Hello;
I am an administrator for several websites. We are using Apache HTTP v2.2.9
as a front end to communicate with WebSphere 6.0 JVM's on the back end. This is
all, typically, on Solaris 9. To meet some of the high availability requirements
of our applications, we've been using the WebSphere
ll about a
community-driven approach I want to see if my fellow developers and
users had a suggestion for another presentation (or maybe a rewnewal of
the cookbook).
Any ideas out there?
--
Daniel Ruggeri
-
The official User-To-U
e you have in the :80
vhost. Add this to the SSL vhost, or move it to the server level
(outside of any vhosts):
AllowOverride All
Order deny,allow
Deny from all
Allow from 127.0.0.1
--
Daniel Ruggeri
R_ROUTE_CHANGED
ProxyPass /daniel/ balancer://DanielCluster/daniel/
For reference (and other proxy examples), I pulled this straight from a
presentation I gave at ACNA2010 here:
http://people.apache.org/~druggeri/notes/ApacheConNA%202010%20Presentation.odp
http://people.apache.org
My mistake. Simple permissions issue - should be fine now.
--
Daniel Ruggeri
-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
xy uses (like X-ForwardedFor) that you can not change.
--
Daniel Ruggeri
nly* happen if a process obtains a lock but crashes before it
can be released. Otherwise, a well-behaved httpd server will not have
this issue - it is quite good at cleaning up after itself.
--
Daniel Ruggeri
-
To unsubscribe, e-
ine On
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^/(.*)$ https:///$1 [L,R]
You can also try enabling the rewrite log for more details.
--
Daniel Ruggeri
-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
arly useful when
scripting startup/shutdowns.
--
Daniel Ruggeri
-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
sr -key ssl.key -new
(This generates ssl.csr which you can safely email to be signed)
--
Daniel Ruggeri
-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
will be the ssl.crt file. You should also
get a chain file back as well. This becomes the value of
SSLCertificateChainFile and is used for clients to tie your server's
identity to a trusted authority.
--
Daniel Ruggeri
---
is no such thing as HTTP 443
error code. Perhaps I read your email wrong, but httpd should never
return that status code.
--
Daniel Ruggeri
-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional comma
le directive)?
I personally have never used OptRenegotiate, but the description of
the option seems to be related to the problem you are seeing. If this
portion fails, I would expect the 403 that the client is getting in
response.
nything operating
on layer 4 or up would do. In this sort of configuration you will bind
httpd to a distinct IP address bound to each machine in the load
balanced pair and let the upstream service manage the traffic. Capacity
in this configuration at the web layer scales linearly with each httpd
server. Beware, this option can be expensive.
--
Daniel Ruggeri
have to happen inside the Tomcat cluster.
There's lots of documentation on how to set up clustering in Tomcat.
Session persistence/stickiness would happen at the F5 load balancer.
--
Daniel Ruggeri
-
To unsubscribe, e-m
lem, you may need to check the data
coming back with some sort of request capturing (Firebug, Fiddler, etc)
or a network trace.
--
Daniel Ruggeri
e and restart without the define to disable maintenance mode.
--
Daniel Ruggeri
-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
ll down by that time, at
least one user will be impacted before httpd takes it out of service again.
See the params for ProxyPass at
http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxypass
--
Daniel Ruggeri
-
To unsubscribe,
rotocol specific logic. Please do report back if you come across
any complications.
--
Daniel Ruggeri
-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
can control this with a condition (like looking for a specific
cookie, header or source IP address). In the example below, you would
use a cookie to gain access:
RewriteCond !%{HTTP_COOKIE} LetMeIn
RewriteRule .* /path/to/maintenance.html [L]
#Existing directives
-
ed to tweak the
values to accommodate those users.
--
Daniel Ruggeri
y be speaking out of school here, but I believe that means you have
too few workers. Do you have access to your httpd.conf?
The code for mod status simply iterates through the server_limit x
thread_limit and prints a character for each.
--
Daniel Ruggeri
ct/detail$
RewriteCond %{QUERY_STRING} ^(bsins=20.*)
RewriteRule .* balancer://product-gift/%1
Note the %1 back reference instead of $1 - %X is for cond matches, $X is
for rule matches.
--
Daniel Ruggeri
-
To unsubscribe,
On 6/8/2012 5:35 PM, Daniel Ruggeri wrote:
> You can use mod_rewrite to take action based on URI and query string as
> well as proxy. This should work for you:
Sorry! Correction!
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/product/detail$
RewriteCond %{QUERY_STRING} ^(bsins=20.*)
Rewri
there a way to force authentication to access the proxied resource?
You can accomplish this with a block instead of a
block. That may be the only change needed, depending on
the rest of your configuration.
--
Daniel Ruggeri
-
To unsub
re no provisions available to retry a request to
another backend server once it has been sent to a balancer member. I
would like to fix this some day but I am just not aware of a place that
this can be done currently as the balancer willy only attempt another
backend on connection failure only.
--
Daniel Ruggeri
However, this will turn foo.com into a proxy to bar.com
which brings its own challenges. If you go this route you will want to
tighten up the RewriteRule pattern a bit more as well as change the
FileMatch to LocationMatch.
--
Daniel Ruggeri
what httpd is
reading and writing.
--
Daniel Ruggeri
-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
m but could create new ones or find another stumbling
block one step further into the process... and the next thing you know
you may have a mess of complicated config settings you don't want to
touch in the future for fear of breaking something.
--
Daniel Ruggeri
---
k asking this question on the modules-dev mailing list:
http://httpd.apache.org/lists.html#modules-dev
--
Daniel Ruggeri
-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
e dark without more information.
--
Daniel Ruggeri
ewriteEngine On
RewriteCond %{HTTP_HOST} !^update.domain.com$ [NC]
RewriteRule ^/(.*)$ http://private.ip.address/$1 [P,L]
--
Daniel Ruggeri
-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands,
g to sort it all
> out.)
>
> Thanks.
Since your servers are signed by a known CA, the browsers will only need
to have a private key/certificate imported to function. In your httpd
vhost, you will place your self-signed CA certificate (the one that
signs the clie
cer-manager
Order deny,allow
Deny from all
Allow from 192.168
--
Daniel Ruggeri
fter the "." in the cookie value) and
match it to the BalancerMember being used.
--
Daniel Ruggeri
-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
some
containers return a 503 when the app is not yet initialized but the
container is up. Granted, you will still have one failed connection per
every X retry seconds, but in high-volume sites a few failures is much
more appetizing than h
wsermatch directives are not required - you could use
additional conditions like...
RewriteCond %{HTTP_USER_AGENT} .*iPad.* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} .*iPhone.* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} .*Android.* [NC]
--
Daniel Ruggeri
Found
Location: http://frontend.com/context/
It will replace all occurrences of the second argument with a
self-constructed URL of the server. The first argument is used to
translate the path if needed.
--
Daniel Ruggeri
--
easy workaround to the
problem. There's still a very slight efficiency that can be gained by
fixing the bug in that the directories aren't checked for the presence
of the files, though, so I'd still want to tackle it from that angle.
--
Daniel Ruggeri
I'm assuming that compiler optimizations would make both patches "six to
one, half dozen to the other" as far as code path followed during the
request cycle... but I agree.
Fixed in trunk in r1737114 and proposed for backport in 2.4 in STATUS.
--
Daniel Ruggeri
On 3/30/201
e key.
Currently there is no support for a passphrases in client certs and
will, unfortunately, cause a segfault without any other useful errors.
--
Daniel Ruggeri
-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
ill show the
request as sent to the backend (but produces tons of logs).
Feel free to review/steal examples from this presentation as we get
closer to the balancer config:
http://people.apache.org/~druggeri/notes/ApacheConNA%202010%20Presentation.odp
--
Daniel Ruggeri
--
xperiences, though, outbound calls originate from the
physical (primary interface) address of the RP host - are you seeing
that reverse proxied requests are originating from the VIP of the vhost?
--
Daniel Ruggeri
icate,
you can use these directives:
SSLVerifyClient require
SSLCACertificateFile /path/to/your/CA/cert.pem
The word of caution here is that all users will have to present a client
certificate - which would mean they have to have them available to their
browsers or they will never be able to
ou can
do almost anything you'd like as it crosses the proxy. There are a few
examples in that presentation of some of the scenarios and use cases
that might be interesting. Deflate would be a good start - it's always
nice to save bandwidth.
--
Daniel Ruggeri
-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
y disabled.
David;
Nothing available today, but I actually started work on adding this
functionality but got distracted - it's a very simple patch. I will try
to get something into trunk within the next week and will plan to
backport to 2.2.
--
Daniel Ruggeri
s a redirect. From there, just adjust the ProxyPassReverse line to
match what is coming back in Location.
--
Daniel Ruggeri
-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
K" and log that (mod_log_config using
%{headername}o). Then anything without that header could be treated as
an error.
Otherwise, I am unaware of a way to interrogate the response object for
content and log differently.
--
Daniel Ruggeri
On 4/11/2013 1:42 AM, santosh kumar wrote:
> Hi
>
> I am
e header indicating "OK" and log that (mod_log_config using
%{headername}o). Then anything without that header could be treated as
an error.
Otherwise, I am unaware of a way to interrogate the response object for
content and log differently.
--
Daniel Ruggeri
he RedirectMatch that you posted.
--
Daniel Ruggeri
-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
ll of those
configuration directives will note be applied.
--
Daniel Ruggeri
-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
gt; To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>
mod_susbstitute used on the frontend apache server would be a potential
option here. Have you tried that?
--
Daniel Ruggeri
--
an
SSL backend?
https://issues.apache.org/bugzilla/show_bug.cgi?id=53870
I've been bitten by this also. Update to openssl fixes this issue.
--
Daniel Ruggeri
-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
s compile flag was dropped in 2.2 which made SSLCryptoDevice part of
a 'normal' build.
--
Daniel Ruggeri
-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
Erman;
You are correct - there are no ways to pass arguments via the
configuration file. You could use environment entries to avoid hard
coding things in your engine, though.
--
Daniel Ruggeri
On 6/11/2013 12:01 PM, coolcuzu wrote:
> Thank you Daniel for your help.
>
> I believe a
ttp://192.168.8.77/APPX
>
> c)Stick Session is not maintained [ have checked the application after
> logging
You can enable debug log level - the balancer will log whether it can
detect the sticky session cookie.
> HTTP Status 404
he user will
receive an error (BAD GATEWAY) because nofailover is set. This parameter
ensures that if a failure occurs on the sticky node, the user stays put.
--
Daniel Ruggeri
-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
those already enrolled in the tutorial.
Thanks - see you in Denver!
Links
[1]
http://apacheconnorthamerica2014.sched.org/event/b31cfdb9ac0db0cb954a0645a5e3981d?iframe=no&w=100&sidebar=yes&bg=no#.UxYgp4X1NuM
--
Daniel Ruggeri
-
Hi, John;
Good question, if there is sufficient interest in doing this, I can
reach out to my contacts with the conference planners and see what can
be done. I suspect that the schedule is already set, but it wouldn't
hurt to ask.
--
Daniel Ruggeri
On 3/4/2014 1:06 PM, Rose, John B
Absolutely - whatever works best for those attending.
Of course, for those who haven't attended BarCamp, that would also be a
great way to spend Thursday!
--
Daniel Ruggeri
On 3/4/2014 3:50 PM, Rich Bowen wrote:
>
> On 03/04/2014 02:06 PM, Rose, John B wrote:
>> Any chanc
On 3/4/2014 1:06 PM, Rose, John B wrote:
> Any chance of moving it to Thursday?
Hi, John;
I was poking through the schedule today and see that the session has,
indeed, been moved to Thursday at 09:00.
--
Daniel Rugg
everse proxy.
Tip: Configuration of SSL between httpd and IIS is optional but may be a
good idea if IIS ever generates a full link or redirect. When httpd
generates such things, it uses the protocol that it answered (so if you
speak cleartext to apache, the Location header will have http://). My
guess is that IIS would behave similarly.
--
Daniel Ruggeri
Hi;
You will also need to bump your version to 2.2.25 as failontimeout
was not backported until then.
--
Daniel Ruggeri
On 8/28/2014 8:01 AM, Daniel wrote:
> Try with failontimeout option set to on, by default it is "Off"
>
>
> 2014-08-28 2:07 GMT+02:00 Israel
trivial to do with a
Servlet filter in a J2EE app, but I am not sure about other implementations (my
own ignorance rather than it being technically impossible).
--
Daniel Ruggeri
Original Message
From: Jim Jagielski
Sent: November 20, 2014 7:36:11 AM CST
To: users
64 matches
Mail list logo
