[EMAIL PROTECTED] Many virtual hosts on 80 port and one on 443 (SSL)
Hi all

I have set up a web server with many virtual users on 80 and a virtual host on 443 port (SSL).

Then if a user types a domain of any virtual host (except SSL) using the form https://virtualhost then it goes to the host on the 443.

Well, I want to prevent that from accessing SSL using any domain (included in my VHs).

Any ideas?

- The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re[2]: [EMAIL PROTECTED] Many virtual hosts on 80 port and one on 443 (SSL)
mod_rewrite is not enabled in my server's configuration (well, I don't want to enable it).

Any other idea?

From: Axel-Stéphane SMORGRAV <[EMAIL PROTECTED]>
To: , "John" <[EMAIL PROTECTED]>
Date: Monday, February 6, 2006, 1:28:14 PM
Subject: [EMAIL PROTECTED] Many virtual hosts on 80 port and one on 443 (SSL)

Monday, February 6, 2006, 1:28:14 PM, you wrote:

> What about this:
> RewriteEngine ON
> RewriteCond %{HTTP_HOST} =virtualhost
> RewriteRule .* - [F]
> or alternatively
> RewriteEngine ON
> RewriteCond %{HTTP_HOST} !=sslservername
> RewriteRule .* - [F]
> Instead of returning a HTTP 403 you could redirect the request to the
> appropriate URL:
> RewriteEngine ON
> RewriteCond %{HTTP_HOST} !=sslservername
> RewriteRule ^(.*)$ http://%{HTTP_HOST}$1 [R]
> -ascs
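One way to get the same effect without mod_rewrite, as an added example that is not from the thread: mark requests whose Host header names the SSL site with mod_setenvif and deny everything else. `sslservername` is the placeholder used in the thread; the paths and the variable name `ssl_host_ok` are assumptions.

```apache
# Added example, not from the thread. Apache 2.0/2.2 syntax.
# Needs mod_setenvif and mod_access (2.0) or mod_authz_host (2.2).
<VirtualHost _default_:443>
    ServerName sslservername
    # Assumed paths
    DocumentRoot /srv/www/ssl
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key

    # Set ssl_host_ok only when the Host header is exactly the SSL name,
    # with or without an explicit port. For a real name, escape the dots,
    # e.g. "^www\.example\.com(:443)?$".
    SetEnvIfNoCase Host "^sslservername(:443)?$" ssl_host_ok

    # Any other Host header (the port-80 virtual host names typed as
    # https://virtualhost) gets 403 Forbidden.
    <Location />
        Order Deny,Allow
        Deny from all
        Allow from env=ssl_host_ok
    </Location>
</VirtualHost>
```

On 2.4 the three `Order`/`Deny`/`Allow` lines are replaced by `Require env ssl_host_ok`. The 403 is sent only after the TLS handshake, so a browser visiting https://virtualhost still shows a certificate name mismatch first, because the certificate belongs to sslservername.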
[EMAIL PROTECTED] Two Default charset conf
Hi all

I am wondering if I could configure apache 2.0.55 with two default charsets.

Is that possible?

Thanks in advance
Re[2]: [EMAIL PROTECTED] Two Default charset conf
Yes, I meant AddDefaultCharset per Directory.

I did the configuration with success.

Thank you very much

John

From: Joshua Slive <[EMAIL PROTECTED]>
To: users@httpd.apache.org, John <[EMAIL PROTECTED]>
Date: Wednesday, March 8, 2006, 4:22:19 PM
Subject: [EMAIL PROTECTED] Two Default charset conf

Wednesday, March 8, 2006, 4:22:19 PM, you wrote:

> On 3/8/06, John <[EMAIL PROTECTED]> wrote:
>> Hi all
>>
>> I am wondering if I could configure apache 2.0.55 with two default
>> charsets
>>
>> Is that possible ?
> You have not provided enough details.
> AddDefaultCharset can be scoped inside sections, so it is
> possible to change the default for different locations. But I have no
> idea if that is what you are looking for.
> Joshua.
[EMAIL PROTECTED] Logging per directory
Is there any way to log accesses per directory?
RE: [EMAIL PROTECTED] Logging per directory
I want to parse access_log and generate per user(directory) analysis.

I did that using weblog.

Any better way to do that?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joshua Slive
Sent: Tuesday, April 04, 2006 4:35 PM
To: users@httpd.apache.org
Subject: Re: [EMAIL PROTECTED] Logging per directory

On 4/4/06, Boyle Owen <[EMAIL PROTECTED]> wrote:
> > -Original Message-
> > From: john [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, 4 April 2006 12:30
> > To: users@httpd.apache.org
> > Subject: [EMAIL PROTECTED] Logging per directory
> >
> > Is any way to log accesses per directory ?
>
> AFAIK, no. TransferLog has "Context:server config, virtual host" (see http://httpd.apache.org/docs/2.2/mod/mod_log_config.html#transferlog)

Right. But you can use conditional logging to set an env variable per directory and direct the log based on this variable. It wouldn't be pretty. You are better off post-processing your logs to split them as you like.

Joshua.
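The conditional-logging approach Joshua describes, written out as an added example that is not from the thread. The user names `alice` and `bob`, the log paths and the variable names are assumptions.

```apache
# Added example, not from the thread.
# Needs mod_setenvif and mod_log_config.
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

# Tag each request by the leading component of its URL path. Every tagged
# request also gets per_dir, so it can be kept out of the main log.
SetEnvIf Request_URI "^/~alice(/|$)" log_alice per_dir
SetEnvIf Request_URI "^/~bob(/|$)"   log_bob   per_dir

# One log per tagged directory (server config or virtual host context).
CustomLog /var/log/apache2/alice_access.log combined env=log_alice
CustomLog /var/log/apache2/bob_access.log   combined env=log_bob

# Everything that matched none of the prefixes above.
CustomLog /var/log/apache2/access.log       combined env=!per_dir
```

The match is on the URL path, not the directory on disk, so content reached through an `Alias` or `UserDir` mapping has to be matched by its URL prefix. Each `CustomLog` keeps one more file open in the server, which is why this stops being practical with many users and splitting a single log afterwards scales better.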
[EMAIL PROTECTED] Error Code 104
Hello all

I found the error code in the access_log.

It was generated during a POST of a cgi script.

Has anyone faced that error code before?
Re[2]: [EMAIL PROTECTED] Error Code 104
From: Joshua Slive <[EMAIL PROTECTED]>
To: users@httpd.apache.org, John <[EMAIL PROTECTED]>
Date: Monday, August 8, 2005, 3:52:52 PM
Subject: [EMAIL PROTECTED] Error Code 104

Monday, August 8, 2005, 3:52:52 PM, you wrote:

> On 8/8/05, John <[EMAIL PROTECTED]> wrote:
>> Hello all
>>
>> I found the error code in the access_log
>>
>> It was generated during a POST of a cgi script.
>>
>> Has anyone faced that error code before?
> Not I nor the HTTP spec. Are you sure it isn't your cgi script
> throwing out a garbage Status line?
> Joshua.

Possibly the cgi-script generates that output (or forces apache to output that weird error code).

Another weird error code is 70007 during the execution of that cgi.
Re[2]: [EMAIL PROTECTED] Error Code 104
From: Marc Powell <[EMAIL PROTECTED]>
To:
Date: Monday, August 8, 2005, 11:29:36 PM
Subject: [EMAIL PROTECTED] Error Code 104

Monday, August 8, 2005, 11:29:36 PM, you wrote:

>> -Original Message-
>> From: John [mailto:[EMAIL PROTECTED]
>> Sent: Monday, August 08, 2005 5:20 AM
>> To: users@httpd.apache.org
>> Subject: [EMAIL PROTECTED] Error Code 104
>>
>> Hello all
>>
>> I found the error code in the access_log
>>
>> It was generated during a POST of a cgi script.
>>
>> Has anyone faced that error code before?
> Do you mean like --
> [Mon Aug 8 15:01:15 2005] [error] System: Connection reset by peer
> (errno: 104)
> In my experience these can generally be attributed to network problems
> or the browser terminating communication badly and these
> [Mon Aug 8 15:08:35 2005] [info] [client blah] (104)Connection reset by
> peer: client stopped connection before send mmap completed
> Are generally seen when the client pressed the stop button or moved to a
> different page before the current object loaded completely.
> --
> Marc

My error log is

(104)Connection reset by peer: Could not get next bucket brigade [500, #0]
[EMAIL PROTECTED] Apache Log Attack
I am having numerous IPs that are changing daily and constantly hitting my webserver and taking up about 1Mbit solid 24x7. There is no POST/GET or any other type of connection, it just seems like they open port 80 and start pushing tons of junk. The IPs are from APNIC and are not country specific. Any help would be greatly appreciated, we are getting slammed by these hits. Their IP has been changed to aaa.bbb.ccc.ddd and my domain has been changed to www.mydomain.com.
[EMAIL PROTECTED] apache2 SSL passphrase
Hi all

I have encrypted the private key and every time that I start apache 2.0.54 it requires the password.

How could I overcome that obstacle?

Thanks in advance
[EMAIL PROTECTED] php GD and chrooted apache
I have chrooted apache 2.0.54 and everything goes well.

I installed gd, php4-gd using rpms. Installation went as I expected.

Then I copied the gd.so in the chroot jail and copied all the related libraries the gd.so uses.

I can start chrooted apache without giving any error but when I run phpinfo() script I don't get any info about gd.

Everything seems to be working (like xml, session, posix, mime_type) except for gd.

What am I doing wrong? I have checked all the apache logs and they don't give any error.

Thanks in advance.
[EMAIL PROTECTED] Apache handles filename/something
Hi all

When I type http://server/index.php I can see the index.php
But when I type http://server/index.php/1234 I can also see the index.php

I assume that Apache handles index.php as a directory or alias and does not give the 404 error code but 304 or 200.

Any thoughts on that?
RE: [EMAIL PROTECTED] Apache handles filename/something
So, is there any way to force a 404 error when someone uses /something ?

-Original Message-
From: Nick Kew [mailto:[EMAIL PROTECTED]
Sent: Friday, February 15, 2008 1:31 PM
To: users@httpd.apache.org
Subject: Re: [EMAIL PROTECTED] Apache handles filename/something

On Fri, 15 Feb 2008 13:26:50 +0200 "john" <[EMAIL PROTECTED]> wrote:

> Hi all
>
> When I type http://server/index.php i can see the index.php
> But when I type http://server/index.php/1234 i can also see the
> index.php

The term you're looking for in TFM is PATH_INFO.

> I assume that Apache handles index.php as a directory or alias and
> does not give the 404 error code but 304 or 200.

In the case of a script, the script gets to decide. But yes, it defaults to 200 if it runs successfully.

--
Nick Kew

Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/
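The PATH_INFO behaviour Nick Kew names is controlled by the core `AcceptPathInfo` directive (Apache 2.0.30 and later). The following is an added example, not from the thread; the directory path and the file name `router.php` are hypothetical.

```apache
# Added example, not from the thread.
<Directory "/srv/www/htdocs">
    # Reject trailing path data after an existing file name:
    # /index.php/1234 now returns 404 instead of running index.php.
    AcceptPathInfo Off
</Directory>

# If one script genuinely relies on PATH_INFO, re-enable it for that
# file only. <Files> sections are merged after <Directory> sections,
# so this overrides the setting above.
<Files "router.php">
    AcceptPathInfo On
</Files>
```

Rejecting PATH_INFO by default also keeps URLs such as /index.php/anything from reaching a script under a path that extension-based access rules or caches were not written for.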
[EMAIL PROTECTED] mod_status Kbytes
Hi all

I have apache 1.3.37 and I noticed that Total Kbytes value has a limitation, 580 GB approximately.

Has anyone else noticed that?
[EMAIL PROTECTED] test
test
[EMAIL PROTECTED] Name Resolution error
Hi all

I have installed apache 2.2.3

Apache starts automatically, so there is an error

[Mon Jan 08 20:11:27 2007] [error] (EAI 3)Temporary failure in name resolution: Could not resolve host name DomainName1 -- ignoring!
[Mon Jan 08 20:11:27 2007] [error] (EAI 3)Temporary failure in name resolution: Could not resolve host name DomainName2-- ignoring!

DomainName1 and DomainName2 are the names for my virtual hosts.

After that error I have to reload apache and then everything works fine.
RE: [EMAIL PROTECTED] Name Resolution error
HostnameLookups is for logging.

I have other systems with many virtual hosts and there is no problem at all.

Is there any possibility that when apache starts (runlevel 3) cannot resolve the host names.

If I shut the apache (having resolution problem) and then just restart it, everything works fine.

_
From: joseph c [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 09, 2007 7:48 AM
To: users@httpd.apache.org
Subject: Re: [EMAIL PROTECTED] Name Resolution error

how about the value of the "HostnameLookups", it should set to "Off"
RE: [EMAIL PROTECTED] Name Resolution error
I totally agree with you.

My system is an opensuse 10.1 and I didn't have any problem until the last update through YOU.

Do you experience any similar problem?

_
From: Jonathan Mangin [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 09, 2007 4:56 PM
To: users@httpd.apache.org
Subject: Re: [EMAIL PROTECTED] Name Resolution error

Sorry about that.

In /etc/rc3.d I have S99apache2. Doesn't the 99 have to do with the order services are started? I see in Solaris that network services are started in run level 2.
RE: [EMAIL PROTECTED] Name Resolution error
The script is

/etc/rc.d/rc3.d/S11apache2 -> ../apache2

I feel that the priority of the apache's beginning was unexpectedly changed

_
From: Jonathan Mangin [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 10, 2007 5:27 PM
To: users@httpd.apache.org
Subject: Re: [EMAIL PROTECTED] Name Resolution error

I didn't receive a copy of your last post, but I'm going to pretend you're talking to me. (Please, BTW, use plain text for posts.)

In /etc/rc3.d (or wherever) what is the name of your apache startup script?
RE: [EMAIL PROTECTED] Name Resolution error
Well, I did what you mentioned but the problem remains

Cannot resolve the virtual hosts.

Any other ideas?

_
From: Jonathan Mangin [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 10, 2007 11:20 PM
To: users@httpd.apache.org
Subject: Re: [EMAIL PROTECTED] Name Resolution error

After rechecking all paths, I would:

rm /etc/rc.d/rc3.d/S11apache2
ln -s /etc/rc.d/apache2 /etc/rc.d/rc3.d/S99apache2

Be aware of all occurrences of K11apache2 (or equivalent) also.

Now apache2 will be (close to) the last service started in run level 3.
RE: [EMAIL PROTECTED] Name Resolution error
My config is

...
ServerAdmin root@ Domainname1
ServerName Domainname1
.

-Original Message-
From: Krist van Besien [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 11, 2007 2:48 PM
To: users@httpd.apache.org
Subject: Re: [EMAIL PROTECTED] Name Resolution error

On 1/11/07, john <[EMAIL PROTECTED]> wrote:
> Well, I did what you mentioned but the problem remains
>
> Cannot resolve the virtual hosts.

When you say that "Domainname1" is the name of one of your virtual hosts, what do you exactly mean by that? Can you post us part of your actual config?

Krist

--
[EMAIL PROTECTED]
Bremgarten b. Bern, Switzerland
--
"...what you don't realize is that in the future Google WILL reach sentience, will [have had] invent[ed] a time machine, and will [have had] travel[ed] back in time to prevent Bill Gates... only to become Bill Gates by accident because of a search engine optimization miscalculation." (Comment on the Dilbert Blog)
RE: [EMAIL PROTECTED] Name Resolution error
My system is able to resolve all the hostnames.

The problem occurs during the boot.

-Original Message-
From: Krist van Besien [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 11, 2007 3:28 PM
To: users@httpd.apache.org
Subject: Re: [EMAIL PROTECTED] Name Resolution error

On 1/11/07, john <[EMAIL PROTECTED]> wrote:
> My config is
>
> ...
>
> ServerAdmin root@ Domainname1
> ServerName Domainname1

Is your server able to resolve this name? The problem might be that apache is not able to find out what IP address this Virtual Host needs to be attached to.

Krist
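The "Could not resolve host name ... -- ignoring!" message is logged when httpd resolves the address argument of a `<VirtualHost>` line while parsing its configuration. The following added example is not John's actual configuration (the thread shows only his ServerAdmin and ServerName lines); it assumes the stripped lines named the hosts, and the document root is an assumed path.

```apache
# Added example, not the poster's real configuration.

# Fragile form (left commented out): the host name in the <VirtualHost>
# address must be resolved at startup. If the resolver is not reachable
# yet, as can happen early in boot, httpd logs
# "Could not resolve host name DomainName1 -- ignoring!" and the
# virtual host is skipped until the server is restarted.
#
# <VirtualHost DomainName1>
#     ServerName DomainName1
#     DocumentRoot /srv/www/vhosts/domainname1
# </VirtualHost>

# Robust form: bind by wildcard (or a literal IP address) and let
# ServerName select the virtual host from the Host header. Nothing has
# to be looked up when the configuration is parsed.
# NameVirtualHost is required on 2.2 and unnecessary on 2.4.
NameVirtualHost *:80

<VirtualHost *:80>
    ServerName DomainName1
    ServerAdmin root@DomainName1
    DocumentRoot /srv/www/vhosts/domainname1
</VirtualHost>
```

Keeping host names out of the `<VirtualHost>` address also means a wrong or unavailable DNS answer at startup cannot leave a site unserved or attach it to the wrong address.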
Re: [users@httpd] Dual apache2 installations: Ubuntu Package and Locally Built (All on a single server)
One gotcha you may run into, some .conf parameters have changed. You can't just copy the old 2.2.x .conf file over to 2.4.x without checking. Since some of the changes occurred in various levels of 2.2 they aren't all referenced in the migration notes.

Been there, done that, got the bruises to prove it!

John
=
On 02/08/12 09:45 PM, Tom Browder wrote:

On Thu, Aug 2, 2012 at 5:35 PM, Mauricio Tavares wrote:

On Thu, Aug 2, 2012 at 5:53 PM, Tom Browder wrote:

...

The "Debian" option should make the situation somewhat easier, BUT, will it overwrite existing configuration files? It's not supposed to, but has anyone tried to do this?

...

IMHO, if you are building apache from source, you should be able to tell it to use a different location not only for its binaries but also for its config files. At least that is what I have done with, say, openldap before. Do configure -h (I think) and check the options to specify where you want it to install itself. Then you just write a quick startup script for this new apache; if you need I might have something you can use for ideas.

Thanks, Marcio--good idea. I'll call for help if I get stuck.

Best regards,

-Tom

- To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] httpd.conf Invalid Argument
I'm not an AIX user but for Linux, the definition of EINVAL is:

The mode provided to fopen(), fdopen(), or freopen() was invalid.

The file could exist but you might be trying to open it for writing or appending?

Regards,
John
==
On Tue, 2018-06-12 at 16:17 -0500, Vandana Sakamuri wrote:
> Hi all,
>
> I compiled apache 2.4.27 on an AIX server and installed it on to other AIX
> servers of same OS. It works on all servers except one where I see the error
> "httpd: Could not open configuration file
> /usr/local/etc/httpd/conf/httpd.conf: Invalid argument" when I try to start
> using apachectl. The same error appears when I try httpd -M. The configuration
> file exists and the permissions are correct. Any suggestions on what might be
> wrong?
>
> I did httpd -M under truss and see this
>
> kopen("/usr/local/etc/httpd/conf/httpd.conf", 044000) Err#22 EINVAL
>
> On a good server, it shows
>
> kopen("/usr/local/etc/httpd/conf/httpd.conf", 044000) = 3
>
> Any help is appreciated.
>
> Thanks!
Re: [users@httpd] Can I return a 404 for a file that is also the ErrorDocument?
I may be missing something here but in the case where 404.html is directly requested as /404.html, the 200 is the correct response code because the file was found and served. 404 means that the file was not found.

regards,
John
==
On Mon, 2018-07-09 at 10:33 -0400, Eric Covener wrote:
> On Mon, Jul 9, 2018 at 9:49 AM David Wakelin wrote:
> > I have created a file 404.html to act as my 404 page that is returned
> > by ErrorDocument:
> > ErrorDocument 404 /404.html
> > This works fine, except when accessing 404.html directly, which returns a
> > status code of 200
> > I've attempted a RewriteRule like so:
> > ErrorDocument 404 /404.html
> > RewriteRule "404\.html" - [R=404]
> > However, this now returns an error instead of my 404.html doc:
> > The requested URL /does-not-exist.html was not found on this server.
> > Additionally, a 404 Not Found error was encountered while trying to use an
> > ErrorDocument to handle the request.
> > How can I return a status of 404 for the 404.html document itself?
> > I have seen solutions using PHP, but I am NOT using PHP and have no means to
> > do so (I don't use mpm_prefork and I will not setup and run php-fpm just for
> > a status code header)
> > Kind Regards
> >
> > David Wakelin
> >
> > www.aplpackaging.co.uk da...@aplpackaging.co.uk 01903 202 333
>
> You could try checking the REDIRECT_STATUS per-request environment variable to
> try to determine if it's being accessed directly.
> Or maybe in mod_rewrite check %{THE_REQUEST} for /404.html -- I think this
> won't change as a result of internal redirects, error pages, etc.
[users@httpd] Odd session cookies
Beginning last Sunday (2 September) I have been finding several oddly named session cookies each day on my server. The normal Apache session cookies have names like "sess_d50280ded90f1dbd48fcfd5fc77baa77". These new ones have names like:

sess_mycustomsession
sess_sessionidhere

The content seems strange too, although so far I haven't found anything important in one of them. The owner name is often mine, although some have "php-fpm" as the file owner.

Here is an example:

cookie name: sess_rfc1867-tests-post
cookie content:
upload_progress_rfc1867_sid_only_cookie_2.php|a:5:{s:10:"start_time";i:1535916085;s:14:"content_length";i:603;s:15:"bytes_processed";i:603;s:4:"done";b:1;s:5:"files";a:2:{i:0;a:7:{s:10:"field_name";s:5:"file1";s:4:"name";s:9:"file1.txt";s:8:"tmp_name";s:14:"/tmp/phpQWrbXC";s:5:"error";i:0;s:4:"done";b:1;s:10:"start_time";i:1535916085;s:15:"bytes_processed";i:1;}i:1;a:7:{s:10:"field_name";s:5:"file2";s:4:"name";s:9:"file2.txt";s:8:"tmp_name";s:14:"/tmp/phpSoCWFv";s:5:"error";i:0;s:4:"done";b:1;s:10:"start_time";i:1535916085;s:15:"bytes_processed";i:1;}}}

Does anyone have any idea what these are and if I have some sort of a compromise to the server going on?

Thanks in advance.

John
[users@httpd] Peculiar mod_php result
I am running Apache 2.4.25 using php-fpm 5.6.30. I do NOT use mod_php.

Last week I compiled a newer version of PHP, 7.2.9, and I included the --with-apxs parameter in the build, which causes mod_php to be generated. The "make install" function updated the Apache httpd.conf file to show LoadModule php7 module ...etc. I think (don't know for sure) that the old php5 module may not have been commented out at the time, although it was not in use.

Early this morning, when logrotate did a restart on Apache all of the child processes immediately halted, even though they should not have been affected by the new php7 module being loaded because they contact php-fpm via ports in the 9000-9099 group. When I was called in to figure out what happened, Apache and all its children were running in the process list (ps -ef) but inactive. I stopped it (systemctl stop httpd) and restarted (systemctl start httpd) and immediately all child processes segfaulted.

This is the httpd error log:

[Sun Sep 09 03:18:02.789845 2018] [mpm_event:notice] [pid 11190:tid 139629420282816] AH00489: Apache/2.4.25 (Unix) OpenSSL/1.0.2k configured -- resuming normal operations
[Sun Sep 09 03:18:02.789874 2018] [core:notice] [pid 11190:tid 139629420282816] AH00094: Command line: '/usr/apache-2.4.25/bin/httpd'
[Sun Sep 09 03:29:44.524219 2018] [core:notice] [pid 11190:tid 139629420282816] AH00052: child pid 25939 exit signal Segmentation fault (11)
[Sun Sep 09 03:29:44.524285 2018] [core:notice] [pid 11190:tid 139629420282816] AH00052: child pid 25941 exit signal Segmentation fault (11)
plus one segfault line for each child...

My question: when the php7 module was not used, and there is no addHandler statement for mod_php, why did the child processes load it?

More importantly, when mod_proxy_fcgi is handling all xxx.php format URL's, why would the child processes even be involved?

Thanks in advance.

John
Re: [users@httpd] SSL Handshake Exception in call from Android
Be sure that there is at least one cipher suite in common between the server and the Android app. The most likely issue is that all SSL protocols and also TLS v1 have been disabled on the server (required for any e-commerce server taking VISA or Mastercard).

There is a **lot** of info about how to do this at:
https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslciphersuite

John
==
On Fri, 2018-11-02 at 19:10 -0500, Jerry Malcolm wrote:
> Hi Jeffrey, Thanks for the quick response.
>
> I set the LogLevel to debug. I'm getting a ton of debug info
> everywhere. However, the https requests from my app are not even
> showing up in any logs not even the virtual host access or error
> logs or the apache system logs. Nada... nothing. As if the calls were
> never made. Just to make sure there wasn't something else wrong, I
> changed https:// to http:// in my app, and everything works, including a
> ton of debug info in all of the logs. But as soon as I use https, it
> looks like the requests aren't even making it into httpd. But again
> the whole site works fine in https when using a browser.
>
> Any ideas? Am I not looking at the right place for the logs?
>
> Jerry
>
>
> On 11/2/2018 4:55 PM, Jeff Cauhape wrote:
> > Jerry,
> >
> > Have you set LogLevel to "debug" in httpd.conf and then check the server
> > error logs?
> > Could be helpful to see what the server is objecting to.
> >
> > Jeffrey Cauhape – IT Professional III – Linux and Solaris Administrator
> > Nevada Department of Employment, Training and Rehabilitation
> > (775) 684-3804 (office) jpcauh...@detr.nv.gov
> >
> > -----Original Message-----
> > From: Jerry Malcolm [mailto:techst...@malcolms.com]
> > Sent: Friday, November 2, 2018 1:59 PM
> > To: users@httpd.apache.org
> > Subject: [users@httpd] SSL Handshake Exception in call from Android
> >
> > I am writing an Android app that needs to make calls to my httpd server
> > (Apache 2.4.33). I am getting the following exception in my Android app:
> >
> > Exception: javax.net.ssl.SSLHandshakeException:
> > javax.net.ssl.SSLProtocolException: SSL handshake aborted:
> > ssl=0x809adc78: Failure in SSL library, usually a protocol error
> > error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert
> > handshake failure (external/openssl/ssl/s23_clnt.c:744
> > 0x725e0cfc:0x)
> >
> > The same Android app calls Google Maps https with no problem and also calls
> > another server with https that I do not own with no problem. So I'm
> > assuming I have something wrong in my httpd config. But I need some help
> > figuring it out.
> >
> > The same web site responds just fine to https calls from browsers. It just
> > doesn't work when called from my Android app. It also works fine if I use
> > http instead of https. But I need https.
> >
> > Suggestions as to what might be wrong?
> >
> > Thx.
> >
> > Jerry
Re: [users@httpd] port forwarding and other options for having access to my apache server through the ip address
Start here:
https://portforward.com/technicolor/td5130/

What you need to do is open port 80 (unencrypted http), that is, Internet browsers. Be sure you have appropriate security because you are putting your machine in a hostile environment! If you don't believe that, look at your log after a few days on the 'net!

If you plan to encrypt your pages, you will also need port 443 open (HTTPS).

Good luck.
John

On Fri, 2019-01-11 at 20:04 +0200, Stathis G. Arapostathis wrote:
> Dear Sirs / Madams,
> I was wondering on how I could configure my router and make any other
> necessary configurations in order to open up my localhost to the web and
> letting internet users to access my locally stored pages by putting my ip
> address.
>
> I have an old router and no support is available. My isp does not have support
> and I received zero responses from the router's support service. I think I
> have added a port in my router's menu but still internet users do not have
> access on it.
>
> I am using the latest ms4w package which uses apache 2.4.27 along with
> mapserver and few other mapping tools.
>
> My router is the technicolor td5130.
>
> Could anyone provide some feedback please?
>
> Thank you.
Re: [users@httpd] port forwarding and other options for having access to my apache server through the ip address
I'm not sure about your configuration so this might be irrelevant, but try looking at all the moving parts here.

For example, since your IP is dynamic, how are you doing address resolution on the Internet? Does your address resolver have the correct real address? Try pinging yourself.

If that works, then see where the router is sending port 80. The internal router is probably a NAT arrangement, so check that the port 80 destination setting is for your server machine. (ie, suppose you are at Inet address 205.100.1.1, and that you can really ping this address. Where does the router send port 80 to?) It should be something like 192.168.1.xxx. Is this your local server's address? If DHCP it could easily change periodically. If so, make the internal address static. If your actual firewall doesn't support static NAT addresses, you can usually force the issue by giving the server a static address that it will always use to connect.

If all that works, then look at the firewall router's log. Most of them retain a log of connections and failed connections. See if your attempt to connect actually made it to your firewall and how it disposed of it. One comment, these logs are about as arcane as anything I have ever seen!

Be careful, when you change settings you can make a real mess if you guess wrong! Be sure you know what you did so you can back out without having to re-initialize.

Just as a last desperate idea, when you make a firewall/router change, power cycle it, just in case the change didn't get picked up.

After that, sorry, off of ideas.

John
=
On Fri, 2019-01-11 at 14:23 -0700, Jonathon Koyle wrote:
> The only other suggestions I have are to Verify that your server is accessible
> from another machine, not blocked by a firewall or only listening on
> loopback. It isn't likely to be an ISP issue unless they try to restrict you
> from serving a website...
>
> On Fri, Jan 11, 2019, 13:54 Stathis G. Arapostathis wrote:
> > well, i have a dynamic ip but this is not my problem. I also portforwarded
> > port 80 before sending current question but I still do not have access.
> > There are some years passed since the last time I port-forwarded apache
> > server and I thought that maybe some additional modifications from
> > apache-server side are needed as the updates pass through time.
> >
> > I guess I have to contact my ISP again, it could be an ISP issue.
> > thank you very much for the quick responses.
> >
> > On Fri, Jan 11, 2019 at 10:37 PM Jonathon Koyle wrote:
> > > You may also need to look into whether you have a static or dynamic IP
> > > address. Many Consumer ISP packages provide dynamic, so the public IP
> > > address changes periodically, often a day or two in my experience. Also
> > > note this won't be the IP address of your host machine, but the IP
> > > assigned to the router.
> > >
> > > On Fri, Jan 11, 2019 at 11:14 AM John wrote:
> > > > Start here:
> > > > https://portforward.com/technicolor/td5130/
> > > > What you need to do is open port 80 (unencrypted http), that is,
> > > > Internet browsers. Be sure you have appropriate security because you
> > > > are putting your machine in a hostile environment! If you don't believe
> > > > that, look at your log after a few days on the 'net!
> > > > If you plan to encrypt your pages, you will also need port 443 open
> > > > (HTTPS).
> > > > Good luck.
> > > > John
> > > > On Fri, 2019-01-11 at 20:04 +0200, Stathis G. Arapostathis wrote:
> > > > > Dear Sirs / Madams,
> > > > > I was wondering on how I could configure my router and make any
> > > > > other necessary configurations in order to open up my localhost to the
> > > > > web and letting internet users to access my locally stored pages by
> > > > > putting my ip address.
> > > > >
> > > > > I have an old router and no support is available. My isp does not have
> > > > > support and I received zero responses from the router's support
> > > > > service. I think I have added a port in my router's menu but still
> > > > > internet users do not have access on it.
> > > > >
> > > > > I am using the latest ms4w package which uses apache 2.4.27 along with
> > > > > mapserver and few other mapping tools.
> > > > >
> > > > > My router is the technicolor td5130.
> > > > >
> > > > > Could anyone provide some feedback please?
> > > > >
> > > > > Thank you.
Re: [users@httpd] Combining SSL and basic user (group) authentication
Why not redirect the incoming HTTP connections to HTTPS?

ServerName www.mysite.ca
Redirect permanent / https://www.mysite.com

Good luck!
John
==
On Sun, 2019-03-31 at 16:05 +0200, Richard70nl wrote:
> Dear all,
>
> I’m trying to figure out how I can give access to documents by combining SSL
> and basic user authentication. The following is from my httpd config:
>
> AllowOverride None
> Options None
>
> AuthType Basic
> AuthName "Test User"
> AuthBasicProvider dbd
> AuthDBDUserPWQuery "select human.get_user_password(%s);"
> AuthzDBDQuery "select human.get_user_groups(%s);"
>
> Require ssl
> Require dbd-group user
>
> The “Require ssl” denies access to the document for normal http:// connections
> which is what I want. But it allows accessing the documents without doing any
> authentication if I do use a https:// connection. My goal is to have an SSL
> connection but still it’s required to authenticate.
>
> If I remove the “Require ssl” then the authentication works as expected but
> then a normal http:// connection is possible also. I want to avoid, for the
> obvious reason, that with basic authentication the password is sent
> unencrypted (just the standard base64 encoding according to the HTTP
> specification).
>
> BTW, I thought that “Satisfy all” would solve this issue but it does not.
>
> Or is the rewrite trick where http:// connections are redirected to https://
> connections sufficient? I somehow have the idea it’s not but I can’t put my
> finger on that. Any insights on this would also be appreciated.
>
> Any hints would be appreciated.
>
> Cheers,
> Richard
Re: [users@httpd] Received 404 not found error on existing CGI script
It seems a bit self-evident, but have you checked that Apache has permission to access your cgi-bin directory?

John
==
On Wed, 2020-06-24 at 17:14 +0100, angel Hall-Coulston wrote:
> Try setting your log file level to debug, you will get far more information.
> Also at the end of the 'log format' code in your configuration file (easy
> double check by command 'httpd -V' which will double check your conf file) add
> '%L' which when added to both access_log file formats AND error_log formats
> will give matches between the two easily found with the 'grep' command 'grep
> "[long-scrambled-unique-characters-for-that-particular-error] '*_log' . Make
> sure you first are in the log directory.
> Another helpful tip… your apache comes with its VERY OWN manual pages which
> when enabled in your 'includes' section of your config file, will allow you to
> access MUCH quicker than going online, where you will find everything you need
> to know.
>
> Angel Hall-Coulston
> Scotland.
>
> > On 24 Jun 2020, at 00:35, barry kimelman wrote:
> >
> > my system is an ubuntu 20.04 lts laptop.
> >
> > I successfully installed apache2. I verified the installation by visiting
> > http://localhost:80
> >
> > Now I am having problems trying to run a Perl CGI script which I had running
> > under Windows 10 on Apache 2.4
> >
> > I modified the sites-enabled/000-default.conf
> > file by removing the '#' from the start of the "Include
> > conf-available/serve-cgi-bin.conf" line. I then created the
> > /usr/lib/cgi-bin directory. I next put a small Perl CGI script named
> > "printenv.cgi" under /usr/lib/cgi-bin. I then restarted the apache2
> > server. When I attempted to run my newly created CGI script by visiting
> > localhost:80/cgi-bin/printenv.cgi
> > all that happened was I received a "404 Not Found" error. I looked at
> > the apache logfile and it provided no further info.
> >
> > I even tried using the "wget" command. same 404 error.
> >
> > What have I done wrong?
> >
> > --
> >
> > Barrry Kimelman
> > Winnipeg, Manitoba, Canada
Re: [users@httpd] Content-Security-Policy for a WordPress website.
Are you sure the header is coded properly? I've never used it but here is an example:

Content-Security-Policy: default-src 'self'

Note there are no ' "" ' around the default-src.

My reference is:
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

Regards,
John

On Thu, 2020-09-17 at 19:27 +, Jason Long wrote:
> Hello,
> When I added "Header set Content-Security-Policy "default-src
> 'self';"" to "httpd.conf" then my website style and some graphical
> features are disable.
> Why?
>
> Thank you.
[users@httpd] Replays from Internet
Since the beginning of 2021 we have encountered two online orders and possibly a third, where the customer denies making the order and the httpd log seems to confirm that.

In each case, the person made an order and a day or more later a second order was placed for the same item and carrying the same credit card information. Since everything looked valid and the delay bypassed our duplicate order check, the order was accepted.

Some background: a customer can connect to our catalogue and move around untracked for as long as they want until they decide to place an order. At this point there is only one path to follow to enter address info, credit card, etc. This ends with a summary of the order and if they click to proceed, it POST's the server order processor with the relevant info causing the credit card to be charged and the order to be entered. In total 3 scripts must be processed in the correct order.

I scanned for the customer's IP in the httpd access log in each case and found that when they made the valid order they were on our catalogue and followed the correct path to place the order, confirming it as expected.

BUT, and here is what I am having trouble understanding, for the invalid order ONLY the last request was logged as received by httpd. It shows the correct source (ie the page that should have resulted in an order) yet that page does not show in the httpd log as having been served. In one case, NO other page was served to that customer on that day ahead of the received order, at least judging from IP addresses in use.

So what I appear to be seeing is a replay from the Internet which I find hard to accept as real. Has anyone ever seen this before and if so what did they do to resolve it? The only other possibility that I can think of is that their browser cached the page and re-transmitted it. (a violation of the HTML standard I think for a form page).

The environment is Apache 2.4.25 on Fedora using php-fpm.

Thanks in advance and apologies for the length of this post.

John
Re: [users@httpd] Replays from Internet
Yes, I would agree that it isn't Apache but where else would I find a group of people with extensive experience with web interfaces.

Our transaction logs and order entry system show these false orders but that is what I would expect since a perfectly consistent order was placed online. The problem, so far as I can see, is that the requests were replayed externally since we first encounter them as a received packet to httpd. From there our internal systems just processed what they had.

What is of most interest to me is whether anyone has ever encountered this sort of situation and if so, how they resolved it.

Regards, and thank you for the prompt reply Antony.

John
==
On Tue, 2021-01-19 at 18:05 +0100, Antony Stone wrote:
> On Tuesday 19 January 2021 at 18:00:11, Ruben Safir wrote:
>
> > this has nothing to do with apache
>
> I think that's a somewhat harsh way of putting it, but I do agree that since
> "that page does not show in the httpd log as having been served" you are
> correct, and the problem lies elsewhere. I would suggest looking at any
> database logs for transactions made, to see whether that shows where the
> duplicate order updates came from.
>
> > On Tue, Jan 19, 2021 at 11:55:41AM -0500, John wrote:
> > > Since the beginning of 2021 we have encountered two online orders and
> > > possibly a third, where the customer denies making the order and the
> > > httpd log seems to confirm that.
> > >
> > > In each case, the person made an order and a day or more later a
> > > second order was placed for the same item and carrying the same credit
> > > card information. Since everything looked valid and the delay
> > > bypassed our duplicate order check, the order was accepted.
> > >
> > > Some background: a customer can connect to our catalogue and move
> > > around untracked for as long as they want until they decide to place
> > > an order. At this point there is only one path to follow to enter
> > > address info, credit card, etc. This ends with a summary of the order
> > > and if they click to proceed, it POST's the server order processor
> > > with the relevant info causing the credit card to be charged and the
> > > order to be entered. In total 3 scripts must be processed in the
> > > correct order.
> > >
> > > I scanned for the customer's IP in the httpd access log in each case
> > > and found that when they made the valid order they were on our
> > > catalogue and followed the correct path to place the order, confirming
> > > it as expected.
> > >
> > > BUT, and here is what I am having trouble understanding, for the
> > > invalid order ONLY the last request was logged as received by httpd.
> > > It shows the correct source (ie the page that should have resulted in
> > > an order) yet that page does not show in the httpd log as having been
> > > served. In one case, NO other page was served to that customer on
> > > that day ahead of the received order, at least judging from IP
> > > addresses in use.
> > >
> > > So what I appear to be seeing is a replay from the Internet which I
> > > find hard to accept as real. Has anyone ever seen this before and if
> > > so what did they do to resolve it? The only other possibility that I
> > > can think of is that their browser cached the page and re-transmitted
> > > it. (a violation of the HTML standard I think for a form page).
> > >
> > > The environment is Apache 2.4.25 on Fedora using php-fpm.
> > >
> > > Thanks in advance and apologies for the length of this post.
>
> Regards,
>
> Antony.
>
> --
> "Black holes are where God divided by zero."
>
>  - Steven Wright
>
> Please reply to the list;
> please *don't* CC me.
Re: [users@httpd] Replays from Internet
Thanks Yehuda, I think you may have caught it. What happens is that the order entry page returns with an attached pdf copy of the invoice but this is not a redirect, it is the same page that they POST'd. The customer then has to click "finished" to get back to the web site.

So I learned something I didn't know. Thank you.

John

On Tue, 2021-01-19 at 12:06 -0500, Yehuda Katz wrote:
> It is likely that the user still has the browser tab open and it
> refreshes for some reason, or their browser crashed and reopened, or
> they use a session restore tool when they reopen the browser - all
> of these could cause an exact duplicate request.
> You might want to look into the Post-Redirect-Get pattern.
>
> In a nutshell:
> When a POST request completes without any errors, never return any
> output except a redirect to a completion page. The browser will make
> a new GET request to this page and any POST data will not be
> included.
>
> This will prevent a form that was submitted successfully from ever
> being resubmitted accidentally.
>
> On Tue, Jan 19, 2021 at 12:00 PM John wrote:
> > Since the beginning of 2021 we have encountered two online orders and
> > possibly a third, where the customer denies making the order and the
> > httpd log seems to confirm that.
> >
> > In each case, the person made an order and a day or more later a
> > second order was placed for the same item and carrying the same credit
> > card information. Since everything looked valid and the delay
> > bypassed our duplicate order check, the order was accepted.
> >
> > Some background: a customer can connect to our catalogue and move
> > around untracked for as long as they want until they decide to place
> > an order. At this point there is only one path to follow to enter
> > address info, credit card, etc. This ends with a summary of the order
> > and if they click to proceed, it POST's the server order processor
> > with the relevant info causing the credit card to be charged and the
> > order to be entered. In total 3 scripts must be processed in the
> > correct order.
> >
> > I scanned for the customer's IP in the httpd access log in each case
> > and found that when they made the valid order they were on our
> > catalogue and followed the correct path to place the order, confirming
> > it as expected.
> >
> > BUT, and here is what I am having trouble understanding, for the
> > invalid order ONLY the last request was logged as received by httpd.
> > It shows the correct source (ie the page that should have resulted in
> > an order) yet that page does not show in the httpd log as having been
> > served. In one case, NO other page was served to that customer on
> > that day ahead of the received order, at least judging from IP
> > addresses in use.
> >
> > So what I appear to be seeing is a replay from the Internet which I
> > find hard to accept as real. Has anyone ever seen this before and if
> > so what did they do to resolve it? The only other possibility that I
> > can think of is that their browser cached the page and re-transmitted
> > it. (a violation of the HTML standard I think for a form page).
> >
> > The environment is Apache 2.4.25 on Fedora using php-fpm.
> >
> > Thanks in advance and apologies for the length of this post.
> >
> > John
Re: [users@httpd] Replays from Internet [EXT]
Thanks James.

Yes, all we received was the duplicate POST so far as I can find. The script that would have initiated that POST was not shown in the log as having been run. That's what caught my attention.

I have been misunderstanding the html standard since I was of the opinion that it did not allow a retry on a failed POST and on Firefox if you try to do that you get "Document Expired - The requested document is not available in Firefox's cache". But that doesn't apply to whatever is going on in the background I guess.

I will make the changes to the script to implement your suggestions.

Thanks to both of you for the replies and pointing me in the required direction. It is great to be able to get assistance from skilled people.

John
===

On Tue, 2021-01-19 at 17:10 +, James Smith wrote:
> Trying to understand - was it just the last POST that you were seeing - not the series of posts leading up to that stage of the form process..
>
> In this case it looks as (Yehuda is just saying) that the request is kept in the browser.
>
> There are some ways to get around this:
> (1) never POST and print - always do a full redirect for the user - this takes the "successful post" out of the users history
> (2) Have a unique ID representing the cart (you probably have a cart ID somewhere for the order) and make sure that the same cart ID is not used twice for payment. This is better to be something like a UUID or similar. Second time payment is attempted on cart with given UUID the attempt is rejected.
>
> James
>
> -Original Message-
> From: John
> Sent: 19 January 2021 16:56
> To: Apache
> Subject: [users@httpd] Replays from Internet [EXT]
>
> Since the beginning of 2021 we have encountered two online orders and possibly a third, where the customer denies making the order and the httpd log seems to confirm that.
>
> In each case, the person made an order and a day or more later a second order was placed for the same item and carrying the same credit card information. Since everything looked valid and the delay bypassed our duplicate order check, the order was accepted.
>
> Some background: a customer can connect to our catalogue and move around untracked for as long as they want until they decide to place an order. At this point there is only one path to follow to enter address info, credit card, etc. This ends with a summary of the order and if they click to proceed, it POST's the server order processor with the relevant info causing the credit card to be charged and the order to be entered. In total 3 scripts must be processed in the correct order.
>
> I scanned for the customer's IP in the httpd access log in each case and found that when they made the valid order they were on our catalogue and followed the correct path to place the order, confirming it as expected.
>
> BUT, and here is what I am having trouble understanding, for the invalid order ONLY the last request was logged as received by httpd. It shows the correct source (ie the page that should have resulted in an order) yet that page does not show in the httpd log as having been served. In one case, NO other page was served to that customer on that day ahead of the received order, at least judging from IP addresses in use.
>
> So what I appear to be seeing is a replay from the Internet which I find hard to accept as real. Has anyone ever seen this before and if so what did they do to resolve it? The only other possibility that I can think of is that their browser cached the page and re-transmitted it. (a violation of the HTML standard I think for a form page).
>
> The environment is Apache 2.4.25 on Fedora using php-fpm.
>
> Thanks in advance and apologies for the length of this post.
>
> John
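Suggestion (2) in the quoted reply, sketched as an added example that is not part of the thread or of the poster's shop code: the server issues a UUID per cart and claims it with one atomic UPDATE before charging, so a replayed POST carrying the same ID is rejected however late it arrives. Python with SQLite stands in for the site's PHP and order database; the table, the function names and the `charge` callback are assumptions.

```python
import sqlite3
import uuid


def open_store():
    """In-memory stand-in for the shop's order database (assumption)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE carts (cart_id TEXT PRIMARY KEY, state TEXT NOT NULL)")
    return db


def start_checkout(db):
    """Issue the cart ID server-side when the customer enters the order path."""
    cart_id = str(uuid.uuid4())
    with db:
        db.execute("INSERT INTO carts (cart_id, state) VALUES (?, 'open')", (cart_id,))
    return cart_id


def submit_payment(db, cart_id, charge):
    """Charge the card at most once per cart ID.

    The UPDATE matches only a cart that was issued and is still 'open', so
    checking and claiming happen in one statement. A replayed or concurrent
    POST with the same ID, or a POST with an ID the server never issued,
    changes zero rows and is rejected before the card is touched.
    """
    with db:  # commit on success, roll back on exception
        claimed = db.execute(
            "UPDATE carts SET state = 'charging' WHERE cart_id = ? AND state = 'open'",
            (cart_id,),
        ).rowcount == 1
    if not claimed:
        return "rejected"

    approved = charge()  # hypothetical payment-gateway call
    outcome = "paid" if approved else "failed"
    with db:
        db.execute("UPDATE carts SET state = ? WHERE cart_id = ?", (outcome, cart_id))
    # A failed cart stays closed; the customer restarts checkout with a new ID.
    return outcome


if __name__ == "__main__":
    store = open_store()
    cart = start_checkout(store)
    print(submit_payment(store, cart, lambda: True))   # first submission
    print(submit_payment(store, cart, lambda: True))   # replay of the same POST
```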
Re: [users@httpd] Replays from Internet
Hi Nick:

Yes, I could use a good night's sleep!

I'm in the process of implementing the suggestions from Yehuda and James that I got yesterday. I had been thinking of something along that line but I also wanted to know why this turned up twice now after 12 years of running basically the same functional code. I'm curious!

Re the IP address, well I only have limited information because at the point where this happens the customer has not completed the order so I don't have the invoice number which serves as a key. After the order is processed I have the IP address from whence it came. So, I scanned the Apache access log on the theory that a single order will come from one IP address, that is select, enter address info, enter credit card info, confirm, which is 4 separate scripts, each a form/POST sequence that gets gathered up as it goes along and the whole data collection gets passed as a single transaction to the order entry script.

What I found was the first order processed exactly in the sequence that one would expect: script 1, script 2,...etc. But the replay only contained a single call to the server, on the order entry script, but with the correct and complete data and showing the reason for the call on this script as the previous script in the sequence. This previous script was never called, or at least not logged by Apache if it was.

So, I figured it had to be a replay of the final call and that is what I was asking about. The answers I got seem to cover a probable reason and so that is what I am currently changing and updating.

Regards, and thank you for taking the time to reply.

John
===

On Wed, 2021-01-20 at 09:53 +, Nick Kew wrote:
> > On 19 Jan 2021, at 16:55, John wrote:
> >
> > I scanned for the customer's IP
>
> What leads you to suppose the customer's IP was unchanged between the two orders?
>
> Sorry, there's no sensible explanation: the above is the only comment I can offer at a technical level. Maybe the customer is messing you around, or your system is duplicating entries offline. Unless you've got yourself hopelessly confused and need a good night's sleep and a day off to clear the head.
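The access-log check described in this message, as an added example that is not part of the thread: it walks a combined-format log and reports each POST to the order-entry script whose referring page was not served to the same client address within the preceding hour. The script paths, the one-hour window and the log lines are constructed for illustration.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Apache "combined" log format: host, ident, user, time, request, status,
# bytes, Referer, User-Agent.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"'
)

# Constructed sample: one normal checkout, then a lone order POST two days later.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jan/2021:10:00:05 -0500] "GET /catalogue.php HTTP/1.1" '
    '200 8123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Jan/2021:10:02:40 -0500] "POST /order/confirm.php HTTP/1.1" '
    '200 4410 "https://www.example.ca/order/card.php" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Jan/2021:10:03:10 -0500] "POST /order/process.php HTTP/1.1" '
    '200 2250 "https://www.example.ca/order/confirm.php" "Mozilla/5.0"',
    '203.0.113.7 - - [14/Jan/2021:08:15:44 -0500] "POST /order/process.php HTTP/1.1" '
    '200 2250 "https://www.example.ca/order/confirm.php" "Mozilla/5.0"',
]


def parse(line):
    """Return one log record as a dict, or None for lines in another format."""
    m = LINE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = urlsplit(rec["path"]).path          # drop any query string
    rec["ref_path"] = urlsplit(rec["referer"]).path   # page the client claims to come from
    return rec


def orphaned_orders(lines, order_script, window=timedelta(hours=1)):
    """Find order POSTs whose Referer page was never served to that client.

    Keyed on client IP, as in the post. A customer whose address changed
    between steps is flagged too, so a hit is a lead to examine, not proof.
    """
    last_served = {}   # (ip, path) -> time of most recent request
    findings = []
    for line in lines:  # access logs are already in time order
        rec = parse(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"] == order_script:
            prior = last_served.get((rec["ip"], rec["ref_path"]))
            if prior is None or rec["ts"] - prior > window:
                findings.append(rec)
        last_served[(rec["ip"], rec["path"])] = rec["ts"]
    return findings


if __name__ == "__main__":
    for hit in orphaned_orders(SAMPLE_LOG, "/order/process.php"):
        print(hit["ts"].isoformat(), hit["ip"], "referer not served:", hit["ref_path"])
```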
[users@httpd] Error in Apache Documentation
On the Apache documentation page:

https://httpd.apache.org/docs/2.4/misc/security_tips.html

Under Denial of Service Attacks, the link: http://modules.apache.org/ leads to a 404 Not Found result. It probably requires updating.

Regards,
John
Re: [users@httpd] Professional Product
As a longtime Apache user who has had innumerable questions answered promptly by members of this list I have been watching this person and wondering how anyone could be so obtuse. IMO he has been treated more than fairly and some of the people supplying answers have gone far beyond what one would normally expect for free list support.

Keeping in mind that this is free software I wonder how anyone could reasonably quantify Back Button's response as appropriate or correct.

Please keep it up Apache supporters; your patience is appreciated by the majority of us! And we don't swear and blame you when we can't come to grips with reality!

Regards,
John
===

On Fri, 2021-04-30 at 16:12 +, dana whitelow wrote:
> Hey fcuk wits!
>
> click this link https://openliberty.io/guides/
>
> for the first time in your life you will see a PROFESSIONAL PRODUCT. cherish the experience because you are not going to get it here at apache.org.
>
> I took one look at the apache product and I straight away bought this book
> https://www.amazon.co.uk/WildFly-Administration-Guide-Francesco-Marchioni/dp/8894038920
>
> Best Regards
>
> back.button@aol.
>
> danawhite...@aol.com
[users@httpd] Source of JSESSIONID Cookie
I am developing a payment function that requires data to be loaded from a third-party URL. Firefox is throwing errors such as:

1. Some cookies are misusing the "SameSite" attribute, so it won't work as expected 2
2. Cookie "JSESSIONID" has "SameSite" policy set to "Lax" because it is missing a "SameSite" attribute, and "SameSite=Lax" is the default value for this attribute. card.html
3. Cookie "JSESSIONID" has been rejected because it is in a cross-site context and its "SameSite" is "Lax" or "Strict".

These are default cookies from somewhere; my code doesn't set or manage them. Searching the web suggests that these are http server cookies but I can't find anything explicit in the Apache documentation.

From httpd.conf :

152:#LoadModule session_module modules/mod_session.so
153:#LoadModule session_cookie_module modules/mod_session_cookie.so

so the session cookie modules are not loaded.

Does anyone know how to set the correct "Samesite" value in this type of cookie? Or prevent the cookie from being sent? I'm not sure what I need to set since I WANT to allow cross-site responses to the browser to pick up response data not coming from my server. Neither "lax" nor "strict" seems right to me; maybe just not send the cookie?

Thanks in advance.

John
==
Re: [users@httpd] Source of JSESSIONID Cookie
Thanks for the suggestion Jim.

I checked and it just gets weirder. The cookies that are being reported and that seem to be responsible for my problems are arising in other web pages that might not even be open at the moment. Some of them I recognize as belonging to functions that I used earlier today and seem to be just hanging around.

Not that that excuses them, and I will start a project to update them to have "samesite" cookies, but some of these pages are over a decade old and have been in use longer than the samesite attribute.

That said, the JSESSIONID cookie is not one of them and I still don't know where it is being set or by which page.

Thanks for the help and the knowledge increment!

John
=

On Tue, 2022-01-18 at 18:33 -0500, Jim Albert wrote:
> On 1/18/2022 3:36 PM, John wrote:
> > These are default cookies from somewhere; my code doesn't set or manage them.
>
> Focusing on this portion of your response:
> "These are default cookies from somewhere; my code doesn't set or manage them."
>
> ... using your browser's Developer Tools (F12), look at the Response Header to learn more about specific cookies as in what element of your request results in the relevant Set-Cookie header.
>
> Jim
Re: [users@httpd] Source of JSESSIONID Cookie
Thanks Jim.

I don't have Chrome installed here at the moment (used to be) so I'll have to re-install it. For some reason Firefox doesn't provide much information on cookie contents although they do show up now in the dev-tools|memory tab.

This project is not my highest priority, although my most frustrating one at the moment, so it may be a week or two until I can get back to it.

Thank you for your replies and your insight into the problem.

Regards,
John
==

On Wed, 2022-01-19 at 12:50 -0500, Jim Albert wrote:
> In Chrome you can view cookie details via:
> Settings | Security and Privacy | Cookies and other site data | See all cookies and site data
> There exists a 'Search cookies' feature which should help you find the origin of your cookies in question.
>
> Once located you can see if that origin is relevant to the network requests as indicated in DevTools.
>
> This might or might not help as your original posts indicates some messages of rejected cookies.
> It can't hurt to see if you have any record of them in your cookie cache.
> Although JSESSIONID sounds like a very common java related cookie.
>
> I believe you should see some record of the rejected cookie if you examine all the response headers in each subrequest in DevTools (under the Network tab). Even if the cookie is rejected there should be an attempt to set it visible in the response headers.
>
> Jim
[users@httpd] SSLEngine error
I'm trying to bring up Apache on a new server running Rocky Linux 9.1 and also upgrade the version of Apache from 2.4.25 to current.

I have installed a .pem format certificate and when I try to start Apache I get this error:

Starting The Apache HTTP Server...
httpd[12399]: AH00526: Syntax error on line 11 of /etc/httpd/conf.d/coax.conf:
httpd[12399]: Invalid command 'SSLEngine', perhaps misspelled or defined by a module not included in the server configuration
systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
systemd[1]: httpd.service: Failed with result 'exit-code'.
systemd[1]: Failed to start The Apache HTTP Server.

To me SSLEngine looks properly coded and the same configuration worked on the previous server. Here is what I have:

ServerName www.example.ca
ServerAlias t.example.ca
DocumentRoot /usr/httpd/example
Options -MultiViews
H2Direct on
ProxyPassMatch "^/.*\.php(/.*)?$" fcgi://127.0.0.1:9002/usr/httpd/example
SSLEngine on
SSLCipherSuite HIGH: !ADH: !SSLv2: !SSLv3: !TLSv1: !aNULL: !eNULL: !RC4: !PSK: !MD5
SSLCertificateFile /etc/httpd/conf/sslcert/www.example.pem
SSLCertificateKeyFile /etc/httpd/conf/sslcert/www.example.ca.key
SSLCACertificateFile /etc/httpd/conf/sslcert/intermediate.crt
SSLHonorCipherOrder on
Header always set Strict-Transport-Security "max-age-63072000;includeSubDomains"

This looks to me like I missed something in the upgrade but hours of searching the documentation haven't given me any possibilities. Any ideas would be appreciated!

John
==
Re: [users@httpd] SSLEngine error
Right on - thank you.

That led to a whole bunch more errors but at least they are new!

John
==

On Sat, 2023-11-18 at 12:46 -0800, rakesh r wrote:
> make sure you have installed mod_ssl.
>
> Thanks
> Rakesh
Re: [users@httpd] Re: users Digest 18 Nov 2023 20:42:58 -0000 Issue 6519
No, that was the immediate problem and someone else suggested it. So I imported mod_ssl but at the moment that just moved the error elsewhere. The default Rocky Apache installation breaks everything up into little pieces in separate files and they aren't always compatible, certainly not with the customization I have on this Apache instance. That's added to me trying to import a previous Apache configuration to run on a different OS.

The problem at the moment is something to do with a temporary certificate file having no trigger but I have already shut down - I'll try and chase it tomorrow and find out what went wrong.

Thanks for your response though. That's what I like about FOSS software: there is usually someone somewhere who has encountered the same problem you are seeing.

Regards,
John
==

On Sat, 2023-11-18 at 19:56 -0800, Aditya Shastri wrote:
> May not fix your problem, but I'm curious if mod_ssl was imported?
[users@httpd] Connection TLS Error
When I try to connect to Apache (2.4.53) using TLS 1.3 I get a browser error:

Error code: SSL_ERROR_RX_RECORD_TOO_LONG (Firefox)

with no errors shown in the Apache error log. I'm trying to serve a static page (ie no PHP content).

I tried netstat -lpan | grep 443 and that only shows IPv6 on this port; why no IPv4? There is a Listen 443 directive in the httpd.conf.

Apache is running with startup info:

[Sun Nov 19 13:46:40.402742 2023] [core:notice] [pid 17776:tid 17776] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Sun Nov 19 13:46:40.403422 2023] [suexec:notice] [pid 17776:tid 17776] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sun Nov 19 13:46:40.417257 2023] [lbmethod_heartbeat:notice] [pid 17776:tid 17776] AH02282: No slotmem from mod_heartmonitor
[Sun Nov 19 13:46:40.419377 2023] [mpm_event:notice] [pid 17776:tid 17776] AH00489: Apache/2.4.53 (Rocky Linux) OpenSSL/3.0.7 configured -- resuming normal operations
[Sun Nov 19 13:46:40.419405 2023] [core:notice] [pid 17776:tid 17776] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'

TLS/mod_ssl is running with the default Rocky permissions and set to our certificate info.

To force connection to the test server I changed the URL from www.example.ca to t.example.ca and included this in the hosts file on the workstation. t.example.ca is listed in the config files under "ServerAlias t.example.ca"

The browser tools give this info:

Accept text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding gzip, deflate, br
Accept-Language en-US,en;q=0.5
Connection keep-alive
DNT 1
Host t.example.ca
Sec-Fetch-Dest document
Sec-Fetch-Mode navigate
Sec-Fetch-Site cross-site
Upgrade-Insecure-Requests 1
User-Agent Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/119.0

none of which seems terribly relevant.

Any ideas how to attack this? Thanks in advance.

John
==
Re: [users@httpd] Connection TLS Error
On Sun, 2023-11-19 at 14:35 -0500, Eric Covener wrote:
> On Sun, Nov 19, 2023 at 2:31 PM John wrote:
> >
> > When I try to connect to Apache (2.4.53) using TLS 1.3 I get a browser error:
> > Error code: SSL_ERROR_RX_RECORD_TOO_LONG (Firefox)
>
> What does your SSL-enabled virtualhost look like

Here is the example.conf include file; ssl.conf follows

# SSL Support for example.ca ONLY!

ServerName www.example.ca
ServerAlias t.example.ca
DocumentRoot /usr/httpd/example
Options -MultiViews
H2Direct on
ProxyPassMatch "^/.*\.php(/.*)?$" fcgi://127.0.0.1:9002/usr/httpd/example
# SSLEngine on
# SSLCipherSuite HIGH: !ADH: !SSLv2: !SSLv3: !TLSv1: !RC4: !PSK: !MD5
SSLCipherSuite TLSv1.3
Header always set Strict-Transport-Security "max-age-63072000;includeSubDomains"

# Redirect if logon is to example.ca without the 'www'

ServerName www.example.ca
Redirect permanent / https:example.ca

---The following, except for the certificate locations, is pretty much the config from Rocky ssl.conf

# When we also provide SSL we have to listen to the
# standard HTTPS port in addition.
# Listen 443 https

##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##

# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog

# Inter-Process Session Cache:
# Configure the SSL Session Cache: First the mechanism
# to use and second the expiring timeout (in seconds).
SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300

#
# Use "SSLCryptoDevice" to enable any supported hardware
# accelerators. Use "openssl engine -v" to list supported
# engine names. NOTE: If you enable an accelerator and the
# server does not start, consult the error logs and ensure
# your accelerator is functioning properly.
# SSLCryptoDevice builtin
#SSLCryptoDevice ubsec

##
## SSL Virtual Host Context
##

# General setup for the virtual host, inherited from global configuration
#DocumentRoot "/var/www/html"
#ServerName www.example.com:443

# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on

# List the protocol versions which clients are allowed to connect with.
# The OpenSSL system profile is used by default. See
# update-crypto-policies(8) for more details.
#SSLProtocol all -SSLv3
#SSLProxyProtocol all -SSLv3

# User agents such as web browsers are not configured for the user's
# own preference of either security or performance, therefore this
# must be the prerogative of the web server administrator who manages
# cpu load versus confidentiality, so enforce the server's cipher order.
SSLHonorCipherOrder on

# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
# The OpenSSL system profile is configured by default. See
# update-crypto-policies(8) for more details.
SSLCipherSuite PROFILE=SYSTEM
SSLProxyCipherSuite PROFILE=SYSTEM

# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that restarting httpd will prompt again. Keep
# in mind that if you have both an RSA and a DSA certificate you
# can configure both in parallel (to also allow the use of DSA
# ciphers, etc.)
# Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
# require an ECC certificate which can also be configured in
# parallel.
# SSLCertificateFile /etc/pki/tls/certs/localhost.crt <---original
SSLCertificateFile /etc/httpd/conf/sslcert/www.example.ca.pem

# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
# ECC keys, when in use, can also be configured in parallel
# SSLCertificateKeyFile /etc/pki/tls/private/localhost.key <---original
SSLCertificateKeyFile /etc/httpd/conf/sslcert/www.example.ca.key

# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# c
Re: [users@httpd] Connection TLS Error
On Sun, 2023-11-19 at 15:17 -0500, Eric Covener wrote:
> On Sun, Nov 19, 2023 at 3:15 PM John wrote:
> >
> > On Sun, 2023-11-19 at 14:35 -0500, Eric Covener wrote:
> > > On Sun, Nov 19, 2023 at 2:31 PM John wrote:
> > > >
> > > > When I try to connect to Apache (2.4.53) using TLS 1.3 I get a browser error:
> > > > Error code: SSL_ERROR_RX_RECORD_TOO_LONG (Firefox)
> > >
> > > What does your SSL-enabled virtualhost look like
> >
> > Here is the example.conf include file; ssl.conf follows
> >
> > # SSL Support for example.ca ONLY!
> >
> > ServerName www.example.ca
> > ServerAlias t.example.ca
> > DocumentRoot /usr/httpd/example
> > Options -MultiViews
> > H2Direct on
> > ProxyPassMatch "^/.*\.php(/.*)?$" fcgi://127.0.0.1:9002/usr/httpd/example
> > # SSLEngine on
>
> ^^^ Pretty suspicious?

SSLEngine being commented out? It is already turned on in ssl.conf and one of the problems that I already had to fix was duplicate entries between conf file sections.
Re: [users@httpd] Connection TLS Error
On Sun, 2023-11-19 at 16:16 -0500, Frank Gingras wrote:
> On Sun, Nov 19, 2023 at 3:25 PM John wrote:
> > SSLEngine being commented out? It is already turned on in ssl.conf and one of the problems that I already had to fix was duplicate entries between conf file sections.
>
> You can't inherit SSLEngine on like that - you must either set it in the vhost context, or include a file that sets it. I don't see an include directive in your vhost, either.

Thanks Frank and Eric. I kind of suspected that when I thought about it but truly Eric caught me by surprise because I had to delete (comment out actually) a number of things that can't appear in multiple places. (eg Listen).

Thanks again fellows.

John
==
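The point made in this thread, as an added example that is not part of the thread or of the httpd project: `SSLEngine on` inside one `<VirtualHost>` does not carry over to another, and a port 443 vhost without it answers in plain HTTP, which Firefox reports as SSL_ERROR_RX_RECORD_TOO_LONG. The linter below flags such vhosts in concatenated configuration text, and also flags the Strict-Transport-Security value as posted, since HSTS requires `max-age=<seconds>`. The `<VirtualHost>` lines in the sample are assumptions, because the posted configuration shows none.

```python
import re

VHOST_OPEN = re.compile(r"<VirtualHost\s+([^>]+)>", re.IGNORECASE)
VHOST_CLOSE = re.compile(r"</VirtualHost\s*>", re.IGNORECASE)

# Constructed sample: a distribution-style ssl.conf vhost followed by a site
# vhost shaped like the one posted, with SSLEngine commented out.
SAMPLE_CONF = """
Listen 443 https
<VirtualHost _default_:443>
SSLEngine on
SSLCertificateFile /etc/httpd/conf/sslcert/www.example.ca.pem
</VirtualHost>
<VirtualHost *:443>
ServerName www.example.ca
ServerAlias t.example.ca
# SSLEngine on
Header always set Strict-Transport-Security "max-age-63072000;includeSubDomains"
</VirtualHost>
"""


def parse_vhosts(conf_text):
    """Split configuration text into global directives and vhost blocks."""
    global_dirs, vhosts, current = [], [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out directive has no effect
        opened = VHOST_OPEN.match(line)
        if opened:
            current = {"addrs": opened.group(1).split(), "directives": []}
        elif VHOST_CLOSE.match(line):
            if current is not None:
                vhosts.append(current)
            current = None
        elif not line.startswith("<"):  # skip other container tags
            name, _, value = line.partition(" ")
            target = global_dirs if current is None else current["directives"]
            target.append((name.lower(), value.strip()))
    return global_dirs, vhosts


def last_value(directives, name, default=None):
    """Within one scope, the last occurrence of a directive is the one used."""
    values = [v for n, v in directives if n == name]
    return values[-1] if values else default


def lint(conf_text):
    """Return findings for port 443 vhosts that would not speak TLS."""
    global_dirs, vhosts = parse_vhosts(conf_text)
    # A vhost takes SSLEngine from its own block or from the global scope,
    # never from a sibling vhost such as the one in ssl.conf.
    inherited = last_value(global_dirs, "sslengine", "off")
    findings = []
    for vh in vhosts:
        dirs = vh["directives"]
        name = last_value(dirs, "servername", "(no ServerName)")
        on_443 = any(addr.endswith(":443") for addr in vh["addrs"])
        engine = last_value(dirs, "sslengine", inherited).lower()
        if on_443 and engine != "on":
            findings.append(f"{name}: port 443 vhost without SSLEngine on")
        for directive, value in dirs:
            if directive == "header" and "strict-transport-security" in value.lower():
                if not re.search(r"max-age=\d+", value):
                    findings.append(f"{name}: HSTS value lacks max-age=<seconds>")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print(finding)
```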
[users@httpd] Still have messed up TLS
Apache won't start when https/TLS is activated although it runs fine with only http. I made the changes previously suggested but now httpd just doesn't start. The error from systemctl is:

-
Nov 21 15:17:51 prod02 systemd[1]: Starting The Apache HTTP Server...
Nov 21 15:17:51 prod02 systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
Nov 21 15:17:51 prod02 systemd[1]: httpd.service: Failed with result 'exit-code'.
Nov 21 15:17:51 prod02 systemd[1]: Failed to start The Apache HTTP Server.
-

and a more useful error from the Apache error log is:

-
[Tue Nov 21 15:17:51.411388 2023] [core:notice] [pid 29577:tid 29577] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Tue Nov 21 15:17:51.412008 2023] [suexec:notice] [pid 29577:tid 29577] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Nov 21 15:17:51.415738 2023] [ssl:emerg] [pid 29577:tid 29577] AH01898: Unable to configure permitted SSL ciphers
[Tue Nov 21 15:17:51.415748 2023] [ssl:emerg] [pid 29577:tid 29577] SSL Library Error: error:0AB9:SSL routines::no cipher match
[Tue Nov 21 15:17:51.415751 2023] [ssl:emerg] [pid 29577:tid 29577] AH02312: Fatal error initialising mod_ssl, exiting.
AH00016: Configuration Failed

I **think** this may be due to the fact that the default installation of Rocky has a lot of http config files and they all get concatenated BUT I haven't been able to figure out the SSLCipherSuite line. ssl.conf (default install) has this:

#SSLCipherSuite PROFILE=SYSTEM
SSLProxyCipherSuite PROFILE=SYSTEM

but I can't find "SYSTEM" in any of Apache, OpenSSL, or Rocky docs and it isn't defined in this configuration file.

Also included in the concatenation is the custom one for this server:

# SSLCipherSuite HIGH: !ADH: !SSLv2: !SSLv3: !TLSv1: !RC4: !PSK: !MD5
SSLCipherSuite TLSv1.3

The first line is copied from the old (current production) server and leads to a failure to start error in the syntax immediately but best practice suggests that the second line is what I want anyway. Reading up on this suggests that the '!' ciphers do not appear in TLSv1.3 so not available to delete. The docs indicate that SSLCipherSuite is a per directory parameter and no conflict should be caused by it appearing in two different files.

So, I have two immediate questions:

1. I have the default openssl installed which is version openssl-3.0.7-6.el9_2.x86_64. Is this adequate to provide all ciphers that are required by the cipher suite TLSv1.3?
2. Is there something that someone knows of by way of documentation that I haven't found yet?

Thanks for any assistance.

John
==
Re: [users@httpd] Still have messed up TLS
Thanks for the reply Aditya.

The version of openssl is: openssl-3.0.7-6.el9_2.x86_64
the version of mod_ssl is: mod_ssl-2.4.53-11.el9_2.5.x86_64

The result of openssl ciphers -s -v tlsv1_3 is:

TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
TLS_AES_128_CCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESCCM(128) Mac=AEAD

This looks like an awful short list to me (what about all the RSA's or elliptic curve for example) BUT what I have seen in many places is that TLS v 1.3 is the only secure cipher protocol for an e-commerce server. According to SSL Labs only the following should be available:

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH secp256r1 (eq. 3072 bits RSA) FS 256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) DH 2048 bits FS 256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH secp256r1 (eq. 3072 bits RSA) FS 128
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) DH 2048 bits FS 128

(from a scan of our current server with the weak ciphers removed. These are the remaining strong ones).

As you can see, no matches but I'm not sure how to remedy that.

John
==

On Tue, 2023-11-21 at 19:01 -0800, Aditya Shastri wrote:
> To answer your question to the best of my knowledge,
> 1. Openssl 1.1.1 and above support TLSv1.3. These are the TLSv1.3 ciphers Openssl 3.0 support
> https://www.openssl.org/docs/man3.0/man3/SSL_CTX_set_ciphersuites.html
> 2. This link says that TLSv1.3 is supported.
> https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslciphersuite:~:text=If%20the%20SSL%20library%20supports%20TLSv1.3
>
> Can you give us the output of
> $ openssl ciphers -s -v -tls1_3
>
> One option to test the ciphers on your HTTPD is to change the SSLCipherSuite to allow all ciphers and use a tool like https://testssl.sh/ to list all the ciphers available to help troubleshoot further.
> > On Tue, Nov 21, 2023 at 12:37 PM John wrote: > > > > Apache won't start when https/TLS is activated although it runs fine with > > only http. I made the > > changes previously suggested but now httpd just doesn't start. The error > > from systemctl is: > > - > > Nov 21 15:17:51 prod02 systemd[1]: Starting The Apache HTTP Server... > > Nov 21 15:17:51 prod02 systemd[1]: httpd.service: Main process exited, > > code=exited, > > status=1/FAILURE > > Nov 21 15:17:51 prod02 systemd[1]: httpd.service: Failed with result > > 'exit-code'. > > Nov 21 15:17:51 prod02 systemd[1]: Failed to start The Apache HTTP Server. > > - > > and a more useful error from the Apache error log is: > > - > > [Tue Nov 21 15:17:51.411388 2023] [core:notice] [pid 29577:tid 29577] > > SELinux policy enabled; > > httpd > > running as context system_u:system_r:httpd_t:s0 > > [Tue Nov 21 15:17:51.412008 2023] [suexec:notice] [pid 29577:tid 29577] > > AH01232: suEXEC > > mechanism > > enabled (wrapper: /usr/sbin/suexec) > > [Tue Nov 21 15:17:51.415738 2023] [ssl:emerg] [pid 29577:tid 29577] > > AH01898: Unable to configure > > permitted SSL ciphers > > [Tue Nov 21 15:17:51.415748 2023] [ssl:emerg] [pid 29577:tid 29577] SSL > > Library Error: > > error:0AB9:SSL routines::no cipher match > > [Tue Nov 21 15:17:51.415751 2023] [ssl:emerg] [pid 29577:tid 29577] > > AH02312: Fatal error > > initialising mod_ssl, exiting. > > AH00016: Configuration Failed > > > > I **think** this may be due to the fact that the default installation of > > Rocky has a lot of http > > config files and they all get concatenated BUT I haven't been able to > > figure out the > > SSLCipherSuite > > line. ssl.conf (default install) has this: > > #SSLCipherSuite PROFILE=SYSTEM > > SSLProxyCipherSuite PROFILE=SYSTEM > > but I can't find "SYSTEM" in any of Apache, OpenSSL, or Rocky docs and it > > isn't defined in this > > configuratiion file. 
> > Also included in the concatenation is the custom one for this server: > > # SSLCipherSuite HIGH: !ADH: !SSLv2: !SSLv3: !TLSv1: !RC4: !PSK: !MD5 > > SSLCipherSuite TLSv1.3 > > The first line is copied from the old (current production) server and leads > > to a failure to > > start > > error in the syntax immediately but best practice suggests that the second > > line is what I want > > anyway. Reading up on this suggests that the '!' ciphers do not
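The two lists compared in the message above belong to different protocol versions: TLS 1.3 suite names carry only the AEAD and hash (hence Kx=any Au=any), while the SSL Labs names are TLS 1.2 suites that also encode key exchange and authentication, so no name can appear in both. The Python sketch below is an added example, not part of the thread: it parses both listings as quoted above and emits one directive per protocol family, using the `SSLCipherSuite [protocol] cipher-spec` form from the mod_ssl documentation linked in the thread. All function names are hypothetical.

```python
"""Added example: why the TLS 1.3 and SSL Labs lists above share no names."""
import re

# `openssl ciphers -s -v` output exactly as quoted in the message above.
OPENSSL_OUTPUT = """\
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
TLS_AES_128_CCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESCCM(128) Mac=AEAD
"""

# SSL Labs listing exactly as quoted above (IANA names of TLS 1.2 suites).
SSLLABS_LISTING = """\
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH secp256r1 (eq. 3072 bits RSA) FS256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) DH 2048 bits FS 256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH secp256r1 (eq. 3072 bits RSA) FS128
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) DH 2048 bits FS 128
"""

_GCM = re.compile(r"^TLS_([A-Z_]+)_WITH_AES_(128|256)_GCM_(SHA256|SHA384)$")


def parse_openssl_ciphers(text):
    """Parse `openssl ciphers -v` lines into dicts (name, protocol, kx, au, enc, mac)."""
    suites = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        attrs = dict(f.split("=", 1) for f in fields[2:] if "=" in f)
        suites.append({"name": fields[0], "protocol": fields[1],
                       "kx": attrs.get("Kx"), "au": attrs.get("Au"),
                       "enc": attrs.get("Enc"), "mac": attrs.get("Mac")})
    return suites


def parse_ssllabs(text):
    """Extract (iana_name, code_point) pairs from SSL Labs style lines."""
    pattern = re.compile(r"^(TLS_\w+)\s+\((0x[0-9a-fA-F]+)\)", re.M)
    return [(m.group(1), int(m.group(2), 16)) for m in pattern.finditer(text)]


def iana_to_openssl(iana_name):
    """Translate a TLS 1.2 AES-GCM suite from its IANA name to the OpenSSL
    cipher-list name. Other families follow different naming rules and are
    rejected here rather than guessed."""
    m = _GCM.match(iana_name)
    if not m:
        raise ValueError(f"unsupported suite name: {iana_name}")
    kx_au, bits, prf = m.groups()
    # OpenSSL omits the prefix for plain RSA key exchange.
    prefix = "" if kx_au == "RSA" else kx_au.replace("_", "-") + "-"
    return f"{prefix}AES{bits}-GCM-{prf}"


def name_overlap(openssl_text, ssllabs_text):
    """Names present in both listings (empty: the namespaces are disjoint)."""
    tls13 = {s["name"] for s in parse_openssl_ciphers(openssl_text)}
    return tls13 & {name for name, _ in parse_ssllabs(ssllabs_text)}


def build_directives(openssl_text, ssllabs_text, allow_tls12=True):
    """Emit mod_ssl lines with TLS 1.3 suites and TLS 1.2 ciphers kept apart."""
    tls13 = [s["name"] for s in parse_openssl_ciphers(openssl_text)
             if s["protocol"] == "TLSv1.3"]
    lines = []
    if allow_tls12:
        tls12 = [iana_to_openssl(n) for n, _ in parse_ssllabs(ssllabs_text)]
        lines.append("SSLProtocol -all +TLSv1.2 +TLSv1.3")
        # No protocol specifier: this list applies up to and including TLSv1.2.
        lines.append("SSLCipherSuite " + ":".join(tls12))
    else:
        lines.append("SSLProtocol -all +TLSv1.3")
    # Protocol specifier followed by the suite list, not the specifier alone.
    lines.append("SSLCipherSuite TLSv1.3 " + ":".join(tls13))
    return lines


if __name__ == "__main__":
    print("shared names:", sorted(name_overlap(OPENSSL_OUTPUT, SSLLABS_LISTING)))
    for line in build_directives(OPENSSL_OUTPUT, SSLLABS_LISTING):
        print(line)
```

Whether TLS 1.2 stays enabled is a policy decision; `allow_tls12=False` produces the TLS 1.3-only variant.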
Re: [users@httpd] Still have messed up TLS
SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
#     server (always existing) and the client (only existing when client
#     authentication is used). This can be used to import the certificates
#     into CGI scripts.
#   o StdEnvVars:
#     This exports the standard SSL/TLS related `SSL_*' environment variables.
#     Per default this exportation is switched off for performance reasons,
#     because the extraction step is an expensive operation and is usually
#     useless for serving static content. So one usually enables the
#     exportation for CGI and SSI requests only.
#   o StrictRequire:
#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
#     under a "Satisfy any" situation, i.e. when it applies access is denied
#     and no other module can change it.
#   o OptRenegotiate:
#     This enables optimized SSL connection renegotiation handling when SSL
#     directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
SSLOptions +StdEnvVars
SSLOptions +StdEnvVars

#   SSL Protocol Adjustments:
#   The safe and default but still SSL/TLS standard compliant shutdown
#   approach is that mod_ssl sends the close notify alert but doesn't wait for
#   the close notify alert from client. When you need a different shutdown
#   approach you can use one of the following variables:
#   o ssl-unclean-shutdown:
#     This forces an unclean shutdown when the connection is closed, i.e. no
#     SSL close notify alert is sent or allowed to be received. This violates
#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
#     this when you receive I/O errors because of the standard approach where
#     mod_ssl sends the close notify alert.
#   o ssl-accurate-shutdown:
#     This forces an accurate shutdown when the connection is closed, i.e. a
#     SSL close notify alert is sent and mod_ssl waits for the close notify
#     alert of the client. This is 100% SSL/TLS standard compliant, but in
#     practice often causes hanging connections with brain-dead browsers. Use
#     this only for browsers where you know that their SSL implementation
#     works correctly.
#   Notice: Most problems of broken clients are also related to the HTTP
#   keep-alive facility, so you usually additionally want to disable
#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
#   "force-response-1.0" for this.
BrowserMatch "MSIE [2-5]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

#   Per-Server Logging:
#   The home of a custom SSL log file. Use this when you want a
#   compact non-error SSL logfile on a virtual host basis.
CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

--

On Tue, 2023-11-21 at 19:01 -0800, Aditya Shastri wrote:
> To answer your question to the best of my knowledge,
> 1. Openssl 1.1.1 and above support TLSv1.3. These are the TLSv1.3 ciphers Openssl 3.0 support
> https://www.openssl.org/docs/man3.0/man3/SSL_CTX_set_ciphersuites.html
> 2. This link says that TLSv1.3 is supported.
> https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslciphersuite:~:text=If%20the%20SSL%20library%20supports%20TLSv1.3
>
> Can you give us the output of
> $ openssl ciphers -s -v -tls1_3
>
> One option to test the ciphers on your HTTPD is to change the SSLCipherSuite to allow all ciphers and use a tool like https://testssl.sh/ to list all the ciphers available to help troubleshoot further.
>
> On Tue, Nov 21, 2023 at 12:37 PM John wrote:
> >
> > Apache won't start when https/TLS is activated although it runs fine with only http. I made the changes previously suggested but now httpd just doesn't start. The error from systemctl is:
> > -
> > Nov 21 15:17:51 prod02 systemd[1]: Starting The Apache HTTP Server...
> > Nov 21 15:17:51 prod02 systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
> > Nov 21 15:17:51 prod02 systemd[1]: httpd.service: Failed with result 'exit-code'.
> > Nov 21 15:17:51 prod02 systemd[1]: Failed to start The Apache HTTP Server.
> > -
> > and a more useful error from the Apache error log is:
> > -
> > [Tue Nov 21 15:17:51.411388 2023] [core:notice] [pid 29577:tid 29577] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
> > [Tue Nov 21 15:17:51.412008 2023] [suexec:notice] [pid 29577:tid 29577] AH01232: suEXEC
Re: [users@httpd] Still have messed up TLS
On Sun, 2023-11-26 at 18:06 -0500, Paul wrote:
> On 2023-11-26 16:12, John wrote:
> > After a week of chasing this around I have managed to change the problem several times but I'm still unable to get Apache started. I **think** there is something unrelated to the error that I'm seeing that may have been included in the default config but before I go down that rabbit hole I realize that I am making a number of assumptions because I don't know how to check, so if everyone would please bear with me, and my apologies in advance:
> >
> > Here are the relevant parts of the full configuration:
> >
> > /usr/sbin/httpd -M
>
> I think you said you were using "Rocky Linux" associated with RHEL which may use /usr/sbin/httpd rather than /usr/share/apache2 (debian). If "Rocky" is a spin-off (I have no knowledge of it) perhaps they have a "users list" that could help you?
>
> In any case what is the output of 'apachectl -S' (or perhaps 'httpd -S')? Is it only your TLS that is problematic, or are there other underlying glitches? You write "httpd.service: Main process exited, code=exited, status=1/FAILURE" and this looks to me that it could precede any TLS certs.
>
> Also, your "SSLCACertificateFile" probably has to be used carefully. It "can be used alternatively and/or additionally to "SSLCACertificatePath" and should only be used if "SSLCADNRequestPath or SSLCADNRequestFile" are missing. See <https://httpd.apache.org/docs/2.4/mod/mod_ssl.html>. Yours appear to be missing from what you write (please delete all rem'ed out lines, it's rather boring) - are you sure this is what you want?
>
> Good luck -- Paul
>
> > ***89 deleted module lines here**
> > ssl_module (shared)
> > systemd_module (shared)
> >
> > the full config file for the ONLY https virtual server
> > --
> > # SSL Support for Coax Publications ONLY!
> >
> > ServerName www.coaxpublications.ca
> > # ServerAlias t.coaxpublications.ca
> > DocumentRoot /usr/httpd/coax
> > Options -MultiViews
> > H2Direct on
> > ProxyPassMatch "^/.*\.php(/.*)?$" fcgi://127.0.0.1:9002/usr/httpd/coax
> > SSLEngine on
> > # SSLCipherSuite HIGH: !ADH: !SSLv2: !SSLv3: !TLSv1: !RC4: !PSK: !MD5
> > SSLCipherSuite TLSv1.3
> > SSLCertificateFile /etc/httpd/conf/sslcert/www.coaxpublications.ca.pem
> > SSLCertificateKeyFile /etc/httpd/conf/sslcert/www.coaxpublications.ca.key
> > SSLCACertificateFile /etc/httpd/conf/sslcert/intermediate.crt
> > SSLHonorCipherOrder on
> > Header always set Strict-Transport-Security "max-age-63072000;includeSubDomains"
> >
> > # Redirect if logon is to coaxpublications without the 'www'
> >
> > ServerName coaxpublications.ca
> > Redirect permanent / https://www.coaxpublications.ca
> >
> > --
> >
> > the systemctl status on attempting to start:
> > --
> > # systemctl status httpd
> > × httpd.service - The Apache HTTP Server
> >   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; preset: disabled)
> >   Drop-In: /usr/lib/systemd/system/httpd.service.d
> >            └─php-fpm.conf
> >   Active: failed (Result: exit-code) since Sun 2023-11-26 15:14:50 EST; 25min ago
> >   Duration: 1d 22h 32min 36.626s
> >   Docs: man:httpd.service(8)
> >   Process: 56733 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
> >   Main PID: 56733 (code=exited, status=1/FAILURE)
> >   Status: "Reading configuration..."
> >   CPU: 25ms
> >
> > Nov 26 15:14:50 prod02 systemd[1]: Starting The Apache HTTP Server...
> > Nov 26 15:14:50 prod02 systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
> > Nov 26 15:14:50 prod02 systemd[1]: httpd.service: Failed with result 'exit-code'.
> > Nov 26 15:14:50 prod02 systemd[1]: Failed to start The Apache HTTP Server.
> > --
> >
> > our production TLS certificate. The one on the problem server is a .pem version of the same thing because it will eventually replace this server. What I don't know is how to confirm that the .pem cert is identical to thi
Re: [users@httpd] Multi site SSL problems
On Fri, 2024-05-10 at 15:48 -0400, Sean Conner wrote:
> It was thus said that the Great Chris me once stated:
> > I set up each entry with but when I do that, the second site will complain that the cert is for site1. So if I go to site2.com, I get a browser error that the cert is for site1. It will show me the content for site1.
>
> On my development server, I have the following:
>
> ServerName playground.roswell.area51
> SSLEngine on
> SSLCertificateFile /home/spc/web/playground/cert.pem
> SSLCertificateKeyFile /home/spc/web/playground/key.pem
> ...
>
> ServerName wiki.roswell.area51
> SSLEngine on
> SSLCertificateFile /home/spc/web/wiki/cert.pem
> SSLCertificateKeyFile /home/spc/web/wiki/key.pem
> ...
>
> > I am not sure how to do this part:
> > Do not use the 2.2 authz directives (Allow/Deny/Order) and use Require instead
> > I am running Apache 2.2, does it still apply?
> > It does not look like mod_access_compat is listed under mods-enabled
>
> That I don't remember as I've been running Apache 2.4 for a couple of years now.
>
> -spc

Typo in the 2nd virtual host "1932.168.1.10:" probably should be "192.168.1.10"

John
[us...@httpd] Apache won't start, nothing is logged.
System is RHEL5.2, httpd-2.2.3-22.el5

httpd was running. I got new certificates, installed them, restarted. After fixing the inevitable selinux issues, I was getting a message about not being able to read the passphrase. I ensured no httpd processes were running, stripped the passphrase from the private key, and now when I try to start the httpd service I get one word... FAILED. Nothing is logged to error_log, messages, or audit.log. I can't find anything in any other logs that appears relevant.

How do I find out what it's unhappy about?

--
John Oliver http://www.john-oliver.net/
Re: [us...@httpd] Apache won't start, nothing is logged.
On Mon, May 18, 2009 at 07:47:56PM +0200, Florian Bender wrote:
> Hi,
> it seems as if it's the same error I've encountered today, yet I've done slightly different things which may have caused it.
> Does Apache start when you disable mod_ssl? That has worked for me, yet isn't a satisfying solution.

Yes, disabling SSL allows httpd to start. And that is far more than an "unsatisfying" solution.

--
John Oliver http://www.john-oliver.net/
Re: [us...@httpd] Httpd on Ubuntu 9.04
Hi:
I don't want to hijack this thread, but since the question has been answered, I have a related one...WHY does the Debian distro 'relocate' things such as apache? Since I've been getting into the guts of Debian and Ubuntu over the last 2-3 years, I am finding a lot of 'non standard' things that drive me nuts when trying to solve a problem. I consider myself a fairly knowledgeable Unix user/developer (at least, back in the bad old days) and some of the changes I've seen in the Debian/Ubuntu distros make me scratch my head and say Why?
For example, their use of bin, and sbin, and root being acquired by 'sudo'..
Just curious...

On Fri, May 22, 2009 at 12:48 AM, Res wrote:
> On Thu, 21 May 2009, Frank Gingras wrote:
>
>> The debian maintainers thought it would be suitable to rename it to apache2 / apache2ctl.
>>
>> See: http://wiki.apache.org/httpd/DistrosDefaultLayout
>
> I often wonder who is worse, Micro$oft or Debian, both want everything "their" way.
>
> My solution for the OP is apt-get remove apache2 (http2 or whatever they call it these days) and get the source (it will be a lot more current than ubuntu/debians version as well and won't be hacked or butchered) so will be cleaner and bug free'r.
>
> If you still have issues you'll far likely get better support here using it since few people here would know what butchering Debian have done.
>
> --
> Res
>
> -Beware of programmers who carry screwdrivers
Re: [us...@httpd] Httpd on Ubuntu 9.04
I've seen apps installed in sbin, and /home/username when from my perspective, they should have been in bin. While I haven't used a lot of different distros (slackware, RH (prior to their business model change), and commercial Unix distros by att, sun, dec, HP), I've never run into 'sudo'...I can understand the security argument for this, but don't necessarily agree with the approach. Anyway, it's more of a 'Why do they do this' as a general question as opposed to a specific configuration. Guess I should take this question to the Debian forum

On Fri, May 22, 2009 at 8:52 AM, Eric Covener wrote:
> On Fri, May 22, 2009 at 8:39 AM, John Hudak wrote:
>> For example, their use of bin, and sbin, and root being acquired by 'sudo'..
>> Just curious...
>
> Aren't those all pretty conventional?
>
> --
> Eric Covener
> cove...@gmail.com
[us...@httpd] Apache performance issue on AMD 6000+ cpu
Hi,

I've searched the archives and the web in general but haven't found an answer.

Problem:
I recently started setting up a new machine for use as a standard LAMP server and as a box to investigate XEN virtualisation. When doing some crude performance tests using ab, I found that performance of the machine was not what I would have expected. We have a number of XEON based systems in a different hosting provider. My expectation was that the AMD 6000+ box would perform at least as well as the XEON boxes.

Command:
ab -k -c 100 -n 50,000 http://localhost/

index.html here was a static text file with either standard debian content or a "hello world" message so size of content is usually less than 20 bytes or so.

AMD BOX: about 8,000 requests per second.
XEON BOX: about 16,000 requests per second.

XEON BOX:
2 gb ram
1 x xeon 3050 @ 2.13ghz (dual core)
/ is on a mirror of 2 seagate barracuda (it appears. write speed on this box is quite poor...)
32 bit debian etch
apache 2.2.3

AMD BOX:
6gb ram
1 x amd x2 6000+ (dual core)
/ on a mirror of 2 samsung drives. Not sure which ones but bonnie tells me I/O performance is superior to XEON box.
Various versions of debian were tried and various kernels but all gave similar results
lenny 64 bit and 32 bit
xen and non xen kernels
xen guest os in 32 and 64 bit lenny and etch

The hosting provider gives us a black box installation menu that didn't seem to be able to install etch so I can't quite compare apples to apples which is unfortunate.

Apache configs.
In order to try and level this unlevel playing field I tried a lot of different apache configs on the amd box including using exactly the same one as on herbgarden yet performance remained about the same.

What I did notice was that according to vmstat 1, cpu idle count never dropped below 50% on the amd box indicating some issue with multithreading.

My question is, should I expect the ab test above on the AMD box to be at least the same as on the XEON box rather than the current poor situation?

Any pointers appreciated.

John

Extra info:

AMD BOX:
# cat /proc/cpuinfo
processor : 0
vendor_id : AuthenticAMD
cpu family : 15
model : 107
model name : AMD Athlon(tm) 64 X2 Dual Core Processor 6000+
stepping : 2
cpu MHz : 3100.000
cache size : 512 KB
physical id : 0
siblings : 2
core id : 0
cpu cores : 2
apicid : 0
initial apicid : 0
fdiv_bug : no
hlt_bug : no
f00f_bug : no
coma_bug : no
fpu : yes
fpu_exception : yes
cpuid level : 1
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx mmxext fxsr_opt rdtscp lm 3dnowext 3dnow pni cx16 lahf_lm cmp_legacy svm extapic cr8_legacy 3dnowprefetch
bogomips : 6205.46
clflush size : 64
power management: ts fid vid ttp tm stc 100mhzsteps

processor : 1
vendor_id : AuthenticAMD
cpu family : 15
model : 107
model name : AMD Athlon(tm) 64 X2 Dual Core Processor 6000+
stepping : 2
cpu MHz : 3100.000
cache size : 512 KB
physical id : 0
siblings : 2
core id : 1
cpu cores : 2
apicid : 1
initial apicid : 1
fdiv_bug : no
hlt_bug : no
f00f_bug : no
coma_bug : no
fpu : yes
fpu_exception : yes
cpuid level : 1
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx mmxext fxsr_opt rdtscp lm 3dnowext 3dnow pni cx16 lahf_lm cmp_legacy svm extapic cr8_legacy 3dnowprefetch
bogomips : 6205.46
clflush size : 64
power management: ts fid vid ttp tm stc 100mhzsteps

free
             total       used       free     shared    buffers     cached
Mem:       6200668     536780    5663888          0      24740     453800
-/+ buffers/cache:      58240    6142428
Swap:      4200888          0    4200888
hope:~#
[us...@httpd] https works, http doesn't
Forbidden

You don't have permission to access / on this server.

Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.

Web server is RHEL 5.2 running httpd-2.2.3-22.el5. Nothing is logged to any error_log. Access attempts are logged and look OK. There is no firewall... iptables is stopped, and I get the same result from localhost. Nothing is logged to audit.log, and the problem persists after "setenforce 0". There is an index.html with 644, and it's in /var/www/html with 755, and that is set as the DocumentRoot. HTTPS works perfectly.

--
John Oliver http://www.john-oliver.net/
Re: [us...@httpd] https works, http doesn't
On Mon, Jun 01, 2009 at 06:00:22PM -0400, Frank Gingras wrote:
> John,
>
> What does the error log say, exactly?

Absolutely nothing, besides the messages from httpd starting.

> John Oliver wrote:
> >Forbidden
> >
> >You don't have permission to access / on this server.
> >
> >Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.
> >
> >Web server is RHEL 5.2 running httpd-2.2.3-22.el5 Nothing is logged to any error_log. Access attempts are logged and look OK. There is no firewall... iptables is stopped, and I get the same result from localhost. Nothing is logged to audit.log, and the problem persists after "setenforce 0" There is an index.html with 644, and it's in /var/www/html with 755, and that is set as the DocumentRoot. HTTPS works perfectly.

--
John Oliver http://www.john-oliver.net/
Re: [us...@httpd] https works, http doesn't
On Mon, Jun 01, 2009 at 03:09:23PM -0700, Sander Temme wrote:
> >
> >Web server is RHEL 5.2 running httpd-2.2.3-22.el5 Nothing is logged to any error_log.
>
> I believe that is impossible: 403s are logged. Are you sure you are looking in the right log? What are the access controls on your DocumentRoot?

It ought to be! But...

[r...@mda-vm1h ~]# tail /var/log/httpd/access_log
192.49.61.83 - - [01/Jun/2009:14:34:27 -0700] "GET /aspl/ HTTP/1.1" 403 247 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10"
128.49.61.123 - - [01/Jun/2009:14:34:46 -0700] "POST /threshold/services/ThresholdQuery?wsdl HTTP/1.0" 403 328 "-" "Axis/1.2.1"
127.0.0.1 - - [01/Jun/2009:14:36:13 -0700] "get /" 403 - "-" "-"
127.0.0.1 - - [01/Jun/2009:14:36:26 -0700] "get /index.html" 403 305 "-" "-"
192.49.61.83 - - [01/Jun/2009:14:46:43 -0700] "GET /verification/verify/editAPM.action HTTP/1.1" 403 263 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10"
192.49.61.83 - - [01/Jun/2009:14:46:51 -0700] "GET / HTTP/1.1" 403 - "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10"
192.49.61.83 - - [01/Jun/2009:14:48:20 -0700] "GET / HTTP/1.1" 403 - "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10"
192.49.61.83 - - [01/Jun/2009:14:48:22 -0700] "GET / HTTP/1.1" 403 - "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10"
192.49.61.83 - - [01/Jun/2009:15:12:35 -0700] "GET / HTTP/1.1" 403 - "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10"
192.49.61.83 - - [01/Jun/2009:15:12:38 -0700] "GET /favicon.ico HTTP/1.1" 403 250 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10"

[r...@mda-vm1h ~]# tail /var/log/httpd/error_log
[Mon Jun 01 14:30:46 2009] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Mon Jun 01 14:30:47 2009] [notice] Digest: generating secret for digest authentication ...
[Mon Jun 01 14:30:47 2009] [notice] Digest: done
[Mon Jun 01 14:30:47 2009] [notice] Apache/2.2.3 (Red Hat) configured -- resuming normal operations
[Mon Jun 01 14:33:45 2009] [notice] caught SIGTERM, shutting down
[Mon Jun 01 14:33:45 2009] [notice] SELinux policy enabled; httpd running as context user_u:system_r:httpd_t
[Mon Jun 01 14:33:45 2009] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Mon Jun 01 14:33:46 2009] [notice] Digest: generating secret for digest authentication ...
[Mon Jun 01 14:33:46 2009] [notice] Digest: done
[Mon Jun 01 14:33:46 2009] [notice] Apache/2.2.3 (Red Hat) configured -- resuming normal operations

There isn't exactly a plethora of log files for me to choose from:

[r...@mda-vm1h ~]# ls -l /var/log/httpd/ | grep "Jun 1"
-rw-r--r-- 1 root root 5879 Jun 1 15:12 access_log
-rw-r--r-- 1 root root 2578 Jun 1 14:33 error_log
-rw-r--r-- 1 root root 1412 Jun 1 14:46 ssl_access_log
-rw-r--r-- 1 root root 637 Jun 1 14:45 ssl_error_log
-rw-r--r-- 1 root root 1684 Jun 1 14:46 ssl_request_log

As for "access controls" on /var/www/html... none besides file permissions.

[r...@mda-vm1h ~]# ls -la /var/www/html/
total 32
drwxr-xr-x 3 root root 4096 Nov 12 2008 .
drwxr-xr-x 6 root root 4096 Nov 12 2008 ..
-rw-r--r-- 1 root root 1480 Apr 22 21:58 index.html

> What is the LogLevel in your configuration file?

Right now, "warn". I'll bump it up and try again.

> >Access attempts are logged and look OK. There is no
>
> Do you mean the access attempt that resulted in the above response? What response code is logged?

See above.

> >firewall... iptables is stopped, and I get the same result from localhost. Nothing is logged to audit.log, and the problem persists after "setenforce 0"
>
> You are definitely talking to the httpd, not to your firewall.

No firewall. iptables is stopped, browser and client are on same segment / subnet, and I get the same result from localhost.

> >There is an index.html with 644, and it's in /var/www/html with 755, and that is set as the DocumentRoot. HTTPS works perfectly.
>
> What are the differences in access controls between your SSL vhost and yo
Re: [us...@httpd] https works, http doesn't
On Mon, Jun 01, 2009 at 03:09:23PM -0700, Sander Temme wrote:
>
> I believe that is impossible: 403s are logged. Are you sure you are looking in the right log? What are the access controls on your DocumentRoot?
>
> What is the LogLevel in your configuration file?

I bumped LogLevel to 'debug' and got:

[r...@mda-vm1h ~]# tail -f /var/log/httpd/error_log
[Mon Jun 01 15:20:52 2009] [debug] proxy_util.c(1967): proxy: initialized single connection worker 1 in child 8833 for (*)
[Mon Jun 01 15:20:52 2009] [notice] Apache/2.2.3 (Red Hat) configured -- resuming normal operations
[Mon Jun 01 15:20:52 2009] [info] Server built: Nov 12 2008 07:09:27
[Mon Jun 01 15:20:52 2009] [debug] prefork.c(991): AcceptMutex: sysvsem (default: sysvsem)
[Mon Jun 01 15:20:52 2009] [debug] proxy_util.c(1854): proxy: grabbed scoreboard slot 0 in child 8830 for worker ajp://192.168.1.2:8009/
[Mon Jun 01 15:20:52 2009] [debug] proxy_util.c(1873): proxy: worker ajp://192.168.1.2:8009/ already initialized
[Mon Jun 01 15:20:52 2009] [debug] proxy_util.c(1967): proxy: initialized single connection worker 0 in child 8830 for (192.168.1.2)
[Mon Jun 01 15:20:52 2009] [debug] proxy_util.c(1854): proxy: grabbed scoreboard slot 1 in child 8830 for worker proxy:reverse
[Mon Jun 01 15:20:52 2009] [debug] proxy_util.c(1873): proxy: worker proxy:reverse already initialized
[Mon Jun 01 15:20:52 2009] [debug] proxy_util.c(1967): proxy: initialized single connection worker 1 in child 8830 for (*)
[Mon Jun 01 15:21:10 2009] [debug] mod_deflate.c(447): [client 128.49.61.83] Zlib: Compressed 414 to 293 : URL /
[Mon Jun 01 15:21:16 2009] [debug] mod_deflate.c(447): [client 128.49.61.83] Zlib: Compressed 305 to 232 : URL /index.html
[Mon Jun 01 15:21:18 2009] [debug] mod_deflate.c(447): [client 128.49.61.83] Zlib: Compressed 305 to 232 : URL /index.html
[Mon Jun 01 15:21:19 2009] [debug] mod_deflate.c(447): [client 128.49.61.83] Zlib: Compressed 305 to 232 : URL /index.html
[Mon Jun 01 15:21:19 2009] [debug] mod_deflate.c(447): [client 128.49.61.83] Zlib: Compressed 305 to 232 : URL /index.html
[Mon Jun 01 15:21:19 2009] [debug] mod_deflate.c(447): [client 128.49.61.83] Zlib: Compressed 305 to 232 : URL /index.html

The last six lines are me shift-refreshing trying to get to index.html

--
John Oliver http://www.john-oliver.net/
Re: [us...@httpd] https works, http doesn't
On Mon, Jun 01, 2009 at 06:27:35PM -0400, Frank Gingras wrote:
> John,
>
> Then you are looking in the wrong error log, since a 403 is always logged.
>
> The other possibility is that you're hitting browser cache.

There are no other log files.

[r...@mda-vm1h ~]# date
Mon Jun 1 15:46:53 PDT 2009
[r...@mda-vm1h ~]# ls -l /var/log/httpd/ | grep "Jun 1"
-rw-r--r-- 1 root root 8927 Jun 1 15:46 access_log
-rw-r--r-- 1 root root 13210 Jun 1 15:46 error_log
-rw-r--r-- 1 root root 3527 Jun 1 15:43 ssl_access_log
-rw-r--r-- 1 root root 637 Jun 1 14:45 ssl_error_log
-rw-r--r-- 1 root root 3979 Jun 1 15:43 ssl_request_log
[r...@mda-vm1h ~]# tail /var/log/httpd/error_log
[Mon Jun 01 15:21:52 2009] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Mon Jun 01 15:21:53 2009] [notice] Digest: generating secret for digest authentication ...
[Mon Jun 01 15:21:53 2009] [notice] Digest: done
[Mon Jun 01 15:21:53 2009] [notice] Apache/2.2.3 (Red Hat) configured -- resuming normal operations
[Mon Jun 01 15:46:13 2009] [notice] caught SIGTERM, shutting down
[Mon Jun 01 15:46:14 2009] [notice] SELinux policy enabled; httpd running as context user_u:system_r:httpd_t:s0
[Mon Jun 01 15:46:14 2009] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Mon Jun 01 15:46:14 2009] [notice] Digest: generating secret for digest authentication ...
[Mon Jun 01 15:46:14 2009] [notice] Digest: done
[Mon Jun 01 15:46:14 2009] [notice] Apache/2.2.3 (Red Hat) configured -- resuming normal operations

And I'm using shift-refresh, so it isn't likely to be browser cache.

Unless httpd is writing the logged 403s to somewhere else. Not sure how that could be, as I have:

ErrorLog logs/error_log

And maybe it isn't a 403? Browser just says:

Forbidden

You don't have permission to access /index.html on this server.

--
John Oliver http://www.john-oliver.net/
Re: [us...@httpd] https works, http doesn't
On Mon, Jun 01, 2009 at 03:51:33PM -0700, Sander Temme wrote:
>
> On Jun 1, 2009, at 3:27 PM, Frank Gingras wrote:
>
> >John,
> >
> >Then you are looking in the wrong error log, since a 403 is always
> >logged.
> >
> >The other possibility is that you're hitting browser cache.
>
> Yes, but John's other e-mail does show activity, which means he's
> actually serving pages.
>
> We're looking at the right log, and it's trying to serve the right file.

Exactly. This totally smacks of an selinux issue, but with nothing logged by auditd, and "setenforce 0" doesn't fix...

--
John Oliver http://www.john-oliver.net/
Re: [us...@httpd] https works, http doesn't
On Mon, Jun 01, 2009 at 04:10:24PM -0700, Sander Temme wrote:
>
> On Jun 1, 2009, at 3:24 PM, John Oliver wrote:
>
> >[Mon Jun 01 15:21:19 2009] [debug] mod_deflate.c(447): [client
> >128.49.61.83] Zlib: Compressed 305 to 232 : URL /index.html
>
>
> So it's trying to serve you something. This is probably the
> internally generated response from the server after it boinked on
> serving the standard error page document.
>
> Your access log:
>
> >192.49.61.83 - - [01/Jun/2009:15:12:35 -0700] "GET / HTTP/1.1" 403 -
> >"-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.10)
> >Gecko/2009042316 Firefox/3.0.10"
> >192.49.61.83 - - [01/Jun/2009:15:12:38 -0700] "GET /favicon.ico HTTP/
> >1.1" 403 250 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:
> >1.9.0.10) Gecko/2009042316 Firefox/3.0.10"
>
> Interesting that it would serve *no content* for the / and 250 bytes
> for the favicon.ico. Suggests a different data path is followed.
>
> As you may know, if you don't put any content in /var/www/html, Red
> Hat will serve the 403 error page because it has configured Directory
> Listings of /var/www/html to be forbidden. By striking coincidence,
> that error page HTML document is dolled up to look like the default
> "this is a Red Hat box" page you (should) see in your browser.

Yup, but DirectoryIndex (or my manually specifying index.html) ought to take care of that.

> So what have you changed to your config? You HAVE changed things: for
> starters deflate is not on by default.
ServerTokens OS
ServerRoot "/etc/httpd"
PidFile run/httpd.pid
Timeout 120
KeepAlive Off
MaxKeepAliveRequests 100
KeepAliveTimeout 15
StartServers 8
MinSpareServers 5
MaxSpareServers 20
ServerLimit 256
MaxClients 256
MaxRequestsPerChild 4000
StartServers 2
MaxClients 150
MinSpareThreads 25
MaxSpareThreads 75
ThreadsPerChild 25
MaxRequestsPerChild 0
Listen 80
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_alias_module modules/mod_authn_alias.so
LoadModule authn_anon_module modules/mod_authn_anon.so
LoadModule authn_dbm_module modules/mod_authn_dbm.so
LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_owner_module modules/mod_authz_owner.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_dbm_module modules/mod_authz_dbm.so
LoadModule authz_default_module modules/mod_authz_default.so
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule include_module modules/mod_include.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule logio_module modules/mod_logio.so
LoadModule env_module modules/mod_env.so
LoadModule ext_filter_module modules/mod_ext_filter.so
LoadModule mime_magic_module modules/mod_mime_magic.so
LoadModule expires_module modules/mod_expires.so
LoadModule deflate_module modules/mod_deflate.so
LoadModule headers_module modules/mod_headers.so
LoadModule usertrack_module modules/mod_usertrack.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule mime_module modules/mod_mime.so
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule info_module modules/mod_info.so
LoadModule vhost_alias_module modules/mod_vhost_alias.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule dir_module modules/mod_dir.so
LoadModule actions_module modules/mod_actions.so
LoadModule speling_module modules/mod_speling.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule alias_module modules/mod_alias.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule cache_module modules/mod_cache.so
LoadModule suexec_module modules/mod_suexec.so
LoadModule disk_cache_module modules/mod_disk_cache.so
LoadModule file_cache_module modules/mod_file_cache.so
LoadModule mem_cache_module modules/mod_mem_cache.so
LoadModule cgi_module modules/mod_cgi.so
Include conf.d/*.conf
User apache
Group apache
ServerAdmin r...@localhost
UseCanonicalName Off
DocumentRoot "/var/www/html"
Options FollowSymLinks
AllowOverride None
Options -Indexes FollowSymLinks
AllowOverride None
Orde
[us...@httpd] Upgrading Apache 2.0.54 to 2.0.63 on Windows Server 2003
I'm a Linux guy, but have been handed the above to do on a live server.

I'm just wondering if I use the msi file will it upgrade the current installation? Will it stop and start the service? Keep the current config files?

Sorry for the probably slightly stupid questions but google hasn't turned a lot up for me and I don't want to risk lengthy downtime of the sites on the server.

Thanks in advance!

jc
Re: [us...@httpd] Apache suddenly stops serving requests, recv() returns -1/errno=EAGAIN forever
hmmm, could you be more specific about the fix? For example what distro and build? and what kernel version did you originally have and what version was it patched to??

John

On Fri, Jun 26, 2009 at 9:43 PM, Elmar Krieger wrote:
> Dear all,
>
> fortunately, our expert system admin could locate and solve the problem,
> I'm posting what I heard in case someone googles this thread:
>
> So in our case, the random download stalls, where recv() on the socket
> connection would report -1/errno=EAGAIN for an hour without progress, were
> caused by a problem with state filtering in the iptables config, related to
> the local firewall. It required a new Linux kernel to fix, since then Apache
> is running happily...
>
> CU,
> Elmar
>
>
> Tom Evans wrote:
>
>> On Wed, 2009-06-24 at 08:09 -0500, Elmar Krieger wrote:
>>
>>> Dear Apache users,
>>>>>
>>>>> I'm forced to write yet another program that downloads HTTP files from an
>>>>> Apache server,
>>>>>
>>>> ...
>>>> Naive question : why would you do that, when there are probably at least
>>>> 10 existing libraries/utilities that already do that, and do it right ?
>>>>
>>>> I mean that downloading a file from a webserver is not just a matter of
>>>> opening a socket and reading bytes from it. There are such things as
>>>> status codes, HTTP headers, encoding, transfer-encoding, etc..
>>>> Do you really want to re-invent the wheel ?
>>>>
>>> I did of course start with code from the web, but that was not reliable
>>> enough. For example the download routines of Firefox and Safari are not
>>> satisfactory, because they also hang forever occasionally, and don't
>>> automatically restart the transfer with a new request. I need it 100%
>>> fool-proof.
>>>
>>> Anyway, could you point me to the most reliable public domain (not GNU
>>> GPL) library you know, that compiles in Linux, Windows and MacOSX? Then I
>>> can compare the code..
>>>
>>> And any idea under which circumstances a recv() from a socket connection
>>> to Apache can report -1/errno=EAGAIN for an hour without progress would
>>> still be appreciated. It's a server side problem, because it happens from
>>> clients all over the world ;-)
>>>
>>> Thanks for your help,
>>> Elmar
>>>
>> I can download all sorts of large files from apache, it truly Works For
>> Me, so this certainly sounds like a naive client app rather than a
>> server side bug.
>>
>> Any reason why you aren't using curl/libcurl/wget/libfetch? When there
>> are BSD licensed wheels out there, don't design your own..
>>
>> Eg: http://curl.haxx.se/ (MIT)
>> http://curl.haxx.se/libcurl/ (MIT)
>> http://www.freebsd.org/cgi/cvsweb.cgi/src/lib/libfetch/ (BSD)
>>
>> Curl has a list of the FOSS http libraries:
>> http://curl.haxx.se/libcurl/competitors.html
>>
>> HTH
>>
>> Tom
[us...@httpd]
help
[us...@httpd] Help with rewrite / redirect
I have a server that's always been known as https://server1.com/ It's now known as https://server2.com/ Anyone who accesses it as https://server1.com/ winds up getting a certificate error as well as other issues. I want to grab and rewrite any https://server1.com/ URLs to https://server2.com/ But it seems like there are dozens of ways to do this, and none are working for me. mod_rewrite, mod_alias, Redirect, RewriteCond, blah blah blah... nothing I try has any effect.

--
John Oliver http://www.john-oliver.net/
Re: [us...@httpd] Help with rewrite / redirect
On Tue, Jul 14, 2009 at 05:50:13PM -0500, Doug Bell wrote:
> On Jul 14, 2009, at 5:25 PM, John Oliver wrote:
>
> >I have a server that's always been known as https://server1.com/ It's
> >now known as https://server2.com/ Anyone who accesses it as
> >https://server1.com/ winds up getting a certificate error as well as
> >other issues. I want to grab and rewrite any https://server1.com/
> >URLs
> >to https://server2.com/ But it seems like there are dozens of ways to
> >do this, and none are working for me. mod_rewrite, mod_alias,
> >Redirect,
> >RewriteCond, blah blah blah... nothing I try has any effect.
> >
>
> What do you mean by doesn't work?

URL never changes.

> I'm guessing you mean it still has the certificate error, and that
> will happen.

You'd be guessing wrong ;-)

> My suggestion is to keep a cert for both domains until the transition
> is complete. That will be the easiest (though not necessarily the
> cheapest).

Pretty tough to do with one IP address... ;-)

That isn't my problem. SSL works perfectly. I just can't come up with the right magic incantation that will rewrite my URL for me.

--
John Oliver http://www.john-oliver.net/
[us...@httpd] Proxying SSL
I believe I need to proxy SSL. I have one Apache server, with SSL, and am using ProxyPass to get https://server1/app/ to proxy to https://server2/app/ server2 is set up to use certificate details for authorization.

I found http://httpd.apache.org/docs/2.2/mod/mod_ssl.html There are an awful lot of SSLProxy* directives, and I'm not sure what all I need to get this working. I added SSLProxyEngine on and got errors like:

[Wed Jul 22 23:02:56 2009] [warn] Proxy client certificate callback: (server1:443) downstream server wanted client certificate but none are configured
[Wed Jul 22 23:02:56 2009] [error] (502)Unknown error 502: proxy: pass request body failed to [2001:480:10:61:250:56ff:fe2f:f1c3]:443 (server2)

I'm not sure why it's trying to talk IPv6 to server2. I added a hosts entry with the correct IPv4 address, just to eliminate that issue, but I get the same error.

--
John Oliver http://www.john-oliver.net/
[us...@httpd] New user/syntax error message
Using Windows Vista 64 bit I've been struggling to install apache properly so that I can begin to learn php. On installation of version 2.2.13-win32-x86-no-ssl.msi I've gotten a message that installation was successful but cannot stop until syntax error on line 483 is corrected.

Line 483 is:

LoadModule php5_module "C:john/documents /php5apache2_2.dll"

I noticed that the actual file path was as follows:

LoadModule php5_module "C:john/documents/php-5.2.10-Win32/php5apache2_2.dll"

So I made that change and saved the config file. But got no change in outcome.

Thanks.
John Jensen
Homewoodpottery.com
[us...@httpd] Apache for Windows won't start
So I installed 2.2.13 on W2K3 R2 Enterprise Edition SP2. When I try to start it, I get a message about error code 1, and there is nothing in the error.log. This is the first time I've tried to do this under Windows. With Linux/UNIX, there would be *something* in the error_log. But here, I'm stuck. How to proceed?

--
John Oliver http://www.john-oliver.net/
Re: [us...@httpd] Apache for Windows won't start
On Tue, Sep 01, 2009 at 06:12:47PM -0500, William A. Rowe, Jr. wrote:
> John Oliver wrote:
> > So I installed 2.2.13 on W2K3 R2 Enterprise Edition SP2 When I try to
> > start it, I get a message about error code 1, and there is nothing in
> > the error.log This is the first time I've tried to do this under
> > Windows. With Linux/UNIX, there would be *something* in the error_log.
> > But here, I'm stuck. How to proceed?
>
> Windows Application Event Log (until there is a chance to open the log file)

Ahh. It's complaining about not being able to bind to port 80. Netstat doesn't show anything else listening on that port. I poked around in the properties of the service, thinking maybe it's running as a non-privileged user, but no, it's running as SYSTEM.

Next step? :-) Thanks...

--
John Oliver http://www.john-oliver.net/
[us...@httpd] Lookaround assertions in mod_rewrite/mod_alias regex?
How can one use lookahead/lookbehind assertions in the regex for a mod_rewrite RewriteRule, or mod_alias AliasMatch? Currently when I attempt to use a question mark in my regex, as needed for lookarounds, I get an internal server error for mod_rewrite, or a syntax error for mod_alias.
[us...@httpd] Apache for Windows won't install
Trying to install apache_2.2.13-win32-x86-openssl-0.9.8k.msi on a W2K3 R2 Enterprise SP2 VM. After I click "Install", I get an error telling me, "The system cannot open the device or file specified". The Application Log says:

Product: Apache HTTP Server 2.2.13 -- Internal Error 2755. 110, C:\Downloads\apache_2.2.13-win32-x86-openssl-0.9.8k.msi

Googling "Internal Error 2755" does not return anything helpful.

--
John Oliver http://www.john-oliver.net/
Re: [us...@httpd] Apache for Windows won't install
On Wed, Sep 09, 2009 at 01:19:33PM -0500, William A. Rowe, Jr. wrote:
> >*** Product:
> > C:\Downloads\apache_2.2.13-win32-x86-openssl-0.9.8k.msi
> >*** Action: INSTALL
> >*** CommandLine: **
> > MSI (s) (BC:D4) [09:42:25:547]: Machine policy value
> > 'DisableUserInstalls' is 0
> > MSI (s) (BC:D4) [09:42:25:563]: Note: 1: 1309 2: 5 3:
> > C:\Downloads\apache_2.2.13-win32-x86-openssl-0.9.8k.msi
>
> I know, doesn't sound like an error, looks like a Note, but I think it is
> your error message... Error reading from file: Verify that the file exists
> and that you can access it.
>
> What are the permissions on C:\Downloads, or this .msi?

Eff me. SYSTEM did not have any permissions. Added Full Control, and I'm off to the races.

Thanks Bill. I really appreciate this.

--
John Oliver http://www.john-oliver.net/
[us...@httpd] Manually adding an entry to httpd.conf for a domain that would share a DocumentRoot with an existing domain/account
I'd like to add a domain to httpd.conf manually, because it shares a DocumentRoot with an already existing account.

I recently moved servers, and the old server had Apache 1.3. Using an Include, I added this to httpd.conf:

ServerAlias domain.com *.domain.com
ServerName domain.com
DocumentRoot /home/account1/public_html
User account1
Group account1

Where account1 was the account for a pre-existing domain added by cPanel. I also added the appropriate zone for the associated IP, and everything worked as expected.

In the new server which has Apache 2.0.63, I tried the following:

ServerAlias domain.com *.domain.com
ServerName domain.com
DocumentRoot /home/account1/public_html
suPHP_UserGroup account1 account1
SuexecUserGroup account1 account1

However after restarting httpd, I get a 403 Forbidden page for the domain, so I have made a mistake or missed something.

What is the correct way to replicate what the Apache 1.3 code does, in Apache 2? That is, adding a domain which shares a DocumentRoot with an existing domain.

Thanks,
John M.
Re: [us...@httpd] Manually adding an entry to httpd.conf for a domain that would share a DocumentRoot with an existing domain/account
> Let's try to solve your problem...
>
> What is the output of the following command?
> httpd -S
>
> What is in your error log?
>
> Do you have the correct NameVirtualHost statement somewhere?
>
> Krist

Thank you for the suggestions - I hadn't checked the Apache error log, and in that log I found the error:

"(13)Permission denied: /home/account1/public_html/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable"

.htaccess was already readable so I'm not sure what the cause of this problem was, but after googling it seems this is solved by reinstalling Frontpage extensions (which I'd uninstalled earlier). I was then able to uninstall the extensions again and the issue did not reappear. Strange error.

John
[us...@httpd] Certificates Revocation Lists and Apache...
Hi,

I need a little help with Certificate Revocation Lists. I did set up client certificates filtering with apache and it seems to work fine so far (used a tutorial on http://www.adone.info/?p=4, down right now). I have a "CA" that is signing a "CA SSL". Then, the "CA SSL" is signing the clients certificates. Now, I am testing Certificate Revocation Lists, but apache keeps saying: "Invalid signature on CRL"

I used:

$ openssl ca -config openssl.conf -name CA_ssl_default -revoke cassl/$CLIENTNAME.pem
Using configuration from openssl.conf
Enter pass phrase for cassl/private/cassl.key:
Revoking Certificate 02.
Data Base Updated
$ openssl ca -config openssl.conf -name CA_ssl_default -gencrl -out cassl/crl.pem -crldays 365
Using configuration from openssl.conf
Enter pass phrase for /root/Certifs/cassl/private/cassl.key:
$ # cat cassl/crl.pem
-----BEGIN X509 CRL-----
MIIB...
...
...v40=
-----END X509 CRL-----

In apache logs, when the CRL file is activated in the conf:

[debug] ssl_engine_init.c(538): Configuring client authentication
[debug] ssl_engine_init.c(1113): CA certificate: /C=AA/ST=BB/L=CC/O=DD/CN=myhost.mydomain
[debug] ssl_engine_init.c(601): Configuring permitted SSL ciphers [ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW]
[debug] ssl_engine_init.c(626): Configuring certificate revocation facility
[debug] ssl_engine_init.c(729): Configuring RSA server certificate
[debug] ssl_engine_init.c(768): Configuring RSA server private key

When I try to connect with a revoked (or unrevoked) certificate, I get:

[debug] ssl_engine_kernel.c(1199): Certificate Verification: depth: 2, subject: /C=AA/ST=BB/L=CC/O=DD/CN=myhost.mydomain, issuer: /C=AA/ST=BB/L=CC/O=DD/CN=myhost.mydomain
[debug] ssl_engine_kernel.c(1391): CA CRL: Issuer: C=AA, ST=BB, L=CC, O=DD, CN=myhost.mydomain, lastUpdate: Nov 4 14:39:36 2009 GMT, nextUpdate: Nov 4 14:39:36 2010 GMT
[warn] Invalid signature on CRL
[error] Certificate Verification: Error (8): CRL signature failure
[debug] ssl_engine_kernel.c(1779): OpenSSL: Write: SSLv3 read client certificate B
[debug] ssl_engine_kernel.c(1798): OpenSSL: Exit: error in SSLv3 read client certificate B
[debug] ssl_engine_kernel.c(1798): OpenSSL: Exit: error in SSLv3 read client certificate B
[info] [client 192.168.16.23] SSL library error 1 in handshake (server myhost.mydomain:12345)
[info] SSL Library Error: 67567722 error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01
[info] SSL Library Error: 67530866 error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed
[info] SSL Library Error: 218910726 error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib
[info] SSL Library Error: 336105650 error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
[info] [client 192.168.16.23] Connection closed to child 0 with abortive shutdown (server myhost.mydomain:12345)

Also, at one point, I got a "data too large":

[warn] Invalid signature on CRL
[error] Certificate Verification: Error (8): CRL signature failure
[debug] ssl_engine_kernel.c(1779): OpenSSL: Write: SSLv3 read client certificate B
[debug] ssl_engine_kernel.c(1798): OpenSSL: Exit: error in SSLv3 read client certificate B
[debug] ssl_engine_kernel.c(1798): OpenSSL: Exit: error in SSLv3 read client certificate B
[info] [client 192.168.16.23] SSL library error 1 in handshake (server myhost.mydomain:12345)
[info] SSL Library Error: 67530884 error:04067084:rsa routines:RSA_EAY_PUBLIC_DECRYPT:data too large for modulus
[info] SSL Library Error: 218910726 error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib
[info] SSL Library Error: 336105650 error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
[info] [client 192.168.16.23] Connection closed to child 0 with abortive shutdown (server myhost.mydomain:12345)

I reduced my CA and CASSL keys from 2048 down to 1024... not sure if it helped, but I don't have this error anymore...

How can I check if the crl.pem file is ok?

$ openssl crl -in cassl/crl.pem -text
Certificate Revocation List (CRL):
Version 1 (0x0)
Signature Algorithm: sha1WithRSAEncryption
Issuer: /C=AA/ST=BB/L=CC/O=DD/CN=myhost.mydomain
Last Update: Nov 4 14:39:36 2009 GMT
Next Update: Nov 4 14:39:36 2010 GMT
Revoked Certificates:
Serial Number: 02
Revocation Date: Nov 4 14:37:03 2009 GMT
Signature Algorithm: sha1WithRSAEncryption
03:...
...
...:8d
-----BEGIN X509 CRL-----
MIIB...
...
...v40=
-----END X509 CRL-----

Any idea what I am doing wrong?

I was pointed to this bug https://issues.apache.org/bugzilla/show_bug.cgi?id=45708 but I don't think it applies to me. My tests are pretty simple: clean state, generate CA/CASSL/clients certificates, generate crl, crl verify fails. No changes in between...

Thx,
JD
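One way to answer "How can I check if the crl.pem file is ok?", as an added example that is not part of the original post: `openssl crl -CAfile` checks the CRL signature against a given CA certificate. In the log above the CRL issuer DN is identical to the depth-2 certificate subject, so the example also checks the CRL against a second CA that shares the signer's DN but has a different key. The throwaway PKI, the directory layout and the helper names (make_ca, revoke_client, gen_crl, crl_signed_by) are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example: throwaway PKI built in a temp directory (constructed data,
# not the poster's CA). All function names here are hypothetical helpers.
set -eu

# Create a self-signed CA (key, cert, minimal "openssl ca" config) in $1 with subject $2.
make_ca() {
    dir=$1; subj=$2
    mkdir -p "$dir/newcerts"
    : > "$dir/index.txt"
    echo 01 > "$dir/serial"
    echo 01 > "$dir/crlnumber"
    cat > "$dir/openssl.conf" <<EOF
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = overridden-by-subj
[ ca ]
default_ca = CA_default
[ CA_default ]
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/ca.pem
private_key = $dir/ca.key
default_md = sha256
default_days = 30
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "$subj" \
        -config "$dir/openssl.conf" -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
}

# Issue a client certificate with CN $2 from the CA in $1, then revoke it.
revoke_client() {
    cadir=$1; cn=$2
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -config "$cadir/openssl.conf" -keyout "$cadir/$cn.key" -out "$cadir/$cn.csr" 2>/dev/null
    openssl ca -batch -config "$cadir/openssl.conf" -in "$cadir/$cn.csr" \
        -out "$cadir/$cn.pem" 2>/dev/null
    openssl ca -config "$cadir/openssl.conf" -revoke "$cadir/$cn.pem" 2>/dev/null
}

# Sign a CRL with the CA in $1 and write it to $2.
gen_crl() {
    openssl ca -config "$1/openssl.conf" -gencrl -out "$2" 2>/dev/null
}

# Succeed only if CRL $1 carries a valid signature from the key in CA cert $2.
# The text is matched because older openssl builds exit 0 on "verify failure".
crl_signed_by() {
    openssl crl -in "$1" -CAfile "$2" -noout 2>&1 | grep -q 'verify OK'
}

# DN and content helpers: the DN alone does not say which key signed the CRL.
crl_issuer()      { openssl crl  -in "$1" -noout -issuer  | sed 's/^issuer= *//'; }
cert_subject()    { openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'; }
revoked_serials() { openssl crl  -in "$1" -noout -text | sed -n 's/^ *Serial Number: *//p'; }

demo() {
    work=$(mktemp -d)
    # Two CAs with different keys but the same subject DN.
    make_ca "$work/root"  "/O=DD/CN=myhost.mydomain"
    make_ca "$work/cassl" "/O=DD/CN=myhost.mydomain"
    revoke_client "$work/cassl" client1
    gen_crl "$work/cassl" "$work/crl.pem"
    echo "CRL issuer:   $(crl_issuer "$work/crl.pem")"
    echo "root subject: $(cert_subject "$work/root/ca.pem")"
    echo "revoked:      $(revoked_serials "$work/crl.pem")"
    for ca in cassl root; do
        if crl_signed_by "$work/crl.pem" "$work/$ca/ca.pem"; then
            echo "$ca key: verify OK"
        else
            echo "$ca key: verify failure"
        fi
    done
    rm -rf "$work"
}
demo
```

When both CAs carry the same DN, a verifier that finds the issuer by name can pick the wrong key, and the check then fails even though the CRL itself is intact.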
Re: [us...@httpd] http redirection to httpd
sangfroid wrote:
> Hi,
>
> I have two webpages...
>
> 1. www.mypage.com and
> 2. www.mypage.com/private
>
> The issue that I am having is, I need to redirect all http requests coming to http://www.mypage.com/private to https://www.mypage.com
>
> However, I don't want the requests coming to http://www.mypage.com to be redirected to https://www.mypage.com.
>
> How do I accomplish it ? I will highly appreciate your suggestions..Thanks..

Simplest solution is the Redirect directive:

From http://httpd.apache.org/docs/2.0/mod/mod_alias.html#redirect :

The Redirect directive maps an old URL into a new one by asking the client to refetch the resource at the new location.

The old /URL-path/ is a case-sensitive (%-decoded) path beginning with a slash. A relative path is not allowed. The new /URL/ should be an absolute URL beginning with a scheme and hostname.

Example:

Redirect /service http://foo2.bar.com/service

If the client requests http://myserver/service/foo.txt, it will be told to access http://foo2.bar.com/service/foo.txt instead.

So in your case you would use something like:

Redirect /private https://foo2.bar.com/

John
Re: [us...@httpd] Apache as File Server
Nitin Gupta wrote:
> Hi All
>
> In my application, I have a scenario in which user can upload various files. I am persisting these files on the File System itself. I need to make a http interface on these saved files. Can I make use of Apache web server to serve these files from the file system over http protocol?

Yes. That's the basic function of a web server!

> If yes, then please suggest an optimal configuration to make Apache a typical file server.
>
> Rgds
> n

The default configuration should work just fine. In order to display directory listings (indexes) of the files, you'll want to /avoid/ using the DirectoryIndex directive (which tells Apache to display an HTML page such as index.html etc. instead of an index).

Check out:
http://httpd.apache.org/docs/2.0/mod/core.html#options
http://httpd.apache.org/docs/2.0/mod/mod_autoindex.html
and
http://httpd.apache.org/docs/2.0/mod/mod_dir.html

In its simplest configuration, Apache will display directory listings of the files at and below the web root and allow users to navigate the directories and download any file by right clicking on it.

Have fun!

John
[us...@httpd] Re: Spam:*****, Re: [us...@httpd]
On Wed, 2009-11-11 at 14:54 +0200, Kaya Saman wrote:
> André Warnier wrote:
> > Stephen Love wrote:
> >> Ok, now we're getting somewhere... just ENOUGH to eliminate the path in between... I'd just like to ask APACHE for a unique signature of the machine sending the message to compare it against others. Nothing more, nothing less.
> >>
> >> See us online at http://www.LOVEnCompany.com.
> >
> > Well, it looks like this list already gave you all the possible human-level help. If that does not solve your problem, maybe you should ask for some higher-level intervention.
>
> Please check the OSI systems stack for further information which is directly compatible with the TCP/IP system's stack - in fact it's kind of an expanded version that all network engineers use!!
>
> Basically in the underlying network components you have physical, media access, and network layers (1-3); layers 4-7 usually deal with the computers themselves which start from ports and go to the apps themselves.
>
> Now layer 2, at least true for Ethernet means that the MAC address of the system is only point to point between machine and switch port, after that things change. Layer 3 is convoluted by the intervention of NAT or proxy so the only thing you are likely to get is the WAN IP address of the network.
>
> Unique identifiers are impossible, even using Cisco's proprietary CDP (cisco discovery protocol) which discovers neighboring Cisco devices cannot go beyond next hop device as uses layer 2 addressing as reference!!!
>
> The only way I suppose in theory one could do what you are after is for the user to download a little app that has a unique signature and broadcasts the full system info according to that. So at least with the client part of the program you could have say 1 x 10^50 unique signatures generated by a shell script or program then link them to a server somewhere.. I do believe this is called spyware though and is highly illegal!!!
>
> In all honesty I think the best way is going through webalizer, GeoIP, awstats, or Ntop!!! And if going through reverse proxy with Squid like me; unlike me you can form the logs of Squid in a different way and hence forward those to Apache, then get Apache to read those 'different' logs so that you have the correct data collection available to you
> As far as I know of this would be about the only way to go! At least you get the WAN IP of the remote network and can collect and collate geographic locational information and also ISP info too :-)
>
> Without using divine power or alien intervention...

Isn't this being discussed in the wrong forum?

What it ***looks*** like is that you have a class of computers that you need to query to find out which one sent the message/packet/transaction or whatever. This is the classic case for a digital signature. The group has to be reasonably finite since you need to have a public key for each computer that you need to authenticate. Then send something in each packet that has to be encrypted under the sender's private key. You can authenticate that it came from that sender by decrypting under its public key. If the result is the original token, then you can be reasonably certain where the message originated.

John
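The scheme John describes above, as an added example that is not part of the original message: a receiver holds one public key per known machine, hands out a single-use token, and accepts a sender only if the token comes back transformed under that machine's private key. The function and class names, the machine ids and the keys are assumptions made for the illustration; the keys are textbook RSA built from known Mersenne primes and are far too small and unpadded for real use.

```python
import hashlib
import secrets

E = 65537  # public exponent shared by all demo keys


def make_key(p: int, q: int) -> dict:
    """Textbook RSA key from two primes (constructed demo values only)."""
    n = p * q
    return {"n": n, "d": pow(E, -1, (p - 1) * (q - 1))}


def _digest(token: bytes, n: int) -> int:
    """Hash the token and reduce it into the range of the modulus."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % n


def sign(private_key: dict, token: bytes) -> int:
    """Sender side: transform the token digest under the private key."""
    n = private_key["n"]
    return pow(_digest(token, n), private_key["d"], n)


def verify(public_n: int, token: bytes, signature: int) -> bool:
    """Receiver side: undo the transform with the public key and compare."""
    return pow(signature, E, public_n) == _digest(token, public_n)


class Receiver:
    """Holds one public key per known machine and issues single-use tokens."""

    def __init__(self, public_keys: dict):
        self.public_keys = public_keys   # machine id -> public modulus
        self.outstanding = set()         # tokens issued and not yet used

    def issue_token(self) -> bytes:
        token = secrets.token_bytes(16)
        self.outstanding.add(token)
        return token

    def identify(self, claimed_id: str, token: bytes, signature: int):
        """Return claimed_id if the signature proves it, otherwise None."""
        if token not in self.outstanding:
            return None                  # unknown or replayed token
        self.outstanding.discard(token)  # one attempt per token
        public_n = self.public_keys.get(claimed_id)
        if public_n is None or not verify(public_n, token, signature):
            return None
        return claimed_id


# Constructed demo keys (products of known Mersenne primes).
KEY_A = make_key(2**127 - 1, 2**89 - 1)
KEY_B = make_key(2**107 - 1, 2**61 - 1)


def demo() -> dict:
    receiver = Receiver({"machine-a": KEY_A["n"], "machine-b": KEY_B["n"]})
    results = {}
    t1 = receiver.issue_token()
    s1 = sign(KEY_A, t1)
    results["genuine"] = receiver.identify("machine-a", t1, s1)
    results["replay"] = receiver.identify("machine-a", t1, s1)
    t2 = receiver.issue_token()
    results["impersonation"] = receiver.identify("machine-a", t2, sign(KEY_B, t2))
    t3 = receiver.issue_token()
    results["unknown_machine"] = receiver.identify("machine-c", t3, sign(KEY_A, t3))
    return results


if __name__ == "__main__":
    print(demo())
```

Because the receiver picks a fresh token each time, a captured signature cannot be replayed for a later request.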
[us...@httpd] SSL received a record that exceeded the maximum permissible length.
I have one physical server with two IP addresses. I created VirtualHosts for each:

NameVirtualHost 192.168.1.47:443
NameVirtualHost 192.168.1.129:443

ServerName virtual.host1
DocumentRoot /var/www/html2
ErrorLog logs/ssl_error2_log
CustomLog logs/ssl_request2_log \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
SSLEngine on
SSLProtocol all -SSLv2
SSLVerifyClient require
SSLVerifyDepth 10
SSLCertificateFile /etc/pki/tls/certs/subscriber.pem
SSLCACertificateFile /etc/pki/tls/certs/cabundle.crt
SSLOptions +StdEnvVars
SSLOptions +StdEnvVars
SetEnvIf User-Agent ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0

ServerName virtual.host2
DocumentRoot /var/www/html
ErrorLog logs/ssl_error_log
CustomLog logs/ssl_request_log \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
SSLEngine on
SSLProtocol all -SSLv2
SSLCertificateFile /etc/pki/tls/certs/ois_cert.pem
SSLCertificateKeyFile /etc/pki/tls/private/ois_key.pem
SSLCACertificateFile /etc/pki/tls/certs/cabundle.crt
SSLVerifyClient require
SSLVerifyDepth 10

When I visit https://virtual.host2/ I get:

SSL received a record that exceeded the maximum permissible length.
(Error code: ssl_error_rx_record_too_long)

But nothing is logged, even if I change LogLevel to 'debug'. https://192.168.1.129/ works just fine. I've double-checked the file permissions for the cert and key, and that the cert is not expired. Googling hasn't helped. I'm at kind of a loss here! What else can I look at for more clues?

--
John Oliver http://www.john-oliver.net/
Re: [us...@httpd] SSL received a record that exceeded the maximum permissible length.
On Fri, Nov 13, 2009 at 12:31:50PM -0500, Eric Covener wrote:
> > When I visit https://virtual.host2/ I get:
> >
> > SSL received a record that exceeded the maximum permissible length.
> >
> > (Error code: ssl_error_rx_record_too_long)
>
> My guess is that you're actually receiving this connection on an interface not listed in any of your vhosts, so it's handled as HTTP by the "base" server config.
>
> Can you use at least 1 *:443?

When I had *:443 I got a message about:

[warn] NameVirtualHost *:443 has no VirtualHosts

And there are no other interfaces. eth0 and eth1, each with one of the two IPs above.

--
John Oliver http://www.john-oliver.net/
Re: [us...@httpd] SSL received a record that exceeded the maximum permissible length.
On Fri, Nov 13, 2009 at 05:29:07PM +, Philip Wigg wrote:
> > NameVirtualHost 192.168.1.47:443
> > NameVirtualHost 192.168.1.129:443
>
> You can't use name based virtual hosting with SSL. Try these lines out. You need to make sure you have a Listen directive for those IP/port combinations though.

Oh, duh... :-) Thanks, I'm back in business.

--
John Oliver http://www.john-oliver.net/
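Eric Covener's guess in this thread (port 443 answered as plain HTTP by a configuration without SSL) can be checked from the first bytes the server sends back. The following is an added example, not code from the thread: it reads those bytes the way a TLS client reads a record header and shows why an HTTP reply produces an over-long record length. The function names are hypothetical and the three byte strings are constructed samples.

```python
import struct

# TLS record header: content type (1 byte), version (2 bytes), length (2 bytes).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
# Largest record body a TLS 1.0-1.2 peer may send: 2^14 bytes of plaintext
# plus 2048 bytes of allowed expansion.
MAX_RECORD_LEN = 2**14 + 2048


def read_as_tls_header(first_bytes: bytes) -> dict:
    """Interpret the first five bytes the way a TLS client would."""
    if len(first_bytes) < 5:
        raise ValueError("need at least 5 bytes for a TLS record header")
    ctype, major, minor, length = struct.unpack("!BBBH", first_bytes[:5])
    return {"type_name": CONTENT_TYPES.get(ctype),
            "version": (major, minor), "length": length}


def diagnose(first_bytes: bytes) -> dict:
    """Classify a server's first reply bytes on a port expected to speak TLS."""
    hdr = read_as_tls_header(first_bytes)
    too_long = hdr["length"] > MAX_RECORD_LEN
    if hdr["type_name"] and hdr["version"][0] == 3 and not too_long:
        verdict = "tls"
    elif first_bytes.startswith((b"HTTP/", b"<")):
        # ASCII text: the bytes at offsets 3-4 are letters or punctuation,
        # which a TLS client reads as a 16-bit record length.
        verdict = "plain-http"
    else:
        verdict = "unknown"
    return {"verdict": verdict, "length": hdr["length"], "too_long": too_long}


# Constructed samples of what a client might receive after sending ClientHello.
SAMPLES = {
    # Handshake record, version 3.1, 74-byte body (start of a ServerHello).
    "tls_vhost": bytes.fromhex("160301004a") + bytes.fromhex("02000046"),
    # Non-SSL server answering with an HTTP status line.
    "http_status_line": b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n",
    # Non-SSL server answering with a bare HTML error page.
    "bare_html": b"<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n",
}


def report() -> dict:
    return {name: diagnose(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in report().items():
        print(name, result)
```

A "plain-http" verdict on port 443 means the request reached a server or vhost where SSLEngine is not in effect, so the vhost address matching and Listen directives are the place to look rather than the certificate files.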
Re: [us...@httpd] how to install gcc required for apache 2.2 on RHEL 4
From: Brian Mearns
> On Thu, Nov 19, 2009 at 5:34 AM, Philip Wigg wrote:
> >> I am installing Apache web server 2.2.14 on RHEL 4. When I am running configure command in the apache, it is throwing error “No c++ compiler found”.
> >
> > This isn't an Apache question but anyway, you probably just need to type 'up2date gcc'. Unless there's a reason why you want to install Apache from source, you can probably also type 'up2date httpd' to install Apache instead of building your own. Make sure you patch your system up to date after you've done that.
>
> I used Fedora, which is closely related to red-hat. I'm not sure what up2date is, but if that doesn't work, you should be able to use yum, like `yum install gcc`, as the super user. As Phil said, you can also install apache directly with `yum install httpd` (notice the package isn't called apache).

I suspect apache 2.2 (as opposed to 2.0) is not available by default for RH4...
Also, he may need: gcc-c++
And maybe he could try: http://www.apache.org/dist/httpd/binaries/rpm/

JD
Re: [us...@httpd] writing modules?
I assume you are developing for Apache 2?
You might want to do some searching and reading on Apache modules API:
http://www.linuxdocs.org/HOWTOs/Apache-Overview-HOWTO-12.html
http://modules.apache.org/doc/Intro_API_Prog.html

As well as other 'house keeping' activities that must be done:
http://threebit.net/tutorials/apache2_modules/tut1/tutorial1.html

O'Reilly has some pretty good books detailing the process

-John

On Thu, Dec 3, 2009 at 9:35 AM, Zachary Uram wrote:
> Morning,
>
> I would like to make my own apache module (in C) for Linux but have no idea where to start. Any guides on doing this?
>
> Thanks!
> Zach
Re: [us...@httpd] writing modules?
The O'Reilly book I had in mind is by MacEchren (?) and Stein...and it is with Perl and C...

On Thu, Dec 3, 2009 at 11:23 AM, Rich Bowen wrote:
>
> On Dec 3, 2009, at 09:56 , John Hudak wrote:
>
> I assume you are developing for Apache 2?
> You might want to do some searching and reading on Apache modules API:
> http://www.linuxdocs.org/HOWTOs/Apache-Overview-HOWTO-12.html
> http://modules.apache.org/doc/Intro_API_Prog.html
>
> As well as other 'house keeping' activities that must be done:
> http://threebit.net/tutorials/apache2_modules/tut1/tutorial1.html
>
> O'Reilly has some pretty good books detailing the process
>
>
> No, O'Reilly doesn't have any books on the subject at all. The only book on the subject is Nick Kew's book.
>
> If you're referring to the Eagle book, please note that it's ten years old and focuses primarily on Perl. It was a good book at the time, but is now mostly a bookend. At 700 pages, it plays that role effectively and attractively.
>
> --
> Rich Bowen
> rbo...@rcbowen.com
Re: [us...@httpd] HTTPD Logwatch
On Fri, 2009-25-12 at 12:23 +0100, André Warnier wrote:
> Kaustubh Deorukhkar wrote:
> > I am naive user..but this is what comes to my mind...please see if this helps
> >
> > - create separate logs per website...
> >
> > SetEnvIf Referer www\.mydomain1\.com site1_request
> > CustomLog logs/mydomain1_log common env=site1_request
> >
> > SetEnvIf Referer www\.mydomain2\.com site2_request
> > CustomLog logs/mydomain2_log common env=site2_request
> > ...
>
> This won't work. The "referer" is the name of the system the request comes *from*, not the host who serves it.
> As Lukreme mentions, you can have (and probably the OP has) different logfiles for each website, with Virtual Hosts.
> But I believe the OP's issue is different. The "logwatch" he's talking about is probably some utility which monitors several logfiles at once.
> But let him explain.

Logwatch is a Linux/Unix utility that reports on whatever logs it is requested to report. Here is the description from the MAN file.

"LogWatch is a customizable, pluggable log-monitoring system. It will go through your logs for a given period of time and make a report in the areas that you wish with the detail that you wish. Easy to use - works right out of the package on almost all systems."

Normally HTTPD logs are reported along with any other system logs. Here is a sample of this morning's (remarkably small!) report for my server. Most mornings this report is several hundred lines long; mostly hackers.

- httpd Begin

A total of 2 unidentified 'other' records logged
GET /err HTTP/1.1 with response code(s) 404 1 responses
GET /./err HTTP/1.1 with response code(s) 404 1 responses

Requests with error response codes
GET /err HTTP/1.1 with response code(s) 404 1 responses
GET /././.html HTTP/1.1 with response code(s) 403 1 responses
GET /./.html HTTP/1.1 with response code(s) 403 1 responses
GET /./err HTTP/1.1 with response code(s) 404 1 responses
GET /.html HTTP/1.1 with response code(s) 403 1 responses

-- httpd End -

Regards,
John
Re: [us...@httpd] Apache Load balancing
From: nima chavooshi
> Before any thing I want to know about differences between mod_proxy and load balancing with UltraMonkey.

http://httpd.apache.org/docs/2.0/mod/mod_proxy.html
http://www.ultramonkey.org/

JD
Re: [us...@httpd] Very Very strange problem in opensuse 11.1, file uploading reports "not an image file"
There are a couple of choices to debug here.

First, the code you supplied is comparing the mime-type parameters obtained from the call to:

$upload_file_type = $GLOBALS ['HTTP_POST_FILES']['profile_image']['type'];

So, first I would echo $upload_file_type and see what it is actually getting.

Second, in_array() is case sensitive - see if the mime-type is somehow getting upper case; the $file_type_list function may be converting to upper.

Third, what is the client doing to set the mime-type? This is probably OK (why mentioned it last) but maybe the type of the upload files is not being set correctly/at all?

Also, I checked and $GLOBALS simply lists ALL variables in global scope. So, somewhere you should have a function extracting 'HTTP_POST_FILES' from the POST data. (global variable $HTTP_RAW_POST_DATA). You might want to check that. Try printing out the $GLOBALS array and see if there is a variable in it called HTTP_POST_FILES using print_r(). This will print the array member name => array member value which should help.

You will have to do more but at least knowing where the problem is is a good start!

On Sat, 2010-16-01 at 22:42 +0530, J. Bakshi wrote:
> On Sat, 16 Jan 2010 17:31:28 +0100
> Marcin 'Rambo' Roguski wrote:
>
> > On Sat, 16 Jan 2010 21:48:15 +0530
> > "J. Bakshi" wrote:
> >
> > > Dear list,
> >
> > > that it simply reports "Not an Image file". And this is happening with all files even with image ( jpg, bmp etc..) and with as small as 1KB and as big as 500KB. I have checked the log with "Loglevel debug" and there is nothing in the error log which can give any hints.
> >
> > Can you check if the files are actually uploaded and are viewable with ordinary image viewer? This looks like problem with PHP or CGI script you use to upload than apache. Enable error reporting in php.ini if it's not on. Analyze the script that serves as upload gateway.
>
> Many thanks for your kind attention. I have already checked in the suse server and the files are not uploaded in the folder where they suppose to be. Though in debian server the folders do have all the uploaded files. Regarding the script, I have found codes which are actually doing the upload (though I am not a php coder)
>
> ` ` `
> function fileUploder(){
>     $upload_file_path = 'fileadmin/user_upload/images/profile/';
>     $file_size = 100;
>     $file_type_list= Array('image/png','image/jpeg','image/gif','application/octet-stream','image>
>     $upload_flag = false;
>     $msg = '';
>     $target_path = '';
>
>     // Check the file parameters
>     $upload_file_type = $GLOBALS['HTTP_POST_FILES']['profile_image']['type'];
>     if(in_array($upload_file_type, $file_type_list))
>     {
>         // file type is ok
>         if($GLOBALS['HTTP_POST_FILES']['profile_image']['size'] < $file_size)
>             $upload_flag = true;
>         else
>             $msg = 'Over size file';
>     }
>     else
>         $msg = 'Not an Image file';
>
> ` ` `
>
> Error reporting is already enabled in vhost configuration
>
> php_flag display_startup_errors on
> php_flag display_errors on
> php_flag html_errors on
>
> Kindly suggest me what else to do.
>
> Thanks
Re: [us...@httpd] Very Very strange problem in opensuse 11.1, file uploading reports "not an image file"
On Sun, 2010-17-01 at 11:30 +0530, J. Bakshi wrote:
> On Sat, 16 Jan 2010 13:35:37 -0500
> John Iliffe wrote:
>
> > There are a couple of choices to debug here.
> >
> > First, the code you supplied is comparing the mime-type parameters obtained from the call to:
> >
> > $upload_file_type = $GLOBALS ['HTTP_POST_FILES']['profile_image']['type'];
> >
> > So, first I would echo $upload_file_type and see what it is actually getting.
> >
> > Second, in_array() is case sensitive - see if the mime-type is somehow getting upper case; the $file_type_list function may be converting to upper.
> >
> > Third, what is the client doing to set the mime-type? This is probably OK (why mentioned it last) but maybe the type of the upload files is not being set correctly/at all?
> >
> > Also, I checked and $GLOBALS simply lists ALL variables in global scope. So, somewhere you should have a function extracting 'HTTP_POST_FILES' from the POST data. (global variable $HTTP_RAW_POST_DATA). You might want to check that. Try printing out the $GLOBALS array and see if there is a variable in it called HTTP_POST_FILES using print_r(). This will print the array member name => array member value which should help.
> >
> > You will have to do more but at least knowing where the problem is is a good start!
>
> Hello,
>
> Thanks for your kind response and clarification. Regarding debug I have a good idea rather than flipping through the code written by some one else because I am not a php coder and hope you will also like it.
> I have only and only one option. Check with a php code that file can be uploaded with the same filetype check used in the previous code and if it fails then find out why so. Can I get a simple image uploader php code with the file type checking and some good echo to see what is actually happening in the net ? And if the code can do its job successfully then it might be not a server side problem. Can you suggest me any link which provides such a code ? In the mean time I am also looking for it through google but getting a direction from the experienced one is always great.

No, sorry I can't help you there unfortunately. I'm not a very experienced PHP coder either; I just used it to create a basic web server. I don't do uploads so no samples available. I noticed certain items in your code that linked it to the mime-type and figured that if you can echo what is actually happening so you can see it, then you can fix it.

You might be able to get some help at: http://ca3.php.net/manual/en/index.php the PHP online manual. It has a lot of sample code contributed by users.
Re: [us...@httpd] Something's fishy going on: dead server & no log messages
Some things that come to mind:
1. Is your router properly configured for port forwarding?
2. Is the service you are using to do host redirection properly configured?
3. Is the machine name & domain name you chose for your 'new' installation the same name as you specified on your hosting service?
4. Are you doing virtual hosting? Are the names set up correctly and in the right order?
5. Having not set apache up on the windoz machine, any chance you had to modify the hosts or lmhosts file, and need to do that to the new copy of xp?

Hmmm...all out of ideas...
Good luck
John

On Sat, Jan 30, 2010 at 5:46 PM, steve reilly wrote:
> Paul McFerrin wrote:
>
>> Wow, my base site at http://localhost works !!!
>> Second: windows firewall is in fact disabled.
>> Third: infection due to unsafe surfing which is history now.
>> Fourth: To reload. Complete Installation including FORMAT from a XP Pro CD that included all of the updates thru SP3 on one CD. Everything else reinstalled from disk copies I've kept over the years. No further updates.
>>
>> Service: Residential. This is very low traffic. My email and download traffic is considerable more. TIMING COINCIDENCE??? Maybe. I hate to contact them and raise their level of suspicion.
>
> i doubt time warner is blocking anything but mail transfer ports. ive been running 3 sites from a residential account for over 5 years with no problems. (im definitely not using windows though, bsd and linux) you have your router and port forwarding 80 to the internal ip of your apache install working properly?
>
> steve
[us...@httpd] Runaway Apache Processes - Second Victim
I have been using Apache for several years without trouble on CentOS 4 originally, CentOS 5 now. Most of my applications are php/mysql and mostly Drupal.

FYI, I have run into a problem that sounds identical to Dan Bunyard's thread here: http://markmail.org/thread/pnmwmalsfe6c7j6c

Everything runs fine, then all of a sudden I have 12 or so Apache processes all trying to use 100% of the CPU and the system slows to a crawl. I can replicate the issue by running:

ab -n 100 -c 25 http://example.com/

The problem seems to be getting worse (today, a hacker sent a bunch of urls to my server looking for phpmyadmin and that took me down). I have a very low traffic server with personal websites only. I have a busy day when Google crawls my system. I have about 1.5GB of ram.

List of some rpms I use:
httpd-2.2.3-31.el5.centos.2
php-5.3.1-1.el5.remi
php-mysql-5.3.1-1.el5.remi
php-mysql-5.3.1-1.el5.remi

I watch htop when it happens and the server seems to process everything fine for a while with httpd and mysqld using a good amount of cpu, then mysqld use slows and many more httpd processes start using some cpu. Then about 12 or so (never counted) httpd processes use the cpu about equally and the server is nearly unresponsive. The memory was not exhausted.

I have tried many, many things in my configuration hoping I could figure it out. I do not know how to run straces or other developer type things, but I can probably figure it out if you give me some hints.

--
Sincerely,
John Thomas
Re: [us...@httpd] Runaway Apache Processes - Second Victim
On 02/04/2010 11:24 AM, John Thomas wrote:
> FYI, I have run into a problem that sounds identical to Dan Bunyards thread here: http://markmail.org/thread/pnmwmalsfe6c7j6c
>
> Everything runs fine, then all of a sudden I have 12 or so Apache processes all trying to use 100% of the CPU and the system slows to a crawl. I can replicate the issue by running:
>
> ab -n 100 -c 25 http://example.com/

FYI, I fixed this by downgrading to php 5.2 from 5.3.

--
Sincerely,
John Thomas