Re: [users@httpd] Redirection via HTTPS

2015-02-08 Thread Chris Arnold

On Feb 8, 2015, at 1:38 AM, YUSUI T <yusui.tomik...@gmail.com> wrote:


The error.log says nothing.

Next, I exchanged  for the "Redirect". But it shows the 
following errors.

You probably could have left that entry in and just added the Redirect 
statement (not sure what flavor of OS you are using).

root@hostname:~# tail -n 6 /etc/apache2/mods-available/ssl.conf

ServerName www.mydomain.com
Redirect / https://www.mydomain.com/


# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
root@hostname:~# service apache2 restart
 * Restarting web server apache2
Action 'start' failed.
The Apache error log may have more information.
 [fail]
 * The apache2 instance did not start within 20 seconds. Please read the log 
files to discover problems
root@hostname:~# tail -n 5 /var/log/apache2/error.log
[Sun Feb 08 06:12:22.767055 2015] [mpm_prefork:notice] [pid 5874] AH00169: 
caught SIGTERM, shutting down
[Sun Feb 08 06:12:23.818133 2015] [ssl:emerg] [pid 5950] AH02240: Server should 
be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] 
((null):0)
[Sun Feb 08 06:12:23.818204 2015] [ssl:emerg] [pid 5950] AH02312: Fatal error 
initialising mod_ssl, exiting.
[Sun Feb 08 06:14:23.209329 2015] [ssl:emerg] [pid 6028] AH02240: Server should 
be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] 
((null):0)
[Sun Feb 08 06:14:23.209419 2015] [ssl:emerg] [pid 6028] AH02312: Fatal error 
initialising mod_ssl, exiting.

Add Debug to your loglevel and try to restart. That should give a little more 
info.


[users@httpd] Integrating Apache customlog with mod_security errorlog

2015-02-08 Thread Kianoosh Kashefi
I've set up apache 2.2 and mod_security 2 on a centos 6 machine. As
you know, mod_security produces its own kind of error log file, whose
output is something like:

[Sun Feb 08 13:53:25 2015] [error] [client 192.168.22.90] ModSecurity:
 [file 
"/etc/httpd/conf.d/mod_security2/base_rules/modsecurity_crs_30_http_policy.conf"]
[line "31"] [id "960032"] [rev "2"] [msg "Method is not allowed by
policy"] [data "GET"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"]
[maturity "9"] [accuracy "9"] [tag
"OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag
"OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"] Access
denied with code 403 (phase 1). Match of "within
%{tx.allowed_methods}" against "REQUEST_METHOD" required. [hostname
"192.168.110.13"] [uri "/favicon.ico"] [unique_id
"VNc5HcCoFt0AACRCAkcD"]

I need this log plus several further parameters which are : Client
port and ip, server port and ip and user-agent info which can be
easily set to be written in another log file like this:

LogFormat "[Remote_Address \"%{REMOTE_ADDR}M\"] [Remote_Port \"%{REMOTE_PORT}M\"] [Server_Address \"%{SERVER_ADDR}M\"] [Server_Port \"%{SERVER_PORT}M\"] [User_Agent \"%{User-agent}i\"]\n" custom-format-1

CustomLog logs/error-v.log custom-format-1

which returns :

[Remote_Address "192.168.22.90"] [Remote_Port "55025"] [Server_Address
"192.168.110.13"] [Server_Port ""] [User_Agent "Mozilla/5.0 (X11;
Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/40.0.2214.93 Safari/537.36"]

but the problem is that I want both these logs in the same file and I
have tried to write both logs into the same file in apache httpd.conf
but they are written into two separate lines (like a "\n" is used in
the end of mod_security error log) which for my particular use is
unacceptable.

What should I do to get both logs in the same file and in a single line of text?

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
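
One way to end up with a single line per event is to join the two logs afterwards on the request's unique ID. This is an added example, not part of the original post or of ModSecurity; it assumes the custom LogFormat is extended with a `[Unique_Id \"%{UNIQUE_ID}e\"]` field (mod_unique_id), which the format quoted above does not contain, and the sample lines are constructed from the ones in the post.

```python
import re

# [key "value"] pairs, the shape used by both the ModSecurity error-log
# entry and the bracketed custom log format quoted in the post.
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

def fields(line):
    """Return {key: [values]} for every [key "value"] pair in a log line."""
    out = {}
    for key, value in FIELD.findall(line):
        out.setdefault(key.lower(), []).append(value)
    return out

def merge(modsec_lines, custom_lines):
    """Append to each ModSecurity entry the custom-log entry of the same request."""
    by_id = {}
    for line in custom_lines:
        for uid in fields(line).get("unique_id", []):
            by_id[uid] = line.strip()
    merged = []
    for line in modsec_lines:
        uid = fields(line).get("unique_id", [None])[0]
        # Entries with no partner are kept and marked, never dropped
        extra = by_id.get(uid, '[Correlation "unmatched"]')
        merged.append(" ".join(f"{line} {extra}".split()))  # exactly one line
    return merged

# Constructed sample input, shortened from the lines in the post. The
# Unique_Id field in the custom log is the assumed addition.
MODSEC = [
    '[Sun Feb 08 13:53:25 2015] [error] [client 192.168.22.90] ModSecurity: '
    '[id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] '
    'Access denied with code 403 (phase 1). [hostname "192.168.110.13"] '
    '[uri "/favicon.ico"] [unique_id "VNc5HcCoFt0AACRCAkcD"]\n',
]
CUSTOM = [
    '[Remote_Address "192.168.22.90"] [Remote_Port "55025"] '
    '[Server_Address "192.168.110.13"] [User_Agent "Mozilla/5.0 (X11; Linux x86_64)"] '
    '[Unique_Id "VNc5HcCoFt0AACRCAkcD"]\n',
]

if __name__ == "__main__":
    for row in merge(MODSEC, CUSTOM):
        print(row)
```
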



Re: [users@httpd] Redirection via HTTPS

2015-02-08 Thread YUSUI T
2015-02-08 20:30 GMT+09:00 Chris Arnold :

> You probably could have left that entry in and just added the Redirect 
> statement (not sure what flavor of OS you are using).

The OS I am using is Ubuntu 14.04.1 LTS (GNU/Linux 2.6.32-042stab093.5 x86_64).

> root@hostname:~# tail -n 6 /etc/apache2/mods-available/ssl.conf
> 
> ServerName www.mydomain.com
> Redirect / https://www.mydomain.com/
> 
>
> # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
> root@hostname:~# service apache2 restart
>  * Restarting web server apache2  
>   Action 'start' failed.
> The Apache error log may have more information.
>  
> [fail]
>  * The apache2 instance did not start within 20 seconds. Please read the log 
> files to discover problems
> root@hostname:~# tail -n 5 /var/log/apache2/error.log
> [Sun Feb 08 06:12:22.767055 2015] [mpm_prefork:notice] [pid 5874] AH00169: 
> caught SIGTERM, shutting down
> [Sun Feb 08 06:12:23.818133 2015] [ssl:emerg] [pid 5950] AH02240: Server 
> should be SSL-aware but has no certificate configured [Hint: 
> SSLCertificateFile] ((null):0)
> [Sun Feb 08 06:12:23.818204 2015] [ssl:emerg] [pid 5950] AH02312: Fatal error 
> initialising mod_ssl, exiting.
> [Sun Feb 08 06:14:23.209329 2015] [ssl:emerg] [pid 6028] AH02240: Server 
> should be SSL-aware but has no certificate configured [Hint: 
> SSLCertificateFile] ((null):0)
> [Sun Feb 08 06:14:23.209419 2015] [ssl:emerg] [pid 6028] AH02312: Fatal error 
> initialising mod_ssl, exiting.
>
>
> Add Debug to your loglevel and try to restart. That should give a little more 
> info.

I exchanged "LogLevel warn" for "LogLevel debug" in /etc/apache2/apache2.conf.
And I restarted apache.

root@hostname:~# service apache2 restart
 * Restarting web server apache2
 Action 'start' failed.
The Apache error log may have more information.
 [fail]
 * The apache2 instance did not start within 20 seconds. Please read
the log files to discover problems
root@hostname:~# tail -n 3 /var/log/apache2/error.log
[Sun Feb 08 13:31:27.595792 2015] [ssl:info] [pid 7124] AH02200:
Loading certificate & private key of SSL-aware server
'www.mydomain.com:443'
[Sun Feb 08 13:31:27.595843 2015] [ssl:emerg] [pid 7124] AH02240:
Server should be SSL-aware but has no certificate configured [Hint:
SSLCertificateFile] ((null):0)
[Sun Feb 08 13:31:27.595849 2015] [ssl:emerg] [pid 7124] AH02312:
Fatal error initialising mod_ssl, exiting.
root@hostname:~#

It looks like I could get only one line of [ssl:info] in addition to the previous log.

Yusui




[users@httpd] Update on password-protected directory problem

2015-02-08 Thread Steve Matzura
I found the problem, but can't explain it.

In my original site-specific .conf file I had a directory block giving
access to a directory that does not exist. It was a holdover from the
old system that was not duplicated/replicated on the new one. The odd
thing is that Apache didn't complain about the directory itself not
existing. What it did, though, was to let anyone in to the directory
block immediately preceding it, which *is* password-protected. When I
removed the directory block pointing to the non-existent directory,
the password-protected one displayed the normal username-and-password
access dialog as it should. Very odd.




[users@httpd] why Apache strip html data attribute ???

2015-02-08 Thread A. Lotfi
Hi,
I am not an Apache expert, I am just a Java and HTML developer. I wrote a lot of
code using HTML data attributes, but I was surprised that Apache swallows or
strips them. I went to this page:

mod_proxy_html - Apache HTTP Server Version 2.4



somewhere it said :
If the first form is used, mod_proxy_html will also clean up the HTML to the 
specified standard. It cannot fix every error, but it will strip out bogus 
elements and attributes.


please help me.
thanks.
Abdel
The nature of promises is that they remain immune to changing circumstances.
Frank Underwood, ‘House of Cards’


Re: [users@httpd] why Apache strip html data attribute ???

2015-02-08 Thread Yehuda Katz
HTML 4.01 and XHTML 1.0 don't support the data- attributes since they were
added in HTML5, so stripping them out is the correct behavior.
If that is not what you want it to do, don't set that directive.

- Y

On Sun, Feb 8, 2015 at 12:15 PM, A. Lotfi wrote:

> Hi,
>
> I am not an Apache expert, I am just a Java and HTML developer. I wrote
> a lot of code using HTML data attributes, but I was surprised that Apache
> swallows or strips them. I went to this page:
>
>
> mod_proxy_html - Apache HTTP Server Version 2.4
>
> somewhere it said :
>
> If the first form is used, mod_proxy_html will also clean up the HTML to
> the specified standard. It cannot fix every error, but it will strip out
> bogus elements and attributes.
>
>
>
> please help me.
> thanks.
>
> Abdel
>
> The nature of promises is that they remain immune to changing
> circumstances.
> Frank Underwood, ‘House of Cards’
>


Re: [users@httpd] Redirection via HTTPS

2015-02-08 Thread Chris Arnold

> Server should be SSL-aware but has no certificate configured [Hint:
> SSLCertificateFile] ((null):0)
> [Sun Feb 08 13:31:27.595849 2015] [ssl:emerg] [pid 7124] AH02312:
> Fatal error initialising mod_ssl, exiting.

Are you sure you have a cert configured? Double check ssl config




Re: [users@httpd] Redirection via HTTPS

2015-02-08 Thread Yann Ylavic
On Sun, Feb 8, 2015 at 7:36 AM, YUSUI T  wrote:
>
> root@hostname:~# tail -n 6 /etc/apache2/mods-available/ssl.conf
> 
> ServerName www.mydomain.com
> Redirect / https://www.mydomain.com/
> 

You probably want to redirect to https when the request is plain http, hence :
  
above.




Re: [users@httpd] Redirection via HTTPS

2015-02-08 Thread Yann Ylavic
On Sun, Feb 8, 2015 at 9:03 PM, Yann Ylavic  wrote:
> On Sun, Feb 8, 2015 at 7:36 AM, YUSUI T  wrote:
>>
>> root@hostname:~# tail -n 6 /etc/apache2/mods-available/ssl.conf
>> 
>> ServerName www.mydomain.com
>> Redirect / https://www.mydomain.com/
>> 
>
> You probably want to redirect to https when the request is plain http, hence :
>   
> above.

Sorry, I completely misread your issue, please ignore this.




[users@httpd] Any Comparisons? -- mod_wl vs mod_proxy vs mod_jk

2015-02-08 Thread Todd Simons
Hello All
We've been using the generic mod_proxy for years.   We utilize Apache to
layer in HTTPS from the world into our DMZ, then utilize
proxypass/proxypassreverse to our internal servers.  Our internal servers
vary between iis, weblogic, tomcat, and a few others.

mod_proxy has been working great for us.

Recently I've been asked why not mod_wl and mod_jk.   I really have no
answer and I haven't been able to find much online with regards to
advantages of one vs another.

Has anyone seen, or have, any links that can help outline the difference?

Thanks,
~Todd


Re: [users@httpd] Any Comparisons? -- mod_wl vs mod_proxy vs mod_jk

2015-02-08 Thread Daniel
2015-02-09 2:22 GMT+01:00 Todd Simons :

> Hello All
> We've been using the generic mod_proxy for years.   We utilize Apache to
> layer in HTTPS from the world into our DMZ, then utilize
> proxypass/proxypassreverse to our internal servers.  Our internal servers
> vary between iis, weblogic, tomcat, and a few others.
>
> mod_proxy has been working great for us.
>
> Recently I've been asked why not mod_wl and mod_jk.   I really have no
> answer and I haven't been able to find much online with regards to
> advantages of one vs another.
>
> Has anyone seen, or have, any links that can help outline the difference?
>
> Thanks,
> ~Todd
>


I can tell you a bit about the weblogic plugin.

Latest versions include WLSRequest directive that, according to its
documentation:
* Lower web server processing overhead in general
* Resolves substantial performance degradation when the web server
DocumentRoot is on a slow filesystem
* Resolves 403 errors for URIs which cannot be mapped to the filesystem due
to the filesystem length restrictions

Among the interesting things it offers, the weblogic plugin dynamically updates
the weblogic cluster members on first connection, no matter if you didn't
specify all members of the cluster.

For all related info I would suggest you check the documentation page
which describes everything it can do:
http://docs.oracle.com/middleware/1213/webtier/PLGWL/toc.htm

In any case, if you are happy with your actual solution, why change?


-- 
*Daniel Ferradal*
IT Specialist

email dferra...@gmail.com
linkedin es.linkedin.com/in/danielferradal


Re: [users@httpd] Redirection via HTTPS

2015-02-08 Thread Daniel
2015-02-08 21:15 GMT+01:00 Yann Ylavic :

> On Sun, Feb 8, 2015 at 9:03 PM, Yann Ylavic  wrote:
> > On Sun, Feb 8, 2015 at 7:36 AM, YUSUI T 
> wrote:
> >>
> >> root@hostname:~# tail -n 6 /etc/apache2/mods-available/ssl.conf
> >> 
> >> ServerName www.mydomain.com
> >> Redirect / https://www.mydomain.com/
> >> 
> >
> > You probably want to redirect to https when the request is plain http,
> hence :
> >   
> > above.
>
> Sorry, I completely misread your issue, please ignore this.
>
This is the list of virtualhosts you need. It could be reduced, but for
educational purposes here is how all virtualhosts should look to represent
your scenario more or less as I have understood you were asking. As you
will see there is no need for mod_rewrite at all for this case.

I assumed you want to redirect port 80 to SSL too, if not, ignore the first
non-ssl virtualhost examples.

###
# domain.com port 80 redirects to SSL www.domain.com
<VirtualHost *:80>
ServerName domain.com
DocumentRoot /path/to/docroot
Redirect / https://www.domain.com/
</VirtualHost>

###
# www.domain.com port 80 redirects to SSL www.domain.com
<VirtualHost *:80>
ServerName www.domain.com
DocumentRoot /path/to/docroot
Redirect / https://www.domain.com/
</VirtualHost>

###
# domain.com port 443 SSL redirects to SSL www.domain.com
<VirtualHost *:443>
ServerName domain.com
DocumentRoot /path/to/docroot
SSLEngine on
SSLCertificateKeyFile /my/path/to/domain.com.key
SSLCertificateFile /my/path/do/domain.com.crt
Redirect / https://www.domain.com/
</VirtualHost>


# www.domain.com port 443 SSL
<VirtualHost *:443>
ServerName www.domain.com
DocumentRoot /path/to/docroot
SSLEngine on
SSLCertificateKeyFile /my/path/to/www.domain.com.key
SSLCertificateFile /my/path/do/www.domain.com.crt

###
# And your actual configuration from here on

</VirtualHost>

Hope this helps

-- 
*Daniel Ferradal*
IT Specialist

email dferra...@gmail.com
linkedin es.linkedin.com/in/danielferradal
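
A pre-restart check for the condition behind AH02240 in this thread, written against the per-virtualhost layout of the reply above. This is an added example, not code from the thread or from the httpd project; it assumes every SSL virtual host carries its own SSLCertificateFile rather than inheriting one from the global configuration, and the sample configuration is constructed.

```python
import re

OPEN = re.compile(r'^<VirtualHost\s+([^>]+)>', re.I)
CLOSE = re.compile(r'^</VirtualHost>', re.I)

def ssl_vhosts_without_cert(conf_text):
    """Return (ServerName, address) for each virtual host that has
    SSLEngine on but no SSLCertificateFile directive of its own."""
    problems, block = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = OPEN.match(line)
        if m:
            block = {"addr": m.group(1).strip(), "directives": {}}
        elif CLOSE.match(line) and block is not None:
            d = block["directives"]
            if d.get("sslengine", "").lower() == "on" and "sslcertificatefile" not in d:
                problems.append((d.get("servername", "?"), block["addr"]))
            block = None
        elif block is not None:
            parts = line.split(None, 1)  # directive name, then its arguments
            block["directives"][parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return problems

# Constructed sample: the second block is SSL-aware but has no certificate.
SAMPLE = """
<VirtualHost *:80>
    ServerName www.domain.com
    Redirect / https://www.domain.com/
</VirtualHost>
<VirtualHost *:443>
    ServerName domain.com
    SSLEngine on
    Redirect / https://www.domain.com/
</VirtualHost>
<VirtualHost *:443>
    ServerName www.domain.com
    SSLEngine on
    SSLCertificateKeyFile /my/path/to/www.domain.com.key
    SSLCertificateFile /my/path/to/www.domain.com.crt
</VirtualHost>
"""

if __name__ == "__main__":
    for name, addr in ssl_vhosts_without_cert(SAMPLE):
        print(f"{name} ({addr}): SSLEngine on but no SSLCertificateFile")
```
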


AW: [users@httpd] Any Comparisons? -- mod_wl vs mod_proxy vs mod_jk

2015-02-08 Thread Andre.Wendel
Hello,

mod_wl has some advantages that mod_proxy does not support, i.e. mod_proxy
normally does only a ping to check if a backend server is available, which normally
works in 99% of cases even if the web application behind it is not available, so it is
possible that mod_proxy routes the request to /backend even if /backend is not
yet available, because the application server has not loaded the application
yet.

This means mod_wl does a little bit more than just checking if the backend
server is available via ping; it even checks if the backend URL gives a working
response. Also, mod_wl gets information about all the current cluster members
within the session cookie, so if a server is not available anymore it directly
knows which cluster members the plugin can forward the request to. Also, to
simulate the load balancing with mod_proxy in front of a weblogic, this must be
done via a ROUTE_ID within the Apache and cannot be done via the sessionid
like it is done with Glassfish or Tomcat.

But it also currently has some disadvantages, i.e. certificate handling via
oracle wallets.

Currently all our instances are running with mod_proxy and we normally have no
problems, only in the case where an application on ONE cluster member breaks, so that
the application server is still available but not the application, so in this
case the only feature I’m currently missing within mod_proxy is a check URL
feature.

Cheers,
André

From: Daniel [mailto:dferra...@gmail.com]
Sent: Monday, 9 February 2015 08:13
To: 
Subject: Re: [users@httpd] Any Comparisons? -- mod_wl vs mod_proxy vs mod_jk



2015-02-09 2:22 GMT+01:00 Todd Simons <tsimons@gmail.com>:
Hello All
We've been using the generic mod_proxy for years.   We utilize Apache to layer 
in HTTPS from the world into our DMZ, then utilize proxypass/proxypassreverse 
to our internal servers.  Our internal servers vary between iis, weblogic, 
tomcat, and a few others.

mod_proxy has been working great for us.

Recently I've been asked why not mod_wl and mod_jk.   I really have no answer 
and I haven't been able to find much online with regards to advantages of one 
vs another.

Has anyone seen, or have, any links that can help outline the difference?

Thanks,
~Todd


I can tell you a bit about the weblogic plugin.

Latest versions include WLSRequest directive that, according to its 
documentation:
* Lower web server processing overhead in general
* Resolves substantial performance degradation when the web server DocumentRoot 
is on a slow filesystem
* Resolves 403 errors for URIs which cannot be mapped to the filesystem due to 
the filesystem length restrictions

Among the interesting things it offers, the weblogic plugin dynamically updates the
weblogic cluster members on first connection, no matter if you didn't specify
all members of the cluster.

For all related info I would suggest you check the documentation page which
describes everything it can do:
http://docs.oracle.com/middleware/1213/webtier/PLGWL/toc.htm

In any case, if you are happy with your actual solution, why change?


--
Daniel Ferradal
IT Specialist

email dferra...@gmail.com
linkedin es.linkedin.com/in/danielferradal