Re: [us...@httpd] best practices for mod_rewrite

2009-05-14 Thread William A. Rowe, Jr.
LoD MoD wrote:
> Hi List,
> Is the best practice for using rewrites in multiple areas of a site to
> use .htaccess files?

Best practices in httpd disavow all use of .htaccess for performance,
security and maintenance rationales.

-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
   "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org



Re: [us...@httpd] After restart Vista, working Apache 2.2.11 stopped working, reinstall, google, etc to no avail

2009-05-15 Thread William A. Rowe, Jr.
Abel Braaksma wrote:
> Hi all,
> 
> system: Windows Vista Business, latest SP's, Apache HTTPd 2.2.11, MSI
> installation.
> 
> I've had a long-running well-working Apache, no problems, changed some
> configs today and restarted Apache and all was fine and dandy. Then I
> installed a new video driver today and after restart, Apache didn't
> start at all anymore with the following message in error.log:
> 
> [crit] (22)Invalid argument: Parent: Failed to create the child process.
> [crit] (OS 6)The handle is invalid.  : master_main: create child process
> failed. Exiting.
> [notice] Parent: Forcing termination of child process 36

> 
> I'm running out of ideas. I don't know what "Invalid argument" means
> here. Though I am a programmer, I have not yet tried to install the
> source or tried to debug, it seemed too daunting.

You shouldn't need to, we hope.  Note this code is in
http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/server/mpm/winnt/mpm_winnt.c
and the only arguments that can be corrupted are the cmd we build for
the child, the args to the cmd, the environment, and process attributes
(program type, standard input/output handles etc).

So your driver busted something; the question is, what?  Since we didn't
create it, you can presume we have no interest in debugging it :)  But
here's just a smattering of things that might help;

Lingering, corrupted system environment variables?

Permissions of the system account?  (Try changing the service to 'Logon As'
another user who you create and set up with Write permissions to the logs/
directory.)

Corrupted msvcrt.dll?

Corrupted service?  Might have to uninstall the service, reboot, then
manually delete this key;
HKLM\System\CurrentControlSet\Services\[service name]
and reinstall the service.

> PS: this question was also asked at experts-exchange, but got little
> response:

So much for 'expertise' ;-)  Glad you found a more informed place to ask.




Re: [us...@httpd] After restart Vista, working Apache 2.2.11 stopped working, reinstall, google, etc to no avail

2009-05-15 Thread William A. Rowe, Jr.
Abel Braaksma wrote:
> 
> maybe I should install the debugging environment after all, to see what
> passes through there

All you should need are to extract the -symbols.zip .pdb files and use good
old windbg.

>> Corrupted service?  Might have to uninstall the service, reboot, then
>> manually delete this key;
>> HKLM\System\CurrentControlSet\Services\[service name]
>> and reinstall the service.
>>   
> 
> If you mean the Apache service: it has been removed a couple of times,
> but currently I run it from the command prompt to make the situation as
> simple as possible.

So this does fail in command mode?  Wow.

That's impressive :)

Just so you know, some video drivers install apache httpd, and if they are
responsible they use an alternate path and service name.  But perhaps this
one corrupted your environment, and httpd tends to look into that regkey
value for Apache2 to snag defaults, which is why I suggested you delete it.





Re: [us...@httpd] After restart Vista, working Apache 2.2.11 stopped working, reinstall, google, etc to no avail

2009-05-16 Thread William A. Rowe, Jr.
Abel Braaksma wrote:
> 
> What can I still do? Is there someone around that can help me setup
> Visual Studio to run Apache from the IDE and to step through the source?

Did bin\httpd.exe -t tell you anything?

Please note that uninstalling apache leaves logs/ and conf/ (as you might
have noticed) and installing apache does not wipe out conf/ - so you have
to blast the directory if you want to ensure that this has nothing to do
with your own conf/ changes.

You might also note that fresh confs are always installed under the
conf/original/ tree, which you can always use to replace broken confs.

And finally, UAC can make your user-edits to files within program files/
or windows/ appear to exist, but the true file remains unmodified.  You
might want to turn off UAC to avoid such nonsense.  It even applies to
the administrator user.




Re: [us...@httpd] Issue w/ Apache httpd 2.2.11 in Windows Vista

2009-05-27 Thread William A. Rowe, Jr.
k...@redshift.com wrote:
> I installed Apache as a service as normal, then tried to run it.  It
> ran...but it won't read the httpd.conf file.  Even changing the service to
> call httpd.exe -k runservice -f (path to conf file) *does not work*.  I
> can only run httpd manually, from the command prompt, with the -f
> parameter, and get it to read the conf file.
> 
> Why???

Not enough info for anyone to give you an answer.  Some thoughts; don't mess
with the HKLM\Services key ever, always use httpd.exe -k config.  Another
thought - using UAC?  If you don't understand how it can hide file changes
and keep them private to your login, disable it.  You changed the run-as
user of the httpd service?  Perhaps it doesn't have write access to the logs
directory.  Perhaps you broke permissions on the volume for the SYSTEM (aka
LocalSystem) account?  It needs list and read directory permission all the
way from the root to all of the files it uses or serves.


> FYI, nothing shows up in the error log to explain this.  Also, apparently
> the registry key pointing to the proper path IS set (HKLM\SOFTWARE\Apache
> Software Foundation\Apache\2.2.11 ServerRoot) but isn't being used.

Note early startup errors are recorded to the Application Event Log.




Re: [us...@httpd] Issue w/ Apache httpd 2.2.11 in Windows Vista

2009-05-27 Thread William A. Rowe, Jr.
k...@redshift.com wrote:
>> k...@redshift.com wrote:
>>> I installed Apache as a service as normal, then tried to run it.  It
>>> ran...but it won't read the httpd.conf file.  Even changing the
>>> service to call httpd.exe -k runservice -f (path to conf file) *does
>>> not work*.  I can only run httpd manually, from the command prompt,
>>> with the -f parameter, and get it to read the conf file.
>>>
>>> Why???
>> Not enough info for anyone to give you an answer.  Some thoughts; don't
>> mess with the HKLM\Services key ever, always use httpd.exe -k config.
> 
> httpd.exe -k config output:
> 
> C:\Program Files\Apache Software Foundation\Apache2.2\bin>httpd.exe -k config
> Reconfiguring the Apache2.2 service
> The Apache2.2 service is successfully installed.
> Testing httpd.conf
> Errors reported here must be corrected before the service can be started.

defaults to;
 C:\Program Files\Apache Software Foundation\Apache2.2\conf\httpd.conf

you moved httpd.conf?  Then you must

httpd.exe -k config -d ServerRootDir -f PathTohttpd.conf

> In httpd.conf, I have the document root pointing to a different folder, so
> that's how I know it's not reading httpd.conf.

on the local drive or on the network?





Re: [us...@httpd] Apache 1.3 on Vista Home issue

2009-06-01 Thread William A. Rowe, Jr.
Darryle Steplight wrote:
> Hi Evgeny,
>  I just installed Apache 2.2 on Windows Vista last week. I'm just
> curious, how are you starting Apache? Are you using the "net" command
> from the command line or do you have it running as a windows
> service?

There is no difference above, the net command simply controls windows
services.

> On Mon, Jun 1, 2009 at 1:44 AM, Evgeny Savitsky wrote:
>>
>> I'm trying to start apache on Windows Vista home premium and get the
>> following error:

We hope you are both aware that there are security issues with 1.3 on
windows which cannot be resolved (it wasn't designed to run on Windows,
but the behavior was hacked in after the fact).  Apache 2.0 is designed
for windows, Apache 2.2 considered changes to windows vista, so you are
strongly encouraged to upgrade, especially if looking for help.

Even 1.3.34 has a host of vulnerabilities solved in 1.3.41.  Where did
you find this thing, poor soul?

Now for all packages, the download site;
  http://archive.apache.org/dist/httpd/binaries/win32/symbols/
contains a .zip file matching your package you can unzip into the
apache directory.  These .pdb files allow Dr. Watson to untangle where
the crash is, and you can share that information with the list to see
if there are any ideas.  Unfortunately, poor Vista users don't have
Dr. Watson anymore, so they must obtain a package called windbg and
actually load the crash dump.  Not our doing, sorry about that.

The .dmp file would allow us to unwind where the crash is, but we
certainly aren't going fishing in such an ancient package; move to 2.2
and go from there.







Re: [us...@httpd] Compiling Apache on windows VC9

2009-06-05 Thread William A. Rowe, Jr.
Lester Caine wrote:
> PHP have decided that PHP5.3 will be the last version available for
> windows on VC6, and that PHP6 will be VC9 only, so is any work being
> done on a VC9 version of Apache? This seems to be in line with making
> IIS the default on Windows as there are no Apache modules in the VC9
> builds :(
> 
> Where is the best place to 'go' to discuss this upcoming problem and try
> and add Apache to the PHP builds I'm currently doing privately?

As a PHP developer, I suppose you are aware of the corresponding developer
forum of httpd?  If not, an email to dev-subscr...@httpd.apache.org should
get you there in one piece.




Re: [us...@httpd] Compiling Apache on windows VC9

2009-06-05 Thread William A. Rowe, Jr.
William A. Rowe, Jr. wrote:
> Lester Caine wrote:
>> PHP have decided that PHP5.3 will be the last version available for
>> windows on VC6, and that PHP6 will be VC9 only, so is any work being
>> done on a VC9 version of Apache? This seems to be in line with making
>> IIS the default on Windows as there are no Apache modules in the VC9
>> builds :(
>>
>> Where is the best place to 'go' to discuss this upcoming problem and try
>> and add Apache to the PHP builds I'm currently doing privately?
> 
> As a PHP developer, I suppose you are aware of the corresponding developer
> forum of httpd?  If not, an email to dev-subscr...@httpd.apache.org should
> get you there in one piece.

FWIW, asking for 'forward looking' development questions on the users@ list
is something like asking your stock broker how GE expects to perform in the
coming quarter ;)




Re: [us...@httpd] Fixing HTTP Service / Server Version Detected

2009-06-10 Thread William A. Rowe, Jr.
Singh, Sukhjeet wrote:
> 
> The server allows capture of the HTTP service banner. Service banners
> can contain sensitive information, such as application and Operating
> System (OS) version numbers. An attacker can use the version information
> from your Web server to determine if there are any known vulnerabilities
> present, or can use such information to create attacks towards the
> specific application or OS.
> 
> SSL HTTP/1.1 200 OK Server: Apache-Coyote/1.1 X-Powered-By: Servlet 2.4;
> JBoss-4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA
> date=200807181417)/JBossWeb-2.0 ETag: W/1570-1216412442000
> Last-Modified: Fri, 18 Jul 2008 20:20:42 GMT Content-Type: text/html
> Content-Length: 1570 Date: Wed, 11 Mar 2009 02:11:24 GMT

Repeat noise, you get noise in response.  Exploits are rarely sophisticated
in their attack.  They will probe for vulnerable URI's until they achieve
success.  You can cloak your Tomcat as IIS, your IIS as Apache or your httpd
as whatever and it won't matter one iota.

But no matter, "there's a directive for that"(TM)[1].  See

 http://httpd.apache.org/docs/2.2/mod/core.html#servertokens

Sadly, this information is useless to you.  This is not an httpd issue,
it's a JBoss issue.  Take it to their user forum.  This is not a JBoss
support forum.

[1] "there's a directive for that" is a Trademark of the Apache Software
Foundation, created by the Apache httpd Project.  :)





Re: [us...@httpd] Stable Release of Apache

2009-06-10 Thread William A. Rowe, Jr.
Mohit Anchlia wrote:
> We are using Apache 2.2. How can I find which one is most recent
> stable version? I am trying to determine if we need to upgrade Apache.

Have you visited http://httpd.apache.org recently?




Re: [us...@httpd] Stable Release of Apache

2009-06-11 Thread William A. Rowe, Jr.
Tom Evans wrote:
> On Thu, 2009-06-11 at 07:57 -0700, Mohit Anchlia wrote:
>> I see that apache 2.2.11 has been released but how do I find out if
>> that's a stable release and something I can consider deploying in
>> production?
> 
> All releases of apache are stable releases; that is the definition of a
> release. The apache project don't release the unstable versions (eg the
> 2.1 and 2.3 branches).

Well, mostly correct.  We do 'release' 2.1, 2.3 branches (development or
unstable, as you call it) by identifying them as -alpha or -beta.

There would be no 'stable' -alpha or -beta designations, when the branch
reaches maturity, it is given the next even-numbered revision, e.g. 2.4
or 3.0, and won't be identified as either -alpha or -beta.

OR quoting the web site...

"The Apache HTTP Server Project is proud to announce the release of version
2.2.11 of the Apache HTTP Server ("Apache"). This version is principally a
bugfix release."

"This version of Apache is a major release and the start of a new stable
branch, and represents the best available version of Apache HTTP Server. New
features include Smart Filtering, Improved Caching, AJP Proxy, Proxy Load
Balancing, Graceful Shutdown support, Large File Support, the Event MPM, and
refactored Authentication/Authorization."

I guess it's a little misleading, 2.2 certainly isn't "new" anymore, and
quoting the actual 2.2.11 announcement file;

"The Apache Software Foundation and the Apache HTTP Server Project are
pleased to announce the release of version 2.2.11 of the Apache HTTP Server
("Apache")."

"This version of Apache is principally a bug fix release."

"We consider this release to be the best version of Apache available, and
encourage users of all prior versions to upgrade."

So there's the message that should actually be on the main site :)  cc'ing
docs@ so they can take a look at this and contribute an appropriate solution
to the confusion.




Re: [us...@httpd] Configure Server To Run In Windows Vista

2009-06-17 Thread William A. Rowe, Jr.
Sevis wrote:

> 
> The "Start" shortcut (which works, but only after UAC prompting) is:
> 
> "C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe" -w  -f
> "C:/Users/joeUser/AppData/Roaming/Apache/httpd.conf" -n "ApacheHttpd" -k start

A fine mess you have gotten yourself into, eh?  Congratulations for at least
trying to outsmart Vista.

Why is your httpd.conf under Apache/ instead of Apache/conf?  Unnecessary
confusion?

By default, you'll see the httpd service is run-as SYSTEM (LocalSystem)
acct, which apparently doesn't have privileges to joeUser until you have
logged in interactively.  In fact, I'm not even sure which of the various
paths are physical :)

But in any case, for grins just try changing Apache service to run-as user
joeUser and see if that doesn't solve your entire headache, for now.




Re: [us...@httpd] Apache 2.3 source?

2009-06-19 Thread William A. Rowe, Jr.
Prasanna Ram Venkatachalam wrote:
> 
> Is it possible to get a copy of the Apache 2.3 source? Looked around
> on the source distribution site and can't find anything.
> 
>  
> Might help. This is an automated snapshot system. Not sure if it
> completely works!! :(
> http://httpd.apache.org/dev/
> http://cvs.apache.org/snapshots/httpd/

Better choice;

svn co http://svn.apache.org/repos/asf/httpd/httpd/trunk httpd-2.3

ASF project pages all have some 'developer info' page with details of their
subversion URL.

Enjoy!




Re: [us...@httpd] Setting the Timeout directive to refrain a DoS attacks

2009-06-25 Thread William A. Rowe, Jr.
André Warnier wrote:
> fredk2 wrote:
>> Wouldn't you think that a (simple) timer for the header could fend off
>> some of the effect.  Can't we assume that if it takes more than 3 second
>> to enter the header we do not want that client (i'll have to learn to
>> type faster in telnet :-).
>>
> 
> For the headers, I think it might help.
> But I'm sure that then the attack would switch to sending the headers
> fast, and then a long POST body, very slowly...
> 
> On another track, it seems that the "Event MPM" model of Apache also is
> relatively insensitive to the slowloris thing.

... except, again for POST bodies.  Event MPM does not help, there.






Re: [us...@httpd] Setting the Timeout directive to refrain a DoS attacks

2009-06-25 Thread William A. Rowe, Jr.
André Warnier wrote:
> William A. Rowe, Jr. wrote:
>> André Warnier wrote:
>>> fredk2 wrote:
>>>> Wouldn't you think that a (simple) timer for the header could fend off
>>>> some of the effect.  Can't we assume that if it takes more than 3 second
>>>> to enter the header we do not want that client (i'll have to learn to
>>>> type faster in telnet :-).
>>>>
>>> For the headers, I think it might help.
>>> But I'm sure that then the attack would switch to sending the headers
>>> fast, and then a long POST body, very slowly...
>>>
>>> On another track, it seems that the "Event MPM" model of Apache also is
>>> relatively insensitive to the slowloris thing.
>>
>> ... except, again for POST bodies.  Event MPM does not help, there.
>>
> So basically, Fame and Gratitude (and an Apache teeshirt ?) await
> whoever can design an effective strategy against this.

Timeout handling can be refactored to 'behave as advertised'... there is
a discrepancy with the documentation.

But a pure asynchronous server would break 50% of handler and a good chunk
of the filter modules out there.  First, threading stripped them of the
ability to use 'static' storage; now free threading (resuming on an
arbitrary thread) will strip them of using tls storage.  It's a major 3.0
breaking change when this is introduced; it will be but it's not right
around the corner.







Re: [us...@httpd] Setting the Timeout directive to refrain a DoS attacks

2009-06-25 Thread William A. Rowe, Jr.
Tom Evans wrote:
> 
> It is a bit like an arms race - I guess a solution could be to use a
> dedicated thread for reading in POST bodies. 

This is why IIS appears to the author to be invulnerable; IIS does fill
an initial buffer, at least 64k worth.  Exhaust that buffer and it should
cripple IIS just fine.

Because ultimately, you are not going to 'read POST bodies' as a specific
functional step.  They are of arbitrary length.  I can POST an entire .iso
dvd image.  If not consumed while read, this operational step would be
a joke, and you have a whole new DoS vector.

If Apache 3.0 event MPM becomes free-threaded, this situation goes away;
while waiting for more POST content, the request handler and modules would
not occupy a thread at all.  Look forward to the dire warnings of the evils
of threading, all over again, as third party modules are discovered to be
buggy, and are slowly fixed or forgotten.

> The best way to stop slowloris is to not allow a single user to cripple
> your server in this way, by restricting the number of connections a
> single IP can have to your servers. That of course, only leads to it
> becoming a DDoS rather than a DoS.

Precisely.
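
The three defences weighed in this thread (a timer on the request headers, the slow POST body case, and a per-IP connection cap), as an added example that is not part of the original posts and is not httpd code. The 3-second header deadline is fredk2's figure; the other thresholds, the `Conn` record and the sample connections are assumptions constructed for illustration.

```python
"""Triage of open HTTP connections against three slow-request policies.

All thresholds except the 3-second header timer are assumptions for
illustration; the connection records are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

HEADER_DEADLINE = 3.0      # seconds to finish request headers (from the thread)
BODY_GRACE = 5.0           # assumed: seconds before the body rate is judged
MIN_BODY_RATE = 500.0      # assumed: bytes/second floor for a request body
MAX_CONN_PER_IP = 4        # assumed: concurrent connections allowed per client


@dataclass
class Conn:
    cid: str
    ip: str
    opened: float                    # time the socket was accepted
    headers_done: Optional[float]    # None while headers are still arriving
    content_length: int = 0          # declared body size, 0 if none
    body_received: int = 0           # body bytes read so far


def slow_reason(c: Conn, now: float) -> Optional[str]:
    """Return why a single connection counts as stalled, or None."""
    if c.headers_done is None:
        # Slow headers: an absolute deadline works because headers are small.
        return "header-timeout" if now - c.opened > HEADER_DEADLINE else None
    if c.body_received >= c.content_length:
        return None                  # request fully read, handler is running
    elapsed = now - c.headers_done
    if elapsed <= BODY_GRACE:
        return None
    # Slow body: bodies are of arbitrary length, so judge the rate,
    # not the total time. A large upload at a healthy rate passes.
    if c.body_received / elapsed < MIN_BODY_RATE:
        return "slow-body"
    return None


def triage(conns: List[Conn], now: float) -> Dict[str, str]:
    """Map connection id -> reason to drop it; healthy ones are omitted."""
    verdicts: Dict[str, str] = {}
    per_ip: Dict[str, List[Conn]] = defaultdict(list)
    for c in conns:
        reason = slow_reason(c, now)
        if reason:
            verdicts[c.cid] = reason
        per_ip[c.ip].append(c)
    # Per-IP cap: keep the oldest MAX_CONN_PER_IP, refuse the rest.
    for group in per_ip.values():
        group.sort(key=lambda c: c.opened)
        for c in group[MAX_CONN_PER_IP:]:
            verdicts.setdefault(c.cid, "per-ip-limit")
    return verdicts


def sample_connections() -> List[Conn]:
    """Constructed snapshot at t=60 (addresses are documentation ranges)."""
    return [
        # One client opening six connections, none past the header timer yet:
        # only the per-IP cap reacts this early.
        *[Conn(f"a{i}", "192.0.2.10", opened=58.0 + 0.2 * i, headers_done=None)
          for i in range(6)],
        # Headers sent quickly, then a 1 MB POST trickling in.
        Conn("b0", "192.0.2.20", 20.0, 20.2, 1_000_000, 400),
        # Legitimate large upload: 40 s elapsed, 20 MB received.
        Conn("c0", "198.51.100.5", 19.5, 20.0, 700_000_000, 20_000_000),
        # Fresh connection still inside the header deadline.
        Conn("d0", "198.51.100.6", 58.5, None),
        # Same stalled-header pattern spread over many addresses: the
        # per-IP cap never fires, only the header timer catches these.
        *[Conn(f"e{i}", f"203.0.113.{i + 1}", 30.0, None) for i in range(3)],
    ]


if __name__ == "__main__":
    for cid, reason in sorted(triage(sample_connections(), now=60.0).items()):
        print(cid, reason)
```

Every connection that is not dropped still occupies a worker in a thread-per-connection server, so these checks bound how long a stalled client can hold one; they do not remove the cost.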




Re: [us...@httpd] Serving subdomains - ProxyPassMatch issues

2009-06-25 Thread William A. Rowe, Jr.
Karthik Manimaran wrote:
> ProxyPassReverse too doesn't work when I use regex.

Of course it does.

You just need multiple ProxyPassReverse mappings to correct the
myriad ways that the forward pass had occurred.  Setting the back
end server to use canonical server name and URI's sure helps.






Re: [us...@httpd] How can I secure my apache server from DoS attack ?

2009-06-26 Thread William A. Rowe, Jr.
Damian Myerscough wrote:
> 
> mod_evasive works against DOS attacks but is ineffective against the slowloris
> attack

Uhm, distinctions without a difference?  How is slowloris not claiming
to be a DOS attack?  And there are a host of DOS vectors evasive doesn't
claim to address.

Very odd statement, above.




Re: [us...@httpd] Wrong charset convert SOLVED

2009-07-01 Thread William A. Rowe, Jr.
Jiří Eichler wrote:
> Ok, "AddDefaultCharset off" added to httpd.conf, charset spec in header
> disappeared in both cases, It must be enough for this time. As regards
> file uploads, I really want to use utf-8 for multilingual support and I
> believe that it is technically possible even on Windows. It just needs
> to configure server to know that received filename is in utf-8. Windows
> 'reputedly' use something like Unicode. Sometimes I wonder why is so
> much problems with charsets. Maybe because it is hard to recognize in
> which charset is text written.

All filesystem URI's for Apache HTTPD on Windows are in utf-8.

But all URI's should be given spelled out in %XX form, so the encoding
itself on the page doesn't matter.

It is so much problem because user/developers think in their region, alone.




Re: [us...@httpd] apache modules

2009-07-08 Thread William A. Rowe, Jr.
Boyle Owen wrote:
> If you just load modules but don't actually use them (ie, no directives
> in config), then no.

That is not entirely true.  Most register a hook provider to evaluate if
they are the candidate for providing auth, injecting filters or handling
the request.

Those hooks do cost some cycles to evaluate and answer, even if the answer
is always 'no, not this module'.

So you are wise to remove modules that are not used.

Also, some security flaws in the past have exploited only one module
of httpd.  The users who had not loaded or enabled that module were not
affected.  So it is also a courtesy to the next administrator down the
road (or yourself) to simplify the number of modules loaded.




Re: [us...@httpd] Windows rotatelogs, cmd.exe permission

2009-07-08 Thread William A. Rowe, Jr.
Philip J Dicke wrote:
> I currently have httpd running as a windows service, logging on as a restricted
> user called "webserver".  That account is very restricted in the folders that
> it can read/execute.  In order to follow the security policy, the webserver
> account needs to be configured so that it cannot access cmd.exe.  When httpd
> runs on windows and uses piped output to a log file, it creates a named piped
> and launches a "shell (cmd.exe)" to run the executable.  FAIL!

Ok; please explain how the process initially has rights to invoke cmd.exe
and how these were subtracted after initialization?

> Windows does not seem to have the "apachectl graceful" command that unix does.

That's right; every service control command 128 is a graceful today, which
is what the ApacheMonitor taskbar-utility issues when you choose 'restart'.
So does httpd.exe -k restart.  But Windows OS only knows a hard restart,
stop and then restart the parent.

However the child process lives only one iteration, just as in unix.

The new feature I have worked up uses "||realpipe args" if you want to
absolutely invoke realpipe without a command shell (on win or unix).  The
syntax "|$pipecmd args" works as today, sending the pipecmd args to the
command shell.

In 2.3 forward, realpipe will be the default.  In 2.2, pipecmd stays the
default as to not disrupt so many people.  So offering both syntaxes
should help you with an httpd.conf that will make the transition.





Re: [us...@httpd] Windows rotatelogs, cmd.exe permission

2009-07-08 Thread William A. Rowe, Jr.
Philip J Dicke wrote:
>> Ok; please explain how the process initially has rights to invoke cmd.exe
>> and how these were subtracted after initialization?
> Well it works now b/c the webserver user has access to the cmd.exe.  Security
> review revealed that access needs to be removed.

Ok; that's not what your post said... you implied it was restart-related :)

>> syntax "|$pipecmd args" works as today,
> 
> AWESOME!!! this is exactly the solution I was looking for!  Just tried it and
> seems to be working.  I will let you know if there any issues.

Huh?  That feature is not implemented yet.




Re: [us...@httpd] Reload httpd.conf on Windows

2009-07-08 Thread William A. Rowe, Jr.
André Warnier wrote:
> Vamshikrishna T wrote:
>> Hi,
>>
>> From your query, I observed that we can reload apache configuration file
>> without restarting the apache web server on Linux. I would like to
>> know, how can we do it?
>>
> See http://httpd.apache.org/docs/2.2/stopping.html

or more importantly;

  http://httpd.apache.org/docs/2.2/platform/windows.html#winsvc





[us...@httpd] [Fwd: Application Period for Travel Assistance to ApacheCon US 2009 Opens Soon]

2009-07-22 Thread William A. Rowe, Jr.

For our communities' attention, this is a few days' heads up before the
applications actually open...

 Original Message 
Subject: Application Period for Travel Assistance to ApacheCon US 2009 Opens
Soon
Date: Wed, 22 Jul 2009 19:46:15 +1000
From: Gav... 

The Travel Assistance Committee is taking in applications for those wanting
to attend ApacheCon US 2009 (Oakland) which takes place between the 2nd and
6th November 2009.

The Travel Assistance Committee is looking for people who would like to be
able to attend ApacheCon US 2009 who may need some financial support in
order to get there. There are limited places available, and all applications
will be scored on their individual merit. Applications are open to all open
source developers who feel that their attendance would benefit themselves,
their project(s), the ASF and open source in general.

Financial assistance is available for flights, accommodation, subsistence
and Conference fees either in full or in part, depending on circumstances.
It is intended that all our ApacheCon events are covered, so it may be
prudent for those in Europe and/or Asia to wait until an event closer to
them comes up - you are all welcome to apply for ApacheCon US of course, but
there should be compelling reasons for you to attend an event further away
than your home location for your application to be considered above those
closer to the event location.

More information can be found on the main Apache website at
http://www.apache.org/travel/index.html - where you will also find a link to
the online application and details for submitting.

Applications for applying for travel assistance will open on 27th July 2009
and close on the 17th August 2009.

Good luck to all those that will apply.

Regards,

The Travel Assistance Committee








Re: [us...@httpd] compilation of apache 2.2 on windows

2009-08-06 Thread William A. Rowe, Jr.
walty wrote:
> 
> By the way, the line of error seems to be induced from somewhere inside
> "srclib\apr-util\aprutil.dep"

Right.  set NO_EXTERNAL_DEPS=1 in the environment, that will actually
bypass all broken (and working) dependency checking.

> Do I miss something here?

Nope, the new APR packages carefully avoided this issue.




[us...@httpd] ApacheCon opportunities

2009-08-19 Thread William A. Rowe, Jr.
Questions and *very important* information for *everyone* in relation to
httpd.conf - the HTTP Server conference at ApacheCon, which happens this
November 2nd through 6th in Oakland CA US...

Q. Users, is there interest in organizing an evening meetup with some short
sessions, BoFs and user-to-user interaction?  It would probably run from
7:30pm until late on Mon or Thursday evening, in addition to the trainings
and sessions.  Meetups already scheduled are here, so IMHO either mon or thu
would work best;  http://wiki.apache.org/apachecon/ApacheMeetupsUs09

Q. Developers, is there interest in organizing official hack-a-thon activity
on Mon, Tues, or both during the day?  Note that you might be interested in
participating in the Apache BarCamp starting Monday, and the Incubating
Apache TrafficServer may be holding a hack-a-thon as well as a Tues eve meetup.

Here is the very important information I promised...

The httpd opportunities at the event include a very popular training,
Apache HTTP Server - Nuts to Bolts by Jim Jagielski and Rich Bowen
on Mon-Tues;  http://www.us.apachecon.com/c/acus2009/sessions/363

On Wed 9/4 on the Tomcat track, you'll find a very relevant session

mod_jk / mod_proxy and others by Jean-Frederic Clere
http://www.us.apachecon.com/c/acus2009/sessions/320

On Thu 9/5 during httpd.conf track, users will discover

Munging URLs with mod_rewrite by Rich Bowen
http://www.us.apachecon.com/c/acus2009/sessions/301

Hardening Enterprise Apache Installations Against Attacks by Sander Temme
http://www.us.apachecon.com/c/acus2009/sessions/302

Scalable Internet Architectures, a 2 hour deep-dive by Theo Schlossnagle
http://www.us.apachecon.com/c/acus2009/sessions/305

Recent Developments in SSL and Browsers by Rick Andrews
http://www.us.apachecon.com/c/acus2009/sessions/330

On Fri 9/6 during httpd.conf track, users and devs alike will enjoy

Welcome to the Future! by Rich Bowen
http://www.us.apachecon.com/c/acus2009/sessions/336

Deciphering mod_ssl: Using SSL with the Apache HTTP Server by Joe Orton
http://www.us.apachecon.com/c/acus2009/sessions/321

mod_lua in Apache 2.4 by Brian McCallister
http://www.us.apachecon.com/c/acus2009/sessions/306

Writing modules for Apache httpd by Jim Jagielski
http://www.us.apachecon.com/c/acus2009/sessions/344

Testing Apache Modules with Python and Ctypes by Markus Litz
http://www.us.apachecon.com/c/acus2009/sessions/304


Remember you still have Thursday and Friday to register at an additional
$200 or more savings with the super-early bird rate, just extended and
only through this Friday!  Click, don't bookmark, to register, now...

   http://www.us.apachecon.com/c/acus2009/










Re: [us...@httpd] ApacheCon opportunities

2009-08-20 Thread William A. Rowe, Jr.
William A. Rowe, Jr. wrote:
> 
> Here is the very important information I promised...
> 
> On Wed 9/4 on the Tomcat track, you'll find a very relevant session
> On Thu 9/5 during httpd.conf track, users will discover
> On Fri 9/6 during httpd.conf track, users and devs alike will enjoy

Not /9/, mea culpa!

Sander Temme points out that the above dates are incorrect (and not
internationally sensitive, either).  November 4, 5, and 6 are the dates
that apply to the three track days.  Thanks Sander.





Re: [us...@httpd] DBDPersist Off in vhost causes startup error log entries

2009-08-20 Thread William A. Rowe, Jr.
Nick Kew wrote:
> 
> Problem: The user has got a confusing error message.
> 
> Diagnosis: apr_dso_load and apr_dso_sym on Windows platform
> return an OS error instead of an APR error on failure.
> 
> As an APR user, mod_dbd handles the APR errors APR_EDSOOPEN
> and APR_ESYMNOTFOUND and gives the user a tailored error
> message.  That was based on the behaviour of unix/apr_dso.

Apparently, the macro APR_STATUS_IS_ESYMNOTFOUND etc aren't
correctly defined or utilized.

It is against APR practice to remap errors; the error results
from the apr_dso interface are correct.  I'd be strongly -1 to
changing this practice.

It is consistent with APR practice to define APR_STATUS_IS tests
to capture the wide diversity of practices on different OS's,
this started with EAGAIN vs EWOULDBLOCK and has grown more
complex from year to year.

If you want to ensure we have the appropriate DSO-related
APR_STATUS_IS tests and use those within apu_dso, +1!




Re: [us...@httpd] Can you supply username & password for AuthType Basic within a POST/GET?

2009-08-26 Thread William A. Rowe, Jr.
Jeff Sherk Forerunner Ministries wrote:
> Per Eric's earlier response, if I encode the username and password in the
> URL with https instead of
> http, is it secure?
> 
> Like this https://username:passw...@mydomain.com/foo

Provided you are using https: SSL or TLS Upgrade you are assured it is
secure because nothing has been transmitted before handshaking is complete.




Re: [us...@httpd] Using environment variable in condition

2009-08-27 Thread William A. Rowe, Jr.
Bhuvaneswaran A wrote:
> 
> Short question: How do I use an environment variable in
> condition in httpd.conf file? I like to use "SVN-ACTION" variable in
>  condition in order to define specific configuration for SVN
> requests. 

You don't; IfDefine's are evaluated at server startup, not per-request.

This is a classic problem not well addressed by the TLS v1.0 protocol.
You are best off using two different virtual hosts.  SNI (server name
identification, à la named virtual hosts) is now supported by httpd
2.2.13 and openssl 0.9.8k if I understood correctly.  It's up to the
client to also support it, of course.  Hopefully, svn does already or
will soon.




Re: [us...@httpd] Apache for Windows won't start

2009-09-01 Thread William A. Rowe, Jr.
John Oliver wrote:
> So I installed 2.2.13 on W2K3 R2 Enterprise Edition SP2  When I try to
> start it, I get a message about error code 1, and there is nothing in
> the error.log  This is the first time I've tried to do this under
> Windows.  With Linux/UNIX, there would be *something* in the error_log.
> But here, I'm stuck.  How to proceed?

Windows Application Event Log (until there is a chance to open the log file)




Re: [us...@httpd] apache approach to blocking external sites that invoke requests to my server via an iframe?

2009-09-03 Thread William A. Rowe, Jr.
David Taveras wrote:
> Hello,
> 
> I've been told that there is a server level approach to be able to block
> external sites which are calling my server for requests via an iframe.
> Their idea is to steal my dynamic content and make it look like theirs.

http://tinyurl.com/m7r86l




Re: [us...@httpd] Apache 2.0.63 log timestamps

2009-09-08 Thread William A. Rowe, Jr.
Justin Amburn wrote:
> Hi all,
> 
>   I’m new to the list—hello. I just wanted to ask you guys a question to
> see if you might know “off the top” – Does anyone remember anything
> about there being a known bug in Apache 2.0.63 that causes access log
> timestamps to be out of order? A colleague mentioned this behavior, but
> I have not been able to reproduce it. Any feedback would be welcome.

Not a bug; behavior is by design.  The timestamp is the moment the request
was received; it is logged upon completion.




Re: [us...@httpd] Apache for Windows won't install

2009-09-08 Thread William A. Rowe, Jr.
John Oliver wrote:
> Trying to install apache_2.2.13-win32-x86-openssl-0.9.8k.msi on a W2K3
> R2 Enterprise SP2 VM.  After I click "Install", I get an error telling
> me, "The system cannot open the device or file specified".  The
> Application Log says:
> 
> Product: Apache HTTP Server 2.2.13 -- Internal Error 2755. 110,
> C:\Downloads\apache_2.2.13-win32-x86-openssl-0.9.8k.msi

http://www.apache.org/dist/httpd/binaries/win32/TROUBLESHOOTING.html

Read the last sentence please.





Re: [us...@httpd] Apache 64 bit ?

2009-09-09 Thread William A. Rowe, Jr.
ricardo13 wrote:
> Only one question.
> 
> Is there Apache 64bit ???
> Where do I download ??

No, it's eight bit ASCII.

http://httpd.apache.org/dist/httpd/

It's up to your compiler toolchain and CFLAGS (or CC command) to
decide what it compiles when you ./configure and make.




Re: [us...@httpd] Apache 64 bit ?

2009-09-09 Thread William A. Rowe, Jr.
William A. Rowe, Jr. wrote:
> ricardo13 wrote:
>> Where do I download ??
> 
> http://httpd.apache.org/dist/httpd/

sorry, that is http://httpd.apache.org/download for your nearest
mirror, or http://www.apache.org/dist/httpd/ for the master server.




Re: [us...@httpd] Apache 64 bit ?

2009-09-09 Thread William A. Rowe, Jr.
ricardo13 wrote:
> 
> I saw this  http://www.blackdot.be/?inc=apache/binaries site .
> And I have a server with Core 2 Quad (64 bits).

You still haven't mentioned an operating system.




Re: [us...@httpd] Apache for Windows won't install

2009-09-09 Thread William A. Rowe, Jr.
John Oliver wrote:
> On Tue, Sep 08, 2009 at 06:27:00PM -0500, William A. Rowe, Jr. wrote:
>> John Oliver wrote:
>>> Trying to install apache_2.2.13-win32-x86-openssl-0.9.8k.msi on a W2K3
>>> R2 Enterprise SP2 VM.  After I click "Install", I get an error telling
>>> me, "The system cannot open the device or file specified".  The
>>> Application Log says:
>>>
>>> Product: Apache HTTP Server 2.2.13 -- Internal Error 2755. 110,
>>> C:\Downloads\apache_2.2.13-win32-x86-openssl-0.9.8k.msi
>> http://www.apache.org/dist/httpd/binaries/win32/TROUBLESHOOTING.html
>>
>> Read the last sentence please.
> 
> Awesome.  Thanks.
> 
> I did try following through this mess myself :-)  One item that jumped
> out was:
> 
> Disallowing installation of component:
> {1CA051B0-1B70-11D2-9ADD-006097C4E452} since the same component with
> higher versioned keyfile exists
> 
> I searched the Registry for that key, but came up bingo.

Not an issue, it's the MSVCRT runtime merge module, and no harm in having
a later version installed.

> MSI (s) (BC:78) [09:42:25:532]: Grabbed execution mutex.
> MSI (s) (BC:D4) [09:42:25:532]: Resetting cached policy values
> MSI (s) (BC:D4) [09:42:25:532]: Machine policy value 'Debug' is 0
> MSI (s) (BC:D4) [09:42:25:532]: *** RunEngine:
>*** Product:
> C:\Downloads\apache_2.2.13-win32-x86-openssl-0.9.8k.msi
>*** Action: INSTALL
>*** CommandLine: **
> MSI (s) (BC:D4) [09:42:25:547]: Machine policy value
> 'DisableUserInstalls' is 0
> MSI (s) (BC:D4) [09:42:25:563]: Note: 1: 1309 2: 5 3:
> C:\Downloads\apache_2.2.13-win32-x86-openssl-0.9.8k.msi 

I know, doesn't sound like an error, looks like a Note, but I think it is
your error message... Error reading from file: Verify that the file exists
and that you can access it.

What are the permissions on C:\Downloads, or this .msi?  Remember to install
a package, windows switches into an Administrator/LocalSystem context.  Just
because you-the-user could read the file, doesn't mean the system can.

Or obvious question; is the download corrupt?  Or is C:\Downloads a mount to
a network file store?

> DEBUG: Error 2835:  The control ErrorIcon was not found on dialog
> SetupError
> Internal Error 2835. ErrorIcon, SetupError

That's strange; there is a WarningIcon, and no references whatsoever to
ErrorIcon in the msi database.  But it says 'DEBUG' - lets presume that
is harmless too.

> The system cannot open the device or file specified.
> MSI (s) (BC:D4) [09:42:27:579]: Note: 1: 1309 2: 5 3:
> C:\Downloads\apache_2.2.13-win32-x86-openssl-0.9.8k.msi 


Here's the error again... From this point on, things are shutting down
and you can ignore all the noise.

> DEBUG: Error 2835:  The control ErrorIcon was not found on dialog
> SetupError
> Internal Error 2835. ErrorIcon, SetupError
> The system cannot open the device or file specified.
> MSI (s) (BC:78) [09:42:28:344]: I/O on thread 3268 could not be
> cancelled. Error: 127
> MSI (s) (BC:78) [09:42:28:344]: I/O on thread 996 could not be
> cancelled. Error: 127
> MSI (s) (BC:78) [09:42:28:344]: I/O on thread 3260 could not be
> cancelled. Error: 127
> MSI (s) (BC:78) [09:42:28:344]: I/O on thread 5628 could not be
> cancelled. Error: 127
> MSI (s) (BC:78) [09:42:28:344]: I/O on thread 3680 could not be
> cancelled. Error: 127
> MSI (s) (BC:78) [09:42:28:344]: I/O on thread 5264 could not be
> cancelled. Error: 127
> MSI (s) (BC:78) [09:42:28:344]: I/O on thread 468 could not be
> cancelled. Error: 127
> MSI (s) (BC:D4) [09:42:28:344]: MainEngineThread is returning 110
> MSI (s) (BC:78) [09:42:28:344]: No System Restore sequence number for
> this installation.
> MSI (s) (BC:78) [09:42:28:360]: User policy value 'DisableRollback' is 0
> MSI (s) (BC:78) [09:42:28:360]: Machine policy value 'DisableRollback'
> is 0
> MSI (s) (BC:78) [09:42:28:360]: Incrementing counter to disable
> shutdown. Counter after increment: 0
> MSI (s) (BC:78) [09:42:28:360]: Note: 1: 1402 2:
> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
> 3: 2 
> MSI (s) (BC:78) [09:42:28:360]: Note: 1: 1402 2:
> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
> 3: 2 
> MSI (s) (BC:78) [09:42:28:360]: Note: 1: 1402 2:
> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\InProgress
> 3: 2 
> MSI (s) (BC:78) [09:42:28:360]: Note: 1: 1402 2:
> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\InProgress
> 3: 2 
> MSI (s) (BC:78) [09:42:28:360]: Decrementing counter to disable
> shutdown.

Re: [us...@httpd] About apache2 vulnerability with apr and apr-utils. How bad is it?

2009-09-10 Thread William A. Rowe, Jr.
David Taveras wrote:
> 
> I run apache 2.2.9 & apache 2.2.11 both with  apr-1.2.11p2   & 
> apr-util-1.2.10p2
> 
> According to the CVE at
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2412  only  0.9.x
> and 1.3.x are affected .  Could anybody confirm that this is so? If
> not.. how bad is this vulnerability to a user? Would mod_security help
> for this?

[cc'ing dev@ to point out this error]

The description of the CVE is wildly wrong.

There is no known exploit of these flaws relative to Apache httpd itself.
The version numbers you reference refer to APR, so this is applicable to
all distributions of httpd 2.x (2.0 included 0.9, 2.2 included 1.3).

Third party modules might be affected; Other projects or products using APR
may be affected; one project is known to be affected.

However, any code which is affected remains vulnerable, in that these
bugs would only be triggered by using untainted/untrusted input as the
memory allocation size.  Any affected application would be subject to
memory exhaustion DoS vectors until the code properly detaints the input
which determines the size of memory allocations.

This was granted a CVE strictly on the basis that the effects of the flaw
may unexpectedly be worse than expected; the affected code may unexpectedly
continue, rather than failing or segfaulting as expected, based on design.

Finally, mod_security is very unlikely to have any effect whatsoever on
this group of issues.  Input into httpd is already constrained in terms
of size before these calls to APR occur, so this is unlikely to affect
typical httpd modules.  Non-HTTP protocols, or HTTP implementations other
than httpd are more likely to be affected, again depending upon the code
used and caution exercised by the developer.





Re: [us...@httpd] About apache2 vulnerability with apr and apr-utils. How bad is it?

2009-09-10 Thread William A. Rowe, Jr.
David Taveras wrote:
> 
> You mentioned as far as APR causing a DoS, how about the execution of
> arbitrary code through apache as the CVE says..?

No, you misinterpreted; the application developer must expose a DoS/memory
exhaustion vector; where that exists, and the affected version of APR
is used, and the information written to the never-allocated buffer just
happens to overlap some predictable, current allocations, then the external
user may trigger a segfault but possibly worse, depending ENTIRELY on
the code in the application.

An example is http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2411
svn's libsvn_delta library, but there may be other applications in the
wild which suffer similar, lesser or worse side effects from trusting
untainted user input.


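The detainting step that the two replies above call for, as an added example (not APR's or httpd's code): a peer-supplied length is bounded and checked for wraparound before it reaches an allocator, so a copy can never land in a buffer that was never really allocated. The 8-byte rounding, `MAX_RECORD_SIZE` and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption for illustration: the allocator rounds every request up to a
 * multiple of 8 bytes. The addition wraps for sizes within 7 of SIZE_MAX. */
#define ALIGN8(n) (((n) + (size_t)7) & ~(size_t)7)

/* Hypothetical application limit on one record (1 MiB). */
#define MAX_RECORD_SIZE ((size_t)1 << 20)

/* What an allocator that does not check its arithmetic would reserve. */
size_t rounded_size_unchecked(size_t requested)
{
    return ALIGN8(requested);
}

/* Detaint an externally supplied size. Returns 0 and stores the rounded
 * size on success, -1 when the request must be refused. */
int detaint_alloc_size(size_t requested, size_t limit, size_t *rounded)
{
    if (requested == 0 || requested > limit)
        return -1;                 /* memory exhaustion vector */
    if (requested > SIZE_MAX - 7)
        return -1;                 /* rounding up would wrap around */
    *rounded = ALIGN8(requested);
    return 0;
}

/* Copy a record whose length was declared by the peer. `avail` is the
 * number of payload bytes actually received. Returns NULL on refusal. */
unsigned char *copy_record(const unsigned char *payload, size_t avail,
                           size_t declared_len, size_t *out_len)
{
    size_t rounded;
    unsigned char *buf;

    if (detaint_alloc_size(declared_len, MAX_RECORD_SIZE, &rounded) != 0)
        return NULL;
    if (declared_len > avail)
        return NULL;               /* peer claims more than it sent */
    buf = malloc(rounded);
    if (buf == NULL)
        return NULL;
    memcpy(buf, payload, declared_len);
    *out_len = declared_len;
    return buf;
}

int main(void)
{
    static const unsigned char sample[] = "hello";   /* constructed input */
    size_t n = 0;
    unsigned char *p;

    printf("unchecked rounding of SIZE_MAX-3 reserves %zu bytes\n",
           rounded_size_unchecked(SIZE_MAX - 3));
    p = copy_record(sample, 5, SIZE_MAX - 3, &n);
    printf("oversized declared length: %s\n", p ? "accepted" : "rejected");
    free(p);
    p = copy_record(sample, 5, 5, &n);
    printf("honest declared length: %s (%zu bytes)\n",
           p ? "accepted" : "rejected", n);
    free(p);
    return 0;
}
```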



Re: [us...@httpd] How does Transfer-Encoding: chunked work with CGI?

2009-09-11 Thread William A. Rowe, Jr.
André Warnier wrote:
> Hi.
> As regarding the overall content-length header, has anyone re-checked
> the relevant part of the HTTP RFCs ? I haven't yet, but I seem to
> remember that for chunked encoding, each chunk has an individual length,
> but there is no overall content-length.
> Which would make sense, because at the time the initial headers are
> sent out, the total length is not necessarily known.
> In terms of CGI, that would mean that when Apache calls the CGI module,
> it cannot set the CONTENT-LENGTH as an environment value, since it isn't
> known yet.

That's what it does, yup.  In fact the combination is prohibited, so the
content length header is unset in the presence of chunked encoding.




Re: [us...@httpd] virtualhosts: the default VH gets all trafic. why??

2009-09-14 Thread William A. Rowe, Jr.
Eric Covener wrote:
> On Mon, Sep 14, 2009 at 4:37 PM, André Warnier  wrote:
>> robert rottermann wrote:
>>
>> ...
>> Nothing to do with your problem, but is the following normal/safe ?
>>
>> Server loaded:  APR 1.3.8, APR-Util 1.3.4
>> Compiled using: APR 1.3.8, APR-Util 1.3.9
>>
>> (I mean compiling with APR-Util 1.3.9 but running with a lower version)
> 
> Yes, this compatibility is promised by APR versioning rules.

Although a host of bugfixes are lost by degrading from .9 to .4, not good.




Re: [us...@httpd] win32 install fails if drive letter removed

2009-10-05 Thread William A. Rowe, Jr.
David Balažic wrote:
> Hi!
> 
> Just checking here if this is a known bug.
> 
> I downloaded 
> http://www.apache.si/httpd/binaries/win32/apache_2.2.13-win32-x86-no_ssl.msi
> on my Windows XP Pro SP3 system, started it, set some more or less
> normal options (set hostname, domain and email, then used the
> typical/default settings).
> During that I removed an external drive (F:). Then when I clicked
> Finish in the wizard, I immediately got an error dialog about F: not
> being a valid drive. After OKing it, I could just close the installer.
> There was nothing installed.
> 
> As I was installing onto C:\... I don't see why the absence of F:
> should break the installation.
> 
> Note: I also have Eset NOD32 v4.0 running.

You are at the mercy of the Microsoft Installer here, I suspect the same
behavior would occur if you installed most any package.  This falls into
that strange category where Microsoft insists you close your programs
before running an installer.

And yes, anti-spy/spam/viralware all tend to interfere with installations,
but they should not affect the apache installer in any particular manner.




Re: [us...@httpd] win x64

2009-10-16 Thread William A. Rowe, Jr.
David Southwell wrote:
> Can anyone tell me if it is possible to get apache 2.2.13 or 2.2.14 to
> run as a win XP x64 bit program with ssl or am I limited to 32 bit? I know
> a 32 bit version is available and will run but I would like to take
> advantage of a 64bit system with a quad processor.

Yes you can, it's non trivial but entirely doable, there are various blog posts
about how users have done so (using visual c toolchains).

We have not due to the opacity of x64 msvcrt.dll and MS's claims that it will no
longer follow K&R, C99 etc for user-space apps.

Apache will consume noticeably more memory and cpu when built for x64.  You
might want to investigate shrinking your stack size, if your primary goal is
just to run more workers.  You'll find .14 does a much better job supporting
ThreadStackSize and MaxMemFree.

I'll come up with something out of the box for -win32-src.zip and binaries of
the Apache 2.4.x (and perhaps some beta 2.3.x).  These won't be using msvcrt
anymore.

> Will I need to compile it? Can it be done using gcc or should I try to
> install it under cygwin?

That's about the worst thing you can do; most unix libs presume 64ILP or 64LP
and the entire 64P model of win64 really hurts compatibility; people are
making progress but it's a slog.

Remember that Windows x64 is not using the same processor semantics as Linux or
Solaris or Darwin on x64, it is entirely its own beast.






Re: [us...@httpd] ad-supported apache proxy

2009-10-26 Thread William A. Rowe, Jr.
Marcos Mendez wrote:
> Does anyone have any suggestions about what is the best way to
> implement an ad-supported proxy? I've got mod_substitute injecting
> some content, but it only seems to work on simple websites. Should I
> be looking at redirecting urls to a frame, and putting the ads there?
> Is there any other way of doing it?

Take a look at mod_sed in trunk/; because it's a -full- implementation
of sed rather than just substitute-lines, so you can do line-oriented
insert/delete/buffer merge etc etc etc.

mod_substitute is replaced with mod_sed in the next major httpd release
but you should be able to compile in that module without too much trouble
into 2.2.




Re: [us...@httpd] apache 2.2 and mod_fcgid

2009-11-19 Thread William A. Rowe Jr.
Hendrik Schmieder wrote:
> Hello,
> 
> can somebody tell why mod_fcgid is not part of the apache distribution ?

Mostly because it is evolving faster/out of sync with the httpd distribution,
and applies to all of the 2.0, 2.2 and trunk distributions.

Will it become part of the core once it is 'baked'?  Good question, time will
tell.




Re: [us...@httpd] apache 2.2 and mod_fcgid

2009-11-19 Thread William A. Rowe Jr.
Peter Schober wrote:
> * Hendrik Schmieder  [2009-11-19 12:53]:
>> Is mod_fcgid stable enough for production usage ?
> 
> "Yes"

agreed [1]

[1] there is an issue handling large POST bodies in 2.3.4, you may wish to stay
with 2.3.1 (not recommended though), or grab from subversion, or hold for 2.3.5.




Re: [us...@httpd] Adding module to Apache-httpd

2009-11-30 Thread William A. Rowe Jr.
Ruiyuan Jiang wrote:
> I compiled remoteip module and loaded it without problem.
> In one of my virtualhost of Apache reverse proxy, I added and tested:
> 
> RemoteIPHeader X-Client-IP
> Or
> RemoteIPHeader X-Forwarded-For
> 
> Or both
> 
> I don't see the remote client IP is being forwarded to the backend server 
> from Apache as it supposed to be. Does anyone know why or what I did wrong? 
> Thanks.

There is the %{Header-Name}i syntax of the custom log, so you could easily
verify which header is actually in use.  X-Forwarded-For is the usual 'public'
method, but nobody promises you'll have such information assigned.  The other
example would entirely depend on your load balancer/router which picks up the
requests and has redispatched them.  Usually such devices will *not* share any
info over the web, but replace that particular header unilaterally.

Also note the module will only set the IP address as 'authentic' when the remote
machine is trusted, see

http://httpd.apache.org/docs/trunk/mod/mod_remoteip.html#remoteipinternalproxy

and the commentary at the top of that page.

[I'm thinking about a RemoteIPTrustedHeader directive that wouldn't deal with
that scrutiny, but I'm a bit hesitant.  You know your own IP's of your own
infrastructure to trust such proxies, right?]


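Added example, not part of the original thread and not mod_remoteip's own code: a simplified Python model of the trust rule described in the reply above, where a forwarded address is accepted only when the connecting peer is a known proxy. The network ranges, function names and sample addresses are constructed assumptions.

```python
import ipaddress

# Constructed sample: networks that hold our own reverse proxies / balancers.
TRUSTED_PROXIES = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.1.0/24")
]


def is_trusted(addr):
    """True when addr parses as an IP inside one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def effective_client_ip(peer_ip, forwarded_for):
    """Return the address to treat as the client of this request.

    peer_ip       -- address of the TCP connection (not settable by a header)
    forwarded_for -- raw X-Forwarded-For value, or None when absent
    """
    # A header sent by an untrusted peer is only client-supplied text.
    if not forwarded_for or not is_trusted(peer_ip):
        return peer_ip

    client = peer_ip
    # Each proxy appends the address it saw, so the rightmost entry is the
    # most recent hop.  Walk right to left and stop at the first address
    # that is not one of our own proxies.
    for hop in reversed([h.strip() for h in forwarded_for.split(",")]):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last address we could verify
        client = hop
        if not is_trusted(hop):
            break  # entries further left were asserted by an untrusted party
    return client
```

Logging the raw header next to the resolved address, using the %{Header-Name}i custom log syntax mentioned in the reply, shows which case a given request fell into.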


Re: [us...@httpd] Apache httpd does not respect the HTTP RFCs !

2009-11-30 Thread William A. Rowe Jr.
André Warnier wrote:
> ;-)
> I just wanted, once, to use a subject line with capitals and an
> exclamation mark.
> 
> It seems however that in this particular case, neither Tomcat nor Apache
> httpd follow the rules, when they default to the .. default virtual host
> in the case where they cannot find a match between the Host: header and
> one of their defined virtual hosts.
> Doesn't the following say that they MUST return a 400 status ?
> 
> http://www.w3.org/Protocols/rfc2616/rfc2616-sec5.html#sec5.2

In theory, yes.  As a practical matter, no...

"""
An origin server that does not allow resources to differ by the requested
host MAY ignore the Host header field value when determining the resource
identified by an HTTP/1.1 request.
"""

Apache httpd may operate in either mode.

I agree it should be easier, Rich and I have it down to 3-4 lines of rewrite
magic to kick out a 400, but we should probably allow this to be explicit
[default?]




Re: [us...@httpd] httpd translate to dutch

2009-11-30 Thread William A. Rowe Jr.
Teun wrote:
> 
> Are there Dutch people who like to start translate apache httpd manual?

:)  We have about 5 Dutch committers or those who are fluent in the httpd
project, unfortunately all are developers/overcommitted.  I encourage you
to email d...@httpd.apache.org with your suggestion, especially if it is an
offer to help translate or at least review translations :)




Re: [us...@httpd] Passing remote client IP address to backend server and session stickness

2009-11-30 Thread William A. Rowe Jr.
I realize I just answered you, but in response to your explicit and
specific questions;

Ruiyuan Jiang wrote:
> 
> Question 1: Is there a way to pass Internet users' IP address to backend 
> server through Apache reverse proxy server? I am testing that feature so far 
> no luck. My backend server gets Apache proxy server's IP address. But I'd 
> like to have Internet users' IP being passed through Apache. This is http 
> request.

Only if this information has been shared with you by the upstream proxy
or router/gateway/forward proxy.  E.g. - what mod_remoteip is designed
to decode, ---when the information is presented---.

> Question 2: I am testing another Apache reverse proxy which proxies two 
> backend https servers. I am trying to use mod_proxy_balancer.
> 
> 
>   Balancermember https://192.168.1.1:443 keepalive=on
>   Balancermember https://192.168.1.2:443 keepalive=on
> 
> 
> Proxypass /test balancer:mycluster/
> 
> When I test to access the site, I got login prompt from first server which I 
> saw from access log. I typed in login name and password. I got the login 
> prompt back but from the log I saw the connectivity was back from server 2. 
> It seems to me like round robin connection to backend server by Apache. I 
> tried with keyword "JSESSION" but no luck. Does anyone know how to configure 
> Apache so the same connection always goes through the same backend https 
> (http) server. Thanks in advance.

Are you forgetting your ProxyPassReverse statements?  As of the current
version, the syntax above (but wtf happened to your // before mycluster???)
would work just fine for a ProxyPassReverse rule.

> This message (including any attachments) is intended
> solely for the specific individual(s) or entity(ies) named
> above, and may contain legally privileged and
> confidential information. If you are not the intended 
> recipient, please notify the sender immediately by 
> replying to this message and then delete it.
> Any disclosure, copying, or distribution of this message,
> or the taking of any action based on it, by other than the
> intended recipient, is strictly prohibited.

You have emailed a public list.  Your intended individuals are the world.




Re: [us...@httpd] Re: Apache httpd does not respect the HTTP RFCs !

2009-12-01 Thread William A. Rowe Jr.
Carsten Wiedmann wrote:
> William A. Rowe Jr. schrieb:
>> I agree it should be easier, Rich and I have it down to 3-4 lines of rewrite
>> magic to kick out a 400, but we should probably allow this to be explicit
>> [default?]
> 
> That would be nice. And if I'm be able to set the status code in a
> RewriteRule and/or Header directive.
> I guess you have seen my RewriteRule with the Perl script in my other message.
> Well, I'm only using a Perl script, because this is not possible (assuming
> httpd-multilang-errordoc.conf is enabled):
> | RewriteRule ^.*$ /error/HTTP_BAD_REQUEST.html.var \
>   [PT,NS,E=REDIRECT_STATUS:400]
> | Header set Status "400 Bad Request"
> 
> I'm getting my multi language error document, but I can't set the status
> header in this way.

You are going way overboard, I suspect.  Simply try;

NameVirtualHost *:80

# This MUST be the first host, it will be the default after all other
# hosts are evaluated and rejected.  The servername must simply be a
# name which is never used, so example.com is appropriate.
<VirtualHost *:80>
ServerName bad.host.example.com
RewriteEngine On
RewriteRule .* - [R=400]
</VirtualHost>




Re: [us...@httpd] Re: Apache httpd does not respect the HTTP RFCs !

2009-12-01 Thread William A. Rowe Jr.
Carsten Wiedmann wrote:
> 
> Well, and the error document with [R=400] (or other status codes) is also
> not multi language.

Right; presume for a moment that anyone hitting your server with a bogus dns
reference or by-ip is doing so in a less-than-friendly, spidery or malicious
manner.  Are they really worth sending an elegant error page to?

You can't both set the code and trigger ErrorDocument; but of course patches
would be welcome.

I'm not certain if this works, but;

Redirect 400 /

or

RedirectMatch 400 .*

would more likely provide the proper error page you are looking for, but
I haven't tested this for you.




Re: [us...@httpd] Building Apache 2.2 without IPv6

2009-12-03 Thread William A. Rowe Jr.
Zachary Uram wrote:
> Krist I prefer IPv4 addressing. I can remember 128.2.10.12 but I can't
> remember some insane IPv6 hexadecimal address! lol. And I love my
> commands such as ping, traceroute, dig, host, nslookup etc.

This has nothing to do with why to enable IPv6 in APR.

Look, the IPv6 API is far superior to the standard posix IPv4 functions.
IGNORE the danged IPv6 addresses, that isn't the point!!!

To make Apache httpd speak only IPv4 is trivial.  Replace

  Listen 80

with a sensible

  Listen 0.0.0.0:80

which tells httpd to listen only on IPv4 adapters, all of them, on their
respective port 80's.  And unless you tell it otherwise, it WON'T attempt
to listen on any IPv6 adapters.

And if IPv6 confuses you, PLEASE take a minute to look at :: syntax :)




Re: [us...@httpd] Building Apache 2.2 without IPv6

2009-12-04 Thread William A. Rowe Jr.
Daniel Reinhardt wrote:
> From: "William A. Rowe Jr." 
> Sent: 04 December, 2009 7:03
> To: 
> Subject: Re: [us...@httpd] Building Apache 2.2 without IPv6
> 
>> Zachary Uram wrote:
>>> Krist I prefer IPv4 addressing. I can remember 128.2.10.12 but I can't
>>> remember some insane IPv6 hexadecimal address! lol. And I love my
>>> commands such as ping, traceroute, dig, host, nslookup etc.
>>
>> This has nothing to do with why to enable IPv6 in APR.
> 
> Actually it has everything to do with it.  IPv6 is useless to me on a
> small HOME LAN of 5 computers.

No, it isn't.

IPv6 defines an entire set of improved DNS interrogation techniques which
are vastly superior to the original, IPv4/Posix subset.  getaddrinfo()
and getnameinfo() don't exist without IPv6 'support'.  That support doesn't
have to include a single binding to an adapter, but those functions are part
of the IPv6 'spec'.

If you want to continue to belabor your arguments, this is a users list.
I'm sure other users will entertain your dialog.

But if APR *detected* IPv6 functions, that functionality is enabled.  If
your packager dropped you an IPv6 enabled package and an IPv4 kernel, that
is their mistake and you need to move this dialog to their forum if you hope
to gain any results from your complaints.





Re: AW: [us...@httpd] Silent Installation Apache HTTP Server

2009-12-17 Thread William A. Rowe Jr.
Buchbauer Thomas wrote:
> Platform: Windows
> Version: latest release (>= 2.2.13)

I recently updated the docs; see
http://httpd.apache.org/docs/trunk/platform/windows.html#advinst




Re: AW: AW: [us...@httpd] Silent Installation Apache HTTP Server

2009-12-17 Thread William A. Rowe Jr.
Buchbauer Thomas wrote:
> Sounds good!
> 
> Is there also a way to provide an so called 'answer-file' instead of 
> specifying the values in the command-line?
> See http://nsis.sourceforge.net/Docs/Chapter4.html#4.12

You know the variables; this isn't a Microsoft System Installer
(msiexec) support list, you might try the usual msdn discussion
forums or actually check the docs ;-)




Re: AW: [us...@httpd] Silent Installation Apache HTTP Server

2009-12-18 Thread William A. Rowe Jr.
André Warnier wrote:
> William A. Rowe Jr. wrote:
>> Buchbauer Thomas wrote:
>>> Platform: Windows
>>> Version: latest release (>= 2.2.13)
>>
>> I recently updated the docs; see
>> http://httpd.apache.org/docs/trunk/platform/windows.html#advinst
>>
> That is a great page. Thanks.
> But it does not seem to be the same one as one gets when following from
> the httpd 2.2 docs main page, namely
> http://httpd.apache.org/docs/2.2/platform/windows.html
> When do these get reconciled ?

Someone needs to backport.  Usually it's the original author, but no doubt
I just held off since I have more changes to make to that document.  But
it doesn't stop someone else from backporting it.

Can anyone comment who's used the revised guide to try some advanced
installation tricks?

The forum for documentation feedback is the d...@httpd.apache.org list




Re: [us...@httpd] Code coverage while running web server

2009-12-21 Thread William A. Rowe Jr.
Krist van Besien wrote:
> On Sat, Dec 19, 2009 at 1:30 AM, Guruprasad JG wrote:
>> I am referring to the Apache code written in C. I would like to see if all
>> the paths are exercised for - request processing, resource management,
>> connection pooling, and configuration directives of the apache core. This
>> would be more like functional testing of apache.
> 
> I think you'll have to explain to us what you exactly mean with
> checking that "all the paths are exercised". I have no clue how to
> "exercise paths" in any context, and I do consider my knowledge of the
> English language quite substantial. Maybe you should rephrase your
> question.
> If you just want to know what goes on inside Apache when a request is
> processed then you can of course run it in a debugger. Will be slow,
> though. Make sure the timeout in whatever client you use is high
> enough.

This is a common phrase in software engineering.  The only solution to
achieve code coverage is to instrument httpd with a code coverage tool,
and test it.

See the http://httpd.apache.org/test/ page and the repository at
http://svn.apache.org/viewvc/httpd/test/framework/trunk/ for the test
framework of httpd.  Patches to increase code coverage would be welcome.

You will not achieve 100% on a single box, due to the platform differences
in the code paths.




Re: [us...@httpd] Apache 2.2.14 - Win XP - requests hanging, nothing sent

2010-01-13 Thread William A. Rowe Jr.
On 1/13/2010 10:26 AM, Nathan Long wrote:
> Hi! First time posting - will try to step lightly.
> 
> I've got Apache 2.2.14 installed on a Win XP laptop. Some page loads
> work fine, but others never complete. To rule out PHP or MySQL, I made
> a 1 KB, static, HTML-only page, and I get the same hit-or-miss issue
> with it. I've also tried Firefox and IE, with the same results.

XP [personal operating system] only supports two simultaneous applications
of the TransmitFile API.

Please try the 'stock answer' of 'EnableSendfile Off' in your config.






Re: [us...@httpd] Apache on IA64

2010-01-13 Thread William A. Rowe Jr.
On 1/9/2010 9:58 AM, Jorge Schrauwen wrote:
> I have not targeted IA64, but I've done quite a lot of binaries for
> EMT64/AMD64.

Note the architectures are radically different, AIUI IA64 has a 64 bit
default int, X86_64 is a 32 bit;  IA64 is a big endian platform, IIRC,
while X86_64 is small endian.  There will be any number of other major
and many subtle discrepancies.

You will have to tune all of the .hw files appropriately, but patches are
welcome.  Best of luck :)




Re: [us...@httpd] %2F to /

2010-01-17 Thread William A. Rowe Jr.
On 1/16/2010 9:51 AM, Kpadvel wrote:
> Okey, I wasn't aware of that. Starting a new thread.
> 
> Experts please advise and here is the problem...
> 
> We are getting a dummy 404-not found error on a page wherein which the URL 
> has %2F and it needs to be decoded as / but that's not happening. We don't use 
> Vhost and proxy pass. We added the AllowEncodedSlashes On to the server 
> config but still no luck. We haven't compiled the Apache with php.

%2F is not '/' - please read your RFC 2616 very carefully, the character
'/' is a path delimiter; and %2F != '/' for purposes of the protocol, but
another character entirely.  If httpd did what you have requested, it would
be riddled with security holes.



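Added example, not part of the original thread and not httpd's implementation: a small Python model of why %2F and '/' are different characters to a path parser, as the reply above states. The function names and sample paths are constructed; strict_route simply models a server that refuses encoded slashes.

```python
from urllib.parse import unquote


def split_then_decode(raw_path):
    """Treat only a literal '/' as a delimiter, then decode each segment."""
    return [unquote(seg) for seg in raw_path.split("/") if seg]


def decode_then_split(raw_path):
    """Decode the whole path first, so %2F becomes a delimiter too."""
    return [seg for seg in unquote(raw_path).split("/") if seg]


def parsers_disagree(raw_path):
    """True when the two readings yield different path structures."""
    return split_then_decode(raw_path) != decode_then_split(raw_path)


def strict_route(raw_path):
    """Model of a server that refuses any path carrying an encoded slash."""
    if "%2f" in raw_path.lower():
        return 404, None
    return 200, split_then_decode(raw_path)


def flag_ambiguous(request_paths):
    """Return the logged paths that two components could read differently."""
    return [p for p in request_paths if parsers_disagree(p)]


# Constructed sample request paths, as they might appear in an access log.
SAMPLE_PATHS = [
    "/files/reports/2010/summary",
    "/files/reports%2F2010/summary",
    "/files/a%20b/summary",
]
```

A rule written against the three-segment reading and a backend that uses the four-segment reading would be making decisions about different resources, which is why the two characters cannot be treated as interchangeable.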


Re: [us...@httpd] SSL error reported from windows socket

2010-01-25 Thread William A. Rowe Jr.
On 1/25/2010 10:05 AM, Tony Anecito wrote:
> Hi All,
> 
> I am getting intermittent windows ssl error regarding connections. Something 
> like socket error code 12157 ERROR_INTERNET_SECURITY_CHANNEL_ERROR.

This message has no relationship to Apache httpd that I'm aware of, it is
from a different set of APIs altogether.  Is this from your error.log?

> It is intermittent and I am load testing against Apache web server using 
> loadrunner 9.0. We are using SSLV3 for Apache 2.2. There is some strange 
> message in the error about retrys(0). Is there some control on the Apache 
> side for setting the retries to more than 0?

I believe it's a loadrunner configuration, if I had to guess.




Re: [us...@httpd] getting client ip address information from http request.

2010-02-05 Thread William A. Rowe Jr.
On 2/5/2010 7:13 AM, Arnab Ganguly wrote:
> Hi All,
> How do I retrieve client ip information from the http request in Apache
> module ? Like the loadbalancer is putting it own ip in the place of
> client ip address. We tried %{X-Forwarded-For} but this takes care of
> access log not the module specific log.
> 
> So from the request is there any function call can be done to retrieve
> the client information.

You are looking for

  http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/metadata/mod_remoteip.c

  http://httpd.apache.org/docs/trunk/mod/mod_remoteip.html

(yes, it will build on httpd-2.2).




[us...@httpd] Re: Fwd: Cron /root/bin/bugcron.sh

2010-02-07 Thread William A. Rowe Jr.
On 2/7/2010 6:45 PM, Sander Temme wrote:
> 
> 
> Begin forwarded message:
> 
>> ASF Bugzilla is running its weekly stats at Sun Feb 7 23:08:02 UTC 2010
> <..>
>>   65 bugs for Apache httpd-1.3
> 
> Now that we have lowered the boom on 1.3, shall we close it out for new bugs?
> 
> Anyone have an opinion on the existing open bugs?  Uproot them or let them
> wilt?

IMHO - either reclass them as trunk, fixed, or WONTFIX if they are n/a to trunk.

It's low hanging fruit for anyone on the user list.  What would users@ folks
think of becoming the assignee of this weekly bug list, to help out with that?






Re: [us...@httpd] IP address in access_log are always 0.0.0.0

2010-02-25 Thread William A. Rowe Jr.
On 2/24/2010 12:39 PM, Frank Chiulli wrote:
> 
> I was asked to update subversion to 1.6.6 on this box as well as
> others.  As part of that update, I updated both apr and apr-util from
> 0.9.4 to 0.9.13.  Initially everything seemed to be ok.  Then someone
> noticed that all the IP addresses in /var/log/httpd/access_log had
> changed from IPv4 to IPv6.

Pick up httpd 2.0.63 and the current apr versions!  You need to understand
that 0.9.4 -> 0.9.13 (which is already years too old!!!) was a larger
jump than binary compatibility will permit, and that you broke binary
compatibility again when you let APR pick up the presence of IPv6, which
might or might not have been present when the 0.9.4 was first installed.

0.9 doesn't exactly respect the same binary compatibility rules as versions
1.0 and later, because the rules were still evolving rapidly.  When finally
the httpd 2.2 shipped, using apr 1.x, things had settled in and both the
projects are better able to enforce binary compatibility.

With your old and new APR libraries, you just swapped in a BMW engine
underneath the hood of your VW beetle, and this probably isn't the only
side effect of a badly fit component.




Re: [us...@httpd] Re: Upgrading from Apache1 1.x to 2.1.14

2010-02-25 Thread William A. Rowe Jr.
On 2/21/2010 12:07 PM, Paul McFerrin wrote:
> I gave up on Xampp as a web server.  Too many problems with not having
> symbolic links.  Went and got Apache version 2.0.63 and I'm trying to
> port it to Cygwin.

That's a really foolish idea, since the httpd security model depends upon
a case sensitive filesystem or specific canonical support of the file system
that won't be found in the cygwin portability layer.




Re: [us...@httpd] FIPS 140_2 compliant for mod_proxy?

2010-03-03 Thread William A. Rowe Jr.
On 3/3/2010 8:34 AM, Mike Trent wrote:
> 
> Unfortunately restricting the algorithms to FIPS compliant algorithms in the
> apache configs is not good enough to claim FIPS 140-2 compliance. The
> openSSL library 'must' be running in FIPS mode. It is a requirement of FIPS
> 140-2 that the module doing the cryptographic functions is a FIPS
> 'validated' module. When in FIPS mode SSL will automatically restrict the
> algorithms.  Perhaps I need to post this on the openSSL forum instead.

It does more than that.  It invokes validated implementations of those specific
algorithms, not the optimized but not FIPS approved implementations that are
used by openssl by default.

Bring it to the attention of dev@, or more specifically, raise an issue on the
httpd bugzilla against 2.2.




[us...@httpd] [Announce] Apache HTTP Server (httpd) 2.2.15 Released

2010-03-06 Thread William A. Rowe Jr.
The Apache Software Foundation and the Apache HTTP Server Project are
pleased to announce the release and immediate availability of version
2.2.15 of the Apache HTTP Server ("httpd").  This version of httpd is
principally a security and bug fix release.

Notably, this release was updated to reflect the OpenSSL Project's
release 0.9.8m of the openssl library, and addresses CVE-2009-3555
(cve.mitre.org), the TLS renegotiation prefix injection attack.
This release further addresses the issues CVE-2010-0408, CVE-2010-0425
and CVE-2010-0434 within mod_proxy_ajp, mod_isapi and mod_headers
respectively.

We consider this release to be the best version of httpd available, and
encourage users of all prior versions to upgrade.

Apache HTTP Server 2.2.15 is available for download from:

  http://httpd.apache.org/download.cgi

Please see the CHANGES_2.2 file, linked from the download page, for a
full list of changes.  A condensed list, CHANGES_2.2.15 provides the
complete list of changes since 2.2.14. A summary of security
vulnerabilities which were addressed in the previous 2.2.14 and earlier
releases is available:

  http://httpd.apache.org/security/vulnerabilities_22.html

Apache HTTP Server 2.2.15 is compatible with Apache Portable Runtime
(APR) versions 1.3 and 1.4, APR-util library version 1.3, and
APR-iconv library version 1.2.  The most current releases should
be used to address known security and platform bugs.  At the time of
this httpd release, the recommended APR releases are:

  * Apache Portable Runtime (APR) library version 1.4.2 (bundled),
    or at minimum, version 1.3.12
  * APR-util library version 1.3.9 (bundled)
  * APR-iconv library version 1.2.1 (only bundled in win32-src.zip)

Older releases of these libraries have known vulnerabilities or other
defects affecting httpd.  For further information and downloads, visit:

  http://apr.apache.org/

Apache HTTP Server 2.2 offers numerous enhancements, bug fixes, and
performance enhancements over the 2.0 codebase.  For an overview of
new features introduced since 2.0 please see:

  http://httpd.apache.org/docs/2.2/new_features_2_2.html

This release builds upon and extends the httpd 2.0 API.  Modules written
for httpd 2.0 will need to be recompiled in order to run with httpd 2.2,
and may require minimal or no source code changes.

When upgrading or installing this version of httpd, please bear in mind
that if you intend to use httpd with one of the threaded MPMs (other
than the Prefork MPM), you must ensure that any modules you will be
using (and the libraries they depend on) are thread-safe.




Re: [us...@httpd] How to apply patches that are in patches_applied directory

2010-03-09 Thread William A. Rowe Jr.
On 3/9/2010 12:35 PM, Jeff Trawick wrote:
> 2010/3/7 Serj :
>> Hi,
>> There is no instructions how to apply patches
>> http://www.apache.org/dist/httpd/binaries/win32/patches_applied/ to the
>> source of Apache 2.2.15 before compiling and linking. How can I do it?
> 
> Using some good build of GNU patch for Windows (maybe
> http://gnuwin32.sourceforge.net/packages/patch.htm ?), cd into each of
> the openssl and zlib directories you've created under
> httpd-2.2.15/srclib and run something like

I avoid gnu myself, because it tends to handle files as unix.  My favorite
toolchain is http://unxutils.sourceforge.net/ which handles files in a more
windows-friendly way (but use the same gnu sources and same unix behavior).




Re: [us...@httpd] apache on windows

2010-03-13 Thread William A. Rowe Jr.
On 3/12/2010 3:59 PM, Brent Davidson wrote:
> Can anyone out there tell me if is workable or not to install
> Apache(most current version) on a Windows Web server?

It seems folks have missed the crux of your question.

You can run httpd.exe on any flavor of Windows, client or server.

The client operating systems have several deliberate flaws, such as only
allowing two simultaneous TransmitFile() calls (a la EnableSendfile On
in httpd language), and other crippling 'optimizations'.  Several settings
must be tweaked in order to get passable low volume performance.

The server operating systems, and I presume Windows Web Server is among
these, do not cripple the network stack in favor of 'interactive' use.

The major difference between these all is the EULA terms about simultaneous
connections and simultaneous logins.  Depending on your licensing you may
typically have only 10 logins allowed on entry level server products.  That
will *include* every connection you authenticate using mod_auth_sspi and
similar NTLM based auth solutions.

Review your Windows Web Server EULA, and I expect you will find it to be
acceptable for most basic applications of Apache httpd.




Re: [us...@httpd] 2.2.15-win32 compile failure (config-win.h)

2010-03-15 Thread William A. Rowe Jr.
On 3/15/2010 5:41 PM, Andy Wang wrote:
> Hi all,
> Just trying to build httpd 2.2.15 on Windows and I'm running into error:
> 
> NMAKE : fatal error U1073: don't know how to make '"config-win.h"'
> Stop.

If you are building the "NT" targets, they no longer exist.  I wasn't paying
attention when we moved the sources from apr 1.3.x to apr 1.4.x, where NT
became the default (e.g. Release Win32), and "Release Win9x" was added for
legacy support.  Can you make sure you are trying to build 'generic' Win32?

Or can you point to the particular file and I'll fix the .mak files.

I hope to eliminate the dep problems, and then commit them for posterity,
since the source files aren't likely to be rearranged again in 2.2 (or 2.0,
or released apr flavors).




Re: [us...@httpd] Is web server in front of app server necessary?

2010-03-15 Thread William A. Rowe Jr.
On 3/15/2010 8:52 PM, 夏蒸鑫 wrote:
> maybe, I don't know.
> but there is one point that we must believe.
> that is, tomcat's stable version is more secure than devel version of httpd.

Really?

You have over a century, perhaps 2 centuries of security experience among the
experts who monitor httpd commits, and that is only the core developers who
aren't out to profit over httpd's flaws to become blips on the httpd radar.
Hundreds of researchers are watching httpd commits for the opportunity to say
'gotcha', and hundreds more for the opportunity to quietly exploit a
vulnerability.

It will be nice once the tomcat project grows to such proactive oversight.

All that said, neither is 'better'; the advantage of running httpd in front of
a tomcat server is that one is likely to avert an exploit in the other, due to
the fact that you have two sets of parsers in place, each rejecting bogus
requests, so the chances of a defect in one server showing up are
significantly minimized.




Re: [us...@httpd] 2.2.15-win32 compile failure (config-win.h)

2010-03-16 Thread William A. Rowe Jr.
On 3/16/2010 9:44 AM, Andy Wang wrote:
> 
> Looking at the aprutil.mak, it looks like the default target is the
> generic Win32 Release target.
> The config-win.h failure is from aprutil.dep referenced by aprutil.mak
> (line 425 under the .\dbd\apr_dbd_mysql target):
>{$(INCLUDE)}"config-win.h"\

That's strange that it was picked up, when I export[ed] .dep's I just drop
the include paths for the DB layers, to prevent those from being resolved.

Hacking this away now; will probably tweak apr/build/fixwin32mak.pl to simply
strip off all 'generic' $(INCLUDE)'s which really shouldn't be dependencies.




Re: [us...@httpd] Locked Apache configuration file

2010-03-20 Thread William A. Rowe Jr.
On 3/20/2010 9:48 AM, Eric Covener wrote:
> On Sat, Mar 20, 2010 at 9:23 AM, Marc Buyens  wrote:
>> Thanks for the suggestion. Unfortunately, it does not solve the mystery. I
>> installed the tool and used the search option to find references to the
>> file, but without result. I am not an expert in these things, but I tried
>> finding references to the file or its folder, etc. in various ways, but it
>> does not return any results.
>> Another thing that I observed is that I can rename the file, but if I do so,
>> the file is immediately recreated.
> 
> What made you think it was "locked" in the first place?  There's a
> Vista/Win7 FAQ that lets users edit administrator-owned files by
> silently redirecting them as soon as you make changes, but Apache sees
> the original.

Note it is more insidious than that.

Even the administrator is editing files as 'just a user' in the normal Windows 7
or Vista UAC environment.  You actually have to create yourself a real admin
session to bring up these files in notepad or what have you.

Either set your notepad shortcut to 'run as user administrator' or you can just
launch an admin cmd.exe prompt (which isn't what happens when you run cmd.exe)
by either tagging the shortcut to run-as-user, or by invoking

runas /user:administrator "cmd.exe /k"





Re: [us...@httpd] Locked Apache configuration file

2010-03-20 Thread William A. Rowe Jr.
On 3/20/2010 11:52 AM, Marc Buyens wrote:
> Hello. Many thanks for this. I am new to W7 and wasn't aware of this.
> This is clearly one more Bill Gates quirk. What's the use of assigning
> administrator rights to users if they are not used? Anyway, you solved
> my problem. Explicitly asking to run as administrator allows me to
> change the file. It is a bit like confirming that I am still alive
> before editing the file. Some form of technology progress, I assume, but
> not a progress of human logic...

The 'workaround' would be for the installer to set up the shortcuts as 'requires
administrator privilege' - no password, no notepad.

But that's really a hack.  Instead I'm just looking towards moving volatile,
configuration things out of c:/Program Files/ into - well that's where I'm
stuck.  There's no /etc/ or /var/ on win32 ;-)




Re: [us...@httpd] Locked Apache configuration file

2010-03-20 Thread William A. Rowe Jr.
On 3/20/2010 1:02 PM, Daniel Reinhardt wrote:
> 
> Why not install Apache and other web serving stuff into a non-protected
> directory like c:\usr\local\apache

My c:\usr is quite locked down, thank you very much :)

> You can customize your installation locations.

We already enable that in the MSI installer.

> C:\Program Files is protected by the OS.

C:\ Root is protected by the OS as well.

The point isn't to run it as a unix app on windows, but to be a first class
citizen.  To do that, it's all about respecting conventions.

It appears that convention is now C:\ProgramData\Vendor\Application\

The idea moving forwards is there is only one copy of the program, by
default in the usual location, but the ability to install a skeleton
of a service (conf, logs, htdocs) anywhere, usually ProgramData as the
global/system server, but optionally a private-for-one-user flavor in
their own \Users\[username]\AppData\Local [or Roaming?]
profile, if they like.  Still working this through.

Making win32 more unix-like doesn't help win32 folks become acquainted with
Apache, very much.  But if you like to install everything under c:\opt\httpd
you are welcome to do that, instead :)




Re: [us...@httpd] Locked Apache configuration file

2010-03-20 Thread William A. Rowe Jr.
On 3/20/2010 7:46 PM, Daniel Reinhardt wrote:
> 
> --
> From: "William A. Rowe Jr." 
> Sent: 20 March, 2010 18:18
> To: 
> Subject: Re: [us...@httpd] Locked Apache configuration file
> 
>> On 3/20/2010 1:02 PM, Daniel Reinhardt wrote:
>>>
>>> Why not install Apache and other web serving stuff into a non-protected
>>> directory like c:\usr\local\apache
>>
>> My c:\usr is quite locked down, thank you very much :)
>>
>>> You can customize your installation locations.
>>
>> We already enable that in the MSI installer.
>>
>>> C:\Program Files is protected by the OS.
>>
>> C:\ Root is protected by the OS as well.
>>
>> The point isn't to run it as a unix app on windows, but to be a first
>> class
>> citizen.  To do that, it's all about respecting conventions.
>>
>> It appears that convention is now C:\ProgramData\Vendor\Application\
>>
>> The idea moving forwards is there is only one copy of the program, by
>> default in the usual location, but the ability to install a skeleton
>> of a service (conf, logs, htdocs) anywhere, usually ProgramData as the
>> global/system server, but optionally a private-for-one-user flavor in
>> their own \Users\[username]\AppData\Local [or Roaming?]
>> profile, if they like.  Still working this through.
>>
>> Making win32 more unix-like doesn't help win32 folks become acquainted
>> with
>> Apache, very much.  But if you like to install everything under
>> c:\opt\httpd
>> you are welcome to do that, instead :)
>>
>>
> 
> William,
> 
> You pretty much missed the entire point of my post, as it went clear
> over your head.  You can install anything you want and have it reside
> outside of c:\program files and it would still work.

Of course, that's why the installer lets you pick a path.  [You did make the
connection that I authored the win32 installer, I presume?]

Program Files doesn't work for some, maybe they run scripts or apps that
don't respect spaces, or the (x86) trips up some parsers also.

And it's too much typing for me; besides a 'test install', all dozen or
so copies on my boxes are installed on short easy-to-type paths.

> On 64bit Windows it comes with 2 Program Files and they are: c:\program
> files which is for 64bit applications, and then there is c:\program
> files(x86)\ which is for 32bit applications.  There is no default or
> conventional way of installing things on Windows or Linux.

There are conventions.  On both.  Choose from one of several, and even some
entirely erroneous conventions (e.g. wizbang should not be in the path
c:\program files\wizbang, but under c:\program files\wizsoft\wizbang\, but
plenty of apps do such nonsense).  Conventions on Linux include /usr/local/app
or /opt/app or /usr/app, all depending on what one is trying to accomplish.
Of course you can install on c:\windows\system32, or /usr/bin, but this is
just a bad idea when it comes to migration or OS upgrades.

> Reread my reply to you a little bit slower, and you will see what I was
> trying to say.  The directory path I was giving you as an example was
> just that an example.  I use WAMP Server, and I installed it on my D:
> drive under d:\apache2.

I did :)  We don't disagree - that doesn't mean the user who keeps their
*programs* (easily replaced or upgraded) separate from backed-up important
customizations should have to use WAMP's pile-it-on model, or fight with
the default protections against the ASF installer.  TMTOWTDI

The only thing I noticed in your comment is that I like to keep all
unix-ported apps and frameworks on the same drive letter; some more
primitive ports are just not so good with drive letters.  Apache is fine
with them, but that doesn't mean all favorite cgi apps will be.  [You
could also make a compelling argument for keeping it on a different
drive letter than the OS, for that very reason.]





Re: [us...@httpd] Apache 2.2 optimization -> Three tips

2010-03-22 Thread William A. Rowe Jr.
On 3/22/2010 3:34 AM, Geoff Millikan wrote:
> Here's three things I wish I had read about Apache optimization that are not
> commonly discussed (we found out by years of trial and error).

Agreed, agreed, and *huh*?

> 3. Increase your StartServers to the number of maximum requests on your
> biggest page.  For example, if your busiest page requires 30 hits/requests
> to load all the images, css, javascript, etc then 

It needs to be generously sized, but not users * maxrequests.  Just starting
your average server load is correct, e.g. if your server averages 300
simultaneous connections, you need to start with 300 servers, and you never
want it to drop below that number.

Yes, a browser can make multiple connections, but this is typically only two
parallel pipelines, perhaps even four.  But 30 workers are not handling the
30 requests comprising one user connecting to your site!!!  You just happened
to hit a magic correlation in your testing :)




Re: [us...@httpd] Apache 2.2 optimization -> Three tips

2010-03-22 Thread William A. Rowe Jr.
On 3/22/2010 5:08 AM, Geoff Millikan wrote:
>> if your server averages 300 simultaneous connections, you need
>> to start with 300 servers, and you never want it to drop
>> below that number.
> 
> Your experience might show otherwise however based on our experience - if we
> averaged 300 new customers/min at once (not 300 requests/sec) a
> MinSpareServers of 300 wouldn't be enough.

A connection is not a customer, as we discuss below.  I'm using the technical,
networking term connection, and this is what you can observe in mod_status
over a period of time to calculate an average (and min/max).

>> Yes, a browser can make multiple connections, but this is 
>> typically only two
>> parallel pipelines, perhaps even four.  
> 
> The "average" browser now makes 6 parallel connections per hostname per:
> http://www.browserscope.org/

Interesting research, thanks!

>> But 30 workers are not handling the 30 requests comprising
>> one user connecting to your site!!!  You just happened
>> to hit a magic correlation in your testing :)
> 
> I agree, the way I understand the prefork model to work, the 30 processes
> aren't each serving one of the 30+ requests this Customer's browser made (is
> keepalive tracked across processes?).  However, the way the testing worked
> out for us, it seems that way.  We did a lot of testing to come up with our
> numbers and just "ball parking" it, the number of servers seemed to work out
> best when matched to the number of requests per page.  

Fair enough, but if your testing was of ~30 requests, and we are believing that
the typical browser is making 6 simultaneous connections, then it sounds like
the real magic was 6 * fudge factor of 5 ;-P





Re: [us...@httpd] apache+mod_fcgid on windows

2010-03-23 Thread William A. Rowe Jr.
On 3/23/2010 11:32 AM, Brent Davidson wrote:
> I have Apache 2.2.15 installed on Windows2008 box, along with mysql and
> php. This is a test box right now, but will be a production server when
> this testing is completed.
> The msi download for windows does not include mod_fcgid.

Nope but the binary is in the distribution tree and linked from the download
page, so I'm not sure where you got turned around.  You mentioned the source
package but I'm assuming that isn't what you wanted, and apparently the
downloads page is out of date.

Look here;

http://www.apache.org/dist/httpd/binaries/win32/




Re: [us...@httpd] apache+mod_fcgid on windows

2010-03-23 Thread William A. Rowe Jr.
On 3/23/2010 12:32 PM, Jeff Trawick wrote:
>>
>> http://www.apache.org/dist/httpd/binaries/win32/
> 
> FWIW, we didn't get a mod_fcgid 2.3.5 binary build prepared for Windows.

Thanks for that point; one will be on its way shortly.




Re: [us...@httpd] Multiple programs on port 80

2010-03-25 Thread William A. Rowe Jr.
On 3/25/2010 2:46 PM, Mark wrote:
> On another server I run with IIS, I was able to configure it such that
> different domain names (that led to the same server) would take users to
> different websites, or, if none were met, would merely send it to
> whatever other programs I had running on port 80. I was wondering if
> it's possible to do this with apache. I would like my one domain to go
> to my apache site, and the IP address to take me to my other program
> running on port 80, meebo repeater. I wasn't sure how to phrase this in a
> google search and the few things in the http.conf file that sounded
> relevant became dead-ends, so here I am. Anyways - I hope one of you can
> answer this; thanks in advance.

The phrase you are looking for is "Named virtual hosts", happy googling,
and check out the NameVirtualHost, ServerName and ServerAlias directives
for httpd.




Re: [EMAIL PROTECTED] Here's a new one (to me).

2008-07-29 Thread William A. Rowe, Jr.

Grant Peel wrote:

index.html = 1401 bytes.

?


Well that's good, you have to understand that without proxy module enabled,
these are /local/ requests...


Grant Peel wrote:


On this past Saturday, my server started seeing sporadic spikes in 
CPU usage. As it turns out, somehow, some bot or something somewhere 
is connecting to my server and relaying messages to another server.


Don't freak out...


Log lines:

66.139.69.201 - - [29/Jul/2008:04:01:58 -0400] "GET http://www.microsoft.com/ HTTP/1.0" 200 1401 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"


How large is your index.html?



go ahead and (without using DNS) just

telnet {your-ip} 80

GET http://www.microsoft.com/ HTTP/1.0
Host: www.microsoft.com

and see what the server comes back with; it will be your own index.html.

Without proxy; the http://hostname is stripped off, and your server
simply served up /


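The check from the message above (compare the logged byte count of an absolute-URI request with the size of your own index.html) applied to access-log lines. This is an added example, not code from the thread; the local host name, the document sizes and every log line except the first are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Common/combined log format up to the byte count; later fields are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Assumptions for this example: the names this server answers to and the
# on-disk size in bytes of the documents it serves.
LOCAL_HOSTS = {"www.example.org"}
LOCAL_SIZES = {"/": 1401, "/index.html": 1401}

SAMPLE_LOG = [
    # Log line quoted in the thread.
    '66.139.69.201 - - [29/Jul/2008:04:01:58 -0400] "GET http://www.microsoft.com/ HTTP/1.0" 200 1401 "-" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"',
    # Constructed lines.
    '192.0.2.10 - - [29/Jul/2008:04:02:03 -0400] "GET /index.html HTTP/1.1" 200 1401 "-" "-"',
    '192.0.2.11 - - [29/Jul/2008:04:02:09 -0400] "GET http://www.example.org/ HTTP/1.1" 200 1401 "-" "-"',
    '198.51.100.7 - - [29/Jul/2008:04:03:10 -0400] "GET http://other.example.net/login HTTP/1.0" 404 209 "-" "-"',
    '198.51.100.8 - - [29/Jul/2008:04:03:44 -0400] "GET http://other.example.net/ HTTP/1.0" 200 48213 "-" "-"',
]


def triage(line, local_hosts, local_sizes):
    """Classify one access-log line.

    Returns None for ordinary requests (GET /path) and for absolute-URI
    requests that name one of our own hosts.  Otherwise returns
    (client_ip, requested_host, verdict) where verdict is:
      local-content  200 and the byte count equals our own document for that
                     path, i.e. the host part was dropped and "/" was served
      refused        the server answered with a 4xx/5xx status
      investigate    anything else, e.g. a 200 whose size matches nothing local
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    if "://" not in target:
        return None
    try:
        url = urlsplit(target)
        host = (url.hostname or "").lower()
    except ValueError:
        # Malformed authority part: cannot be matched against local names.
        return (m.group("ip"), target, "investigate")
    if host in local_hosts:
        return None
    status = int(m.group("status"))
    size = m.group("size")
    path = url.path or "/"
    if status >= 400:
        verdict = "refused"
    elif status == 200 and size != "-" and local_sizes.get(path) == int(size):
        verdict = "local-content"
    else:
        verdict = "investigate"
    return (m.group("ip"), host, verdict)


def triage_log(lines, local_hosts, local_sizes):
    """Run triage() over many lines and keep only the flagged requests."""
    results = (triage(line, local_hosts, local_sizes) for line in lines)
    return [r for r in results if r is not None]


if __name__ == "__main__":
    for ip, host, verdict in triage_log(SAMPLE_LOG, LOCAL_HOSTS, LOCAL_SIZES):
        print(f"{ip:15} {host:22} {verdict}")
```

A size match is a heuristic, the same one the reply uses; the telnet test in the message remains the direct confirmation.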



Re: [EMAIL PROTECTED] Re: suExec and UserDir module

2008-08-07 Thread William A. Rowe, Jr.

Juan Asensio Sánchez wrote:

Does anyone know if this can be done? Any help?

2008/8/4 Juan Asensio Sánchez <[EMAIL PROTECTED] >

Hi everybody

I have just configured a LDAP based Samba Server. Now i want the
users to publish their websites with the module UserDir. The problem
is that user's directories are chmoded 700 (and I want to be 700)


But that is not possible.  You would be a fool to deploy suexec arbitrarily
across all the users, that's WORSE than setting the appropriate 711 perms
granting effectively far more permissions than you intended.

So if you won't set permissions appropriately, give the users another place
to store per-user documents outside of their home directories.






Re: [EMAIL PROTECTED] Re: Does Apache Support Piped Logs On Windows Platform

2008-08-08 Thread William A. Rowe, Jr.

Yoann Roman wrote:

William A. Rowe, Jr. wrote:


Then it became 'run this shell command through cmd.exe' - which needed
stdin/out/err all set up right to not-fail running as-a-service.

Change it back from shellcmd to program and voila, the code works.  We
hacked at various handle codes for stdout/stderr, but nothing except
a legitimate file stream will make cmd.exe happy.

So Apache just dies with a message that it fails to create the log.


Was this problem ever resolved in 2.2.9?


Yes, the behavior I describe above, with apr 1.2, should have been resolved
with 2.2.9 and apr 1.3.0.


I'm trying to set up 2.2.9 as a service on an XP SP2 box with either
rotatelog or cronolog for main and vhost error/access logs, but I see
several cmd.exe processes when starting it up. I have a W2K box with 2.0.63
that doesn't have this shell behavior (also a service using cronolog).


Oh - it still runs cmd.exe.  The difference is - there are the correct
pipes between apache and that cmd/invoked program/script.


What I found...

This says a similar problem was resolved in 2.2.6:


Please be specific about *your* problem...


I also skimmed through the SVN logs for log.c and didn't see anything about
fixing this.


No, these are all subdependencies, you wouldn't note them from log.c





Re: [EMAIL PROTECTED] Re: Re: Does Apache Support Piped Logs On Windows Platform

2008-08-11 Thread William A. Rowe, Jr.

Yoann Roman wrote:

William A. Rowe, Jr. wrote:

Oh - it still runs cmd.exe.  The difference is - there are the correct
pipes between apache and that cmd/invoked program/script.


That's what I'm trying to avoid, actually. I have 2 vhosts with this
install, each doing its own error and access logging. With the 2 processes
per log (not sure why that happens, either) plus cmd.exe, that adds up to 20
processes for 5 logs.

I was actually looking for implementation of the additional piping options
discussed in the dev list exchange I mentioned. I'm basically trying to get
the same behavior with 2.2.9 on XP that I'm seeing on 2.0.63 on W2K (no
cmd.exe).


After this was "broken" across all platforms, I raised on this list a
suggestion for a new syntax; for example "||..." would mean a command line
shell environment (really "pipe"), while "|$..." would mean really exec.
That was the idea, anyways, we should be revisiting it.  Realize this isn't
Win32 specific, but it's an issue across platforms.





Re: [EMAIL PROTECTED] How to get SSL handshake errors logged

2008-08-14 Thread William A. Rowe, Jr.

Wilda, Jet wrote:

Hi,

How do I get Apache httpd (2.0.X and 2.2.X) to log SSL handshake 
errors?  I found that if I set ‘LogLevel info’ they will be logged to the error 
log.  However it then logs way too much stuff.  What I need is a way to just log
all the SSL errors especially the handshake errors.  Thanks for any and all 
help ☺


I thought that the failure itself was logged at level 'error'.  Certainly,
at level 'warning'.  If this is not so, we should review the error levels
of the various emits from mod_ssl.

Feel free to sniff the LogLevel info for one failed connection, and point
out the one error that you believe should have been logged at warn/error.

Notice that you can tell which are which right in the logs, just look for
[info], [warn] etc on each log line.





Re: [EMAIL PROTECTED] Problem with configs

2008-08-22 Thread William A. Rowe, Jr.

Joseph S D Yao wrote:


I have just joined this mailing list, but a Google indicates that this
topic has not come up before.  If I am wrong, I apologize, and ask for a
pointer.


Good way to attract attention of lurkers :)


I understand that the argument to the Proxy directive is supposed to be
a shell-style wildcard (rather than a simple prefix match), as the
argument to the ProxyMatch directive is supposed to be a Perl-style
regular expression.


Ok.  So a shell style wildcard never hits on a path delimiter, right?


http://*.tuxedo.org*>


Perhaps you meant http://*.tuxedo.org/*

But the trailing * is redundant.  Drop it altogether.




Re: [EMAIL PROTECTED] Problem with configs

2008-08-24 Thread William A. Rowe, Jr.

Joseph S D Yao wrote:

I understand that the argument to the Proxy directive is supposed to be
a shell-style wildcard (rather than a simple prefix match), as the
argument to the ProxyMatch directive is supposed to be a Perl-style
regular expression.

Ok.  So a shell style wildcard never hits on a path delimiter, right?


That depends on what "shell-style wildcard" means in a given
implementation.  I have seen ones where the path delimiter is not a
special character.  As the '/' is (a) not solely a path delimiter and
(b) not the unique path delimiter, in a URL, I had not expected that to
be a special character here.


Shell wildcards are sensitive to path delimiters; read RFC 2616 and its
cited RFCs; "/" are path delimiters.  End of discussion.


In fact, noting that a "*" will match
"http://www.example.com/dir1/dir2/dir3/page.html", I rather suspect that
it is not.


It will.


http://*.tuxedo.org*>

Perhaps you meant http://*.tuxedo.org/*

But the trailing * is redundant.  Drop it altogether.


Yours does not accept the common usage, "http://www.tuxedo.org", with no
trailing '/'.  Most Web servers will accept and correct this.


No; they don't - your browser did.  But that correction is prior to httpd
handling the request.  "/" is the minimal path, see the RFC.


It is not clear to me that the "*" is redundant.  Without it, don't I
restrict myself to the home page?  


No


All examples I have seen used with
 that are not using "*" end in '*'.


Who suggested random configurations you discover from google are any good?




Re: [EMAIL PROTECTED] How to start Apache automatically with certificate?

2008-08-28 Thread William A. Rowe, Jr.

Joseph S D Yao wrote:

On Thu, Aug 28, 2008 at 10:31:42AM -0300, Tan, Liao  wrote:

Ok, ic I can simply remove the passphrase, and provided the new key be
readable by root only, I should not have any security problems... is it simply
remove it? or any other settings, configurations, re-installation?


It should not be owned by root, because you should not be running your
server as root.  You should be running your servers as some other user,
say, "apache", and so the uncloaked cert files should be stored as
read-only by "apache".


Yes, and the server should be *started* as root, User/Group modified to
a limited access account (e.g. apache, or nobody), all system resources
initially created and owned by root (e.g. logs/, certs etc), and the
appropriate access control granted to the apache/nobody user (no write
access to logs/, no read access to keys).

There are logs that are dynamically created, give your apache user write
access to a logs/safe/ directory to put those into.  But the logs/ dir
should never be modifiable by the apache user.  Similarly the certs dir
should never be readable by the apache user.

If you start your server (e.g. launch it) from the 'apache' user account,
it's impossible to keep the running server from manipulating the logs/
directory etc, or accessing keys files, etc.


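One way to audit the layout described in the message above: keys unreadable, logs/ unmodifiable and logs/safe/ writable for the account httpd switches to. This is an added example, not httpd's or the thread's code; the directory names certs, logs and logs/safe under a server root, the file name server.key and the numeric ids are assumptions, and only classic mode bits are evaluated (no ACLs, runtime account assumed non-root).

```python
import os
import tempfile

R, W, X = 4, 2, 1

# Constructed layouts (relative path -> mode) used by the demo below.
HARDENED = {"certs": 0o700, "certs/server.key": 0o400,
            "logs": 0o755, "logs/safe": 0o770}
WEAK = {"certs": 0o755, "certs/server.key": 0o644,
        "logs": 0o775, "logs/safe": 0o775}


def can(st, uid, gids, want):
    """True if the account (uid, gids) has, or can give itself, `want` on st.

    An owner counts as having access because it can chmod the entry, which
    is why launching the server from the runtime account defeats the layout.
    """
    if st.st_uid == uid:
        return True
    bits = (st.st_mode >> 3) & 7 if st.st_gid in gids else st.st_mode & 7
    return bits & want == want


def audit_server_root(root, uid, gids, key_dir="certs", log_dir="logs",
                      safe_dir="logs/safe"):
    """Return [(relative_path, problem)] for the runtime account (uid, gids)."""
    gids = set(gids)
    findings = []

    key_path = os.path.join(root, key_dir)
    key_st = os.stat(key_path)
    if can(key_st, uid, gids, R):
        findings.append((key_dir, "listable"))
    # Files are only reachable if the directory itself can be traversed.
    if can(key_st, uid, gids, X):
        for name in sorted(os.listdir(key_path)):
            if can(os.stat(os.path.join(key_path, name)), uid, gids, R):
                findings.append((key_dir + "/" + name, "readable"))

    log_st = os.stat(os.path.join(root, log_dir))
    # Write plus search on a directory allows creating, renaming and deleting.
    if can(log_st, uid, gids, W | X):
        findings.append((log_dir, "writable"))

    # The one place the runtime account is meant to write dynamic logs.
    safe_st = os.stat(os.path.join(root, safe_dir))
    if not (can(log_st, uid, gids, X) and can(safe_st, uid, gids, W | X)):
        findings.append((safe_dir, "not-writable"))
    return findings


def build_demo_tree(modes):
    """Create a constructed server root in a temp dir and apply `modes`."""
    root = tempfile.mkdtemp(prefix="serverroot-")
    os.makedirs(os.path.join(root, "logs", "safe"))
    os.makedirs(os.path.join(root, "certs"))
    with open(os.path.join(root, "certs", "server.key"), "w") as fh:
        fh.write("constructed placeholder, not a real key\n")
    # Deepest paths first, then their parents.
    for rel in sorted(modes, key=len, reverse=True):
        os.chmod(os.path.join(root, rel), modes[rel])
    return root


if __name__ == "__main__":
    for label, modes in (("hardened", HARDENED), ("weak", WEAK)):
        root = build_demo_tree(modes)
        st = os.stat(os.path.join(root, "logs"))
        # Runtime account modelled as a different uid in the tree's group;
        # the creating user stands in for root as owner of the tree.
        print(label, "separate runtime user:",
              audit_server_root(root, st.st_uid + 1, {st.st_gid}))
        print(label, "launched as the owner: ",
              audit_server_root(root, st.st_uid, {st.st_gid}))
```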



Re: [EMAIL PROTECTED] How to start Apache automatically with certificate?

2008-08-28 Thread William A. Rowe, Jr.

Joseph S D Yao wrote:

On Thu, Aug 28, 2008 at 05:42:59PM -0400, Eric Covener wrote:
...

root-owned private key sure sounds wiser to me.

...

Tell me three good reasons why.  Bad ones don't count.


I owe you one and that's all my time you'll waste.

A root owned private key perms 400 is going to be visible to a cgi if
you are foolish enough to make it readable.  And once there, any trivial
MTM or DNS hole is going to allow your users to impersonate your business.

If starting as root and changing to apache/nobody user, that key will not
be visible if there's a local code execution vulnerability.

Please folks, treat Yao's security advice with the appropriate caution.





Re: [EMAIL PROTECTED] Error when creating certificate in HPUX

2008-09-03 Thread William A. Rowe, Jr.

Joseph S D Yao wrote:
> Long ago but not far away, when I had to implement this on HP-UX, I
> found that it had no "random" device.  Not many systems did, then or
> now.  So I got the Entropy Generating Daemon [egd, written in Perl], and
> it worked fine.  Remember to have it start at boot BEFORE anything that
> uses random data.  And you will have to tell 'openssl' etc. about it.
>
> Oh, look, it's moved to sourceforge.  ;-)
>
> http://sourceforge.net/projects/egd/


Or, just search hpux site for their /dev/random device patch.  It's built
into 11.23 but was a separate download/add-in for earlier 11.x flavors.




Re: [EMAIL PROTECTED] How to start Apache automatically with certificate?

2008-09-04 Thread William A. Rowe, Jr.

Joseph S D Yao wrote:
> On Thu, Sep 04, 2008 at 03:55:33PM +0100, Tom Evans wrote:
> ...
>> They've also suggested that their conf files be owned by root, and only
>> readable by the apache user, which you also disagree with.
> ...
> Nobody has come up with a good argument for this, or a refutation of my
> argument against it.


The refutation is that in order to bind to port 80, have access to keys,
etc, httpd must start as root.  If the conf files are owned by a "wwwadmin"
role user, that's fine, it's one degree removed from root.  But if they
are owned by the user which httpd process runs-as (after User directives),
then the system can be exploited; whoever configures httpd.conf ultimately
is running code as-root initially.
Perhaps you have modperl configuration, or exploit an overrun of config
syntax parsing.  Whatever, your conf is run as root, so it is no less secure
to demand these files are edited by root.


>> Your security advice, from what I've seen, is at best misinformed, and
>> at worst it is negligent. I urge anyone reading this thread to check
>> some reputable sources before implementing any of Joseph's suggestions.
>
> I urge anyone reading this thread to actually read it.


Please stop pushing an ill-advised agenda until you thoroughly understand
httpd security.  Tom Evans' post was the most succinct summary presented
yet, and I find no fault in it.
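
The ownership rules argued in this thread (conf/ and logs/ not writable by the run-as user, certs/ not readable by it, logs/safe/ as the only writable spot), as an added example that is not part of the original posts. The function names, the conf/logs/certs layout and the sample tree are assumptions; the check looks at each entry's own mode bits only, not ACLs or parent-directory traversal.

```python
import os
import stat
import tempfile

# Policy from the thread: the run-as user must not write conf/ or logs/
# (logs/safe/ excepted) and must not read certs/. The directory names are
# assumptions about the ServerRoot layout.
DENY = {"conf": "w", "logs": "w", "certs": "r"}
SAFE = os.path.join("logs", "safe")

def can(st, uid, gids, want):
    """Owner/group/other test on one entry's own mode bits (no ACLs, no parent dirs)."""
    if uid == 0:
        return True  # root bypasses mode bits
    shift = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0
    return bool((st.st_mode >> shift) & {"r": 4, "w": 2}[want])

def audit(server_root, uid, gids=()):
    """Return sorted (relative path, problem) pairs for a run-as uid and gids."""
    findings, safe = [], os.path.join(server_root, SAFE)
    for top, want in DENY.items():
        for dirpath, _dirs, files in os.walk(os.path.join(server_root, top)):
            if dirpath == safe or dirpath.startswith(safe + os.sep):
                continue  # the one place the run-as user may write
            for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
                st = os.lstat(path)
                if not stat.S_ISLNK(st.st_mode) and can(st, uid, gids, want):
                    problem = "writable" if want == "w" else "readable"
                    findings.append((os.path.relpath(path, server_root), problem))
    return sorted(findings)

def demo_tree():
    """Constructed sample ServerRoot, owned by whoever runs this script."""
    root = tempfile.mkdtemp()
    dirs = {"conf": 0o755, "logs": 0o755, SAFE: 0o775, "certs": 0o700}
    files = {"conf/httpd.conf": 0o644, "logs/error_log": 0o644,
             "certs/server.key": 0o400}
    for rel, mode in dirs.items():
        os.mkdir(os.path.join(root, rel))
        os.chmod(os.path.join(root, rel), mode)
    for rel, mode in files.items():
        open(os.path.join(root, rel), "w").close()
        os.chmod(os.path.join(root, rel), mode)
    return root

if __name__ == "__main__":
    root = demo_tree()
    owner = os.lstat(root).st_uid
    print("run-as is the owner:", audit(root, owner))
    print("run-as is another uid:", audit(root, owner + 1))
```

Run against the sample tree, the same modes are clean for a separate run-as uid and fully exposed when the run-as uid is the owner, which is the case the thread warns about.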




Re: [EMAIL PROTECTED] Prevent img smoothing?

2008-09-04 Thread William A. Rowe, Jr.

Mike -- EMAIL IGNORED wrote:
> On my website I have a BMP picture that is 13x20 pixels.
> I want it displayed as a matrix of little squares.
> Displaying on Win2k with IE or Firefox, and on WinXP
> using IE, that is what I get.  But on WinXP with Firefox,
> the picture is "smoothed" into a blurry mess.  Is there
> a way to prevent this?


Exactly as Dragon mentioned, apache has nothing to do with this.

I suspect the gif compression of a 130x200 image consisting
of 10x10 blocks would be not much bigger than your bmp picture.
Just serve the correctly scaled image.




Re: [EMAIL PROTECTED] How to start Apache automatically with certificate?

2008-09-04 Thread William A. Rowe, Jr.

Joseph S D Yao wrote:
> On Thu, Sep 04, 2008 at 12:33:20PM -0500, William A. Rowe, Jr. wrote:
>> Joseph S D Yao wrote:
>>> On Thu, Sep 04, 2008 at 03:55:33PM +0100, Tom Evans wrote:
>>> ...
>>>> They've also suggested that their conf files be owned by root, and only
>>>> readable by the apache user, which you also disagree with.
>>> ...
>>> Nobody has come up with a good argument for this, or a refutation of my
>>> argument against it.
>>
>> The refutation is that in order to bind to port 80, have access to keys,
>> etc, httpd must start as root.  If the conf files are owned by a "wwwadmin"
>> role user, that's fine, it's one degree removed from root.  ...
>
> Which is all I've been saying.  Thanks for finally agreeing.


No, I disagree with you above unless the caveats and warnings that you have
elided above are restored.  People reading the above (with no context) are
likely to deploy far more vulnerable configurations than the conventional
"maintain httpd.conf files as root" wisdom.





Re: [EMAIL PROTECTED] Content Negotiation problem

2008-09-04 Thread William A. Rowe, Jr.

Keelan Long wrote:
> Anyone have any idea what's wrong?


Try

 Options -multiviews

in your config file above those directories.  If you aren't serving
one-of-several flavors, e.g. if you had five corresponding .html files
with the same base name but different languages/character sets, then
multiviews does nothing but perhaps mess things up.

The base name, in this case, for 1 John 1.1-2.6.html, is simply
1 John 1, although there is only one filename that matches that pattern.
For some though, you have "duplicates" if you look only at the text
leading up to the first period.




Re: [EMAIL PROTECTED] any reasons not to compile with -enable-exception-hook?

2008-09-18 Thread William A. Rowe, Jr.

fredk2 wrote:
> Hi,
>
> are there any reasons why you would not want in production (or hardened
> server) an apache compiled with -enable-exception-hook?


Yes.  You can and should expect that once the server is compromised, it's
possible although highly unlikely that the actual target of that hook is
also compromised.  Many would rather that the process was brought down,
hard, at the first exception, and that code no longer ran in that context.




Re: [EMAIL PROTECTED] Configuration Problems

2008-09-19 Thread William A. Rowe, Jr.

André Warnier wrote:
> Not knowing Vista, I have not much to contribute,


the bit of information you are missing is file permissions and UAC (User
Access Control).  Clearly a file permission problem, because it didn't
silently accept their change as a private copy that the system would
ignore.  Run notepad (for example) "as administrator" and the file can
be modified; alternately run


> but a little bit of advice :
>
> Re : C:\Program Files\Apache Software Foundation\Apache2.2\conf\httpd.conf
>
> If you are really at the beginning, and if this is not forbidden in
> Vista, I would suggest to de-install your Apache package, and re-install
> it in a directory such as "C:\Apache2.2" or even "C:\Apache2".
> That will take you 5 minutes now, and save you later many keystrokes,
> many typos and many headaches.


No argument.  I've determined to do this for my classroom work, since
students copying from an overhead are prone to mistype.  The permissions
may be prickly though,

> Paths with spaces in them bite you sooner or later, and that one is
> really terrible. Can't even paste it into an email without wrapping it
> around.
>
> And think of your  sections in your httpd.conf later..


Two points.  Quote the pathnames, it's trivial.  Secondly, try ^C/^V,
it spares you a ton of embarrassment.  (It has for me.)

> I really don't know why the Apache Windows package creators embed such a
> terrible path by default in that installer.


Because c:\ pollution is even worse, and MS chose the convention, not us.
Give me a break and complain to them.

The next solution will be worse.  The proper solution is that the actual
configuration is a per-user mess living in a tree that is named;

  c:\Users[*]\Application Data\Apache Software Foundation\Apache2.2\

[*] Documents and Settings for all you poor XP/2003/NT users





