[users@httpd] Compression does not work with load balancer
When we hit apache directly, we can see "Accept Encoding: gzip,deflate" in the request header and "Content-Encoding:gzip,deflate" in the response header, so we can confirm (?) compression is working fine. However, when we hit the load balancer, which forwards the request to the same apache instance, compression does not work. No "Content-Encoding:gzip,deflate" in the response header. Any idea how we can proceed to troubleshoot this?

Things I have tried:
- I've tried enabling forensic logs; the request that comes from LB to apache has the accept encoding.
- I've checked that the deflate module is loaded.
- I've tried enabling the compression for a specific virtual host, and even at generic level, still no go.

Does this have anything to do with the virtual host or listen port configuration?

-- View this message in context: http://old.nabble.com/Compression-does-not-work-with-load-balancer-tp31274787p31274787.html Sent from the Apache HTTP Server - Users mailing list archive at Nabble.com.

- The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org; from the digest: users-digest-unsubscr...@httpd.apache.org. For additional commands, e-mail: users-h...@httpd.apache.org
[users@httpd] Virtualhost location variable
I've the following situation: I need to block the access on a particular location, as the example:

... Order Deny,Allow Deny from all Allow from localhost safenet1 safenet2 ... ...

I need to do the same for all the virtualhosts, more than 1K...

Solution1: using sed|awk put the rule inside all virtualhosts.
Solution2: How could I write some env variable that by default block the /manager uri? Is it possible?

Regards
Michele
[users@httpd] Centralised path-based authorisation
Hi list,

I'm setting up an Apache server with many path-based authorisations. The goal is to create a file server over HTTP(S). Using an FTP server is not an option. As far as I know, there are only two options available on Apache to set up these kinds of authorisations:

- .htaccess files: can become heavy resources consuming, doesn't need to restart Apache, needs to access the host filesystem.
- vhost configuration file: far less resources consuming, needs to restart apache to commit the changes, needs to access the host filesystem.

Is there another way to do this? I'm searching for something with a database authentication backend, so I can change authorisations through a service and doesn't need to restart the server.

Thanks,
-- Bastien Semene Administrateur Réseau & Système Cyanide Studio - FRANCE
[users@httpd]
Here is a small problem one of my server was shutdown for 2 months due to a migration activity. After 2 months when one of our vendors finally has migrated it when I boot the machine then I do not see any response in Apache logs. Moreover when I start or stop or restart Apache2 /etc/init.d/apache2 status I do not see any output. /etc/init.d/apache2 stop or /etc/init.d/apache2 start even does not show any thing I mean output and also ps -el | grep apache2 does not give any pid that shows Apache is running so what can I do to start apache here?
Re: [users@httpd] Centralised path-based authorisation
On 30 Mar 2011, at 10:21, Admin Cyanide wrote:

> another way to do this ?
> I'm searching for something with a database authentication backend, so I can
> change authorisations through a service and doesn't need to restart the server.

How much flexibility do you need? If you use a backend such as an SQL database or LDAP, you can maintain that without touching your apache configuration.

-- Nick Kew Available for work, contract or permanent http://www.webthing.com/~nick/cv.html
[users@httpd] Re:
Ok after some time of digging I found in /etc/init.d/ directory there are following files apache apache2.1 and apache2.2 I remember long time back when I had installed it was only apache but surprisingly I find these two files apache2.1 and apache2.2 also. Now when I did /etc/init.d/apache2.2 start then it started working but I correctly remember I had not created apache2.1 or apache2.2 or apache either so what could be the reason for creation of these files which had created this problem?

- Original Message -
From: James Godrej
To: "users@httpd.apache.org"
Cc:
Sent: Wednesday, 30 March 2011 3:39 PM
Subject:

Here is a small problem one of my server was shutdown for 2 months due to a migration activity. After 2 months when one of our vendors finally has migrated it when I boot the machine then I do not see any response in Apache logs. Moreover when I start or stop or restart Apache2 /etc/init.d/apache2 status I do not see any output. /etc/init.d/apache2 stop or /etc/init.d/apache2 start even does not show any thing I mean output and also ps -el | grep apache2 does not give any pid that shows Apache is running so what can I do to start apache here?
Re: [users@httpd] Apache httpd question(emergent)
On March 29, 2011 22:01 , "Liu JinGang" wrote:

As Eric and Mark said, do you have the document or web-link file explain this viewpoint?( Apache doesn't discriminate the http methods to access CGI.)

I do not know of any document that explains the viewpoint. However, you can observe and test that Apache does not discriminate. Also, Apache *will* discriminate if you use the Limit and LimitExcept directives. So you can have either behavior. Since you can have either behavior, I hope a document is not necessary. I apologize if I do not understand the question.

Then my mail said that: *> And then if I access the HTML file of "/opt/web/htroot" , the result as following:* *> The GET, HEAD, OPTIONS can access the HTML file. I don't set the * *> limits except TRACE. This is the default ?* Why?

The default is that all methods are accepted. The purpose of Apache is to serve web content in response to HTTP requests. So when Apache receives an HTTP request, it tries to serve the content, unless you tell Apache not to serve the content or unless there is some problem with the request.

Your list of methods (above) is not complete. With the configuration from your first email message, other methods will also be accepted for accessing the HTML file. For example, the POST method will be accepted to access the HTML file. I can use the "curl" program to send a POST request for /index.html on my web server:

    curl --data foo=1 --data bar=2 http://f14dev1.catseye.org/index.html

When I run the above command, the request is successful, even though this is just a static HTML file (no CGI):

    2011-03-30T06:40:37.984640-0400 - 172.16.168.128:42060 - f14dev1.catseye.org:80 "POST /index.html HTTP/1.1" +200/200 876us 265/475/729 pid=1459 "curl/7.21.0 (x86_64-redhat-linux-gnu) libcurl/7.21.0 NSS/3.12.8.0 zlib/1.2.5 libidn/1.18 libssh2/1.2.4" "-"

(I use a special LogFormat directive, so the log line above is not the default one that Apache usually uses. But hopefully it is understandable: "172.16.168.128 contacts f14dev1.catseye.org and makes the request 'POST /index.html' which succeeds with HTTP status code 200")

I hope this helps. Please let me know if I am answering the wrong questions.

-- Mark Montague m...@catseye.org
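A log check for the behaviour described above, as an added example that is not part of the original message: it flags requests that used a method other than GET, HEAD or OPTIONS on a static file and were still answered with a 2xx status. It assumes Common Log Format rather than the custom LogFormat shown in the message; the sample lines, the function names and the extension list are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes Apache Common Log Format:
#   host ident user [date tz] "METHOD URI PROTO" status bytes

# Constructed sample log lines using documentation addresses.
sample_log() {
cat <<'EOF'
192.0.2.10 - - [30/Mar/2011:06:40:37 -0400] "GET /index.html HTTP/1.1" 200 475
192.0.2.10 - - [30/Mar/2011:06:40:38 -0400] "POST /index.html HTTP/1.1" 200 475
192.0.2.11 - - [30/Mar/2011:06:41:02 -0400] "PUT /css/site.css HTTP/1.1" 405 312
192.0.2.12 - - [30/Mar/2011:06:41:09 -0400] "POST /cgi-bin/form.cgi HTTP/1.1" 200 1290
192.0.2.13 - - [30/Mar/2011:06:42:00 -0400] "DELETE /img/logo.png?x=1 HTTP/1.1" 200 0
192.0.2.14 - - [30/Mar/2011:06:42:30 -0400] "HEAD /index.html HTTP/1.1" 200 0
EOF
}

# Read log lines on stdin and print "METHOD URI STATUS CLIENT" for every
# request that:
#   - used a method other than GET, HEAD or OPTIONS,
#   - was answered with a 2xx status, and
#   - targeted a path that looks like a static file.
# Such hits show where no Limit/LimitExcept restriction is in effect.
unexpected_methods() {
  awk '
    {
      method = $6; sub(/^"/, "", method)   # field 6 is "METHOD with a leading quote
      uri = $7;    sub(/\?.*$/, "", uri)   # drop the query string
      status = $9

      if (method == "GET" || method == "HEAD" || method == "OPTIONS") next
      if (status !~ /^2[0-9][0-9]$/) next
      if (uri !~ /\.(html?|css|js|png|jpe?g|gif|ico|txt)$/) next

      print method, uri, status, $1
    }'
}

# Stand-alone run over the constructed sample.
sample_log | unexpected_methods
```

The POST to the CGI script and the rejected PUT are not reported; only the two non-GET requests that succeeded against static files are.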
Re: [users@httpd] Re:
> Ok after some time of digging I found in /etc/init.d/ directory there are following files apache apache2.1 and apache2.2 I remember long time back when I had installed it was only apache but surprisingly I find these two files apache2.1 and apache2.2 also. Now when I did /etc/init.d/apache2.2 start then it started working but I correctly remember I had not created apache2.1 or apache2.2 or apache either so what could be the reason for creation of these files which had created this problem?

If you did not create them, then someone else did, probably by installing or attempting to upgrade one or more software packages. Apache HTTP Server will never create start-up scripts itself, unless you download the source code, build httpd from source, and then type "sudo make install".

-- Mark Montague m...@catseye.org
Re: [users@httpd] Apache is too slow with SSL
As subject specifies, I have problem with running Apache on SSL only. I tried to use 'ab' and tested port 80 & 443 both. port 80 is too fast than running the server with port 443.

SSL needs a source of random data. What source have you told Apache to use? Note that it is possible that some sources will block until random data becomes available -- if that is happening, then it might account for the slowdown you are seeing. The source of random data is controlled by the SSLRandomSeed directive. See: http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslrandomseed

I run Apache under Linux, which has a good, non-blocking /dev/urandom implementation. Thus, I use the following directives in my Apache global server configuration:

    SSLRandomSeed startup file:/dev/urandom 512
    SSLRandomSeed connect file:/dev/urandom 512

However, this may or may not be appropriate for your situation -- your hardware and usage patterns are very different from mine. Also, this may not be the source of your problem. But it is the only idea that came to mind. Hopefully other people on the list will have better suggestions.

-- Mark Montague m...@catseye.org
Re: [users@httpd] Directories Being Probed Even When Index Listing Denied
You misunderstand. A user with ftp access only to a single virtual host can upload a PHP shell to their web space. The PHP shell allows them to login with a made up password they make. Once logged in to the PHP shell they are no longer restricted by their FTP login permissions due to the fact that a PHP shell runs under the www-data account. The fact that they have now hijacked the www-data account using the uploaded PHP shell allows them to see the other virtual hosts PHP scripts. And even the root directory on the server if the www-data account is not jailed. If it is jailed they are restricted to seeing all virtual hosts on the server. Jailed or not jailed you can view your neighbor's PHP code and steal it. How would one go about preventing this kind of attack while using virtual hosts and PHP.

First, have the files for each virtual host owned by different users. This will prevent someone who comes in via FTP from being able to access files belonging to other virtual hosts. (By the way, you really should not use FTP since it is insecure; switch to SFTP instead).

Next, configure Apache to execute the PHP for each virtual host as a user unique to that virtual host (and different from the user who owns the files for that virtual host). There are several ways to do this, including suEXEC, FastCGI, and reverse proxies. For more information, see http://wiki.apache.org/httpd/PrivilegeSeparation

-- Mark Montague m...@catseye.org
Re: [users@httpd] Centralised path-based authorisation
On 30/03/2011 12:30, Nick Kew wrote:

> On 30 Mar 2011, at 10:21, Admin Cyanide wrote:
>> another way to do this ?
>> I'm searching for something with a database authentication backend, so I can
>> change authorisations through a service and doesn't need to restart the server.
> How much flexibility do you need? If you use a backend such as an SQL database or LDAP, you can maintain that without touching your apache configuration.

My wish is to have an easy to maintain system. If paths and logins can be stored in SQL this could be perfect. I just don't know how to do this.

I just want to be sure we're talking about authorisations and not authentication. I know how to use SQL, LDAP or whatever to create authentications mechanisms. What I'm searching is path based authorisations to allow access to xxx/yyy folder to bob, while other authenticated users can't access to it (though it can be more complex).
Re: [users@httpd] Centralised path-based authorisation
On 30 Mar 2011, at 14:32, Admin Cyanide wrote:

> I just want to be sure we're talking about authorisations and not
> authentication. I know how to use SQL, LDAP or whatever to create
> authentications mechanisms.
> What I'm searching is path based authorisations to allow access to xxx/yyy
> folder to bob, while other authenticated users can't access to it (though it
> can be more complex).

I can't tell you your best solution. But you could, for example, map paths to authz groups. Then you update your ACLs by amending group memberships.

If you already knew that and thought it should be obvious, then the answer is no, there's nothing builtin that'll help. Unless your access maps to filesystem access and can be driven by file ownership.

-- Nick Kew Available for work, contract or permanent http://www.webthing.com/~nick/cv.html
Re: [users@httpd] Centralised path-based authorisation
On 30/03/2011 15:40, Nick Kew wrote:

> On 30 Mar 2011, at 14:32, Admin Cyanide wrote:
>> I just want to be sure we're talking about authorisations and not authentication. I know how to use SQL, LDAP or whatever to create authentications mechanisms. What I'm searching is path based authorisations to allow access to xxx/yyy folder to bob, while other authenticated users can't access to it (though it can be more complex).
> I can't tell you your best solution. But you could, for example, map paths to authz groups. Then you update your ACLs by amending group memberships. If you already knew that and thought it should be obvious, then the answer is no, there's nothing builtin that'll help. Unless your access maps to filesystem access and can be driven by file ownership.

I don't know about mappings between paths and authz groups, though I can imagine what it is. I'll dig there, thank you for your time!

-- Bastien Semene Administrateur Réseau & Système Cyanide Studio - FRANCE
Re: [users@httpd] Directories Being Probed Even When Index Listing Denied
On Wed, Mar 30, 2011 at 7:35 AM, Mark Montague wrote:

> Next, configure Apache to execute the PHP for each virtual host as user
> unique to that virtual host (and different from the user who owns the files
> for that virtual host). There are several ways to do this, including
> suEXEC, FastCGI, and reverse proxies. For more information, see
> http://wiki.apache.org/httpd/PrivilegeSeparation

I use the (experimental) ITK MPM (http://mpm-itk.sesse.net/). It allows you to specify the user that a particular vhost is running as. I recommend that option (as does linode <http://library.linode.com/web-servers/apache/installation/ubuntu-10.10-maverick#multi_processing_module>).

- Yehuda
[users@httpd] Load Balancing mod_webdav?
This may be a stupid idea, but has anyone had any experience load-balancing two Apache (2.2 in our case) servers that are running mod_dav? We've searched and searched and it looks like it's just something that no one at all talks about. We've got a setup in production where we've got Apache 2.2.17 servers on two different machines (1 per machine), identical, each with mod_dav. They're both sitting behind a hardware load-balancer that does a port rewrite sending traffic to only one of the two. We'd like to let it round-robin between both, but were unsure whether that was safe/wise/possible.
Re: [users@httpd] Active Active Data center and stickyness
On Wed, Mar 30, 2011 at 12:12 AM, Mohit Anchlia wrote:

> thanks! F5 supports the cookies and is recommended way but the problem
> is server A is not managed by us and may be very difficult to
> convince them to enter cookie (changing code). Is it possible to
> embed cookies for non-browser clients in serverA?

I don't understand the question. Server A is an HTTP client, so it would have a chance to inject cookies. They are after all just an HTTP header. Whether it is a browser or not is irrelevant.

> Are there any other options if server A can't be changed.

Not with the little information I have. If I was working on this solution, the major part of the project would be research. Traffic dumps between client and server A, traffic dumps between server A and my system. Code review of server A. How? Why? What? Who? When? Where? If there is a needle there, you need to find it, otherwise, you will need to find the smallest impact method for embedding a needle. Either way, information is key and research is the way of gathering information. The implementation is always simpler than the discovery, otherwise the project is boring.

I think we have given about all the available solutions to you, but your job is to find the details needed to implement them. We can't do that for you.
Re: [users@httpd] Active Active Data center and stickyness
Appreciate all the input! Those things were already part of my list that are mentioned in this email.

What I was trying to point was that we are really in restrictive env where server A can't be changed and 3rd party may not agree to change. So I was wondering if there is something like caching on Apache servers or something similar that can help. So if user A with id "A" comes to site 1 and if that user is actually supposed to be in site 2 then redirect. Or may be some better solution on similar lines.

On Wed, Mar 30, 2011 at 7:11 AM, Ben Timby wrote:
> On Wed, Mar 30, 2011 at 12:12 AM, Mohit Anchlia wrote:
>> thanks! F5 supports the cookies and is recommended way but the problem
>> is server A is not managed by us and may be very difficult to
>> convince them to enter cookie (changing code). Is it possible to
>> embed cookies for non-browser clients in serverA?
>
> I don't understand the question. Server A is an HTTP client, so it
> would have a chance to inject cookies. They are after all just an HTTP
> header. Whether it is a browser or not is irrelevant.
>
>> Are there any other options if server A can't be changed.
>
> Not with the little information I have. If I was working on this
> solution, the major part of the project would be research. Traffic
> dumps between client and server A, traffic dumps between server A and
> my system. Code review of server A. How? Why? What? Who? When? Where?
> If there is a needle there, you need to find it, otherwise, you will
> need to find the smallest impact method for embedding a needle. Either
> way, information is key and research is the way of gathering
> information. The implementation is always simpler than the discovery,
> otherwise the project is boring.
>
> I think we have given about all the available solutions to you, but
> your job is to find the details needed to implement them. We can't do
> that for you.
Re: [users@httpd] Active Active Data center and stickyness
On Wed, Mar 30, 2011 at 10:17 AM, Mohit Anchlia wrote:

> Appreciate all the input! Those things were already part of my list
> that are mentioned in this email.
>
> What I was trying to point was that we are really in restrictive env
> where server A can't be changed and 3rd party may not agree to change.
> So I was wondering if there is something like caching on Apache
> servers or something similar that can help. So if user A with id "A"
> comes to site 1 and if that user is actually supposed to be in site 2
> then redirect. Or may be some better solution on similar lines.

Understood, without direct access to the system, and a wealth of information, we can't answer that question for you. There is probably some identifying information there, but you can't tell us what it is and we can't look for it, so our hands are tied.

I have developed systems in the past where I glob the user agent and some other headers from clients and hash those to use as an identifier. The same browser will produce the same identifier, and can be used to identify the user in absence of anything else. But I don't know what headers or other details are in your HTTP requests. I don't know what there is to work with.

Anyway, good luck!
Re: [users@httpd] Load Balancing mod_webdav?
- Original Message -
> This may be a stupid idea, but has anyone had any experience
> load-balancing two Apache (2.2 in our case) servers that are running
> mod_dav? We've searched and searched and it looks like it's just
> something that no one at all talks about.

I've been thinking about this for some time, but then decided that it's generally a stupid idea. Mostly because there are a couple dozen of Dav clients and all of them have their own interpretation of how to speak to a Dav Server.

My idea back then was to have subversion read/write -- but that seems like a terribly stupid idea because you have no way to split it up properly.

> We've got a setup in production where we've got Apache 2.2.17 servers

That sounds like a bad idea. Have you considered starting with test?

> on two different machines (1 per machine) ,identical, each with

What kind of storage do they sit on? This is crucial, because mod_dav works with FS locks.

> mod_dav. They're both sitting behind a hardware load-balancer that
> does a port rewrite sending traffic to only one of the two. We'd
> like to let it round-robin between both, but were unsure whether
> that was safe/wise/possible.

Round-robin seems like the best idea, but only if you enable sticky sessions.

i

-- Igor Galić Tel: +43 (0) 664 886 22 883 Mail: i.ga...@brainsware.org URL: http://brainsware.org/
Re: [users@httpd] Active Active Data center and stickyness
Thanks! I will get more info and post what I find or route I go.

On Wed, Mar 30, 2011 at 7:22 AM, Ben Timby wrote:
> On Wed, Mar 30, 2011 at 10:17 AM, Mohit Anchlia wrote:
>> Appreciate all the input! Those things were already part of my list
>> that are mentioned in this email.
>>
>> What I was trying to point was that we are really in restrictive env
>> where server A can't be changed and 3rd party may not agree to change.
>> So I was wondering if there is something like caching on Apache
>> servers or something similar that can help. So if user A with id "A"
>> comes to site 1 and if that user is actually supposed to be in site 2
>> then redirect. Or may be some better solution on similar lines.
>
> Understood, without direct access to the system, and a wealth of
> information, we can't answer that question for you. There is probably
> some identifying information there, but you can't tell us what it is
> and we can't look for it, so our hands are tied.
>
> I have developed systems in the past where I glob the user agent and
> some other headers from clients and hash those to use as an
> identifier. The same browser will produce the same identifier, and can
> be used to identify the user in absence of anything else. But I don't
> know what headers or other details are in your HTTP requests. I don't
> know what there is to work with.
>
> Anyway, good luck!
[users@httpd] The .htaccess ANSI (ASCII) Format and linked problems
Hi,

As we can pay attention .htaccess must be only redacted in ANSI. This rule is not absolute:

* The Windows version supports the 3 chars which mark the encoding of the file.

If on Linux a file coming from windows env with the 3 format coding identification is submitted we get: INTERNAL SERVER ERROR

I just lost 9 days locked because nobody had the idea to check the file in hexa and had never taken care of the encoding. Practically if the content is ANSI it will be identical if coded 8859-2 or UTF8 or ANSI and seen identical on editors screens. Most of editors recognize the format and save into the same if not changed by user. If accidentally somebody has to save a full project, it can (this is what happens) save in UTF-8 the htaccess file. On development platform which was windows everything was ok. When the file has been loaded by ftp to the server on linux the error occurred.

So my question and proposal is: Why all the version will not test for .htaccess if the first 3 chars are not encoding marks and then either treat the following as ASCII (the same as on windows) or send a clear message: "ERROR HTACCESS file must be encoded ANSI"

This probably will earn time and money to people who have to work with the two platforms and as me have no incident during last seven years...

Best regards
Trebly
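A pre-deployment check for the problem described above, as an added example that is not part of the original message: it reports .htaccess files that begin with a byte-order mark and can strip a UTF-8 one, so the file is caught before it reaches the Linux server. The function names, the backup suffix and the sample files are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): find .htaccess files that start with
# a byte-order mark (BOM), the "3 chars" the message refers to for UTF-8.

# Print the first $2 bytes of file $1 as lowercase hex without separators.
first_bytes_hex() {
  head -c "$2" "$1" | od -An -tx1 | tr -d ' \n'
}

# Print the BOM type found at the start of file $1, or "none".
# UTF-16 marks are reported too, since editors can write those as well.
bom_type() {
  case "$(first_bytes_hex "$1" 3)" in
    efbbbf) echo utf-8 ;;
    fffe*)  echo utf-16le ;;
    feff*)  echo utf-16be ;;
    *)      echo none ;;
  esac
}

# Remove a UTF-8 BOM from file $1 in place. The original is kept next to it
# with the (hypothetical) suffix .bom-backup. Returns 1 if there is no UTF-8
# BOM to strip, so files in other encodings are never rewritten.
strip_utf8_bom() {
  [ "$(bom_type "$1")" = "utf-8" ] || return 1
  cp -p "$1" "$1.bom-backup" &&
  tail -c +4 "$1.bom-backup" > "$1"    # byte 4 onward = content after the BOM
}

# Walk directory tree $1 and print "<bom-type><TAB><path>" for every
# .htaccess file that starts with a BOM.
scan_htaccess() {
  find "$1" -type f -name .htaccess | while IFS= read -r f; do
    t=$(bom_type "$f")
    [ "$t" = "none" ] || printf '%s\t%s\n' "$t" "$f"
  done
}

# Stand-alone run on a constructed tree: site1 was "saved as UTF-8 with BOM",
# site2 is plain ASCII.
demo() {
  d=$(mktemp -d) || return 1
  mkdir -p "$d/site1" "$d/site2"
  printf '\357\273\277Options -Indexes\n' > "$d/site1/.htaccess"
  printf 'Options -Indexes\n' > "$d/site2/.htaccess"
  scan_htaccess "$d"
  strip_utf8_bom "$d/site1/.htaccess" && echo "stripped: $d/site1/.htaccess"
  rm -rf "$d"
}
demo
```

Running `scan_htaccess` over the project tree before upload makes the failure visible on the development machine instead of as a server error after deployment.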
Re: [users@httpd] Load Balancing mod_webdav?
- Original Message -
> - Original Message -
> > This may be a stupid idea, but has anyone had any experience
> > load-balancing two Apache (2.2 in our case) servers that are running
> > mod_dav? We've searched and searched and it looks like it's just
> > something that no one at all talks about.
>
> I've been thinking about this for some time, but then decided that
> it's generally a stupid idea.
> Mostly because there are a couple dozen of Dav clients and all of
> them have their own interpretation of how to speak to a Dav Server.

Good point, we've definitely run into that!

>
> My idea back then was to have subversion read/write -- but that
> seems like a terribly stupid idea because you have no way to split
> it up properly.
>
> > We've got a setup in production where we've got Apache 2.2.17
> > servers
>
> That sounds like a bad idea. Have you considered starting with test?
>

Oh yeah, we tested the one-at-a-time setup like we're using in test first. This is the result of that, not the start! :)

> > on two different machines (1 per machine) ,identical, each with
>
> What kind of storage do they sit on? This is crucial, because
> mod_dav works with FS locks.
>

Well, that complicates it I'm sure. They've actually both got an NFS mount from a different box mounted as their WebDAV root. The thing there is, why exactly is that a bad idea? Is it "just" a matter of getting one file over-writing another one potentially or do you risk more serious issues than that?

Yes, we certainly could/should try FTP, SFTP/SSH, or SMB, but for a couple of reasons (partly work-flow, partly security) we'd rejected those. We wound up at WebDAV only because it seemed like the only thing left. We'd be open to any other ideas though.

> > mod_dav. They're both sitting behind a hardware load-balancer that
> > does a port rewrite sending traffic to only one of the two. We'd
> > like to let it round-robin between both, but were unsure whether
> > that was safe/wise/possible.
> >
> Round-robin seems like the best idea, but only if you enable
> sticky sessions.
>

That's the thing though, given all the little quirks of WebDAV, the various issue with clients, and the NFS mount, is that safe/possible to let them round-robin?

Thanks!

> i
>
> --
> Igor Galić
>
> Tel: +43 (0) 664 886 22 883
> Mail: i.ga...@brainsware.org
> URL: http://brainsware.org/
[users@httpd] mod_ssl with apach-1.3.19
Hello Users,

We have a complicated issue here. Let me explain in a bit. We have a production machine running on apache-1.3.19 / mod_ssl-2.8.1 / OpenSSL 0.9.5a. Now the issue: in a security scanner we found some issue in openssl 0.9.5a version, and mod_ssl-2.8.1 is statically compiled with openssl so we can just upgrade openssl.

So I am planning to compile mod_ssl-2.8.1 with a fixed version of openssl-0.9.5a, so how should I proceed with this? On another server I have compiled mod_ssl but the module name is libssl.so, why not mod_ssl.so?

Can anybody suggest how to compile mod_ssl.so without re-compiling apache?

-Satish
Re: [users@httpd] mod_ssl with apach-1.3.19
1.3 is no longer supported, and 1.3.19 is an ancient version of 1.3. Over ten years old.

However, reaching back into the past ... generally mod_ssl was built statically, rather than as a so. If it *was* built as a so, you might be able to rebuild it using apxs, but I'm not sure.

This seems like the perfect opportunity to bring yourself into the current decade.

On Mar 30, 2011, at 4:41 PM, satish patel wrote:

> Hello Users,
>
> We have a complicated issue here. Let me explain in a bit. We have a production
> machine running on apache-1.3.19 / mod_ssl-2.8.1 / OpenSSL 0.9.5a. Now the issue:
> in a security scanner we found some issue in openssl 0.9.5a version, and
> mod_ssl-2.8.1 is statically compiled with openssl so we can just upgrade
> openssl.
>
> So I am planning to compile mod_ssl-2.8.1 with a fixed version of openssl-0.9.5a,
> so how should I proceed with this? On another server I have compiled mod_ssl
> but the module name is libssl.so, why not mod_ssl.so?
>
> Can anybody suggest how to compile mod_ssl.so without re-compiling apache?
>
> -Satish

--
Rich Bowen
rbo...@rcbowen.com
rbo...@apache.org
PGP Key ID CC78C893
RE: [users@httpd] mod_ssl with apach-1.3.19
I knew this is old but we can't stop production right away! We need some time to upgrade. I am looking for a small hack...

After a couple of changes in the Makefile of mod_ssl I built the libssl.so module with the help of apxs. But what if I want a name like mod_ssl.so, what should I do? Or just rename libssl.so to mod_ssl.so?

[satish@donkey mod_ssl-2.8.1-1.3.19]$ ldd ./pkg.sslmod/libssl.so
        statically linked

> From: rbo...@rcbowen.com
> Date: Wed, 30 Mar 2011 16:57:29 -0400
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] mod_ssl with apach-1.3.19
>
> 1.3 is no longer supported, and 1.3.19 is an ancient version of 1.3. Over ten
> years old.
>
> However, reaching back into the past ... generally mod_ssl was built
> statically, rather than as a so. If it *was* built as a so, you might be able
> to rebuild it using apxs, but I'm not sure.
>
> This seems like the perfect opportunity to bring yourself into the current
> decade.
>
> On Mar 30, 2011, at 4:41 PM, satish patel wrote:
>
> > Hello Users,
> >
> > We have a complicated issue here. Let me explain in a bit. We have a production
> > machine running on apache-1.3.19 / mod_ssl-2.8.1 / OpenSSL 0.9.5a. Now the
> > issue: in a security scanner we found some issue in openssl 0.9.5a version, and
> > mod_ssl-2.8.1 is statically compiled with openssl so we can just upgrade
> > openssl.
> >
> > So I am planning to compile mod_ssl-2.8.1 with a fixed version of
> > openssl-0.9.5a, so how should I proceed with this? On another server I have
> > compiled mod_ssl but the module name is libssl.so, why not mod_ssl.so?
> >
> > Can anybody suggest how to compile mod_ssl.so without re-compiling apache?
> >
> > -Satish
>
> --
> Rich Bowen
> rbo...@rcbowen.com
> rbo...@apache.org
> PGP Key ID CC78C893
[users@httpd] Apache 2.2.15 (and 2.2.17) binary installers no longer deploy 'lib' and 'include' directories
Hello,

I'm a long-time user of Apache webserver as I build my own 3rd party modules for Apache. I recall all Apache 2.0.x (even the 1.3.x) binary installers used to deploy a 'lib' and an 'include' directories.

Starting with Apache 2.2.x, things seem to have changed, up until 2.2.9 (I think), the 'include' directory is deployed by the installer but not the 'lib' directory. I just installed Apache 2.2.15 using (httpd-2.2.15-win32-x86-openssl-0.9.8m-r2.msi) and didn't see an 'include' nor a 'lib' directories.

The reason I'm asking is when I build my (3rd party) modules, I use the include and lib directories to compile my modules as there is a dependency on them (headers and apr* libraries). Right now and going forward, I don't see how I could do this?

I guess the general question is how do other 3rd party module writers compile/build their modules without include or lib directories provided by the binary installer.

Thanks for help.
Re: [users@httpd] Apache 2.2.15 (and 2.2.17) binary installers no longer deploy 'lib' and 'include' directories
On 3/30/2011 4:39 PM, Ahab Abouzour wrote:
>
> Starting with Apache 2.2.x, things seem to have changed, up until 2.2.9 (I
> think), the 'include' directory is deployed by the installer but not the
> 'lib' directory. I just installed Apache 2.2.15 using
> (httpd-2.2.15-win32-x86-openssl-0.9.8m-r2.msi) and didn't see an 'include'
> nor a 'lib' directories.

No, there is an optional feature which triggers the installation of the include/ and lib/ directories. Pay attention to the product selection dialog during installation.

And FWIW, 2.2.17 is current.
Re: [users@httpd] Apache is too slow with SSL
Hi Mark,

Thanks for your suggestion. I tried the below settings in httpd.conf -

#SSLRandomSeed startup builtin
#SSLRandomSeed connect builtin
SSLRandomSeed startup file:/dev/urandom 1024
SSLRandomSeed connect file:/dev/urandom 1024

The commented lines were there when I initially posted my query, and now I have changed them to the lines mentioned. But I still got the same result. I even tried the /dev/random option, but that option didn't work at all (maybe not supported with my OS config).

Could you or anyone please help me to resolve this problem? I want to resolve it. I tried to google it but couldn't find any solution.

Any help will be great.

Thanks

On Wed, Mar 30, 2011 at 7:24 AM, Mark Montague wrote:
>
>> As subject specifies, I have problem with running Apache on SSL only.
>> I tried to use 'ab' and tested port 80 & 443 both. port 80 is too fast
>> than running the server with port 443.
>
> SSL needs a source of random data. What source have you told Apache to use?
> Note that it is possible that some sources will block until random data
> becomes available -- if that is happening, then it might account for the
> slowdown you are seeing.
>
> The source of random data is controlled by the SSLRandomSeed directive.
> See:
>
> http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslrandomseed
>
> I run Apache under Linux, which has a good, non-blocking /dev/urandom
> implementation. Thus, I use the following directives in my Apache global
> server configuration:
>
> SSLRandomSeed startup file:/dev/urandom 512
> SSLRandomSeed connect file:/dev/urandom 512
>
> However, this may or may not be appropriate for your situation -- your
> hardware and usage patterns are very different from mine.
>
> Also, this may not be the source of your problem. But it is the only idea
> that came to mind. Hopefully other people on the list will have better
> suggestions.
>
> --
> Mark Montague
> m...@catseye.org
[users@httpd] SetEnv scope
Hi all,

We find it quite handy to use SetEnv to store configuration variables for our PHP / Python Web apps. It helps us keep configuration separate to the application, hence moving code from development to production environments becomes quite simple.

Our SetEnvs are generally defined in our VirtualHost configuration. I was wondering what the scope of these variables is. Are they confined to the script's VirtualHost or the entire Apache instance? Would this be considered a security issue?

Thanks.
Re: [users@httpd] The .htaccess ANSI (ASCII) Format and linked problems
On 30 Mar 2011, at 18:21, Bernard TREMBLAY wrote:

> Hi,
>
> As we can pay attention .htaccess must be only redacted in ANSI.

ANSI isn't an encoding. Unless perhaps you're back in the 1980s when the notion of an encoding was undefined.

> This rule is not absolute :
> • The Windows version supports the 3 chars which marks the encoding of
> the file.

You mean you used an XML editor (or text editor whose developers can't tell the difference) and created a file with a BOM?

> If on Linux a file coming from windows env with is the 3 format coding
> identification is submitted we get :
>
> INTERNAL SERVER ERROR

So you look in your error log!

> So My question and proposal is :
>
> Why all the version will not test for .htaccess if the first 3 chars are not
> encoding marks and then either treat the following as ASCII (the same as on
> windows) or send a clear message :
>
> "ERROR HTACCESS file must be encoded ANSI"

That would be incorrect. What message did you see in your error log, and what was not clear about it?

As far as httpd is concerned, a BOM in a htaccess is just garbage.

--
Nick Kew

Available for work, contract or permanent
http://www.webthing.com/~nick/cv.html
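Added example, not part of the thread and not httpd project code: a pre-deployment check that finds .htaccess files starting with a byte-order mark and returns their content without it. It generalizes the 3-byte UTF-8 mark discussed above to the UTF-16 and UTF-32 marks as well; the function names and the sample docroot are constructed for illustration.

```python
import codecs
import os
import tempfile

# Longest marks first: the UTF-32 LE BOM begins with the UTF-16 LE BOM bytes.
BOMS = [
    (codecs.BOM_UTF32_LE, "utf-32-le"),
    (codecs.BOM_UTF32_BE, "utf-32-be"),
    (codecs.BOM_UTF8, "utf-8"),
    (codecs.BOM_UTF16_LE, "utf-16-le"),
    (codecs.BOM_UTF16_BE, "utf-16-be"),
]

def detect_bom(data):
    """Return (encoding, bom_length) if data starts with a BOM, else None."""
    for bom, name in BOMS:
        if data.startswith(bom):
            return name, len(bom)
    return None

def strip_bom(data):
    """Return the content as BOM-free UTF-8 bytes; clean input is unchanged."""
    found = detect_bom(data)
    if found is None:
        return data
    return data[found[1]:].decode(found[0]).encode("utf-8")

def scan_tree(root, name=".htaccess"):
    """Yield (path, encoding) for each file called `name` that starts with a BOM."""
    for dirpath, _dirs, files in os.walk(root):
        if name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                found = detect_bom(fh.read(4))
            if found:
                yield path, found[0]

def demo():
    """Scan a constructed docroot holding one clean and one BOM-prefixed file."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "app"))
        with open(os.path.join(root, ".htaccess"), "wb") as fh:
            fh.write(b"Options -Indexes\n")
        with open(os.path.join(root, "app", ".htaccess"), "wb") as fh:
            fh.write(codecs.BOM_UTF8 + b"Options -Indexes\n")
        hits = scan_tree(root)
        return [(os.path.relpath(p, root).replace(os.sep, "/"), e) for p, e in hits]

if __name__ == "__main__":
    print(demo())
```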
RE: [users@httpd] Apache httpd question(emergent)
Mark Montague:

Thank you very much!

* I do not know of any document that explains the viewpoint. However, you can observe and test that Apache does not discriminate.

I have tested that Apache does not discriminate. I also did not find the document that explains the viewpoint, so I want to know if someone has got it.

From: Mark Montague [mailto:m...@catseye.org]
Sent: Wednesday, March 30, 2011 6:48 PM
To: Liu JinGang
Cc: users@httpd.apache.org; 'Eric Covener'
Subject: Re: [users@httpd] Apache httpd question(emergent)

I do not know of any document that explains the viewpoint. However, you can observe and test that Apache does not discriminate. Also, Apache *will* discriminate if you use the Limit and LimitExcept directives. So you can have either behavior. Since you can have either behavior, I hope a document is not necessary.

I apologize if I do not understand the question.

Then my mail said that:

I hope this helps. Please let me know if I am answering the wrong questions.

==

Thanks! I understand it.

--
Mark Montague
m...@catseye.org