Hello everyone.
I have Apache 2.2.4 up and running!
I have this configuration in my ssl.conf file:

Listen xxx.xxx.xxx.xxx:443
<VirtualHost xxx.xxx.xxx.xxx:443>
ServerName xxx.xxx.xxx.xxx:443
ErrorLog /opt/CHROOT/HTTPD-2.2.4/logs/error_log
TransferLog /opt/CHROOT/HTTPD-2.2.4/logs/access_log
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /opt/CHROOT/HTTPD-2.2.4/conf/cert/smactest.cert.temp
SSLCertificateKeyFile /opt/CHROOT/HTTPD-2.2.4/conf/cert/smactest.key.temp
SSLCACertificateFile /opt/CHROOT/HTTPD-2.2.4/conf/cert/ProgettieServizi.cer
 <Location />
 SSLVerifyClient require
 SSLVerifyDepth  10
 SSLRequire %{SSL_CLIENT_I_DN_CN} eq "manuciao"
</Location>
</VirtualHost>

As you can see, I want client authentication, but with this configuration
the server doesn't ask the browser for a certificate.
If I move SSLVerifyClient and SSLVerifyDepth out of the Location
directive, the server asks for a client cert, but then it seems that the
filter doesn't work.
The server asks me for a cert, I select one from my browser list that is
not signed by a CA with the common name "manuciao", but the server doesn't
stop me from getting the page.

How can I see the SSL_CLIENT_I_DN_CN value?
I've turned debug on, but I can't see anything for this variable.

If I want a configuration where the server asks for client certificates
for a specific URL and accepts only those with a specific CA or a specific
common name, what do I have to do?

What should the configuration in my ssl.conf file be?

Please let me know!
Thanks in advance


Manuela Vorazzo 
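
The per-URL client-certificate setup asked about above, written out as an added example; it is not part of the original message or a reply from the list. The /secure path, the ssl_client_log file name and the stricter SSLProtocol/SSLCipherSuite values are assumptions; the certificate paths are the ones from the message.

```apache
Listen xxx.xxx.xxx.xxx:443
<VirtualHost xxx.xxx.xxx.xxx:443>
    ServerName xxx.xxx.xxx.xxx:443
    SSLEngine on

    # Assumption: a stricter policy than the cipher list in the message,
    # with no SSLv2, export, low-strength or null-encryption suites.
    SSLProtocol all -SSLv2
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!eNULL:!EXP:!LOW

    SSLCertificateFile /opt/CHROOT/HTTPD-2.2.4/conf/cert/smactest.cert.temp
    SSLCertificateKeyFile /opt/CHROOT/HTTPD-2.2.4/conf/cert/smactest.key.temp

    # Client certificates are verified against the CAs in this file.
    SSLCACertificateFile /opt/CHROOT/HTTPD-2.2.4/conf/cert/ProgettieServizi.cer

    # No client certificate is requested for the rest of the site.
    SSLVerifyClient none

    # Record the issuer CN and subject CN that mod_ssl sees on each request,
    # so the value compared by SSLRequire can be read from the log.
    # ssl_client_log is a hypothetical file name.
    CustomLog /opt/CHROOT/HTTPD-2.2.4/logs/ssl_client_log "%h \"%r\" %>s issuer_cn=\"%{SSL_CLIENT_I_DN_CN}x\" subject_cn=\"%{SSL_CLIENT_S_DN_CN}x\""

    # /secure is a hypothetical path standing in for the protected URL.
    <Location /secure>
        # Request and verify a client certificate for this URL only.
        SSLVerifyClient require
        SSLVerifyDepth 10

        # SSL_CLIENT_I_DN_CN is the CN of the issuing CA;
        # SSL_CLIENT_S_DN_CN is the CN of the certificate holder.
        # Access is denied when the expression is false.
        SSLRequire %{SSL_CLIENT_I_DN_CN} eq "manuciao"
    </Location>
</VirtualHost>
```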






"Dale Ogilvie" <[EMAIL PROTECTED]> 
31/05/2007 04.15
Please respond to: users@httpd.apache.org
To: <users@httpd.apache.org>
Subject: [EMAIL PROTECTED] mod_proxy_balance never recovers from a worker error with stickysession

Hello,

I am running Apache 2.2.3 on RedHat EL 5. I am trying to use Apache to
load balance between two local instances of tomcat in order to utilize
the vast quantities of RAM on our production server.

My httpd setup looks like this:

<Proxy balancer://tomcat>
    BalancerMember ajp://localhost:8009 min=10 max=100 route=tomcat1 loadfactor=1 retry=120
    BalancerMember ajp://localhost:8010 min=10 max=100 route=tomcat2 loadfactor=1 retry=120
</Proxy>

<Location /balancer-manager>
    SetHandler balancer-manager
    Order deny,allow
    Deny from all
    Allow from .trimblecorp.net
</Location>

ProxyPass /dscgi/ds.py/ balancer://tomcat/docushare/dsweb/ stickysession=JSESSIONID nofailover=On
ProxyPass /docushare balancer://tomcat/docushare stickysession=JSESSIONID nofailover=On
ProxyPass /docushare/ balancer://tomcat/docushare/ stickysession=JSESSIONID nofailover=On

The problem is that if one of the workers gets into error status, any
client with a JSESSIONID referencing that route is never able to receive
a reply, Apache *always* responds with a 503 - Temporarily unavailable,
*until* another request is successful. I expected with "retry=120" that
after 120 seconds the client would be able to use the errored out
worker, but this is *not* the case.

Test case:

1. Start tomcats
2. Access /docushare, this succeeds and returns a JSESSIONID cookie
referencing the member e.g.
JSESSIONID=BC90C156669FDF0194657FF27EC3AF99.tomcat2
3. Stop tomcats to simulate a backend failure
4. Access /docushare again in the same browser session, this fails with
a 503 error (as expected). Balance-manager shows tomcat1 is OK, and
tomcat2 is Err
Error_log shows: All workers are in error state for route (tomcat2)
5. Start tomcats again
6. Wait for 120+ seconds to allow retry=120 to take effect
7. Access /docushare *using the session with the tomcat2 cookie*, expect
success, get 503 error. I can repeat this step ad nauseam without ever
getting a successful response.
Error_log shows: All workers are in error state for route (tomcat2)
8. To resolve the issue, delete the JSESSIONID cookie from the client or
open up a new browser and access /docushare. Either of these seem to
solve the problem for the "cookied" browser session.
9. Access /docushare, this succeeds, balance-manager shows both tomcat1
and tomcat2 are now OK even though the cookie returned to this request
is for *tomcat1*.

So I would expect that the balance would retry the errored path
successfully "retry" seconds after the failure. Is this a bug or do I
have some misunderstanding and/or misconfiguration?

Regards

--
Dale Ogilvie
Senior Software Engineer
Trimble Navigation NZ Ltd
P O Box 8729
Riccarton
Christchurch
Ph:       +64 3 9635344
Fax:     +64 3 9635317

