Re: [EMAIL PROTECTED] Different security based on network interface

2005-09-13 Thread Davide Bianchi
AragonX wrote:
> and external users (customers).  There are some web applications that I
> would like to have available to internal users but require external users
> to have a password to access the directory

Can you distinguish internal users from external ones? If so, you can
use the 'Satisfy' directive to let internal users in without asking for
a password.

> I'm afraid someone will spoof the IP addresses of the internal network
> to bypass this security measure.

So, if you don't trust the IP address how do you distinguish the two?

Davide

-- 
Linux: Because rebooting is for adding new hardware

-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
   "   from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



[EMAIL PROTECTED] New authentication framework in Apache 2.1

2005-09-13 Thread Julien ALLANOS
Hello,

From what I've read, the authentication API has been rewritten in Apache 2.1. As
there are not many docs at http://mod-auth.sourceforge.net/docs/ (link to
"Changes from 2.0" is broken), I want to know more. One of the things I've been
disappointed with in Apache 1.3 or 2.0 is that authentication backends and
authentication types aren't clearly separated. Note: by auth backends I
understand users/groups referentials (where is users and groups information
stored?).

As an example, let's look at 2.0 authentication modules:

 * mod_auth: offers Basic Auth auth type, using a file-based users and groups
referential.
 * mod_auth_anon: I've never tried that, but it looks like a Basic Auth where
the authorized set of users is hard-coded within an Apache directive. No group
notion.
 * mod_auth_dbm: offered auth type is Basic Auth, users and groups referential:
DBM type database.
 * mod_auth_digest: offers Digest Auth, using a file-based users and groups
referential.
 * mod_auth_ldap: offers Basic Auth, using an LDAP-based users and groups
referential.
 * mod_ssl: offers strong authentication using X509 certificates. No users or
groups referential, only valid (issued by a known CA) certificates are allowed
to access a protected resource.

Some third-party modules:

 * mod_auth_mysql: offers Basic Auth, using a MySQL-based users and groups
referential.
 * mod_auth_sspi: offers NTLM authentication, using a Windows Domain Controller
for the users and groups referential.
 * mod_auth_kerb: offers Kerberos authentication, using a Windows Domain
Controller for the users and groups referential.

I believe each time you want a new combination of auth type and auth backend,
you need to create a new module. What if, for a protected resource, I want to
auth users with X509 certificates and then check if the cn value of the
presented Subject DN exists in the users referential I use, which is stored on
a SQLite database? Or if I want to combine Digest authentication and a
LDAP-based users referential? Is it really possible to do so without developing
new modules?

In case multiple auth types or backends are used, there should be a way to
delegate the authentication phase to another module (the "Authoritative"
thingie most of the modules implement). We should be able to try
AuthType1/AuthBackend1, then AuthType2/AuthBackend1 and finally
AuthType3/AuthBackend2.

Does the new API bring solutions to this? Or can anyone enlighten me about the
new features introduced by the auth API in 2.1?

Thanks for your feedback,
-- 
Julien ALLANOS




[EMAIL PROTECTED] Backup Apache web servers

2005-09-13 Thread Jojo Solis
Hi everyone,

I wanted to back up web files and configuration files from my Apache server, MySQL server and mailmain server. Are there any other scripts to automate this process? I wanted to tar the whole directory, especially the web files, zip it and upload it to the Windows FTP server.

Please help!

Thanks!

JOJO


Re: [EMAIL PROTECTED] Different security based on network interface

2005-09-13 Thread Krist van Besien
On 9/13/05, AragonX <[EMAIL PROTECTED]> wrote:
> Hello all,
> 
> I am trying to secure my web server.  It serves internal users (employees)
> and external users (customers).  There are some web applications that I
> would like to have available to internal users but require external users
> to have a password to access the directory (the applications have their
> own security but I don't want any of the scripts or files visible to the
> internet at all.  They are all under the /internal directory).  Can this
> be done?
> 
> The server has two NICS, one serving the internal network and one serving
> the external.  Is there a module that will allow different security levels
> based in this information?
> 
> I know that mod_access and I think mod_security will allow me to do this
> but they do it based on IP address.  I'm afraid someone will spoof the IP
> addresses of the internal network to bypass this security measure.
> 
> What I'm trying to avoid is having the employees log in twice to access
> the web apps.  They would be most unhappy.

What you could do is have two virtual hosts, one attached to the IP
address of the external interface and another attached to the IP
address of the internal interface. Put the common config outside of
the containers, and the security config inside them.

Krist


-- 
[EMAIL PROTECTED]
Solothurn, Switzerland
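
The two approaches suggested in this thread ('Satisfy' and one virtual host per interface address), written out as an added example that is not part of any poster's message. The addresses, host names, paths and realm name are assumptions, and the access-control syntax is the Order/Allow/Deny style of Apache 1.3/2.0.

```apache
# Added example. Assumed (not from the thread):
#   internal NIC 10.0.0.10 on 10.0.0.0/24, external NIC 192.0.2.10,
#   document root /var/www/html, password file /etc/apache/internal.htpasswd.
# Use ONE of the two options below, not both.

# --- Option 1: one host, 'Satisfy Any' -------------------------------------
# A request is accepted if EITHER the host-based rule OR the password check
# passes. The host-based rule trusts the client's source address.
<Directory /var/www/html/internal>
    Order deny,allow
    Deny from all
    Allow from 10.0.0.0/24

    AuthType Basic
    AuthName "Internal applications"
    AuthUserFile /etc/apache/internal.htpasswd
    Require valid-user

    Satisfy Any
</Directory>

# --- Option 2: one virtual host per interface address -----------------------
# The policy is chosen by the LOCAL address the connection arrived on, so it
# does not rest on the client's source address alone. Packets addressed to
# 10.0.0.10 must still be dropped on the external interface by the router or
# host firewall for this separation to hold.
Listen 10.0.0.10:80
Listen 192.0.2.10:80

# Common configuration stays outside the containers.
DocumentRoot /var/www/html

<VirtualHost 10.0.0.10:80>
    ServerName intranet.example.com
    <Directory /var/www/html/internal>
        # Employees: no password, but still limited to the internal subnet.
        Order deny,allow
        Deny from all
        Allow from 10.0.0.0/24
    </Directory>
</VirtualHost>

<VirtualHost 192.0.2.10:80>
    ServerName www.example.com
    <Directory /var/www/html/internal>
        # Customers: always authenticate. Basic credentials are sent in
        # clear text on port 80, so an SSL virtual host is the better home
        # for this block.
        Order allow,deny
        Allow from all
        AuthType Basic
        AuthName "Internal applications"
        AuthUserFile /etc/apache/internal.htpasswd
        Require valid-user
    </Directory>
</VirtualHost>
```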




RE: [EMAIL PROTECTED] Different security based on network interface

2005-09-13 Thread Administrator
This may be a stupid answer, but isn't it easily possible to set up the
interfaces (or firewall, or both) so they reject source IP addresses in the
wrong I/F?  Or am I missing the point?

David

| On 9/13/05, AragonX <[EMAIL PROTECTED]> wrote:
| > Hello all,
| >
| > I am trying to secure my web server.  It serves internal users
| > (employees) and external users (customers).  There are some web
| > applications that I would like to have available to
| internal users but
| > require external users to have a password to access the
| directory (the
| > applications have their own security but I don't want any of the
| > scripts or files visible to the internet at all.  They are
| all under
| > the /internal directory).  Can this be done?
| >
| > The server has two NICS, one serving the internal network and one
| > serving the external.  Is there a module that will allow different
| > security levels based in this information?
| >
| > I know that mod_access and I think mod_security will allow me to do
| > this but they do it based on IP address.  I'm afraid someone will
| > spoof the IP addresses of the internal network to bypass
| this security measure.
| >
| > What I'm trying to avoid is having the employees log in twice to
| > access the web apps.  They would be most unhappy.






[EMAIL PROTECTED] Both IP based and name based virtual host on same server.

2005-09-13 Thread Arun G Nair
Hi list,

   We have Apache 1.3 running on debian (172.16.2.0). We have
several name based virtual hosts that we use for development. Now we
need a virtualhost with SSL support. After going through the docs I
found that SSL with Name based virtual host is not possible. So I'll
need an IP based virtualhost config. I created a virtual alias
(172.16.2.10) for this. Now how do i setup both name based and IP based
(with SSL) virtual hosts ?

I have added the below parts for mod_ssl .

-httpd.conf

LoadModule ssl_module /usr/lib/apache/1.3/mod_ssl.so

 AddType application/x-x509-ca-cert .crt
 AddType application/x-pkcs7-crl .crl

    SSLCACertificateFile /etc/apache/ssl.crt/ca-bundle.crt
    SSLPassPhraseDialog builtin
    SSLSessionCache dbm:/var/run/ssl_scache
    SSLSessionCacheTimeout 300
    SSLMutex file:/var/run/ssl_mutex
    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin

-httpd.conf

Below is the virtual host that I need :

-httpd.conf

NameVirtualHost *

<VirtualHost *>
    ServerName abc.com
    DocumentRoot /var/www/abc
</VirtualHost>

# Below is the virtual host that I need :

<VirtualHost 172.16.2.10:443>
    ServerName secure.abc.com
    DocumentRoot /var/www/abc
</VirtualHost>

-httpd.conf

Now what all things do I need for this. Will I need :

- Listen 443
 OR
- Listen 172.16.2.0:80
- Listen 172.16.2.10:443
 (172.16.2.0 is the address for name based virtual hosts. They use Port 80)
 (Now, Listen is commented out and 'Port 80' is enabled. )

- NameVirtualHost 172.16.2.0:80
  (Now its NameVirtualHost * )

Regards,
Arun


Re: [EMAIL PROTECTED] Both IP based and name based virtual host on same server.

2005-09-13 Thread Davide Bianchi
Arun G Nair wrote:
> use for development. Now we need a virtualhost with SSL support. After
> going through the docs I found that SSL with Name based virtual host is
> not possible.

Who said so? It is possible, the only problem is that all the
SSL-enabled virtual hosts will use the same certificate. This means
that connecting to 'https://www.somehost.com' the browser will complain
that the certificate is for 'www.someotherhost.com'. Of course you could
get away with it by having only sub-domains, like thishost.domain.com,
anotherhost.domain.com and so on, and the certificate having
*.domain.com.

But if you need ONE virtual host it will work fine.

Also, it will work fine if you don't really care about the 'warning'
message.

Davide

-- 
Windows: The answer to a question nobody has ever asked.




Re: [EMAIL PROTECTED] Both IP based and name based virtual host on same server.

2005-09-13 Thread Arun G Nair
If its possible, how ? I haven't created any certs, just used that came default.

On 9/13/05, Davide Bianchi <[EMAIL PROTECTED]> wrote:
> Arun G Nair wrote:
> > use for development. Now we need a virtualhost with SSL support. After
> > going through the docs I found that SSL with Name based virtual host is
> > not possible.
>
> Who said so? It is possible, the only problem is that all the
> SSL-enabled virtual hosts will use the same certificate. This means
> that connecting to 'https://www.somehost.com' the browser will complain
> that the certificate is for 'www.someotherhost.com'. Of course you could
> get away with it by having only sub-domains, like thishost.domain.com,
> anotherhost.domain.com and so on, and the certificate having
> *.domain.com.
>
> But if you need ONE virtual host it will work fine.
>
> Also, it will work fine if you don't really care about the 'warning'
> message.
>
> Davide
>
> --
> Windows: The answer to a question nobody has ever asked.

-- 
...Keep Smiling...


Re: [EMAIL PROTECTED] Both IP based and name based virtual host on same server.

2005-09-13 Thread Davide Bianchi
Arun G Nair wrote:
> If its possible, how ?

You need to have both the 'Listen' directives, one for port 80
and one for port 443, then you need two 'NameVirtualHost'
directives, one for port 80 and one for port 443, then you need
to specify which VHosts respond on port 80 and which on port
443, these need to have the related SSL* options in them to
enable SSL.

The example configuration file shipped with Apache does work,
mostly out-of-the-box.

Davide

-- 
Remember men, we're fighting for this woman's honor, which is
probably more than she ever did!
-- Julius Henry "Groucho" Marx (http://en.wikiquote.org/wiki/Groucho_Marx)
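
The layout described in this reply, written out as an added example that is not part of Davide's message. It reuses the addresses, host names and certificate paths Arun posted in this thread; the <VirtualHost> containers and their arguments are assumptions, since the archive stripped them from the posted configuration.

```apache
# Added example for Apache 1.3 with mod_ssl, following the steps in the reply:
# two Listen directives, two NameVirtualHost directives, and virtual hosts
# that state which address:port they answer on.

Listen 172.16.2.0:80
Listen 172.16.2.10:443

NameVirtualHost 172.16.2.0:80
NameVirtualHost 172.16.2.10:443

# Plain HTTP, name-based. The argument of each <VirtualHost> must repeat the
# NameVirtualHost value exactly, otherwise the host is never matched.
<VirtualHost 172.16.2.0:80>
    ServerName abc.com
    DocumentRoot /var/www/abc
</VirtualHost>

# SSL host. The certificate is chosen before the Host header is read, so
# every name-based host declared on 172.16.2.10:443 presents this one
# certificate; a browser warns whenever the requested name differs from it.
<VirtualHost 172.16.2.10:443>
    ServerName secure.abc.com
    DocumentRoot /var/www/abc
    SSLEngine on
    SSLCertificateFile /etc/apache/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/apache/ssl.key/server.pem
</VirtualHost>
```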




[EMAIL PROTECTED] htpasswd -c -m -b validation

2005-09-13 Thread iyappans

hi

I've the http password file which is encrypted using the htpasswd -c -m
-b command, i.e. the password is encrypted using the md5 algorithm. I
want to validate the user input password against the stored encrypted
password.

thank you
iyappan




[EMAIL PROTECTED] Reg htpasswd

2005-09-13 Thread iyappans
hi

I've the http password file which is encrypted using the htpasswd -c -m
-b command, i.e. the password is encrypted using the md5 algorithm. I
want to validate the user input password against the stored encrypted
password.

thank you
iyappan

-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
   "   from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [EMAIL PROTECTED] Both IP based and name based virtual host on same server.

2005-09-13 Thread Jérôme Tytgat
> Of course you could
> get away with it by having only sub-domains, like thishost.domain.com,
> anotherhost.domain.com and so on, and the certificate having
> *.domain.com.
> 

Interesting.

and how do you generate a certificate for a whole domain.com ?

As far as I know CA like verisign does not support things like this :

from
"http://www.verisign.com/support/ssl-certificates-support/page_dev019500.html"

--Common Name

The Common Name is the Host + Domain Name. It looks like "www.company.com" or 
"company.com".

VeriSign certificates can only be used on Web servers using the Common Name 
specified during
enrollment. For example, a certificate for the domain "domain.com" will receive 
a warning if
accessing a site named "www.domain.com" or "secure.domain.com", because 
"www.domain.com" and
"secure.domain.com" are different from "domain.com".--

Maybe some other CA supports it...

I wonder if CACERT.org do...

Can you point to some more information about this ?

Thanks.

Jerome




Re: [EMAIL PROTECTED] Both IP based and name based virtual host on same server.

2005-09-13 Thread Davide Bianchi
Jérôme Tytgat wrote:
> and how do you generate a certificate for a whole domain.com ?
> As far as I know CA like verisign does not support things like this :

No they don't, I was referring to a self-signed certificate, since
(AFAIU) we were talking about testing/development.

Davide

-- 
NT is the only OS that has caused me to beat a piece of hardware to death
with my bare hands. --Derry Hamilton




Re: [EMAIL PROTECTED] Both IP based and name based virtual host on sameserver.

2005-09-13 Thread iyappans
hi,

  Thanks for your input.

What we are facing is
1. I have encrypted file using the command

htpasswd -c -m -b filename username password

The output was stored in file.

admin:$apr1$g3X.i/..$NZYMsYERfm1obRrWUy9aq.

I found out admin is username.

I want to validate the user admin.

I am getting the input as

username
password (which is plain text like "linux")

Can I know how to validate in Perl or C?

Thanks and regards,
Iyappan





[EMAIL PROTECTED] Windows Server 2003 SP 1 and Apache 2.0.52

2005-09-13 Thread louis
Hi guys

After I installed Service Pack 1 for Win 2003, I keep on getting the
following errors when trying to access one of my ISAPI dll's on Apache
2.0.52. I assume it's got something to do with incompatibility between
mod_isapi and Win 2003 SP 1:

---
Apache.exe - Application Error
---
The instruction at "0x05bb3397" referenced memory at "0x". The
memory could not be "written".

Click on OK to terminate the program
Click on CANCEL to debug the program
---
OK   Cancel
---

Anybody ever encountered this before? Is there a fix or workaround for
this? If I uninstall the service pack, everything works fine again, but
there are some critical security updates in this service pack.

Any ideas?


Regards,
Louis Young
Systems Administrator
Kwikpay SA (Pty) Ltd.




Re: [EMAIL PROTECTED] Both IP based and name based virtual host on same server.

2005-09-13 Thread Jérôme Tytgat

> 
> No they don't, I was referring to a self-signed certificate, since
> (AFAIU) we were talking about testing/development.
> 
> Davide
> 

Oh.

Ok.

Is there any reasons about that as cacert.org is free, there's no restrictive
idea about "how many certificate I can generate" ?

Jerome.




Re: [EMAIL PROTECTED] Both IP based and name based virtual host on same server.

2005-09-13 Thread Jérôme Tytgat
I think I've found a good answer :

http://wiki.cacert.org/wiki/VhostTaskForce#head-7d528898908190ce2585e6a8158d07ce42230724

Jérôme Tytgat a écrit :
>>No they don't, I was referring to a self-signed certificate, since
>>(AFAIU) we were talking about testing/development.
>>
>>Davide
>>
> 
> 
> Oh.
> 
> Ok.
> 
> Is there any reasons about that as cacert.org is free, there's no restrictive
> idea about "how many certificate I can generate" ?
> 
> Jerome.
> 
> 
> 




Re: [EMAIL PROTECTED] Both IP based and name based virtual host on same server.

2005-09-13 Thread Davide Bianchi
Jérôme Tytgat wrote:
> Is there any reasons about that as cacert.org is free, there's no restrictive
> idea about "how many certificate I can generate" ?

Well, the whole point of the 'certificate' is to guarantee that you are
whoever you claim to be (actually, not you but your system). So a self-
signed certificate, is fine for encryption, it will work as well as a
priced Verisign or Thawte certificate, but there is no guarantee.

While a certificate given from Verisign or Thawte should mean that the
owner took his time to request it to a third-party that is supposed to
be trustworthy.

Is the same as asking for an ID proof and being shown a passport or
a letter with your name and address on.

Davide

-- 
If only more employers realized that people join companies, but leave
bosses. A boss should be an insulator, not a conductor or an amplifier.
-- Geoff Kinnel on alt.sysadmin.recovery




Re: [EMAIL PROTECTED] Both IP based and name based virtual host on same server.

2005-09-13 Thread Arun G Nair
For certificates - http://slacksite.com/apache/certificate.html

BTW, I have a spare IP. But can't get ssl to work. Relevant parts from httpd.conf include:

httpd.conf-
Listen 172.16.2.0:80
Listen 172.16.2.10:443
skip
## mod_ssl ##
 AddType application/x-x509-ca-cert .crt
 AddType application/x-pkcs7-crl .crl
## mod_ssl ##
-skip-
## mod_ssl ##
SSLCACertificateFile /etc/apache/ssl.crt/ca-bundle.crt
SSLPassPhraseDialog builtin
SSLSessionCache dbm:/var/run/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex file:/var/run/ssl_mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
## mod_ssl ##
---skip
NameVirtualHost 172.16.2.0:80
 ServerName devsrv
DocumentRoot /var/www
 ServerName www.abcnew.com
DocumentRoot /var/www/newabc
 ServerName abcn.com
DocumentRoot /var/www/abc
 skip
# SSL Virtual Hosts
 172.16.2.10:443>
DocumentRoot /var/www/abc
ServerName secure.abcn.com
SSLEngine on
SSLCertificateFile /etc/apache/ssl.crt/server.crt
SSLCertificateKeyFile /etc/apache/ssl.key/server.pem
CustomLog /var/log/ssl_request_log \"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

httpd.conf-
Regards,
Arun


Re: [EMAIL PROTECTED] Both IP based and name based virtual host on same server.

2005-09-13 Thread Davide Bianchi
Arun G Nair wrote:
> NameVirtualHost 172.16.2.0:80 
>  
> 

If you used 172.16.2.0:80 in the NameVirtualHost directive, you need
to repeat it in all the VirtualHost blocks.

> # SSL Virtual Hosts
> 
> http://172.16.2.10:443>>

And I hope those http://httpd.apache.org/userslist.html> for more info.



[EMAIL PROTECTED] Regarding htpasswd

2005-09-13 Thread iyappans
hi,



What we are facing is
1. I have encrypted file  created by using this command

htpasswd -c -m -b filename username password

The output was stored in file.

admin:$apr1$g3X.i/..$NZYMsYERfm1obRrWUy9aq.

I found out admin is username.

I want to validate the user admin and encrypted password against my
plaintext password

I am getting the input as

username xxx
password (which is plain text like "linux")

Can I know how to validate in Perl or C?

Thanks and regards,
Iyappan







Re: [EMAIL PROTECTED] Both IP based and name based virtual host on same server.

2005-09-13 Thread Arun G Nair
On 9/13/05, Davide Bianchi <[EMAIL PROTECTED]> wrote:
> Arun G Nair wrote:
> > NameVirtualHost 172.16.2.0:80
> >
>
> If you used 172.16.2.0:80 in the NameVirtualHost directive, you need
> to repeat it in all the VirtualHost blocks.

Ok changed it, 'n restarted. Now it says
connection refused. port 80 is not listening ? 'netstat -an' shows
172.16.2.0.80 . Should i change the "Listen 172.16.2.0" to "Listen
127.0.0.1" ?

> > # SSL Virtual Hosts
> >
> > 172.16.2.10:443 >
>
> And I hope those part of the config file.

Didn't do any such thing. I think all those "*" got converted to 's. Maybe your client.

> What's httpd -t shows?

Syntax OK .

Now what ?

-Arun



Re: [EMAIL PROTECTED] Both IP based and name based virtual host on same server.

2005-09-13 Thread Davide Bianchi
Arun G Nair wrote:
>  Ok changed it, 'n restarted. Now it says connection refused. port
> 80 is not listening ? 'netstat -an' shows 172.16.2.0.80

No it is listening, but you need to connect to THAT ip address, not
127.0.0.1 (or localhost). So adjust your host file to map
your various server names to the correct Ip.

> Didn't do any such thing.  I think all those "*" got converted to
> 's. Maybe your client.

I'm afraid is your client, try to force it to post plain text instead
of html or something.

Davide

-- 
Q: Why is Microsoft's Product Support a failure?
A: Because Microsoft needs a Support Group instead.




Re: [EMAIL PROTECTED] Both IP based and name based virtual host on same server.

2005-09-13 Thread Arun G Nair
On 9/13/05, Davide Bianchi <[EMAIL PROTECTED]> wrote:
> Arun G Nair wrote:
> >  Ok changed it, 'n restarted. Now it says connection refused. port
> > 80 is not listening ? 'netstat -an' shows 172.16.2.0.80
>
> No it is listening, but you need to connect to THAT ip address, not
> 127.0.0.1 (or localhost). So adjust your host file to map
> your various server names to the correct Ip.

I tried connecting to 172.16.2.0 and 172.16.2.10:443 .

> > Didn't do any such thing.  I think all those "*" got converted to
> > 's. Maybe your client.
>
> I'm afraid is your client, try to force it to post plain text instead
> of html or something.

Maybe its Gmail. its crap, but i use it for ML's .

-Arun



Re: [EMAIL PROTECTED] New authentication framework in Apache 2.1

2005-09-13 Thread Nick Kew
On Tuesday 13 September 2005 08:26, Julien ALLANOS wrote:
> Hello,
>
> From what I've read, the authentication API has been rewritten in Apache
> 2.1. As there is not many docs at http://mod-auth.sourceforge.net/docs/
> (link to "Changes from 2.0" is broken), I want to know more.

Have you written to the maintainers of that page?

> One of the 
> things I've been disappointed with in Apache 1.3 or 2.0 is that
> authentication backends and authentication types aren't clearly separated.

That's exactly what's been fixed in 2.1+.

-- 
Nick Kew




[EMAIL PROTECTED] High memory usage on new server

2005-09-13 Thread Marc Perkel

I'm having a memory usage problem and hoping I can find a solution.

I'm moving from 32 bit Fedora Core 4 to 64 bit Fedora Core 4 on a new 
server. The problem is that the individual servers on the 64 bit box are 
using a LOT more memory than they did on the 32 bit box. and I need to 
figure out how to fix it and I don't know where to start.


Looking at "top" the memory usage on the 64 bit server shows:

SHR = 10M
RES = 37M
VIRT = 177M

Whereas on the 32 bit server 

SHR = 12M
RES = 36M
VIRT = 57372 - bytes

I think I have the same settings - but probably I don't. Anyone have a 
clue what I'm doing wrong or what tools I need to use to figure out what 
I'm doing wrong?


Thanks in Advance.





Re: [EMAIL PROTECTED] Windows Server 2003 SP 1 and Apache 2.0.52

2005-09-13 Thread William A. Rowe, Jr.

louis, you really need to download the apache_2.0.52-win32-x86-symbols.zip
file from http://archive.apache.org/dist/httpd/binaries/win32/

Unpack it in your top level Apache2 directory (e.g. somewhere like
c:\program files\apache group\apache2\) and expand directories.

Next Application error, if you click 'cancel to debug', it will either
drill you into the debugger, or bring up Dr. Watson's results, including
a full backtrace of which functions were called when the fault occurred.

Upgrading to 2.0.54 wouldn't be a bad idea, either.  Just because it
-seems- this is an Apache error related to SP1, remember that it could
be the lingering flaw in the ISAPI module you loaded, and this is just
its side effect.  But if you get more detailed info, please share.


louis wrote:

Hi guys

After I installed Service Pack 1 for Win 2003, I keep on getting the
following errors when trying to access one of my ISAPI dll's on Apache
2.0.52. I assume it's got something to do with incompatibility between
mod_isapi and Win 2003 SP 1:

---
Apache.exe - Application Error
---
The instruction at "0x05bb3397" referenced memory at "0x". The
memory could not be "written".

Click on OK to terminate the program
Click on CANCEL to debug the program
---
OK   Cancel
---

Anybody ever encountered this before? Is there a fix or workaround for
this? If I uninstall the service pack, everything works fine again, but
there are some critical security updates in this service pack.

Any ideas?


Regards,
Louis Young
Systems Administrator
Kwikpay SA (Pty) Ltd.




Re: [EMAIL PROTECTED] block empty referrer?

2005-09-13 Thread Joshua Slive
On 9/12/05, Erik Svensson <[EMAIL PROTECTED]> wrote:
> How can I block hits like this:
> 
> xx.xxx.xxx.xxx - - [04/Sep/2005:20:03:48 +0200] "GET / HTTP/1.0" 200
> 5109 "-" "-" "-"
> 
> I'm getting about 50-70 hits a day from different ip-numbers and there is
> constantly new ones, so blocking the ip-numbers in my firewall seems to
> be a hopeless task.
> I've searched for and tried a lot of different ideas for .htaccess files
> but not found anyone that worked for me.
> 
> By the way, does anyone know what is causing these hits?

SetEnvIf Referer ^$ empty_referer
Deny from env=empty_referer

But this will also deny some legitimate requests that have an empty
referer.  It would be a little safer to deny only if both Referer and
User-Agent were empty, but you would still block some good requests.

In general, 50-70 requests per day is just background noise for most
sites and should simply be ignored.

Joshua.
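
The narrower rule mentioned in this reply (deny only when both Referer and User-Agent are empty), written out as an added example that is not part of Joshua's message. The variable name, document root and log file are assumptions, and the "combined" log format nickname is assumed to be defined as in the stock configuration.

```apache
# Added example. mod_setenvif treats a missing header as an empty string,
# which is what lets the ^$ pattern match requests that send no header at all.

# Step 1: flag every request whose User-Agent is empty or absent.
SetEnvIf User-Agent "^$" empty_ref_and_ua

# Step 2: clear the flag again if the request carries any Referer at all.
# What remains flagged has BOTH headers empty.
SetEnvIf Referer "." !empty_ref_and_ua

# Assumed document root. In a .htaccess file, drop the <Directory> wrapper;
# the directives need AllowOverride FileInfo Limit there.
<Directory /var/www/html>
    Order allow,deny
    Allow from all
    Deny from env=empty_ref_and_ua
</Directory>

# Keep a separate record of what the rule rejects, so legitimate clients
# caught by it (some proxies and scripts send neither header) show up.
CustomLog logs/empty_ref_ua.log combined env=empty_ref_and_ua
```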




Re: [EMAIL PROTECTED] New authentication framework in Apache 2.1

2005-09-13 Thread Julien ALLANOS

Quoting Nick Kew <[EMAIL PROTECTED]>:

> On Tuesday 13 September 2005 08:26, Julien ALLANOS wrote:
> > Hello,
> >
> > From what I've read, the authentication API has been rewritten in Apache
> > 2.1. As there is not many docs at http://mod-auth.sourceforge.net/docs/
> > (link to "Changes from 2.0" is broken), I want to know more.
>
> Have you written to the maintainers of that page?

Not yet, but I will do.

> > One of the
> > things I've been disappointed with in Apache 1.3 or 2.0 is that
> > authentication backends and authentication types aren't clearly separated.
>
> That's exactly what's been fixed in 2.1+.

Great! Thanks Nick for the information.
--
Julien ALLANOS




RE: [EMAIL PROTECTED] Windows Server 2003 SP 1 and Apache 2.0.52

2005-09-13 Thread louis

> louis, you really need to download the 
> apache_2.0.52-win32-x86-symbols.zip
> file from http://archive.apache.org/dist/httpd/binaries/win32/
> 
> Unpack it in your top level Apache2 directory (e.g. somewhere 
> like c:\program files\apache group\apache2\) and expand directories.
> 
> Next Application error, if you click 'cancel to debug', it 
> will either drill you into the debugger, or bring up Dr. 
> Watson's results, including a full backtrace of which 
> functions were called when the fault occurred.

Cool. Thanks

> 
> Upgrading to 2.0.54 wouldn't be a bad idea, either.  Just because it
> -seems- this is an Apache error related to SP1, remember that 
> it could be the lingering flaw in the ISAPI module you 
> loaded, and this is just its side effect.  But if you get 
> more detailed info, please share.

I think I'll try the upgrade first. Let's see how it goes.

Cheers
Louis




[EMAIL PROTECTED] Apache and Active Directory

2005-09-13 Thread Marcos R. Cardoso
Hi, here where I work we have the following configuration for our web 
server:


Windows 2003
Apache 2.0.54
PHP 4.4.0
MySQL 4.0.20

This server also connects to a database server with Oracle 9i through a 
Oracle 8i Client, otherwise the PHP wouldn't connect to the database 
properly.


There is also a separated domain server (Windows 2003 Server) which 
contains some folders used by the web server (these separated folders 
are defined in the Alias/Directory section in the httpd.conf file).


The questions are:
- How can I make one of these separated folders be seen only by the 
users contained in the Windows 2003 Server domain?
- How can I make one of these separated folders be seen only by some 
users picked out in the Windows 2003 Server domain?



TIA,
Marcos R. Cardoso
Brazil






[EMAIL PROTECTED] Memory leak on Windows 2003

2005-09-13 Thread Marcos R. Cardoso
Hi, here where I work we have the following configuration for our web 
server:


Windows 2003
Apache 2.0.54
PHP 4.4.0
MySQL 4.0.20

This server also connects to a database server with Oracle 9i through a 
Oracle 8i Client, otherwise the PHP wouldn't connect to the database 
properly.


There is also a separated domain server (Windows 2003 Server) which 
contains some folders used by the web server (these separated folders 
are defined in the Alias/Directory section in the httpd.conf file).


Unfortunately we are experiencing some huge problems concerning memory 
usage by the Apache child process: after 8 hours since the Apache 
service has started, the child process has already allocated about 300 
Mb from the server memory, being necessary a restart for this process 
otherwise the service fails.


The solution I've found so far is to schedule restarts for the Apache 
service every 8 hours, but I'd like to know if there is a proper 
solution for this behaviour.



TIA,
Marcos R. Cardoso
Brazil






[EMAIL PROTECTED] Re: Regarding htpasswd

2005-09-13 Thread Michael Wallner
Hi [EMAIL PROTECTED], you wrote:


> 1. I have encrypted file  created by using this command
> 
> htpasswd -c -m -b filename username password
> 
> The output was stored in file.
> 
> admin:$apr1$g3X.i/..$NZYMsYERfm1obRrWUy9aq.

> can I know How to   validate in perl or  c?.

There should be something like Crypt::APR in CPAN,
and there's PEAR::File_Passwd for PHP.

Regards,
Michael
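
The question asked how to validate an `$apr1$` entry written by `htpasswd -m`. The check is written out below in Python as an added example, not code from this thread or from the Apache project: it re-derives the APR MD5 hash from the stored salt and compares the result with the stored entry. The user name, password and salt in the sample entry are constructed; the password behind the line quoted in the question is not on the page, so that line is only parsed.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$apr1$"


def _to64(value, length):
    """Encode `value` as `length` characters, 6 bits each, low bits first."""
    out = []
    for _ in range(length):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_crypt(password, salt):
    """Compute the $apr1$ (APR MD5-crypt) hash string for password and salt."""
    pw = password.encode("utf-8")
    s = salt.encode("ascii")[:8]          # at most 8 salt characters are used

    alt = hashlib.md5(pw + s + pw).digest()
    ctx = hashlib.md5(pw + MAGIC + s)
    n = len(pw)
    while n > 0:                          # mix in the alternate digest
        ctx.update(alt[:min(16, n)])
        n -= 16
    n = len(pw)
    while n:                              # one byte per bit of the length
        ctx.update(b"\x00" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()

    for i in range(1000):                 # fixed stretching rounds
        r = hashlib.md5()
        r.update(pw if i & 1 else final)
        if i % 3:
            r.update(s)
        if i % 7:
            r.update(pw)
        r.update(final if i & 1 else pw)
        final = r.digest()

    order = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    digest = "".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
        for a, b, c in order
    )
    digest += _to64(final[11], 2)
    return "$apr1$%s$%s" % (s.decode("ascii"), digest)


def parse_htpasswd_line(line):
    """Split 'user:$apr1$salt$digest' into (user, salt, stored_hash)."""
    user, sep, stored = line.strip().partition(":")
    if not sep:
        raise ValueError("not a user:hash line")
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "" or parts[1] != "apr1":
        raise ValueError("not an $apr1$ entry")
    return user, parts[2], stored


def verify(line, user, password):
    """True if `password` matches the $apr1$ entry for `user` in `line`."""
    try:
        entry_user, salt, stored = parse_htpasswd_line(line)
    except ValueError:
        return False
    candidate = apr1_crypt(password, salt)
    # Constant-time comparison of the full hash strings.
    same = hmac.compare_digest(candidate.encode("utf-8"), stored.encode("utf-8"))
    return same and entry_user == user


# Line quoted in the question; parsed only, its password is not known here.
PAGE_LINE = "admin:$apr1$g3X.i/..$NZYMsYERfm1obRrWUy9aq."

if __name__ == "__main__":
    print(parse_htpasswd_line(PAGE_LINE)[:2])
    # Constructed entry: user, password and salt are made up for the demo.
    entry = "demo:" + apr1_crypt("correct horse", "Zx3.kQ1/")
    print(entry)
    print(verify(entry, "demo", "correct horse"), verify(entry, "demo", "wrong"))
```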





Re: [EMAIL PROTECTED] Different security based on network interface

2005-09-13 Thread Jean-Christophe Montigny

Hello,

Administrator wrote:

> This may be a stupid answer, but isn't it easily possible to set up the
> interfaces (or firewall, or both) so they reject source IP addresses in the
> wrong I/F?  Or am I missing the point?


Just drop packets coming in the external interface that claim to have an 
IP of your internal network.


I mean, if your local network has ips in the 192.168.1.0 range, and eth0 
is your external interface, eth1 your internal interface, then an 
incoming connexion coming on the external interface (eth0) with an ip in 
the 192.168.1.0 range is clearly spoofed. Just drop them. But that's 
REALLY a standard security feature to set up a firewall like that. Then 
you can distinguish people with their IPs in apache's configuration. But 
if there's a security breach, it'll be your firewall's fault, not apache's.


--
Jean-Christophe Montigny
Responsable Commission Web, Association Planètes
Responsable serveurs assoces.com, Association Planètes
Etudiant de deuxième année à Grenoble Ecole de Management
Majeure Conseil en Organisation des Systèmes d'Information

[EMAIL PROTECTED] SetEnvIf[NoCase] and url get attributes

2005-09-13 Thread sven buerger
Hi,

I've tried many things to get a setenvif working with GET-parameters in
a url. The problem: I can only use the url till the ? marker. I will
explain by example


http://locahost/index.php?test=1

I want to check the existence of test. I tried

setenvifnocase Request_URI test test=1

but this doesn't work. I've tried

setenvifnocase query_string test test=1

It also doesn't work, and neither did the many other things I've tried.

setenvifnocase Request_URI index.php test=1

works fine, but is useless for me; I need to get the parameter check
working. Is there any solution? Or can anyone test this, to see if this is only
a problem on my system...

thanks in advance

the system is apache 2.0.54 on win32.

bye





Re: [EMAIL PROTECTED] SetEnvIf[NoCase] and url get attributes

2005-09-13 Thread Joshua Slive
On 9/13/05, sven buerger <[EMAIL PROTECTED]> wrote:
> Hi,
> 
> I've tried many things to get a setenvif working with GET-parameters in
> a url. The problem: I can only use the url till the ? marker. I will
> explain by example
> 
> 
> http://locahost/index.php?test=1
> 
> I want to check the existence of test. I tried
> 
> setenvifnocase Request_URI test test=1
> 
> but this doesn't work. I've tried

As the docs say, Request_URI does not include the query string.  I
believe you'd need to use mod_rewrite for this:

RewriteEngine On
RewriteCond %{QUERY_STRING} ^test=1$
RewriteRule .* - [E=test:1]

Be sure to use the RewriteLog for debugging.

Joshua.




[EMAIL PROTECTED] Re: SetEnvIf[NoCase] and url get attributes

2005-09-13 Thread sven buerger
hi,

13.09.2005 17:55 Joshua Slive wrote:
> As the docs say, Request_URI does not include the query string.  I
> believe you'd need to use mod_rewrite for this:

But then query_string should work?

and for example http://www.tolatsga.org/info.php?test=1 under
environment the request_uri includes the ?test=1 and I didn't find any
document that described anything other.

I don't like the mod_rewrite for this "little" problem.  hope there is
any other solution.

bye





Re: [EMAIL PROTECTED] Re: SetEnvIf[NoCase] and url get attributes

2005-09-13 Thread Joshua Slive
On 9/13/05, sven buerger <[EMAIL PROTECTED]> wrote:
> hi,
> 
> 13.09.2005 17:55 Joshua Slive wrote:
> > As the docs say, Request_URI does not include the query string.  I
> > believe you'd need to use mod_rewrite for this:
> 
> But then query_string should work?
> 
> and for example http://www.tolatsga.org/info.php?test=1 under
> environment the request_uri includes the ?test=1 and I didn't find any
> document that described anything other.

No.  See:
http://httpd.apache.org/docs/2.0/mod/mod_setenvif.html#setenvif
and
http://httpd.apache.org/docs/2.0/env.html

SetEnvIf matches only against the specific things listed in the docs. 
One of those things is "environment variables", but you'll note that
QUERY_STRING is not a variable in the apache environment.  It is added
to the environment only when launching CGI and SSI scripts.

Yes, it would be nicer if apache were more consistent about what
variables are available where.  But the environment variables docs do
try to be explicit about it.

Joshua.

> 
> I don't like the mod_rewrite for this "little" problem.  hope there is
> any other solution.
> 
> bye
> 



[EMAIL PROTECTED] Httpd processes are not dying

2005-09-13 Thread Mishra, Pawan
Hi Joshua,

I am not sure you remember the problem I stated last time so I am
listing it here again. You had asked me to run mod_status. I have
attached the output of the mod_status too.

Problem: The httpd processes keep getting accumulated in the memory and
are not dying timely as expected. This happens even when there is no use
of the application for hours. There are times when we see more than 70
such processes even when application has not been used for 6-7 hours.
Since these processes do not die in timely manner, they keep getting
accumulated till the MaxClient limit is reached and at that point I.H.S.
stops responding and thus site becomes down. We then need to restart the
I.H.S. server. We have been experiencing this problem since we migrated
to WAS 5.0.2 / I.H.S. 1.3.26.2 combination.

Following are some of the parameters in the httpd.conf file that you
would like to know -

Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15
MinSpareServers 1
MaxSpareServers 5
StartServers 1
MaxClients 300
MaxRequestsPerChild 0

== output of the mod_status ==

Current Time: Tuesday, 13-Sep-2005 11:26:04 EDT
Restart Time: Sunday, 11-Sep-2005 02:24:38 EDT
Parent Server Generation: 0 
Server uptime: 2 days 9 hours 1 minute 26 seconds
1 requests currently being processed, 57 idle servers 
___W__..















Scoreboard Key: 
"_" Waiting for Connection, "S" Starting up, "R" Reading Request,
"W" Sending Reply, "K" Keepalive (read), "D" DNS Lookup,
"L" Logging, "G" Gracefully finishing, "." Open slot with no current
process




Re: [EMAIL PROTECTED] Httpd processes are not dying

2005-09-13 Thread Joshua Slive
On 9/13/05, Mishra, Pawan <[EMAIL PROTECTED]> wrote:
> Hi Joshua,
> 
> I am not sure you remember the problem I stated last time so I am
> listing it here again. You had asked me to run mod_status. I have
> attached the output of the mod_status too.
> 
> Problem: The httpd processes keep getting accumulated in the memory and
> are not dying timely as expected. This happens even when there is no use
> of the application for hours. There are times when we see more than 70
> such processes even when application has not been used for 6-7 hours.
> Since these processes do not die in timely manner, they keep getting
> accumulated till the MaxClient limit is reached and at that point I.H.S.
> stops responding and thus site becomes down. We then need to restart the
> I.H.S. server. We have been experiencing this problem since we migrated
> to WAS 5.0.2 / I.H.S. 1.3.26.2 combination.

Well, the server-status looks completely normal except that
MaxSpareServers is not being honored.  So the first thing I'd do is
triple-check that you are editing the correct config-file, and that
MaxSpareServers occurs only once in that config.

Other than that, I'd really suggest reporting this to IBM, since it
appears you are using an IBM-modified version of the server.

Joshua.




RE: [EMAIL PROTECTED] Httpd processes are not dying

2005-09-13 Thread PINNI, BALANAND (SBCSI)
 
Just an FYI IBM does not recommend this combination:
to WAS 5.0.2 / I.H.S. 1.3.26.2 combination.
For WAS 5.0 YOU NEED TO install IHS 2.0.42.X

Thanks

Balanand Pinni
23-H-4
SBC Services Inc
OBC ,Stl MO
*   314-206-5911
* [EMAIL PROTECTED]




-Original Message-
From: Joshua Slive [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, September 13, 2005 12:22 PM
To: users@httpd.apache.org
Subject: Re: [EMAIL PROTECTED] Httpd processes are not dying

On 9/13/05, Mishra, Pawan <[EMAIL PROTECTED]> wrote:
> Hi Joshua,
> 
> I am not sure you remember the problem I stated last time so I am
> listing it here again. You had asked me to run mod_status. I have
> attached the output of the mod_status too.
> 
> Problem: The httpd processes keep getting accumulated in the memory
and
> are not dying timely as expected. This happens even when there is no
use
> of the application for hours. There are times when we see more than 70
> such processes even when application has not been used for 6-7 hours.
> Since these processes do not die in timely manner, they keep getting
> accumulated till the MaxClient limit is reached and at that point
I.H.S.
> stops responding and thus site becomes down. We then need to restart
the
> I.H.S. server. We have been experiencing this problem since we
migrated
> to WAS 5.0.2 / I.H.S. 1.3.26.2 combination.

Well, the server-status looks completely normal except that
MaxSpareServers is not being honored.  So the first thing I'd do is
triple-check that you are editing the correct config-file, and that
MaxSpareServers occurs only once in that config.

Other than that, I'd really suggest reporting this to IBM, since it
appears you are using an IBM-modified version of the server.

Joshua.




RE: [EMAIL PROTECTED] Httpd processes are not dying

2005-09-13 Thread Mishra, Pawan
Thanks. I have checked to see that there is no duplicate entry for
MaxSpareServers.

-Original Message-
From: Joshua Slive [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, September 13, 2005 10:52 PM
To: users@httpd.apache.org
Subject: Re: [EMAIL PROTECTED] Httpd processes are not dying


On 9/13/05, Mishra, Pawan <[EMAIL PROTECTED]> wrote:
> Hi Joshua,
> 
> I am not sure you remember the problem I stated last time so I am
> listing it here again. You had asked me to run mod_status. I have
> attached the output of the mod_status too.
> 
> Problem: The httpd processes keep getting accumulated in the memory
and
> are not dying timely as expected. This happens even when there is no
use
> of the application for hours. There are times when we see more than 70
> such processes even when application has not been used for 6-7 hours.
> Since these processes do not die in timely manner, they keep getting
> accumulated till the MaxClient limit is reached and at that point
I.H.S.
> stops responding and thus site becomes down. We then need to restart
the
> I.H.S. server. We have been experiencing this problem since we
migrated
> to WAS 5.0.2 / I.H.S. 1.3.26.2 combination.

Well, the server-status looks completely normal except that
MaxSpareServers is not being honored.  So the first thing I'd do is
triple-check that you are editing the correct config-file, and that
MaxSpareServers occurs only once in that config.

Other than that, I'd really suggest reporting this to IBM, since it
appears you are using an IBM-modified version of the server.

Joshua.




RE: [EMAIL PROTECTED] Backup Apache web servers

2005-09-13 Thread Herb Stein


-Original Message-
From: Jojo Solis [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 13, 2005 2:57 AM
To: users@httpd.apache.org
Subject: [EMAIL PROTECTED] Backup Apache web servers


Hi everyone,

i wanted to backup web files, and configuration files from my apache server,
mysql server and mailmain server. is there any other scripts to automate
this process. I wanted to tar the whole directory especially the web files,
zip it and upload to the windows FTP server.

Please help!.


Thanks!


JOJO

Please don't send html messages.

I wrote custom scripts to SPECIFICALLY back up what was important to me. If
you want a copy to modify, let me know.
--
Herb Stein
[EMAIL PROTECTED]
314 952-4601



[EMAIL PROTECTED] mod_logio Performance hits?

2005-09-13 Thread Dan

Hi Folks,

We've encountered a bit of a problem with Apache2.

Apparently to improve performance, when apache2 logs the response size  
in the access log, it logs the 'expected' file size, not the amount  
of data sent out on the wire. It seems to get this information from  
the filesize of the file being served. Here's where it becomes a  
problem:


* If someone downloads only say 100MB of a 650MB ISO image, apache  
logs the 650MB figure.


* If someone uses a download manager to download a file in chunks,  
apache logs the overall size of the file, not the size of each chunk  
sent.


As you can imagine, this causes havoc with traffic/log analysers.  
They're saying our outbound data is far far greater than we're  
physically capable of pushing.


Now, someone mentioned to me that mod_logio can come closer to  
logging the actual data sent on the wire (albeit with the headers  
included). My query is, what sort of performance hit have people  
encountered when using this module, especially in a large-scale high- 
output environment (we're talking 1000 concurrent connections, many  
of them downloading large - 200MB+ - files).


Would the performance hit be enough to consider back-tracking to  
Apache1.3 (which correctly logs the bytes sent, rather than the  
'expected' bytes to be sent) instead of Apache2?


Cheers,
Dan




Re: [EMAIL PROTECTED] Different security based on network interface

2005-09-13 Thread Sean Conner

> AragonX wrote:
> 
> > I'm afraid someone will spoof the IP addresses of the internal network
> > to bypass this security measure.

  I don't see how that's possible.  Given the following:

M   - malicious hacker at address M
W   - webserver
I   - internal network machine

  M will send the following packet:

M   ->  SRC I:1234 DST W:80 SYN (ie. establish a connection)

  Assuming the packet makes it through, W will then respond:

W   ->  SRC W:80 DST: I:1234 SYN ACK

  But this will go to I, NOT back to M.  I will get this packet and will
drop it since no connection is actually being made.  Even if M can guess the
TCP sequence numbers to "fake" a connection, it's still a one-way connection
where M can send packets to W, but W cannot send packets back to M (since W
thinks they're coming from I and sends its responses back to I).

  -spc 







Re: [EMAIL PROTECTED] Different security based on network interface

2005-09-13 Thread Scott Gifford
"AragonX" <[EMAIL PROTECTED]> writes:

[...]

> I know that mod_access and I think mod_security will allow me to do this
> but they do it based on IP address.  I'm afraid someone will spoof the IP
> addresses of the internal network to bypass this security measure.

The easiest way to do this is with a firewall.  Set up a firewall on
your external interface that blocks all packets claiming to be from
your internal interface.  Your OS should have a tool to do this
(iptables on modern Linux).  It's also smart to do this at your
perimeter router; since lots of random things use IP addresses as
access control it's wise to stop anything fishy before it gets into
your building.

Scott.
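
The filtering rule described in these replies, modelled as an added example (not code from the thread): a packet is accepted only if the route back to its source leaves through the interface it arrived on, which generalises "drop internal source addresses seen on the external interface". The interface names and the 192.168.1.0 network come from the thread; the /24 prefix length, the default route via eth0 and the sample packets are assumptions.

```python
import ipaddress

INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")   # /24 is assumed

# Constructed routing table: eth1 faces the internal LAN, eth0 is the
# external interface and carries the default route (assumption).
ROUTES = [
    (INTERNAL_NET, "eth1"),
    (ipaddress.ip_network("0.0.0.0/0"), "eth0"),
]

# Constructed packets as (claimed source address, arrival interface).
PACKETS = [
    ("192.168.1.20", "eth1"),   # genuine internal client
    ("203.0.113.50", "eth0"),   # ordinary external client
    ("192.168.1.20", "eth0"),   # internal source claimed on the external side
    ("203.0.113.50", "eth1"),   # external source appearing on the LAN side
]


def route_lookup(address, routes=ROUTES):
    """Longest-prefix match: interface that replies to `address` would use."""
    addr = ipaddress.ip_address(address)
    best = None
    for net, ifname in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None


def strict_rpf_accepts(src, in_iface, routes=ROUTES):
    """Accept only if the reverse path to `src` uses the arrival interface."""
    return route_lookup(src, routes) == in_iface


def access_decision(src, in_iface, anti_spoof=True, routes=ROUTES):
    """What the web server ends up doing with a request from `src`.

    This judges the claimed source address only. As noted elsewhere in the
    thread, the server's TCP replies still go to the real owner of that
    address, so filtering is one layer of the defence, not the only one.
    """
    if anti_spoof and not strict_rpf_accepts(src, in_iface, routes):
        return "dropped"                 # never reaches the web server
    if ipaddress.ip_address(src) in INTERNAL_NET:
        return "no-password"             # treated as an internal user
    return "password-required"           # treated as an external user


def compare(packets=PACKETS):
    """Decision for each packet with and without the anti-spoofing filter."""
    return [
        (src, iface,
         access_decision(src, iface, anti_spoof=True),
         access_decision(src, iface, anti_spoof=False))
        for src, iface in packets
    ]


if __name__ == "__main__":
    for src, iface, filtered, unfiltered in compare():
        print(f"{src:15} on {iface}: filtered={filtered:17} unfiltered={unfiltered}")
```

The third sample packet is the case the original poster worried about: without the filter the address-based rule treats it as internal, with the filter it is dropped before the web server sees it.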




[EMAIL PROTECTED] 2 questions with apache2 operation

2005-09-13 Thread Dr. Scott S. Jones
I am not sure where my system is corrupted, but it is problematic indeed. 

Here's the problem, and then a symptom:

1) I run Mailman 2.5 on my apache 2 installation, system running Debian 3.1.
I can open my mailman database if I enter it like this: 

http://fyrenice.com/cgi-bin/mailman/admin/listname

However, if I leave out the '/cgi-bin' portion of the URL, the site fails to
load. As well, even though I can get one page to load, if I then go to the
page, and make any changes, if I attempt to update the page with the
changes, I get a 404 error, and the URL reverts back to the following: 

http://fyrenice.com/mailman/admin/listname   

... with the cgi-bin reference removed. 

Obviously, this prevents the site from working as it should. To top it off,
when I open mailman, instead of some mailman inspired URL icon, I see the
icon for Sql-ledger, any time I am running Mailman. I have sql-ledger
installed as well but have never opened or used it yet. 

2) When I run apt-get update and then apt-get upgrade I get the following
errors: 

0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
2 not fully installed or removed.
Need to get 0B of archives.
After unpacking 0B of additional disk space will be used.
Do you want to continue? [Y/n] 
Setting up libapache-mod-perl (1.29.0.3-6sarge1) ...
Error: libdav.so does not have a corresponding .info file.
Error: libphp4.so does not have a corresponding .info file.
Error: mod_ssl.so does not have a corresponding .info file.
The above errors might cause apache to not work properly or start
Please refer to the documentation on how to fix it or report it to
Debian Apache Mailing List  if in
doubt
on how to proceed
dpkg: error processing libapache-mod-perl (--configure):
 subprocess post-installation script returned error exit status 128
 dpkg: dependency problems prevent configuration of apache-perl:
  apache-perl depends on libapache-mod-perl (>= 1.29.0.2-9); however:
Package libapache-mod-perl is not configured yet.
 apache-perl depends on libapache-mod-perl (<< 1.30); however:
   Package libapache-mod-perl is not configured yet.
   dpkg: error processing apache-perl (--configure):
dependency problems - leaving unconfigured
Errors were encountered while processing:
 libapache-mod-perl
  apache-perl
  E: Sub-process /usr/bin/dpkg returned an error code (1)


I have tried to update and then upgrade and nothing seems to fix these
errors. 

Thanks for any help!

Scott




Re: [EMAIL PROTECTED] mod_logio Performance hits?

2005-09-13 Thread Joshua Slive
On 9/13/05, Dan <[EMAIL PROTECTED]> wrote:
> Hi Folks,
> 
> We've encountered a bit of a problem with Apache2.
> 
> Apparently to improve performance, when apache2 logs the response size
> in the access log, it logs the 'expected' file size, not the amount
> of data sent out on the wire. It seems to get this information from
> the filesize of the file being served. Here's where it becomes a
> problem:
> 
> * If someone downloads only say 100MB of a 650MB ISO image, apache
> logs the 650MB figure.
> 
> * If someone uses a download manager to download a file in chunks,
> apache logs the overall size of the file, not the size of each chunk
> sent.
> 
> As you can imagine, this causes havoc with traffic/log analysers.
> They're saying our outbound data is far far greater than we're
> physically capable of pushing.
> 
> Now, someone mentioned to me that mod_logio can come closer to
> logging the actual data sent on the wire (albeit with the headers
> included). My query is, what sort of performance hit have people
> encountered when using this module, especially in a large-scale high-
> output environment (we're talking 1000 concurrent connections, many
> of them downloading large - 200MB+ - files).
> 
> Would the performance hit be enough to consider back-tracking to
> Apache1.3 (which correctly logs the bytes sent, rather than the
> 'expected' bytes to be sent) instead of Apache2?

I don't run mod_logio on a busy server, but if you take a look at the
source code:
http://svn.apache.org/viewcvs.cgi/httpd/httpd/branches/2.0.x/modules/loggers/mod_logio.c?rev=151405&view=markup
you'll see that it doesn't do anything complicated.  I would guess
that the performance effect would be too small to measure, except
perhaps in some edge cases.

And the performance benefits you get from sendfile/threading/etc in
2.0 will surely dwarf any cost of mod_logio.

Joshua.




Re: [EMAIL PROTECTED] Both IP based and name based virtual host on same server.

2005-09-13 Thread Arun G Nair
Hi all,
   At last I got it working. So name based virtual hosting *is* possible with mod_ssl. 

--httpd.conf-
<IfModule mod_ssl.c>
  Listen 443
  Listen 80
  AddType application/x-x509-ca-cert .crt
  AddType application/x-pkcs7-crl .crl
</IfModule>

<IfModule mod_ssl.c>
  SSLCACertificateFile /etc/apache/ssl.crt/ca-bundle.crt
  SSLPassPhraseDialog builtin
  SSLSessionCache dbm:/var/run/ssl_scache
  SSLSessionCacheTimeout 300
  SSLMutex file:/var/run/ssl_mutex
  SSLRandomSeed startup builtin
  SSLRandomSeed connect builtin
</IfModule>

NameVirtualHost 172.16.2.0:80
<VirtualHost 172.16.2.0:80>
  ServerName abcn.com
  DocumentRoot /var/www/abc
</VirtualHost>

# SSL Virtual Hosts
NameVirtualHost 172.16.2.0:443
<VirtualHost 172.16.2.0:443>
  DocumentRoot /var/www/abc
  ServerName secure.abcn.com
  SSLEngine on
  SSLCertificateFile /etc/apache/ssl.crt/server.crt
  SSLCertificateKeyFile /etc/apache/ssl.key/server.pem
  SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
  CustomLog /var/log/ssl_request_log \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
--httpd.conf-

Let me know if this can be trimmed down some more. Thanks everyone, especially Davide.

Regards, 
Arun



Re: [EMAIL PROTECTED] Different security based on network interface

2005-09-13 Thread Krist van Besien
On 9/14/05, Scott Gifford <[EMAIL PROTECTED]> wrote:
> "AragonX" <[EMAIL PROTECTED]> writes:
> 
> [...]
> 
> > I know that mod_access and I think mod_security will allow me to do this
> > but they do it based on IP address.  I'm afraid someone will spoof the IP
> > addresses of the internal network to bypass this security measure.
> 
> The easiest way to do this is with a firewall.  Set up a firewall on
> your external interface that blocks all packets claiming to be from
> your internal interface.  Your OS should have a tool to do this
> (iptables on modern Linux).  It's also smart to do this at your
> perimeter router; since lots of random things use IP addresses as
> access control it's wise to stop anything fishy before it gets into
> your building.

On Linux you don't need to add firewall rules. Just enable rp_filter.
On kernels > 2.6 you do this as follows:
   echo 1 > /proc/sys/net/ipv4/conf/eth0/rp_filter
for eth0... The kernel will now drop all packets on eth0 that should
never have arrived there in the first place.

Most Linux distros do this out of the box with all their interfaces.

I assume that most other OS-es have similar facilities.

Krist

-- 
[EMAIL PROTECTED]
Solothurn, Switzerland
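
An added example, not part of the original thread: a small audit of the rp_filter setting discussed above, reporting every interface that is not in strict mode. The function names and the CONF_ROOT variable are assumptions of this example; it relies on the documented behaviour of current kernels, where the larger of conf/all/rp_filter and conf/<iface>/rp_filter is the value applied to an interface.

```shell
#!/bin/sh
# Added example: audit reverse-path filtering (rp_filter) per interface.
# CONF_ROOT is an assumption of this example, so the audit can run against a
# constructed directory tree as well as the live /proc tree.
CONF_ROOT="${CONF_ROOT:-/proc/sys/net/ipv4/conf}"

# Print the effective rp_filter mode for one interface. Current kernels apply
# the larger of conf/all/rp_filter and conf/<iface>/rp_filter.
#   0 = no source validation, 1 = strict, 2 = loose
effective_rp_filter() {
    iface="$1"
    all=$(cat "$CONF_ROOT/all/rp_filter" 2>/dev/null || echo 0)
    own=$(cat "$CONF_ROOT/$iface/rp_filter" 2>/dev/null) || return 2
    if [ "$all" -gt "$own" ]; then echo "$all"; else echo "$own"; fi
}

# Report every interface whose effective mode is not strict (1).
# Prints one "<iface> <mode>" line per finding; returns 1 if any were found.
audit_rp_filter() {
    status=0
    for dir in "$CONF_ROOT"/*/; do
        iface=$(basename "$dir")
        # "all" and "default" are templates, not interfaces; loopback is skipped.
        case "$iface" in all|default|lo) continue ;; esac
        mode=$(effective_rp_filter "$iface") || continue
        if [ "$mode" -ne 1 ]; then
            echo "$iface $mode"
            status=1
        fi
    done
    return $status
}
```

Source the file and call audit_rp_filter; an empty result with exit status 0 means every interface validates source addresses in strict mode.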
