To clarify, I did lodge a bug report
https://issues.apache.org/bugzilla/show_bug.cgi?id=56038
A quick fix of the affected code did get SessionExclude working. The
behavior is that no session is loaded, so if SessionExclude is applied to a
location which requires authentication, the authentication
Okay, I take that back. Call me an Apache idiot.
The SessionExclude directive did not work. I could not get it to work for
any path prefix. I'm taking a closer look at mod_session.c to see how this
should work. Strangely enough, and I dare barely suggest this, there
appears to be a bug in mod_sessi
Well, it looks like I've just answered one of my questions. The
"SessionExclude" directive "allows sessions to be disabled relative to URL
prefixes". I had not tried this because I don't want sessions to be
completely disabled. However, desperate, I tried it. It apparently does not
completely disab
Using form based auth, e.g.
AuthName "forms_foo"
AuthFormProvider my_provider
AuthType form
AuthFormLoginRequiredLocation "/foo_form"
Session On
SessionCookieName foo_cookie path=/foo/;httponly
SessionCryptoPassphrase somereallyneatandnicepassphrase
SessionCookieRe
Greetings Apache httpd community,
I'm following up to myself, since I've had no response to the initial
query. I'm hoping that someone with session experience can help!
I am using Apache httpd 2.4.7 on ArchLinux, and have questions about
mod_session usage. I'm using mod_auth_form and mod_session
Unfortunately, those directions are about as simple as it gets. Building
the Windows binaries can be hard work. Unless you have a specific reason to
build them yourself, I recommend the builds from
http://www.apachelounge.com/download/.
- Y
Sent from a gizmo with a very small keyboard and hyperactive a
The part of the URL after the # is not sent to the server, so it is not
possible to match on it. Anyway, if you just remove it from your pattern,
you should get the same result since you do not appear to be trying to
match on anything after it.
- Y
Sent from a gizmo with a very small keyboard and
That configuration looks to me like it says NOT CBC or MD5. Can you confirm
whether the server is actually accepting CBC or MD5 ciphers?
A tool like https://www.ssllabs.com/ssltest/index.html can tell you if your
server is publicly accessible.
- Y
Sent from a gizmo with a very small keyboard and
On Mon, Jan 20, 2014 at 8:25 AM, Kalyana sundaram wrote:
> access_status is -3 and r->status is 413. But I am not getting why in
> ap_process_request r->status is set to HTTP_OK before calling ap_die. This
> seems like causing the issue
>
-3 is AP_FILTER_ERROR (in 2.2.x). That makes sense for th
On Mon, Jan 20, 2014 at 2:17 AM, Tilden Doran D wrote:
> Hi All,
>
> I required help to configure FTP Load balancer in Apache Server 2.4.
>
> I have downloaded Apache server 2.4, APR, APR-util and PCRE and built
> it and also configured as my HTTP load balancer. Now I want to configure
access_status is -3 and r->status is 413. But I am not getting why in
ap_process_request r->status is set to HTTP_OK before calling ap_die. This
seems like causing the issue
On Mon, Jan 20, 2014 at 6:49 PM, Eric Covener wrote:
> On Mon, Jan 20, 2014 at 8:13 AM, Kalyana sundaram
> wrote:
> > If
On Mon, Jan 20, 2014 at 8:13 AM, Kalyana sundaram wrote:
> If ap_die is called
> 413 is the response code on header sent to client
> 200 is the response code on logs
> body has the error document and the response appended
>
> If ap_finalize_request_protocol is called
> 413 is response code on head
If ap_die is called
413 is the response code on header sent to client
200 is the response code on logs
body has the error document and the response appended
If ap_finalize_request_protocol is called
413 is response code on header
413 is logged
response is not appended to error document
On Mon,
On Mon, Jan 20, 2014 at 7:29 AM, Kalyana sundaram wrote:
> But if I call ap_finalize_request_protocol(r) instead of using else part,
> things are fine
> That's why I wish to understand, when mod_php is called
Ignoring all of the cases you aren't testing, what's the behavior in
that case (headers
We originally configured Apache with this directive:
SSLCipherSuite RC4-SHA
Then, when the network scan found the vulnerability, we modified it to this:
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS:!DES-
But if I call ap_finalize_request_protocol(r) instead of using else part,
things are fine
That's why I wish to understand, when mod_php is called
On Mon, Jan 20, 2014 at 5:51 PM, Eric Covener wrote:
> On Mon, Jan 20, 2014 at 7:11 AM, Kalyana sundaram
> wrote:
> > ===>php response
>
> As I
On Mon, Jan 20, 2014 at 7:11 AM, Kalyana sundaram wrote:
> ===>php response
As I had described, whatever you're using for PHP (probably mod_php)
is ignoring errors while reading the request body and allowing your
script to run and append output. I suggest you search for / report a
bug to the
On Mon, Jan 20, 2014 at 5:21 PM, Eric Covener wrote:
> On Mon, Jan 20, 2014 at 5:31 AM, Kalyana sundaram
> wrote:
> >
> > Hi
> > I am using httpd-2.2.26. Whenever I use LimitRequestBody directive Apache
> > gives 413 to user if content length is greater than the value specified
> in
> > directiv
> The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many
> single-byte biases, which makes it easier for remote attackers to conduct
> plaintext-recovery attacks via statistical analysis of ciphertext in a large
> number of sessions that use the same plaintext.
http://http
On Mon, Jan 20, 2014 at 6:24 AM, Nallu Naren wrote:
> Hi team,
>
> I've written my own module for Apache 2.2 and it is working as expected and
> Now I've upgraded to 2.4.x by recompiling with 2.4.3 header files and
> everything seems to be working fine.
>
> Now when I tried to install my module wh
On Mon, Jan 20, 2014 at 5:31 AM, Kalyana sundaram wrote:
>
> Hi
> I am using httpd-2.2.26. Whenever I use LimitRequestBody directive Apache
> gives 413 to user if content length is greater than the value specified in
> directive but logs as 200. It even appends the response html along with
> error
Hello everyone.
Where can I find a list of vulnerabilities related to apache 2.2.26.
I would like to know if this release bypasses the vulnerability CVE-2013-2566
The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many
single-byte biases, which makes it easier for remo
Hi team,
I've written my own module for Apache 2.2 and it is working as expected and
Now I've upgraded to 2.4.x by recompiling with 2.4.3 header files and
everything seems to be working fine.
Now when I tried to install my module which is compiled on Apache 2.4.3 is
not working on Apache 2.2, is
Hi
I am using httpd-2.2.26. Whenever I use LimitRequestBody directive Apache
gives 413 to user if content length is greater than the value specified in
directive but logs as 200. It even appends the response html along with
error document. This problem happens in httpd-2.4.4 also
On further debuggi