirects https://linuxsecurity.com/ to
https://linuxsecurity.com which the browser treats as
https://linuxsecurity.com/

You'll need to handle / with a condition or a slightly different regex.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
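
A small model of the loop described in the reply above, added here and not part of the thread: it applies the rule's regex to the request path, then normalizes the redirect target's empty path to `/` as a browser does. `FIXED` is one assumed "slightly different regex" (a non-empty, lazy capture); only the regex and the empty-path normalization are modelled, not the rest of httpd's request handling.

```python
import re
from urllib.parse import urlsplit

HOST = "https://linuxsecurity.com"

ORIGINAL = r'^(.*)/+$'   # the rule from the thread: $1 is empty for "/"
FIXED = r'^(.+?)/+$'     # assumption: require a non-empty path before the slashes


def rewrite(pattern, path):
    """Return the redirect target for `path`, or None if the rule does not match."""
    match = re.search(pattern, path)
    return HOST + match.group(1) if match else None


def follow(pattern, path, max_hops=5):
    """Follow redirects as a client would; return (hops, final_path, looped)."""
    hops = 0
    while hops < max_hops:
        target = rewrite(pattern, path)
        if target is None:
            return hops, path, False
        # "https://linuxsecurity.com" has an empty path, which is requested
        # as "/", so the server sees the very same request again.
        path = urlsplit(target).path or "/"
        hops += 1
    return hops, path, True


if __name__ == "__main__":
    for name, pattern in (("original", ORIGINAL), ("fixed", FIXED)):
        for path in ("/", "/news/", "/news///"):
            print(name, path, follow(pattern, path))
```

The greedy `(.*)` also strips only one slash per redirect, so `/news///` takes three hops with the original rule and one with the lazy capture.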



Re: [users@httpd] Stripping trailing slashes (again)

2024-06-13 Thread Dave Wreski



>> Some time ago I requested help with a rewrite rule to strip
>> trailing slash(es) from all URLs in our joomla website, but I'm
>> still having problems. This is the rule I am currently working with:
>>
>> RewriteRule ^(.*)/+$ https://linuxsecurity.com$1 [R=301,L]
>>
>> It works fine for any URL other than the homepage. Somehow for the
>> homepage it creates an infinite loop, despite using "L", so
>> perhaps I don't understand what it's doing. The (.*) is supposed
>> to match any character, but there wouldn't be any preceding
>> elements for the homepage.
>>
>> The problem as I see it is that, for the homepage, (.*) would be
>> null, so $1 would also be null? This then creates the same URL as
>> the one we're trying to fix.
>>
>> First it appears to work properly (trimmed for legibility):
>>
>> init rewrite engine with requested uri /
>> applying pattern '^(.*)/+$' to uri '/'
>> rewrite '/' -> 'https://linuxsecurity.com'
>> explicitly forcing redirect with https://linuxsecurity.com
>> escaping https://linuxsecurity.com for redirect
>> redirect to https://linuxsecurity.com [REDIRECT/301]
>>
>> then it looks like it inits the rewrite engine again?
>>
>> init rewrite engine with requested uri /, referer:
>> https://linuxsecurity.com/
>> applying pattern '^(.*)/+$' to uri '/', referer:
>> https://linuxsecurity.com/
>> rewrite '/' -> 'https://linuxsecurity.com', referer:
>> https://linuxsecurity.com/
>> explicitly forcing redirect with https://linuxsecurity.com,
>> referer: https://linuxsecurity.com/
>> escaping https://linuxsecurity.com for redirect, referer:
>> https://linuxsecurity.com/
>> redirect to https://linuxsecurity.com [REDIRECT/301], referer:
>> https://linuxsecurity.com/
>>
>> This just loops repeatedly until it dies. I've also made sure
>> there's only one "RewriteEngine on" in the virtual host config and
>> the .htaccess. Would that even matter?
>>
>> What am I doing wrong? I've tried a thousand variations of this to
>> no avail.
>
> You will need to stop using .htaccess files to prevent looping, as a
> first step.  Edit your vhost.

I've removed the .htaccess in the document root and there are no other
Includes in the vhost. I've also tried adding [END] but none of it has
made any difference.

RewriteRule ^(.*)/+$ https://linuxsecurity.com$1 [R=301,END]

I've also set logging to trace5 (even though none of the entries were
above trace4) - shouldn't it provide me with enough info to determine
where/why it's looping?

If I remove the one RewriteEngine statement in my vhost config, it's
clear that it does not process any RewriteRules at all.


dave






Re: [users@httpd] Stripping trailing slashes (again)

2024-06-13 Thread Eric Covener
>  despite using "L",

Looked at [END] ?

On Thu, Jun 13, 2024 at 10:41 AM Dave Wreski
 wrote:
>
> Hi,
>
> Some time ago I requested help with a rewrite rule to strip trailing 
> slash(es) from all URLs in our joomla website, but I'm still having problems. 
> This is the rule I am currently working with:
>
> RewriteRule ^(.*)/+$ https://linuxsecurity.com$1 [R=301,L]
>
> It works fine for any URL other than the homepage. Somehow for the homepage 
> it creates an infinite loop, despite using "L", so perhaps I don't understand 
> what it's doing. The (.*) is supposed to match any character, but there 
> wouldn't be any preceding elements for the homepage.
>
> The problem as I see it is that, for the homepage, (.*) would be null, so $1 
> would also be null? This then creates the same URL as the one we're trying to 
> fix.
>
> First it appears to work properly (trimmed for legibility):
>
> init rewrite engine with requested uri /
> applying pattern '^(.*)/+$' to uri '/'
> rewrite '/' -> 'https://linuxsecurity.com'
> explicitly forcing redirect with https://linuxsecurity.com
> escaping https://linuxsecurity.com for redirect
> redirect to https://linuxsecurity.com [REDIRECT/301]
>
> then it looks like it inits the rewrite engine again?
>
> init rewrite engine with requested uri /, referer: https://linuxsecurity.com/
> applying pattern '^(.*)/+$' to uri '/', referer: https://linuxsecurity.com/
> rewrite '/' -> 'https://linuxsecurity.com', referer: 
> https://linuxsecurity.com/
> explicitly forcing redirect with https://linuxsecurity.com, referer: 
> https://linuxsecurity.com/
> escaping https://linuxsecurity.com for redirect, referer: 
> https://linuxsecurity.com/
> redirect to https://linuxsecurity.com [REDIRECT/301], referer: 
> https://linuxsecurity.com/
>
> This just loops repeatedly until it dies. I've also made sure there's only 
> one "RewriteEngine on" in the virtual host config and the .htaccess. Would 
> that even matter?
>
> What am I doing wrong? I've tried a thousand variations of this to no avail.
>
>
>
>


-- 
Eric Covener
cove...@gmail.com




Re: [users@httpd] Stripping trailing slashes (again)

2024-06-13 Thread Frank Gingras
On Thu, Jun 13, 2024 at 10:41 AM Dave Wreski
 wrote:

> Hi,
>
> Some time ago I requested help with a rewrite rule to strip trailing
> slash(es) from all URLs in our joomla website, but I'm still having
> problems. This is the rule I am currently working with:
>
> RewriteRule ^(.*)/+$ https://linuxsecurity.com$1 [R=301,L]
>
> It works fine for any URL other than the homepage. Somehow for the
> homepage it creates an infinite loop, despite using "L", so perhaps I don't
> understand what it's doing. The (.*) is supposed to match any character,
> but there wouldn't be any preceding elements for the homepage.
>
> The problem as I see it is that, for the homepage, (.*) would be null, so
> $1 would also be null? This then creates the same URL as the one we're
> trying to fix.
>
> First it appears to work properly (trimmed for legibility):
>
> init rewrite engine with requested uri /
> applying pattern '^(.*)/+$' to uri '/'
> rewrite '/' -> 'https://linuxsecurity.com'
> explicitly forcing redirect with https://linuxsecurity.com
> escaping https://linuxsecurity.com for redirect
> redirect to https://linuxsecurity.com [REDIRECT/301]
>
> then it looks like it inits the rewrite engine again?
>
> init rewrite engine with requested uri /, referer:
> https://linuxsecurity.com/
> applying pattern '^(.*)/+$' to uri '/', referer:
> https://linuxsecurity.com/
> rewrite '/' -> 'https://linuxsecurity.com', referer:
> https://linuxsecurity.com/
> explicitly forcing redirect with https://linuxsecurity.com, referer:
> https://linuxsecurity.com/
> escaping https://linuxsecurity.com for redirect, referer:
> https://linuxsecurity.com/
> redirect to https://linuxsecurity.com [REDIRECT/301], referer:
> https://linuxsecurity.com/
>
> This just loops repeatedly until it dies. I've also made sure there's only
> one "RewriteEngine on" in the virtual host config and the .htaccess. Would
> that even matter?
>
> What am I doing wrong? I've tried a thousand variations of this to no
> avail.
>
>
>
>
>
You will need to stop using .htaccess files to prevent looping, as a first
step.  Edit your vhost.


Re: [users@httpd] Compatible version with openjdk21

2024-06-10 Thread Eric Covener
https://hc.apache.org/mail.html

On Mon, Jun 10, 2024 at 3:42 AM Sahil Sharma D
 wrote:
>
> Hello team,
>
>
>
> Which version of https client and Core is compatible with openjdk21?
>
>
>
> Regards,
>
> Sahil
>
>



-- 
Eric Covener
cove...@gmail.com




Re: [users@httpd] Redirecting based on IP

2024-06-06 Thread Dave Wreski

Hi,


>> The next steps I'd like to do is to redirect anyone not in that RequireAll
>> statement to be redirected to the production site. Is this possible? Perhaps a
>> RewriteCond that depends upon certain IPs, then otherwise redirects to the
>> production site?
>
> I don't think relying on the IPs is a good idea, since those will
> change, and the proper process to validate them requires 2 DNS
> lookups, if I'm not mistaken. Just use a rewriteCond + rewriteRule to
> generously check the User-Agent and perform the redirect. You may have
> to set an environment variable in the rewrite rule and check that in
> your RequireAll statement to permit the 301 response to be sent. You
> may want to verify that the Vary:User-Agent response header gets sent
> to the client to prevent cache pollution.

I'm back to trying to work on this, and hoped you could assist further.
Is this along the lines of what I should be doing?

  SetEnvIf user-agent "(?i:Googlebot)" stayout=1
      RewriteCond %{HTTP_USER_AGENT}    Googlebot
      RewriteRule (.*) https://linuxsecurity.com$1 [E=stayout:1]

I'm also not sure about the Vary:User-Agent - we are using cloudflare,
but that appears related to triggering googlebot to also scan as another
user agent, such as its mobile bot?

dave



Re: [users@httpd] Require paramater

2024-05-19 Thread Daniel Gruno

On 5/13/24 15:42, Chris me wrote:
> The Apache docs recommend doing this to set up a default deny to file
> locations:
>
>      Require all denied
>
> Do I do that in httpd.conf or do I add that to each  entry?

If you do it in httpd.conf (which I assume would be a server-wide scope
for you), it will be applied globally and thus within every virtualhost
scope as well. You should then, within each virtualhost scope,
explicitly allow access to the documentroot and other directories you
wish to have open for reading.






Re: [users@httpd] Redirecting based on IP

2024-05-17 Thread Dave Wreski

Hi,


>> The staging site is even protected with a RequireAll statement for the
>> DocumentRoot based on the IP, which then results in a 404 and other errors in
>> GSC.
>
> That sounds wrong. If your RequireAll was working as advertised, should
> it not return a 403?

Yes, it does - my mistake.

>> The next steps I'd like to do is to redirect anyone not in that RequireAll
>> statement to be redirected to the production site. Is this possible? Perhaps a
>> RewriteCond that depends upon certain IPs, then otherwise redirects to the
>> production site?
>
> I don't think relying on the IPs is a good idea, since those will
> change, and the proper process to validate them requires 2 DNS
> lookups, if I'm not mistaken. Just use a rewriteCond + rewriteRule to
> generously check the User-Agent and perform the redirect. You may have
> to set an environment variable in the rewrite rule and check that in
> your RequireAll statement to permit the 301 response to be sent. You
> may want to verify that the Vary:User-Agent response header gets sent
> to the client to prevent cache pollution.

I used your rewritecond+rewriterule approach, and it worked perfectly in
my tests. Thanks so much.





Re: [users@httpd] Directory Trailing Slash When Behind Load Balancer

2024-05-17 Thread Rainer Canavan
On Tue, May 14, 2024 at 6:07 PM Gavin Spomer  wrote:
>
> Hello,
>
> I recently migrated my Apache web server from FreeBSD to Ubuntu Server and 
> found an issue with URLs that point to a directory, but don't include the 
> trailing slash, when going through our institution's load balancer. If I 
> access directly (not going through the load balancer), everything works fine:
>
>http://mywebserver.example.com/application
>
>Above works as, from reading the mod_dir documentation, it redirects to
>http://mywebserver.example.com/application/ (adds the trailing slash) and 
> thus the application's index.php script
>is executed.
>
> My web server is fronted by our institution's load balancer which does SSL 
> termination and then sends the request to my web server on port 81. I am not 
> seeing the same behavior when accessing through our load balancer:
>
>https://loadbalancer.example.com/application
>
>The above doesn't work. It hangs, times out and then redirects to 
> http://loadbalancer.example.com:81/application/
>with a "This site can’t be reached" message. It does work if I explicitly 
> add the slash to the URL in my browser:

That's probably not the order that events are actually happening. It
most likely redirects to
http://loadbalancer.example.com:81/application/ first.

[...]
> 
>ServerName mywebserver.example.com:81

Redirects require a complete URL, and mod_dir is probably assembling
that using the ServerName. Use the developer tools in your browser or
curl -v to see what's actually going on, particularly the "Location:"
response header, which is the URL the redirect is sending your browser
to.

Rainer




Re: [users@httpd] Redirecting based on IP

2024-05-16 Thread Rainer Canavan
On Thu, May 16, 2024 at 1:15 AM Dave Wreski
 wrote:
>
> Hi,
>
[...]
> The staging site is even protected with a RequireAll statement for the 
> DocumentRoot based on the IP, which then results in a 404 and other errors in 
> GSC.

That sounds wrong. If your RequireAll was working as advertised, should
it not return a 403?

[...]
>
> The next steps I'd like to do is to redirect anyone not in that RequireAll 
> statement to be redirected to the production site. Is this possible? Perhaps 
> a RewriteCond that depends upon certain IPs, then otherwise redirects to the 
> production site?

I don't think relying on the IPs is a good idea, since those will
change, and the proper process to validate them requires 2 DNS
lookups, if I'm not mistaken. Just use a rewriteCond + rewriteRule to
generously check the User-Agent and perform the redirect. You may have
to set an environment variable in the rewrite rule and check that in
your RequireAll statement to permit the 301 response to be sent. You
may want to verify that the Vary:User-Agent response header gets sent
to the client to prevent cache pollution.

Rainer




Re: [users@httpd] Redirecting based on IP

2024-05-15 Thread gene heskett

On 5/15/24 19:15, Dave Wreski wrote:

> Hi,
>
> Google insists that one of our staging sites needs to be indexed despite
> "disallow" in robots.txt and a half-dozen other methods for preventing
> Google from indexing it (including submitting it for removal from their
> index). The staging site is even protected with a RequireAll statement
> for the DocumentRoot based on the IP, which then results in a 404 and
> other errors in GSC. This impacts our SEO and also causes GSC to stop
> processing the rest of our site.
>
> The next steps I'd like to do is to redirect anyone not in that
> RequireAll statement to be redirected to the production site. Is this
> possible? Perhaps a RewriteCond that depends upon certain IPs, then
> otherwise redirects to the production site?
>
> Thanks,
> Dave

The last time I ran into this was back in iptables days 20 years ago. 
Based on IP they were denied because my site at the time included my 
photos and totalled about 13 gigabytes. This was in the days of 
bandwidth per month of 30 gigs. Because google has so many machines they 
used up all my allocation long before the month was up. I wound up 
putting another search engine in that database, mj12, so I wound up with 
an iptables file about 15k lines long. That continued until I had ported 
the whole thing to a couple new Seagate 1t drives, both of which went 
tits down in the night within 2 weeks, just disappearing off the 
sata-III bus. I was so pi$$ed I didn't even warranty them. SSD's are it 
today. I have only one spinning rust drive in 8 machines here now, a 250 
gig that refuses to die. iptables worked but took about 10 hours a month 
to maintain it cuz they moved the machines to a new address.  Some of 
the iptables rules ended in /16, so I was blocking a goodly share of the 
ipv4 space when I had the gran crash.  I controlled it most of the time 
but it was several hours a week keeping even with them. You never get 
ahead. I still have a registered name but all you get is the apache test 
page.


Cheers, Gene Heskett, CET.
--
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author, 1940)
If we desire respect for the law, we must first make the law respectable.
 - Louis D. Brandeis





RE: [users@httpd] http ok, https Forbidden

2024-05-15 Thread Marc
> 
> we have an apache 2.4.59 running on windows for an internal page.
> Now we would like to use https instead of http
> 
> Opening the url via http works,
> when I use https I get
> 
> Forbidden
> You don't have permission to access this resource.
> 
> I activated the debug level and see these lines
> 

Not enough info, maybe you just lack the configuration of a https virtual host 
entry?





Re: [users@httpd] Apache HTTP Server 2.4 EOL

2024-05-13 Thread Yehuda Katz
There is no planned EOL for 2.4, but you should always be on the most
recently released version - currently 2.4.59 - or possibly on a version
maintained by your OS distribution to keep up with the latest security
patches.

On Mon, May 13, 2024 at 10:50 PM Ehmann G  wrote:

> I tried searching on Google for the end-of-life support information for
> Apache HTTP Server 2.4 but couldn't find any useful results. I also checked
> the Apache website but didn't find any details on this topic. Does anyone
> have any relevant information?
>


Re: [users@httpd] Multi site SSL problems

2024-05-10 Thread Frank Gingras
On Fri, May 10, 2024 at 5:53 PM Tatsuki Makino 
wrote:

> Hello.
>
> By the way, do you have the setting enabled to use the Host header used to
> switch NameVirtualHost during TLS negotiation?
> I don't know how to do that since the Japanese documentation is rarely
> updated :)
> Were those things implemented?
>
> Regards.
>
>
>
>
Tatsuki,

You're thinking of SNI, and it works out of the box with OpenSSL 0.9.8f or
later, and with NameVirtualHost *:443.

So, again, I highly recommend using *:PORT to define all your vhosts,
unless you know exactly what you are doing.


Re: [users@httpd] Multi site SSL problems

2024-05-10 Thread Tatsuki Makino
Hello.

By the way, do you have the setting enabled to use the Host header used to 
switch NameVirtualHost during TLS negotiation?
I don't know how to do that since the Japanese documentation is rarely updated 
:)
Were those things implemented?

Regards.





Re: [users@httpd] Multi site SSL problems

2024-05-10 Thread Frank Gingras
On Fri, May 10, 2024 at 4:10 PM John  wrote:

> On Fri, 2024-05-10 at 15:48 -0400, Sean Conner wrote:
> > It was thus said that the Great Chris me once stated:
> > > I set up each entry with  but when I do that, the
> > > second site will complain that the cert is for site1. So if I go to
> > > site2.com, I get a browser error that the cert is for site1. It will show
> > > me the content for site1.
> >
> >   On my development server, I have the following:
> >
> > 
> >   ServerName  playground.roswell.area51
> >   SSLEngine   on
> >   SSLCertificateFile  /home/spc/web/playground/cert.pem
> >   SSLCertificateKeyFile   /home/spc/web/playground/key.pem
> >   ...
> > 
> >
> > 
> >   ServerName  wiki.roswell.area51
> >   SSLEngine   on
> >   SSLCertificateFile  /home/spc/web/wiki/cert.pem
> >   SSLCertificateKeyFile   /home/spc/web/wiki/key.pem
> >   ...
> > 
> >
> > > I am not sure how to do this part:
> > > Do not use the 2.2 authz directives (Allow/Deny/Order) and use Require instead
> > > I am running Apache 2.2, does it still apply?
> > > It does not look like mod_access_compat is listed under mods-enabled
> >
> >   That I don't remember as I've been running Apache 2.4 for a couple of
> > years now.
> >
> >   -spc
> >
> >
> >
> Typo in the 2nd virtual host "1932.168.1.10:"  probably should be
> "192.168.1.10"
>
> John
> ==
>
>
>
Show the apachectl -S output, and each vhost.  Make sure that every single
:443 vhost has SSLEngine on and SSLCertificateFile set.


Re: [users@httpd] Multi site SSL problems

2024-05-10 Thread John
On Fri, 2024-05-10 at 15:48 -0400, Sean Conner wrote:
> It was thus said that the Great Chris me once stated:
> > I set up each entry with  but when I do that, the
> > second site will complain that the cert is for site1. So if I go to
> > site2.com, I get a browser error that the cert is for site1. It will show
> > me the content for site1.
> 
>   On my development server, I have the following:
> 
> 
>   ServerName  playground.roswell.area51
>   SSLEngine   on
>   SSLCertificateFile  /home/spc/web/playground/cert.pem
>   SSLCertificateKeyFile   /home/spc/web/playground/key.pem
>   ...
> 
> 
> 
>   ServerName  wiki.roswell.area51
>   SSLEngine   on
>   SSLCertificateFile  /home/spc/web/wiki/cert.pem
>   SSLCertificateKeyFile   /home/spc/web/wiki/key.pem
>   ...
> 
> 
> > I am not sure how to do this part:
> > Do not use the 2.2 authz directives (Allow/Deny/Order) and use Require 
> > instead
> > I am running Apache 2.2, does it still apply?
> > It does not look like mod_access_compat is listed under mods-enabled
> 
>   That I don't remember as I've been running Apache 2.4 for a couple of
> years now.
> 
>   -spc
> 
> 
> 
Typo in the 2nd virtual host "1932.168.1.10:"  probably should be "192.168.1.10"

John
==




Re: [users@httpd] Multi site SSL problems

2024-05-10 Thread Sean Conner
It was thus said that the Great Chris me once stated:
> I set up each entry with  but when I do that, the
> second site will complain that the cert is for site1. So if I go to
> site2.com, I get a browser error that the cert is for site1. It will show
> me the content for site1.

  On my development server, I have the following:


ServerName  playground.roswell.area51
SSLEngine   on
SSLCertificateFile  /home/spc/web/playground/cert.pem
SSLCertificateKeyFile   /home/spc/web/playground/key.pem
...



ServerName  wiki.roswell.area51
SSLEngine   on
SSLCertificateFile  /home/spc/web/wiki/cert.pem
SSLCertificateKeyFile   /home/spc/web/wiki/key.pem
...


> I am not sure how to do this part:
> Do not use the 2.2 authz directives (Allow/Deny/Order) and use Require instead
> I am running Apache 2.2, does it still apply?
> It does not look like mod_access_compat is listed under mods-enabled

  That I don't remember as I've been running Apache 2.4 for a couple of
years now.

  -spc





RE: [users@httpd] Multi site SSL problems

2024-05-10 Thread Chris me
I found NameVirtualHost *:443 was commented out in ports.conf, I changed that.
Now I am back to the ssl protocol error for the second site.


From: Chris me 
Sent: Friday, May 10, 2024 8:40 AM
To: users@httpd.apache.org
Subject: RE: [users@httpd] Multi site SSL problems

I set up each entry with  but when I do that, the second 
site will complain that the cert is for site1. So if I go to site2.com, I get a 
browser error that the cert is for site1. It will show me the content for site1.

I am not sure why the difference, my non ssl hosts, ie  all 
work fine, each site gives me the correct content, so why does it not work for 
?

The Entries are

ServerName www.site1.com




ServerName www.site2.com



I am not sure how to do this part:
Do not use the 2.2 authz directives (Allow/Deny/Order) and use Require instead
I am running Apache 2.2, does it still apply?
It does not look like mod_access_compat is listed under mods-enabled

From: Frank Gingras
Sent: Thursday, May 9, 2024 4:12 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Multi site SSL problems



On Thu, May 9, 2024 at 6:54 PM Chris me wrote:
Hi, I am having an issue trying to get multiple sites with their own SSL cert. 
I purchased AlphaSSL certs for them.
The strange thing, the first cert works, the second gives me an 
ERR_SSL_PROTOCOL_ERROR, but only on some systems.

This is what I am using now:

(
Site1 is fine, Site2 gives me the error.

I originally tried with NameVirtualHost *.443
And then 
But when I go to site2, it complains that the cert is invalid because it is 
using the cert from site1?
)



NameVirtualHost 192.99.9.188:443

http://www.site1.com:443>>
ServerName www.site1.com
ServerAdmin webmas...@site1.com
DocumentRoot /home/httpd/sites/site1


Order allow,deny
Allow from all


SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCertificateFile /etc/ssl/site1.ca/server.crt
SSLCertificateKeyFile /etc/ssl/site1.ca/server.key
SSLCertificateChainFile /etc/ssl/site1.ca/bundle.crt


http://www.site2.com:443>>
ServerName www.site2.com
ServerAdmin webmas...@site2.com
DocumentRoot /home/httpd/sites/site2


Order allow,deny
Allow from all


SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCertificateFile /etc/ssl/site2.ca/server.crt
SSLCertificateKeyFile /etc/ssl/site2.ca/server.key
SSLCertificateChainFile /etc/ssl/site2.ca/bundle.crt



So many red flags here:

- Always use *:PORT when defining a vhost, unless you know exactly what you are 
doing
- Set the ServerName directive in every single vhost
- Do not use the 2.2 authz directives (Allow/Deny/Order) and use Require instead
- Unload the mod_access_compat module when apachectl configtest passes

Lastly, show the output from apachectl -S when the fixes are applied


RE: [users@httpd] Multi site SSL problems

2024-05-10 Thread Chris me
I set up each entry with  but when I do that, the second 
site will complain that the cert is for site1. So if I go to site2.com, I get a 
browser error that the cert is for site1. It will show me the content for site1.

I am not sure why the difference, my non ssl hosts, ie  all 
work fine, each site gives me the correct content, so why does it not work for 
?

The Entries are

ServerName www.site1.com




ServerName www.site2.com



I am not sure how to do this part:
Do not use the 2.2 authz directives (Allow/Deny/Order) and use Require instead
I am running Apache 2.2, does it still apply?
It does not look like mod_access_compat is listed under mods-enabled

From: Frank Gingras 
Sent: Thursday, May 9, 2024 4:12 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Multi site SSL problems



On Thu, May 9, 2024 at 6:54 PM Chris me wrote:
Hi, I am having an issue trying to get multiple sites with their own SSL cert. 
I purchased AlphaSSL certs for them.
The strange thing, the first cert works, the second gives me an 
ERR_SSL_PROTOCOL_ERROR, but only on some systems.

This is what I am using now:

(
Site1 is fine, Site2 gives me the error.

I originally tried with NameVirtualHost *.443
And then 
But when I go to site2, it complains that the cert is invalid because it is 
using the cert from site1?
)



NameVirtualHost 192.99.9.188:443

http://www.site1.com:443>>
ServerName www.site1.com
ServerAdmin webmas...@site1.com
DocumentRoot /home/httpd/sites/site1


Order allow,deny
Allow from all


SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCertificateFile /etc/ssl/site1.ca/server.crt
SSLCertificateKeyFile /etc/ssl/site1.ca/server.key
SSLCertificateChainFile /etc/ssl/site1.ca/bundle.crt


http://www.site2.com:443>>
ServerName www.site2.com
ServerAdmin webmas...@site2.com
DocumentRoot /home/httpd/sites/site2


Order allow,deny
Allow from all


SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCertificateFile /etc/ssl/site2.ca/server.crt
SSLCertificateKeyFile /etc/ssl/site2.ca/server.key
SSLCertificateChainFile /etc/ssl/site2.ca/bundle.crt



So many red flags here:

- Always use *:PORT when defining a vhost, unless you know exactly what you are 
doing
- Set the ServerName directive in every single vhost
- Do not use the 2.2 authz directives (Allow/Deny/Order) and use Require instead
- Unload the mod_access_compat module when apachectl configtest passes

Lastly, show the output from apachectl -S when the fixes are applied


Re: [users@httpd] Multi site SSL problems

2024-05-09 Thread Frank Gingras
On Thu, May 9, 2024 at 6:54 PM Chris me  wrote:

> Hi, I am having an issue trying to get multiple sites with their own SSL
> cert. I purchased AlphaSSL certs for them.
>
> The strange thing, the first cert works, the second gives me an
> ERR_SSL_PROTOCOL_ERROR, but only on some systems.
>
>
>
> This is what I am using now:
>
>
>
> (
>
> Site1 is fine, Site2 gives me the error.
>
>
>
> I originally tried with NameVirtualHost *.443
>
> And then 
>
> But when I go to site2, it complains that the cert is invalid because it
> is using the cert from site1?
>
> )
>
>
>
>
>
> 
>
> NameVirtualHost 192.99.9.188:443
>
>
>
> 
>
> ServerName www.site1.com
>
> ServerAdmin webmas...@site1.com
>
> DocumentRoot /home/httpd/sites/site1
>
> 
>
>
>
> Order allow,deny
>
> Allow from all
>
> 
>
>
>
> SSLEngine on
>
> SSLProtocol all -SSLv2 -SSLv3
>
> SSLCertificateFile /etc/ssl/site1.ca/server.crt
>
> SSLCertificateKeyFile /etc/ssl/site1.ca/server.key
>
> SSLCertificateChainFile /etc/ssl/site1.ca/bundle.crt
>
> 
>
>
>
> 
>
> ServerName www.site2.com
>
> ServerAdmin webmas...@site2.com
>
> DocumentRoot /home/httpd/sites/site2
>
> 
>
>
>
> Order allow,deny
>
> Allow from all
>
> 
>
>
>
> SSLEngine on
>
> SSLProtocol all -SSLv2 -SSLv3
>
> SSLCertificateFile /etc/ssl/site2.ca/server.crt
>
> SSLCertificateKeyFile /etc/ssl/site2.ca/server.key
>
> SSLCertificateChainFile /etc/ssl/site2.ca/bundle.crt
>
> 
>
> 
>

So many red flags here:

- Always use *:PORT when defining a vhost, unless you know exactly what you
are doing
- Set the ServerName directive in every single vhost
- Do not use the 2.2 authz directives (Allow/Deny/Order) and use Require
instead
- Unload the mod_access_compat module when apachectl configtest passes

Lastly, show the output from apachectl -S when the fixes are applied
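
The checklist in this reply, together with the later advice in the thread that every :443 vhost needs SSLEngine on and SSLCertificateFile, can be checked mechanically before reloading. The linter below is an added example, not code from the thread or from the httpd project; the sample configuration is constructed, and its host names, paths and the 192.0.2.10 address are placeholders.

```python
import re

# Constructed sample modelled on the thread's multi-site setup; host names,
# paths and the 192.0.2.10 address are placeholders, not values from the thread.
SAMPLE_CONF = """\
<VirtualHost 192.0.2.10:443>
    ServerName www.site1.example
    SSLEngine on
    SSLCertificateFile /etc/ssl/site1/server.crt
    <Directory /home/httpd/sites/site1>
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>

<VirtualHost *:443>
    DocumentRoot /home/httpd/sites/site2
    SSLEngine on
</VirtualHost>

<VirtualHost *:443>
    ServerName www.site3.example
    SSLEngine on
    SSLCertificateFile /etc/ssl/site3/server.crt
    <Directory /home/httpd/sites/site3>
        Require all granted
    </Directory>
</VirtualHost>
"""

OPEN_RE = re.compile(r"<VirtualHost\s+([^>]+)>", re.IGNORECASE)
CLOSE_RE = re.compile(r"</VirtualHost\s*>", re.IGNORECASE)
LEGACY_AUTHZ = {"order", "allow", "deny"}  # 2.2-style access control directives


def parse_vhosts(text):
    """Return one dict per <VirtualHost> block: its addresses and directives."""
    vhosts, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = OPEN_RE.fullmatch(line)
        if opened:
            current = {"addrs": opened.group(1).split(), "directives": []}
        elif CLOSE_RE.fullmatch(line):
            if current is not None:
                vhosts.append(current)
            current = None
        elif current is not None and not line.startswith("<"):
            parts = line.split(None, 1)  # nested <Directory> tags are skipped
            current["directives"].append(
                (parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    return vhosts


def split_addr(addr):
    """Split 'host:port' (also '[v6]:port'); a bare host has no port."""
    if ":" in addr and not addr.endswith("]"):
        host, _, port = addr.rpartition(":")
        return host, port
    return addr, ""


def lint_vhost(vhost):
    """Apply the thread's checklist; return finding codes in a fixed order."""
    values = dict(vhost["directives"])  # last occurrence of a directive wins
    names = set(values)
    addrs = [split_addr(a) for a in vhost["addrs"]]
    is_tls = any(port == "443" for _, port in addrs) or "sslengine" in names
    findings = []
    if any(host != "*" for host, _ in addrs):
        findings.append("address-not-wildcard")
    if "servername" not in names:
        findings.append("missing-servername")
    if is_tls and values.get("sslengine", "").lower() != "on":
        findings.append("sslengine-not-on")
    if is_tls and "sslcertificatefile" not in names:
        findings.append("missing-sslcertificatefile")
    if names & LEGACY_AUTHZ:
        findings.append("legacy-authz-directives")
    return findings


def lint_config(text):
    """Lint every vhost; label each by ServerName, else by its address list."""
    report = []
    for vhost in parse_vhosts(text):
        label = dict(vhost["directives"]).get("servername") or " ".join(vhost["addrs"])
        report.append((label, lint_vhost(vhost)))
    return report


if __name__ == "__main__":
    for label, findings in lint_config(SAMPLE_CONF):
        print(f"{label}: {', '.join(findings) or 'ok'}")
```

The parser reads a single file and does not follow Include directives, so `apachectl -S` remains the authoritative view of which vhost answers for which name.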


Re: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-05-05 Thread General Email
On Wed, 17 Apr 2024 at 15:36, General Email
 wrote:
>
>
> Anyways, I looked more on google and I think that I have found what I was 
> looking for on this page:
> https://gist.github.com/taoyuan/39d9bc24bafc8cc45663683eae36eb1a
>


A few days ago, I configured SSL and enabled HTTPS on Apache 2.4. It is
working fine.

I am listing the steps below, in case it helps someone.

--
Enabling HTTPS and Configuring SSL in Apache 2.4 on Windows 10
Date: April, 2024
--


VERY IMPORTANT:

You should not follow this process for a production environment because
the self-signed SSL certificate (that is being generated here) is a security risk.
You should follow this process only for the local development environment.


-
Please follow the steps listed below:
-

Step 1: Stop Apache web server if it is already running.

Step 2: Add "absolute_path_to_apache24_dir\bin" to the system environment
variable "Path". openssl.exe is in this folder.

Step 3: Open the Windows command prompt and change directory to
"absolute_path_to_apache24_dir\conf".

Step 4: On the command prompt, execute the following command:

set OPENSSL_CONF=absolute_path_to_apache24_dir\conf\openssl.cnf

If "absolute_path_to_apache24_dir" contains spaces then enclose the
path in quotes.

Step 5: Check that the OPENSSL_CONF variable is set to correct directory by
executing the following command on the command prompt:

echo %OPENSSL_CONF%

Step 6: On the command prompt, execute the following command
(openssl.exe is in "absolute_path_to_apache24_dir\bin" folder):

openssl genrsa -out cert.key 2048

Step 7: On the command prompt, execute the following command:

openssl req -new -key cert.key -out cert.csr

When you execute this command, you will be asked to give input for
some fields. I had given input for only one field (and for other fields,
I just hit "Enter" key):

Common Name (e.g. server FQDN or YOUR name) []:localhost

Step 8: On the command prompt, execute the following command:

openssl x509 -req -days 3650 -in cert.csr -signkey cert.key -out cert.crt

Step 9: Change a few lines in the
"absolute_path_to_apache24_dir\conf\httpd.conf"
file. I am listing the lines after the changes. I am not listing the
original lines. You can search and change/replace the
original lines.

The changed lines are:

Define SRVROOT "absolute_path_to_apache24_dir"
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule ssl_module modules/mod_ssl.so
ServerName localhost:80
Include conf/extra/httpd-ssl.conf

Step 10: Change a few lines in the
  "absolute_path_to_apache24_dir\conf\extra\httpd-ssl.conf" file.
  I am listing the lines after the changes. I am not listing the
  original lines. You can search and change/replace the
original lines.

 The changed lines are:

 ServerName localhost:443
 ServerAdmin ad...@localhost.localdomain.com
 SSLCertificateFile "${SRVROOT}/conf/cert.crt"
 SSLCertificateKeyFile "${SRVROOT}/conf/cert.key"

Step 11 (Last Step): Now, you can start Apache web server and test.

 Since the security certificate that was generated here is self-signed,
 the browser may show you a warning that the connection/certificate,
 etc. is not trusted. But since this is your local development
 environment, you can ignore this warning and accept the risk and
 go ahead with the testing/development, etc.

 I do the same (ignore the warning and accept the risk).

 End 




Re: [users@httpd] Stripping query string except from specific URL

2024-04-28 Thread Dave Wreski



RewriteCond %{REQUEST_URI} !/resources/blog
RewriteCond %{QUERY_STRING} ^start=\d+$
RewriteRule (.*)   /$1?    [L,R=301,QSD]

[Sun Apr 28 15:40:02.614893 2024] ... rewrite 'resources/blog' ->
'index.php'
[Sun Apr 28 15:40:02.614921 2024] ... internal redirect with
/index.php [INTERNAL REDIRECT]

If I don't involve the first RewriteCond, it successfully strips
off the start= from every URL I tried.

What does "INTERNAL REDIRECT" mean? Is that something done outside
of apache? Perhaps by joomla? I believe there are other relevant
redirects after these, but it's very difficult to isolate what's
relevant.

The internal redirect is the result of your rewrite rule, without a 
fully qualified URL as a target.


Side note: the "rewrite 'resources/blog' -> 'index.php'" line seems to 
contradict your RewriteCond logic, so increasing the verbosity of the 
logging and looking at the previous lines will help fix that.


I increased it to trace5, and it did reveal more useful info.

[Sun Apr 28 21:55:36.542349 2024] ...  RewriteCond: 
input='/resources/blog' pattern='!/resources/blog' => not-matched


It looks like after this it just moved on to the next rewriterule, not 
the next rewritecond as part of this block, of sorts. I was assuming it 
was more of an AND statement, like "if URI is NOT /resources/blog AND 
query string contains start=..., then apply the following rewrite rule, 
but that's apparently not how it works.


I only want the rewrite rule above to apply to URLs that don't involve 
our blog.


And because the first RewriteCond isn't matched, it doesn't check the 
second RewriteCond, and therefore treats the RewriteRule as a standalone 
and not part of the previous RewriteRule, so then just redirects to the 
root, apparently still with the start= query string attached.


How do I write the logic such that it applies to every URL EXCEPT those 
I specify?
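
The trace posted in this thread shows the per-directory rewrite 'resources/blog' -> 'index.php', an internal redirect, and then the same pattern '(.*)' being applied again to '/index.php'. The model below is an added example, not code from the thread; it replays the posted conditions over both passes. It assumes every path is sent to /index.php by the per-directory rewrite, and the `%{THE_REQUEST}` variant is an illustrative alternative that nobody in the thread proposed.

```python
import re
from dataclasses import dataclass


@dataclass
class Pass:
    """mod_rewrite variables as seen on one pass through the rule set."""
    request_uri: str   # %{REQUEST_URI}: changes when the URI is rewritten
    query_string: str  # %{QUERY_STRING}: carried over an internal redirect
    the_request: str   # %{THE_REQUEST}: the client's original request line


def cond(pattern, value):
    """One RewriteCond: unanchored regex search; a leading '!' negates it."""
    negate = pattern.startswith("!")
    hit = re.search(pattern[1:] if negate else pattern, value) is not None
    return hit != negate


def thread_rule(p):
    """The two conditions from the thread. Consecutive RewriteConds are ANDed."""
    return (cond("!/resources/blog", p.request_uri)
            and cond(r"^start=\d+$", p.query_string))


def original_request_rule(p):
    """Assumed variant (not from the thread): exclude by the original request."""
    return (cond(r"!^[A-Z]+ /resources/blog", p.the_request)
            and cond(r"^start=\d+$", p.query_string))


def serve(path, query, rule):
    """Return (status, target, pass_number) for one client request.

    Pass 1 sees the requested path. If the rule does not fire, the per-directory
    front-controller rewrite (assumed to send every path to /index.php, as the
    trace shows for 'resources/blog') causes an internal redirect, and the same
    rule set runs again on pass 2 with REQUEST_URI=/index.php.
    """
    request_line = f"GET {path}{'?' + query if query else ''} HTTP/1.1"
    if rule(Pass(path, query, request_line)):
        return (301, path, 1)              # redirect, query string dropped
    if rule(Pass("/index.php", query, request_line)):
        return (301, "/index.php", 2)      # fired on the rewritten URI
    return (200, "/index.php", 2)          # served by the front controller


if __name__ == "__main__":
    for path, query in [("/products", "start=48"), ("/resources/blog", "start=48")]:
        for rule in (thread_rule, original_request_rule):
            print(path, query, rule.__name__, serve(path, query, rule))
```

With the thread's conditions the blog request is skipped on pass 1 and redirected to /index.php on pass 2, which matches the 301 in the posted curl output.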




Re: [users@httpd] Stripping query string except from specific URL

2024-04-28 Thread Frank Gingras
On Sun, Apr 28, 2024 at 4:05 PM Dave Wreski
 wrote:

> Hi,
>
> I'm really quite stuck and hoped you could help.
>
> My apologies - the output was from wget, as that's what I typically use.
>>
>> $ curl 'https://guardiandigital.com/resources/blog?start=48'
>> 
>> 
>> 301 Moved Permanently
>> 
>> Moved Permanently
>> The document has moved https://guardiandigital.com/index.php;
>> >here.
>> 
>>
>>
>>
> The next step is to find out where the 301 is coming from - your rules
> will generate a 302.
>
> That may have been the result of me trying many different things and
> getting a bit confused (again). Here's what I know - when I insert the
> following code into my virtual host config, it strips the query string off
> the pages that don't involve /resources/blog, but redirects to a 404 when
> attempting to access a page involving "/resources/blog" and the "?start="
> query string.
>
> RewriteCond %{REQUEST_URI} !/resources/blog
> RewriteCond %{QUERY_STRING} ^start=\d+$
> RewriteRule (.*)   /$1? [L,R=301,QSD]
>
> [Sun Apr 28 15:40:02.614893 2024] ... rewrite 'resources/blog' ->
> 'index.php'
> [Sun Apr 28 15:40:02.614921 2024] ... internal redirect with /index.php
> [INTERNAL REDIRECT]
>
> If I don't involve the first RewriteCond, it successfully strips off the
> start= from every URL I tried.
>
> What does "INTERNAL REDIRECT" mean? Is that something done outside of
> apache? Perhaps by joomla? I believe there are other relevant redirects
> after these, but it's very difficult to isolate what's relevant.
>
>
>
The internal redirect is the result of your rewrite rule, without a fully
qualified URL as a target.

Side note: the "rewrite 'resources/blog' -> 'index.php'" line seems to
contradict your RewriteCond logic, so increasing the verbosity of the
logging and looking at the previous lines will help fix that.


Re: [users@httpd] Stripping query string except from specific URL

2024-04-28 Thread Dave Wreski

Hi,

I'm really quite stuck and hoped you could help.


My apologies - the output was from wget, as that's what I
typically use.

$ curl 'https://guardiandigital.com/resources/blog?start=48'


301 Moved Permanently

Moved Permanently
The document has moved https://guardiandigital.com/index.php;
>here.




The next step is to find out where the 301 is coming from - your rules 
will generate a 302.


That may have been the result of me trying many different things and 
getting a bit confused (again). Here's what I know - when I insert the 
following code into my virtual host config, it strips the query string 
off the pages that don't involve /resources/blog, but redirects to a 404 
when attempting to access a page involving "/resources/blog" and the 
"?start=" query string.


RewriteCond %{REQUEST_URI} !/resources/blog
RewriteCond %{QUERY_STRING} ^start=\d+$
RewriteRule (.*)   /$1?    [L,R=301,QSD]

[Sun Apr 28 15:40:02.614893 2024] ... rewrite 'resources/blog' -> 
'index.php'
[Sun Apr 28 15:40:02.614921 2024] ... internal redirect with /index.php 
[INTERNAL REDIRECT]


If I don't involve the first RewriteCond, it successfully strips off the 
start= from every URL I tried.


What does "INTERNAL REDIRECT" mean? Is that something done outside of 
apache? Perhaps by joomla? I believe there are other relevant redirects 
after these, but it's very difficult to isolate what's relevant.




Re: [users@httpd] Flexible Worker Configuration for Dynamic Shared Object (DSO) Deployment

2024-04-27 Thread Daniel Ferradal Márquez

On 18/04/2024 16:50, Sarkar Tarun Kumar (ETAS-SEC/XPC-Bo1) wrote:

Hello,
...

My requirement is treating one of the services, specifically Service4, 
differently.


Apache should only spawn a single instance of Service4 and refrain from 
terminating the process until Apache server restarts.


Meanwhile, the remaining three services should continue behaving as 
before, initially spawning five instances and adjusting based on load.


My question is whether it is feasible to achieve this mixed treatment 
within a single Apache server through configuration changes.

>...

Only achievable with two different service instances, as in an Apache Farm.





Re: [users@httpd] Apache error logs of module "proxy_ajp" is not converting to JSON format

2024-04-24 Thread Priyanshi Shah
Hi,

We have defined this pattern in httpd.conf file globally. And all other
access logs and error logs are converting properly with the defined format.
Only below log is not converting to JSON

*[Tue Apr 16 06:06:20.902697 2024] [proxy_ajp:error] [pid 11056:tid 38644]
(OS 10054)An existing connection was forcibly closed by the remote host. :
AH01030: ajp_ilink_receive() can't receive header*

Thanks,
Priyanshi Pancholi

On Sun, Apr 21, 2024 at 5:42 PM Eric Covener  wrote:

> On Sun, Apr 21, 2024 at 7:57 AM Priyanshi Shah
>  wrote:
> >
> > Hi,
> >
> > We have converted our Apache error logs to JSON format by defining the
> format in httpd.conf file
> >
> > ErrorLogFormat "{"timestamp":"%{u}t", "ApacheModule": "%m",
> "level":"%l", "ApacheProcessId": "%P", "ApacheThreadId": "%T",
> "ApacheSourceFile":"%7F", "ErrorKind":"%E", "ClientIp":"%a", "ErrorMessage"
> : "%M"}"
>
> Is it defined globally or in a virtual host?
>
>
>

-- 
Thanks,
Priyanshi Shah


Re: [users@httpd] Stripping query string except from specific URL

2024-04-24 Thread Frank Gingras
On Wed, Apr 24, 2024 at 7:05 PM Dave Wreski
 wrote:

>
> 13 62.111.193.42 - - [24/Apr/2024:15:19:36 -0400] "GET /index.php
>> HTTP/1.1" 200 33921 r:"-" "Wget/1.21.4" X:"SAMEORIGIN" 0/129431
>> 573/35481/33921 H:HTTP/1.1 U:/index.php gd443 s:200
>>
>
> It did exactly what you asked, yes.
>
> Further, I asked you to use curl to see if you get redirected from
> https://guardiandigital.com/index.php to another URL, but you seem to
> have ignored that part of the answer.
>
> My apologies - the output was from wget, as that's what I typically use.
>
> $ curl 'https://guardiandigital.com/resources/blog?start=48'
> 
> 
> 301 Moved Permanently
> 
> Moved Permanently
> The document has moved https://guardiandigital.com/index.php;
> >here.
> 
>
>
>
The next step is to find out where the 301 is coming from - your rules will
generate a 302.


Re: [users@httpd] Stripping query string except from specific URL

2024-04-24 Thread Dave Wreski



13 62.111.193.42 - - [24/Apr/2024:15:19:36 -0400] "GET /index.php
HTTP/1.1" 200 33921 r:"-" "Wget/1.21.4" X:"SAMEORIGIN" 0/129431
573/35481/33921 H:HTTP/1.1 U:/index.php gd443 s:200


It did exactly what you asked, yes.

Further, I asked you to use curl to see if you get redirected from 
https://guardiandigital.com/index.php to another URL, but you seem to 
have ignored that part of the answer.


My apologies - the output was from wget, as that's what I typically use.

$ curl 'https://guardiandigital.com/resources/blog?start=48'


301 Moved Permanently

Moved Permanently
The document has moved href="https://guardiandigital.com/index.php;>here.





Re: [users@httpd] Stripping query string except from specific URL

2024-04-24 Thread Frank Gingras
On Wed, Apr 24, 2024 at 4:58 PM Dave Wreski
 wrote:

> Hi,
>
> We have a situation where we need to strip a query string from all URLs
>>> except ones matching a particular pattern. However, when I try the rules
>>> below, it redirects to the homepage for some reason.
>>>
>>> In this example, I'd like to strip off the query string from all URLs
>>> except those involving /resources/blog:
>>>
>>> RewriteCond %{REQUEST_URI} !/resources/blog
>>> RewriteCond %{QUERY_STRING} ^start=
>>> RewriteRule (.*)   https://guardiandigital.com$1 [L,QSD]
>>>
>>> What am I missing?
>>>
>>> Thanks,
>>> Dave
>>>
>>>
>>>
>> To remove the query string, see the QSD flag, or append a ? at the end of
>> the target.
>>
>> That's what I'm doing, I think. What am I missing? It just redirects to
>> the homepage somehow.
>>
>> Shouldn't I be able to stack RewriteConds in this way, followed by a
>> RewriteRule?
>>
>> I have no idea what could be wrong.
>>
>
> Test with curl, and see if you get redirected after the fact.
>
> I've enabled trace3 to try and figure this out. But line 8 says
> "discarding query string, no parse from substitution" and I don't know why
> or what really that means.
>
> 1 [Wed Apr 24 15:19:36.440500 2024] [rewrite:trace2] [pid 748062:tid
> 748212] mod_rewrite.c(493): [client 62.111.193.42:0] 62.111.193.42 - - [
> guardiandigital.com/sid#55743f0bbb58][rid#7f9cd4016af0/initial
> ]
> init rewrite engine with requested uri /resources/blog
>
> 2 [Wed Apr 24 15:19:36.445306 2024] [rewrite:trace1] [pid 748062:tid
> 748212] mod_rewrite.c(493): [client 62.111.193.42:0] 62.111.193.42 - - [
> guardiandigital.com/sid#55743f0bbb58][rid#7f9cd4016af0/initial
> ]
> pass through /resources/blog
>
> 3 [Wed Apr 24 15:19:36.449369 2024] [rewrite:trace3] [pid 748062:tid
> 748212] mod_rewrite.c(493): [client 62.111.193.42:0] 62.111.193.42 - - [
> guardiandigital.com/sid#55743f0bbb58][rid#7f9cd4016af0/initial
> ]
> [perdir /home/docroot/] applying pattern '.*' to uri 'resources/blog'
>
> 4 [Wed Apr 24 15:19:36.449413 2024] [rewrite:trace2] [pid 748062:tid
> 748212] mod_rewrite.c(493): [client 62.111.193.42:0] 62.111.193.42 - - [
> guardiandigital.com/sid#55743f0bbb58][rid#7f9cd4016af0/initial
> ]
> [perdir /home/docroot/] rewrite 'resources/blog' -> 'index.php'
>
> 5 [Wed Apr 24 15:19:36.449453 2024] [rewrite:trace1] [pid 748062:tid
> 748212] mod_rewrite.c(493): [client 62.111.193.42:0] 62.111.193.42 - - [
> guardiandigital.com/sid#55743f0bbb58][rid#7f9cd4016af0/initial
> ]
> [perdir /home/docroot/] internal redirect with /index.php [INTERNAL
> REDIRECT]
>
> 6 [Wed Apr 24 15:19:36.449830 2024] [rewrite:trace3] [pid 748062:tid
> 748212] mod_rewrite.c(493): [client 62.111.193.42:0] 62.111.193.42 - - [
> guardiandigital.com/sid#55743f0bbb58][rid#7f9ccc0e6000/initial/redir#1
> ]
> applying pattern '(.*)' to uri '/index.php'
>
> 7 [Wed Apr 24 15:19:36.449848 2024] [rewrite:trace2] [pid 748062:tid
> 748212] mod_rewrite.c(493): [client 62.111.193.42:0] 62.111.193.42 - - [
> guardiandigital.com/sid#55743f0bbb58][rid#7f9ccc0e6000/initial/redir#1
> ]
> rewrite '/index.php' -> 'https://guardiandigital.com/index.php'
>
> 8 [Wed Apr 24 15:19:36.449857 2024] [rewrite:trace2] [pid 748062:tid
> 748212] mod_rewrite.c(493): [client 62.111.193.42:0] 62.111.193.42 - - [
> guardiandigital.com/sid#55743f0bbb58][rid#7f9ccc0e6000/initial/redir#1
> ]
> discarding query string, no parse from substitution
>
> 9 [Wed Apr 24 15:19:36.449864 2024] [rewrite:trace2] [pid 748062:tid
> 748212] mod_rewrite.c(493): [client 62.111.193.42:0] 62.111.193.42 - - [
> guardiandigital.com/sid#55743f0bbb58][rid#7f9ccc0e6000/initial/redir#1
> ]
> explicitly forcing redirect with https://guardiandigital.com/index.php
>
> 10 [Wed Apr 24 15:19:36.449871 2024] [rewrite:trace1] [pid 748062:tid
> 748212] mod_rewrite.c(493): [client 62.111.193.42:0] 62.111.193.42 - - [
> guardiandigital.com/sid#55743f0bbb58][rid#7f9ccc0e6000/initial/redir#1
> ]
> escaping https://guardiandigital.com/index.php for redirect
>
> 11 [Wed Apr 24 15:19:36.449880 2024] [rewrite:trace1] [pid 748062:tid
> 748212] mod_rewrite.c(493): [client 62.111.193.42:0] 62.111.193.42 - - [
> 

Re: [users@httpd] Stripping query string except from specific URL

2024-04-24 Thread Dave Wreski

Hi,


We have a situation where we need to strip a query string
from all URLs except ones matching a particular pattern.
However, when I try the rules below, it redirects to the
homepage for some reason.

In this example, I'd like to strip off the query string from
all URLs except those involving /resources/blog:

RewriteCond %{REQUEST_URI} !/resources/blog
RewriteCond %{QUERY_STRING} ^start=
RewriteRule (.*) https://guardiandigital.com$1 [L,QSD]

What am I missing?

Thanks,
Dave



To remove the query string, see the QSD flag, or append a ? at
the end of the target.


That's what I'm doing, I think. What am I missing? It just
redirects to the homepage somehow.

Shouldn't I be able to stack RewriteConds in this way, followed by
a RewriteRule?

I have no idea what could be wrong.


Test with curl, and see if you get redirected after the fact.


I've enabled trace3 to try and figure this out. But line 8 says 
"discarding query string, no parse from substitution" and I don't know 
why or what really that means.


1 [Wed Apr 24 15:19:36.440500 2024] [rewrite:trace2] [pid 748062:tid 
748212] mod_rewrite.c(493): [client 62.111.193.42:0] 62.111.193.42 - - 
[guardiandigital.com/sid#55743f0bbb58][rid#7f9cd4016af0/initial] init 
rewrite engine with requested uri /resources/blog


2 [Wed Apr 24 15:19:36.445306 2024] [rewrite:trace1] [pid 748062:tid 
748212] mod_rewrite.c(493): [client 62.111.193.42:0] 62.111.193.42 - - 
[guardiandigital.com/sid#55743f0bbb58][rid#7f9cd4016af0/initial] pass 
through /resources/blog


3 [Wed Apr 24 15:19:36.449369 2024] [rewrite:trace3] [pid 748062:tid 
748212] mod_rewrite.c(493): [client 62.111.193.42:0] 62.111.193.42 - - 
[guardiandigital.com/sid#55743f0bbb58][rid#7f9cd4016af0/initial] [perdir 
/home/docroot/] applying pattern '.*' to uri 'resources/blog'


4 [Wed Apr 24 15:19:36.449413 2024] [rewrite:trace2] [pid 748062:tid 
748212] mod_rewrite.c(493): [client 62.111.193.42:0] 62.111.193.42 - - 
[guardiandigital.com/sid#55743f0bbb58][rid#7f9cd4016af0/initial] [perdir 
/home/docroot/] rewrite 'resources/blog' -> 'index.php'


5 [Wed Apr 24 15:19:36.449453 2024] [rewrite:trace1] [pid 748062:tid 
748212] mod_rewrite.c(493): [client 62.111.193.42:0] 62.111.193.42 - - 
[guardiandigital.com/sid#55743f0bbb58][rid#7f9cd4016af0/initial] [perdir 
/home/docroot/] internal redirect with /index.php [INTERNAL REDIRECT]


6 [Wed Apr 24 15:19:36.449830 2024] [rewrite:trace3] [pid 748062:tid 
748212] mod_rewrite.c(493): [client 62.111.193.42:0] 62.111.193.42 - - 
[guardiandigital.com/sid#55743f0bbb58][rid#7f9ccc0e6000/initial/redir#1] 
applying pattern '(.*)' to uri '/index.php'


7 [Wed Apr 24 15:19:36.449848 2024] [rewrite:trace2] [pid 748062:tid 
748212] mod_rewrite.c(493): [client 62.111.193.42:0] 62.111.193.42 - - 
[guardiandigital.com/sid#55743f0bbb58][rid#7f9ccc0e6000/initial/redir#1] 
rewrite '/index.php' -> 'https://guardiandigital.com/index.php'


8 [Wed Apr 24 15:19:36.449857 2024] [rewrite:trace2] [pid 748062:tid 
748212] mod_rewrite.c(493): [client 62.111.193.42:0] 62.111.193.42 - - 
[guardiandigital.com/sid#55743f0bbb58][rid#7f9ccc0e6000/initial/redir#1] 
discarding query string, no parse from substitution


9 [Wed Apr 24 15:19:36.449864 2024] [rewrite:trace2] [pid 748062:tid 
748212] mod_rewrite.c(493): [client 62.111.193.42:0] 62.111.193.42 - - 
[guardiandigital.com/sid#55743f0bbb58][rid#7f9ccc0e6000/initial/redir#1] 
explicitly forcing redirect with https://guardiandigital.com/index.php


10 [Wed Apr 24 15:19:36.449871 2024] [rewrite:trace1] [pid 748062:tid 
748212] mod_rewrite.c(493): [client 62.111.193.42:0] 62.111.193.42 - - 
[guardiandigital.com/sid#55743f0bbb58][rid#7f9ccc0e6000/initial/redir#1] 
escaping https://guardiandigital.com/index.php for redirect


11 [Wed Apr 24 15:19:36.449880 2024] [rewrite:trace1] [pid 748062:tid 
748212] mod_rewrite.c(493): [client 62.111.193.42:0] 62.111.193.42 - - 
[guardiandigital.com/sid#55743f0bbb58][rid#7f9ccc0e6000/initial/redir#1] 
redirect to https://guardiandigital.com/index.php [REDIRECT/301]


12 62.111.193.42 - - [24/Apr/2024:15:19:36 -0400] "GET 
/resources/blog?start=48 HTTP/1.1" 301 245 r:"-" "Wget/1.21.4" 
X:"SAMEORIGIN" 0/9647 1183/6254/245 H:HTTP/1.1 U:/resources/blog gd443 s:301


... more checks against our rewrites ...

13 62.111.193.42 - - [24/Apr/2024:15:19:36 -0400] "GET /index.php 
HTTP/1.1" 200 33921 r:"-" "Wget/1.21.4" X:"SAMEORIGIN" 0/129431 
573/35481/33921 H:HTTP/1.1 U:/index.php gd443 s:200
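
The trace in the message above can be read mechanically, as in this added Python example (not part of the original post; the function names are hypothetical). It parses re-joined copies of the trace lines and reports any external redirect issued inside an internal redirect (`redir#N`), that is, one decided on an already rewritten URI such as `/index.php` rather than on the URI the client requested.

```python
import re

# Trace lines 1, 3-9 and 11 from the message above, re-joined onto one line each;
# the timestamp, pid/tid and client prefix are dropped to keep the sample short.
TRACE = """\
[rewrite:trace2] [guardiandigital.com/sid#55743f0bbb58][rid#7f9cd4016af0/initial] init rewrite engine with requested uri /resources/blog
[rewrite:trace3] [guardiandigital.com/sid#55743f0bbb58][rid#7f9cd4016af0/initial] [perdir /home/docroot/] applying pattern '.*' to uri 'resources/blog'
[rewrite:trace2] [guardiandigital.com/sid#55743f0bbb58][rid#7f9cd4016af0/initial] [perdir /home/docroot/] rewrite 'resources/blog' -> 'index.php'
[rewrite:trace1] [guardiandigital.com/sid#55743f0bbb58][rid#7f9cd4016af0/initial] [perdir /home/docroot/] internal redirect with /index.php [INTERNAL REDIRECT]
[rewrite:trace3] [guardiandigital.com/sid#55743f0bbb58][rid#7f9ccc0e6000/initial/redir#1] applying pattern '(.*)' to uri '/index.php'
[rewrite:trace2] [guardiandigital.com/sid#55743f0bbb58][rid#7f9ccc0e6000/initial/redir#1] rewrite '/index.php' -> 'https://guardiandigital.com/index.php'
[rewrite:trace2] [guardiandigital.com/sid#55743f0bbb58][rid#7f9ccc0e6000/initial/redir#1] discarding query string, no parse from substitution
[rewrite:trace2] [guardiandigital.com/sid#55743f0bbb58][rid#7f9ccc0e6000/initial/redir#1] explicitly forcing redirect with https://guardiandigital.com/index.php
[rewrite:trace1] [guardiandigital.com/sid#55743f0bbb58][rid#7f9ccc0e6000/initial/redir#1] redirect to https://guardiandigital.com/index.php [REDIRECT/301]
"""

# [rid#<id>/<stage>] optionally followed by [perdir <dir>], then the message.
LINE_RE = re.compile(
    r"\[rid#(?P<rid>[0-9a-f]+)/(?P<stage>[^\]]+)\]\s*"
    r"(?:\[perdir (?P<perdir>[^\]]+)\]\s*)?(?P<msg>.+)$"
)
INIT_RE = re.compile(r"init rewrite engine with requested uri (\S+)")
APPLY_RE = re.compile(r"applying pattern '(.*)' to uri '(.*)'")
INTERNAL_RE = re.compile(r"internal redirect with (\S+) \[INTERNAL REDIRECT\]")
EXTERNAL_RE = re.compile(r"redirect to (\S+) \[REDIRECT/(\d{3})\]")


def find_redirects_after_internal_rewrite(lines):
    """Report external redirects decided while handling an internal redirect.

    Assumes the lines of one client request are contiguous in the input.
    """
    requested = None     # URI the client originally asked for
    internal_hops = []   # internal redirect targets seen for this request
    last_uri = {}        # rid -> URI the most recent pattern was applied to
    findings = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        rid, stage, msg = m["rid"], m["stage"], m["msg"]
        if hit := INIT_RE.search(msg):
            if stage == "initial":          # a new client request starts here
                requested, internal_hops = hit[1], []
        elif hit := APPLY_RE.search(msg):
            last_uri[rid] = hit[2]
        elif hit := INTERNAL_RE.search(msg):
            internal_hops.append(hit[1])
        elif hit := EXTERNAL_RE.search(msg):
            depth = stage.count("redir#")
            if depth:  # rule matched a rewritten URI, not the requested one
                findings.append({
                    "requested": requested,
                    "matched_uri": last_uri.get(rid),
                    "target": hit[1],
                    "status": int(hit[2]),
                    "depth": depth,
                    "via": list(internal_hops),
                })
    return findings


def describe(finding):
    return (f"{finding['status']} to {finding['target']} was decided on "
            f"'{finding['matched_uri']}' (redirect depth {finding['depth']}), "
            f"not on requested URI '{finding['requested']}'")


if __name__ == "__main__":
    for f in find_redirects_after_internal_rewrite(TRACE.splitlines()):
        print(describe(f))
```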







Re: [users@httpd] Stripping query string except from specific URL

2024-04-24 Thread Frank Gingras
On Wed, Apr 24, 2024 at 12:43 PM Dave Wreski
 wrote:

> Hi,
>
>> We have a situation where we need to strip a query string from all URLs
>> except ones matching a particular pattern. However, when I try the rules
>> below, it redirects to the homepage for some reason.
>>
>> In this example, I'd like to strip off the query string from all URLs
>> except those involving /resources/blog:
>>
>> RewriteCond %{REQUEST_URI} !/resources/blog
>> RewriteCond %{QUERY_STRING} ^start=
>> RewriteRule (.*) https://guardiandigital.com$1 [L,QSD]
>>
>> What am I missing?
>>
>> Thanks,
>> Dave
>>
>>
>>
> To remove the query string, see the QSD flag, or append a ? at the end of
> the target.
>
> That's what I'm doing, I think. What am I missing? It just redirects to
> the homepage somehow.
>
> Shouldn't I be able to stack RewriteConds in this way, followed by a
> RewriteRule?
>
> I have no idea what could be wrong.
>
>
>
Test with curl, and see if you get redirected after the fact.


Re: [users@httpd] Stripping query string except from specific URL

2024-04-24 Thread Dave Wreski

Hi,


We have a situation where we need to strip a query string from all
URLs except ones matching a particular pattern. However, when I
try the rules below, it redirects to the homepage for some reason.

In this example, I'd like to strip off the query string from all
URLs except those involving /resources/blog:

RewriteCond %{REQUEST_URI} !/resources/blog
RewriteCond %{QUERY_STRING} ^start=
RewriteRule (.*) https://guardiandigital.com$1 [L,QSD]

What am I missing?

Thanks,
Dave



To remove the query string, see the QSD flag, or append a ? at the end 
of the target.


That's what I'm doing, I think. What am I missing? It just redirects to 
the homepage somehow.


Shouldn't I be able to stack RewriteConds in this way, followed by a 
RewriteRule?


I have no idea what could be wrong.



Re: [users@httpd] MTLS Setup issue - Apache HTTP Server and Weblogic

2024-04-23 Thread Yann Ylavic
On Mon, Apr 22, 2024 at 3:51 PM Daiya, Devendra singh
 wrote:
>
> SSLVerifyCLient require
> SSLVerifyDepth 10

These directives apply to the client/browser connection, so you are
effectively enabling mtls on the client side too, hence the error
messages ("AH02008: SSL library error 1 in handshake (server
hostname:port)" and "SSL Library Error: error:1417C0C7:SSL
routines:tls_process_client_certificate:peer did not return a
certificate") if the client isn't providing a certificate.

You should probably remove them if you only want mtls with the backend server.


Regards;
Yann.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
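
The split described in the reply above, as an added Python example that is not part of the original message: `SSLProxy*` directives govern the httpd-to-backend leg, while the remaining `SSL*` directives govern the browser-to-httpd leg. The function names are hypothetical and the input is a constructed subset of the vhost posted in this thread; the audit also lists backend certificate checks that are switched off.

```python
# Constructed subset of the vhost directives posted in this thread.
POSTED_VHOST = '''\
SSLEngine on
SSLProxyEngine on
SSLProxyVerify on
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
SSLVerifyCLient require
SSLVerifyDepth 10
SSLProxyVerifyDepth 10
SSLProxyMachineCertificateFile "/path/to/certs/Appcert.pem"
SSLProxyCACertificateFile "/path/to/certs/trustedca.pem"
SSLCertificateFile "/path/to/hostname.crt"
SSLCertificateKeyFile "/path/to/hostname.key"
SSLCACertificateFile "/path/to/trustedca.pem"
'''

# Checks httpd makes on the backend's certificate; "off" disables each one.
BACKEND_CHECKS = ("sslproxycheckpeercn", "sslproxycheckpeername",
                  "sslproxycheckpeerexpire")


def parse_directives(conf_text):
    """Return {lowercased directive name: argument string} for one config scope."""
    directives = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        args = parts[1] if len(parts) > 1 else ""
        # Directive names are case-insensitive ("SSLVerifyCLient" is accepted).
        directives[parts[0].lower()] = args.strip().strip('"')
    return directives


def split_by_leg(directives):
    """Separate client-facing SSL* settings from backend-facing SSLProxy* ones."""
    backend = {k: v for k, v in directives.items() if k.startswith("sslproxy")}
    frontend = {k: v for k, v in directives.items()
                if k.startswith("ssl") and k not in backend}
    return frontend, backend


def audit_mtls(conf_text):
    frontend, backend = split_by_leg(parse_directives(conf_text))
    return {
        # True means every browser must present a certificate to httpd.
        "frontend_requires_client_cert":
            frontend.get("sslverifyclient", "none").lower() == "require",
        # Certificate httpd presents to the backend (the mTLS being asked for).
        "backend_client_cert": backend.get("sslproxymachinecertificatefile"),
        "backend_checks_disabled":
            sorted(k for k in BACKEND_CHECKS if backend.get(k, "").lower() == "off"),
    }


def backend_only(conf_text):
    """Drop the client-facing verification directives, as the reply advises."""
    kept = []
    for raw in conf_text.splitlines():
        parts = raw.split()
        name = parts[0].lower() if parts else ""
        if name in ("sslverifyclient", "sslverifydepth"):
            continue
        kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    print("as posted:   ", audit_mtls(POSTED_VHOST))
    print("backend only:", audit_mtls(backend_only(POSTED_VHOST)))
```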



RE: [users@httpd] MTLS Setup issue - Apache HTTP Server and Weblogic

2024-04-22 Thread Daiya, Devendra singh
Hi Frank,

My vhost looks as below. Is anything set incorrectly? I do have a proxy.conf file but
nothing related to SSL is set in there. I will test apachectl -S and share the
result with you.



SSLEngine on
ProxyRequests Off
RewriteEngine on
SSLProxyEngine on
SSLProxyVerify on
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
SSLVerifyCLient require
SSLVerifyDepth 10
SSLProxyVerifyDepth 10
SSLOptions +ExportCertData
SSLProxyMachineCertificateFile "/path/to/certs/Appcert.pem"
SSLProxyCACertificateFile "/path/to/certs/trustedca.pem"
SSLCertificateFile "/path/to/hostname.crt"
SSLCertificateKeyFile "/path/to/hostname.key"
SSLCertificateChainFile "/path/to/hostname.crt"
SSLCACertificateFile "/path/to/trustedca.pem"


SSLProtocol -All +TLSv1.2 +TLSv1.1


SSLOptions +StdEnvVars


BrowserMatch "MSIE [2-5]" \
 nokeepalive ssl-unclean-shutdown \
 downgrade-1.0 force-response-1.0



Regards,
Devendra


From: Frank Gingras 
Sent: Thursday, April 18, 2024 7:19 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] MTLS Setup issue - Apache HTTP Server and Weblogic

On Thu, Apr 18, 2024 at 3:22 AM Daiya, Devendra singh wrote:
Hi Team,

Need help in setting up MTLS between Apache HTTP server and Weblogic server 
(App Server).

I have gone through few links but those are not working. Post following 
suggested steps I was able to start Apache HTTP server but Application is not 
working. Getting below messages in the Error while accessing the application.

Could anyone please look at it and share some suggestion on how we should setup 
MTLS b/w Web and App server. Please let me know if any additional info needed.

Error message: -

"message" : "AH02645: Server name not provided via TLS extension (using 
default/first virtual host)" , "referer" : },
"message" : "AH02008: SSL library error 1 in handshake (server hostname:port)" 
, "referer" : }
"message" : "SSL Library Error: error:1417C0C7:SSL 
routines:tls_process_client_certificate:peer did not return a certificate -- No 
CAs known to server for verification?" , "referer" : }
"message" : "AH01998: Connection closed to child 138 with abortive shutdown 
(server hostname:port , "referer" : }
"message" : "AH01964: Connection to child 24 established (server 
hostname:port)" , "referer" : }
"message" : "AH02645: Server name not provided via TLS extension (using 
default/first virtual host)" , "referer" : }
"message" : "AH02008: SSL library error 1 in handshake (server hostname:port)" 
, "referer" : }
"message" : "SSL Library Error: error:1417C0C7:SSL 
routines:tls_process_client_certificate:peer did not return a certificate -- No 
CAs known to server for verification?" , "referer" : }

SSL.conf file has below directives set.


SSLEngine on

ProxyRequests Off

RewriteEngine on

SSLProxyEngine on

SSLProxyVerify on

SSLProxyCheckPeerCN off

SSLProxyCheckPeerName off

SSLProxyCheckPeerExpire off

SSLVerifyCLient require

SSLVerifyDepth 10

SSLProxyVerifyDepth 10



SSLOptions +ExportCertData



SSLProxyMachineCertificateFile "/apps/certs/Appcert.pem"

SSLProxyCACertificateFile "/apps/certs/trustedca.pem"



SSLCertificateFile "/path/to/hostname.crt"

SSLCertificateKeyFile "/path/to/hostname.key"

SSLCertificateChainFile "/path/to/hostname.crt"

SSLCACertificateFile "/path/to/trustedca.pem"


Thanks.

Regards,
Devendra

Rough guess:

 
http://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypreservehost

Otherwise, we would need to see the full vhost.

Might be worth running apachectl -S to make sure you don't have misconfigured / 
overlapping vhosts, as well.




Re: [users@httpd] No more message

2024-04-21 Thread Gillis J. de Nijs
To unsubscribe, please follow the steps outlined here:
https://httpd.apache.org/userslist.html

On Sun, Apr 21, 2024 at 9:44 PM Dalibor Medvedović <
dalibor.medvedo...@gmail.com> wrote:

> I'm out of discussion
>


Re: [users@httpd] Apache error logs of module "proxy_ajp" is not converting to JSON format

2024-04-21 Thread Eric Covener
On Sun, Apr 21, 2024 at 7:57 AM Priyanshi Shah
 wrote:
>
> Hi,
>
> We have converted our Apache error logs to JSON format by defining the format 
> in httpd.conf file
>
> ErrorLogFormat "{"timestamp":"%{u}t", "ApacheModule": "%m", "level":"%l", 
> "ApacheProcessId": "%P", "ApacheThreadId": "%T", "ApacheSourceFile":"%7F", 
> "ErrorKind":"%E", "ClientIp":"%a", "ErrorMessage" : "%M"}"

Is it defined globally or in a virtual host?




Re: [users@httpd] Stripping query string except from specific URL

2024-04-19 Thread Frank Gingras
On Fri, Apr 19, 2024 at 11:16 AM Dave Wreski
 wrote:

> Hi,
>
> We have a situation where we need to strip a query string from all URLs
> except ones matching a particular pattern. However, when I try the rules
> below, it redirects to the homepage for some reason.
>
> In this example, I'd like to strip off the query string from all URLs
> except those involving /resources/blog:
>
> RewriteCond %{REQUEST_URI} !/resources/blog
> RewriteCond %{QUERY_STRING} ^start=
> RewriteRule (.*) https://guardiandigital.com$1 [L,QSD]
>
> What am I missing?
>
> Thanks,
> Dave
>
>
>
To remove the query string, see the QSD flag, or append a ? at the end of
the target.


Re: [users@httpd] MTLS Setup issue - Apache HTTP Server and Weblogic

2024-04-18 Thread Frank Gingras
On Thu, Apr 18, 2024 at 3:22 AM Daiya, Devendra singh
 wrote:

> Hi Team,
>
>
>
> Need help in setting up MTLS between Apache HTTP server and Weblogic
> server (App Server).
>
>
>
> I have gone through few links but those are not working. Post following
> suggested steps I was able to start Apache HTTP server but Application is
> not working. Getting below messages in the Error while accessing the
> application.
>
>
>
> *Could anyone please look at it and share some suggestion on how we should
> setup MTLS b/w Web and App server. Please let me know if any additional
> info needed.*
>
>
>
> *Error message: -*
>
>
>
> "message" : "AH02645: Server name not provided via TLS extension (using
> default/first virtual host)" , "referer" : },
>
> "message" : "AH02008: SSL library error 1 in handshake (server
> hostname:port)" , "referer" : }
>
> "message" : "SSL Library Error: error:1417C0C7:SSL
> routines:tls_process_client_certificate:peer did not return a certificate
> -- No CAs known to server for verification?" , "referer" : }
>
> "message" : "AH01998: Connection closed to child 138 with abortive
> shutdown (server hostname:port , "referer" : }
>
> "message" : "AH01964: Connection to child 24 established (server
> hostname:port)" , "referer" : }
>
> "message" : "AH02645: Server name not provided via TLS extension (using
> default/first virtual host)" , "referer" : }
>
> "message" : "AH02008: SSL library error 1 in handshake (server
> hostname:port)" , "referer" : }
>
> "message" : "SSL Library Error: error:1417C0C7:SSL
> routines:tls_process_client_certificate:peer did not return a certificate
> -- No CAs known to server for verification?" , "referer" : }
>
>
>
> *SSL.conf file has below directives set.*
>
>
>
> SSLEngine on
>
> ProxyRequests Off
>
> RewriteEngine on
>
> SSLProxyEngine on
>
> SSLProxyVerify on
>
> SSLProxyCheckPeerCN off
>
> SSLProxyCheckPeerName off
>
> SSLProxyCheckPeerExpire off
>
> SSLVerifyCLient require
>
> SSLVerifyDepth 10
>
> SSLProxyVerifyDepth 10
>
>
>
> SSLOptions +ExportCertData
>
>
>
> SSLProxyMachineCertificateFile "/apps/certs/Appcert.pem"
>
> SSLProxyCACertificateFile "/apps/certs/trustedca.pem"
>
>
>
> SSLCertificateFile "/path/to/hostname.crt"
>
> SSLCertificateKeyFile "/path/to/hostname.key"
>
> SSLCertificateChainFile "/path/to/hostname.crt"
>
> SSLCACertificateFile "/path/to/trustedca.pem"
>
>
>
>
>
> Thanks.
>
>
>
> *Regards,*
>
> *Devendra*
>

Rough guess:

 http://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypreservehost

Otherwise, we would need to see the full vhost.

Might be worth running apachectl -S to make sure you don't have
misconfigured / overlapping vhosts, as well.


Re: [users@httpd] better configtest

2024-04-17 Thread Eric Covener
> What is the point of not starting httpd if there is an issue with a single 
> virtual host?

This gives the best feedback to the user that the config couldn't be honored.




RE: [users@httpd] better configtest

2024-04-17 Thread Marc
> >
> > 1.
> > what is the point of having an apachectl configtest, when a restart can
> still fail? It can't be too difficult to include cert checks here, can it?
> This is now becoming a significant part.
> 
> The bar is useful, not perfect.  configtest checks for _syntax_ validity.
> 
> > 2.
> > AH00016: Configuration Failed
> > AH00016: Configuration Failed
> > AH00016: Configuration Failed
> > AH00016: Configuration Failed
> > AH00016: Configuration Failed
> > AH00016: Configuration Failed
> > AH00016: Configuration Failed
> >
> > This is useless, why not list config line or cert name?
> 
> This error means post-configuration failed. This is when the collected
> config is acted upon, which is not really within line-by-line mode.
> Normally there's a preceding error message with more details, maybe in
> a vhost-specific error log?

Maybe, I would have to look through quite a lot. 

Can't the development team re-think about this? What is the point of not 
starting httpd if there is an issue with a single virtual host? Why not have 
that specific virtual host fail only? I would like to have this config syntax 
check expanded to cert content or some other way of validating that I can test 
if I can restart httpd safely.








Re: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-17 Thread General Email
On Wed, Apr 17, 2024, 3:27 PM General Email <
general.email.12341...@gmail.com> wrote:

>
>
>> > If people are asking for advice on PHP then advise them on PHP or don't
>> say anything.
>> > Don't start advising them about Java.
>>
>> Please... I am not even making remarks about you asking openssl questions
>> at httpd.
>>
>
>
> So, is this wrong forum for asking about openssl commands required for
> generating certificates for enabling https on apache?
>
> I can easily look at openssl website or other websites and look how to
> create self signed certificates. However, I was not sure if that would work
> on apache. That's why I asked here.
>
> Most of the websites showed how to generate .pem certificates, but after
> reading about ssl/https on apache website, I saw that apache requires .crt
> certificates.
>
> Obviously, I can figure out this whole thing if I read whole openssl
> manual and apache ssl configs, etc. but I don't want to invest time in that
> and I was looking for a quick solution and that's why I posted here.
>
>
>
>> I think most people will understand that I try to make you see the
>> difference between developing an application and how it is hosted/used
>> whatever, operate within your area of expertise.
>>
>
> I know this and I told you that I want to hard code https. Now, please
> tell me how can my idea go wrong?
>
> Please don't tell me how other people's unrelated ideas went wrong.
>
> Let's have a meaningful discussion.
>
> I don't work for any company.
>
> I do freelancing. I am doing this project for a real estate client. So,
> it's only me who will do everything and decide everything - development,
> testing, maintenance hosting, hard coding, migration, https, ssl, etc.
>
> I would really like to know how my idea of hardcoding https can go wrong?
>

Anyways, I looked more on google and I think that I have found what I was
looking for on this page:
https://gist.github.com/taoyuan/39d9bc24bafc8cc45663683eae36eb1a


RE: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-17 Thread Marc

> 
>   So, is this wrong forum for asking about openssl commands required
> for generating certificates for enabling https on apache?
>

Mostly you will be notified. The only thing you need to add to your virtual 
host for https is this:

SSLEngine on
SSLCertificateFile 
SSLCertificateChainFile 
SSLCertificateKeyFile 

It really does not matter how keys / crts have been generated. Just choose 
something that is quick and easy. 

> 
>   Most of the websites showed how to generate .pem certificates, but
> after reading about ssl/https on apache website, I saw that apache
> requires .crt certificates.

pem, crt, cer check if they start like this

-----BEGIN CERTIFICATE-----

check apache log file for start up errors.

>   Obviously, I can figure out this whole thing if I read whole
> openssl manual and apache ssl configs, etc. but I don't want to invest
> time in that and I was looking for a quick solution and that's why I
> posted here.
> 

Just choose a tool that can quickly generate key and crt. Does not matter which 
tool. Someone already sent you a reply to something.


>   I would really like to know how my idea of hardcoding https can go
> wrong?
> 

It can be anything, it is just unexpected application behaviour to someone who 
might work with it in the future. Maybe internal health check url? Cron? 
Debugging? Personally I find it sometimes annoying with testing container 
images. In my own development environment I am constantly switching between 
development and production certs.

I would always opt for having this at least configured as an option.

> 
> Anyways, I looked more on google and I think that I have found what I was
> looking for on this page:
> https://gist.github.com/taoyuan/39d9bc24bafc8cc45663683eae36eb1a
> 

Forget about going specific for openssl, it is just a tool. Choose the simplest 
solution for your development environment. If you are doing hosting yourself. 
You're going to end up with automated certs on your hosting environment any way,
you will never see an openssl command.
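
A content-based version of the check described above, as an added Python example that is not part of the original message: it classifies a file by its PEM armour or DER leading byte instead of by its .pem/.crt/.cer extension. The function names are hypothetical and the sample bytes are a constructed placeholder, not a real certificate.

```python
import base64
import binascii
import re

# A PEM block: BEGIN/END armour lines with the same label around base64 text.
# Legacy encrypted keys that carry Proc-Type headers are not recognised here.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*"
    r"(?P<body>[A-Za-z0-9+/=\s]+?)"
    r"-----END (?P=label)-----"
)

# mod_ssl directives and the PEM label each one needs to find in its file.
EXPECTED = {
    "SSLCertificateFile": "CERTIFICATE",
    "SSLCertificateKeyFile": "PRIVATE KEY",
}


def classify(data: bytes) -> list:
    """List what a file holds, judged by content: PEM labels, 'DER', or nothing."""
    text = data.decode("ascii", errors="ignore")
    found = []
    for block in PEM_BLOCK.finditer(text):
        try:
            der = base64.b64decode("".join(block["body"].split()), validate=True)
        except binascii.Error:
            continue  # armour present but the body is not valid base64
        if der[:1] == b"\x30":  # certificates and keys are DER SEQUENCEs
            found.append(block["label"])
    if not found and data[:1] == b"\x30":
        found.append("DER")  # binary encoding without PEM armour
    return found


def usable_for(directive: str, data: bytes) -> bool:
    """True if the content carries the PEM block the directive needs."""
    wanted = EXPECTED[directive]
    return any(label.endswith(wanted) for label in classify(data))


def to_pem(label: str, der: bytes) -> bytes:
    """Wrap DER bytes in PEM armour with 64-column base64 rows."""
    b64 = base64.b64encode(der).decode("ascii")
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    armour = [f"-----BEGIN {label}-----", *rows, f"-----END {label}-----", ""]
    return "\n".join(armour).encode("ascii")


# Constructed placeholder: a SEQUENCE tag plus filler, not a real certificate.
FAKE_DER = b"\x30\x82\x01\x0a" + bytes(range(64))

if __name__ == "__main__":
    samples = {
        "site.crt (PEM inside)": to_pem("CERTIFICATE", FAKE_DER),
        "site.cer (DER inside)": FAKE_DER,
        "site.pem (CSR inside)": to_pem("CERTIFICATE REQUEST", FAKE_DER),
    }
    for name, data in samples.items():
        print(name, classify(data), usable_for("SSLCertificateFile", data))
```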






RE: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-17 Thread Marc
> I don't know what you are trying to prove by your points + you are
> insulting people for no reason.

I am insulting no one, mostly stating what is common.


> If you insult people, they may insult you back.
> 
> Russia attacked Ukraine and Ukraine/NATO hit Russia back.

I think you are the only one on this planet that would dare to summarize this 
conflict like this. But it proves my point, stick just to what you know, with 
development.


> The original discussion was about openssl commands and I think that since
> you don't know openssl commands, you should not have said anything.
> 

You wrote it was for a local development environment. I just thought why bother 
with the openssl? Obviously I should not have made assumptions. You could also 
be cryptographer working on mod_ssl.


> Let other people do what they want to do. If they want to hardcode
> something, why are you bothered.

I am just pointing out there are multiple roads that lead to Rome. Some of which
are known to be less troublesome than others. If you get stuck on some dirt 
track to Rome, others will be required to come and help.


> I will hard code https, it's my choice. It has nothing to do with you.
> 

Obviously, I am just stating it is not really what most experienced 
professionals do. 


> Now, you are saying to hard code root name servers, etc. which doesn't
> make sense.

Because you do not know about it. That is the point I am trying to make. Just 
separate it from application development.


> You are taking this discussion in all sorts of directions and I don't
> know what you want to prove.

Really? I thought I made my point numerous times.


> If people are asking for advice on PHP then advise them on PHP or don't say 
> anything.
> Don't start advising them about Java.

Please... I am not even making remarks about you asking openssl questions at 
httpd.


> 
> By the way, if you insult me, I will insult you back.
> 

I think most people will understand that I try to make you see the difference 
between developing an application and how it is hosted/used whatever, operate
within your area of expertise. 



Re: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-17 Thread General Email
>
> > If people are asking for advice on PHP then advise them on PHP or don't
> say anything.
> > Don't start advising them about Java.
>
> Please... I am not even making remarks about you asking openssl questions
> at httpd.
>


So, is this wrong forum for asking about openssl commands required for
generating certificates for enabling https on apache?

I can easily look at openssl website or other websites and look how to
create self signed certificates. However, I was not sure if that would work
on apache. That's why I asked here.

Most of the websites showed how to generate .pem certificates, but after
reading about ssl/https on apache website, I saw that apache requires .crt
certificates.

Obviously, I can figure out this whole thing if I read whole openssl manual
and apache ssl configs, etc. but I don't want to invest time in that and I
was looking for a quick solution and that's why I posted here.



> I think most people will understand that I try to make you see the
> difference between developing an application and how it is hosted/used
> whatever, operate within your area of expertise.
>

I know this and I told you that I want to hard code https. Now, please tell
me how can my idea go wrong?

Please don't tell me how other people's unrelated ideas went wrong.

Let's have a meaningful discussion.

I don't work for any company.

I do freelancing. I am doing this project for a real estate client. So, it's
only me who will do everything and decide everything - development,
testing, maintenance hosting, hard coding, migration, https, ssl, etc.

I would really like to know how my idea of hardcoding https can go wrong?


Re: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-17 Thread General Email
On Wed, Apr 17, 2024, 1:17 PM Marc  wrote:

>
> >
> >   http is an insecure protocol. I don't want my website to run on
> > http. So, I am hardcoding https in links in my website that refer to
> > pages in my website.
> >
> >
> >   Now, I know that you will write why not redirect http to https by
> > default.
>
> No because that is not relevant to me and what I would like to address. I
> am even deploying https on tasks in private air-gapped environments. This
> is not a discussion about whether or not https should be used and when.
>
>
> > The problem with this is that if the website gets migrated to
> > different provider and if people forget to redirect http to https in new
> > setup then it will become a security problem.
>
> I know there are many idiots out there and your concern is very valid.
> Most of the security breaches you read about are about such issues.
> However, can you imagine the apache dev team thinking like you? Hard
> coding everything to https? Can you imagine all http ports of tomcat,
> httpd, jboss etc. being dropped? These people have been making rock solid
> applications for decades they don't lecture others how to use or not use
> https.
> You will never match them in any way, why not follow their lead?
>
>
> >   Hardcoding https solves all issues.
> >
>
> A few years back I had an argument with apple developers. They were having
> in the build process of the calendar server openssl. The developers thought
> for security purposes it would be better to include it in the build. This
> resulted in that calendar servers were always having an old insecure
> openssl, because the openssl updated by the distribution was not used. (and
> nobody is going to build the application frequently) This is what happens
> when application developers think they are security geniuses.
>
> The point I am trying to make is that you as an application developer
> should be focussed on developing your application it is not your business
> how this application is hosted. You should not concern yourself with things
> you are not experienced in/with. Especially when it comes to something as
> crucial as security. You are not removing ca certs from the trust store,
> you are not setting secure ciphers, you are not setting limits on key
> sizes etc. Why would you then even bother with https or http?
>
> With your argument you might as well hard code the domain name in your
> application (like wordpress) and hardcode root name servers etc.
> If you buy an egg in the store, it does not come with any requirement that
> it should be used only for making cakes. Grasp this concept.
>


Marc,

I don't know what you are trying to prove by your points + you are
insulting people for no reason.

If you insult people, they may insult you back.

Russia attacked Ukraine and Ukraine/NATO hit Russia back.

The original discussion was about openssl commands and I think that since
you don't know openssl commands, you should not have said anything.

Let other people do what they want to do. If they want to hardcode
something, why are you bothered.

I will hard code https, it's my choice. It has nothing to do with you.

Now, you are saying to hard code root name servers, etc. which doesn't make
sense.

You are taking this discussion in all sorts of directions and I don't know
what you want to prove.

If you want to prove that you are a very smart person and other people are
fools then for that you need to play chess with all other people and win
all the games. You can invite wordpress idiots to play chess with you and
then if you win then probably you can tell that person that he/she is an
idiot.

There are many people in this world who are very smart but they don't say
that other people are fools - for example, Steve Wozniak, Larry Page,
Knuth, etc.

If people are asking for advice on PHP then advise them on PHP or don't say
anything. Don't start advising them about Java.

By the way, if you insult me, I will insult you back.

GE


RE: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-17 Thread Marc

> 
>   http is an insecure protocol. I don't want my website to run on
> http. So, I am hardcoding https in links in my website that refer to
> pages in my website.
>
>
>   Now, I know that you will write why not redirect http to https by
> default. 

No because that is not relevant to me and what I would like to address. I am 
even deploying https on tasks in private air-gapped environments. This is not a 
discussion about whether or not https should be used and when.


> The problem with this is that if the website gets migrated to
> different provider and if people forget to redirect http to https in new
> setup then it will become a security problem.

I know there are many idiots out there and your concern is very valid. Most of 
the security breaches you read about are about such issues.
However, can you imagine the apache dev team thinking like you? Hard coding 
everything to https? Can you imagine all http ports of tomcat, httpd, jboss 
etc. being dropped? These people have been making rock solid applications for 
decades they don't lecture others how to use or not use https. 
You will never match them in any way, why not follow their lead?


>   Hardcoding https solves all issues.
> 

A few years back I had an argument with apple developers. They were having in 
the build process of the calendar server openssl. The developers thought for 
security purposes it would be better to include it in the build. This resulted 
in that calendar servers were always having an old insecure openssl, because the
openssl updated by the distribution was not used. (and nobody is going to build 
the application frequently) This is what happens when application developers 
think they are security geniuses.

The point I am trying to make is that you as an application developer should be 
focussed on developing your application it is not your business how this 
application is hosted. You should not concern yourself with things you are not 
experienced in/with. Especially when it comes to something as crucial as 
security. You are not removing ca certs from the trust store, you are not
setting secure ciphers, you are not setting limits on key sizes etc. Why would 
you then even bother with https or http?

With your argument you might as well hard code the domain name in your 
application (like wordpress) and hardcode root name servers etc. 
If you buy an egg in the store, it does not come with any requirement that it 
should be used only for making cakes. Grasp this concept.




Re: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-16 Thread Yehuda Katz
I have always had issues with OpenSSL on Windows, so I gave up and started
using xca (https://hohnstaedt.de/xca/). I created a root certificate that I
imported into the Windows trust store and I create new certificates for
each website in my dev environment.

- Y

On Tue, Apr 16, 2024 at 9:26 PM General Email <
general.email.12341...@gmail.com> wrote:

>
> This is also not relevant to what I am stating. If you develop, do it
>> regardless of http/https that is convenient for everyone. It will be to
>> your own benefit. If you have to host the application on your own server,
>> so be it. It will be easier with choosing your https solution. You could
>> already be developing it now, and later you can check how to use openssl.
>> Last thing you want, is an application that forces https or http.
>>
>
>
> http is an insecure protocol. I don't want my website to run on http. So,
> I am hardcoding https in links in my website that refer to pages in my
> website.
>
> Now, I know that you will write why not redirect http to https by default.
> The problem with this is that if the website gets migrated to different
> provider and if people forget to redirect http to https in new setup then
> it will become a security problem.
>
> Hardcoding https solves all issues.
>
>
>


Re: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-16 Thread General Email
> This is also not relevant to what I am stating. If you develop, do it
> regardless of http/https that is convenient for everyone. It will be to
> your own benefit. If you have to host the application on your own server,
> so be it. It will be easier with choosing your https solution. You could
> already be developing it now, and later you can check how to use openssl.
> Last thing you want, is an application that forces https or http.
>


http is an insecure protocol. I don't want my website to run on http. So, I
am hardcoding https in links in my website that refer to pages in my
website.

Now, I know that you will write why not redirect http to https by default.
The problem with this is that if the website gets migrated to different
provider and if people forget to redirect http to https in new setup then
it will become a security problem.

Hardcoding https solves all issues.
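
The migration risk described in the message above (a new setup where nobody remembered the HTTP-to-HTTPS redirect) can be checked mechanically. The following is an added example, not code from the thread or from the Apache project: it scans vhost configuration text for plain-HTTP virtual hosts that never redirect to an https:// URL. The sample configuration, host names and function names are constructed for illustration.

```python
import re

# Constructed sample of a migrated server's vhost config (not from the thread).
SAMPLE_CONF = """
<VirtualHost *:80>
    ServerName www.example.test
    Redirect permanent / https://www.example.test/
</VirtualHost>
<VirtualHost *:80>
    ServerName shop.example.test
    DocumentRoot /var/www/shop
    # Redirect permanent / https://shop.example.test/
</VirtualHost>
<VirtualHost *:443>
    ServerName shop.example.test
    SSLEngine on
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.I | re.S)
# Directives that send the client to an https:// URL (mod_alias or mod_rewrite).
TO_HTTPS_RE = re.compile(
    r"^\s*(Redirect(Match|Permanent|Temp)?|RewriteRule)\b.*\bhttps://", re.I | re.M)


def strip_comments(body):
    """Drop full-line comments so a commented-out redirect does not count."""
    return "\n".join(l for l in body.splitlines() if not l.lstrip().startswith("#"))


def is_plain_http(addresses, body):
    """A vhost is plain HTTP if it listens on port 80 and has no SSLEngine on."""
    on_80 = any(a.rsplit(":", 1)[-1] == "80" for a in addresses.split())
    return on_80 and not re.search(r"^\s*SSLEngine\s+on\b", body, re.I | re.M)


def http_vhosts_without_redirect(conf):
    """Return ServerNames of plain-HTTP vhosts that never redirect to https."""
    missing = []
    for addresses, raw_body in VHOST_RE.findall(conf):
        body = strip_comments(raw_body)
        if not is_plain_http(addresses, body) or TO_HTTPS_RE.search(body):
            continue
        name = re.search(r"^\s*ServerName\s+(\S+)", body, re.I | re.M)
        missing.append(name.group(1) if name else "(no ServerName)")
    return missing
```

Run against `SAMPLE_CONF`, the check reports `shop.example.test`, whose redirect line is commented out. It only recognises vhosts with an explicit `:80` address and does not follow `Include` directives.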


RE: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-16 Thread Marc
> 
> On Tuesday 16 April 2024 at 18:42:09, Marc wrote:
> 
> > This is more about the ability to host an application regardless if it is
> > on http or https. How https is enforced/applied is up to the manager of
> > the server, why would you even care as a developer of an application?
> 
> I often develop applications on servers which I manage.

How is this relevant?

> Please stop trying to enforce your opinion of the demarcation between
> disciplines on other people.
> 
> Not every developer is only a developer.
> 

This is also not relevant to what I am stating. If you develop, do it 
regardless of http/https that is convenient for everyone. It will be to your 
own benefit. If you have to host the application on your own server, so be it. 
It will be easier with choosing your https solution. You could already be 
developing it now, and later you can check how to use openssl. Last thing you 
want, is an application that forces https or http.



Re: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-16 Thread Antony Stone
On Tuesday 16 April 2024 at 18:57:13, Marc wrote:

> 15 years ago people were not writing about gays.
>
> Maybe it takes another 15 years to be allowed to write about idiots.

Don't be silly.

Gay people identify themselves as gay, and talking about them as such is not a 
pejorative term.

If you can find someone who identifies themselves as an idiot, then perhaps 
you're allowed to refer to them as such, but if it's just your own opinion 
that they're an idiot, you're being anti-social and unpleasant.

I think all Frank was trying to say was "please let's keep to the technical 
support of people who are trying to use Apache, and stop throwing insults at 
them, because it's not constructive to the conversation".


Antony.

-- 
Software development can be quick, high quality, or low cost.

The customer gets to pick any two out of three.

   Please reply to the list;
 please *don't* CC me.




RE: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-16 Thread Marc
>   >
>   >   But should your development be not protocol independent? If your
>   > code works on http it should also work on https. I am getting sick of
>   > these wordpress idiots where they still have hardcoded links everywhere
>   > and I can't even convert a website from http to https.
>   >
>   >
>   >
>   > Are you saying that I am a wordpress idiot?
>   >
> 
>   No :) Development/management team of wordpress are idiots. They are
> still advising people incorrectly to upgrade eg while distributions are
> backporting security stuff. A developer should just do developing. A
> dentist is also not telling an ophthalmologist what to do. Why do you
> care if you are using http or https? Unless you are developing something
> specific to the https protocol (eg. sni) forget about it.
> 
> 
> 
> Marc, let's try to be friendly towards users and adopt a more neutral
> tone.  New users have questions, and it's normal. Calling folks "idiots"
> isn't helping here.
> 

And I am trying so hard to be part of the woke movement. 15 years ago people 
were not writing about gays. Maybe it takes another 15 years to be allowed to 
write about idiots. They already are officially mentioned in the dictionary. ;)




Re: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-16 Thread Antony Stone
On Tuesday 16 April 2024 at 18:42:09, Marc wrote:

> This is more about the ability to host an application regardless if it is
> on http or https. How https is enforced/applied is up to the manager of
> the server, why would you even care as a developer of an application?

I often develop applications on servers which I manage.

Please stop trying to enforce your opinion of the demarcation between 
disciplines on other people.

Not every developer is only a developer.


Antony.

-- 
"Can you keep a secret?"
"Well, I shouldn't really tell you this, but... no."


   Please reply to the list;
 please *don't* CC me.




RE: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-16 Thread Marc
> 
> Pardon me- have 443 redirect to 80 if the environment variable is true.
> Alternatively, have a completely different 443 vhost declared for
> development purposes
> 
> On Tue, Apr 16, 2024 at 11:30 AM Will Fatherley   > wrote:
> 
> 
> 
>   But should your development be not protocol independent? If
> your code works on http it should also work on https. I am getting sick
> of these wordpress idiots where they still have hardcoded links
> everywhere and I can't even convert a website from http to https.
> 
> 
>   TLS is not in the application layer as HTTP is, so it’s just a
> complication that has to be managed in development. I don’t know how
> Wordpress works, but there are solutions beyond its configuration.

You are writing it is not application layer and then write it needs to be 
addressed in development?

>   For example, if you just need to verify your HTTP-based application
> functions as desired, but there is commingling of HTTPS and HTTP in
> application HREFs then use the `if` directive with a development-only
> environment variable in your virtual hosts. If the client follows a HTTPS
> link that isn’t going to work for keying material reasons, have the 443
> virtual host redirect to 80 if the development variable in the
> development environment
> 

This is more about the ability to host an application regardless if it is on 
http or https. How https is enforced/applied is up to the manager of the 
server, why would you even care as a developer of an application?




Re: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-16 Thread Will Fatherley
Pardon me- have 443 redirect to 80 if the environment variable is true.
Alternatively, have a completely different 443 vhost declared for
development purposes

On Tue, Apr 16, 2024 at 11:30 AM Will Fatherley 
wrote:

>
> But should your development be not protocol independent? If your code
>> works on http it should also work on https. I am getting sick of these
>> wordpress idiots where they still have hardcoded links everywhere and I
>> can't even convert a website from http to https.
>>
> TLS is not in the application layer as HTTP is, so it’s just a
> complication that has to be managed in development. I don’t know how
> Wordpress works, but there are solutions beyond its configuration.
>
> For example, if you just need to verify your HTTP-based application
> functions as desired, but there is commingling of HTTPS and HTTP in
> application HREFs then use the `if` directive with a development-only
> environment variable in your virtual hosts. If the client follows a HTTPS
> link that isn’t going to work for keying material reasons, have the 443
> virtual host redirect to 80 if the development variable in the development
> environment
>


Re: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-16 Thread Will Fatherley
> But should your development be not protocol independent? If your code
> works on http it should also work on https. I am getting sick of these
> wordpress idiots where they still have hardcoded links everywhere and I
> can't even convert a website from http to https.
>
TLS is not in the application layer as HTTP is, so it’s just a complication
that has to be managed in development. I don’t know how Wordpress works,
but there are solutions beyond its configuration.

For example, if you just need to verify your HTTP-based application
functions as desired, but there is commingling of HTTPS and HTTP in
application HREFs then use the `if` directive with a development-only
environment variable in your virtual hosts. If the client follows a HTTPS
link that isn’t going to work for keying material reasons, have the 443
virtual host redirect to 80 if the development variable in the development
environment


Re: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-16 Thread Frank Gingras
On Tue, Apr 16, 2024 at 11:11 AM Marc  wrote:

> >
> >
> >   But should your development be not protocol independent? If your
> > code works on http it should also work on https. I am getting sick of
> > these wordpress idiots where they still have hardcoded links everywhere
> > and I can't even convert a website from http to https.
> >
> >
> >
> > Are you saying that I am a wordpress idiot?
> >
>
> No :) Development/management team of wordpress are idiots. They are still
> advising people incorrectly to upgrade eg while distributions are
> backporting security stuff. A developer should just do developing. A
> dentist is also not telling an ophthalmologist what to do. Why do you care
> if you are using http or https? Unless you are developing something
> specific to the https protocol (eg. sni) forget about it.
>


Marc, let's try to be friendly towards users and adopt a more neutral
tone.  New users have questions, and it's normal. Calling folks "idiots"
isn't helping here.

Thanks.

