[us...@httpd] Reverse Proxy: Max-Forwards has reached zero - proxy loop?
Hello List,

I am trying to access a M$ Exchange Server via an Apache Reverse Proxy. But I am getting the error: Max-Forwards has reached zero - proxy loop?

I already checked if some name resolved to itself (which WAS the case and I fixed it), but it still does not work.

Here is the setup and config:

    = ppp0 IP: webmail.example.com (resolves to 123.123.123.123 from official dns)
    eth0 IP: 192.168.123.123 (LAN IP) and webmail.example.com (resolves to 192.168.123.5 from apache/internal)

    ServerName webmail.example.com
    SSLEngine on
    SSLCertificateFile /usr/local/apache/conf/webmail.example.cert
    SSLCertificateKeyFile /usr/local/apache/conf/webmail.example.key
    SSLProxyEngine on
    RewriteEngine on
    RewriteRule ^/$ /exchange [R]
    ProxyPass /exchange https://webmail.example.com/exchange
    ProxyPassReverse /exchange https://webmail.example.com/exchange
    ProxyPass /exchweb https://webmail.example.com/exchweb
    ProxyPassReverse /exchweb https://webmail.example.com/exchweb
    AddType application/x-httpd-php .php

    INTERNET < webmail.example.com (123.123.123.123) => Linux/LAMP <=== 192.168.123.123 > Exchange (192.168.123.5)

What am I doing wrong here and why does it loop?

Thanks a lot,
Mario

The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
   "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
Re: [us...@httpd] Reverse Proxy: Max-Forwards has reached zero - proxy loop?
Hi Nick,

it still does not work if I use:

    ServerName webmail.example.com
    SSLEngine on
    SSLCertificateFile /usr/local/apache/conf/webmail.example.cert
    SSLCertificateKeyFile /usr/local/apache/conf/webmail.example.key
    SSLProxyEngine on
    RewriteEngine on
    RewriteRule ^/$ /exchange [R]
    ProxyPass /exchange https://webmail.example.com/exchange
    ProxyPassReverse /exchange https://webmail.example.com/exchange
    #ProxyPass /exchweb https://webmail.example.com/exchweb
    #ProxyPassReverse /exchweb https://webmail.example.com/exchweb
    AddType application/x-httpd-php .php

Still the same error. Any further ideas?

Thanks,
Mario

On Tue, Jun 9, 2009 at 11:56 AM, Nick Kew wrote:
> On Tue, 9 Jun 2009 10:30:57 +0200
> ml ml wrote:
>
>> Hello List,
>>
>> I am trying to access a M$ Exchange Server via an Apache Reverse Proxy.
>> But I am getting the error: Max-Forwards has reached zero - proxy
>> loop?
>
> That's because you have a loop. In fact, two:
>
>>
>> ServerName webmail.example.com
>
>> ProxyPass /exchange https://webmail.example.com/exchange
>
>> ProxyPass /exchweb https://webmail.example.com/exchweb
>
>>
>
> --
> Nick Kew
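The loop Nick points at can be checked mechanically. This is an added example, not code from the thread or from the Apache project: it flags ProxyPass backends whose hostname, as resolved on the proxy host, lands on one of the proxy's own addresses. The function name, the resolver callback and the address sets are assumptions built from the values in the post.

```python
import re
from urllib.parse import urlsplit

# Constructed copy of the directives quoted in the thread.
VHOST = """\
ServerName webmail.example.com
SSLProxyEngine on
ProxyPass /exchange https://webmail.example.com/exchange
ProxyPassReverse /exchange https://webmail.example.com/exchange
ProxyPass /exchweb https://webmail.example.com/exchweb
ProxyPassReverse /exchweb https://webmail.example.com/exchweb
"""

# Addresses the proxy itself answers on (ppp0 and eth0 in the post).
PROXY_ADDRS = {"123.123.123.123", "192.168.123.123"}

# The two views of the name described in the post (constructed lookups).
OFFICIAL_DNS = {"webmail.example.com": "123.123.123.123"}
INTERNAL_DNS = {"webmail.example.com": "192.168.123.5"}


def find_proxy_loops(conf, own_addrs, resolve):
    """Return [(path, backend_url, reason)] for ProxyPass targets that loop.

    `resolve` maps a hostname to the address the proxy host itself would
    get for it, or None. Use a dict's .get for offline checks, or a
    wrapper around socket.gethostbyname when run on the proxy.
    """
    server_names = {
        m.group(1).lower()
        for m in re.finditer(r"^\s*ServerName\s+(\S+)", conf, re.M | re.I)
    }
    findings = []
    # "ProxyPass\s+" skips ProxyPassReverse and commented-out lines.
    for m in re.finditer(r"^\s*ProxyPass\s+(\S+)\s+(\S+)", conf, re.M | re.I):
        path, url = m.group(1), m.group(2)
        host = (urlsplit(url).hostname or "").lower()
        if not host:  # e.g. "ProxyPass /static !"
            continue
        addr = resolve(host)
        if addr in own_addrs:
            findings.append((path, url, f"{host} resolves to proxy address {addr}"))
        elif addr is None and host in server_names:
            findings.append((path, url, f"{host} is this vhost's ServerName and did not resolve"))
    return findings


if __name__ == "__main__":
    for label, table in (("official DNS", OFFICIAL_DNS), ("internal DNS", INTERNAL_DNS)):
        print(label, find_proxy_loops(VHOST, PROXY_ADDRS, table.get))
```

The result depends on the resolver the httpd process actually uses, so the check belongs on the proxy host itself, not on an admin workstation.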
[us...@httpd] Directory Permissions
Hello All,

I am confused about directory permissions inside of my wwwroot/

I am using name-based virtual hosting and I have my web root as /var/www/html

All of my websites are inside /var/www/html in their own directories.

How can I have a directory protected from crawlers indexing it? What is the right permission set?

How can I have a directory that apache can use, but nobody can browse to?

The reason is that I have PHP/MySQL Setup and I store all of my MySQL connection information and queries in a directory and I don't want people 'finding' this by simply browsing the website or using a web grabber to take a copy of the whole site.

Can anyone provide insight?

-Jason
Re: [us...@httpd] Directory Permissions
Hi Doug,

So does that prevent crawling and browsing, but does allow if I click a link or include a file it will work?

-Jason

On Jul 13, 2009, at 4:57 PM, Doug Bell wrote:

On Jul 13, 2009, at 1:37 PM, ML wrote:

Hello All,

I am confused about directory permissions inside of my wwwroot/

I am using name-based virtual hosting and I have my web root as /var/www/html

All of my websites are inside /var/www/html in their own directories.

How can I have a directory protected from crawlers indexing it? What is the right permission set?

How can I have a directory that apache can use, but nobody can browse to?

The reason is that I have PHP/MySQL Setup and I store all of my MySQL connection information and queries in a directory and I don't want people 'finding' this by simply browsing the website or using a web grabber to take a copy of the whole site.

Can anyone provide insight?

To prevent a directory from being served by the webserver, do this:

    Order allow,deny
    Deny from all

Put this block in your block.

Doug Bell -- Senior Developer, Plain Black Corp. [ http://plainblack.com ]
all that groks is
Re: [us...@httpd] Directory Permissions
Hi Doug,

So does that prevent crawling and browsing, but does allow if I click a link or include a file it will work?

No, it prevents the directory and all files within from being served by the webserver at all. Anything else is either half-secure or half-broken.

I don't understand what you mean by "crawling", "browsing", and "include a file". They're really all the same thing: A client (be it Firefox or GoogleBot) is asking the webserver for something.

If you want to prevent the nice robots from asking for something, you can use a robots.txt file. This will not prevent naughty robots from asking for something.

Let's think about this a different way.

Say I have a directory of files that contain my MySQL connection information, queries, etc, etc.

How do I prevent people from browsing the directory but allow the files to still be used when I include them in a page. Say to connect to MySQL.

-Jason
Re: [us...@httpd] Directory Permissions
Hi Tom,

Say I have a directory of files that contain my MySQL connection information, queries, etc, etc.

How do I prevent people from browsing the directory but allow the files to still be used when I include them in a page. Say to connect to MySQL.

Don't ever put them inside your document root. Ever. Place them outside, and then include them from within the PHP script which requires it. PHP doesn't give a monkey's where on disk you load things from.

Seriously, this is one of the many ways that a developer/server admin can be made to look like a fool. Don't put configuration data inside your document root.

So my root is /var/www/html/

could I put my MySQL in /var/www// or in /etc/httpd// and this would be OK?

-Jason
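A way to verify the advice in this thread after moving the files, as an added example that is not code from any of the posters: it walks the document root, following symlinks, and reports every URL path under which a given file can still be requested. The function names and the demo directory layout are assumptions; the symlink case goes beyond what the thread discusses.

```python
import os


def web_paths_to(secret, docroot):
    """Return docroot-relative URL paths under which `secret` is reachable.

    The walk follows symlinks because a file stored outside the document
    root is still served when a link inside the tree points at it and
    the server is allowed to follow links (Options FollowSymLinks).
    """
    target = os.path.realpath(secret)
    hits, seen = [], set()
    for dirpath, dirnames, filenames in os.walk(docroot, followlinks=True):
        real_dir = os.path.realpath(dirpath)
        if real_dir in seen:          # symlink cycle: do not descend again
            dirnames[:] = []
            continue
        seen.add(real_dir)
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.realpath(full) == target:
                rel = os.path.relpath(full, docroot)
                hits.append("/" + rel.replace(os.sep, "/"))
    return sorted(hits)


def build_demo_tree(base):
    """Constructed layout: html/ is the docroot, private/ sits beside it."""
    docroot = os.path.join(base, "html")
    os.makedirs(os.path.join(docroot, "site1", "inc"))
    os.makedirs(os.path.join(base, "private"))
    inside = os.path.join(docroot, "site1", "inc", "db.php")
    outside = os.path.join(base, "private", "db.php")
    for path in (inside, outside):
        with open(path, "w") as fh:
            fh.write("<?php /* constructed placeholder, no real credentials */ ?>\n")
    return docroot, inside, outside


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as base:
        docroot, inside, outside = build_demo_tree(base)
        print("inside docroot :", web_paths_to(inside, docroot))
        print("outside docroot:", web_paths_to(outside, docroot))
        # A convenience link inside the tree re-exposes the outside file.
        os.symlink(os.path.join(base, "private"), os.path.join(docroot, "site1", "conf"))
        print("after symlink  :", web_paths_to(outside, docroot))
```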
[users@httpd] centos 6 - 1 of 2 machines starts and not the other
hu guys

I regularly read this list I can usually find me in the excellent documentation apache.
I'm in front of a very strange problem I possess two desktop machines which works with the Apache server with centos 6

1 of 2 machines starts and not the other.

I use the apache config file here that provides standard distribution

any help for me

sincerely

--
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC2626742
gpg --keyserver pgp.mit.edu --recv-key C2626742
http://urlshort.eu fakessh @
http://gplus.to/sshfake
http://gplus.to/sshswilting
http://gplus.to/john.swilting
Re: [users@httpd] centos 6 - 1 of 2 machines starts and not the other
On Friday 24 February 2012 at 08:59 +1000, Noel Butler wrote:
> On Thu, 2012-02-23 at 23:15 +0100, ml wrote:
> > hu guys
> >
> > I regularly read this list I can usually find me in the excellent
> > documentation apache.
> > I'm in front of a very strange problem I possess two desktop machines
> > which works with the Apache server with centos 6
> >
> > 1 of 2 machines starts and not the other.
> >
> > I use the apache config file here that provides standard distribution
> >
> > any help for me
> >
> > sincerely
>
> In my city today it is very overcast, with severe weather warnings for
> very heavy possible minor flooding rains, it is most likely for this
> reason my ESP fails to connect to you, so, you will have revert to the
> old ways and provide a copy of your config and start up scripts here,
> or on pastebin and reference the link here.

httpd.conf
http://pastebin.com/XUgxbCuT

init script
http://pastebin.com/yTNLf4D4

this my log

    [Fri Feb 24 01:06:33 2012] [error] Connect Failed Access denied for user 'rt_user'@'localhost' (using password: YES)\n at /usr/share/perl5/vendor_perl/RT.pm line 206\nCompilation failed in require at (eval 2) line 1.\n
    [Fri Feb 24 01:06:33 2012] [error] Can't load Perl file: /usr/sbin/webmux.pl for server localhost.localdomain:0, exiting...
    DBI connect('dbname=rt3;host=localhost','rt_user',...) failed: Access denied for user 'rt_user'@'localhost' (using password: YES) at /usr/share/perl5/DBIx/SearchBuilder/Handle.pm line 106
    [Fri Feb 24 01:07:49 2012] [error] Connect Failed Access denied for user 'rt_user'@'localhost' (using password: YES)\n at /usr/share/perl5/vendor_perl/RT.pm line 206\nCompilation failed in require at (eval 2) line 1.\n
    [Fri Feb 24 01:07:49 2012] [error] Can't load Perl file: /usr/sbin/webmux.pl for server localhost.localdomain:0, exiting...

it seems that I have a package installed RT webmux and I want to retire but I do not know the exact name for the rpm -e --nodeps

any help are welcome

--
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC2626742
gpg --keyserver pgp.mit.edu --recv-key C2626742
http://urlshort.eu fakessh @
http://gplus.to/sshfake
http://gplus.to/sshswilting
http://gplus.to/john.swilting
https://lists.fakessh.eu/mailman/
This list is moderated by me, but all applications will be accepted provided they receive a note of presentation
[users@httpd] redirect ssl mailman
hello guys

I encounter a problem with the package mailman and forwarding ssl
my precedent conversation to this problem
http://www.mail-archive.com/mailman-users@python.org/msg61411.html

mark sapiro was thinking of a httpd problem
I call the httpd community to provide help me to rewrite the url for this to work.

thanks
Re: [users@httpd] redirect ssl mailman
On Monday 23 July 2012 at 12:28 +1000, Noel Butler wrote:
> On Sun, 2012-07-22 at 22:22 +0200, ml wrote:
> > hello guys
> >
> > I encounter a problem with the package mailman and forwarding ssl
> > my precedent conversation to this problem
> > http://www.mail-archive.com/mailman-users@python.org/msg61411.html
> >
> > mark sapiro was thinking of a httpd problem
> > I call the httpd community to provide help me to rewrite the url for
> > this to work.
> >
> > thanks
> >
>
> Firstly, it's not a good idea to just post to this group saying "hey,
> go read this URL" like above, as you can bet the majority here wont
> bother reading it as they are not to know if its malicious or not.
>
> Instead place all relevant information about your problem, and what
> the wiki suggests you use, in your post.
>
> That said, try changing /mailman/ to /mailman
>

I just remove the slash in expressions. but still same effect
only the url http://lists.fakessh.eu/mailman is rewritten correctly
other url strict redirect not work

my config is that

    RewriteEngine On
    Options +FollowSymlinks
    RewriteCond %{HTTPS}off [NC]
    RewriteRule ^/mailman(/.*) https://%{HTTP_HOST}/mailman$1 [L,R]
    RedirectMatch ^/mailman[/]*$ https://lists.fakessh.eu/mailman/listinfo

any idea are appreciated
Re: [users@httpd] redirect ssl mailman
On 2012-07-23 11:43, Noel Butler wrote:

On Mon, 2012-07-23 at 06:12 +0200, ml wrote:

Firstly, it's not a good idea to just post to this group saying "hey, go read this URL" like above, as you can bet the majority here wont bother reading it as they are not to know if its malicious or not.

Instead place all relevant information about your problem, and what the wiki suggests you use, in your post.

That said, try changing /mailman/ to /mailman

I just remove the slash in expressions. but still same effect only the url http://lists.fakessh.eu/mailman is rewritten correctly

That was in httpd.conf as perm redirect? not a rewrite rule, that should work, I redirect http to https for webmail that way, we use /webmail/manager and it is redirected to webmail/manager, not webmail as it seems to in your case

when i wrote the redirectpermanent with /mailman https://lists.fakessh.eu/mailman i received error in browser as this mailman not work

what I find most suspicious is that this writing is never executed

    RewriteRule ^/mailman(/.*) https://%{HTTP_HOST}/mailman$1 [L,R=permanent]

can be written as

    RewriteRule ^/mailman(/.*) https://%{HTTP_HOST}/mailman$1 [R=301,QSA,L]

I try this rule as soon as I get home: at this time I am with my father
[users@httpd] httpd external authentication
Hi,

is there a somewhat easy method to have httpd handle the session/authorization but let some external script deal with the authentication?

When an incoming request requires authentication, httpd should check the session for an authenticated user and if there is none, grab a script and send the request to it with "hey dude, this request require a user. do your auth-thing and then return the username to me and I handle the rest".

The external script or application should just receive the request, process it and if authentication passes, tell apache it's okay and tell it who's knocking.

Thank you.
[us...@httpd] mod_authnz_ldap: constructible AuthLDAPBindDN
I've searched the mod_authnz documentation and also had already a look into mod_authnz's sources to find an existing chance to configure some kind of variable "bindDN-Pattern" but after reading both I understand mod_authnz the way that it is mandatory to either use anonymous bind or some kind of "proxy-user bind" (AuthLDAPBindDN) to search for a user's DN (e.g. searching for uid/email) to bind to the LDAP server using the found DN and the user provided password.

Have I missed something during my readings or is this an unsupported feature?

For example apache's tomcat 5.5/6.0 JNDIrealm's configuration already does provide a userPattern (please see http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#JNDIRealm and search for "userPattern").

Please let me explain the background why there is a common demand for such a mod_authnz feature:

Anonymous and even proxy-user based search request could harm a company's restrictive data privacy policies. Therefore some directory information tree (DIT) and LDAP server designs offer advanced but very easy (for clients like mod_authnz) to implement/use approaches to offer the administrator a chance to get rid of the need for proxy-user based search but to be able to make an authorization decision directly in each user's context.

As searching the user's branch seems not very harmful in regard to privacy concerns searching the groups and their memberships is definitively more "interesting". In modern directory designs/implementations therefore a user's group membership is also stored (as the DNs of the groups a distinct user is member of) directly in each user's entry where the directory keeps track of the referential integrity (which for example is supported by openldap). Thus there is no need to expose the groups and their membership in general to any service's proxy-user.
Instead, the authorization decision can be made directly using the authenticated user's ldap connection as the user has been successfully bound to the LDAP server before.

Take for example this shortened LDIF based user entry:

    dn: uid=userA,dc=example,dc=com
    uid: userA
    memberOf: cn=groupA,dc=example,dc=com
    memberOf: cn=groupB,dc=example,dc=com
    memberOf: cn=groupC,dc=example,dc=com

IMHO there's no need to prior search for "(uid=userA)" using a proxy user in case the company's default policy is to just permit the uid for login (instead of the eMail address for example) and use the user provided uid to construct the bindDN which will be bound against the LDAP server using the provided password. If the bind was successful the user's connection (in this user's context) can be used to *compare* his memberOf attribute against the authorized groupDN.

Please note that an LDAP server that only allows the "compare" operation on the memberOf attribute (which can be enforced by LDAP server internal ACLs) will not disclose any others of this user's group membership information to the service (compare != search and compare != read) which fulfills most restrictive privacy policies.
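The bind-then-compare flow proposed above, as an added example that is neither mod_authnz_ldap code nor the poster's: it builds the bind DN from a Tomcat-style `{0}` pattern, escapes the user-supplied uid per RFC 4514 so it cannot alter the DN, and runs against an in-memory stand-in for the directory. The stand-in's functions, the password and the ACL behaviour are constructed assumptions; the entry is the one from the post.

```python
import hmac

PATTERN = "uid={0},dc=example,dc=com"

# Constructed stand-in directory holding the entry from the post.
ENTRIES = {
    "uid=userA,dc=example,dc=com": {
        "password": "constructed-pass",
        "memberOf": [
            "cn=groupA,dc=example,dc=com",
            "cn=groupB,dc=example,dc=com",
            "cn=groupC,dc=example,dc=com",
        ],
    }
}


def escape_rdn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514, section 2.4)."""
    if not value:
        raise ValueError("empty uid")
    out = []
    for i, ch in enumerate(value):
        if ch == "\0":
            out.append("\\00")
        elif ch in '"+,;<>\\':
            out.append("\\" + ch)
        elif (i == 0 and ch in " #") or (i == len(value) - 1 and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def bind_dn_from_pattern(pattern, uid):
    """Substitute the escaped uid for {0}; no search, no proxy user."""
    return pattern.replace("{0}", escape_rdn_value(uid))


class Session:
    """A connection bound as one user; the ACL permits compare on own memberOf only."""

    def __init__(self, entries, dn):
        self._entries, self.dn = entries, dn

    def compare(self, dn, attr, value):
        if dn != self.dn or attr != "memberOf":
            raise PermissionError("ACL: compare on own memberOf only")
        return value.lower() in (v.lower() for v in self._entries[dn]["memberOf"])


def bind(entries, dn, password):
    """Stand-in for an LDAP simple bind; returns a Session or None."""
    entry = entries.get(dn)
    if entry is None:
        return None
    if not hmac.compare_digest(entry["password"].encode(), password.encode()):
        return None
    return Session(entries, dn)


def authorize(entries, pattern, uid, password, required_group):
    # An empty password is an "unauthenticated bind" (RFC 4513, 5.1.2) that
    # some servers accept, so it is refused before anything reaches the server.
    if not password:
        return False
    session = bind(entries, bind_dn_from_pattern(pattern, uid), password)
    return session is not None and session.compare(session.dn, "memberOf", required_group)
```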
Re: [us...@httpd] mod_authnz_ldap: constructible AuthLDAPBindDN
Eric Covener wrote:

On Sat, Jun 19, 2010 at 7:48 AM, wrote:

I've searched the mod_authnz documentation and also had already a look into mod_authnz's sources to find an existing chance to configure some kind of variable "bindDN-Pattern" but after reading both I understand mod_authnz the way that it is mandatory to either use anonymous bind or some kind of "proxy-user bind" (AuthLDAPBindDN) to search for a user's DN (e.g. searching for uid/email) to bind to the LDAP server using the found DN and the user provided password.

Look at the trunk documentation, there are a few recently added directives in this neighborhood.

Ahhh that sounds very fine: http://httpd.apache.org/docs/trunk/mod/mod_authnz_ldap.html

Thanks a lot for your help!

How are the chances that these directives get "backported" into mod_authnz_ldap of any httpd 2.2.[>15]?
Re: [us...@httpd] mod_authnz_ldap: constructible AuthLDAPBindDN
Eric Covener wrote:

On Sat, Jun 19, 2010 at 10:49 AM, wrote:

Eric Covener wrote:

On Sat, Jun 19, 2010 at 7:48 AM, wrote:

I've searched the mod_authnz documentation and also had already a look into mod_authnz's sources to find an existing chance to configure some kind of variable "bindDN-Pattern" but after reading both I understand mod_authnz the way that it is mandatory to either use anonymous bind or some kind of "proxy-user bind" (AuthLDAPBindDN) to search for a user's DN (e.g. searching for uid/email) to bind to the LDAP server using the found DN and the user provided password.

Look at the trunk documentation, there are a few recently added directives in this neighborhood.

Ahhh that sounds very fine: http://httpd.apache.org/docs/trunk/mod/mod_authnz_ldap.html

Thanks a lot for your help!

How are the chances that these directives get "backported" into mod_authnz_ldap of any httpd 2.2.[>15]?

Not too likely at the moment, but if you test them on trunk and provide feedback maybe a bit more likely.

ok, I'll give feedback in case I get the current trunk version to compile successfully on my ldap development system and also: if you need or want me to test/debug special LDAP related features of trunk's mod_authnz_ldap just let me know.