[users@httpd] IPTABLES and Apache ProxyPass

2015-05-18 Thread Kevin Caliati
Hi everyone,

I posted my issue on stackoverflow but nobody answered me.


I have a webserver secured with iptables:

iptables -L -v
Chain INPUT (policy DROP 67 packets, 8002 bytes)
 pkts bytes target prot opt in  out source           destination
   62  4648 ACCEPT tcp  --  any any 192.168.200.0/24 anywhere    tcp dpt:ssh
    0     0 ACCEPT tcp  --  any any 192.168.200.0/24 anywhere    tcp dpt:ndmp
    0     0 ACCEPT tcp  --  any any anywhere         anywhere    tcp dpt:http
    0     0 ACCEPT tcp  --  any any anywhere         anywhere    tcp dpt:https
    0     0 ACCEPT all  --  lo  any anywhere         anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in  out source           destination

Chain OUTPUT (policy ACCEPT 30 packets, 4600 bytes)
 pkts bytes target prot opt in  out source           destination

I also have some ProxyPass and ProxyPassReverse configurations in httpd.conf 
file.

If I stop the iptables service, the ProxyPass configuration works, but when 
it's up it fails.

Which iptables configuration should I set?




Re: [users@httpd] IPTABLES and Apache ProxyPass

2015-05-18 Thread Greg Borbonus
Try setting the forward default policy to accept

Sent from mobile device. 832 576 5956. Please call me if you need an
immediate reply and excuse any and all typos.


Re: [users@httpd] IPTABLES and Apache ProxyPass

2015-05-18 Thread Lionel Fairon
You should enable stateful packet inspection on both INPUT and OUTPUT, as the 
communications between your reverse proxy and the origin server are not 
included in your rules: OUTPUT any, but responses (received on INPUT) are only 
accepted if sent to... port 80 or 443. Responses are sent to the original 
source port (>1024)

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT



Sent from my iPad


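To make the point above concrete, here is an added example (not from the thread) that models the posted INPUT chain with and without connection tracking, so you can see why the backend's reply to the proxy is dropped by the stateless rules and accepted once RELATED,ESTABLISHED traffic is matched; the proxy address 192.168.200.10, the backend 10.0.0.5:8080 and the ephemeral port 51234 are constructed for the demonstration.

```python
import ipaddress

# Constructed addresses: proxy 192.168.200.10, backend 10.0.0.5:8080.
# INPUT rules as posted: (proto, source network, destination port, target).
INPUT_RULES = [
    ("tcp", "192.168.200.0/24", 22, "ACCEPT"),     # ssh
    ("tcp", "192.168.200.0/24", 10000, "ACCEPT"),  # ndmp
    ("tcp", "0.0.0.0/0", 80, "ACCEPT"),            # http
    ("tcp", "0.0.0.0/0", 443, "ACCEPT"),           # https
]
INPUT_POLICY = "DROP"


def stateless_input(pkt, rules=INPUT_RULES, policy=INPUT_POLICY):
    """First-match walk of the posted INPUT chain, no connection tracking."""
    for proto, src_net, dport, target in rules:
        if (pkt["proto"] == proto
                and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(src_net)
                and pkt["dport"] == dport):
            return target
    return policy


def track_outbound(conntrack, pkt):
    """OUTPUT policy is ACCEPT; conntrack remembers the flow the proxy opened."""
    conntrack.add((pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))


def stateful_input(pkt, conntrack, rules=INPUT_RULES, policy=INPUT_POLICY):
    """INPUT chain with `-m state --state RELATED,ESTABLISHED -j ACCEPT`:
    a packet in the reply direction of a tracked flow is accepted, everything
    else falls through to the port-based rules."""
    forward_tuple = (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    if forward_tuple in conntrack:
        return "ACCEPT"
    return stateless_input(pkt, rules, policy)


def proxy_backend_reply(stateful):
    """ProxyPass flow: the proxy connects to the backend from an ephemeral port,
    then the backend's SYN/ACK arrives on INPUT. Returns that packet's verdict."""
    conntrack = set()
    out = {"proto": "tcp", "src": "192.168.200.10", "sport": 51234,
           "dst": "10.0.0.5", "dport": 8080}
    track_outbound(conntrack, out)
    reply = {"proto": "tcp", "src": "10.0.0.5", "sport": 8080,
             "dst": "192.168.200.10", "dport": 51234}
    return stateful_input(reply, conntrack) if stateful else stateless_input(reply)


if __name__ == "__main__":
    print("without conntrack:", proxy_backend_reply(False))  # DROP
    print("with conntrack:   ", proxy_backend_reply(True))   # ACCEPT
```

On the real host, appending the rule with -A as shown in the reply works because the posted chain contains no DROP or REJECT rules ahead of it; if such rules exist, insert it at the top with -I instead.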
RE: [users@httpd] Help - 2.2 to 2.4 migration onto new server failing

2015-05-18 Thread Hessel, Carl
Hi Jim,

"Turns out that it is - although it's not called IIS in Windows 2012."

So, what is it called in Windows 2012?

Carl

-Original Message-
From: Jim Walls [mailto:j...@k6ccc.org] 
Sent: Sunday, May 17, 2015 2:54 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Help - 2.2 to 2.4 migration onto new server failing

On 5/17/2015 11:31 AM, Kees Nuyt wrote:
> On Tue, 12 May 2015 14:28:23 -0700, you wrote:
>
>> IIS is NOT running - one of the first things I checked after 
>> installing windows.  I will NEVER run IIS and make sure it's dead 
>> right away.  Checked again and it did not resurrect itself from the dead.
> Oops, sorry, I should have read a bit more before replying :(
>

Turns out that it is - although it's not called IIS in Windows 2012.  
When I installed the OS onto brand new drives (so there is no possibility of 
some leftover from something previously installed), there is an option to 
install IIS services which I unchecked and had assumed that it really was not 
there.  There is nothing to indicate that IIS (by that name) is there either, 
but that functionality is there.  Found lots of on-line sources to indicate 
that it's there with instructions for removal - none have worked so far.  Still 
poking at it...

I will report here when I get it working right...

--
73
-
Jim Walls - K6CCC
j...@k6ccc.org




-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org





Re: [users@httpd] Help - 2.2 to 2.4 migration onto new server failing

2015-05-18 Thread Robert Webb
I just read somewhere about 2012 having something called "Microsoft 
Deployment Service" running on port 80. Apparently it was not showing up 
anywhere, but one person got rid of it by:


sc stop "MsDepSvc"
sc config "MsDepSvc" start= disabled

Might give it a try.





[users@httpd] Re: Why is "Act As Part of the Operating System" needed for Apache on Windows?

2015-05-18 Thread CE
No takers? Somebody here must use Apache on windows...
On Thu, May 14, 2015 at 2:55 PM CE  wrote:

> Hi Everyone,
>
> This is my first time here, so if I'm doing this wrong please correct me
> so that I learn. (Be gentle.)
>
> I have a question about running Apache httpd 2.4.x on Windows Server 2008
> R2. I searched everywhere online for an answer and read the manuals, but
> the most info I got was that someone posed this question here 11 years ago
> and there was no reply. (Copied below.)
>
>
> The Apache 2.4 documentation recommends creating a new user for httpd that
> has "Log on as a service" AND "Act as part of the operating system" rights.
>
> My question is, why is "act as part of the operating system" needed? It is
> a very high risk permission.
>
> I ran Apache without this right and it seems to work fine. What feature
> needs it? I don't want the server to suddenly fail on me, but I also don't
> understand why it is "required." Help?
>
>
>
>   MORE DETAIL, IF YOU WANT 
>
> The "Act as part of the operating system" permission is a high risk
> permission. Programs with this access can impersonate any user on the
> entire computer, thereby getting full access to any file. It is basically
> the Windows equivalent of root.
>
> My concern here is that setting read/write/execute permissions for the
> Apache user is effectively meaningless because of that capability. And more
> importantly, should the server get compromised for any reason (e.g., a
> client somehow convincing the httpd service to execute harmful code due to
> a configuration mistake), the attacker would be able to do literally
> anything if they impersonate as an Administrator.
>
> On Linux, Apache runs a service to bind to port 80 (or whichever) as root,
> but the web-serving sub-processes run as limited users, so this isn't an
> issue there. On IIS, the sites run as site specific users ("application
> pool" users), so even if the server/site is compromised, the attacker has
> no permissions to do anything beyond affect the specific site files.
>
> On Apache for Windows, it seems that the whole thing is run under the
> equivalent of root. I'm nervous to do that. In fact, Microsoft specifically
> recommends AGAINST providing "Act as part of the operating system" to any
> users.
>
> Apache recommending a new user with the permission:
> https://httpd.apache.org/docs/2.4/platform/windows.html
>
> Microsoft recommending against it:
> https://msdn.microsoft.com/en-us/subscriptions/dn221957(v=ws.10).aspx
>
>
>
> --- EMAIL I FOUND IN THE ARCHIVES THAT WAS NEVER ANSWERED 
>
> (Can be seen online here:
> http://httpd.markmail.org/search/?q=%22act+as+part+of+the+operating+system%22+why#query:%22act%20as%20part%20of%20the%20operating%20system%22%20why+page:1+mid:v3nkvtddxoumjaoo+state:results
> )
>
> Jan 12, 2004
>
>
> Hey everyone,
>
> Have a question about the "User rights assignment" in windows. In the
> apache docs they recommend (when running apache as a service) to create a
> new user account for the apache service and to grant this new user "Log on
> as a service and Act as part of the operating system" privileges. Our
> apache test server seems to run fine without "Act as part of the operating
> system". Why is this right needed? It seems to be more than necessary.
> Maybe we have the module that needs this right disabled. Can anyone see any
> reason to enable this right?
>
> Here is the apache doc that talks about this
> http://httpd.apache.org/docs-2.0/platform/windows.html#winsvc
>
> Here is the Microsoft description of *Act as part of the operating system*
>>
>> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winxppro/proddocs/525.asp
>>
>> Thanks, Ryan
>> *Ryan Johnson Security Architect ESP Group  *
>
>


[users@httpd] Proxy pass fails with Spring Security

2015-05-18 Thread Reid Watson
Hi Everyone, 

I was hoping someone could shed some light on the issue I’m receiving 

Issue 

Proxy pass to https://uccx-pri.auckland.ac.nz:8444/cuic/j_spring_security_check 
timeouts / hangs with a connection issue 

Log Snippet 

Access Log 

uccx-reports.dev.auckland.ac.nz: 127.0.0.1 - - [15/May/2015:17:20:42 +1200] 
"POST /cuic/j_spring_security_check?originalUrl= HTTP/1.1" 302 - 
"https://uccx-reports.dev.auckland.ac.nz/cuic/Login.htmx"; "Mozilla/5.0 
(Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0"

Rewrite Log

127.0.0.1 - - 
[uccx-reports.dev.auckland.ac.nz/sid#7f275a8c8210][rid#7f2708002b20/initial] 
setting env variable 'host' to 'uccx-pri.auckland.ac.nz', referer: 
https://uccx-reports.dev.auckland.ac.nz/cuic/Login.htmx
127.0.0.1 - - 
[uccx-reports.dev.auckland.ac.nz/sid#7f275a8c8210][rid#7f2708002b20/initial] 
forcing proxy-throughput with 
https://uccx-pri.auckland.ac.nz:8444/cuic/j_spring_security_check, referer: 
https://uccx-reports.dev.auckland.ac.nz/cuic/Login.htmx
127.0.0.1 - - 
[uccx-reports.dev.auckland.ac.nz/sid#7f275a8c8210][rid#7f2708002b20/initial] 
go-ahead with proxy request 
proxy:https://uccx-pri.auckland.ac.nz:8444/cuic/j_spring_security_check [OK], 
referer: https://uccx-reports.dev.auckland.ac.nz/cuic/Login.htmx

Rewrite rule is very basic 


ServerName https://uccx-reports.dev.auckland.ac.nz


RewriteRule .* https://uccx-pri.auckland.ac.nz:8444$0 
[L,P,QSA,E=host:uccx-pri.auckland.ac.nz]

Notes 

Bypassing Apache to Authenticate via Spring Security works correctly 
https://uccx-pri.auckland.ac.nz:8444/cuic/Login.htmx 

I don’t have direct access to the backend server but would like to know if someone 
has come across a similar issue?





