Re: [users@httpd] Optimal way to trigger logging if certain URL is accessed

2019-10-23 Thread Eric Covener
On Wed, Oct 23, 2019 at 12:41 PM Martin T wrote: > > Hi, > > I have a following Apache virtual host configuration where custom > call_Google_MP_API script receives the IP address and HTTP User-Agent > string as standard input if https://www.example.com/doc.pdf is > downloaded: > > > >

Re: [users@httpd] Optimal way to trigger logging if certain URL is accessed

2019-10-23 Thread Anil Kumar P
Nope only on server and vhost levels. Thanks, Anil > On Oct 23, 2019, at 11:52 AM, Colin 't Hart wrote: > > Are logging directives allowed inside a Location or LocationMatch directive? > > /Colin > > Sent from my iPhone > >> On 23 Oct 2019, at 18:41, Martin T wrote: >> >> Hi, >> >> I ha

Re: [users@httpd] Enabling SHA1 for client certificates

2019-10-23 Thread @lbutlr
On 23 Oct 2019, at 09:38, Stefan Eissing wrote: > "WARNING at this time setting the security level higher than 1 for general > internet use is likely to cause considerable interoperability issues and is > not recommended. This is because the SHA1 algorithm is very widely used in > certificates

Re: [users@httpd] Optimal way to trigger logging if certain URL is accessed

2019-10-23 Thread Colin 't Hart
Are logging directives allowed inside a Location or LocationMatch directive? /Colin Sent from my iPhone > On 23 Oct 2019, at 18:41, Martin T wrote: > > Hi, > > I have a following Apache virtual host configuration where custom > call_Google_MP_API script receives the IP address and HTTP User-

[users@httpd] Optimal way to trigger logging if certain URL is accessed

2019-10-23 Thread Martin T
Hi, I have a following Apache virtual host configuration where custom call_Google_MP_API script receives the IP address and HTTP User-Agent string as standard input if https://www.example.com/doc.pdf is downloaded: /* configuration removed for brevity */ SetEnvIf Request_URI

Re: [users@httpd] Adding a proprietary 2-step authentication method that only does the 2nd step

2019-10-23 Thread Mauricio Tavares
On Wed, Oct 23, 2019 at 11:54 AM Andy Gutman wrote: > > I want to add a proprietary 2-factor authentication method to an Apache Web > Server that only does the 2nd step. The first challenge (username & password) > is handled by whatever mechanism exists & is configured for that user or > direct

[users@httpd] Adding a proprietary 2-step authentication method that only does the 2nd step

2019-10-23 Thread Andy Gutman
I want to add a proprietary 2-factor authentication method to an Apache Web Server that only does the 2nd step. The first challenge (username & password) is handled by whatever mechanism exists & is configured for that user or directory (e.g., basic, digest) I have built a module that handles both

Re: [users@httpd] Enabling SHA1 for client certificates

2019-10-23 Thread Stefan Eissing
mod_ssl does no special SHA-1 check. What you see is the error message from openssl itself (wrapped in a log number thing for traceability). So, the question is why your openssl is ok with what your apache linked openssl denies. I found at https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_

Re: [users@httpd] Enabling SHA1 for client certificates

2019-10-23 Thread Wouter Verhelst
Hi Stefan, Stefan Eissing wrote on Wed 23-10-2019 at 16:33 [+0200]: I assume you have tried openssl standalone on such a certificate? https://stackoverflow.com/questions/25482199/verify-a-certificate-chain-using-openssl-verify#26520714 Thanks for pointing that out. I hadn't tried it yet, but

Re: [users@httpd] Enabling SHA1 for client certificates

2019-10-23 Thread Wouter Verhelst
@lbutlr wrote on Wed 23-10-2019 at 07:48 [-0600]: On 23 Oct 2019, at 03:49, Wouter Verhelst < wouter.verhe...@zetes.com > wrote: I know that SHA1 is insecure these days, but I have no control over the algorithms used in this particular CA, and I need to be

Re: [users@httpd] Enabling SHA1 for client certificates

2019-10-23 Thread Stefan Eissing
I assume you have tried openssl standalone on such a certificate? https://stackoverflow.com/questions/25482199/verify-a-certificate-chain-using-openssl-verify#26520714 Since I do not know of any specific checks added for this in Apache, I assume that openssl updated its verification implementa

RE: [users@httpd] SentEnvIf and multiple X-Fowarded-For headers

2019-10-23 Thread Michael Nielsen
I asked a similar question some weeks ago (in respect of -ipmatch and X-Forwarded-For), but received no response. Original question reproduced here: --- I am certain I’m missing something important about the directive and the -ipmatch operator whe

Re: [users@httpd] SentEnvIf and multiple X-Fowarded-For headers

2019-10-23 Thread Ruben Safir
On Wed, Oct 23, 2019 at 01:25:57PM +0200, Maxime VEROONE wrote: > Hi, > > This question was previously sent to StackOverflow (ID 57206362), but > I believe it belongs here more than there. > > We are using this kind of configuration to grant access to one of our > sites (here with RFC1918 CIDR ra

Re: [users@httpd] Enabling SHA1 for client certificates

2019-10-23 Thread @lbutlr
On 23 Oct 2019, at 03:49, Wouter Verhelst wrote: > I know that SHA1 is insecure these days, but I have no control over the > algorithms used in this particular CA, and I need to be able to use it. This is a case of pushing back to get the incompetent CA to update. Even if you manage to get Apac

[users@httpd] SentEnvIf and multiple X-Fowarded-For headers

2019-10-23 Thread Maxime VEROONE
Hi, This question was previously sent to StackOverflow (ID 57206362), but I believe it belongs here more than there. We are using this kind of configuration to grant access to one of our sites (here with RFC1918 CIDR ranges as an example, but you may imagine different restrictions using public IP

[users@httpd] Enabling SHA1 for client certificates

2019-10-23 Thread Wouter Verhelst
Hi, For reasons beyond my control, I need to allow client certificate authentication with certificates that are signed with SHA1 (I know -- don't ask). Upon installing Apache from Debian 10 "buster" and installing the CA certificate under SSLCACertificateFile, however, I get the following: [We