Re: [users@httpd] CSP nonces in apache

2017-09-11 Thread Mitchell Krog Photography
As per the original article from Scott Helme that you initially referred to, you will need to generate a random string yourself. Something like this might help you in the right direction - https://gist.github.com/earthgecko/3089509 From: Luis Speciale Reply:

Re: [users@httpd] Problem with Redirect

2017-07-09 Thread Mitchell Krog Photography
01:03:45 GMT ETag: "1748-54f0ced6b7e40" Accept-Ranges: bytes Content-Length: 5960 Vary: Accept-Encoding Connection: close Content-Type: text/html On Sat, Jul 8, 2017 at 9:44 AM, Mitchell Krog Photography <mitchellk...@gmail.com> wrote: I agree use this tool - http://w

Re: [users@httpd] Problem with Redirect

2017-07-08 Thread Mitchell Krog Photography
I agree use this tool - http://www.redirect-checker.org/index.php It’s one of the best and doesn’t cache anything so any updates you make when working with redirects are picked up instantly. Kind Regards Mitchell From: Nick Kew Reply: users@httpd.apache.org

Re: [users@httpd] Problem with Redirect

2017-07-08 Thread Mitchell Krog Photography
(.*) https://def.com%{REQUEST_URI} [END,QSA,R=permanent] Kind Regards Mitchell Krog ** Visit me at https://mitchellkrog.com ** From: Blake McBride <blake1...@gmail.com> Reply: users@httpd.apac

Re: [users@httpd] mod_lua and subprocess_env

2017-06-20 Thread Mitchell Krog Photography
Yes as it addresses a number of vulnerabilities discovered. Check mailing list for CVE messages sent earlier today. Kind Regards Mitchell Krog ** Visit me at https://mitchellkrog.com ** License My

Re: [users@httpd] Problem with Apache2 after upgrade from Ubuntu14.04 to 16.04

2017-04-18 Thread Mitchell Krog Photography
Ugh the things we have to do to survive in this game!! LOL. On 18/04/17 12:59, Mitchell Krog Photography wrote: My experience with upgrading from 14.04 to 16.04 is apache does not upgrade well at all, had it happen on several servers already in the past. I would suggest backup your entire etc/apache2

Re: [users@httpd] Problem with Apache2 after upgrade from Ubuntu14.04 to 16.04

2017-04-18 Thread Mitchell Krog Photography
My experience with upgrading from 14.04 to 16.04 is apache does not upgrade well at all, had it happen on several servers already in the past. I would suggest backup your entire etc/apache2 folder or rename it /etc/apache_backup/ Then uninstall apache and purge it, uninstall PHP and purge it and

Re: [users@httpd] What is preferred PHP interface?

2017-03-30 Thread Mitchell Krog Photography
+1 php-fpm From: Lester Caine Reply: users@httpd.apache.org Date: 30 March 2017 at 11:14:57 AM To: users@httpd.apache.org Subject: Re: [users@httpd]

Re: [users@httpd] Run Control for Apache in Fedora 25

2017-03-29 Thread Mitchell Krog Photography
Brilliant, so glad you got it sorted :) Cheers Mitch From: John Iliffe Reply: users@httpd.apache.org Date: 28 March 2017 at 6:08:33 PM To: users@httpd.apache.org

Re: [users@httpd] Run Control for Apache in Fedora 25

2017-03-28 Thread Mitchell Krog Photography
What does sudo systemctl edit --full httpd show you ??? From: John Iliffe Reply: users@httpd.apache.org Date: 28 March 2017 at 4:35:52 PM To: users@httpd.apache.org

Re: [users@httpd] ServerAlias limit and conflicts?

2017-03-17 Thread Mitchell Krog Photography
Actually to clarify point 3. That error I stated was due to something else. However I tested the following config and the first virtualhost completely over-rides the second one due to the wildcard. ServerAdmin webmaster@centos.local DocumentRoot /var/www/html/centos ServerName

Re: [users@httpd] ServerAlias limit and conflicts?

2017-03-17 Thread Mitchell Krog Photography
1. I have always stuck to one ServerAlias line but for fun I tested this config this morning and it works just fine ServerName centos.local ServerAlias centos2.local centos3.local ServerAlias centos4.local ServerAlias centos5.local centos6.local centos7.local 2. Not that I am

RE: [users@httpd] Hiding Apache version info on the Aix server for Apache.

2017-03-16 Thread Mitchell Krog Photography
I’ve tested on CentOS 6.8, Apache 2.2.15 Both *ServerTokens PROD* *ServerSignature Off* Work perfectly and do not affect the starting of the server. Secondly have you actually ever run a configtest? *apachectl configtest* If you copy and paste the ServerTokens and ServerSignature lines

Re: [users@httpd] Hiding Apache version info on the Aix server for Apache.

2017-03-14 Thread Mitchell Krog Photography
Sorry typo …. /etc/apache2/conf-available/security.conf From: Chunduru, Krishnachaithanya Reply: users@httpd.apache.org Date: 14 March 2017 at 1:56:04 PM

Re: [users@httpd] Hiding Apache version info on the Aix server for Apache.

2017-03-14 Thread Mitchell Krog Photography
yeh...@ymkatz.net> <yeh...@ymkatz.net> Reply: Yehuda Katz <yeh...@ymkatz.net> <yeh...@ymkatz.net> Date: 14 March 2017 at 3:58:48 PM To: users@httpd.apache.org <users@httpd.apache.org> <users@httpd.apache.org> Cc: Mitchell Krog Photography <mitchellk...@gmail.com> <

Re: [users@httpd] Hiding Apache version info on the Aix server for Apache.

2017-03-14 Thread Mitchell Krog Photography
Not sure what version of apache you are using but in versions 2.4.x the modification is done in /etc/conf-available/security.conf and not in the http.conf or apache2.conf file. From: Chunduru, Krishnachaithanya

Re: [users@httpd] Webserver intranet https categorized for insecure for broesers.

2017-02-20 Thread Mitchell Krog Photography
That’s because you have generated your own certificates, they are not trusted by any browser. Get yourself a fully trusted free SSL certificate using the Certbot client from Let’s Encrypt. https://letsencrypt.org / https://community.letsencrypt.org From: Rodrigo Cunha

Re: [users@httpd] apache2 config test failed

2017-02-20 Thread Mitchell Krog Photography
Line 219 of your .conf file reads "IncludeOptional sites-enabled/*.conf" that’s where it starts loading the sites you have configured and that’s where it is failing. So start looking for errors on line 32 on one of your enabled-sites conf files and not for an error in your apache2.conf which

Re: [users@httpd] apache 2.4.10 sslv3 not offering when tls is enabled

2017-02-09 Thread Mitchell Krog Photography
Your SSL config for Apache 2.4.10 should be as follows ... SSLEngine on SSLCertificateFile /path/to/signed_certificate_followed_by_intermediate_certs SSLCertificateKeyFile /path/to/private/key # Uncomment the following directive when using client certificate authentication

Re: [users@httpd] am i hacked ?

2017-02-06 Thread Mitchell Krog
I see these types of attack strings all the time on Nginx except Nginx gives a 403. Apache is notoriously bad with security and giving 200 ok responses makes you yourself. A reason I and many other people have switched. User support on this list was also non-existent when I ran into serious

Re: [users@httpd] Unknown accepted traffic to my site

2016-10-08 Thread Mitchell Krog Photography
Thanks Spork for the detailed reply you got from Berkeley, I got a similar one, though not quite as detailed. I think the problem with Apache is that it is simply an index.html sending a 200 “OK” and not actually replying to say yes I am infected with whatever it is they are looking for. At the

RE: [users@httpd] Unknown accepted traffic to my site

2016-10-06 Thread Mitchell Krog Photography
ttpd.apache.org>, tawaso...@gmail.com <tawaso...@gmail.com> Subject: RE: [users@httpd] Unknown accepted traffic to my site From the looks of it I would say it is targeting servers running SSL. Are you serving up HTTP or HTTPS? From: Mitchell Krog Photography Sent: Wednesday, Oct

Re: [users@httpd] Unknown accepted traffic to my site

2016-10-05 Thread Mitchell Krog Photography
It’s some kind of buffer overflow attempt. I’ve been seeing this in logs for months. It started a few months back with the Berkeley University Scanner who are researching by sending out a string like that and then seeing what response they get. It’s to check for some kind of exploit. Their IP

[users@httpd] mod_socache_shmcb

2016-08-02 Thread Mitchell Krog
Hi all I am hoping someone can please give me a more concise description of what the socache_shmcb module is and what it actually does. The documentation at https://httpd.apache.org/docs/2.4/mod/mod_socache_shmcb.html is very vague and in 2 years has not changed. Google searches do not