Re: [us...@httpd] (internal app) --http-->apache---https--->(external app)
On Sun, Aug 23, 2009 at 8:30 PM, pe uni wrote:
> Hi Eric, below is the excerpt from the apache log
> --
> [Sun Aug 23 12:24:39 2009] [debug] mod_proxy_http.c(56): proxy: HTTP: canonicalising URL //www.techmed.com/VENDOR/vendor.asmx
> [Sun Aug 23 12:24:39 2009] [debug] proxy_util.c(1507): [client interapp_ipaddr] proxy: *: found reverse proxy worker for https://www.techmed.com/VENDOR/vendor.asmx
> [Sun Aug 23 12:24:39 2009] [debug] mod_proxy.c(966): Running scheme https handler (attempt 0)
> [Sun Aug 23 12:24:39 2009] [debug] mod_proxy_http.c(1960): proxy: HTTP: serving URL https://www.techmed.com/VENDOR/vendor.asmx
> [Sun Aug 23 12:24:39 2009] [debug] proxy_util.c(2044): proxy: HTTPS: has acquired connection for (*)
> [Sun Aug 23 12:24:39 2009] [debug] proxy_util.c(2102): proxy: connecting https://www.techmed.com/VENDOR/vendor.asmx to www.techmed.com:443
> [Sun Aug 23 12:24:39 2009] [debug] proxy_util.c(2195): proxy: connected /VENDOR/vendor.asmx to www.techmed.com:443
> [Sun Aug 23 12:24:39 2009] [debug] proxy_util.c(2347): proxy: HTTPS: fam 2 socket created to connect to *
> [Sun Aug 23 12:24:39 2009] [error] [client 73.155.40.73] SSL Proxy requested for my_proxyserver:80 but not enabled [Hint: SSLProxyEngine]
> [Sun Aug 23 12:24:39 2009] [error] proxy: HTTPS: failed to enable ssl support for 73.155.40.73:443 (www.techmed.com)
> [Sun Aug 23 12:24:39 2009] [debug] proxy_util.c(2062): proxy: HTTPS: has released connection for (*)
> --

When proxying http to https you need to configure apache as an ssl _client_. Apache will not function as an SSL client out of the box. This question comes up regularly, and this is what I answered last time it came up:

You need to add the following to your config.

# turn on SSL proxying.
SSLProxyEngine On

# to tell Apache where to find CA certificates to check remote server certificates with:
# (You can choose yourself where you put these certificates)
SSLProxyCACertificatePath /path/to/ca/certificates

Then in this path you need to put the CA certificate(s) used to sign the certificate(s) used by the server(s) you communicate with. If you want to talk to a server that uses a "self signed" certificate you will need to put it in this dir too.

Once you've done that you need to run "c_rehash" in that directory. c_rehash is part of a standard openssl distribution. c_rehash creates hashed aliases in this dir. Apache needs these.

In order to test if everything is there you can do the following:

openssl s_client -CApath /path/to/ca/certificates -connect remoteserver:8443

If the connection succeeds just try to do a GET /abc/ and see if you get something. If this test is successful apache should work too.

You can now add the RewriteRule or Proxy statements to forward the connections to your https server.

Krist

--
krist.vanbes...@gmail.com
kr...@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?

-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
   "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
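Added example (not part of the message above and not Apache project code): the script shows why the hashed aliases matter for a CA directory such as the one given to SSLProxyCACertificatePath. It builds a constructed throwaway CA and server certificate, then verifies the server certificate against the directory before and after creating the <hash>.0 alias that c_rehash would create. The function names, file names and CN values are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original thread. Every certificate here is
# constructed throwaway test data written to a temporary directory.

# Create a test CA in $1/ca/ca.pem and a server cert $1/srv.pem signed by it.
make_fixture() {
    mkdir -p "$1/ca" || return 1
    cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    # Self-signed CA certificate (placed in the CA directory, no alias yet).
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 2 \
        -config "$1/req.cnf" -keyout "$1/ca.key" -out "$1/ca/ca.pem" \
        >/dev/null 2>&1 || return 1
    # Key and CSR for the hypothetical remote server.
    openssl req -new -newkey rsa:2048 -nodes -config "$1/req.cnf" \
        -subj "/CN=remoteserver.example" \
        -keyout "$1/srv.key" -out "$1/srv.csr" >/dev/null 2>&1 || return 1
    # Server certificate signed by the test CA.
    openssl x509 -req -in "$1/srv.csr" -days 2 -set_serial 2 \
        -CA "$1/ca/ca.pem" -CAkey "$1/ca.key" \
        -out "$1/srv.pem" >/dev/null 2>&1
}

# What c_rehash does for a single certificate: create an alias named
# <subject-hash>.0 next to it. $1 = CA directory, $2 = file name inside it.
add_hash_alias() {
    cert_hash=$(openssl x509 -noout -hash -in "$1/$2") || return 1
    ln -sf "$2" "$1/$cert_hash.0"
}

# Succeeds only if $2 chains to a CA that OpenSSL can find in directory $1.
# The directory lookup is by hash name, so an un-aliased ca.pem is invisible.
check_chain() {
    openssl verify -CApath "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Verify before and after creating the alias; echoes e.g. "fail ok".
capath_demo() {
    work=$(mktemp -d) || return 1
    make_fixture "$work" || { rm -rf "$work"; return 1; }
    if check_chain "$work/ca" "$work/srv.pem"; then before=ok; else before=fail; fi
    add_hash_alias "$work/ca" ca.pem
    if check_chain "$work/ca" "$work/srv.pem"; then after=ok; else after=fail; fi
    rm -rf "$work"
    echo "$before $after"
}

capath_demo
```

The first result is the state of a CA directory where the certificate was copied in but c_rehash was never run; the second is the state after the alias exists.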
Re: [us...@httpd] Proposal to Optionally Block DNS
On Sun, 2009-08-23 at 00:31 +, Mike -- EMAIL IGNORED wrote:
> I propose this upgrade to Apache:
>
>    Options +NoDNS
>
> Prevents Apache from initiating DNS activity for
> any reason.
>
> I am now running my server with all DNS blocked
> by iptables. Performance is thereby substantially
> improved. Fortunately, I usually don't need DNS
> for anything else on that box.
>
> Mike.

I think your mailer dropped your patch, can you resend?

Cheers

Tom
[us...@httpd] AddOutputFilterByType vs. SSI/php-cgi
linux, apache 2.2.10

Hello,

my situation is as follows. I have activated mod_deflate by:

LoadModule deflate_module /usr/lib/apache/mod_deflate.so
AddOutputFilterByType DEFLATE text/html text/plain text/xml application/x-javascript text/x-js text/javascript

In the test.shtml page (SSI) I do an include of a php file. significant line of shtml is:

test.php just echoes "test test test".

This works if php runs as mod_php. If I switch to php-cgi by the AddHandler directive no page is displayed. In this case browsers have problems decompressing. lynx shows:

HTTP-Verbindung zu example.com wird aufgebaut.
HTTP Request wird geschickt.
HTTP Request geschickt; warten auf Antwort.
HTTP/1.1 200 OK
Übertragung komplett.
/usr/bin/gzip -d --no-name /tmp/yy8RKi/L19458-597TMP.html.gz
Obacht: Temporäre Datei konnte nicht dekomprimiert werden!

The last line means that the temp file could not be decompressed. I have no idea why.

I tried with RemoveOutputFilter shtml after the AddOutputFilterByType but it was not working.

How to avoid this without deactivating mod_deflate?

Thanks, Andre
[us...@httpd] File does not exist error in my error log
Hi,

I recently upgraded from apache 1.3.37 to 1.3.41, I didn't change any of the configuration parameters.

When I am using apache 1.3.37, my http logs contain only the 404 request, but there is no equivalent error line in the error_log file, provided LogLevel equals error.

Even with the same LogLevel under apache 1.3.41 we are getting the 404 request in our http log, and along with these we are also getting the error

[Mon Aug 24 05:00:29 2009] [error] [client 85.185.96.194] File does not exist

in our error_logs.

How to suppress only this error 'File does not exist' so that it does not appear in my error log?

If possible provide me the reason why it is getting logged in apache 1.3.41 but not in 1.3.37.

Thanks,
Jai
Re: [us...@httpd] File does not exist error in my error log
Kamaraj, Jayakumar wrote:
> Hi,
> I recently upgraded from apache 1.3.37 to 1.3.41 ,

on which kind of platform ?

> I didn't change any of the configuration parameter.

mmm. Maybe you did not, but maybe the update did ?

> When I am using the apache 1.3.37 ,my http logs

which exact file name is this ?

> contain only 404 request,

please show the exact line from the logfile

> but there is no equivalent error line in error_log file

which exact filename is this ?

> ,provided LogLevel equals error .
> Even with same LogLevel under apache 1.3.41 we are getting 404 request in our http log ,along with these we are also getting the error [Mon Aug 24 05:00:29 2009] [error] [client 85.185.96.194] File does not exist in our error_logs.

please show the exact line, as it appears in the logfile

> How to suppress only this error 'File does not exist ' not appear in my error log ?

You should probably find the reason for the error itself, not just trying to suppress the error message.

> If possible provide me the reason why it is getting logged in apache 1.3.41 but not in 1.3.37 .

Not without the information requested above, and the following :
- which URL is the client trying to access ?
- if this is a file, does that file exist ? please provide the complete path
- where is your Apache configuration file ? (complete path)
- what is the value of "DocumentRoot" in that configuration file ?
RE: [us...@httpd] File does not exist error in my error log
Hi,

For your questions here are my possible answers

Which kind of platform ?
Linux fw01 2.6.18-1.2798.fc6PAE #1 SMP Mon Oct 16 14:54:22 EDT 2006 i686 i686 i386 GNU/Linux

Error line in http access log :
2009-08-24~05:28:22~10.181.4.3~-~test123.com~pw12~10.183.22.42~GET~/2.jpg~~404~0~19910~-~0~Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2~s_cc=true/***truncated**/

Error line in error_log :
[Mon Aug 24 05:28:22 2009] [error] [client 10.180.4.3] File does not exist: /data/*/www/2.jpg

The url tried is http://jkamarajfree.9f.com/2.jpg

That file does not exist on the server either. We expected the 404 error in the http access log but not the equivalent "File does not exist" error in error_log.

The DocumentRoot directive is not defined in the conf file, since it is shared host type.

The conf file is located in /home/free/conf/httpd.conf.

Please let me know if you want any more details.

Thanks,
Jai

-Original Message-
From: André Warnier [mailto:a...@ice-sa.com]
Sent: Monday, August 24, 2009 6:05 PM
To: users@httpd.apache.org
Subject: Re: [us...@httpd] File does not exist error in my error log

Kamaraj, Jayakumar wrote:
> Hi,
>
> I recently upgraded from apache 1.3.37 to 1.3.41 ,

on which kind of platform ?

> I didn't change
> any of the configuration parameter.

mmm. Maybe you did not, but maybe the update did ?

> When I am using the apache 1.3.37 ,my http logs

which exact file name is this ?

> contain only 404
> request,

please show the exact line from the logfile

> but there is no equivalent error line in error_log file

which exact filename is this ?

> ,provided LogLevel equals error .
>
> Even with same LogLevel under apache 1.3.41 we are getting 404
> request in our http log ,along with these we are also getting the
> error [Mon Aug 24 05:00:29 2009] [error] [client 85.185.96.194] File
> does not exist in our error_logs.

please show the exact line, as it appears in the logfile

> How to suppress only this error 'File does not exist ' not appear
> in my error log ?

You should probably find the reason for the error itself, not just trying to suppress the error message.

> If possible provide me the reason why it is getting logged in
> apache 1.3.41 but not in 1.3.37 .

Not without the information requested above, and the following :
- which URL is the client trying to access ?
- if this is a file, does that file exist ? please provide the complete path
- where is your Apache configuration file ? (complete path)
- what is the value of "DocumentRoot" in that configuration file ?
Re: [us...@httpd] File does not exist error in my error log
Kamaraj, Jayakumar wrote:
> Hi,
> For your questions here are my possible answers
> Which kind of platform ?
> Linux fw01 2.6.18-1.2798.fc6PAE #1 SMP Mon Oct 16 14:54:22 EDT 2006 i686 i686 i386 GNU/Linux
> Error line in http access log :
> 2009-08-24~05:28:22~10.181.4.3~-~test123.com~pw12~10.183.22.42~GET~/2.jpg~~404~0~19910~-~0~Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2~s_cc=true/***truncated**/
> Error line in error_log :
> [Mon Aug 24 05:28:22 2009] [error] [client 10.180.4.3] File does not exist: /data/*/www/2.jpg .
> The url tried is http://jkamarajfree.9f.com/2.jpg
> That file is not existing in the server also .We expected the 404 error in http access log but not the equivalent file doesnot exist error in error_log.

Well, basically if the file does not exist, and a client is trying to access it, you will get such an error line in the error log. That is how Apache works, and it is the case in all Apache versions which I know, including 2.x. It is, after all, an error.

Now the question is, why does that client try to access a file that does not exist ? Is it one of your own pages that has a bad link in it ?

> The DocumentRoot directive is not defined in the conf file, since it is shared host type.

That is something I do not really understand. But I guess that the hosting organisation must be doing some heavy URL-rewriting, to accommodate many "virtual" sites.

You could also ask them if they do not know a trick to hide these error messages, if that is what you really want. I personally would advise against it, because you would also not see whenever someone is really trying to scan your site for security weaknesses etc..

Now another purely personal opinion : this kind of "web server sharing" is ok if this is your own personal website, for non-professional use. But if you intend to do any serious professional stuff on this website, then you really want your own full webserver, with full control over the configuration.
Re: [us...@httpd] File does not exist error in my error log
On Mon, 2009-08-24 at 17:28 +0530, Kamaraj, Jayakumar wrote:
> Hi,
>
> I recently upgraded from apache 1.3.37 to 1.3.41 ,I didn't change
> any of the configuration parameter.
> When I am using the apache 1.3.37 ,my http logs contain only 404
> request, but there is no equivalent error line in error_log file
> ,provided LogLevel equals error .
>
> Even with same LogLevel under apache 1.3.41 we are getting 404
> request in our http log ,along with these we are also getting the error
> [Mon Aug 24 05:00:29 2009] [error] [client 85.185.96.194] File does not
> exist in our error_logs.
> How to suppress only this error 'File does not exist ' not appear in
> my error log ?
> If possible provide me the reason why it is getting logged in
> apache 1.3.41 but not in 1.3.37 .
>
> Thanks,
> Jai

This code hasn't changed between 1.3.37 and 1.3.41, so any effect you are seeing is misidentified. Are you sure that you didn't get them with the earlier version, or that you are logging at the exact same log level?

To answer your question, this error is logged at APLOG_ERR (in both versions), so you would see it in 'error' and higher LogLevels. If you want to suppress it, you must log at a lower level if you do not want to see it, eg 'crit', 'alert' or 'emerg'.

See http://httpd.apache.org/docs/1.3/mod/core.html#loglevel for more details.

Cheers

Tom
Re: [us...@httpd] Proposal to Optionally Block DNS
On Mon, Aug 24, 2009 at 4:25 AM, Tom Evans wrote:
> On Sun, 2009-08-23 at 00:31 +, Mike -- EMAIL IGNORED wrote:
>> I propose this upgrade to Apache:
>>
>>    Options +NoDNS
>
> I think your mailer dropped your patch, can you resend?

golf-clapping this one.

--
Eric Covener
cove...@gmail.com
[us...@httpd] Re: Proposal to Optionally Block DNS
On Mon, 24 Aug 2009 11:32:17 -0400, Eric Covener wrote:

> On Mon, Aug 24, 2009 at 4:25 AM, Tom Evans wrote:
>> On Sun, 2009-08-23 at 00:31 +, Mike -- EMAIL IGNORED wrote:
>>> I propose this upgrade to Apache:
>>>
>>>    Options +NoDNS
>>
>> I think your mailer dropped your patch, can you resend?
>
> golf-clapping this one.

So far, this is the only response I have received even though the indents indicate that there was another. It could be one of my banned authors.

In any case:

I do not know what "patch" is meant.

I am not familiar with the term "golf-clap", so I looked it up. I found two meanings: one would indicate support, and the other would indicate disdain.

Nothing like lucid communication.

Mike.
[us...@httpd] Apache 2.2.9 known vulnerabilities?
Hello,

I am still a user of apache 2.2.9 and wish to know what vulnerabilities this version is exposed to aside from: CVE-2008-2939

Is there any site, where I can get an accurate listing? CVE site seems confusing and I just wonder if there is something more practical.

Thank you.

Daniel
Re: [us...@httpd] Re: Proposal to Optionally Block DNS
On Mon, Aug 24, 2009 at 9:36 AM, Mike -- EMAIL IGNORED wrote:
> On Mon, 24 Aug 2009 11:32:17 -0400, Eric Covener wrote:
>
>> On Mon, Aug 24, 2009 at 4:25 AM, Tom Evans wrote:
>>> On Sun, 2009-08-23 at 00:31 +, Mike -- EMAIL IGNORED wrote:
>>>> I propose this upgrade to Apache:
>>>>
>>>>    Options +NoDNS
>>>
>>> I think your mailer dropped your patch, can you resend?
>>
>> golf-clapping this one.
>
> So far, this is the only response I have received even though
> the indents indicate that there was another. It could be one
> of my banned authors.

If you read the email, it should be clear Eric was replying to Tom who replied to you. I don't know your list of banned authors.

> In any case:
>
> I do not know what "patch" is meant.

I found this via Google: http://en.wikipedia.org/wiki/Patch_(computing)

> I am not familiar with the term "golf-clap", so I
> looked it up. I found two meanings: one would
> indicate support, and the other would indicate
> disdain.
>
> Nothing like lucid communication.

I believe Eric was agreeing with Tom's sentiment. Ie: If you think this is worthwhile, please feel free to submit a patch adding this feature.

--
Aaron Turner
http://synfin.net/
http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix & Windows
Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. -- Benjamin Franklin
[us...@httpd] Re: Proposal to Optionally Block DNS
On Mon, 24 Aug 2009 10:57:45 -0700, Aaron Turner wrote:
[...]
> I believe Eric was agreeing with Tom's sentiment. Ie: If you think
> this is worthwhile, please feel free to submit a patch adding this
> feature.

Since I have not looked at Apache source code, for me this would be at least several hours work, if not several days. For someone into the source code, I expect it to take a few minutes, to an hour or two, depending on structure. I would hope that such a person might submit a patch.

Mike.
Re: [us...@httpd] (internal app) --http-->apache---https--->(external app)
Hi Eric,

I tried the hint - SSLProxyEngine On. The https connection works with websites/applications that don't require a certificate. For websites/applications that require a certificate, it fails.

Please verify if the below config makes sense? I included the following SSL directives in the virtualhost port.

---
SSLProxyEngine On
SSLEngine On
SSLCertificateFile /etc/httpd/ssl/servercerts/server.CRT
SSLCertificateKeyFile /etc/httpd/ssl/servercerts/server.KEY
SSLProxyMachineCertificateFile /etc/httpd/ssl/clientcerts/client-cert.p12
--

--
[Mon Aug 24 10:31:11 2009] [debug] ssl_engine_kernel.c(1765): OpenSSL: Read: SSLv3 read finished A
[Mon Aug 24 10:31:11 2009] [debug] ssl_engine_kernel.c(1784): OpenSSL: Exit: failed in SSLv3 read finished A
[Mon Aug 24 10:31:11 2009] [info] [client ip_addr1] SSL library error 1 reading data
[Mon Aug 24 10:31:11 2009] [info] SSL Library Error: 336151568 error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
[Mon Aug 24 10:31:11 2009] [info] SSL Library Error: 336150757 error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
[Mon Aug 24 10:31:11 2009] [error] [client ip_addr2] (20014)Internal error: proxy: error reading status line from remote server webapplication_server
[Mon Aug 24 10:31:11 2009] [debug] mod_proxy_http.c(1466): [client 199.130.193.102] proxy: NOT Closing connection to client although reading from backend server webapplication_server failed.
-

--- On Sun, 8/23/09, Eric Covener wrote:
> From: Eric Covener
> Subject: Re: [us...@httpd] (internal app) --http-->apache---https--->(external app)
> To: users@httpd.apache.org
> Date: Sunday, August 23, 2009, 9:17 PM
> > [Sun Aug 23 12:24:39 2009] [error] [client 73.155.40.73] SSL Proxy requested for my_proxyserver:80 but not enabled [Hint: SSLProxyEngine]
>
> Tried the hint?
>
> --
> Eric Covener
> cove...@gmail.com
[us...@httpd] memory growth of httpd
Centos 5
Apache version 2.2.3

When I first started up the server each httpd thread was about 50 MB. Now when I restart apache it comes in at about 80mb. I have not changed anything that I know of.

Is there a way to see what is using memory in httpd?

thanks
Re: [us...@httpd] Re: Proposal to Optionally Block DNS
Mike -- EMAIL IGNORED wrote:
> On Mon, 24 Aug 2009 10:57:45 -0700, Aaron Turner wrote:
> [...]
>> I believe Eric was agreeing with Tom's sentiment. Ie: If you think
>> this is worthwhile, please feel free to submit a patch adding this
>> feature.
>
> Since I have not looked at Apache source code, for me this
> would be at least several hours work, if not several days.
> For someone into the source code, I expect it to take a few
> minutes, to an hour or two, depending on structure. I would
> hope that such a person might submit a patch.

Some elements maybe to enlighten you, from someone who is, like you, a grateful (?) user of Apache httpd, and not a contributor of code.

As you probably know, Apache httpd is an open source project, and also free software. Basically it means that it is being written by people who are not being paid for the time they spend writing it. Considering that Apache httpd is being used successfully on literally hundreds of thousands of websites worldwide, one would also have to admit that these people are competent and know what they are doing.

It also means that you get the result, a piece of software that manages hundreds of thousands of websites worldwide and has cost thousands of man-hours of work, entirely for free.

Apache httpd is being improved somewhat over time by people who submit suggestions, but mainly by people who follow-up these suggestions by contributing what is known as a "patch" (a code modification) implementing their suggestion.

Such a suggestion, when accompanied by a patch, tends to be taken more seriously by the Apache httpd code contributors, than a mere (relatively gratuitous) suggestion on a user's mailing list. It is taken more seriously, because it shows that the person who made the suggestion, at least looked at the code, understood it to some extent, made some change, tested it, and found it to have some benefit and no obvious nefarious consequences.

If you are really a programmer, you will understand the world of difference between this, and merely making a suggestion on a mailing list, based on one particular situation, unverified and uncorroborated by anyone else.

The way I personally understand your last paragraph above however, it seems to imply that based on the inherent worth of your insight, you somehow expect everyone to be in awe, and someone else to do the rest of the work for you. That is not how open source projects work, and certainly not Apache httpd, where any apparently harmless change could ruin the day of 10,000 website administrators.

I am not saying that your suggestion is without merit. But although I am a mere Apache user, knowing how central DNS is to the entire fabric and function of the WWW, I would myself expect quite a bit more "backup" to such a suggestion, before I even spent some time trying to figure out what benefits it could bring, and what other consequences it might have.

Wow, if this option was set in the Apache main configuration, should it automatically be inherited by all Virtual Hosts ? does it mean that SSL would not work anymore ? what about "Allow from mycompany.com" ? what if some embedded mod_perl or mod_php application tries to do a DNS lookup via an Apache library call ?

Does the above provide some insight as to the tongue-in-cheek answers you have been getting so far ?
Re: [us...@httpd] Re: Proposal to Optionally Block DNS
At 11:37 AM 8/24/2009, you wrote:
> Since I have not looked at Apache source code, for me this
> would be at least several hours work, if not several days.
> For someone into the source code, I expect it to take a few
> minutes, to an hour or two, depending on structure. I would
> hope that such a person might submit a patch.

I can say with almost 100% certainty, from a few years of QA work and 12+ years of end user support, 2nd level support, and above, that a small change never takes 'just a few minutes' or 'just an hour'.

And said change almost NEVER can be made without breaking 4 or 5 other things. Unfortunately, you never really realize the small change you made broke those 5 other things until months later.
Re: [us...@httpd] Re: Proposal to Optionally Block DNS
André Warnier wrote:
> Mike -- EMAIL IGNORED wrote:
>> I would hope that such a person might submit a patch.
>
> Some elements maybe to enlighten you, from someone who is, like you, a
> grateful (?) user of Apache httpd, and not a contributor of code.

It's fair enough that he makes a request for enhancement. There are lots of them in Bugzilla, and sometimes one gets implemented. Very occasionally a mailing list or IRC request leads to a new feature!

If you want it more urgently than that, you have the option to pay a developer to do the work for you. I used to be available for that kind of task myself, and implemented Apache changes ranging from tiny fixes up to substantial modules for a range of clients.

--
Nick Kew
[us...@httpd] downstream server wanted client certificate but none are configured
I see the following message in the error_log

Proxy client certificate callback: downstream server wanted client certificate but none are configured

I have the following directives in my proxy virtual host...

---
SSLProxyCACertificateFile /etc/httpd/ssl/CA/CA-bundle.crt
SSLCertificateFile /etc/httpd/ssl/servercerts/server.CRT
SSLCertificateKeyFile /etc/httpd/ssl/servercerts/server.KEY
SSLProxyMachineCertificateFile /etc/httpd/ssl/clientcerts/client.p12
SSLProxyCACertificatePath /etc/httpd/ssl/CA
-

For some reason apache is unable to pick up the client certificate and send it to the server.

Please advise.

Regards,
Pe
Re: [us...@httpd] downstream server wanted client certificate but none are configured
On Mon, Aug 24, 2009 at 7:47 PM, pe uni wrote:
> I see the following message in the error_log
>
> Proxy client certificate callback: downstream server wanted client certificate but none are configured
>
> I have the following directives in my proxy virtual host...
> ---
> SSLProxyCACertificateFile /etc/httpd/ssl/CA/CA-bundle.crt
> SSLCertificateFile /etc/httpd/ssl/servercerts/server.CRT
> SSLCertificateKeyFile /etc/httpd/ssl/servercerts/server.KEY
> SSLProxyMachineCertificateFile /etc/httpd/ssl/clientcerts/client.p12
> SSLProxyCACertificatePath /etc/httpd/ssl/CA
> -
> For some some reason apache is unable to pickup the client certificate and send it to the server.
> Please advise.
> Regards,
> Pe

Is PKCS12 legit there? Example has a pem-formatted file -- try splitting yours?

--
Eric Covener
cove...@gmail.com
Re: [us...@httpd] Proposal to Optionally Block DNS
Mike -- EMAIL IGNORED wrote:
> I propose this upgrade to Apache:
>
>    Options +NoDNS
>
> Prevents Apache from initiating DNS activity for
> any reason.
>
> I am now running my server with all DNS blocked
> by iptables. Performance is thereby substantially
> improved. Fortunately, I usually don't need DNS
> for anything else on that box.
>
> Mike.

and using:

#
# HostnameLookups: Log the names of clients or just their IP addresses
# e.g., www.apache.org (on) or 204.62.129.132 (off).
# The default is off because it'd be overall better for the net if people
# had to knowingly turn this feature on, since enabling it means that
# each client request will result in AT LEAST one lookup request to the
# nameserver.
#
HostnameLookups Off

that is already supported fails to meet your needs how?

Jaqui
Re: [us...@httpd] Apache 2.2.9 known vulnerabilities?
On Mon, Aug 24, 2009 at 8:38 PM, David Taveras wrote:
> Hello,
>
> I am still a user of apache 2.2.9 and wish to know what vulnerabilities this
> version is exposed to aside from: CVE-2008-2939
>
> Is there any site, where I can get an accurate listing? CVE site seems
> confusing and I just wonder if there is something more practical.
>
> Thank you.
>
>
> Daniel
>

Hi,

All vulnerabilities are listed on the website -
http://httpd.apache.org/security/vulnerabilities_22.html
RE: [us...@httpd] File does not exist error in my error log
Hi,

Thanks for your reply. I will try once more comparing this with my old apache version error logs and will inform you.

Thanks,
Jai

-----Original Message-----
From: Tom Evans [mailto:tevans...@googlemail.com]
Sent: Monday, August 24, 2009 7:20 PM
To: users@httpd.apache.org
Subject: Re: [us...@httpd] File does not exist error in my error log

On Mon, 2009-08-24 at 17:28 +0530, Kamaraj, Jayakumar wrote:
> Hi,
>
> I recently upgraded from apache 1.3.37 to 1.3.41, I didn't change
> any of the configuration parameter.
> When I am using the apache 1.3.37, my http logs contain only 404
> request, but there is no equivalent error line in error_log file,
> provided LogLevel equals error.
>
> Even with same LogLevel under apache 1.3.41 we are getting 404
> request in our http log, along with these we are also getting the
> error [Mon Aug 24 05:00:29 2009] [error] [client 85.185.96.194] File
> does not exist in our error_logs.
> How to suppress only this error 'File does not exist' not appear
> in my error log?
> If possible provide me the reason why it is getting logged in
> apache 1.3.41 but not in 1.3.37.
>
> Thanks,
> Jai
>
>

This code hasn't changed between 1.3.37 and 1.3.41, so any effect you are seeing is misidentified. Are you sure that you didn't get them with the earlier version, or that you are logging at the exact same log level?

To answer your question, this error is logged at APLOG_ERR (in both versions), so you would see it in 'error' and higher LogLevels. If you want to suppress it, you must log at a lower level if you do not want to see it, e.g. 'crit', 'alert' or 'emerg'.

See http://httpd.apache.org/docs/1.3/mod/core.html#loglevel for more details.

Cheers

Tom
RE: [us...@httpd] File does not exist error in my error log
Hi,

Basically this many errors come for just favicon.ico. Anyway we will compare with our old apache logs and will inform you.

Thanks,
Jai

-----Original Message-----
From: André Warnier [mailto:a...@ice-sa.com]
Sent: Monday, August 24, 2009 6:47 PM
To: users@httpd.apache.org
Subject: Re: [us...@httpd] File does not exist error in my error log

Kamaraj, Jayakumar wrote:
> Hi,
>
> For your questions here are my possible answers
>
> Which kind of platform ?
>
> Linux fw01 2.6.18-1.2798.fc6PAE #1 SMP Mon Oct 16 14:54:22 EDT 2006
> i686 i686 i386 GNU/Linux
>
> Error line in http access log :
>
> 2009-08-24~05:28:22~10.*.*.*~-~test123.com~pw12~10.183.22.42~GET~/2.
> jpg~~404~0~19910~-~0~Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
> rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2~s_cc=true/***truncated**/
>
> Error line in error_log :
>
> [Mon Aug 24 05:28:22 2009] [error] [client 10.180.4.3] File does not exist:
> /data/*/www/2.jpg .
>
> The url tried is http://jkamarajfree.9f.com/2.jpg That file is not
> existing in the server also. We expected the 404 error in http access log but
> not the equivalent file does not exist error in error_log.
>

Well, basically if the file does not exist, and a client is trying to access it, you will get such an error line in the error log. That is how Apache works, and it is the case in all Apache versions which I know, including 2.x. It is, after all, an error.

Now the question is, why does that client try to access a file that does not exist? Is it one of your own pages that has a bad link in it?

> The DocumentRoot directive is not defined in the conf file, since it is
> shared host type.

That is something I do not really understand. But I guess that the hosting organisation must be doing some heavy URL-rewriting, to accommodate many "virtual" sites. You could also ask them if they do not know a trick to hide these error messages, if that is what you really want. I personally would advise against it, because you would also not see whenever someone is really trying to scan your site for security weaknesses etc.

Now another purely personal opinion: this kind of "web server sharing" is ok if this is your own personal website, for non-professional use. But if you intend to do any serious professional stuff on this website, then you really want your own full webserver, with full control over the configuration.
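Rather than hiding the "File does not exist" entries, they can be triaged so that favicon.ico noise is set aside and a client asking for many different missing files stands out. The sketch below is an added example, not code from the thread or from Apache; the function name, the noise list, the threshold and the sample log lines are assumptions constructed for illustration, using the error_log line shape quoted above.

```python
import re
from collections import defaultdict

# Apache 1.3 error_log line, in the shape quoted in this thread.
LINE = re.compile(
    r"^\[[^\]]+\] \[error\] \[client (?P<client>[^\]]+)\] "
    r"File does not exist: (?P<path>\S+)")

# Assumption: names browsers and crawlers fetch unprompted; tune per site.
NOISE_NAMES = {"favicon.ico", "robots.txt"}

def triage(lines, min_distinct=3):
    """Split 'File does not exist' errors into noise and probe-like clients.

    Returns (probing, noise): probing maps a client to the distinct missing
    paths it asked for when there are at least min_distinct of them; noise
    counts misses on NOISE_NAMES per client.
    """
    missing = defaultdict(set)
    noise = defaultdict(int)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # other error_log entries are out of scope here
        path = m["path"]
        if path.rsplit("/", 1)[-1] in NOISE_NAMES:
            noise[m["client"]] += 1
        else:
            missing[m["client"]].add(path)
    probing = {client: sorted(paths) for client, paths in missing.items()
               if len(paths) >= min_distinct}
    return probing, dict(noise)

# Constructed sample log (documentation address ranges, made-up paths).
SAMPLE = """\
[Mon Aug 24 05:28:20 2009] [error] [client 192.0.2.10] File does not exist: /data/site/www/favicon.ico
[Mon Aug 24 05:28:22 2009] [error] [client 192.0.2.10] File does not exist: /data/site/www/2.jpg
[Mon Aug 24 05:29:01 2009] [error] [client 192.0.2.10] File does not exist: /data/site/www/favicon.ico
[Mon Aug 24 05:31:10 2009] [error] [client 198.51.100.7] File does not exist: /data/site/www/setup.php
[Mon Aug 24 05:31:10 2009] [error] [client 198.51.100.7] File does not exist: /data/site/www/backup.zip
[Mon Aug 24 05:31:11 2009] [error] [client 198.51.100.7] File does not exist: /data/site/www/old/index.php
[Mon Aug 24 05:31:12 2009] [notice] caught SIGTERM, shutting down
""".splitlines()

if __name__ == "__main__":
    probing, noise = triage(SAMPLE)
    print("probe-like:", probing)
    print("noise:", noise)
```

A single broken link, such as the 2.jpg request in the sample, stays below the threshold and is not reported as probe-like.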