Re: [users@httpd] Use Multiple Server Certificates On One Server: Is This Possible?

2014-03-12 Thread Tom Browder
On Wed, Mar 12, 2014 at 9:11 AM, Eric Covener wrote: > On Wed, Mar 12, 2014 at 9:00 AM, Tom Browder wrote: >> I was surprised to see this message (see below) to the dev list. >> >> Note the last line of the cropped message below: >> >>> The certificate

Re: [users@httpd] dynamic virtual hosts

2014-03-12 Thread Tom Browder
On Wed, Mar 12, 2014 at 2:56 PM, Rose, John B wrote: > Has anyone used mod_vhost, or mod_rewrite, some other way, or some > combination, and implemented in production, dynamic virtual hosts of unique > hundreds or more, sub domains. > > If so, which method did you use, and can you give us the co

Re: [users@httpd] dynamic virtual hosts

2014-03-12 Thread Tom Browder
On Wed, Mar 12, 2014 at 3:11 PM, Tom Browder wrote: ... If you have sub-domains just define another macro similarly except you will have one or more additional parameters in front of "${PROJECT} ${TLD}" for the new macros. By using such layouts I am able to build new vhosts (htttpd.co

[users] Re: [users@httpd] CAC Card Authentication

2014-06-02 Thread Tom Browder
On Fri, May 30, 2014 at 1:06 AM, Jason Pyeron wrote: >> -Original Message- >> From: McGregor, Donald (Don) (CIV) ... >> I'm attempting to get CAC card authentication working with >> Apache httpd-2.2.3-85 on Centos 5. CAC cards are the DoD ... > And if you are working on an accredited DoD s

[users] Recommended practice for mitigating BREACH/CRIME attacks with Apache 2.4+, SSL/TLS-only sites, and use of mod_deflate?

2014-06-03 Thread Tom Browder
I have several SSL/TLS-only virtual sites running under Apache 2.4.7. I haven't turned on compression because of all the warnings about CRIME and BREACH. However, when I run my sites against web site analyzers they always suggest turning on compression. So what is the consensus? If compression i

[users] Re: Recommended practice for mitigating BREACH/CRIME attacks with Apache 2.4+, SSL/TLS-only sites, and use of mod_deflate?

2014-06-06 Thread Tom Browder
On Tue, Jun 3, 2014 at 3:52 PM, Tom Browder wrote: > I have several SSL/TLS-only virtual sites running under Apache 2.4.7. > I haven't turned on compression because of all the warnings about > CRIME and BREACH. However, when I run my sites against web site > analyzers they alway

Re: [users] Re: Recommended practice for mitigating BREACH/CRIME attacks with Apache 2.4+, SSL/TLS-only sites, and use of mod_deflate?

2014-06-06 Thread Tom Browder
On Fri, Jun 6, 2014 at 10:16 AM, Jeff Trawick wrote: >> On Tue, Jun 3, 2014 at 3:52 PM, Tom Browder wrote: >> > I have several SSL/TLS-only virtual sites running under Apache 2.4.7. >> > I haven't turned on compression because of all the warnings about >> >

Re: [users] Re: Recommended practice for mitigating BREACH/CRIME attacks with Apache 2.4+, SSL/TLS-only sites, and use of mod_deflate?

2014-06-06 Thread Tom Browder
On Fri, Jun 6, 2014 at 10:35 AM, Tom Browder wrote: > On Fri, Jun 6, 2014 at 10:16 AM, Jeff Trawick wrote: >>> On Tue, Jun 3, 2014 at 3:52 PM, Tom Browder wrote: >>> > I have several SSL/TLS-only virtual sites running under Apache 2.4.7. >>> > I haven't

[users@httpd] TLS, SNI, and Multiple VHosts

2014-10-18 Thread Tom Browder
If I get a server TLS certificate for an IP address, is it true that I can have essentially unlimited TLS VHosts using that certificate (assuming clients are SNI-capable)? Best regards, -Tom - To unsubscribe, e-mail: users-unsub

[users@httpd] Apache 2.4.10 and Basic Authentication: No Luck

2015-04-13 Thread Tom Browder
After reading the somewhat confusing docs on limiting access to a directory, I found that basic authentication with TLS is the recommended way. I have several virtual hosts running on a TLS-only server and want to limit access to a private directory for just one of the hosts (not that I am using m

[users@httpd] Re: Apache 2.4.10 and Basic Authentication: No Luck [SOLVED]

2015-04-13 Thread Tom Browder
On Mon, Apr 13, 2015 at 10:51 AM, Tom Browder wrote: > After reading the somewhat confusing docs on limiting access to a > directory, I found that basic authentication with TLS is the > recommended way. Duh, I made a typo on the dir name (he says as he smacks his forehead in disgust)!

[users@httpd] AuthBasic Questions: Modify the pop-up message? Change auth cache time?

2015-04-14 Thread Tom Browder
I now have basic authorization (under TLS) working okay, but I would like to influence the user experience a bit via Apache behavior if possible. A few questions if you please: 1. Can I modify the pop-up message? 2. Can I change the cache behavior of the access? As it is, my Google Chrome keep

Re: [users@httpd] AuthBasic Questions: Modify the pop-up message? Change auth cache time?

2015-04-14 Thread Tom Browder
On Tue, Apr 14, 2015 at 2:11 PM, Pete Houston wrote: ... > Good luck, Thanks, Pete, that's what I was afraid of. I hope mod_perl gets released for Apache 2.4 soon! Best, -Tom

[users@httpd] Re: httpd and OpenSSL 1.0.2

2015-05-27 Thread Tom Browder
On May 27, 2015 5:26 AM, "Mario Brandt" wrote: > Hi Tom, > I saw you on the httpd dev mailing list about that topic. How did you > manage to build apache against 1.0.2? > > Cause if I try that I get in my VM > > /opt/apache2/modules/mod_ssl.so: undefined symbol: SSL_CONF_CTX_finish > > or on my re

[users@httpd] Re: httpd and OpenSSL 1.0.2

2015-06-01 Thread Tom Browder
On Wed, May 27, 2015 at 11:33 AM, Mario Brandt wrote: > Hi Tom, > > I tried on Debian 7 and 8 both x64 > > To see your configure options would help a lot. Okay, here's what I had to do to my Linux Deb 7, 64-bit system: 1. Remove any deb packages of httpd, apr, apr-util, openssl. 2. Source pac

[users@httpd] Re: httpd and OpenSSL 1.0.2

2015-06-01 Thread Tom Browder
On Mon, Jun 1, 2015 at 10:22 AM, Tom Browder wrote: > Okay, here's what I had to do to my Linux Deb 7, 64-bit system: ... > 2. Source packages used (in order of installation): ... > pcre2-10.00.tar.bz2 Oops, my error: I had to use pcre-8.36 (httpd cannot yet use pcre2)

[users@httpd] Are passwords with embedded spaces allowed using htdbm?

2018-06-09 Thread Tom Browder
I can get htdbm to accept a cleartext password with spaces when using the mode where I enter the password at the command line, e.g., htdbm -cB dbmfilename user and the password is validated ok using htdbm -vB dbmfilename user but I can’t get it to work using the batch mode: htdbm -cbB db

[users@httpd] Re: Are passwords with embedded spaces allowed using htdbm?

2018-06-09 Thread Tom Browder
On Sat, Jun 9, 2018 at 09:00 Tom Browder wrote: > I can get htdbm to accept a cleartext password with spaces when using the > mode where I enter the password at the command line, e.g > ... I’m sorry for the wasted bandwidth, but I proved myself wrong! I used a bash script sussessfu

[users@httpd] Using mod_macro reverse proxy named virtual hosts with TLS

2018-12-14 Thread Tom Browder
Can anyone point to an example of a conf file with a macro defining a named virtual host with both the following attributes: + TLS + reverse proxy I can find good examples of macros with either attribute, but none with both. I currently have a single server running 10+ named virtual hosts using

[users@httpd] Re: Using mod_macro reverse proxy named virtual hosts with TLS

2018-12-22 Thread Tom Browder
On Fri, Dec 14, 2018 at 10:22 Tom Browder wrote: > Can anyone point to an example of a conf file with a macro defining a > named virtual host with both the following attributes: > ... Ping. Anyone? How about an example with TLS and two separate name-based virtual servers, each using

[users@httpd] SSI and CGI execution

2019-10-14 Thread Tom Browder
I am successfully using CGI progs (written in the Perl and Raku programming languages), but they are standalone and execute their tasks when called in either of these ways: 1. as an SSI program in the section of an .shtml page: 2. as an href link in the section of an .html or .shtml page:

[users@httpd] Reverse proxy: how to map a domain.tld to a local host port

2019-10-14 Thread Tom Browder
I want to map multiple virtual hosts (https://domain.tld) to a backend server app. All the recipes I see do something like this: ProxyPreserveHost On ProxyPass "/" "http://localhost:8000" ProxyPassReverse "/" "http://localhost:8000" Does that mean the single app

Re: [users@httpd] Reverse proxy: how to map a domain.tld to a local host port

2019-10-16 Thread Tom Browder
On Wed, Oct 16, 2019 at 01:15 wrote: > Is there any way to map each unique domain.tld to a different app at a > unique port just for that domain.tld? > > Why not just using virtualhosts also on your backend > (tomcat,wildfly,jetty,etc)? Also, if you want to use port based VH on your > backend wit

[users@httpd] Virtual host macros and reverse proxy

2020-01-24 Thread Tom Browder
I have multiple virtual hosts for which I would like to use a reverse proxy to a dynamic application running constantly on my server. I would like to use a macro to do something like this pseudo code: $port = 16000 for each domain.tld map domain.tld to localhost:$port $por

[users@httpd] Re: Virtual host macros and reverse proxy

2020-01-29 Thread Tom Browder
On Fri, Jan 24, 2020 at 12:06 Tom Browder wrote: > I have multiple virtual hosts for which I would like to use a reverse > proxy to a dynamic application running constantly on my server. > ... Ping

[users@httpd] Can one use both certificate and password access to the same resource?

2020-01-29 Thread Tom Browder
I have a working website with part of it restricted to users with private TLS certificates installed. I would like to add the option for some users to access the same area with the form-based user name and password scheme. Can that be done? Thanks. -Tom

Re: [users@httpd] Configuration question

2020-01-29 Thread Tom Browder
On Tue, Jan 28, 2020 at 13:07 o1bigtenor wrote: > On Tue, Jan 28, 2020 at 9:49 AM Eric Covener wrote: > > > How can I have different document roots for various applications on the > > > same server? > > virtual hosts. > > Thanking you for your assistance. To those others that had also responded >

Re: [users@httpd] Re: Virtual host macros and reverse proxy

2020-01-29 Thread Tom Browder
On Wed, Jan 29, 2020 at 08:36 Gillis J. de Nijs wrote: > > There's mod_macro that might be useful. I don't think it does calculations, > though, so you might need to do some things yourself. Maybe you could indeed > generate the conf files yourself and use Include or IncludeOptional. ... Tha

Re: [users@httpd] Configuration question

2020-01-29 Thread Tom Browder
On Wed, Jan 29, 2020 at 9:20 AM o1bigtenor wrote: > On Wed, Jan 29, 2020 at 7:14 AM Tom Browder wrote: > > https://www.ssllabs.com/ssltest/ > > > > Check one of my sites and see for yourself: > > > > https://freestatesofamerica.org > > > (Grin) Didn'

Re: [users@httpd] Configuration question

2020-01-29 Thread Tom Browder
On Wed, Jan 29, 2020 at 11:47 AM Tom Browder wrote: > > >... > But I'm in the process of putting most of the config online. I'll put > my main macro first. See the following for my main vhost macro: https://github.com/tbrowder/apache-httpd-tidbits/bl

Re: [users@httpd] Re: Virtual host macros and reverse proxy

2020-01-29 Thread Tom Browder
apache-httpd-tidbits/blob/master/conf/vhost-proxy.macro.conf -Tom > On Wed, Jan 29, 2020 at 4:05 PM Tom Browder wrote: >> >> On Wed, Jan 29, 2020 at 08:36 Gillis J. de Nijs >> wrote: >> > >> > There's mod_macro that might be useful. I don't th

Re: [users@httpd] Configuration question

2020-01-29 Thread Tom Browder
On Wed, Jan 29, 2020 at 3:34 PM Tom Browder wrote: > On Wed, Jan 29, 2020 at 11:47 AM Tom Browder wrote: > > > >... > > But I'm in the process of putting most of the config online. I'll put > > my main macro first. And for the whole conf directory see this:

Re: [users@httpd] Configuration question

2020-01-30 Thread Tom Browder
On Thu, Jan 30, 2020 at 09:31 o1bigtenor wrote: > On Wed, Jan 29, 2020 at 5:28 PM Tom Browder wrote: ... > > > > > But I'm in the process of putting most of the config online. I'll put > > > > my main macro first. > > > > And for the whole c

[users@httpd] Apache and systemd

2020-06-17 Thread Tom Browder
If I build a new server using --enable-systemd how does that affect using apachectl? Can I still apachectl for interactive start/stop while systemd takes care of reboots? Thanks. Best regards, -Tom

[users@httpd] Let's Encrypt (LE) and port 80

2020-06-17 Thread Tom Browder
Before LE came along, I tightened my single server down to redirect http to https. With LE I've been using the cert generation method where I stop Apache, create the required certs with a Raku program, and restart Apache. Now with my new Apache 2.4.43 I'm ready to automate the process. Is there an

Re: [users@httpd] Let's Encrypt (LE) and port 80

2020-06-17 Thread Tom Browder
On Wed, Jun 17, 2020 at 08:11 Stefan Eissing wrote: > There is a module called "mod_md" which gets and renews certificates from > LE. It's part of 2.4.43. > ... > You do not need to have port 80 open to use it. It also works with port > 443 alone. > Stefan, thanks. I've read a bit about mod_md b

Re: [users@httpd] Let's Encrypt (LE) and port 80

2020-06-17 Thread Tom Browder
On Wed, Jun 17, 2020 at 09:55 dmallor wrote: You can just setup a global redirect on your 80 listener but exclude LE > root path > ... > Thanks, Danny. I've never used rewrites before, but that looks like a good idea. But which of the two solutions would you prefer? What is the downside of bl

Re: [users@httpd] Apache and systemd

2020-06-17 Thread Tom Browder
On Wed, Jun 17, 2020 at 15:46 Richard wrote: ... > > If I build a new server using --enable-systemd how does that affect > > using apachectl? ... > You would use "systemctl" to start/stop/reload/... the server, e.g., > >systemctl start httpd.service Thanks, Richard. Hm, that doesn't work

Re: [users@httpd] Let's Encrypt (LE) and port 80

2020-06-17 Thread Tom Browder
On Wed, Jun 17, 2020 at 11:47 @lbutlr wrote: > On 17 Jun 2020, at 07:05, Tom Browder wrote: ... > Most of the automation scripts for LE pretty much walk your through > setting this up. ... > Not making a suggestion, as this is harder to setup, but it is something > to think

Re: [users@httpd] Let's Encrypt (LE) and port 80

2020-06-17 Thread Tom Browder
On Wed, Jun 17, 2020 at 11:50 dmallor wrote: > I have never used that module and always preferred to keep 80 open purely > for redirects (and LE) > ... Thanks, Danny. -Tom

Re: [users@httpd] Let's Encrypt (LE) and port 80

2020-06-17 Thread Tom Browder
On Wed, Jun 17, 2020 at 18:11 @lbutlr wrote: > On 17 Jun 2020, at 16:37, Tom Browder wrote: > > Thanks for the info--but all I'm only running a dozen or so hosts on a > single ... > Zero maintenance. Set it up once and forget it. It is all automated. I wish I could use

Re: [users@httpd] Apache and systemd

2020-06-18 Thread Tom Browder
On Thu, Jun 18, 2020 at 07:24 David Copeland wrote: > On OpenSuse, I use > > systemctl apache2 > > where is start, stop, status, reload, or whatever (do a "man > systemctl") > Thanks, Dave. But do you add the appropriate systemd files to enable auto start and shutdown of httpd upon reboot? M

Re: [users@httpd] Apache and systemd

2020-06-18 Thread Tom Browder
On Thu, Jun 18, 2020 at 07:48 David Copeland wrote: > Hi Tom, > > To have Apache start on boot do: *systemctl enable apache2* > David, thanks so much! So should a person installing Apache from source with "--enable-systemd" expect the service to be enabled during the installation, i.e., this is

[users@httpd] Getting "DSO" failed to load when trying to access a DBM password file

2020-06-28 Thread Tom Browder
I'm using locally built Apache 2.4.43 with Apr 1.7.0 and Apr-util 1.6.1 on Debian Buster. I'm trying to use DBM password files I built with an earlier version (approx 2.4.30ish) which worked fine. I got a complaint from a user he couldn't log in and I saw in the error logs that the password file c

[users@httpd] Re: Getting "DSO" failed to load when trying to access a DBM password file

2020-06-29 Thread Tom Browder
On Sun, Jun 28, 2020 at 18:19 Tom Browder wrote: > I'm using locally built Apache 2.4.43 with Apr 1.7.0 and Apr-util 1.6.1 on > Debian Buster. I'm trying to use DBM password files I built with an earlier > version (approx 2.4.30ish) which worked fine. > ... PROBLEM SOLVED

[users@httpd] Testing a server locally before remote deployment

2020-06-29 Thread Tom Browder
My current setup is designed to run on a remote server with its static IP assigned to my domains registered with Namecheap and served by their DNS servers. All my virtual hosts are name-based, https-only, and have individual TLS certs from Letsencrypt. Is there any simple way to run my local serv

[users@httpd] mod_md: is a restart always require for auto updates?

2020-07-13 Thread Tom Browder
I'm running Apache 2.4.43 and just added my first managed virtual host with mod_md and all worked fine. Now I want to move all my other virtual host to the same process but I have a few questions first: 1. For an auto renewal for the current managed domain, will I have to manually restart each tim

Re: [users@httpd] mod_md: is a restart always require for auto updates?

2020-07-14 Thread Tom Browder
On Tue, Jul 14, 2020 at 02:01 Stefan Eissing wrote: > > 1. For an auto renewal for the current managed domain, will I have to > > manually restart each time? > Clarification: only a reload (graceful) is necessary, not stop+start. Good point, thanks. Since the renewal is done usually a month in

Re: [users@httpd] Apache 2.2 and tls 1.2

2020-07-23 Thread Tom Browder
On Thu, Jul 23, 2020 at 12:51 Tom Jubb wrote: > Understood. Just trying to exhaust all possible solutions before doing an OS > upgrade. FYI, I recently completed a local src build of Apache 2.4.43 (and APR and APR-UTIL), and OpenSSL 1.1.1g on Debian 10 Buster. I have documented the process on m

[users@httpd] TLS handling with reverse proxy

2020-08-30 Thread Tom Browder
I have a successful non-apache reverse proxy server working behind a non-tls public-facing apache server. What do I have to do to use TLS with Let's Encrypt certs managed certificates? I have "normal" managed TLS servers working fine, but the reverse proxy TLS settings are a mystery to me. Thank

[users@httpd] Re: TLS handling with reverse proxy

2020-08-30 Thread Tom Browder
On Sun, Aug 30, 2020 at 06:58 Tom Browder wrote: > I have a successful non-apache reverse proxy server working behind a > non-tls public-facing apache server. What do I have to do to use TLS with > Let's Encrypt certs managed certificates? I'll be showing the virtual host

Re: [users@httpd] TLS handling with reverse proxy

2020-08-30 Thread Tom Browder
On Sun, Aug 30, 2020 at 10:37 Yuma Technical Inc. wrote: > I may be using the setup you describe. I have Webmin to manage services > ... Thanks, that helps. My data flow is a bit different, but every little piece of a working solution is a step in the right direction! Best regards: -Tom

Re: [users@httpd] TLS handling with reverse proxy

2020-08-31 Thread Tom Browder
On Sun, Aug 30, 2020 at 11:12 Tom Browder wrote: > On Sun, Aug 30, 2020 at 10:37 Yuma Technical Inc. > wrote: > >> I may be using the setup you describe. I have Webmin to manage services >> > ... > Can you tell me how the _default_ works with SNI virtual hosts? -Tom

Re: [users@httpd] TLS handling with reverse proxy

2020-08-31 Thread Tom Browder
On Mon, Aug 31, 2020 at 07:10 Tom Browder wrote: > On Sun, Aug 30, 2020 at 11:12 Tom Browder wrote: > >> On Sun, Aug 30, 2020 at 10:37 Yuma Technical Inc. < >> yumatechni...@gmail.com> wrote: >> >>> I may be using the setup you describe. I have Webmin t

Re: [users@httpd] TLS handling with reverse proxy

2020-08-31 Thread Tom Browder
On Mon, Aug 31, 2020 at 14:18 Yuma Technical Inc. wrote: > Don’t forget the “:” between host and port. If you want, even * > So I guess ${DOMAIN}.${TLD}:${PORT} > That is part of the macro definition. The vhost details come after that and its format is correct as you showed it. I think I'm get

[users@httpd] Debugging a reverse proxy using TLS

2020-09-01 Thread Tom Browder
Is there any way with the Apache logs to see (and capture) the raw data being received on the backside of a reverse proxy using TLS? If so, is there any way to unencode the data offline with OpenSSL if one has the public and private keys? Thanks so much. Best regards, -Tom

Re: [users@httpd] Debugging a reverse proxy using TLS

2020-09-01 Thread Tom Browder
On Tue, Sep 1, 2020 at 10:18 Eric Covener wrote: > On Tue, Sep 1, 2020 at 10:58 AM Tom Browder wrote: > > Is there any way with the Apache logs to see (and capture) the raw data > being received on the backside of a reverse proxy using TLS? > > I assume https://httpd.apach

[users@httpd] Base server versus virtual servers

2020-09-02 Thread Tom Browder
I am fine-tuning a single physical server running multiple virtual hosts defined by a macro and using SNI for access to each. The apache version is 2.4.43 and OpenSSL is 1.1.1g. OS is Debian 10 Buster. In looking at the docs about OCSP it mentions possible problems with restarts when the cert prov

Re: [users@httpd] Base server versus virtual servers

2020-09-04 Thread Tom Browder
On Fri, Sep 4, 2020 at 04:07 @lbutlr wrote: > ... The name I define in https.conf as ServerName is the rDNS for the machine. > This domain has no pages associated with it, though it does have an info > page under a sub directory, and is only there for the base config. > That is interesting and

[users@httpd] Alternatives to SSI (server side includes)?

2020-10-03 Thread Tom Browder
I have been using server side includes since I started my websites on Apache about 10 years ago. The performance hit I'm getting is too high and I would like to get the same utility with something more modern and appropriate. What I have been doing with SSI is executing some fairly involved db pro

[users@httpd] Re: Alternatives to SSI (server side includes)?

2020-10-03 Thread Tom Browder
On Sat, Oct 3, 2020 at 12:18 Tom Browder wrote: > I have been using server side includes since I started my websites on Apache ... > Any suggestions for SSI replacement with a more asynchronous method? Let me be more specific about the data flow I'm using with the landing (home)

Re: [users@httpd] Re: Alternatives to SSI (server side includes)?

2020-10-03 Thread Tom Browder
On Sat, Oct 3, 2020 at 13:46 Scott A. Wozny wrote: > Sounds like a job for AJAX, but before throwing out the baby with the bath > water I'd seriously consider turning up logging with timestamps on your > existing CGI and > That's a good idea, Scott, I've just been too lazy and debugging CGI is s

Re: [users@httpd] Re: Alternatives to SSI (server side includes)?

2020-10-04 Thread Tom Browder
On Sun, Oct 4, 2020 at 04:38 Rob De Langhe wrote: > I simply use (or dynamically construct) a page with iframes, in which each > iframe gets loaded by a separate CGI results; > Hm, I've always thought that iframes were frowned upon in modern practice. I'll have to read up on them. Thanks, Rob. C

Re: [users@httpd] Re: Alternatives to SSI (server side includes)?

2020-10-05 Thread Tom Browder
On Sun, Oct 4, 2020 at 13:05 Scott A. Wozny wrote: > IMHO, Web Sockets aren't going to get you any real benefit here. The > primary > Thanks, Scott. I do intend to look into the timing. BTW, this website takes over eight seconds to load, and it uses the same CGI setup as my other sites: h

Re: [users@httpd] Alternatives to SSI (server side includes)?

2020-10-05 Thread Tom Browder
On Sun, Oct 4, 2020 at 17:49 James Moe wrote: ... > Aren't cookies good for this type of tracking? I don't think data from cookies would be as reliable. Anyway, I just haven't dealt with cookies up till now and probably won't any time soon. Thanks. -Tom

[users@httpd] To Gzip or not?

2020-10-10 Thread Tom Browder
I've been looking at ways to speed up my web services using <https://webpagetest.org> for analysis. One thing I've been reading about is using mod_deflate to compress certain files but keep seeing the warnings about using compression with https due to certain known threats. In my searches so far

Re: [users@httpd] To Gzip or not?

2020-12-10 Thread Tom Browder
On Sun, Nov 22, 2020 at 09:41 Yves Goergen wrote: > I've recently learned about these issues, too. Thanks, Yves, I've delayed answering because I was collecting various pieces of references and got lost trying to put it all together. I hope all are well and wish you all a Merry Christmas. -To

Re: [users@httpd] To Gzip or not?

2020-12-10 Thread Tom Browder
On Sat, Oct 10, 2020 at 15:01 Antony Stone < antony.st...@apache.open.source.it> wrote: > On Saturday 10 October 2020 at 20:23:46, Tom Browder wrote: ... > > > I've been looking at ways to speed up my web services using > > https://webpagetest.org for analysis. One

[users@httpd] Different security warnings for a site with Chrome on Linux, Windows, and iOS

2021-08-09 Thread Tom Browder
I have a site, <https://nwflug.org>, that shows secure (black lock icon) with the Chrome browser on Linux and Windows 10. However, it shows the black triangle with the white exclamation point with the Chrome browser on iOS (iPad and iPhone). I get A+ on the site with the SSL Labs security check.

Re: [users@httpd] Different security warnings for a site with Chrome on Linux, Windows, and iOS

2021-08-09 Thread Tom Browder
On Mon, Aug 9, 2021 at 10:21 Richard wrote: > > Date: Monday, August 09, 2021 09:51:39 -0500 > > From: Tom Browder ... > > I have a site, <https://nwflug.org>, that shows secure (black lock ... > Firefox on linux indicates that "Parts of this page are not secure"

Re: [users@httpd] Different security warnings for a site with Chrome on Linux, Windows, and iOS

2021-08-09 Thread Tom Browder
On Mon, Aug 9, 2021 at 11:21 AM Dino Ciuffetti wrote: ... > Richard is right. > It's this image in your HTML that is loading via HTTP instead of HTTPS: Thanks, Dino. -Tom

[users@httpd] Feasible to use both password TLS cert access on same directory?

2021-09-03 Thread Tom Browder
I have a website that has been using private website user TLS certs successfully for over 10 years. Now I am investigating providing user name and password access to it as well. (I have that implemented on another site and it has worked satisfactorily for a couple of years.) My question is: can I

Re: [users@httpd] RE: [EXTERNAL] [users@httpd] Feasible to use both password TLS cert access on same directory?

2021-09-04 Thread Tom Browder
On Fri, Sep 3, 2021 at 16:21 Orendt, John wrote: > Hi Tom > ... > These two techniques can be used separately or together. > When both password and client cert are used it could be called two factor > authentication. > > Any of the above combinations are supported by httpd. > Thanks, John. But ca

Re: [users@httpd] RE: [EXTERNAL] [users@httpd] Feasible to use both password TLS cert access on same directory?

2021-09-06 Thread Tom Browder
On Sat, Sep 4, 2021 at 08:44 Rob wrote: > Correct me if I'm wrong but I believe what you're looking for is basically > in the FAQ: > http://httpd.apache.org/docs/current/ssl/ssl_howto.html#intranet > Thanks, Ron. I agree think seems to have the right settings combination if I back out the intrane

[users@httpd] Latest version: should I use openssl 3+

2022-02-01 Thread Tom Browder
I am upgrading from Apache 2.4.43 to 2.4.52 and using openssl from source. I currently use 1.1.1.k and would normally go to the latest LTS version 1.1.1.m; however, would it be better to move to version 3+ now? Thanks. -Tom

[users@httpd] Re: Latest version: should I use openssl 3+

2022-02-01 Thread Tom Browder
On Tue, Feb 1, 2022 at 11:06 AM Tom Browder wrote: > I am upgrading from Apache 2.4.43 to 2.4.52 and using openssl from > source. I currently use 1.1.1.k and would normally go to the latest > LTS version1.1.1.m; however, would it be better to move to version > 3+ now? Well, the ob

Re: [users@httpd] Re: Latest version: should I use openssl 3+

2022-02-05 Thread Tom Browder
On Sat, Feb 5, 2022 at 12:42 PM Christophe JAILLET wrote: > >> I am upgrading from Apache 2.4.43 to 2.4.52 and using openssl from > >> source. I currently use 1.1.1.k and would normally go to the latest > >> LTS version1.1.1.m; however, would it be better to move to version > > Well, the obvious

[users@httpd] Reverse proxy for TLS connections

2022-02-20 Thread Tom Browder
I am trying to integrate some Raku (formerly Perl 6) code to handle post TLS inputs (decrypted data) to one of my websites. How can I get access to the decrypted input via a reverse proxy? I am using macros and have successfully used CGI in multiple sites. Are CGI variables the answer instead of a r

[users@httpd] Re: Reverse proxy for TLS connections

2022-02-21 Thread Tom Browder
On Sun, Feb 20, 2022 at 06:30 Tom Browder wrote: > I am trying to integrate some Raku (formerly Perl 6) code to handle post > TLS inputs (decrypted data) to one of my websites. How can I get access to > the decrypted input via a reverse proxy? I think I see that can be done using Re

Re: [users@httpd] Re: Reverse proxy for TLS connections

2022-02-21 Thread Tom Browder
On Mon, Feb 21, 2022 at 10:16 Eric Covener wrote: ... > > I think I see that can be done using RewriteCond and friends somehow. > > It is not clear what you're asking about. Can you describe the > topology in more detail and clarify what "input" (a header? a request > body?) you need and where if

Re: [users@httpd] Re: Reverse proxy for TLS connections

2022-02-22 Thread Tom Browder
On Mon, Feb 21, 2022 at 13:34 Tom Browder wrote: > On Mon, Feb 21, 2022 at 10:16 Eric Covener wrote: Let me try to rephrase the situation and question: If I use a reverse proxy as in the basic example in the docs, does that handle https traffic also? Or does the "http://www.exa

Re: [users@httpd] Re: Reverse proxy for TLS connections

2022-02-22 Thread Tom Browder
On Tue, Feb 22, 2022 at 09:50 Eric Covener wrote: > On Tue, Feb 22, 2022 at 10:44 AM Tom Browder > wrote: > > > > On Mon, Feb 21, 2022 at 13:34 Tom Browder wrote: > >> > >> On Mon, Feb 21, 2022 at 10:16 Eric Covener wrote: > > > > >

Re: [users@httpd] Re: Reverse proxy for TLS connections

2022-02-22 Thread Tom Browder
On Tue, Feb 22, 2022 at 11:59 Eric Covener wrote: ... > The server decrypts incoming requests the same way regardless of how > it will later handle the request (static file, CGI, proxy). Okay, thanks. I'll head in that direction and see if I can get it all to work. Thank you very much, Eric, f

Re: [users@httpd] Re: Reverse proxy for TLS connections

2022-02-23 Thread Tom Browder
On Tue, Feb 22, 2022 at 12:16 Tom Browder wrote: > On Tue, Feb 22, 2022 at 11:59 Eric Covener wrote: > ... > >> The server decrypts incoming requests the same way regardless of how >> it will later handle the request (static file, CGI, proxy). > > > Okay, thanks. I

Re: [users@httpd] Re: Reverse proxy for TLS connections

2022-02-23 Thread Tom Browder
On Wed, Feb 23, 2022 at 06:03 Tom Browder wrote: … > I seem to be making some progress. I can get an A from SSL Labs, but I'm > getting a 503 response when I try to go to the website directly ( > https://gbumc.church). > I turned on DumpIO input and output and see the following

Re: [users@httpd] Re: Reverse proxy for TLS connections

2022-02-24 Thread Tom Browder
On Wed, Feb 23, 2022 at 16:04 Eric Covener wrote: ... > It could be, the full unredacted error_log entries might have more details. > I would test with curl/wget on the proxy and make sure the backend is > reachable. If curl/wget don't work, the proxy server isn't going to > work. SOLVED The r

[users@httpd] Is a home directory for the httpd user safe?

2022-02-27 Thread Tom Browder
In order to run a service behind my reverse proxy I need to have a defined user with some kind of writeable home directory. The easy choice to get started is to create a /home/apache directory for my apache user. Is that safe or should I do something else? I do have my systemd service file worki

Re: [users@httpd] Is a home directory for the httpd user safe?

2022-02-27 Thread Tom Browder
On Sun, Feb 27, 2022 at 09:11 Jeroen Verhoeckx wrote: > Why do you need a predefined user with a writeable home directory? Because that user executes the server loop behind the reverse proxy. The program running that server uses the Raku programming language which needs some default settings to

Re: [users@httpd] Is a home directory for the httpd user safe?

2022-03-01 Thread Tom Browder
On Sun, Feb 27, 2022 at 3:24 PM Stormy wrote: > > On 2022-02-27 10:31 a.m., Tom Browder wrote: > > On Sun, Feb 27, 2022 at 09:11 Jeroen Verhoeckx > > wrote: > > > >> Why do you need a predefined user with a writeable home directory? ... Sorry, I was not very c

[users@httpd] Deprecated warnings with v2.4.53

2022-05-14 Thread Tom Browder
I have tried to move from openssl 1.1.1o to 3.0.3 and am getting lots of deprecated warnings during the httpd build. I also tried when attempting http 2.4.52 and didn't complete it then either because of the same warnings. Note I have not changed my configuration settings (except the openssl versi

[users@httpd] Re: Deprecated warnings with v2.4.53

2022-05-15 Thread Tom Browder
On Sat, May 14, 2022 at 18:20 Tom Browder wrote: > I have tried to move from openssl 1.1.1o to 3.0.3 and am getting lots of > deprecated warnings during the httpd build. I also tried when Looking more closely at the build, the warnings *are* coming from the httpd code. Since they are wa

Re: [users@httpd] Re: Multi-domain with SSL - Virtualhost all need IPs?

2022-05-22 Thread Tom Browder
On Fri, May 20, 2022 at 12:09 Yehuda Katz wrote: > That is not correct. That causes httpd to try to look up the matching IP > address using DNS. Use only IP addresses or wildcards. > You should try the Apache Macro to see if it might help. I have used for years for over a dozen virtual hosts d

[users@httpd] Re: Deprecated warnings with v2.4.53

2022-05-26 Thread Tom Browder
On Sat, May 14, 2022 at 18:20 Tom Browder wrote: > I have tried to move from openssl 1.1.1o to 3.0.3 and am getting lots of > deprecated warnings during the httpd build. I also tried when attempting > http 2.4.52 and didn't complete it then either because of the same warnings.

Re: [users@httpd] Re: Deprecated warnings with v2.4.53

2022-05-27 Thread Tom Browder
On Fri, May 27, 2022 at 01:31 Deepak Goel wrote: > Please post the config & warnings... > I am still fiddling with openssl config options based on Ivan Ristic's suggestions, but I will post the config and warnings when I get a stable set of options for that and Apache. Thanks, Deepak. Best reg

Re: [users@httpd] Apache website conversion from alias to virtualhost

2022-06-08 Thread Tom Browder
On Wed, Jun 8, 2022 at 07:12 Thomas WILLIAMSON wrote: > Hello, > > I have to take over an internal Web server that has been configured by a > colleague who is no longer there. Our developers team asks me to convert > applications URLs from an *Alias* to a *Virtualhosts* (subdomain naming) > syste

[users@httpd] Managed domains: how do I get from staging to a real letsencrypt cert?

2022-06-12 Thread Tom Browder
I got a test cert installed, and Qualys SSL Labs show it. I have changed my httpd.conf line back to the actual staging site, did a graceful restart, but nothing has changed. I have inspected the md directory and don't see any issues recognizable to me. I have another server, with different vhosts,

Re: [users@httpd] Managed domains: how do I get from staging to a real letsencrypt cert?

2022-06-12 Thread Tom Browder
On Sun, Jun 12, 2022 at 08:09 Frank Gingras wrote: > Changing certificates means that you have to issue a full restart, and not > graceful. > Thanks, Frank. I tried stop then start, then restart, but no change. I also checked Qualys again--still a staging cert. (And I have checked the httpd.con

Re: [users@httpd] Managed domains: how do I get from staging to a real letsencrypt cert?

2022-06-12 Thread Tom Browder
On Sun, Jun 12, 2022 at 09:12 Tom Browder wrote: > On Sun, Jun 12, 2022 at 08:09 Frank Gingras wrote: > >> Changing certificates means that you have to issue a full restart, and >> not graceful. >> > > Thanks, Frank. I tried stop then start, then restart, but no ch

[users@httpd] [SOLVED] Re: [users@httpd] Managed domains: how do I get from staging to a real letsencrypt cert?

2022-06-12 Thread Tom Browder
On Sun, Jun 12, 2022 at 12:26 Frank Gingras wrote: > Can we see the apachectl -S output (you can munge to example.tld if > needed)? > Frank, I was able to get all working by removing the md directory, updating the httpd.conf file to use the real v2 URL instead of the staging area, doing a hard r

Re: [users@httpd] Apache website conversion from alias to virtualhost

2022-06-14 Thread Tom Browder
On Tue, Jun 14, 2022 at 02:24 Thomas WILLIAMSON < t-william...@eauxdevienne.fr> wrote: > @Tom Browder: it seems to be a Symfony and SSO issue. Our developers team > is facing issues when accessing simultaneously to different applications > hosted on the server (in different t
