[us...@httpd] CGI Apache Directive: LimitRequestLine
Hi,

I'm hoping that you can help me with an issue we have come across regarding some new development we're doing around the use of CGI Apache web services.

I work in the Systems department for Premier Farnell (Leeds), we had an in-house course a while back that was presented by Paul Tuohy.. this was intended to give us an insight into CGI Apache and what it could do for our business... hence this email now.

Our problem is this... we want to provide a web service that will provide a real time data link between our AS400 and web sites... we have achieved this without a problem using a url "get" request to the CGI Apache server on the AS400.

However, the problem we have stumbled onto is the maximum size of the query string that we can use... this is limited to 8190 bytes... I believe this is a "Directive" constraint in Apache called: LimitRequestLine

We understand that there isn't such a limit using a "post" request but before we re-develop everything we have done we wanted to make sure that there wasn't anything we could do to get around the constraint I have just mentioned. We would be looking at a maximum size more in the region of 32k.

I'd be very grateful if you could tell me what the "correct" course of action should be to resolve this problem please?

Regards,
Andy.

Andy Martucci
GIS Back Office, Premier Farnell
Re: [us...@httpd] CGI Apache Directive: LimitRequestLine
> However, the problem we have stumbled onto is the maximum size of the query
> string that we can use... this is limited to 8190 bytes... I believe this is
> a "Directive" constraint in Apache called: LimitRequestLine
>
> We understand that there isn't such a limit using a "post" request but
> before we re-develop everything we have done we wanted to make sure that
> there wasn't anything we could do to get around the constraint I have just
> mentioned. We would be looking at a maximum size more in the region of 32k.

8190 bytes is the default but you can increase it by specifying a larger limit in your httpd.conf. Putting something like:-

LimitRequestLine 32768

should do it if that's all the problem is.

Cheers,
Phil.
RE: [us...@httpd] CGI Apache Directive: LimitRequestLine
Hi Phil

Alas that isn't possible... there is a constraint in Apache that limits this to 8190... see following help text from Apache:

Maximum request line: allows you to reduce the limit on the allowed size of a client's HTTP request-line below the normal input buffer size compiled with the server. Since the request-line consists of the HTTP method, URI, and protocol version, this option restricts the length of the request-URI. A server needs this value to be large enough to hold any of its resource names, including any information that might be passed in the QUERY_STRING part of a GET request. This option gives the server administrator greater control over abnormal client request behavior, which may be useful for avoiding some forms of denial-of-service attacks. Under normal conditions, the value should not be changed from the default. Valid values include integers between 0 and 8190.

The first drop-down menu specifies units of memory. The second drop-down menu provides the options:

Default: places 8190 in the edit field and "Bytes" in the first drop-down menu.
Maximum: places 8190 in the edit field and "Bytes" in the first drop-down menu.

This field is optional.

Directive: LimitRequestLine

Regards,
Andy.
Re: [us...@httpd] CGI Apache Directive: LimitRequestLine
> Alas that isn't possible... there is a constraint in Apache that limits this
> to 8190... see following help text from Apache:

> Default: places 8190 in the edit field and "Bytes" in the first drop-down
> menu.
> Maximum: places 8190 in the edit field and "Bytes" in the first drop-down
> menu.

Talk of drop-down menus confuses me, I don't think this text is from the Apache Software Foundation. Are you using the IBM HTTP Server or similar?

You can certainly increase LimitRequestLine in Apache 2.2:-

http://httpd.apache.org/docs/2.2/mod/core.html#limitrequestline

but I think you're probably using some repackaged version of 1.3 which does have a compiled in limit as you describe. If so I can't think of any way to increase it.

Cheers,
Phil.
RE: [us...@httpd] CGI Apache Directive: LimitRequestLine
Sorry, yes that snippet was taken from the Server... Directive.

OK then I can certainly look into what you have said, I had thought we were on the latest version but maybe we aren't. When I've spoken to our Ops team I'll get back to you.

Many thanks for taking the time to respond, very much appreciated.

Regards,
Andy.
RE: [us...@httpd] proxy 502 problem uploading a large file
> -----Original Message-----
> From: Scott Chapman [mailto:schap...@mischko.com]
> Sent: Wednesday, November 25, 2009 12:28 AM
> To: users@httpd.apache.org
> Subject: [us...@httpd] proxy 502 problem uploading a large file
>
> I have Apache 2.2.11 and a web server behind it (CherryPy).
> When I upload a large file to the CherryPy server, I see the file in
> /tmp/modrproxy.tmp.FOO
> It uploads completely.
> Then Apache returns a 502 error without ever hitting the backend (the
> first line of code in the handler is to spit out a log line saying it
> was reached).

502 is Bad Gateway, which means that apache and back-end had a protocol problem. Probably the back-end didn't handle the upload correctly. What do the back-end logs say?

You mention a "large" file without saying what that means: 1 Mb? 1 Gb? 1 Tb? What happens with a "small" file (10 b, 1 kb, 10 kb...)?

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored.

> The access and error logs are below and my virtual host config.
> I can't think what else to try. I was using RewriteRules for this.
> Same situation.
>
> This is a production server and it's having problems. Any help would be
> greatly appreciated.
>
> Scott
>
> access log
> - - [24/Nov/2009:16:13:46 -0500] "POST /lertwfm/addFileToCase HTTP/1.1" 502 422
>
> error log
> [Tue Nov 24 16:18:23 2009] [error] [client ] (70014)End of file found: proxy: error reading status line from remote server 127.0.0.1, referer: http://lertwfmdev.odc.vzwcorp.com/lertwfm/detail_edit_case?case_id=6667
> [Tue Nov 24 16:18:23 2009] [error] [client ] proxy: Error reading from remote server returned by /lertwfm/addFileToCase, referer: http://lertwfmdev.odc.vzwcorp.com/lertwfm/detail_edit_case?case_id=6667
>
> DocumentRoot "/opt/webapp/wfm"
> ServerName foo.bar.com
> ErrorLog "|/usr/local/apache2/bin/rotatelogs /usr/local/apache2/logs/lert_wfm-error_log 86400"
> CustomLog "|/usr/local/apache2/bin/rotatelogs /usr/local/apache2/logs/lert_wfm-access_log 86400" common
>
> FileETag None
>
> ExpiresActive On
> ExpiresDefault "access plus 2 hours"
>
> Order allow,deny
> allow from all
> SetHandler default-handler
>
> ProxyPass /static/ !
> ProxyPass /lertwfm/static/js/ !
> ProxyPass /fax/ http://127.0.0.1:9010/fax/
> ProxyPass / http://127.0.0.1:9000/ connectiontimeout=900 timeout=900
>
> Order allow,deny
> allow from all
RE: [us...@httpd] CGI Apache Directive: LimitRequestLine
I've been reliably informed that 8190 bytes is the maximum size available for the get method and anything over this should be done using the post method.

Thanks to all that took the time to look at this for me.

Regards,
Andy.
Re: [us...@httpd] CGI Apache Directive: LimitRequestLine
On 25 Nov 2009, at 10:18, Martucci, Andy wrote:

> I've been reliably informed that 8190 bytes is the maximum size available for
> the get method and anything over this should be done using the post method.

IIRC the HTTP spec limits it to 2kb, so you can't rely on any agent (server, browser or proxy) allowing you more than that.

If you want apache to support longer lines (subject to all other agents you use also doing so), build it with your selected value in include/httpd.h, where the limit is defined.

But the need to do any such thing smells of a design defect in your application (and how do you deal with logging these huge requests - 8K log for a single request)?

--
Nick Kew
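The request-line budget discussed in this thread, as an added example that is not part of any poster's message: it measures the full request-line (method, URI and protocol version) against the 8190-byte limit and moves the parameters into a POST body when a GET would not fit. The path and parameter names are hypothetical, the limit is modelled as the byte length of the line without its CRLF, and 414 is the status a server returns for an over-long request-line.

```python
from urllib.parse import urlencode

# Default LimitRequestLine value quoted in the thread.
DEFAULT_LIMIT_REQUEST_LINE = 8190


def request_line(method, path, query=""):
    """Return the HTTP/1.1 request-line (no CRLF) as bytes.

    Assumes an ASCII path; the query must already be percent-encoded.
    """
    target = path + ("?" + query if query else "")
    return f"{method} {target} HTTP/1.1".encode("ascii")


def status_for_request_line(line, limit=DEFAULT_LIMIT_REQUEST_LINE):
    """Model of the server-side check: 414 when the line is over the limit."""
    return 200 if len(line) <= limit else 414


def plan_request(path, params, limit=DEFAULT_LIMIT_REQUEST_LINE):
    """Choose GET or POST for `params` so the request-line stays in budget.

    The whole line counts, not only the query string, and percent-encoding
    can make a value up to three times longer than its raw form.
    """
    encoded = urlencode(params)
    get_line = request_line("GET", path, encoded)
    if len(get_line) <= limit:
        return {"method": "GET", "request_line": get_line,
                "headers": {}, "body": b""}

    post_line = request_line("POST", path)
    if len(post_line) > limit:
        raise ValueError("path alone exceeds the request-line limit")
    body = encoded.encode("ascii")
    return {
        "method": "POST",
        "request_line": post_line,
        "headers": {
            "Content-Type": "application/x-www-form-urlencoded",
            "Content-Length": str(len(body)),
        },
        "body": body,
    }


def access_log_request_field(plan):
    """What the "%r" field of an access log would record for this request.

    With POST the parameters travel in the body, so they do not end up
    in the logged request-line.
    """
    return plan["request_line"].decode("ascii")


if __name__ == "__main__":
    # Constructed sample inputs: a short lookup and a 32k payload.
    for params in ({"part": "1234567"}, {"data": "A" * 32768}):
        plan = plan_request("/cgi-bin/lookup", params)
        print(plan["method"], len(plan["request_line"]), len(plan["body"]))
```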
[us...@httpd] mod_proxy configuration issue
Hi List,

I'm new to mod_proxy and I think my problem is really a newbie problem but I didn't find the answer in the doc or Google.

I set up a forward proxy but I can reach only web pages located on this server (any vhost of this server), I can't reach web servers on the local network or the Internet.

I set up the simplest configuration possible for a forward proxy :

ServerAdmin ad...@domain.tld
ServerName proxy.domain.tld

ProxyRequests On
ProxyVia On

Order deny,allow
Deny from all
Allow from a.b.c.d x.y.z.a m.n.o

ErrorLog /var/log/httpd-fproxy-error.log
LogLevel Info

LogFormat "%v %h %l %u %t \"%r\" %>s %b" proxy_common
CustomLog /var/log/httpd-fproxy-access.log proxy_common

Apache is hosting other vhosts for repositories and a reverse proxy, everything works fine there when I contact them directly.

If I try to reach "proxy.domain.tld" from a browser with this proxy config, it works. I reach the default Apache page (/usr/local/www/apache22/data/index.html).
If I try to reach another vhost on the same server, it works.
If I try to reach a web server on the local network it doesn't work, error 503.
If I try to reach a web server on the Internet (Google) it doesn't work, error 503.

For pages that work I have a correct message in access.log
For pages that don't work I don't have any message in either httpd-fproxy-error.log or httpd-fproxy-access.log

$apachectl -t is fine
$apachectl -S is fine
I can reach any webserver from the server with Lynx.
DNS are resolved through a local server, and resolutions are fine.
I have freshly installed nothing since mod_proxy was enabled for the reverse proxy yet.

I reviewed all the directives given in the basic example from the apache doc. Everything seems fine

I'm using Apache/2.2.9 (FreeBSD) mod_ssl/2.2.9 OpenSSL/0.9.7e-p1 DAV/2 SVN/1.5.2 PHP/5.2.6 with Suhosin-Patch configured
into a FreeBSD jail from 7.2-RELEASE-p2

Any advice or idea will be helpful,
Thanks,

--
Bastien Semene
Network & System Administrator
Cyanide S.A.
RE: [us...@httpd] mod_proxy configuration issue
Hi,

Are you using NameVirtualHost, and where in your config is the snippet you included located in the global conf file (i.e. before all the others?)?

It is not clear to me how you can use a forward proxy defined as a name based vhost in your config file ... unless it's the default one (?).

It is also not clear to me whether you did your tests in "proxy mode", i.e. defining your Apache's proxy explicitly in your browser.

Regards.
Emmanuel
[us...@httpd] Invalid command error Load balancer on Solaris 10
Hi,

I have compiled and installed apache httpd sources on solaris 10.
My configure statement was:

I am trying to test load balancing...
./configure -prefix=/export/home0/xxx/httpserver --enable-proxy --enable-proxy-connect --enable-proxy-http

I get this error when I start apache:
Invalid command '
RE: [us...@httpd] proxy 502 problem uploading a large file
Hi Scott,

I recently posted a message to the group about a 502 error I was getting:

http://mail-archives.apache.org/mod_mbox/httpd-users/200911.mbox/%3c9a7d6213f32e30428d8c94e8441c8ac85c8a8...@edxmb25.jdnet.deere.com%3e

Given the description of your environment, it's not clear if my situation relates. But consider a possible TCP timeout with your back-end server. In my case, I was able to adjust a Linux parameter to increase the number of SYN-ACK packets the OS sent to keep the TCP connection alive - not a great solution, but a verified workaround.
Re: [us...@httpd] Invalid command error Load balancer on Solaris 10
On Wed, Nov 25, 2009 at 1:04 PM, Onur Ağın wrote:

> Hi,
>
> I have compiled and installed apache httpd sources on solaris 10.
> My configure statement was:
>
> I am trying to test load balancing...
> ./configure -prefix=/export/home0/xxx/httpserver --enable-proxy
> --enable-proxy-connect --enable-proxy-http
>
> I get this error when I start apache:
> Invalid command ' included in the server configuration
>
> Any ideas how to fix this?
>
> Thanks.

Load the proxy modules you require first.

Cheers

Tom
[us...@httpd] Apache httpd replication / proxy mirror server?
Hi Guys

Is it possible somehow to use httpd to replicate files between servers?

We have a use case where a user will place a file on one of the apache servers and then it should get replicated towards the other servers..

regards Nino
Re: [us...@httpd] Apache httpd replication / proxy mirror server?
No, but "man 1 rsync" should get you in the right direction.

Cheers

Tom
Re: [us...@httpd] Apache httpd replication / proxy mirror server?
hmm yeah I know, but it's on windows :/ Just wanted to know if we could stay within httpd for this one...
Re: [us...@httpd] Apache httpd replication / proxy mirror server?
nino martinez wael wrote:

> hmm yeah I know, but it's on windows :/ Just wanted to know if we could stay
> within httpd for this one...

It's not apache's business.

But you could add a CMS that manages replication. Or store the data in a replicating database. Or variants on that theme. Or of course you could write (or google for) a replication module.

--
Nick Kew
Re: [us...@httpd] proxy 502 problem uploading a large file
Boyle Owen wrote:

>> -----Original Message-----
>> From: Scott Chapman [mailto:schap...@mischko.com]
>> Sent: Wednesday, November 25, 2009 12:28 AM
>> To: users@httpd.apache.org
>> Subject: [us...@httpd] proxy 502 problem uploading a large file
>>
>> I have Apache 2.2.11 and a web server behind it (CherryPy).
>> When I upload a large file to the CherryPy server, I see the file in
>> /tmp/modrproxy.tmp.FOO
>> It uploads completely.
>> Then Apache returns a 502 error without ever hitting the backend (the
>> first line of code in the handler is to spit out a log line saying it
>> was reached).
>
> 502 is Bad Gateway, which means that apache and back-end had a protocol
> problem. Probably the back-end didn't handle the upload correctly. What
> do the back-end logs say?
>
> You mention a "large" file without saying what that means 1 Mb? 1 Gb? 1
> Tb? what happens with a "small" file (10 b, 1 kb, 10 kb...)?
>
> Rgds,
> Owen Boyle
> Disclaimer: Any disclaimer attached to this message may be ignored.

Large is 70mb. Small is 20mb. Small files work great. It's some kind of timeout I think. The backend never got hit by Apache at all. The backend handles the uploads fine when I hit it directly, out from behind Apache.
Re: RE: [us...@httpd] mod_proxy configuration issue
The default vhost was the problem. I renamed the vhost file so it is loaded first and it works like a charm now.

Thanks a lot.

--
Bastien Semene
Network & System Administrator
Cyanide S.A.
Re: [us...@httpd] proxy 502 problem uploading a large file
Your post has the same stuff mine does. I'm using SiteMinder for enterprise single sign on via Apache. I turned it off and the upload worked.

Thanks!

Prigge Scott wrote:
> Hi Scott, I recently posted a message to the group about a 502 error I was
> getting:
>
> http://mail-archives.apache.org/mod_mbox/httpd-users/200911.mbox/%3c9a7d6213f32e30428d8c94e8441c8ac85c8a8...@edxmb25.jdnet.deere.com%3e
>
> Given the description of your environment, it's not clear if my situation
> relates. But consider a possible TCP timeout with your back-end server. In my
> case, I was able to adjust a Linux parameter to increase the number of
> SYN-ACK packets the OS sent to keep the TCP connection alive - not a great
> solution, but a verified workaround.
>
>> -----Original Message-----
>> From: Scott Chapman [mailto:schap...@mischko.com]
>> Sent: Tuesday, November 24, 2009 5:28 PM
>> To: users@httpd.apache.org
>> Subject: [us...@httpd] proxy 502 problem uploading a large file
>>
>> I have Apache 2.2.11 and a web server behind it (CherryPy).
>> When I upload a large file to the CherryPy server, I see the
>> file in /tmp/modrproxy.tmp.FOO It uploads completely.
>> Then Apache returns a 502 error without ever hitting the
>> backend (the first line of code in the handler is to spit out
>> a log line saying it was reached).
>>
>> The access and error logs are below and my virtual host config.
>> I can't think what else to try. I was using RewriteRules for this.
>> Same situation.
>>
>> This is a production server and it's having problems. Any
>> help would be greatly appreciated.
>>
>> Scott
Re: [us...@httpd] Apache httpd replication / proxy mirror server?
True it's not Apache's business, but would be stupid if it was possible, hence me asking. I did a search for replication module but couldn't find anything, so I figured that I either searched with wrong words or it was not possible. Asking this list was then my best shot.

Forgot to say thanks to Tom for the quick answer.. And thanks to you (Nick) for the suggestions.

Regards
Nino

2009/11/25 Nick Kew
> nino martinez wael wrote:
>
>> hmm yeah I know, but it's on windows :/ Just wanted to know if we could
>> stay within httpd for this one...
>>
>
> It's not apache's business. But you could add a CMS that manages
> replication. Or store the data in a replicating database.
> Or variants on that theme.
>
> Or of course you could write (or google for) a replication module.
>
> --
> Nick Kew
RE: [us...@httpd] proxy 502 problem uploading a large file
:D I just saved you about a month worth of work... Try adding this directive to your SM policy:

LegacyStreamingBehavior = YES

> -----Original Message-----
> From: Scott Chapman [mailto:schap...@mischko.com]
> Sent: Wednesday, November 25, 2009 8:46 AM
> To: users@httpd.apache.org
> Subject: Re: [us...@httpd] proxy 502 problem uploading a large file
>
> Your post has the same stuff mine does. I'm using SiteMinder
> for enterprise single sign on via Apache. I turned it off
> and the upload worked.
>
> Thanks!
Re: [us...@httpd] Tomcat 6 and Apache2 VS Tomcat 6 alone
Unless you are Amazon or Google, any reason you might find for choosing one vs. the other will probably have little to do with performance. Recent Tomcat versions are not notably slow at serving static content. And remember, with HTTPD/Tomcat, every request and response has to make an extra trip through the local network stack to cross the process boundary -- small wins may be overwhelmed by the additional cost of frontending.

Some reasons I have for continuing to run HTTPD in front of Tomcat anyway:

o I learned HTTPD first and am still more comfortable with it
o I like HTTPD's configuration language better
o Lots and lots and LOTS of modules to make HTTPD do all sorts of fancy things, if you want them.
o I absolutely *hate* the JKS certificate store. I very much prefer setting up SSL for HTTPD than for Tomcat.
o That's the way I set it up originally and I don't want to mess with it.

Others will have similar reasons for *not* running an HTTPD frontend.

One other reason I can think of: if you need HTTPD anyway for other uses, you might want to keep all the network-related configuration together.

--
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Friends don't let friends publish revisable-form documents.
Re: [us...@httpd] CGI Apache Directive: LimitRequestLine
Nick Kew wrote:

On 25 Nov 2009, at 10:18, Martucci, Andy wrote:

I've been reliably informed that 8190 bytes is the maximum size available for the get method and anything over this should be done using the post method.

IIRC the HTTP spec limits it to 2kb, so you can't rely on any agent (server, browser or proxy) allowing you more than that.

If you want apache to support longer lines (subject to all other agents you use also doing so), build it with your selected value in include/httpd.h, where the limit is defined.

But the need to do any such thing smells of a design defect in your application (and how do you deal with logging these huge requests - 8K log for a single request)?

Do you know the rfc number for 'HTTP spec limits it to 2kb'? I can't find such a statement in rfc2616.

Hendrik
Re: [us...@httpd] CGI Apache Directive: LimitRequestLine
Hendrik Schmieder wrote:

Do you know the rfc number for 'HTTP spec limits it to 2kb'?

I said IIRC, and it's a memory from a long time ago - pre-rfc2616. It may no longer be valid, but it was standard advice in the early days: don't make GET requests bigger than 2k.

Of course, no standard limits the size. It just says (said) that an implementation should not impose a lower limit.

The rest of what I said stands: if someone presents me with a system where an 8k limit is a problem, my reaction is to question the design decisions that led to it.

--
Nick Kew
Re: [us...@httpd] Apache httpd replication / proxy mirror server?
nino martinez wael wrote:

hmm yeah I know, but it's on windows :/ Just wanted to know if we could stay within httpd for this one...

Well, exactly /how/ do the users put files on this server?

You have not even explained if they put these files there using Apache somehow. There is nothing that I know of in Apache itself that will do that, but it may be possible to add something. Describe your issue a bit more in detail, and it may give ideas to someone.
[us...@httpd] Configuration change for 2.0
Hi,

Configuration below works fine in 2.2 but I have to run it on 2.0. Apache 2.0 says balancer member not found.

What is the equal configuration for 2.0?

    # Proxy
    ProxyRequests Off
    Order deny,allow
    Allow from all
    BalancerMember http://:7102
    BalancerMember http://:7106
    ProxyPass / balancer://olb/

Thanks...
Re: [us...@httpd] Memory / Process leak
In users Digest 25 Nov 2009, Issue 3715, Peter N. Lewis wrote:
> Clearly, no one has any particularly helpful suggestions on what to do
> differently.
>
> Apache, even under relatively light load, swallowed up 700+MB over two days.
>
> So the only path forward I can see is to restart apache fairly regularly
> and delve in to switching to nginx.
>
> Thanks to those of you who tried to help. Maybe it is specific to
> slicehost. Maybe it's something in how I use MySQL or mod_perl.
> Clearly this is beyond my ability to resolve, and is not some sort
> of well known problem.
>
> Thanks anyway,
> Peter.

I tried to respond to Peter directly, but got:

> 451 4.4.1 reply: read error from proxy.peter.com.au.
> ... while talking to mx2.zoneedit.com.:
> >>> DATA
> <<< 554 5.7.1 : Relay access denied
> 554 5.0.0 Service unavailable
> <<< 554 5.5.1 Error: no valid recipients

Sorry to clutter up the list, but here goes

I'm contacting you "off list", because I'm not sure if anything I have to say would be relevant to the list. However, when trying to figure out where memory leaks are, mightn't it be helpful to force a core (if possible) of the "lost processes", then examine the core to see if there's any pattern in the memory which might help identify what the lost process might have been doing? Even if you only do a "strings" on the core file, you might see some data that'll give you a clue. OK, it's a long shot, but after a few examinations, there might be something in common in all the "lost processes".

>Thanks to those of you who tried to help. Maybe it is specific to slicehost.
>Maybe it's something in how I use MySQL or mod_perl. Clearly this is beyond my
>ability to resolve, and is not some sort of well known problem.

Certainly if an SQL query goes unanswered, or your perl script goes OTL ("Out To Lunch"), Apache may time out (i.e., not shown in server status), but the child may not exit. As you said, I don't think this is a well-known problem, or EVERYBODY would have to be restarting their servers periodically. Given all the Apache servers out there, I don't think that's happening.

>Thanks anyway,
> Peter.

You're welcome, and -- last, but not least -- thanks for NetPresenz. :-)

Regards,
Michael A. Pasek
Re: [us...@httpd] Configuration change for 2.0
On Wed, 2009-11-25 at 17:19 +0200, Onur Ağın wrote:
> Hi,
>
>
> Configuration below works fine in 2.2 but I have to run it on 2.0
> apache 2.0 it says balancer member not found.
>
> What is the equal configuration for 2.0

Apache 2.0.x does not include mod_proxy_balancer. It is a module only available on 2.2.x and later.

Mark.

--
Mark Watts BSc RHCE MBCS
Senior Systems Engineer, Managed Services Manpower
www.QinetiQ.com
QinetiQ - Delivering customer-focused solutions
GPG Key: http://www.linux-corner.info/mwatts.gpg
[us...@httpd] Issue with mod_proxy and customer proxy
Hello,

I have changed our main reverse proxy server on our network from an old debian woody server with apache httpd 1 to a debian lenny with apache httpd version 2.2.9-10+lenny6.

Before, our customers had no problem with the reverse proxy, but now, some of them can no longer use our proxied website, or it's so slow that the timeout is reached.

The problem always happens for users with a corporate proxy contacting our own reverse proxy (without a proxy before our reverse proxy, everything works just fine), but when I told those customers that the problem comes from their proxy configuration, I have trouble explaining why it worked before and why we are the only website they have trouble with...

Below is my reverse proxy vhost (using http or https doesn't matter to have the problem):

    ServerName support.enterprise.com
    ServerAdmin supp...@enterprise.com
    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/wildcard-enterprise.crt
    SSLCertificateKeyFile /etc/apache2/ssl/wildcard-enterprise.key
    ProxyRequests Off
    Order Deny,Allow
    Allow from all
    ProxyPass / http://srv-53.enterprise.com:1/
    ProxyPassReverse / http://srv-53.enterprise.com:1/

    ServerName support.enterprise.com
    ServerAdmin supp...@enterprise.com
    ProxyRequests Off
    Order Deny,Allow
    Allow from all
    ProxyPass / http://srv-53.enterprise.com:1/
    ProxyPassReverse / http://srv-53.enterprise.com:1/

The errors I got in the error.log are (http access):

For customer A:
[error] (104)Connection reset by peer: proxy: prefetch request body failed to 172.16.15.53:1 (srv-53.enterprise.com) from yy.yy.yy.yy ()

For customer B & C:
[error] (70007)The timeout specified has expired: proxy: prefetch request body failed to 172.16.15.53:1 (srv-53.enterprise.com) from zz.zz.zz.zz ()

For customer B, they told me they are using "squid/2.5.STABLE7-NT" and customer C is using "squid/2.7.STABLE6" (on Solaris for customer C), I don't know what proxy is used by customer A except that it's not squid.

Customer B client side error:

    ERROR
    The requested URL could not be reieved
    While trying to retrieve the URL: [no URL]
    The following error was encountered:
    - Read Timeout
    The system returned: [No Error]
    A Timeout occured while waiting to read data from the network. the netwokr or server may be down or congested. Please retry your request.
    Generated by client-B-squid-server.com (squid/2.5.STABLE7-NT)

Customer C client side error:

    Bad Request
    Your browser sent a request that this server could not understand.
    Apache/2.2.9 (Debian) proxy_html/3.0.0 mod_ssl/2.2.9 OpenSSL/0.9.8g Server at support.enterprise.com Port 80

Any idea how to fix this?

Jeremie
Re: [us...@httpd] Apache httpd replication / proxy mirror server?
It's a bit complicated. So I'll try to explain it in a simple way.

The users are calling (via phone) an IVR application which in turn interprets vxml. The vxml page then has an option to record and save the recording. When the vxml page saves the recording it saves towards tomcat which then places the file in a repository which is then served by Apache httpd. We have more apache http servers for failover and it's here the need for replication comes.

All this we can code our way out of, but if there's something already that does this it would be nice with some recycling. I was thinking that the Apache http server that got the new file could push it to the others.

Regards
Nino

2009/11/25 André Warnier
> nino martinez wael wrote:
>
>> hmm yeah I know, but it's on windows :/ Just wanted to know if we could
>> stay within httpd for this one...
>>
> Well, exactly /how/ do the users put files on this server ?
>
> You have not even explained if they put these files there using Apache
> somehow.
> There is nothing that I know of in Apache itself that will do that, but it
> may be possible to add something. Describe your issue a bit more in detail,
> and it may give ideas to someone.
[us...@httpd] SSL on Apache 2.2.14
Hello,

Hopefully someone will be able to help, as I've been working on this problem for quite a while and have hit a wall. I'm trying to upgrade Apache 2.0.47 to 2.2.14, and I need SSL support. Everything seems to build and compile okay, but when I try to access my site running on 2.2.14, I get a strange error from Firefox: "Secure connection failed. An error occurred during a connection to xx. SSL peer reports incorrect Message Authentication Code. (Error code: ssl_error_bad_mac_alert)."

I've tried compiling with OpenSSL 0.9.8L and 0.9.8G with the same results. This is hosted on a Solaris sparc box. The 2.2.14 server is utilizing all the same files and SSL certificates as the 2.0.47 server. I've called Verisign; I have valid certificates, but they've never heard of this error before. If I self-sign a certificate and test it with the 2.2.14 server, it seems to work (except for the expected error message regarding self-signed certificates).

Searching on Google has led me to try forcing Apache to compile with prefork enabled (but it seems to default to that anyway on Solaris). I've also tried statically linking Apache during compile with the same results.

If anyone has any ideas or suggestions, I'd very much appreciate them...

Thank you,
John
RE: [us...@httpd] Adding module to Apache-httpd
I compiled the remoteip module and loaded it without problem. In one of my virtualhosts of the Apache reverse proxy, I added and tested:

RemoteIPHeader X-Client-IP

Or

RemoteIPHeader X-Forwarded-For

Or both

I don't see the remote client IP being forwarded to the backend server from Apache as it is supposed to be. Does anyone know why or what I did wrong? Thanks.

Ryan

-----Original Message-----
From: nicholas@sun.com [mailto:nicholas@sun.com] On Behalf Of Nick Kew
Sent: Friday, November 20, 2009 5:48 PM
To: users@httpd.apache.org
Subject: Re: [us...@httpd] Adding module to Apache-httpd

Ruiyuan Jiang wrote:
> Hi,
>
> I need the module "mod_remoteip" which is not included in the standard
> httpd-2.2.14 distribution.

http://httpd.apache.org/docs/2.2/programs/apxs.html

--
Nick Kew
Re: [us...@httpd] ProxyPass - mod_proxy
client y is a http server but I don't want to expose client y to client x. I am new to this Apache httpd server so I don't know whether it should be configured as a forward proxy or reverse proxy. Right now I am configuring it as reverse proxy but it doesn't work.

Please help.

Thanks & Regards,
Aruna.

--- On Wed, 11/25/09, André Warnier wrote:

From: André Warnier
Subject: Re: [us...@httpd] ProxyPass - mod_proxy
To: users@httpd.apache.org
Date: Wednesday, November 25, 2009, 6:23 AM

Aruna Gummalla wrote:
> client y is on the same host as apache. only client x is on a different host.
>
it does not matter.

The point is that Apache will forward a HTTP *request* to the "client y", and expect it to act like a HTTP server. Unless your "client y" is really a HTTP server, it will not work.

And if your "client y" is really a HTTP server, then why don't you have client x talk directly to client y?
Re: [us...@httpd] ProxyPass - mod_proxy
"It doesn't work" is useless. If you want help, explain what you tried, what happens when you try that, and provide your configuration and logs. Otherwise, the only response anyone can give is "It works just fine for me". Cheers Tom
[us...@httpd] Re: RewriteRule in neither "foo/.htaccess" nor ".htaccess" can match http://example.com/.../foo
> On 11/24/09, Jack Bates freezone.co.uk> wrote:
> > * /foo/ to deliver /foo/index.html, or whatever it would naturally
> deliver
> > * /foo to deliver /foo.html always
>
> IIUC, your problem boils down to:
>
> /.htaccess has your desired behavior
> /foo/.htaccess has some undesired, incompatible catch-all behavior

Almost - /.htaccess has one desired behaviour, /foo/.htaccess has another, also desired, compatible behaviour

In my case I don't think it would matter which rules took precedence

The trouble is, when there is any "Rewrite" directive in /foo/.htaccess, I can't get the rules from /.htaccess to apply - either by using "RewriteOptions inherit" or by copying the rules from /.htaccess to /foo/.htaccess

Here's a shorter, hopefully clearer example,

Contents of /.htaccess,

> DirectorySlash Off
>
> RewriteEngine On
> RewriteCond %{REQUEST_FILENAME}.html -f
> RewriteRule . %{REQUEST_FILENAME}.html

With this configuration and no "Rewrite" directives in /foo/.htaccess, requests for http://example.com/.../foo successfully respond with /foo.html - but if I make the contents of /foo/.htaccess,

> RewriteEngine On
> RewriteOptions inherit

Now requests for http://example.com/.../foo no longer respond with /foo.html : (

So the fact that there are "Rewrite" directives in /foo/.htaccess is interfering with requests for http://example.com/.../foo, but the rules in /foo/.htaccess can't match requests for http://example.com/.../foo (although they can match requests for http://example.com/.../foo/)

I think it's currently impossible for *any* rule in /foo/.htaccess to match http://example.com/.../foo

I think it should be one or the other - either it should be possible for a rule in /foo/.htaccess to match http://example.com/.../foo, or rules in /foo/.htaccess shouldn't disable rules in /.htaccess
Re: [us...@httpd] ProxyPass - mod_proxy
This is what I am doing and an example of my configuration.

I am trying to configure mod_proxy. I want Apache to be the proxy server. There is a client x which talks to Apache and Apache in turn passes on this request to other client y. The client y responds to Apache and in turn should send the response to client x.

Suppose, client y runs on port and client y and apache are on the same host. I configured the httpd.conf like this:

    ProxyRequests Off
    ProxyPass / http://localhost:/
    ProxyPassReverse / http://localhost:/

But when the client x tries to connect to client y through Apache it does not get a response. client x says No response from the server.

Can somebody please help me configure the httpd. I don't know whether I should configure this as forward or reverse proxy. Please help. Thanks in advance.

Thanks & Regards,
Aruna.

--- On Wed, 11/25/09, Tom Evans wrote:

From: Tom Evans
Subject: Re: [us...@httpd] ProxyPass - mod_proxy
To: users@httpd.apache.org
Date: Wednesday, November 25, 2009, 11:10 PM

"It doesn't work" is useless. If you want help, explain what you tried, what happens when you try that, and provide your configuration and logs. Otherwise, the only response anyone can give is "It works just fine for me".

Cheers
Tom
RE: [us...@httpd] SSL on Apache 2.2.14
This sounds like a Solaris bug. Make sure you have a recent version of Solaris or the latest patches installed... What release/patch level are you using?

Danny

From: "John J. Consolati" [mailto:"John J. Consolati" ]
Sent: 25 November 2009 17:23
To: users@httpd.apache.org
Subject: [us...@httpd] SSL on Apache 2.2.14

Hello,

Hopefully someone will be able to help, as I've been working on this problem for quite a while and have hit a wall. I'm trying to upgrade Apache 2.0.47 to 2.2.14, and I need SSL support. Everything seems to build and compile okay, but when I try to access my site running on 2.2.14, I get a strange error from Firefox: "Secure connection failed. An error occurred during a connection to xx. SSL peer reports incorrect Message Authentication Code. (Error code: ssl_error_bad_mac_alert)."

I've tried compiling with OpenSSL 0.9.8L and 0.9.8G with the same results. This is hosted on a Solaris sparc box. The 2.2.14 server is utilizing all the same files and SSL certificates as the 2.0.47 server. I've called Verisign; I have valid certificates, but they've never heard of this error before. If I self-sign a certificate and test it with the 2.2.14 server, it seems to work (except for the expected error message regarding self-signed certificates).

Searching on Google has led me to try forcing Apache to compile with prefork enabled (but it seems to default to that anyway on Solaris). I've also tried statically linking Apache during compile with the same results.

If anyone has any ideas or suggestions, I'd very much appreciate them...

Thank you,
John
RE: [us...@httpd] SSL on Apache 2.2.14
Also what compiler are you using? Sometimes if you use GCC on Solaris APR gets upset. Try Sun Studio if you're not already using it.

From: "John J. Consolati" [mailto:"John J. Consolati" ]
Sent: 25 November 2009 17:23
To: users@httpd.apache.org
Subject: [us...@httpd] SSL on Apache 2.2.14

Hello,

Hopefully someone will be able to help, as I've been working on this problem for quite a while and have hit a wall. I'm trying to upgrade Apache 2.0.47 to 2.2.14, and I need SSL support. Everything seems to build and compile okay, but when I try to access my site running on 2.2.14, I get a strange error from Firefox: "Secure connection failed. An error occurred during a connection to xx. SSL peer reports incorrect Message Authentication Code. (Error code: ssl_error_bad_mac_alert)."

I've tried compiling with OpenSSL 0.9.8L and 0.9.8G with the same results. This is hosted on a Solaris sparc box. The 2.2.14 server is utilizing all the same files and SSL certificates as the 2.0.47 server. I've called Verisign; I have valid certificates, but they've never heard of this error before. If I self-sign a certificate and test it with the 2.2.14 server, it seems to work (except for the expected error message regarding self-signed certificates).

Searching on Google has led me to try forcing Apache to compile with prefork enabled (but it seems to default to that anyway on Solaris). I've also tried statically linking Apache during compile with the same results.

If anyone has any ideas or suggestions, I'd very much appreciate them...

Thank you,
John
Re: [us...@httpd] SSL on Apache 2.2.14
On Nov 25, 2009, at 9:23 AM, John J. Consolati wrote:

> Hopefully someone will be able to help, as I've been working on this problem
> for quite a while and have hit a wall. I'm trying to upgrade Apache 2.0.47
> to 2.2.14, and I need SSL support. Everything seems to build and compile
> okay, but when I try to access my site running on 2.2.14, I get a strange
> error from Firefox: "Secure connection failed. An error occurred during a
> connection to xx. SSL peer reports incorrect Message Authentication
> Code. (Error code: ssl_error_bad_mac_alert)."

This means that, after the handshake, the client and server have a different idea of what their session keys are. This happens when the pre-master secret that the client sent was decrypted with a private key that does not belong to the certificate that the server passed to the client.

Do you by any chance use a Hardware Security Module to protect the private key?

Can you try using your key file and certs with a simple test server included with openssl? Like so:

    openssl s_server -cert /path/to/yourSSLCertificateFile -key /path/to/yourSSLCertificateKeyFile -CAfile /path/to/yourSSLCertificateChainFile -www

and then from a different terminal connect to localhost:4433

    curl -i https://localhost:4433/

or

    openssl s_client -connect localhost:4433

and see if that works.

S.

> I've tried compiling with OpenSSL 0.9.8L and 0.9.8G with the same results.
> This is hosted on a Solaris sparc box. The 2.2.14 server is utilizing all
> the same files and SSL certificates as the 2.0.47 server. I've called
> Verisign; I have valid certificates, but they've never heard of this error
> before. If I self-sign a certificate and test it with the 2.2.14 server, it
> seems to work (except for the expected error message regarding self-signed
> certificates).
>
> Searching on Google has led me to try forcing Apache to compile with prefork
> enabled (but it seems to default to that anyway on Solaris). I've also tried
> statically linking Apache during compile with the same results.
>
> If anyone has any ideas or suggestions, I'd very much appreciate them...
>
> Thank you,
> John

--
Sander Temme
scte...@apache.org
PGP FP: 51B4 8727 466A 0BC3 69F4 B7B8 B2BE BC40 1529 24AF
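The check behind the explanation above, as an added example that is not part of the thread: it confirms that a private key belongs to a certificate and that the certificate's issuer name matches the intermediate, which are the three files passed to s_server above. The function names and the throwaway CA, keys and certificate are constructed for the illustration; it assumes RSA keys and an openssl binary on PATH.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes RSA keys and openssl on PATH.

# RSA modulus of the public key in a PEM certificate ("Modulus=...").
cert_modulus() { openssl x509 -noout -modulus -in "$1" 2>/dev/null; }

# RSA modulus of a PEM private key. A passphrase-protected key makes
# openssl prompt for the passphrase.
key_modulus() { openssl rsa -noout -modulus -in "$1" 2>/dev/null; }

# cert_matches_key CERT KEY
# 0: key belongs to certificate, 1: mismatch, 2: a file could not be parsed.
cert_matches_key() {
    c=$(cert_modulus "$1") || return 2
    k=$(key_modulus "$2") || return 2
    [ -n "$c" ] || return 2
    [ "$c" = "$k" ]
}

# chain_links CERT ISSUER_CERT
# 0 when the issuer name of CERT equals the subject name of ISSUER_CERT.
# This is a name comparison, not a signature check, and only the first
# certificate in each file is read.
chain_links() {
    i=$(openssl x509 -noout -issuer_hash -in "$1" 2>/dev/null) || return 2
    s=$(openssl x509 -noout -subject_hash -in "$2" 2>/dev/null) || return 2
    [ "$i" = "$s" ]
}

# audit_tls_files CERT KEY CHAIN: prints one line per check, returns 0 if
# both checks pass.
audit_tls_files() {
    status=0
    rc=0; cert_matches_key "$1" "$2" || rc=$?
    case $rc in
        0) echo "OK       key belongs to certificate" ;;
        1) echo "MISMATCH key does not belong to certificate"; status=1 ;;
        *) echo "ERROR    cannot read certificate or key"; status=1 ;;
    esac
    rc=0; chain_links "$1" "$3" || rc=$?
    case $rc in
        0) echo "OK       certificate issuer matches chain file subject" ;;
        1) echo "MISMATCH chain file is not the issuer of the certificate"; status=1 ;;
        *) echo "ERROR    cannot read certificate or chain file"; status=1 ;;
    esac
    return $status
}

# Constructed sample material written under directory $1: a throwaway CA,
# a server key and certificate signed by it, and an unrelated second key.
make_samples() {
    d=$1
    openssl genrsa -out "$d/ca.key" 2048 2>/dev/null &&
    openssl req -new -x509 -key "$d/ca.key" -subj "/CN=Constructed Test CA" \
        -days 1 -out "$d/ca.crt" 2>/dev/null &&
    openssl genrsa -out "$d/server.key" 2048 2>/dev/null &&
    openssl req -new -key "$d/server.key" -subj "/CN=www.example.test" \
        -out "$d/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/server.crt" 2>/dev/null &&
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null
}

if [ "$#" -eq 3 ]; then
    # Real files: CERT KEY CHAIN
    audit_tls_files "$1" "$2" "$3"
else
    # No arguments: run both the matching and the mismatched case on the
    # constructed samples.
    demo_dir=$(mktemp -d) && make_samples "$demo_dir" && {
        audit_tls_files "$demo_dir/server.crt" "$demo_dir/server.key" "$demo_dir/ca.crt" || true
        audit_tls_files "$demo_dir/server.crt" "$demo_dir/other.key" "$demo_dir/ca.crt" || true
    }
    rm -rf "$demo_dir"
fi
```

Called with three arguments, the script audits the given certificate, key and chain files instead of the constructed samples.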
[us...@httpd] Re: webdav and permissions [Solved]
On 23-Nov-2009, at 18:10, LuKreme wrote:

> <
> RewriteEngine On
> RewriteBase /
> RewriteCond %{REQUEST_FILENAME} !-f
> RewriteCond %{REQUEST_FILENAME} !-d
> RewriteRule . /index.php [L]
> RewriteRule ^u/([0-9]+)$ wp-content/plugins/short-url-plugin/u.php?$1|$2
>

I modified the htaccess file hoping I could eliminate the webdav issue. My webdav mount is webdav.example.com, so I did this:

    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{HTTP_HOST} !^webdav
    RewriteRule . /index.php [L]
    RewriteRule ^u/([0-9]+)$ wp-content/plugins/short-url-plugin/u.php?$1|$2

That has fixed the problem and it is now possible to access the entire web space via webdav.

--
I WILL NOT BRIBE PRINCIPAL SKINNER
Bart chalkboard Ep. 8F03
Re: [us...@httpd] SSL on Apache 2.2.14
Thank you for the reply.

Unfortunately, upgrading Solaris isn't an option. Here is the version I have to work with (quite old..):

    bash-2.05# cat /etc/release
    Solaris 9 4/04 s9s_u6wos_08a SPARC
    Copyright 2004 Sun Microsystems, Inc. All Rights Reserved.
    Use is subject to license terms.
    Assembled 22 March 2004
    bash-2.05# uname -a
    SunOS lucky 5.9 Generic_118558-17 sun4u sparc SUNW,Sun-Fire-V250

I've been using the Sun cc, not gcc, to compile everything.

Here is the output from the openSSL commands:

    openssl -certsetc etc
    Using default temp DH parameters
    Using default temp ECDH parameters
    ACCEPT
    -BEGIN SSL SESSION PARAMETERS-
    MHUCAQECAgMBBAIAOQQgXdTo4sJayMnyXJOOV7YI1JLumr7lqj4Sj+kZZTIeX2wE
    MO2ne8Ry2DUppChW6xz01mi4gMU+WsyaH6SPREMHpFcSCBYmpX5sD+VVBS3F/Ajy
    V6EGAgRLDXPAogQCAgEspAYEBAE=
    -END SSL SESSION PARAMETERS-
    Shared ciphers:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:IDEA-CBC-SHA:RC4-SHA:RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5
    CIPHER is DHE-RSA-AES256-SHA

And on the other terminal:

    bash-2.05$ openssl s_client -connect localhost:4433
    CONNECTED(0003)
    depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA
    verify error:num=20:unable to get local issuer certificate
    verify return:0
    ---
    Certificate chain
     0 s:/C=US/ST=California/L=Livermore/O=Lawrence Livermore National Laboratory/OU=Environmental Restoration Division erdc/CN=www-erdc.llnl.gov
       i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA
     1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA
       i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
    ---
    Server certificate
    -BEGIN CERTIFICATE-
    certificate hash...
    -END CERTIFICATE-
    subject=/C=US/ST=California/L=Livermore/O=Lawrence Livermore National Laboratory/OU=Environmental Restoration Division erdc/CN=www-erdc.llnl.gov
    issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 2973 bytes and written 258 bytes
    ---
    New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
    Server public key is 1024 bit
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol : TLSv1
        Cipher: DHE-RSA-AES256-SHA
        Session-ID: 5DD4E8E2C25AC8C9F25C938E57B608D492EE9ABEE5AA3E128FE91965321E5F6C
        Session-ID-ctx:
        Master-Key: EDA77BC472D83529A42856EB1CF4D668B880C53E5ACC9A1FA48F444307A45712081626A57E6C0FE555052DC5FC08F257
        Key-Arg : None
        Start Time: 1259172800
        Timeout : 300 (sec)
        Verify return code: 20 (unable to get local issuer certificate)
    ---

Looks like there is a problem with one of the certificates, but I'm not sure how to proceed...

Again, thank you for your help, I appreciate it.

Regards,
John

On Nov 25, 2009, at 10:00 AM, daniel.goul...@and.co.uk wrote:

> This sounds like a Solaris bug.
>
> Make sure you have a recent version of Solaris or the latest patches installed...
>
> What release/patch level are you using?
>
> Danny
Re: [us...@httpd] Apache httpd replication / proxy mirror server?
nino martinez wael wrote:

> It's a bit complicated. So I'll try to explain it in a simple way.
>
> The users are calling (via phone) an IVR application which in turn interprets vxml. The vxml page then has an option to record and save the recording. When the vxml page saves the recording it saves towards tomcat which then places the file in a repository which then are served by Apache httpd, we have more apache http servers for failover and it's here the need for replication comes.
>
> All this we can code our way out of, but if there's something already that does this it would be nice with some recycling. I was thinking that the Apache http server that got the new file could push it to the others.

All right. I have no idea what IVR is and no wish to look up another acronym, but I think I get the idea.

So, the answer is still no, there isn't a standard Apache module that will do that kind of synchronisation. Specially since the way you explain it, Apache itself has no idea that this file has been loaded in the first place, nor where.

So it is either taking care of it at the level of your own code, or use rsync as someone else suggested earlier (and which is probably the best idea overall). rsync also works under Windows, we use it. And if you have trouble setting it up, nowadays setting up a Linux box is really not difficult. You could set up one just to do that, which would take care of synchronising between all your servers. It is very efficient, as it will only copy whatever changes, even within files.

As for the ideas I was referring to earlier, it would have been different if the files were uploaded via DAV for example, because then Apache /would/ know.
Re: [us...@httpd] Re: RewriteRule in neither "foo/.htaccess" nor ".htaccess" can match http://example.com/.../foo
Jack Bates wrote:
...

Hi again.

I am not saying here that you are necessarily wrong, or that there is not a good justification to what you are trying to do, or to what you asserted at the end of the previous post.

But one thing you should be aware of, is that when you place instructions in a .htaccess file, you are in fact asking Apache to walk down the whole directory tree, applying all its configuration rules level by level as it does so, until it gets to the level of the directory where it finds the first .htaccess file. Then, because this .htaccess rewrites the URL, you are basically telling Apache to throw away all the result of its previous work, and to start again at the top with the new URL. Then, in your case and assuming everything works down to that level, it will end up at the level of the subdirectory, and find again a .htaccess with rewrite rules. So it will again rewrite the URL, and again restart at the top.

In the best of cases, that is rather inefficient. In the less best case, you have missed an intermediate transformation somewhere, which is leading to a series of rules being applied, that is different from what you expect.

My personal point of view is that one should avoid .htaccess files if one can, which is most of the time when one has access and can modify the main server configuration files, as you seem to be able to. .htaccess should be reserved for cases where one does not have access to the server configuration, and only to one's own directory for instance.

I have not followed your rules step by step, and do not really wish to, and do not have access to your full configuration sequence of directives anyway. But given that Apache is being used on hundreds of thousands of sites, many of them using mod_rewrite and .htaccess files, and apparently seems to be doing fine most of the time, my current odds would be in the order of magnitude Apache 10 / Jack 1.

It may be so for instance that what is interpreted the first way around as the request filename, is no longer considered as such if there is a subdirectory below the current one. Or some other such apparently obscure side-effect.

So anyway, if it does not work the way you want when you have a hierarchical set of rewrite rules in .htaccess files, it may be worth asking yourself if it is not possible to remove one such level and move the corresponding rules into the main part of the configuration, which would probably be more efficient anyway.
Re: [us...@httpd] SSL on Apache 2.2.14
On Nov 25, 2009, at 10:17 AM, John J. Consolati wrote:

> Thank you for the reply.
>
> Unfortunately, upgrading Solaris isn't an option. Here is the version I have
> to work with (quite old..):
>
> bash-2.05# cat /etc/release
> Solaris 9 4/04 s9s_u6wos_08a SPARC
> Copyright 2004 Sun Microsystems, Inc. All Rights Reserved.
> Use is subject to license terms.
> Assembled 22 March 2004
> bash-2.05# uname -a
> SunOS lucky 5.9 Generic_118558-17 sun4u sparc SUNW,Sun-Fire-V250
>
> I've been using the Sun cc, not gcc, to compile everything.
>
> Here is the output from the openSSL commands:
>
> openssl -certsetc etc

What is your complete command line here?

> Using default temp DH parameters
> Using default temp ECDH parameters
> ACCEPT
> -BEGIN SSL SESSION PARAMETERS-
> MHUCAQECAgMBBAIAOQQgXdTo4sJayMnyXJOOV7YI1JLumr7lqj4Sj+kZZTIeX2wE
> MO2ne8Ry2DUppChW6xz01mi4gMU+WsyaH6SPREMHpFcSCBYmpX5sD+VVBS3F/Ajy
> V6EGAgRLDXPAogQCAgEspAYEBAE=
> -END SSL SESSION PARAMETERS-
> Shared ciphers:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:IDEA-CBC-SHA:RC4-SHA:RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5
> CIPHER is DHE-RSA-AES256-SHA
>
> And on the other terminal:
>
> bash-2.05$ openssl s_client -connect localhost:4433
> CONNECTED(0003)
> depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at
> https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA
> verify error:num=20:unable to get local issuer certificate
> verify return:0

That's not a problem, just OpenSSL complaining it can't find the Verisign root cert. If you happen to have a copy of that (like your browser does) and point openssl s_client to it, it can verify all the way to the top. This does not impact the connection itself.

> ---
> Certificate chain
> 0 s:/C=US/ST=California/L=Livermore/O=Lawrence Livermore National
> Laboratory/OU=Environmental Restoration Division erdc/CN=www-erdc.llnl.gov
> i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at
> https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA
> 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at
> https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA
> i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
> ---
> Server certificate
> -BEGIN CERTIFICATE-
> certificate hash...
> -END CERTIFICATE-
> subject=/C=US/ST=California/L=Livermore/O=Lawrence Livermore National
> Laboratory/OU=Environmental Restoration Division erdc/CN=www-erdc.llnl.gov
> issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at
> https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 2973 bytes and written 258 bytes
> ---
> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> Server public key is 1024 bit
> Compression: NONE
> Expansion: NONE
> SSL-Session:
> Protocol : TLSv1
> Cipher: DHE-RSA-AES256-SHA
> Session-ID: 5DD4E8E2C25AC8C9F25C938E57B608D492EE9ABEE5AA3E128FE91965321E5F6C
> Session-ID-ctx:
> Master-Key: EDA77BC472D83529A42856EB1CF4D668B880C53E5ACC9A1FA48F444307A45712081626A57E6C0FE555052DC5FC08F257
> Key-Arg : None
> Start Time: 1259172800
> Timeout : 300 (sec)
> Verify return code: 20 (unable to get local issuer certificate)
> ---
>
> Looks like there is a problem with one of the certificates, but I'm not sure
> how to proceed...

At this point, you have a valid handshake, and the client and server have exchanged data encrypted and MACed with the session keys. All is well. You could type on the command line 'GET / HTTP/1.0\r\r' (two returns) and you'll get the status page generated by openssl s_server -www.

This means you have a configuration problem with Apache. Make sure you're using the ssl and crypto libraries that you think you are by running ldd on the httpd binary and the mod_ssl.so binary. While the Solaris build environment usually gets this right by hardcoding the path to the libraries at link time, make sure this is ok at run time.

Then, make sure your server is configured correctly, and that your SSL virtual host(s) use the correct combination of SSLCertificateFile and SSLCertificateKeyFile.

S.

> Again, thank you for your help, I appreciate it.
>
> Regards,
> John
>
> On Nov 25, 2009, at 10:00 AM, daniel.goul...@and.co.uk wrote:
>
>> This sounds like a Solaris bug.
>>
>> Make sure you have a recent version of Solaris or the latest patches
>> installed...
>>
>> What release/patch level are you using?
>>
>> Danny
Re: [us...@httpd] SSL on Apache 2.2.14
Here is the complete command:

    openssl s_server -cert /erd/www/erd/server/apache/httpd-2.2.14/installed/conf/ssl.crt/www-erdc.crt -key /erd/www/erd/server/apache/httpd-2.2.14/installed/conf/ssl.key/www-erdc.secureprivate.key -CAfile /erd/www/erd/server/apache/httpd-2.2.14/installed/conf/ssl.crt/intermediate.crt -www

Your suggested 'GET / HTTP/1.0\r\r' was successful.

However, I found something interesting doing an ldd -- a few of them have wrong paths:

    bash-2.05# ldd httpd
    libm.so.1 => /usr/lib/libm.so.1
    libaprutil-1.so.0 => /wrong/path
    libexpat.so.0 => /wrong/path
    libapr-1.so.0 => /wrong/path
    libuuid.so.1 => /usr/lib/libuuid.so.1
    libsendfile.so.1 => /usr/lib/libsendfile.so.1
    librt.so.1 => /usr/lib/librt.so.1
    libsocket.so.1 => /usr/lib/libsocket.so.1
    libnsl.so.1 => /usr/lib/libnsl.so.1
    libpthread.so.1 => /usr/lib/libpthread.so.1
    libdl.so.1 => /usr/lib/libdl.so.1
    libthread.so.1 => /usr/lib/libthread.so.1
    libc.so.1 => /usr/lib/libc.so.1
    libucb.so.1 => (file not found)
    libresolv.so.2 => /usr/lib/libresolv.so.2
    libelf.so.1 => /usr/lib/libelf.so.1
    libucb.so.1 => /usr/ucblib/libucb.so.1
    libaio.so.1 => /usr/lib/libaio.so.1
    libmd5.so.1 => /usr/lib/libmd5.so.1
    libmp.so.2 => /usr/lib/libmp.so.2
    /usr/platform/SUNW,Sun-Fire-V250/lib/libc_psr.so.1
    /usr/platform/SUNW,Sun-Fire-V250/lib/libmd5_psr.so.1

I wasn't sure where to find mod_ssl.so -- I could only find mod_ssl.h. Is there a way to change the links without rebuilding?

Thank you,
John
Re: [us...@httpd] SSL on Apache 2.2.14
Just checked into it further, and the ldd might not be a problem (I think?) The LD_LIBRARY_PATH env variable is being set to a location where the /wrong/path files are. Is that a good enough solution?

As far as the Apache configuration, it is correct to my knowledge...I followed the appropriate directions on the Apache site. SSLCertificateFile points to my server.crt, SSLCertificateKeyFile points to my private.key, and SSLCACertificateFile points to my intermediate.crt...

Thanks,
John
Re: [us...@httpd] SSL on Apache 2.2.14
John,

You should not need to upgrade Solaris. I've got apache running on a solaris 9 box just fine.

Your "wrong path" shouldn't be a problem either. Those are just "the last place to look" for an .so. Solaris will use what is in the 'crle' command and the LD_LIBRARY_PATH environment variable first (I'm not sure of the order).

You may or may not have a mod_ssl.so, depending on how you compiled apache. If you run:

    httpd -l

(that's an el) it will list out which modules are compiled in. If you see mod_ssl.c, you will not have a mod_ssl.so. Otherwise, mod_ssl.so should normally be in your apache's modules subdirectory.

Do you only get the error on Firefox and not IE?

Dan
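The ldd check suggested earlier in the thread and the library search order discussed above, as an added example that is not part of any message: a filter that reads ldd output and reports libraries that did not resolve, libraries resolved outside the directories you expect, and libssl/libcrypto coming from two different directories. The function names, the MISSING/UNEXPECTED/TLS/MIXED_TLS_DIRS labels and every path in the sample are constructed for the illustration.

```shell
#!/bin/sh
# Added example, not from the thread.

# audit_ldd ALLOWED_DIRS
# Reads `ldd` output on stdin. ALLOWED_DIRS is a colon-separated list of the
# directories libraries are expected to load from. Prints:
#   MISSING lib             the runtime linker could not find the library
#   UNEXPECTED lib path     resolved, but outside ALLOWED_DIRS
#   TLS lib path            where libssl / libcrypto resolved
#   MIXED_TLS_DIRS d1 d2    libssl and libcrypto come from different dirs
audit_ldd() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, prefix, ":") }
        $2 != "=>" { next }              # lines without a name => path mapping
        { lib = $1; path = $3 }
        /not found/ { print "MISSING " lib; next }
        {
            ok = 0
            for (i = 1; i <= n; i++)
                if (prefix[i] != "" && index(path, prefix[i] "/") == 1)
                    ok = 1
            if (lib ~ /^lib(ssl|crypto)\./) {
                print "TLS " lib " " path
                dir = path
                sub("/[^/]*$", "", dir)  # strip the file name
                if (!(dir in seen)) { seen[dir] = 1; dirs = dirs " " dir; nd++ }
            }
            if (!ok) print "UNEXPECTED " lib " " path
        }
        END { if (nd > 1) print "MIXED_TLS_DIRS" dirs }
    '
}

# Constructed sample in the layout Solaris ldd prints. The paths are
# invented for the example and are not the ones from the thread.
sample_ldd_output() {
    cat <<'EOF'
        libm.so.1 =>     /usr/lib/libm.so.1
        libssl.so.0.9.8 =>       /opt/openssl-old/lib/libssl.so.0.9.8
        libcrypto.so.0.9.8 =>    /opt/openssl-new/lib/libcrypto.so.0.9.8
        libapr-1.so.0 =>         /opt/apache/lib/libapr-1.so.0
        libucb.so.1 =>   (file not found)
        libc.so.1 =>     /usr/lib/libc.so.1
        /usr/platform/SUNW,Sun-Fire-V250/lib/libc_psr.so.1
EOF
}

# Demonstration on the constructed sample.
sample_ldd_output |
    audit_ldd "/usr/lib:/usr/ucblib:/opt/apache/lib:/opt/openssl-new/lib"
```

For a real check, pipe `ldd` of the httpd binary, and of mod_ssl.so when it exists, into `audit_ldd` from a shell that has the same LD_LIBRARY_PATH as the environment httpd is started in, since ldd resolves against the environment it runs under. No TLS line for httpd means OpenSSL is pulled in by mod_ssl.so or linked statically.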
Re: [us...@httpd] SSL on Apache 2.2.14
John,

This is a (very) short explanation of the error code at:

http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html

and this one has a possible cause:

http://serverfault.com/questions/63167/sslerrorbadmacalert-error-in-firefox

You might want to Google the message for more info.

Dan

Please respond to users@httpd.apache.org
To: users@httpd.apache.org
cc: (bcc: Dan Mitton/YD/RWDOE)
Subject: [us...@httpd] SSL on Apache 2.2.14
LSN: Not Relevant
User Filed as: Not a Record

Hello,

Hopefully someone will be able to help, as I've been working on this problem for quite a while and have hit a wall.

I'm trying to upgrade Apache 2.0.47 to 2.2.14, and I need SSL support. Everything seems to build and compile okay, but when I try to access my site running on 2.2.14, I get a strange error from Firefox:

"Secure connection failed. An error occurred during a connection to xx. SSL peer reports incorrect Message Authentication Code. (Error code: ssl_error_bad_mac_alert)."

I've tried compiling with OpenSSL 0.9.8L and 0.9.8G with the same results. This is hosted on a Solaris sparc box. The 2.2.14 server is utilizing all the same files and SSL certificates as the 2.0.47 server.

I've called Verisign; I have valid certificates, but they've never heard of this error before. If I self-sign a certificate and test it with the 2.2.14 server, it seems to work (except for the expected error message regarding self-signed certificates).

Searching on Google has led me to try forcing Apache to compile with prefork enabled (but it seems to default to that anyway on Solaris). I've also tried statically linking Apache during compile with the same results.

If anyone has any ideas or suggestions, I'd very much appreciate them...

Thank you,
John

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
   " from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
[us...@httpd] name based virtual hosts for multiple domains?
Hi,

I have a VPS running Debian and Apache 2.2 and I'd like to setup name based virtual hosts in Apache for several domains and I will have several subdomains for each domain. Is this possible? For example:

www.site1.org with subdomains blog.site1.org, wiki.site1.org

www.site2.org with subdomains blog.site2.org, wiki.site2.org

And if someone only types "site1.org" I want it to automatically serve them the content that "www.site1.org" gets.

Any tips appreciated!

Zach
Re: [us...@httpd] name based virtual hosts for multiple domains?
On Wed, Nov 25, 2009 at 4:35 PM, Zachary Uram wrote:

> Hi,
>
> I have a VPS running Debian and Apache 2.2 and I'd like to setup name
> based virtual hosts in Apache for several domains and I will have
> several subdomains for each domain. Is this possible? For example:
>
> www.site1.org with subdomains blog.site1.org, wiki.site1.org
>
> www.site2.org with subdomains blog.site2.org, wiki.site2.org
>
> And if someone only types "site1.org" I want it to automatically
> serve them the content that "www.site1.org" gets.
>
> Any tips appreciated!
>
> Zach

I really like the documentation provided here:

http://httpd.apache.org/docs/2.2/vhosts/examples.html

I hope it helps.

-r
Re: [us...@httpd] SSL on Apache 2.2.14
Dan,

The error occurs on both Safari and Firefox on Apache 2.2.14. We don't have IE in our environment. Both Safari and Firefox work as they should with 2.0.47.

It looks like mod_ssl.c is compiled in -- it shows up with httpd -l.

I've checked the links you sent me. The description doesn't provide a whole lot of detail, and, according to the other one, I checked to make sure I am using prefork instead of MPM -- it seems to default to prefork anyway, but I specified it in the /config before compilation.

I've Googled to my wit's end for several days without finding anything conclusive. Some pages hint at compilation options, others at compilers (I'm using Sun's cc, not gcc), but nothing conclusive.

Here is one question I couldn't find the answer to, though: if I requested a server certificate using a specific version of OpenSSL, can I use that same certificate in a different version of Apache with a different version of OpenSSL? Or do I have to re-request if I upgrade OpenSSL? A long shot I know, but I'm running out of options...

Thank you for the help,
John

On Nov 25, 2009, at 12:07 PM, dan_mit...@ymp.gov wrote:

John,

You should not need to upgrade Solaris. I've got apache running on a solaris 9 box just fine.

Your "wrong path" shouldn't be a problem either. Those are just "the last place to look" for an .so. Solaris will use what is in the 'crle' command and the LD_LIBRARY_PATH environment variable first (I'm not sure of the order).

You may or may not have a mod_ssl.so, depending on how you compiled apache. If you run:

httpd -l (that's an el)

It will list out which modules are compiled in. If you see mod_ssl.c, you will not have a mod_ssl.so. Otherwise, mod_ssl.so should normally be in your apache's modules subdirectory.

Do you only get the error on Firefox and not IE?

Dan

Please respond to users@httpd.apache.org
To: users@httpd.apache.org
cc: (bcc: Dan Mitton/YD/RWDOE)
Subject: Re: [us...@httpd] SSL on Apache 2.2.14
LSN: Not Relevant
User Filed as: Not a Record

Here is the complete command:

openssl s_server -cert /erd/www/erd/server/apache/httpd-2.2.14/installed/conf/ssl.crt/www-erdc.crt -key /erd/www/erd/server/apache/httpd-2.2.14/installed/conf/ssl.key/www-erdc.secureprivate.key -CAfile /erd/www/erd/server/apache/httpd-2.2.14/installed/conf/ssl.crt/intermediate.crt -www

Your suggested 'GET / HTTP/1.0\r\r' was successful.

However, I found something interesting doing an ldd -- a few of them have wrong paths:

bash-2.05# ldd httpd
        libm.so.1 => /usr/lib/libm.so.1
        libaprutil-1.so.0 => /wrong/path
        libexpat.so.0 => /wrong/path
        libapr-1.so.0 => /wrong/path
        libuuid.so.1 => /usr/lib/libuuid.so.1
        libsendfile.so.1 => /usr/lib/libsendfile.so.1
        librt.so.1 => /usr/lib/librt.so.1
        libsocket.so.1 => /usr/lib/libsocket.so.1
        libnsl.so.1 => /usr/lib/libnsl.so.1
        libpthread.so.1 => /usr/lib/libpthread.so.1
        libdl.so.1 => /usr/lib/libdl.so.1
        libthread.so.1 => /usr/lib/libthread.so.1
        libc.so.1 => /usr/lib/libc.so.1
        libucb.so.1 => (file not found)
        libresolv.so.2 => /usr/lib/libresolv.so.2
        libelf.so.1 => /usr/lib/libelf.so.1
        libucb.so.1 => /usr/ucblib/libucb.so.1
        libaio.so.1 => /usr/lib/libaio.so.1
        libmd5.so.1 => /usr/lib/libmd5.so.1
        libmp.so.2 => /usr/lib/libmp.so.2
        /usr/platform/SUNW,Sun-Fire-V250/lib/libc_psr.so.1
        /usr/platform/SUNW,Sun-Fire-V250/lib/libmd5_psr.so.1

I wasn't sure where to find mod_ssl.so -- I could only find mod_ssl.h. Is there a way to change the links without rebuilding?

Thank you,
John

On Nov 25, 2009, at 11:21 AM, Sander Temme wrote:

>
> On Nov 25, 2009, at 10:17 AM, John J. Consolati wrote:
>
>> Thank you for the reply.
>>
>> Unfortunately, upgrading Solaris isn't an option.
[us...@httpd] apache 2.2.13 SSL renegotiation vulnerability
Hello,

I've seen that 2.2.14 comes with a patch for the recent SSL renegotiation vulnerability. Could anybody tell me if there is a patch available for apache 2.2.13 .. I am not ready to update yet.

Thank you.

David
Re: [us...@httpd] SSL on Apache 2.2.14
We are only at Apache 2.2.9, but don't have any problems. The command I use to build apache with is:

./configure --prefix=/usr/local/apache-2.2.9 --with-ssl=/usr/local/ssl --with-z=/usr/local/lib --enable-ssl --enable-cache --enable-disk-cache --enable-mem-cache --enable-autoindex --enable-mods-shared="rewrite ssl dav dav-fs proxy"

of course, this is building a shared mod_ssl.so, and a few other things. We use gcc instead of Sun's. Can you try it with gcc? I can't imagine that is the problem, but it might be worth a test.

We have changed both Apache and OpenSSL versions, several times, and never had any certificate problems.

Here is one thing to look into... Looking back at your 'ldd httpd' output, there is no mention of libssl or libcrypt, so I assume that you are statically linking them in. Are you sure that you are picking up the OpenSSL version and not Sun's default installed version in /lib ? Can you post your build command? Personally, I like dynamic linking, so that you can upgrade to a new OpenSSL, without having to redo everything that uses it.

Dan

Please respond to users@httpd.apache.org
To: users@httpd.apache.org
cc: (bcc: Dan Mitton/YD/RWDOE)
Subject: Re: [us...@httpd] SSL on Apache 2.2.14
LSN: Not Relevant
User Filed as: Not a Record

Dan,

The error occurs on both Safari and Firefox on Apache 2.2.14. We don't have IE in our environment. Both Safari and Firefox work as they should with 2.0.47.

It looks like mod_ssl.c is compiled in -- it shows up with httpd -l.

I've checked the links you sent me. The description doesn't provide a whole lot of detail, and, according to the other one, I checked to make sure I am using prefork instead of MPM -- it seems to default to prefork anyway, but I specified it in the /config before compilation.

I've Googled to my wit's end for several days without finding anything conclusive. Some pages hint at compilation options, others at compilers (I'm using Sun's cc, not gcc), but nothing conclusive.
Re: [us...@httpd] SSL on Apache 2.2.14
Here are the build commands I've tried:

./configure --prefix=/home/consolati1/apache/httpd-2.2.14/installed --enable-static-support --enable-ssl --with-ssl=/home/consolati1/openssl/openssl-0.9.8l/installed --with-mpm=prefork

./configure --prefix=/home/consolati1/apache/httpd-2.2.14/installed/ --enable-ssl --with-ssl=/home/consolati1/openssl/openssl-0.9.8g/installed/ (currently using this one)

Both of them result in the same thing, and were the commands my predecessor used. I will try building it with the configure command you sent. I haven't personally tried gcc, but my coworkers have left extensive notes of errors that gcc throws. It couldn't hurt to try again.

It is odd that libssl and libcrypt aren't in there -- I tried building statically, as you can see, but the httpd -l that I posted was from the second one (which should be dynamic). Any ideas why they're missing?

Thanks,
John

On Nov 25, 2009, at 2:14 PM, dan_mit...@ymp.gov wrote:

We are only at Apache 2.2.9, but don't have any problems. The command I use to build apache with is:

./configure --prefix=/usr/local/apache-2.2.9 --with-ssl=/usr/local/ssl --with-z=/usr/local/lib --enable-ssl --enable-cache --enable-disk-cache --enable-mem-cache --enable-autoindex --enable-mods-shared="rewrite ssl dav dav-fs proxy"

of course, this is building a shared mod_ssl.so, and a few other things. We use gcc instead of Sun's. Can you try it with gcc? I can't imagine that is the problem, but it might be worth a test.

We have changed both Apache and OpenSSL versions, several times, and never had any certificate problems.

Here is one thing to look into... Looking back at your 'ldd httpd' output, there is no mention of libssl or libcrypt, so I assume that you are statically linking them in. Are you sure that you are picking up the OpenSSL version and not Sun's default installed version in /lib ? Can you post your build command?
Re: [us...@httpd] SSL on Apache 2.2.14
I would stick with openssl-0.9.8l, the others have a bunch of vulnerabilities, but that can get taken care of once this other problem is fixed :)

When you built OpenSSL, did you build it "shared"? My command is:

./config shared zlib-dynamic --prefix=/usr/local/ssl-0.9.8l --openssldir=/usr/local/ssl-0.9.8l

are your openssl libraries in:

/home/consolati1/openssl/openssl-0.9.8g/installed/

or are they in:

/home/consolati1/openssl/openssl-0.9.8g/installed/lib

you should have a libssl.so.0.9.8 and libcrypto.so.0.9.8 somewhere.

Please respond to users@httpd.apache.org
To: users@httpd.apache.org
cc: (bcc: Dan Mitton/YD/RWDOE)
Subject: Re: [us...@httpd] SSL on Apache 2.2.14
LSN: Not Relevant
User Filed as: Not a Record

Here are the build commands I've tried:

./configure --prefix=/home/consolati1/apache/httpd-2.2.14/installed --enable-static-support --enable-ssl --with-ssl=/home/consolati1/openssl/openssl-0.9.8l/installed --with-mpm=prefork

./configure --prefix=/home/consolati1/apache/httpd-2.2.14/installed/ --enable-ssl --with-ssl=/home/consolati1/openssl/openssl-0.9.8g/installed/ (currently using this one)

Both of them result in the same thing, and were the commands my predecessor used. I will try building it with the configure command you sent. I haven't personally tried gcc, but my coworkers have left extensive notes of errors that gcc throws. It couldn't hurt to try again.

It is odd that libssl and libcrypt aren't in there -- I tried building statically, as you can see, but the httpd -l that I posted was from the second one (which should be dynamic). Any ideas why they're missing?

Thanks,
John

On Nov 25, 2009, at 2:14 PM, dan_mit...@ymp.gov wrote:

>
> We are only at Apache 2.2.9, but don't have any problems.
Re: [us...@httpd] name based virtual hosts for multiple domains?
> I have a VPS running Debian and Apache 2.2 and I'd like to setup name
> based virtual hosts in Apache for several domains and I will have
> several subdomains for each domain. Is this possible? For example:

Sure you can. Look at doc on apache.org and look at module vhost_alias since it's usually used to achieve similar goals you want to reach.

iñ
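The layout asked about in this thread, written out as explicit name-based virtual hosts for Apache 2.2 rather than with mod_vhost_alias. This is an added example, not part of any post above; the document roots, log paths and the catch-all host are assumptions.

```apache
# Added example for Apache 2.2 on Debian; all /var/www and /var/log
# paths are assumed, adjust them to the real layout.

# 2.2 needs NameVirtualHost before name-based matching works on an
# address:port. Debian's packaged ports.conf normally already has this
# line; keep only one copy.
NameVirtualHost *:80

# The first vhost defined for an address:port is the default: it
# answers every request whose Host header matches no ServerName or
# ServerAlias below. Make it an explicit dead end so unknown or forged
# host names never land on real content.
<VirtualHost *:80>
    ServerName default.invalid
    DocumentRoot /var/www/default
    <Directory /var/www/default>
        Order allow,deny
        Deny from all
    </Directory>
</VirtualHost>

# www.site1.org; the bare domain is an alias and gets the same content.
<VirtualHost *:80>
    ServerName www.site1.org
    ServerAlias site1.org
    DocumentRoot /var/www/site1.org/www
    # Per-site logs keep each domain's traffic separately auditable.
    # "combined" is the LogFormat nickname from the stock configuration.
    ErrorLog /var/log/apache2/site1.org-error.log
    CustomLog /var/log/apache2/site1.org-access.log combined
</VirtualHost>

<VirtualHost *:80>
    ServerName blog.site1.org
    DocumentRoot /var/www/site1.org/blog
</VirtualHost>

<VirtualHost *:80>
    ServerName wiki.site1.org
    DocumentRoot /var/www/site1.org/wiki
</VirtualHost>

# The second domain repeats the pattern with its own roots and logs.
<VirtualHost *:80>
    ServerName www.site2.org
    ServerAlias site2.org
    DocumentRoot /var/www/site2.org/www
    ErrorLog /var/log/apache2/site2.org-error.log
    CustomLog /var/log/apache2/site2.org-access.log combined
</VirtualHost>

<VirtualHost *:80>
    ServerName blog.site2.org
    DocumentRoot /var/www/site2.org/blog
</VirtualHost>

<VirtualHost *:80>
    ServerName wiki.site2.org
    DocumentRoot /var/www/site2.org/wiki
</VirtualHost>
```

Running `apache2ctl -S` after a reload prints the parsed virtual host map, including which vhost is the default for *:80.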
[us...@httpd] Limiting Connection per virtual host and Custom messaging
Apache 2.11: Couple of questions:

1. Is there a way to limit Max Client Connections per virtual host?

2. When Max Connection is reached, is there a way to return custom error message in the response? For eg: "Please try again in 15mts."
[us...@httpd] limiting directory/file content?
I wish to use Apache 2.2 to limit where users may go. I wish to avert the so-called "fishing" where a user sees: (note that I will be using name based virtual hosts to host multiple domains on the same physical server/same ip)

http://www.site.org/whatever/something.html

and tries to access

http://www.site.org/whatever/

I would like it on a directory basis, a file basis may be needed later but not for now. How may I achieve this? A sample config info would be appreciated since I never did this before :)

If a user tries to access a forbidden directory I wish to display a custom message to them like "Stop that!" or something so also how may I do that?

Thanks and Happy Thanksgiving!

Zach
Re: [us...@httpd] limiting directory/file content?
> http://www.site.org/whatever/something.html and tries to access
> http://www.site.org/whatever/ I would like it on a directory basis, a
> file basis may be needed later but not for now.

Which rule would you set to disable access? Rule based on IP for instance?

> If a user tries to access a forbidden directory I wish to display a
> custom message to them like "Stop that!" or something so also how may
> I do that?

You can do that by .htaccess combining rule for no access and customized page for message.

iñ
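One way to get the behaviour asked for in this thread on Apache 2.2, placed in the main configuration rather than in .htaccess. This is an added example, not part of either post; the document root and the file-extension pattern are assumptions.

```apache
# Added example for Apache 2.2; /var/www/site is an assumed DocumentRoot.
<VirtualHost *:80>
    ServerName www.site.org
    DocumentRoot /var/www/site

    <Directory /var/www/site>
        # No generated listings: a request for /whatever/ with no index
        # file present is answered with 403 instead of the directory
        # contents. /whatever/something.html is still served normally.
        # If a DirectoryIndex file (e.g. index.html) exists in the
        # directory, that file is served and no 403 is produced.
        Options -Indexes

        # Per-directory .htaccess files cannot switch listings back on.
        AllowOverride None

        Order allow,deny
        Allow from all
    </Directory>

    # File-basis rule for later: refuse leftover working copies by
    # name. The extension list is a constructed illustration.
    <FilesMatch "\.(bak|old|orig|swp)$">
        Order allow,deny
        Deny from all
    </FilesMatch>

    # Text returned with every 403 from this virtual host.
    ErrorDocument 403 "Stop that!"
</VirtualHost>
```

The same `Options` and `ErrorDocument` lines work from a .htaccess file only where the main configuration grants `AllowOverride Options FileInfo` for that directory.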
Re: [us...@httpd] Limiting Connection per virtual host and Custom messaging
> 1. Is there a way to limit Max Client Connections per virtual host?

At least 2:

- mod_slotlimit: http://sourceforge.net/projects/mod-slotlimit/
- Vhost Limit Module: http://modules.apache.org/search.php?id=698

iñ
RE: [us...@httpd] apache 2.2.13 SSL renegotiation vulnerability
> -----Original Message-----
> From: David Taveras [mailto:d3taveras3...@gmail.com]
> Sent: Wednesday, November 25, 2009 10:56 PM
> To: users@httpd.apache.org
> Subject: [us...@httpd] apache 2.2.13 SSL renegotiation vulnerability
>
> Hello,
>
> I've seen that 2.2.14 comes with a patch for the recent SSL
> renegotiation vulnerability. Could anybody tell me if there is a patch
> available for apache 2.2.13

The patch applies to four files in mod_ssl:

Index: modules/ssl/ssl_private.h
Index: modules/ssl/ssl_engine_init.c
Index: modules/ssl/ssl_engine_io.c
Index: modules/ssl/ssl_engine_kernel.c

If you compare the diffs between 2.2.13 and 2.2.14, you'll find that there is only a difference in one file (ssl_engine_init.c) and even that is only an edit within a line (so the line arrangement doesn't change). Therefore, the patch _should_ work just fine with 2.2.13. Try it and let us know!

> .. I am not ready to update yet.

If you're going to recompile a module, there's not much more effort to just doing the whole thing..

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored.

PS - To test the patch is working: http://www.mail-archive.com/d...@httpd.apache.org/msg46109.html

> Thank you.
>
> David