[users@httpd] Apache 2.2 and tls 1.2
New certs will successfully install on Apache 2.2 but browsers now complain as they are not tls 1.2 compliant: https://www.ssllabs.com/ssltest/analyze.html?d=mail.gg-law.com&hideResults=on

So, my consultant said we needed to change Apache to use mod_nss instead of mod_ssl to enable TLS. Install mod_nss to the current apache replacing mod_ssl which supports tls 1.2.

However, apache2-mod_nss and dependency mozilla-nss-tools installed fine but the problem is that someplace along the way in updates the behavior changed. What is supposed to happen is that the migration script should snag the ssl certs and create a database in /etc/apache2/mod_nss.conf consisting of three files, cert8.db, key3.db and secmod.db but instead it seems that we have newer versions of mozilla-nss-tools which create instead the files cert9.db, key4.db and pkcs11.txt, despite all types of documentation referring to the first version.

So I think that the certs are in fact getting imported to the new nss db, and I figured out what to change in the apache config file to tell it to look there for the cert when it starts up, but it fails to start and conveniently leaves no error message other than failed to load. I tried using earlier versions of apache2-mod_nss and mozilla-nss-tools in the hope that it might match the documented behavior but no. So I'm stuck at this point.

Is there anything else I can try here? Bottom line is to get apache2-mod_nss configured and I think we'll be good to go.

Thanks,
Tom
Re: [users@httpd] Apache 2.2 and tls 1.2
On 7/23/20 4:41 PM, Tom Jubb wrote:
> New certs will successfully install on Apache 2.2

Apache 2.2 ? That was End of Life a while ago. You have a bigger problem. Migrate to 2.4.43 and then deal with certs and such.

--
Dennis Clarke
RISC-V/SPARC/PPC/ARM/CISC
UNIX and Linux spoken
GreyBeard and suspenders optional

- To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] Apache 2.2 and tls 1.2
Understood. Just trying to exhaust all possible solutions before doing an OS upgrade.

We need to change Apache to use mod_nss instead of mod_ssl to enable TLS. This used to work just fine (I've installed this on OES/SLES11), and you will in fact find it discussed here: https://support.microfocus.com/kb/doc.php?id=7016828# but unfortunately the other pages referenced in that article are broken links, another side effect of MicroFocus's ingestion of SUSE and Novell etc.

Apparently, at some point since that TID was written, upstream updates to mod_nss changed the way it works in that the related tools create the nss certificate database in a different format by default (sqlite), and Apache doesn't seem to be willing to read it. There's probably a straightforward way around this, but it seems to be missing from the current documentation.

Perhaps this question is better brought up in a SuSE listserv and not the general Apache listserv.

From: Dennis Clarke
Sent: Thursday, July 23, 2020 12:59 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Apache 2.2 and tls 1.2

On 7/23/20 4:41 PM, Tom Jubb wrote:
> New certs will successfully install on Apache 2.2

Apache 2.2 ? That was End of Life a while ago. You have a bigger problem. Migrate to 2.4.43 and then deal with certs and such.

--
Dennis Clarke
RISC-V/SPARC/PPC/ARM/CISC
UNIX and Linux spoken
GreyBeard and suspenders optional
[users@httpd] Disabling access for git to specific Directory with Apache Basic Authentication
I have git set up with my Apache2 server and it serves git requests just fine. Now I want to set up Basic Authentication for this, so not everybody can use every directory.

My goal is that only the ADMIN group has access to the complete `/var/www/html/git` directory and my GITGROUP can access *only* `/var/www/html/git/subdir` directories. However, while Apache is asking for credentials, with the setup (below) GITGROUP is still allowed to access *all* git directories. What am I doing wrong?

|SetEnv GIT_PROJECT_ROOT /var/www/html/git
SetEnv GIT_HTTP_EXPORT_ALL
ScriptAlias /git/ /usr/lib/git-core/git-http-backend/

Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
AuthType Basic
AuthName "Authentication Required"
AuthUserFile "/etc/apache2/.htpasswd"
AuthGroupFile "/etc/apache2/groups"
Require group ADMIN GITGROUP
Order allow,deny
Allow from all

AuthType Basic
AuthName "Authentication Required"
AuthUserFile "/etc/apache2/.htpasswd"
AuthGroupFile "/etc/apache2/groups"
Require group ADMIN
Options -Indexes
Order allow,deny
Allow from all

AuthType Basic
AuthName "Authentication Required"
AuthUserFile "/etc/apache2/.htpasswd"
AuthGroupFile "/etc/apache2/groups"
Require group ADMIN GITGROUP
Options -Indexes
Order allow,deny
Allow from all
|
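An added example, not part of the original post or of any reply in the thread: git-http-backend is a CGI reached through ScriptAlias, so a request under /git/ is authorized by the sections that match the script or the request URL, and sections keyed to the repository path on disk are not consulted for it. The sketch below scopes the two groups by URL with LocationMatch; paths, file names and group names are the ones from the post, while the LocationMatch layout is this example's own assumption about how to express the stated goal.

```apache
# Added example (not from the post). Paths, groups and file names are the
# ones quoted in the post; the LocationMatch layout is this example's own.
SetEnv GIT_PROJECT_ROOT /var/www/html/git
SetEnv GIT_HTTP_EXPORT_ALL
ScriptAlias /git/ /usr/lib/git-core/git-http-backend/

# The CGI directory only has to permit execution; no group decision here.
# Order/Allow mirror the post (2.2 syntax; 2.4 needs mod_access_compat).
<Directory "/usr/lib/git-core">
    Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
    Order allow,deny
    Allow from all
</Directory>

# Default for every repository URL: ADMIN only.
<LocationMatch "^/git/">
    AuthType Basic
    AuthName "Authentication Required"
    AuthUserFile "/etc/apache2/.htpasswd"
    AuthGroupFile "/etc/apache2/groups"
    Require group ADMIN
</LocationMatch>

# Must come after the block above: for URLs under /git/subdir/ this later
# section is merged last, so its Require replaces the ADMIN-only rule.
# The trailing slash keeps a sibling such as /git/subdir-other/ out of it.
<LocationMatch "^/git/subdir/">
    AuthType Basic
    AuthName "Authentication Required"
    AuthUserFile "/etc/apache2/.htpasswd"
    AuthGroupFile "/etc/apache2/groups"
    Require group ADMIN GITGROUP
</LocationMatch>
```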
Re: [users@httpd] Disabling access for git to specific Directory with Apache Basic Authentication
On Thursday 23 July 2020 at 22:13:38, qv...@gmx.de wrote:

> I have git set up with my Apache2 server and it serves git requests just
> fine. Now I want to set up Basic Authentication for this, so not
> everybody can use every directory. My goal is that only the ADMIN group
> has access to the complete `/var/www/html/git` directory and my GITGROUP
> can access *only* `/var/www/html/git/subdir` directories. However, while
> Apache is asking for credentials, with the setup (below) GITGROUP is
> still allowed to access *all* git directories. What am I doing wrong?

Maybe you could post the following in a more readable format so we have a better idea of how to help?

> |SetEnv GIT_PROJECT_ROOT /var/www/html/git SetEnv GIT_HTTP_EXPORT_ALL
> ScriptAlias /git/ /usr/lib/git-core/git-http-backend/ /usr/lib/git-core> Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
> AuthType Basic AuthName "Authentication Required" AuthUserFile
> "/etc/apache2/.htpasswd" AuthGroupFile "/etc/apache2/groups" Require
> group ADMIN GITGROUP Order allow,deny Allow from all
> AuthType Basic AuthName "Authentication
> Required" AuthUserFile "/etc/apache2/.htpasswd" AuthGroupFile
> "/etc/apache2/groups" Require group ADMIN Options -Indexes Order
> allow,deny Allow from all /var/www/html/git/subdir> AuthType Basic AuthName "Authentication
> Required" AuthUserFile "/etc/apache2/.htpasswd" AuthGroupFile
> "/etc/apache2/groups" Require group ADMIN GITGROUP Options -Indexes
> Order allow,deny Allow from all |

Antony.

--
"640 kilobytes (of RAM) should be enough for anybody." - Bill Gates

Please reply to the list; please *don't* CC me.
RE: [users@httpd] Apache mod_autoindex and mod_deflate (gzip). Can't get pages compressed
Hi all!

Did my email go to the mail list successfully? I am just not sure.

Thanks!

--
Regards, Art

-Original Message-
From: Artem [mailto:e...@mail.ru.INVALID]
Sent: 18 July 2020 13:59 PM
To: users@httpd.apache.org
Subject: [users@httpd] Apache mod_autoindex and mod_deflate (gzip). Can't get pages compressed

Hi folks!

I came across an issue I can't fix. I have Apache/2.4.43 OpenSSL/1.1.1g with mod_autoindex (showing directory listings instead of index.html) and with mod_deflate. I was able to get content gzipped, but only if they are files with extensions (e.g. .css, .html, etc.) But when I want to get a gzipped page coming from mod_autoindex, I can't get it. E.g. https://domain.dom, https://domain.dom/somedir/, https://domain.dom/test/, etc. These URLs come without a Content-encoding: gzip header.

More details: https://stackoverflow.com/questions/62942077/apache-mod-autoindex-and-mod-deflate-gzip-cant-get-pages-compressed (I hope that external links are OK here).

Please advise. Thanks!

--
Regards, Art
Re: Re: [users@httpd] Disabling access for git to specific Directory with Apache Basic Authentication
Sorry about that, let's try that with a pastebin: https://pastebin.com/UHcZ3KJz

On 23/07/2020 22:23, Antony Stone wrote:

On Thursday 23 July 2020 at 22:13:38, qv...@gmx.de wrote:

I have git set up with my Apache2 server and it serves git requests just fine. Now I want to set up Basic Authentication for this, so not everybody can use every directory. My goal is that only the ADMIN group has access to the complete `/var/www/html/git` directory and my GITGROUP can access *only* `/var/www/html/git/subdir` directories. However, while Apache is asking for credentials, with the setup (below) GITGROUP is still allowed to access *all* git directories. What am I doing wrong?

Maybe you could post the following in a more readable format so we have a better idea of how to help?

|SetEnv GIT_PROJECT_ROOT /var/www/html/git
SetEnv GIT_HTTP_EXPORT_ALL
ScriptAlias /git/ /usr/lib/git-core/git-http-backend/

Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
AuthType Basic
AuthName "Authentication Required"
AuthUserFile "/etc/apache2/.htpasswd"
AuthGroupFile "/etc/apache2/groups"
Require group ADMIN GITGROUP
Order allow,deny
Allow from all

AuthType Basic
AuthName "Authentication Required"
AuthUserFile "/etc/apache2/.htpasswd"
AuthGroupFile "/etc/apache2/groups"
Require group ADMIN
Options -Indexes
Order allow,deny
Allow from all

AuthType Basic
AuthName "Authentication Required"
AuthUserFile "/etc/apache2/.htpasswd"
AuthGroupFile "/etc/apache2/groups"
Require group ADMIN GITGROUP
Options -Indexes
Order allow,deny
Allow from all
|

Antony.
Re: [users@httpd] Apache 2.2 and tls 1.2
On Thu, Jul 23, 2020 at 12:51 Tom Jubb wrote:
> Understood. Just trying to exhaust all possible solutions before doing an OS
> upgrade.

FYI, I recently completed a local src build of Apache 2.4.43 (and APR and APR-UTIL), and OpenSSL 1.1.1g on Debian 10 Buster. I have documented the process on my Github repo at:

https://github.com/tbrowder/config-scripts/tree/master/Apache

Best regards,

-Tom