Re: [users@httpd] Configuration for high concurrent load
On 03/03/2013 4:52 PM, "Austin Einter" wrote:
>
> Correcting typo-error
>
> Dear Nick
> Can you be bit precise here.., I am bit new to system.
>
> What I need to do so that, one client per server would not be required.
>
> Best Regards
>
> On Sun, Mar 3, 2013 at 11:21 AM, Austin Einter wrote:
>>
>> Dear Bick
>> Can you be bit precise here.., I am bit new to system.
>>
>> What I need to do so that, one client per server would not be required.
>>
>> Best Regards
>> Austin
>>
>> On Sat, Mar 2, 2013 at 3:59 PM, Nick Kew wrote:
>>>
>>> On 2 Mar 2013, at 10:08, Austin Einter wrote:
>>>
>>> > I am doing a similar job..
>>> > Here is the warning...
>>> >
>>> > Starting httpd: WARNING: MaxClients of 7500 exceeds ServerLimit value of 330 servers,
>>> > lowering MaxClients to 330. To increase, please see the ServerLimit
>>> > directive.
>>>
>>> The prefork MPM limits you to one client per server. Not useful for
>>> higher loads.
>>>
>>> Has something happened to the performance tuning section in the docs?
>>>
>>> --
>>> Nick Kew
>>> -
>>> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
>>> For additional commands, e-mail: users-h...@httpd.apache.org
>>>
>>
>

Meaning use mpm_worker instead of mpm_prefork. Find the Apache performance tuning doco on the Apache web site and check the choosing-MPM section.
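The relationship behind the warning quoted above, as an added configuration example (not from any poster in this thread): under prefork, MaxClients is capped by ServerLimit because each client occupies one process, while under worker the cap is ServerLimit multiplied by ThreadsPerChild. Only the figures 7500 and 330 come from the thread; every other value is an assumption chosen for illustration.

```apache
# Added example, httpd 2.2 directive names. Only one MPM is active in a given
# build; the <IfModule> guards let both stanzas sit in the same file.

# prefork: one process per client, so MaxClients cannot exceed ServerLimit.
# "ServerLimit 330" with "MaxClients 7500" is what produced the startup warning.
# Raising ServerLimit to match removes the warning, at the cost of allowing
# up to 7500 processes.
<IfModule mpm_prefork_module>
    ServerLimit           7500
    MaxClients            7500
</IfModule>

# worker: each child process runs ThreadsPerChild threads, so
# MaxClients <= ServerLimit x ThreadsPerChild (here 300 x 25 = 7500).
# ServerLimit and ThreadLimit are listed first, ahead of the directives they cap.
# Modules that are not thread-safe cannot be used with this MPM.
<IfModule mpm_worker_module>
    ServerLimit            300
    ThreadLimit             25
    ThreadsPerChild         25
    MaxClients            7500
    StartServers             4
    MinSpareThreads         75
    MaxSpareThreads        250
    MaxRequestsPerChild      0
</IfModule>
```

`httpd -V` reports which MPM the binary was built with, and a changed ServerLimit takes effect only after a full stop and start, not a graceful restart.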
[users@httpd] Problem compiling Apache httpd from source code on Linux
Hi All,

I have been facing problem while compiling HTTPD on my linux machine. It hangs at the following location while configuration :-

checking whether TCP_NODELAY and TCP_CORK can both be enabled... yes
checking for TCP_CORK in netinet/tcp.h... yes
checking for TCP_NOPUSH in netinet/tcp.h... no
checking for SO_ACCEPTFILTER in sys/socket.h... no
checking whether SCTP is supported...

I am configuring it using the following switches :-

./configure --with-included-apr

uname -r returns :-

2.6.18-194.el5

Can some one please suggest on how to build it ?

Thanks
Sarbjit
Re: [users@httpd] Problem compiling Apache httpd from source code on Linux
On Sun, 2013-03-03 at 14:41 +0530, Sarbjit singh wrote:
> Hi All,
>
> I have been facing problem while compiling HTTPD on my linux machine.
> It hangs at the following location while configuration :-
>
> checking whether TCP_NODELAY and TCP_CORK can both be enabled... yes
> checking for TCP_CORK in netinet/tcp.h... yes
> checking for TCP_NOPUSH in netinet/tcp.h... no
> checking for SO_ACCEPTFILTER in sys/socket.h... no
> checking whether SCTP is supported...
>
> I am configuring it using the following switches :-
>
> ./configure --with-included-apr
>
> uname -r returns :-
>
> 2.6.18-194.el5
>
> Can some one please suggest on how to build it ?
>
> Thanks
> Sarbjit

You don't tell us what version of httpd. If it is 2.4.4, using --with-included-apr, have you actually downloaded apr and apr-util and put them in srclib?
Re: [users@httpd] Problem compiling Apache httpd from source code on Linux
Sorry for not providing the version of httpd. I am using httpd.2.2.24, I have downloaded the APR and APR-UTIL, but didn't put in the srclib as this folder was already having these inside it. But I tried compiling the APR standalone and encountered the same problem. Then I did at once tried putting inside the srclib folder and found this issue.

Please let me know if some more information is required.

-Sarbjit

On Sun, Mar 3, 2013 at 5:57 PM, Noel Butler wrote:
> On Sun, 2013-03-03 at 14:41 +0530, Sarbjit singh wrote:
>
> Hi All,
>
> I have been facing problem while compiling HTTPD on my linux machine. It
> hangs at the following location while configuration :-
>
> checking whether TCP_NODELAY and TCP_CORK can both be enabled... yes
> checking for TCP_CORK in netinet/tcp.h... yes
> checking for TCP_NOPUSH in netinet/tcp.h... no
> checking for SO_ACCEPTFILTER in sys/socket.h... no
> checking whether SCTP is supported...
>
> I am configuring it using the following switches :-
>
> ./configure --with-included-apr
>
> uname -r returns :-
>
> 2.6.18-194.el5
>
> Can some one please suggest on how to build it ?
>
> Thanks
> Sarbjit
>
> You don't tell us what version of httpd.
> if it is 2.4.4, using --with-included-apr have you actually downloaded
> apr and apr-util and put them in srclib ?
Re: [users@httpd] using multiple LimitExcept directives
On Sun, Mar 3, 2013 at 2:46 AM, Igor Cicimov wrote: > > On 03/03/2013 3:34 PM, "James Martin" wrote: >> >> Folks, >> >> I'm attempting to using multiple LimitExcept directives in one >> Location. Basically I want to give a the "Actor" ldap group GET & >> PUTT access, the "WeatherMan" ldap group only GET access, and the >> "Actor" ldap group PUT access. I'm open to using either apache 2.2 or >> 2.4, as I see that apache 2.4 supports nesting of the Limit and >> LimitExcept directives. This is what I've tried so far: >> > > Can you please first check the above bold out groups for us? Is that correct > or one of them should be Artist instead? > I realize there was a typo there, sorry about that. I said Actor twice. The groups should be Artist, Actor, and WeatherMan Here's the proper text: Basically I want to give a the "Artist" ldap group GET & PUT access, the "WeatherMan" ldap group only GET access, and the "Actor" ldap group PUT access. I'm open to using either apache 2.2 or 2.4, as I see that apache 2.4 supports nesting of the Limit and LimitExcept directives. This is what I've tried so far: Require ldap-group cn=Artist, ou=groups, o=company Require ldap-group cn=WeatherMan, ou=groups, o=company Require ldap-group cn=Actor, ou=groups, o=company >> >> >> AuthType Basic >> AuthName "Secure Area" >> AuthBasicProvider ldap >>AuthLDAPURL >> "ldap://localhost:10389/ou=users,o=company?uid"; >> AuthLDAPBindDN uid=binder,ou=users,o=bashoproserv >> AuthLDAPBindPassword password > > >> >> Require ldap-group cn=Actor, ou=groups, o=company >> > > From the docs: > > and are used to enclose a group of access > control directives which will then apply to any HTTP access method not > listed in the arguments > It is my understanding that if you have GET PUT within LimitExcept then you are limiting all operations *except* GET & PUT. > In this context, isn't your above statement actually achieving the opposite > from what you want? 
> >> >> Require ldap-group cn=WeatherMan, ou=groups, o=company >> >> >> Require ldap-group cn=Actor, ou=groups, o=company >> >> >> >> In this case Apache only processes the last LimitExcept, so only >> operation that is successful is the PUT by a user in the Actor ldap >> group. >> >> >> I've also attempted to nest these statements (new feature in 2.4) and >> apache complains: >> >> " directive specifies methods already excluded" >> >> Here is that example: >> >> >> Require ldap-group cn=Artist, ou=groups, o=bashoproserv >> >> Require ldap-group cn=Actor, ou=groups, o=bashoproserv >> >> >> > > So is it Actor or Artist or both??? Can't see Artist in the first example... > > The docs further say: > > The and directives may be nested. In this case, each > successive level of or directives must further > restrict the set of methods to which access controls apply. > > When using or directives with the Require directive, > note that the first Require to succeed authorizes the request, regardless of > the presence of other Require directives. > > So, assuming GET+PUT for Artist, GET for WeatherMan and PUT for Actor, and > having the above said in mind, I would try something like this: > > > >Require ldap-group cn=Artist, ou=groups, o=company > > > >Require ldap-group cn=WeatherMan, ou=groups, o=company > > > >Require ldap-group cn=Actor, ou=groups, o=company > > I attempted your method and it *does* seem to work as I wanted (thanks!); however, my concern is as per the docs: """ The following example applies the access control only to the methods POST, PUT, and DELETE, leaving all other methods unprotected: Require valid-user """ To me that means that GET, CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, and UNLOCK are not restricted at all. It also mentions """ A section should always be used in preference to a section when restricting access, since a section provides protection against arbitrary methods. 
""" Perhaps I need to combine the Limit with a LimitExcept so catch all of the other methods not defined? Thanks, - James >> I feel like I'm very close to getting this working, but I'm not quite >> grasping how to stack the LimitExcepts properly. >> >> Thanks for your help, >> >> >> James >> >> - >> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org >> For additional commands, e-mail: users-h...@httpd.apache.org >> - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
[users@httpd] Where are error logs created on windows?
Hi all,

I have recently installed latest version of Apache2.2 on windows 7. I am operating as an administrator with username as 'adminuser' on this machine. The apache webserver is installed at this location: 'C:\Program Files\Apache Software Foundation\Apache2.2\' on this computer and all folders have write permission for 'adminuser'.

After installing Apache 2.2 I made sure the basic "It works!" page was shown properly and the sample script which shows environment variables also works fine, but when I use a python-based simple CGI script, I get 'Internal Server error', although this script works fine when run standalone. This script only takes in a name in a text box and says hello to that name on 'Submit'.

The main problem is that in logs folder, I do not see any access logs or error logs being created for this internal server error in the logs directory. My current 'LogLevel' is defined as "debug" in httpd.conf.

Why are error/access logs not being written in apache's "logs" directory ?
Log dir location: 'C:\Program Files\Apache Software Foundation\Apache2.2\logs'

Thanks,
Pranav
Re: [users@httpd] Where are error logs created on windows?
On 3/3/2013 11:40 AM, Pranav Kumar Ojha wrote:
> Hi all,
>
> I have recently installed latest version of Apache2.2 on windows 7. I am
> operating as an administrator with username as 'adminuser' on this
> machine. The apache webserver is installed at this location: 'C:\Program
> Files\Apache Software Foundation\Apache2.2\' on this computer and all
> folders have write permission for 'adminuser'.
>
> After installing Apache 2.2 I made sure the basic "It works!" page was
> shown properly and the sample script which shows environment variables
> also works fine, but when I use a python-based simple CGI script, I get
> 'Internal Server error', although this script works fine when run
> standalone. This script only takes in a name in a text box and says
> hello to that name on 'Submit'.
>
> The main problem is that in logs folder, I do not see any access logs or
> error logs being created for this internal server error in the logs
> directory. My current 'LogLevel' is defined as "debug" in httpd.conf.
>
> *Why are error/access logs not being written in apache's "logs"
> directory ? *
> Log dir location: 'C:\Program Files\Apache Software
> Foundation\Apache2.2\logs'
>
> Thanks,
> Pranav

How are you starting Apache? Are you running Apache as a service? Or are you starting it from the command-line?

If you are running Apache as a service, then Apache will have the effective permissions of the account under which the service is running (not the permissions of your user account).

If you are starting Apache from the command-line, then you need to be sure that you launch the command prompt (cmd.exe) with "Run as Administrator" and then start Apache, e.g., with "httpd --console".

-Ben
[users@httpd] Re: mod_ssl help
Anyone?

On Fri, Mar 1, 2013 at 7:39 PM, Michele Mase' wrote:
> I'm testing a client authentication using:
>
> SSLCACertificateFile /path/to/pemfile.pem
>
> SSLVerifyClient require
> SSLVerifyDepth 2
> SSLOptions +StdEnvVars +ExportCertData
> SSLRequire %{SSL_CLIENT_I_DN} eq "/C=US/O=acme/OU=acme/CN=acme"
> /LocationMatch>
>
> I should use two different CA with the same DN (file /path/to/pemfile.pem)
> When i try to use this configuration I receive:
> Access totest denied for 10.10.10.10 (requirement expression not fulfilled)
> Failed expression: %{SSL_CLIENT_I_DN} eq ...
>
> The only way it works is without the SSLRequire directive.
> or
> Using only one CA in the file (file /path/to/pemfile.pem)
>
> Some suggestions?
>
> Regards
> Michele Masè
Re: [users@httpd] using multiple LimitExcept directives
On 04/03/2013 3:36 AM, "James Martin" wrote: > > On Sun, Mar 3, 2013 at 2:46 AM, Igor Cicimov wrote: > > > > On 03/03/2013 3:34 PM, "James Martin" wrote: > >> > >> Folks, > >> > >> I'm attempting to using multiple LimitExcept directives in one > >> Location. Basically I want to give a the "Actor" ldap group GET & > >> PUTT access, the "WeatherMan" ldap group only GET access, and the > >> "Actor" ldap group PUT access. I'm open to using either apache 2.2 or > >> 2.4, as I see that apache 2.4 supports nesting of the Limit and > >> LimitExcept directives. This is what I've tried so far: > >> > > > > Can you please first check the above bold out groups for us? Is that correct > > or one of them should be Artist instead? > > > > I realize there was a typo there, sorry about that. I said Actor > twice. The groups should be Artist, Actor, and WeatherMan Here's the > proper text: > > Basically I want to give a the "Artist" ldap group GET & PUT access, > the "WeatherMan" ldap group only GET access, and the "Actor" ldap > group PUT access. I'm open to using either apache 2.2 or 2.4, as I > see that apache 2.4 supports nesting of the Limit and LimitExcept > directives. 
This is what I've tried so far: > > > > Require ldap-group cn=Artist, ou=groups, o=company > > > Require ldap-group cn=WeatherMan, ou=groups, o=company > > > Require ldap-group cn=Actor, ou=groups, o=company > > > > >> > >> > >> AuthType Basic > >> AuthName "Secure Area" > >> AuthBasicProvider ldap > >>AuthLDAPURL > >> "ldap://localhost:10389/ou=users,o=company?uid"; > >> AuthLDAPBindDN uid=binder,ou=users,o=bashoproserv > >> AuthLDAPBindPassword password > > > > > >> > >> Require ldap-group cn=Actor, ou=groups, o=company > >> > > > > From the docs: > > > > and are used to enclose a group of access > > control directives which will then apply to any HTTP access method not > > listed in the arguments > > > > It is my understanding that if you have GET PUT within LimitExcept > then you are limiting all operations *except* GET & PUT. > > > > In this context, isn't your above statement actually achieving the opposite > > from what you want? > > > >> > >> Require ldap-group cn=WeatherMan, ou=groups, o=company > >> > >> > >> Require ldap-group cn=Actor, ou=groups, o=company > >> > >> > >> > >> In this case Apache only processes the last LimitExcept, so only > >> operation that is successful is the PUT by a user in the Actor ldap > >> group. > >> > >> > >> I've also attempted to nest these statements (new feature in 2.4) and > >> apache complains: > >> > >> " directive specifies methods already excluded" > >> > >> Here is that example: > >> > >> > >> Require ldap-group cn=Artist, ou=groups, o=bashoproserv > >> > >> Require ldap-group cn=Actor, ou=groups, o=bashoproserv > >> > >> > >> > > > > So is it Actor or Artist or both??? Can't see Artist in the first example... > > > > The docs further say: > > > > The and directives may be nested. In this case, each > > successive level of or directives must further > > restrict the set of methods to which access controls apply. 
> > > > When using or directives with the Require directive, > > note that the first Require to succeed authorizes the request, regardless of > > the presence of other Require directives. > > > > So, assuming GET+PUT for Artist, GET for WeatherMan and PUT for Actor, and > > having the above said in mind, I would try something like this: > > > > > > > >Require ldap-group cn=Artist, ou=groups, o=company > > > > > > > >Require ldap-group cn=WeatherMan, ou=groups, o=company > > > > > > > >Require ldap-group cn=Actor, ou=groups, o=company > > > > > > I attempted your method and it *does* seem to work as I wanted > (thanks!); however, my concern is as per the docs: > > """ > The following example applies the access control only to the methods > POST, PUT, and DELETE, leaving all other methods unprotected: > > > Require valid-user > > """ > > To me that means that GET, CONNECT, OPTIONS, PATCH, PROPFIND, > PROPPATCH, MKCOL, COPY, MOVE, LOCK, and UNLOCK are not restricted at > all. Correct since those 3 are important ones so you need only some users to access them and you dont care about the other methods. Why else would you use limit then with Require? By default ALL methods are unprotected. So in your case you dont need to give Artist GET access to anything, he already has it! The point is to allow access to that user ONLY and thats where Limit and Require come into play. > > It also mentions > > """ > A section should always be used in preference to a > section when restricting access, since a section > provides protection against arbitrary methods. > """ > Correct BUT only if it matches your user case. Does it??? Nothing wrong with using Limit if you know exactly what you are doing. > Perhaps I need to combine the Limit with a LimitExcept so catch al
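A sketch of the combination asked about at the end of the message above, as an added example that is not from any poster in this thread: httpd 2.4 syntax, with `<Limit>` sections granting GET and PUT to the named groups and a `<LimitExcept>` section refusing every method not listed. The `/content` path and the `CHANGE_ME` password are placeholders; the LDAP URL, bind DN and group DNs are the ones quoted in the thread.

```apache
# Added example for httpd 2.4. "/content" is a hypothetical path.
<Location "/content">
    AuthType Basic
    AuthName "Secure Area"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://localhost:10389/ou=users,o=company?uid"
    AuthLDAPBindDN "uid=binder,ou=users,o=bashoproserv"
    # Placeholder value; supply the real bind password out of band.
    AuthLDAPBindPassword "CHANGE_ME"

    # GET (a <Limit GET> section also covers HEAD): Artist or WeatherMan.
    # Several Require lines in one section are alternatives: any one that
    # succeeds authorizes the request.
    <Limit GET>
        Require ldap-group cn=Artist, ou=groups, o=company
        Require ldap-group cn=WeatherMan, ou=groups, o=company
    </Limit>

    # PUT: Artist or Actor.
    <Limit PUT>
        Require ldap-group cn=Artist, ou=groups, o=company
        Require ldap-group cn=Actor, ou=groups, o=company
    </Limit>

    # Every other method, including ones not named anywhere in this file
    # (DELETE, PROPFIND, arbitrary extension methods): refused for everyone.
    # Without this section the <Limit> blocks above would leave those
    # methods with no access control at all, which is the concern raised
    # from the documentation quote.
    <LimitExcept GET PUT>
        Require all denied
    </LimitExcept>
</Location>
```

Run `apachectl configtest` after editing, then confirm with a test account from each group that a method outside GET and PUT is refused.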
Re: [users@httpd] Re: mod_ssl help
On 04/03/2013 7:33 AM, "Michele Mase'" wrote:
>
> Anyone?
>
> On Fri, Mar 1, 2013 at 7:39 PM, Michele Mase' wrote:
>>
>> I'm testing a client authentication using:
>>
>> SSLCACertificateFile /path/to/pemfile.pem
>>
>> SSLVerifyClient require
>> SSLVerifyDepth 2
>> SSLOptions +StdEnvVars +ExportCertData
>> SSLRequire %{SSL_CLIENT_I_DN} eq "/C=US/O=acme/OU=acme/CN=acme"
>> /LocationMatch>
>>
>> I should use two different CA with the same DN (file /path/to/pemfile.pem)
>> When i try to use this configuration I receive:
>> Access totest denied for 10.10.10.10 (requirement expression not fulfilled)
>> Failed expression: %{SSL_CLIENT_I_DN} eq ...
>>
>> The only way it works is without the SSLRequire directive.
>> or
>> Using only one CA in the file (file /path/to/pemfile.pem)
>>
>> Some suggestions?
>>
>> Regards
>> Michele Masè
>

Please paste the output of

# openssl x509 -noout -in /path/to/pemfile.pem -text

so we know what are we talking about here. If multiple dn in the file why are you trying to match one using eq then? Anyway, the above command will show us the issuer dn string and you can see what are you doing wrong.
Re: [users@httpd] SSL session problem
Quoting Jens-Uwe Mozdzen:
Quoting "Jens-U. Mozdzen":
Hi list, I could use a helping hand with a SSL problem. [...]

Anything I should do differently to get at least an ack from this list? Or is there some other, more appropriate list? I'd then be grateful for some pointer...

Regards,
Jens
Re: [users@httpd] Re: mod_ssl help
The issuer dn is the same; the pem file is a ca bundle.

On Sun, Mar 3, 2013 at 11:23 PM, Igor Cicimov wrote:
>
> On 04/03/2013 7:33 AM, "Michele Mase'" wrote:
> >
> > Anyone?
> >
> > On Fri, Mar 1, 2013 at 7:39 PM, Michele Mase' wrote:
> >>
> >> I'm testing a client authentication using:
> >>
> >> SSLCACertificateFile /path/to/pemfile.pem
> >>
> >> SSLVerifyClient require
> >> SSLVerifyDepth 2
> >> SSLOptions +StdEnvVars +ExportCertData
> >> SSLRequire %{SSL_CLIENT_I_DN} eq "/C=US/O=acme/OU=acme/CN=acme"
> >> /LocationMatch>
> >>
> >> I should use two different CA with the same DN (file /path/to/pemfile.pem)
> >> When i try to use this configuration I receive:
> >> Access totest denied for 10.10.10.10 (requirement expression not fulfilled)
> >> Failed expression: %{SSL_CLIENT_I_DN} eq ...
> >>
> >> The only way it works is without the SSLRequire directive.
> >> or
> >> Using only one CA in the file (file /path/to/pemfile.pem)
> >>
> >> Some suggestions?
> >>
> >> Regards
> >> Michele Masè
> >
> Please paste the output of
>
> # openssl x509 -noout -in /path/to/pemfile.pem -text
>
> so we know what are we talking about here. If multiple dn in the file why
> are you trying to match one using eq then? Anyway, the above command will
> show us the issuer dn string and you can see what are you doing wrong.
>
Re: [users@httpd] using multiple LimitExcept directives
On Sun, Mar 3, 2013 at 4:08 PM, Igor Cicimov wrote: > > On 04/03/2013 3:36 AM, "James Martin" wrote: >> >> On Sun, Mar 3, 2013 at 2:46 AM, Igor Cicimov wrote: >> > >> > On 03/03/2013 3:34 PM, "James Martin" wrote: >> >> >> >> Folks, >> >> >> >> I'm attempting to using multiple LimitExcept directives in one >> >> Location. Basically I want to give a the "Actor" ldap group GET & >> >> PUTT access, the "WeatherMan" ldap group only GET access, and the >> >> "Actor" ldap group PUT access. I'm open to using either apache 2.2 or >> >> 2.4, as I see that apache 2.4 supports nesting of the Limit and >> >> LimitExcept directives. This is what I've tried so far: >> >> >> > >> > Can you please first check the above bold out groups for us? Is that >> > correct >> > or one of them should be Artist instead? >> > >> >> I realize there was a typo there, sorry about that. I said Actor >> twice. The groups should be Artist, Actor, and WeatherMan Here's the >> proper text: >> >> Basically I want to give a the "Artist" ldap group GET & PUT access, >> the "WeatherMan" ldap group only GET access, and the "Actor" ldap >> group PUT access. I'm open to using either apache 2.2 or 2.4, as I >> see that apache 2.4 supports nesting of the Limit and LimitExcept >> directives. 
This is what I've tried so far: >> >> >> >> Require ldap-group cn=Artist, ou=groups, o=company >> >> >> Require ldap-group cn=WeatherMan, ou=groups, o=company >> >> >> Require ldap-group cn=Actor, ou=groups, o=company >> >> >> >> >> >> >> >> >> AuthType Basic >> >> AuthName "Secure Area" >> >> AuthBasicProvider ldap >> >>AuthLDAPURL >> >> "ldap://localhost:10389/ou=users,o=company?uid"; >> >> AuthLDAPBindDN uid=binder,ou=users,o=bashoproserv >> >> AuthLDAPBindPassword password >> > >> > >> >> >> >> Require ldap-group cn=Actor, ou=groups, o=company >> >> >> > >> > From the docs: >> > >> > and are used to enclose a group of access >> > control directives which will then apply to any HTTP access method not >> > listed in the arguments >> > >> >> It is my understanding that if you have GET PUT within LimitExcept >> then you are limiting all operations *except* GET & PUT. >> >> >> > In this context, isn't your above statement actually achieving the >> > opposite >> > from what you want? >> > >> >> >> >> Require ldap-group cn=WeatherMan, ou=groups, o=company >> >> >> >> >> >> Require ldap-group cn=Actor, ou=groups, o=company >> >> >> >> >> >> >> >> In this case Apache only processes the last LimitExcept, so only >> >> operation that is successful is the PUT by a user in the Actor ldap >> >> group. >> >> >> >> >> >> I've also attempted to nest these statements (new feature in 2.4) and >> >> apache complains: >> >> >> >> " directive specifies methods already excluded" >> >> >> >> Here is that example: >> >> >> >> >> >> Require ldap-group cn=Artist, ou=groups, o=bashoproserv >> >> >> >> Require ldap-group cn=Actor, ou=groups, o=bashoproserv >> >> >> >> >> >> >> > >> > So is it Actor or Artist or both??? Can't see Artist in the first >> > example... >> > >> > The docs further say: >> > >> > The and directives may be nested. In this case, >> > each >> > successive level of or directives must further >> > restrict the set of methods to which access controls apply. 
>> > >> > When using or directives with the Require >> > directive, >> > note that the first Require to succeed authorizes the request, >> > regardless of >> > the presence of other Require directives. >> > >> > So, assuming GET+PUT for Artist, GET for WeatherMan and PUT for Actor, >> > and >> > having the above said in mind, I would try something like this: >> > >> > >> > >> >Require ldap-group cn=Artist, ou=groups, o=company >> > >> > >> > >> >Require ldap-group cn=WeatherMan, ou=groups, o=company >> > >> > >> > >> >Require ldap-group cn=Actor, ou=groups, o=company >> > >> > >> >> I attempted your method and it *does* seem to work as I wanted >> (thanks!); however, my concern is as per the docs: >> >> """ >> The following example applies the access control only to the methods >> POST, PUT, and DELETE, leaving all other methods unprotected: >> >> >> Require valid-user >> >> """ >> >> To me that means that GET, CONNECT, OPTIONS, PATCH, PROPFIND, >> PROPPATCH, MKCOL, COPY, MOVE, LOCK, and UNLOCK are not restricted at >> all. > Correct since those 3 are important ones so you need only some users to > access them and you dont care about the other methods. Why else would you > use limit then with Require? By default ALL methods are unprotected. So in > your case you dont need to give Artist GET access to anything, he already > has it! The point is to allow access to that user ONLY and thats where Limit > and Require come into play. > >> >> It also mentions >> >> """ >> A section should always be used in preference to a >> section when restricting access, since a section >>
Re: [users@httpd] headers null in a custom module
There are roaches in every mailing list who can't just shut their holes when there is nothing useful to contribute...wasting time and resources on this resource-limited planet.

From: Stormy
To: users@httpd.apache.org
Sent: Friday, March 1, 2013 12:03 PM
Subject: Re: [users@httpd] headers null in a custom module

At 11:13 AM 3/1/2013 -0800, Crne We wrote:
> why the heck some of the essential headers present in the request are null
> when being processed in a custom apache module/hook function?

Perhaps because your coding skills are at the same level as your societal skills writing to this list for assistance?

Crne We P.

"The only two things that are infinite in size are the universe and human stupidity. And I'm not completely sure about the universe." -- Albert Einstein

> if this list is dead, is there another list dedicated for apache module
> developers?
Re: [users@httpd] Re: mod_ssl help
What I was trying to point to is this:

# openssl x509 -noout -in /etc/ssl/certs/TWCA_Root_Certification_Authority.pem -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        *Issuer: C=TW, O=TAIWAN-CA, OU=Root CA, CN=TWCA Root Certification Authority*
        Validity
            Not Before: Aug 28 07:24:33 2008 GMT
            Not After : Dec 31 15:59:59 2030 GMT
        Subject: C=TW, O=TAIWAN-CA, OU=Root CA, CN=TWCA Root Certification Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
.
.
.

as you can see the DN is comma separated not / separated

On Mon, Mar 4, 2013 at 9:41 AM, Michele Mase' wrote:
> The issuer dn is the same; the pem file is a ca bundle.
>
> On Sun, Mar 3, 2013 at 11:23 PM, Igor Cicimov wrote:
>>
>> On 04/03/2013 7:33 AM, "Michele Mase'" wrote:
>> >
>> > Anyone?
>> >
>> > On Fri, Mar 1, 2013 at 7:39 PM, Michele Mase' wrote:
>> >>
>> >> I'm testing a client authentication using:
>> >>
>> >> SSLCACertificateFile /path/to/pemfile.pem
>> >>
>> >> SSLVerifyClient require
>> >> SSLVerifyDepth 2
>> >> SSLOptions +StdEnvVars +ExportCertData
>> >> SSLRequire %{SSL_CLIENT_I_DN} eq "/C=US/O=acme/OU=acme/CN=acme"
>> >> /LocationMatch>
>> >>
>> >> I should use two different CA with the same DN (file /path/to/pemfile.pem)
>> >> When i try to use this configuration I receive:
>> >> Access totest denied for 10.10.10.10 (requirement expression not fulfilled)
>> >> Failed expression: %{SSL_CLIENT_I_DN} eq ...
>> >>
>> >> The only way it works is without the SSLRequire directive.
>> >> or
>> >> Using only one CA in the file (file /path/to/pemfile.pem)
>> >>
>> >> Some suggestions?
>> >>
>> >> Regards
>> >> Michele Masè
>> >
>> Please paste the output of
>>
>> # openssl x509 -noout -in /path/to/pemfile.pem -text
>>
>> so we know what are we talking about here. If multiple dn in the file why
>> are you trying to match one using eq then? Anyway, the above command will
>> show us the issuer dn string and you can see what are you doing wrong.
>>
>
Re: [users@httpd] Re: mod_ssl help
On Mon, Mar 4, 2013 at 10:42 AM, Igor Cicimov wrote:
> What I was trying to point to is this:
>
> # openssl x509 -noout -in
> /etc/ssl/certs/TWCA_Root_Certification_Authority.pem -text
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number: 1 (0x1)
> Signature Algorithm: sha1WithRSAEncryption
> *Issuer: C=TW, O=TAIWAN-CA, OU=Root CA, CN=TWCA Root
> Certification Authority*
> Validity
> Not Before: Aug 28 07:24:33 2008 GMT
> Not After : Dec 31 15:59:59 2030 GMT
> Subject: C=TW, O=TAIWAN-CA, OU=Root CA, CN=TWCA Root Certification
> Authority
> Subject Public Key Info:
> Public Key Algorithm: rsaEncryption
> Public-Key: (2048 bit)
> .
> .
> .
>
> as you can see the DN is coma separated not / separated
>

On the other hand when tested with "openssl s_connect" for one of my certificates it comes out as "issuer=/C=AU/ST=NSW/L=Sydney/" so sorry for the confusion, seems the / separator is correct. Anyway, what does the test "openssl s_client -ssl3 -connect server_name:443" show in your case?

>
> On Mon, Mar 4, 2013 at 9:41 AM, Michele Mase' wrote:
>
>> The issuer dn is the same; the pem file is a ca bundle.
>>
>> On Sun, Mar 3, 2013 at 11:23 PM, Igor Cicimov wrote:
>>
>>> On 04/03/2013 7:33 AM, "Michele Mase'" wrote:
>>> >
>>> > Anyone?
>>> >
>>> > On Fri, Mar 1, 2013 at 7:39 PM, Michele Mase' wrote:
>>> >>
>>> >> I'm testing a client authentication using:
>>> >>
>>> >> SSLCACertificateFile /path/to/pemfile.pem
>>> >>
>>> >> SSLVerifyClient require
>>> >> SSLVerifyDepth 2
>>> >> SSLOptions +StdEnvVars +ExportCertData
>>> >> SSLRequire %{SSL_CLIENT_I_DN} eq "/C=US/O=acme/OU=acme/CN=acme"
>>> >> /LocationMatch>
>>> >>
>>> >> I should use two different CA with the same DN (file /path/to/pemfile.pem)
>>> >> When i try to use this configuration I receive:
>>> >> Access totest denied for 10.10.10.10 (requirement expression not fulfilled)
>>> >> Failed expression: %{SSL_CLIENT_I_DN} eq ...
>>> >>
>>> >> The only way it works is without the SSLRequire directive.
>>> >> or
>>> >> Using only one CA in the file (file /path/to/pemfile.pem)
>>> >>
>>> >> Some suggestions?
>>> >>
>>> >> Regards
>>> >> Michele Masè
>>> >
>>> Please paste the output of
>>>
>>> # openssl x509 -noout -in /path/to/pemfile.pem -text
>>>
>>> so we know what are we talking about here. If multiple dn in the file
>>> why are you trying to match one using eq then? Anyway, the above command
>>> will show us the issuer dn string and you can see what are you doing wrong.
>>>
>>
>
RE: [users@httpd] Where are error logs created on windows?
Alright, starting httpd as administrator helped creating the file and resolved the issue. Thank you!

Thanks,
Pranav

> Date: Sun, 3 Mar 2013 15:20:25 -0500
> From: b...@indietorrent.org
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Where are error logs created on windows?
>
> On 3/3/2013 11:40 AM, Pranav Kumar Ojha wrote:
> > Hi all,
> >
> > I have recently installed latest version of Apache2.2 on windows 7. I am
> > operating as an administrator with username as 'adminuser' on this
> > machine. The apache webserver is installed at this location: 'C:\Program
> > Files\Apache Software Foundation\Apache2.2\' on this computer and all
> > folders have write permission for 'adminuser'.
> >
> > After installing Apache 2.2 I made sure the basic "It works!" page was
> > shown properly and the sample script which shows environment variables
> > also works fine, but when I use a python-based simple CGI script, I get
> > 'Internal Server error', although this script works fine when run
> > standalone. This script only takes in a name in a text box and says
> > hello to that name on 'Submit'.
> >
> > The main problem is that in logs folder, I do not see any access logs or
> > error logs being created for this internal server error in the logs
> > directory. My current 'LogLevel' is defined as "debug" in httpd.conf.
> >
> > *Why are error/access logs not being written in apache's "logs"
> > directory ? *
> > Log dir location: 'C:\Program Files\Apache Software
> > Foundation\Apache2.2\logs'
> >
> > Thanks,
> > Pranav
>
> How are you starting Apache? Are you running Apache as a service? Or are
> you starting it from the command-line?
>
> If you are running Apache as a service, then Apache will have the
> effective permissions of the account under which the service is running
> (not the permissions of your user account).
>
> If you are starting Apache from the command-line, then you need to be
> sure that you launch the command prompt (cmd.exe) with "Run as
> Administrator" and then start Apache, e.g., with "httpd --console".
>
> -Ben
>