[us...@httpd] Re: Apache Tomcat/httpd websites problem ?

2010-02-13 Thread Konstantin Kolinko
2010/2/13 André Warnier :
> Hi.
>
> Does anyone else experience problems accessing the Apache websites right now
> ?
> I am getting "Invalid Encoding" errors in Firefox 3.5.
>
> Content Encoding Error
> The page you are trying to view cannot be shown because it uses an invalid
> or unsupported form of compression.
>
> I would suspect a local problem, but Google, IBM and other pages seem to
> load fine.  IE also is unable to access the Apache pages.
>
> At further inspection, it seems to be due to an invalid gzip-encoded
> response.
>
>
> Example, captured using HttpFox browser plugin :
>
> Request :
> (Request-Line)  GET /tomcat-6.0-doc/index.html HTTP/1.1
> Host    tomcat.apache.org
> User-Agent      Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.1.3)
> Gecko/20090824 Firefox/3.5.3
> Accept  text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language en-gb,en;q=0.5
> Accept-Encoding gzip,deflate
> Accept-Charset  ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive      300
> Connection      keep-alive
> Range   bytes=1-
> If-Range        "d10ded-31ff-47d84a38e2700-gzip"
> Cache-Control   max-age=0
>
> Response :
> (Status-Line)   HTTP/1.1 200 OK
> Date    Sat, 13 Feb 2010 14:23:13 GMT
> Server  Apache/2.3.5 (Unix) mod_ssl/2.3.5 OpenSSL/0.9.7d mod_fcgid/2.3.2-dev
> Last-Modified   Tue, 19 Jan 2010 13:42:20 GMT
> Etag    "d10ded-31ff-47d84a38e2700-gzip"
> Accept-Ranges   bytes
> Vary    Accept-Encoding
> Content-Encoding        gzip
> Content-Range   bytes 1-12798/12799
> Content-Length  12798
> Keep-Alive      timeout=30, max=100
> Connection      Keep-Alive
> Content-Type    text/html
>
> Status line in HttpFox plugin :
>
> 00:02:23.326    0.179   483     13101   GET     200     text/html
> (NS_ERROR_INVALID_CONTENT_ENCODING)
> http://tomcat.apache.org/tomcat-6.0-doc/index.html
>

(resending, as the original message didn't reach all the recipients)

Yes, I am also seeing this error. I am using Firefox 3.6.

It occurs only with EU mirror of the site. The US mirror is running fine.

http://tomcat.eu.apache.org/
http://tomcat.us.apache.org/

More than that, the error is intermittent: refreshing the page I get

a) "Invalid Encoding" error
b) misrendered page (site search box is aligned to the left border of
the screen) (probably the stylesheet failed to load)
c) correctly rendered page


From an error page footer I see that the EU server runs Apache/2.3.5,
while US one uses Apache/2.3.3

Apache/2.3.5 (Unix) mod_ssl/2.3.5 OpenSSL/0.9.7d mod_fcgid/2.3.2-dev
Server at tomcat.apache.org Port 80
Apache/2.3.3 (Unix) mod_ssl/2.3.3 OpenSSL/0.9.7d mod_fcgid/2.3.2-dev
Server at tomcat.us.apache.org Port 80


Best regards,
Konstantin Kolinko

-
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
   "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
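
A consistency check over the response captured in this thread, as an added example (not part of the original e-mails and not httpd code). It flags the mismatch between the 200 status, the Content-Range header and the gzip encoding, then shows that a gzip stream served from byte 1 no longer decodes. The function names are hypothetical, and the demo assumes the body really was bytes 1- of the compressed page, as the Content-Range and Content-Length suggest.

```python
import gzip
import re
import zlib

# Response headers transcribed from the HttpFox capture quoted above
# (header name, whitespace, value; one header per line).
CAPTURED_RESPONSE = """\
(Status-Line)   HTTP/1.1 200 OK
Etag    "d10ded-31ff-47d84a38e2700-gzip"
Accept-Ranges   bytes
Vary    Accept-Encoding
Content-Encoding        gzip
Content-Range   bytes 1-12798/12799
Content-Length  12798
Content-Type    text/html
"""


def parse_dump(text):
    """Turn an HttpFox-style 'Name   value' dump into a lower-cased dict."""
    headers = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            headers[parts[0].lower()] = parts[1].strip()
    return headers


def check_response(headers):
    """List inconsistencies between status code, byte range and encoding."""
    status = int(headers["(status-line)"].split()[1])
    m = re.fullmatch(r"bytes (\d+)-(\d+)/(\d+)", headers.get("content-range", ""))
    if m is None or status == 206:
        return []  # no range header, or a properly labelled partial response
    first, last, total = map(int, m.groups())
    findings = [f"Content-Range present on a {status} response"]
    length = int(headers.get("content-length", -1))
    if length == last - first + 1 and length != total:
        findings.append(
            f"body is {length} of {total} bytes but is not marked partial")
    if headers.get("content-encoding") == "gzip" and first > 0:
        findings.append(
            f"gzip stream starts at byte {first}, so its header is cut off")
    return findings


def decodes_as_gzip(body):
    """True if body is a complete, valid gzip stream."""
    try:
        gzip.decompress(body)
        return True
    except (OSError, EOFError, zlib.error):
        return False


def demo():
    """Compare a whole gzip stream with the same stream minus its first byte."""
    # Constructed stand-in for the page; the real body is not in the capture.
    full = gzip.compress(b"<html>Apache Tomcat documentation</html>" * 50)
    return decodes_as_gzip(full), decodes_as_gzip(full[1:])


if __name__ == "__main__":
    for finding in check_response(parse_dump(CAPTURED_RESPONSE)):
        print("finding:", finding)
    print("full stream decodes, stream from byte 1 decodes:", demo())
```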



[users@httpd] HTTPD 2.4.25 crash in mod_proxy (ajp)

2016-12-22 Thread Konstantin Kolinko
Hi!

My configuration:

(HTTPS) -> HTTPD -> mod_proxy_ajp -> Apache Tomcat

running on Windows 7, using 32-bit version of HTTPD built by Apache Lounge
http://www.apachelounge.com/download/

Apache 2.4.25 Win32
 httpd-2.4.25-win32-VC14.zip 20 Dec '16 13.873K

(Actually the binary itself logs that its build date is 17 Dec:
AH00456: Apache Lounge VC14 Server built: Dec 17 2016 10:42:52


After upgrade from 2.4.23 to 2.4.25 every request that is proxied to
Tomcat results in crash and restart of server child process.

At the server side I see that Windows generates a crash report
(displays an UI dialog prompting to send a report to MS) and a child
process crash is mentioned in HTTPD error log.

From client's view the request is just processed slowly. It does
receive correct response, just waiting several seconds longer than
usual.


Requests that are not proxied (e.g. requests for static files, DAV
requests) are served correctly.


Fragment of HTTP error log:

[Thu Dec 22 15:08:12.015452 2016] [mpm_winnt:notice] [pid 5140:tid
364] AH00455: Apache/2.4.25 (Win32) OpenSSL/1.0.2j SVN/1.8.17
configured -- resuming normal operations
[Thu Dec 22 15:08:12.015452 2016] [mpm_winnt:notice] [pid 5140:tid
364] AH00456: Apache Lounge VC14 Server built: Dec 17 2016 10:42:52
[Thu Dec 22 15:08:12.015452 2016] [core:notice] [pid 5140:tid 364]
AH00094: Command line: 'D:\\Programs\\Server\\Apache2\\bin\\httpd.exe
-d D:/Programs/Server/Apache2'
[Thu Dec 22 15:08:12.031052 2016] [mpm_winnt:notice] [pid 5140:tid
364] AH00418: Parent: Created child process 3424
[Thu Dec 22 15:08:15.681459 2016] [mpm_winnt:notice] [pid 3424:tid
256] AH00354: Child: Starting 30 worker threads.
[Thu Dec 22 15:08:36.445095 2016] [mpm_winnt:notice] [pid 5140:tid
364] AH00428: Parent: child process 3424 exited with status 255 --
Restarting.
[Thu Dec 22 15:08:37.615097 2016] [mpm_winnt:notice] [pid 5140:tid
364] AH00455: Apache/2.4.25 (Win32) OpenSSL/1.0.2j SVN/1.8.17
configured -- resuming normal operations
[Thu Dec 22 15:08:37.615097 2016] [mpm_winnt:notice] [pid 5140:tid
364] AH00456: Apache Lounge VC14 Server built: Dec 17 2016 10:42:52
[Thu Dec 22 15:08:37.615097 2016] [core:notice] [pid 5140:tid 364]
AH00094: Command line: 'D:\\Programs\\Server\\Apache2\\bin\\httpd.exe
-d D:/Programs/Server/Apache2'
[Thu Dec 22 15:08:37.615097 2016] [mpm_winnt:notice] [pid 5140:tid
364] AH00418: Parent: Created child process 2244
[Thu Dec 22 15:08:41.390304 2016] [mpm_winnt:notice] [pid 2244:tid
256] AH00354: Child: Starting 30 worker threads.
[Thu Dec 22 15:08:54.546343 2016] [mpm_winnt:notice] [pid 5140:tid
364] AH00428: Parent: child process 2244 exited with status 255 --
Restarting.

Fragment of MS crash report summary
Note: all *.Name entries were in a different language, I translated
them into English below.

Sig[0].Name=Application name
Sig[0].Value=httpd.exe
Sig[1].Name=Application version
Sig[1].Value=2.4.25.0
Sig[2].Name=Application timestamp
Sig[2].Value=585506f4
Sig[3].Name=Failed module name
Sig[3].Value=mod_proxy.so
Sig[4].Name=Failed module version
Sig[4].Value=2.4.25.0
Sig[5].Name=Failed module timestamp
Sig[5].Value=585508a2
Sig[6].Name=Exception code
Sig[6].Value=c005
Sig[7].Name=Exception offset
Sig[7].Value=6567


Proxy configuration looks like the following:


ProxyRequests off


ProxyPass ajp://127.0.0.1:8009/foo
# Auth and Require directives here...



ProxyPass ajp://127.0.0.1:8009/bar
# Auth and Require directives here...




Best regards,
Konstantin Kolinko




Re: [users@httpd] HTTPD 2.4.25 crash in mod_proxy (ajp)

2016-12-22 Thread Konstantin Kolinko
2016-12-23 1:38 GMT+03:00 Rainer Jung :
> OK, looking closer at the suggested patch I see it fixes trace2-Logging.
> When I activate e.g. trace8, I do get the expected crash in
> ap_proxy_check_connection.
>
> @Konstantin: do you have LogLevel trace2 or higher? If so, do you also see
> crashes with trace1 or lower?

I have "LogLevel warn". (That line is the same as in default httpd.conf file).

I cannot build the Windows binaries.

I reproduced this with a simple configuration:
I created a repository with binaries and configuration at GitHub:
https://github.com/kkolinko/test_20161222

Configuration:
- defaults
- change listen address and port number (127.0.0.1:9090)
- change listen address in Tomcat (127.0.0.1)
- enable mod_proxy, mod_proxy_ajp
- configure proxying for examples webapp.

Reproduction:
- Start servers
- Browse to http://127.0.0.1:9090/examples/
- Refresh the page (F5). If it matters, the browser is Firefox 50.1.0


Notes:
1. Running the reproducing recipe from
https://github.com/kkolinko/test_20161222 on Windows 10:

- There is no "send crash report to MS" dialog, but the crash line in
the log and response delay are the same.
- The exit code mentioned in the log is different:
AH00428: Parent: child process 4576 exited with status 3221225477 -- Restarting.
- I am closing server consoles with Ctrl+C. There is some oddity
following "Apache server interrupted..." line in error.log.
The text is mangled, as if two processes are trying to write to the
same log file.


Complete log files:
== access.log:

127.0.0.1 - - [23/Dec/2016:04:20:01 +0300] "GET /examples/ HTTP/1.1" 200 1285
127.0.0.1 - - [23/Dec/2016:04:20:08 +0300] "GET /examples/ HTTP/1.1" 304 -

== error.log

[Fri Dec 23 04:19:48.411938 2016] [mpm_winnt:notice] [pid 7036:tid
532] AH00455: Apache/2.4.25 (Win32) configured -- resuming normal
operations
[Fri Dec 23 04:19:48.413938 2016] [mpm_winnt:notice] [pid 7036:tid
532] AH00456: Apache Lounge VC14 Server built: Dec 17 2016 10:42:52
[Fri Dec 23 04:19:48.413938 2016] [core:notice] [pid 7036:tid 532]
AH00094: Command line: 'Apache24\\bin\\httpd.exe -d
D:/test_20161222/Apache24'
[Fri Dec 23 04:19:48.418938 2016] [mpm_winnt:notice] [pid 7036:tid
532] AH00418: Parent: Created child process 4576
[Fri Dec 23 04:19:50.969085 2016] [mpm_winnt:notice] [pid 4576:tid
540] AH00354: Child: Starting 64 worker threads.
[Fri Dec 23 04:20:06.617748 2016] [mpm_winnt:notice] [pid 7036:tid
532] AH00428: Parent: child process 4576 exited with status 3221225477
-- Restarting.
[Fri Dec 23 04:20:06.672751 2016] [mpm_winnt:notice] [pid 7036:tid
532] AH00455: Apache/2.4.25 (Win32) configured -- resuming normal
operations
[Fri Dec 23 04:20:06.672751 2016] [mpm_winnt:notice] [pid 7036:tid
532] AH00456: Apache Lounge VC14 Server built: Dec 17 2016 10:42:52
[Fri Dec 23 04:20:06.672751 2016] [core:notice] [pid 7036:tid 532]
AH00094: Command line: 'Apache24\\bin\\httpd.exe -d
D:/test_20161222/Apache24'
[Fri Dec 23 04:20:06.676751 2016] [mpm_winnt:notice] [pid 7036:tid
532] AH00418: Parent: Created child process 2136
Apache server interrupted...
016] [mpm_winnt:notice] [pid 2136:tid 4] AH00354: Child: Starting 64
worker threads.
[Fri Dec 23 04:20:16.267611 2016] [mpm_winnt:notice] [pid 7036:tid
532] AH00422: Parent: Received shutdown signal -- Shutting down the
server.
[Fri Dec 23 04:20:18.269834 2016] [mpm_winnt:notice] [pid 2136:tid 4]
AH00364: Child: All worker threads have exited.
[Fri Dec 23 04:20:18.306863 2016] [mpm_winnt:notice] [pid 7036:tid
532] AH00430: Parent: Child process 2136 exited successfully.



2. Running HTTPD on Windows 7 as a service, there is notable delay
when I stop the service.
Log says:

[Fri Dec 23 02:30:45.867800 2016] [mpm_winnt:notice] [pid 2484:tid
352] AH00422: Parent: Received shutdown signal -- Shutting down the
server.
[Fri Dec 23 02:31:15.882252 2016] [mpm_winnt:notice] [pid 2484:tid
352] AH00431: Parent: Forcing termination of child process 1848


Best regards,
Konstantin Kolinko
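
A log check for the two failure signatures reported in this message, as an added example (not part of the original e-mail and not httpd code). It re-joins the wrapped error.log lines, flags AH00428 child exits and AH00431 forced terminations, and decodes the exit status: 3221225477 is 0xC0000005, the Windows access-violation code. The function names are hypothetical; the sample records are copied from the excerpts above.

```python
import re
from datetime import datetime

# Sample input: records copied from the error.log excerpts in the message above
# (Windows 10 console run, then Windows 7 service run), still wrapped the way
# the e-mail wrapped them.
SAMPLE_LOG = """\
[Fri Dec 23 04:19:48.418938 2016] [mpm_winnt:notice] [pid 7036:tid
532] AH00418: Parent: Created child process 4576
[Fri Dec 23 04:19:50.969085 2016] [mpm_winnt:notice] [pid 4576:tid
540] AH00354: Child: Starting 64 worker threads.
[Fri Dec 23 04:20:06.617748 2016] [mpm_winnt:notice] [pid 7036:tid
532] AH00428: Parent: child process 4576 exited with status 3221225477
-- Restarting.
[Fri Dec 23 02:30:45.867800 2016] [mpm_winnt:notice] [pid 2484:tid
352] AH00422: Parent: Received shutdown signal -- Shutting down the
server.
[Fri Dec 23 02:31:15.882252 2016] [mpm_winnt:notice] [pid 2484:tid
352] AH00431: Parent: Forcing termination of child process 1848
"""

RECORD_START = re.compile(r"^\[[A-Z][a-z]{2} [A-Z][a-z]{2} \d{2} ")
RECORD = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>\w+):(?P<level>\w+)\] "
    r"\[pid (?P<pid>\d+):tid (?P<tid>\d+)\] (?P<code>AH\d{5}): (?P<msg>.*)$")
# NTSTATUS values worth naming; only the one seen in this thread is listed.
NTSTATUS = {0xC0000005: "STATUS_ACCESS_VIOLATION"}


def unwrap(text):
    """Join wrapped continuation lines back onto the record they belong to."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse(text):
    """Yield one dict per well-formed record; mangled lines are skipped."""
    for rec in unwrap(text):
        m = RECORD.match(rec)
        if m:
            d = m.groupdict()
            d["time"] = datetime.strptime(d["ts"], "%a %b %d %H:%M:%S.%f %Y")
            yield d


def describe_status(status):
    """Render an exit status; values >= 0x80000000 are shown as NTSTATUS."""
    if status >= 0x80000000:
        return f"0x{status:08X} ({NTSTATUS.get(status, 'unrecognised NTSTATUS')})"
    return f"exit code {status}"


def find_child_failures(text):
    """Return crash and forced-termination events found in an error.log."""
    created, shutdown, events = {}, {}, []
    for r in parse(text):
        code, msg = r["code"], r["msg"]
        if code == "AH00418":      # parent created a child
            m = re.search(r"Created child process (\d+)", msg)
            if m:
                created[m.group(1)] = r["time"]
        elif code == "AH00422":    # parent received the shutdown signal
            shutdown[r["pid"]] = r["time"]
        elif code == "AH00428":    # child died and was restarted
            m = re.search(r"child process (\d+) exited with status (\d+)", msg)
            if m:
                child, status = m.group(1), int(m.group(2))
                born = created.get(child)
                events.append({
                    "kind": "child_crash", "child": child, "status": status,
                    "status_text": describe_status(status),
                    "lifetime_s": (r["time"] - born).total_seconds() if born else None})
        elif code == "AH00431":    # child ignored shutdown and was killed
            m = re.search(r"Forcing termination of child process (\d+)", msg)
            if m:
                asked = shutdown.get(r["pid"])
                events.append({
                    "kind": "forced_termination", "child": m.group(1),
                    "wait_s": (r["time"] - asked).total_seconds() if asked else None})
    return events


if __name__ == "__main__":
    for event in find_child_failures(SAMPLE_LOG):
        print(event)
```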




Re: [users@httpd] HTTPD 2.4.25 crash in mod_proxy (ajp)

2016-12-23 Thread Konstantin Kolinko
BCC: Steffen

2016-12-23 14:14 GMT+03:00 Rainer Jung :
> Am 23.12.2016 um 00:43 schrieb Yann Ylavic:
>>
>> On Fri, Dec 23, 2016 at 12:11 AM, Rainer Jung 
>> wrote:
>>>
>>> Am 22.12.2016 um 23:56 schrieb Yann Ylavic:
>>>>
>>>>
>>>> I was thinking about always using the new code, maybe with an "if
>>>> APLOGtrace2(s)" around to save a getsockname() call when not needed.
>>>
>>>
>>> I see, thanks.
>>
>>
>> Committed in r1775775, and proposed for backport to 2.4.x.
>
>
> Steffen from ApacheLounge recompiled mod_proxy.so for 2.4 including that
> fix. I handed over the new mod_proxy.so for Windows to Konstantin and
> hopefully he can do a quick retest.
>

Thank you!

1. Good news:

I tried with this mod_proxy.so  and request processing issue is fixed.

No reports of a child process crash (at server side), and no delays in
request processing (from client's point of view).

I tested both simple configuration (Windows 10) that I published on
GitHub and original server configuration (Windows 7).


2. Oddities at shutdown that I also mentioned are still there.

I mean the following:
- On Windows 7 (running as service, complex configuration):
"AH00431: Parent: Forcing termination of child process" log message

I do not see such message in old logs from 2.4.23.

Maybe the process is still broken, although it did not crash?


- On Windows 10 (running as console, simple configuration example - GitHub):

Before I hit Ctrl+C the error.log file is as follows:
(I added additional line breaks to separate lines that are wrapped in e-mail.)
[[[
[Fri Dec 23 14:53:15.097194 2016] [mpm_winnt:notice] [pid 2564:tid
496] AH00455: Apache/2.4.25 (Win32) configured -- resuming normal
operations

[Fri Dec 23 14:53:15.099195 2016] [mpm_winnt:notice] [pid 2564:tid
496] AH00456: Apache Lounge VC14 Server built: Dec 17 2016 10:42:52

[Fri Dec 23 14:53:15.099195 2016] [core:notice] [pid 2564:tid 496]
AH00094: Command line: 'Apache24\\bin\\httpd.exe -d
D:/test_20161222/Apache24'

[Fri Dec 23 14:53:15.103194 2016] [mpm_winnt:notice] [pid 2564:tid
496] AH00418: Parent: Created child process 4356

[Fri Dec 23 14:53:17.337322 2016] [mpm_winnt:notice] [pid 4356:tid
560] AH00354: Child: Starting 64 worker threads.
]]]

After I hit Ctrl+C in HTTPD console window, it becomes:
(I added additional line breaks to separate lines that are wrapped in e-mail.)
[[[
[Fri Dec 23 14:53:15.097194 2016] [mpm_winnt:notice] [pid 2564:tid
496] AH00455: Apache/2.4.25 (Win32) configured -- resuming normal
operations

[Fri Dec 23 14:53:15.099195 2016] [mpm_winnt:notice] [pid 2564:tid
496] AH00456: Apache Lounge VC14 Server built: Dec 17 2016 10:42:52

[Fri Dec 23 14:53:15.099195 2016] [core:notice] [pid 2564:tid 496]
AH00094: Command line: 'Apache24\\bin\\httpd.exe -d
D:/test_20161222/Apache24'

[Fri Dec 23 14:53:15.103194 2016] [mpm_winnt:notice] [pid 2564:tid
496] AH00418: Parent: Created child process 4356

Apache server interrupted...

016] [mpm_winnt:notice] [pid 4356:tid 560] AH00354: Child: Starting 64
worker threads.

[Fri Dec 23 14:55:05.467693 2016] [mpm_winnt:notice] [pid 2564:tid
496] AH00422: Parent: Received shutdown signal -- Shutting down the
server.

[Fri Dec 23 14:55:07.515308 2016] [mpm_winnt:notice] [pid 4356:tid
560] AH00364: Child: All worker threads have exited.

[Fri Dec 23 14:55:07.612380 2016] [mpm_winnt:notice] [pid 2564:tid
496] AH00430: Parent: Child process 4356 exited successfully.
]]]

The "Apache server interrupted..." line appears in the middle of the
file, overwriting some of existing text.

Usually I do not run HTTPD in console mode (httpd.exe -w), so I do not
know whether this logging oddity is a new issue.

Best regards,
Konstantin Kolinko




Re: [users@httpd] HTTPD 2.4.25 crash in mod_proxy (ajp)

2016-12-23 Thread Konstantin Kolinko
BCC: Steffen

I did quick tests to verify whether shutdown issues are related to
mod_proxy.  They are not related.

2016-12-23 15:01 GMT+03:00 Konstantin Kolinko :
>
> 2. Oddities at shutdown that I also mentioned are still there.
>
> I mean the following:
> - On Windows 7 (running as service, complex configuration):
> "AH00431: Parent: Forcing termination of child process" log message
>
> I do not see such message in old logs from 2.4.23.
>
> Maybe the process is still broken, although it did not crash?

Quick test:

1) Start server service, Stop server service   (No HTTPS requests served)

No issue.

[Fri Dec 23 15:06:22.542629 2016] [mpm_winnt:notice] [pid 2636:tid
364] AH00422: Parent: Received shutdown signal -- Shutting down the
server.
[Fri Dec 23 15:06:24.570633 2016] [mpm_winnt:notice] [pid 3996:tid
256] AH00364: Child: All worker threads have exited.
[Fri Dec 23 15:06:24.648633 2016] [mpm_winnt:notice] [pid 2636:tid
364] AH00430: Parent: Child process 3996 exited successfully.

2) Start server service, Request a static page (root page of the
site), Stop server service.

The child process does not stop and is forcibly terminated.

[Fri Dec 23 15:07:02.353899 2016] [mpm_winnt:notice] [pid 3084:tid
364] AH00422: Parent: Received shutdown signal -- Shutting down the
server.
[Fri Dec 23 15:07:32.368352 2016] [mpm_winnt:notice] [pid 3084:tid
364] AH00431: Parent: Forcing termination of child process 5564

So this issue is real, but it is not related to mod_proxy.


> - On Windows 10 (running as console, simple configuration example - GitHub):
>
> Before I hit Ctrl+C the error.log file is as follows:
> (I added additional line breaks to separate lines that are wrapped in e-mail.)
> ...
> After I hit Ctrl+C in HTTPD console window, it becomes:
> (I added additional line breaks to separate lines that are wrapped in e-mail.)
> ...
>
> The "Apache server interrupted..." line appears in the middle of the
> file, overwriting some of existing text.
>

Quick test:

1) Start server service, Stop server service   (No HTTPS requests served)

This issue is observed.
("Apache server interrupted..." line appears in the middle of the file).

So this oddity is real, but it is not related to mod_proxy, not
related to processing of HTTP requests.

Maybe this is not a real issue, just an oddity.


Best regards,
Konstantin Kolinko




Re: [users@httpd] Configuring redirects httpd behind a TLS-terminating proxy

2017-01-24 Thread Konstantin Kolinko
2017-01-24 1:07 GMT+03:00 Christopher Schultz :
>
> I've got an EC2 instance behind a load balancer where TLS is being
> terminated. I've arranged for two separate httpd (2.4.25)
> VirtualHosts: one for the secure connections (proxied from the lb) and
> another for the non-secure connections.
>
> I have a Redirect directive that isn't behaving as I'd like it to behave
> :
>
> RedirectMatch permanent ^/$ /site/
>
> I have the same redirect in both VirtualHosts. The redirect itself
> works, but it doesn't preserve the secure-protocol when I'm using the
> secure VirtualHost.
>
[]
>
> I'm expecting httpd to redirect a request from
> "https://www.example.com/" to "https://www.example.com/site/" but
> instead I'm getting redirected to "http://www.example.com/site/".
>
> Can anyone see anything wrong with my configuration? Or do I have a
> misunderstanding of how RedirectMatch will build its relative URLs?

If that VirtualHost is accessed only by your lb, you should look at
ServerName directive. It can include a scheme.

http://httpd.apache.org/docs/2.4/mod/core.html#servername
[quote]
Sometimes, the server runs behind a device that processes SSL, such as
a reverse proxy, load balancer or SSL offload appliance. When this is
the case, specify the https:// scheme and the port number to which the
clients connect in the ServerName directive to make sure that the
server generates the correct self-referential URLs.
[/quote]


(Source code:
mod_alias.c/int fixup_redir(request_rec *r)
http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/mappers/mod_alias.c?view=markup#l679
-> calls ap_construct_url(), declared in include/http_core.h, implemented in
http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/core.c?revision=1772678&view=markup#l1194
-> calls ap_http_scheme(r), declared in include/httpd.h as
#define ap_http_scheme(r) ap_run_http_scheme(r)
-> It is a hook API, a method that can be implemented in a module.
http://marc.info/?t=13116506531&r=1&w=2
-> Implementation:
http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/http/http_core.c?revision=1757669&view=markup#l113
-> Calls
r->server->server_scheme
)

Best regards,
Konstantin Kolinko




Re: [users@httpd] Error nghttp2 version is too old

2017-03-15 Thread Konstantin Kolinko
The source code:

https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/http2/config2.m4?revision=1779742&view=markup#l124

> AC_MSG_CHECKING([for nghttp2 version >= 1.2.1])

Just prints the "Checking..." message. The actual check is below -
compilation of some snippet.

> AC_TRY_COMPILE([#include ],[

If compilation and test succeed then the following assignment happens:
"ac_cv_nghttp2=yes".


Apparently the compilation and test failed, and the variable was not assigned.

The following block

> if test "x$ac_cv_nghttp2" = "xyes"; then
> [ a lot of lines checking capabilities and setting some flags ]
> else
>   AC_MSG_WARN([nghttp2 version is too old])
> fi

The "if" branch was skipped and "else" branch printed the warning.


I suggest you check what is the actual value of NGHTTP2_VERSION_NUM.


> checking for user-provided nghttp2 base directory...

Try to specify the path explicitly,
  --with-nghttp2=PATH


2017-03-15 2:15 GMT+03:00 John Iliffe :
> I'm not sure it is evident that there is a question buried in the note
> below so here is a precis of what I asked:
>
> 1.  the requirement is for nghttp2 at level 1.2.1 whereas I have nghttp2
> 1.13.0 installed.  Why is that considered lower than the requirement?
>
> 2.  assuming (always a bad idea) that the problem is that the compiler is
> checking for some specific link in the nghttp2 library, is it likely that
> what I really need to do is install a back level, and if so, any idea what
> it is looking for?  ..or what back level is required?
>
> Sorry for the confusion.
>
> John
> 
> On Tuesday 14 March 2017 10:25:27 you wrote:
>> OK, I will have to see what I can do with Fedora, probably not much in
>> this case.
>>
>> My question though was that the version I have is 1.13.0 according to
>> rpm. That would seem to be higher than 1.2.1 so why would the compiler
>> complain? I assume that it has an internal requirement on the library
>> that it didn't find?
>>
>> In that case it might be necessary to back off a few levels to find
>> whatever the compiler wants?
>>
>> Regards,
>>
>> John
>> =
>>
>> > On Tuesday 14 March 2017 02:39:23 you wrote:
>> > > You really need to approach your package maintainer, I picked up
>> > > nghttp2 around that same point a year ago and never had an issue.
>> > >
>> > > Anything to do with rpm installs is on the maintainer, and has
>> > > nothing to do with this project, sorry we can't be of more help.
>> > >
>> > > On Sun, Mar 12, 2017 at 3:12 PM, John Iliffe 
>>
>> wrote:
>> > > > I am trying to compile Apache 2.4.25 on Fedora 25 Linux.
>> > > >
>> > > > The current version of nghttp2 is installed:
>> > > >
>> > > > -
>> > > > [John@prod04 httpd-2.4.25]$ rpm -qv nghttp2
>> > > > nghttp2-1.13.0-2.fc25.x86_64
>> > > > -
>> > > >
>> > > > -
>> > > > /usr/lib64/libnghttp2.so.14
>> > > > /usr/lib64/libnghttp2.so.14.9.0
>> > > > -
>> > > >
>> > > > To me, these would both seem to be greater than 1.2.1, but I am
>> > > > getting this error from configure:
>> > > >
>> > > > --
>> > > > checking for nghttp2... checking for user-provided nghttp2 base
>> > > > directory... none
>> > > > checking for pkg-config along ... checking for nghttp2 version >=
>> > > > 1.2.1... FAILED
>> > > > configure: WARNING: nghttp2 version is too old
>> > > > no
>> > > > checking whether to enable mod_http2... configure: error:
>> > > > mod_http2 has been requested but can not be built due to
>> > > > prerequisite failures
>> > > > 
>> > > >
>> > > > These are the currently available versions from the Fedora
>> > > > repository.
>> > > >
>> > > > Has anyone any suggestions as to why this might be occurring?
>> > > >
>> > > > Thanks in advance.
>> > > >
>> > > > John
>> > > > ===
>> > > >



Re: [users@httpd] Hiding Apache version info on the Aix server for Apache.

2017-03-15 Thread Konstantin Kolinko
2017-03-14 14:56 GMT+03:00 Chunduru, Krishnachaithanya
:
> Hi All,
>
>
>
> Can anyone please let me know how to hide the apache version and the OS name
> running on Aix server.
>
>
>
> The servertokens or the server signature fields are set to PROD and
> signature off, then I tried restarting the httpd but apache was not starting
> until these two parameters are removed from the config file.

Thus your edits have an effect. Good.

What are the actual lines, and what was the actual error message?

Check your spelling.  Copy-paste from documentation, if possible.

Try to search if other configuration files define those directives.
(The files included into main httpd.conf file with "Include" directive).


Best regards,
Konstantin Kolinko




Re: [users@httpd] Lock down backuppc to an ip, and too ensure that an htpassword is presented

2017-03-31 Thread Konstantin Kolinko
2017-03-31 13:48 GMT+03:00 Brent Clark :
> Good day Guys
>
> I'm trying to ensure a 'belt and braces' security solution for my backuppc.
>
> What I'm trying to do is ensure that I lock down backuppc to an IP, and
> to ensure that an htpassword is presented.
>
> Please could someone review my config, for htpasswd is presented in my
> browser, but 'Require ip' is not working / blocking.
>
> https://pastebin.com/RUY8WBRn
>
> If someone could assist, it would be appreciated.

Version = ?

See docs for directives "Satisfy All" (2.2 and earlier), "" (2.4 +).




Re: [users@httpd] Odd Date in http2 header

2017-04-07 Thread Konstantin Kolinko
2017-04-07 7:19 GMT+03:00 John Iliffe :
> I just enabled http2 on our server and tested using curl.  The test page is
> a static html page with nothing but some random characters on it, and no
> css or other secondary accesses.
>
> The protocol line is set to allow http2
> Protocols h2 h2c http/1.1
>
> Everything seems to work with the exception of the date.  The first file
> following is the result of a curl head request BEFORE activating mod_http2
> and the second one is after doing so.  No other change to the httpd.conf
> file.
>
> -without http2 being available--
> curl --http2 -I http://192.168.1.6:/yrarc/yrex0001.html
> HTTP/1.1 200 OK
> Date: Fri, 07 Apr 2017 03:42:12 GMT<-
> Server: Apache
> X-Frame-Options: SAMEORIGIN
> Last-Modified: Sun, 26 Mar 2017 03:12:45 GMT
> ETag: "c14-54bbf581b"
> Accept-Ranges: bytes
> Content-Length: 3092
> Content-Type: text/html
>
>
> ---with mod_http2 enabled--
> curl --http2 -I http://192.168.1.6:/yrarc/yrex0001.html
> HTTP/1.1 101 Switching Protocols
> Upgrade: h2c
> Connection: Upgrade
>
> HTTP/2 200
> date: Sun, 00 Jan 1900 00:00:00 GMT   <-
> server: Apache
> x-frame-options: SAMEORIGIN
> last-modified: Sun, 26 Mar 2017 03:12:45 GMT
> etag: W/"c14-54bbf581b"
> accept-ranges: bytes
> content-length: 3092
> content-type: text/html
>
> Does anyone know why the date (arrowed) should be wrong and if it would
> make any difference in the server operation?  Or maybe what am I missing?

1. What is exact version of your server?

2. If you say that "No other change to the httpd.conf file", what
caused the difference in ETag value?

3. Overall, this is strange.
If you do an HTTP/1.1 request (using curl without "--http2" flag),
does it respond with a correct Date header?

4. I wonder, whether the behaviour is affected by H2SerializeHeaders directive.
http://httpd.apache.org/docs/2.4/mod/mod_http2.html#h2serializeheaders

Best regards,
Konstantin Kolinko




Re: [users@httpd] How to benchmark ChaCha20-Poly1305 capable websites using Apache Benchmark (ab) tool?

2017-07-25 Thread Konstantin Kolinko
2017-07-25 14:52 GMT+03:00 Matt Holdsworth :
> I'm trying to use 'ab' to do some performance benchmarks of my website after 
> having made some performance tweaks.
>
> Specifically, I'd like to test the difference in performance between the 
> following cipher suites - all supported by my website:
>
> ECDHE-RSA-AES128-GCM-SHA256
> ECDHE-ECDSA-AES128-GCM-SHA256
> ECDHE-ECDSA-CHACHA20-POLY1305
>
> The three commands that I've tried are:
>
> ab -l -n 1000 -c 10 -H "Accept-Encoding: gzip, deflate, br" -Z 
> ECDHE-RSA-AES128-GCM-SHA256 https://bytes.fyi/
> ab -l -n 1000 -c 10 -H "Accept-Encoding: gzip, deflate, br" -Z 
> ECDHE-ECDSA-AES128-GCM-SHA256 https://bytes.fyi/
> ab -l -n 1000 -c 10 -H "Accept-Encoding: gzip, deflate, br" -Z 
> ECDHE-ECDSA-CHACHA20-POLY1305 https://bytes.fyi/
>
> The first two work fine, but the third generates the following error:
>
> error setting cipher list [ECDHE-ECDSA-CHACHA20-POLY1305]
> 1995798240:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher 
> match:ssl_lib.c:1385:
> I think my versions of ab and openssl are both up-to-date enough to support 
> the test:
>
> pi@pi3:~ $ which ab && ab -V
> /usr/bin/ab
> This is ApacheBench, Version 2.3 <$Revision: 1757674 $>

1. Looking at http://svn.apache.org/r1757674
(Thu Aug 25 12:53:03 2016 UTC)
and history of httpd/httpd/branches/2.4.x/support/ab.c file that was
changed in that revision,

I think your version of AB does not support OpenSSL 1.1.0 at all,
as support for 1.1.0 was added by later revisions of that file,

http://svn.apache.org/viewvc?view=revision&revision=1787728
"Support OpenSSL 1.1.0"


> Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
> Licensed to The Apache Software Foundation, http://www.apache.org/
>
> pi@pi3:~ $ which openssl && openssl version
> /usr/bin/openssl
> OpenSSL 1.1.0f  25 May 2017
>
> The docs for Apache Benchmark don't give much detail on how to check/modify 
> the available cipher suites that can be specified:
>
> -Z ciphersuite
> Specify SSL/TLS cipher suite (See openssl ciphers)

2. Maybe it is also worth trying "-f TLS1.2". Though as the two other
ciphers work, maybe you do not need it.
https://httpd.apache.org/docs/2.4/programs/ab.html


> I think the above implies that I should be able to use any of the cipher 
> suites listed by the openssl ciphers command?
>
> All three of my target cipher suites are indeed listed, so I'm confused why 
> my ab test is failing for the ECDHE-ECDSA-CHACHA20-POLY1305 suite.
>
> Any tips would be much appreciated!
>
> Btw, I asked the same question on superuser.com, here:
>
> https://superuser.com/questions/1231720/how-to-benchmark-chacha20-poly1305-capable-websites-using-apache-benchmark-ab
>

Best regards,
Konstantin Kolinko




Re: [users@httpd] RewriteRule : Altering the current protocol

2017-08-08 Thread Konstantin Kolinko
2017-08-07 18:42 GMT+03:00 Philippe Busque :
> Hello,
> I have a configuration question regarding RewriteRule.
>
> We have a SSL terminator in front of our Apache, which redirect traffic to
> different port based virtual host depending on which protocol the connection
> came from.
> As a result, Apache is only responding to HTTP requests.
>
> We have RewriteRule that perform relative 301 and 302 redirections.
>
> Example: RewriteRule ^/deprecatedPage.html$ / [R=301,L,E=nocache:1]
>
> According to the documentations:
> "If a fully-qualified URL is specified (that is, including
> http://servername/) then a redirect will be issued to that location.
> Otherwise, the *current protocol*, servername, and port number will be used
> to generate the URL sent with the redirect. "
>
> Because of the current protocol clause, all URLs that are sent to a https
> address are redirected back to http. We have a catch-all http to https
> redirection too, but that causes two redirections in a row we would like to
> avoid.
>
> Other than inputting the absolute URL to the destination, is it possible to
> change the 'current protocol' so that mod_rewrite puts https rather than
> http?
>
> I tried SetEnv SERVER_PROTOCOL=https  without success.

It sounds similar to the question that I answered in January:

http://markmail.org/message/a43q65rmszqf5t4j
[users@httpd] Configuring redirects httpd behind a TLS-terminating proxy
Jan 23, 2017 2:07:13 pm

Solved by configuring ServerName to include https protocol.
http://httpd.apache.org/docs/2.4/mod/core.html#servername

Best regards,
Konstantin Kolinko




Re: [users@httpd] X-Forwarded-For header is missing

2017-11-07 Thread Konstantin Kolinko
2017-11-07 9:34 GMT+03:00 Surendhar Thallapelly :
> Hi Team,
>
> I configured apache http web server to redirect incoming WEBSERVICE call to
> another backend application server, X-Forwarded-For is missing(webserver ip)
> in backend call.
>
> I have configured below in my webserver httpd.conf file.
>
> ProxyPass /TestProject http://10.160.160.33:2914/TestProject
> ProxyPassReverse /TestProject http://10.160.160.33:2914/TestProject
>

1. Version of Apache HTTP server = ?
2. What is your configuration of ProxyAddHeaders directive?

http://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxyaddheaders


Best regards,
Konstantin Kolinko




Re: [users@httpd] X-Forwarded-For header is missing

2017-11-08 Thread Konstantin Kolinko
2017-11-07 21:44 GMT+03:00 Surendhar Thallapelly :
> Hi Konstantin,
>
>> Hi Team,
>>
>> I configured apache http web server to redirect incoming WEBSERVICE call
>> to
>> another backend application server, X-Forwarded-For is missing(webserver
>> ip)
>> in backend call.
>>
>> I have configured below in my webserver httpd.conf file.
>>
>> ProxyPass /TestProject http://10.160.160.33:2914/TestProject
>> ProxyPassReverse /TestProject http://10.160.160.33:2914/TestProject
>>
>
> 1. Version of Apache HTTP server = ? 2.2 & 2.4 both of versions it didn't
> work
> 2. What is your configuration of ProxyAddHeaders directive?
>
> http://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxyaddheaders
>
> ProxyAddHeaders On
>
> I also enabled
> LoadModule proxy_module modules/mod_proxy.so
> LoadModule proxy_http_module modules/mod_proxy_http.so
>
> X-Forwarded-Host is working showing in my backend call, only X-Forwarded-For
> is missing.  I am also attaching my complete http.conf(2.4 version) file for
> your review, please review and help me.


Maybe the "X-Forwarded-For" is sent by Apache HTTPD, but is processed
and removed by your backend?

E.g. in Apache Tomcat if a RemoteIpValve is configured,
it will process and hide this header from underlying web applications,
while its original value is still visible in Access Log and can be
logged with %{xxx}i

http://tomcat.apache.org/tomcat-8.5-doc/config/valve.html#Remote_IP_Valve


(BTW,
it is odd how you place your "ProxyAddHeaders On" directive at the top
of the file.

My expectation is that the directive should be moved below relevant
"LoadModule" line,
or the configuration fails to load.
)

Best regards,
Konstantin Kolinko




Re: [users@httpd] Remote_Port not recognized by SetEnvIf?

2017-11-23 Thread Konstantin Kolinko
2017-11-23 14:07 GMT+03:00 Daniel :
> Hello,
>
> I'm trying to make a test using the REMOTE_PORT variable introduced in
> 2.4.26 according to the docs:
> http://httpd.apache.org/docs/2.4/expr.html#vars
>
> Problem I find is I can set this up easily with mod_rewrite.
>
> "
> RewriteEngine on
> RewriteRule .* - [E=REMOTE_PORT:%{REMOTE_PORT},NE]
> Header set RPHdrname %{REMOTE_PORT}e
> "
>
> But SetEnvIf does not recognize Remote_Port.
> Docs do not say it supports it, but since it is recent, I had hoped
> docs were not updated since 2.4.26 or similar.
>
> Tested this, perhaps incorrectly or in a too convoluted way, I will
> appreciate your feedback:
>
> "
> SetEnvIf Remote_Port (.*) REMOTE_PORT=$1
> Header set RPHdrname "%{REMOTE_PORT:}e
> "
>
> RPHdrname comes out empty this way ^^^

Maybe try SetEnvIfExpr directive instead of SetEnvIf?

http://httpd.apache.org/docs/2.4/mod/mod_setenvif.html#setenvifexpr

The Bugzilla ticket that introduced the REMOTE_PORT support in 2.4.26:
https://bz.apache.org/bugzilla/show_bug.cgi?id=59938

Looking at the changes, only expr parser was patched.

Best regards,
Konstantin Kolinko




Re: [users@httpd] Can't get X-Forwarded-For to be passed through to app with apache reverse proxy

2019-09-23 Thread Konstantin Kolinko
Mon, 23 Sep 2019 at 20:45, John Pyeatt :
>
> I have tried everything and I can't get Apache (2.4.39) to pass the 
> X-Forwarded-For header to my tomcat (8.5) instance.
>
> I have apache listening on port 8081 and bound to the public IP address as a 
> reverse proxy to a backend tomcat instance which is also bound to 8081 but on 
> 127.0.0.1.
> My apache instance has the following modules loaded:
>
>  proxy_module (shared)
>  proxy_connect_module (shared)
>  proxy_ajp_module (shared)
>  proxy_http_module (shared)
>  proxy_wstunnel_module (shared)
>  remoteip_module (shared)
>
> Here is my virtualhost stanza
> 
> ProxyPreserveHost On
> ProxyPass /MYAPP/admin http://127.0.0.1:8081/MYAPP/admin
> RemoteIPHeader X-Forwarded-For
> RemoteIPInternalProxy 127.0.0.0/8
> 
> ProxyAddHeaders On
> ProxyPassReverse /MYAPP/admin
> # Only allow ?cmd=spkr
> RewriteEngine On
> RewriteCond %{QUERY_STRING} !cmd=spkr
> RewriteRule .* - [F]
> 
> 
>
> According to the doc 
> https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxyaddheaders 
> ProxyAddHeaders On should do the trick.
>
> I've done a packet capture to see if the X-Forwarded-For header is being 
> generated by Apache but dropped on the floor in Tomcat and I'm not seeing 
> X-Forwarded-For header coming from Apache.
>

What is your configuration in Apache Tomcat?

If you expect HttpServletRequest.getRemoteAddr() to get the value from
the X-Forwarded-For header, you must have a valve
(org.apache.catalina.valves.RemoteIpValve) configured in your web
application (in its META-INF/context.xml file) or in an upper level in
request processing chain (in Host element in server.xml file) in
Apache Tomcat configuration,

alternatively the work can be done with a filter
(org.apache.catalina.filters.RemoteIpFilter) in the WEB-INF/web.xml
file of your web application.

https://tomcat.apache.org/tomcat-8.5-doc/config/valve.html#Remote_IP_Valve
https://tomcat.apache.org/tomcat-8.5-doc/config/filter.html#Remote_IP_Filter

IIRC both RemoteIpValve and RemoteIpFilter hide the X-Forwarded-For
header once they have processed it, so you won't see it in your web
application, but you may see it in access log if you configure it to
write out that header (as access logging happens at an earlier/outer
state of request processing chain). See tables "before/after" in the
documentation for the valve and filter.

> The slightly weird thing is that my tomcat app is also listening on port 5678 
> using AJP and that works if I change to ProxyPass /MYAPP/admin 
> ajp://127.0.0.1:5678/MYAPP/admin. Calls to HttpRequest.getRemoteAddr() in my 
> tomcat app correctly return the IP address of my client. I find it very hard 
> to believe that proxy_ajp_module works fine and proxy_http_module somehow has 
> a bug in it. So I must be missing some magic apache configuration setting.

In case of AJP protocol, the remote IP address is transmitted as part
of the protocol packet and does not require configuration at Tomcat
side.

Best regards,
Konstantin Kolinko




Re: [users@httpd] git push to apache produces return code 22

2019-11-08 Thread Konstantin Kolinko
Fri, 8 Nov 2019 at 21:16, David Mehler :

> I'm trying to run git on FreeBSD with Apache 2.4 as the web server. My
> issue is I can pull/clone from the repo via remote:
>
> git clone https://git.example.com/myrepo.git

1. Looking at your 'ScriptAlias' directive, I think that for your
configuration the correct URL for your repository is actually

https://git.example.com/git/myrepo.git

You also have gitweb configured at

https://git.example.com/gitweb/myrepo.git

> DocumentRoot /usr/local/www/git/repos

2. With your DocumentRoot directive you directly expose your Git
repository files as a static website at the root URL of your site.
That is the reason why

git clone https://git.example.com/myrepo.git

works, but Git uses an old dumb version of protocol for that access,
directly reading files one-by-one from the repository. Such access is
read-only and does not use the "smart" protocol supported by
git-http-backend executable.

A correct configuration would be to point DocumentRoot to some empty
directory, explicitly configured to serve as a root of your web server
(e.g. with a simple index.html).

[...]

> 
> Options +ExecCGI
>   SSLRequireSSL
> AllowOverride None
>
> AuthType Basic
> AuthName "Private Git Access"
> AuthUserFile "/usr/local/etc/apache24/git-auth-file"
> AuthGroupFile "/usr/local/etc/apache24/git-htgroup-file"
> Require valid-user
>  =~ m#/git-receive-pack$#">
> Require group gitwrite
> 
> 

3. I think that "Require" cannot be used twice in the same section
like you are using it above. From the docs the first 'Require' wins,
the second one is ignored.

I think that the first 'Require' can be moved into an "<Else>" section,

http://httpd.apache.org/docs/2.4/mod/mod_authz_core.html#require
http://httpd.apache.org/docs/2.4/mod/core.html#else

4. Personally, I prefer to use  instead of .

In your case I think that will be




> ScriptAlias /git /usr/local/libexec/git-core/git-http-backend
> 
> SetEnv GIT_PROJECT_ROOT /usr/local/www/git/repos
> SetEnv GIT_HTTP_EXPORT_ALL
> # For anonymous write
>   #SetEnv REMOTE_USER anonymousweb
> Options +ExecCGI
>   SSLRequireSSL
>
> AuthType Basic
> AuthName "Private Git Access"
> AuthUserFile "/usr/local/etc/apache24/git-auth-file"
> AuthGroupFile "/usr/local/etc/apache24/git-htgroup-file"
> Require valid-user
>  =~ m#/git-receive-pack$#">
> Require group gitwrite
> 
> 

5. The "Require" directive is used twice here as well.


> I am not getting anything in the apache log files.

6. There is nothing in your access log file?

> CustomLog /var/log/git-httpd-access.log combined

Best regards,
Konstantin Kolinko




Re: [users@httpd] Apache 2.4 mod_ldap does not appear to support SNI for authentication against LDAPS servers

2020-06-12 Thread Konstantin Kolinko
Fri, 12 Jun 2020 at 17:14, James Stocks :
>
> We are attempting to use mod_ldap and mod_authnz_ldap to secure our apache2 
> web server.  We are using the Debian 10 Apache2 package, version 2.4.38.  Our 
> authentication provider is G-Suite, the LDAP endpoint is ldap.google.com.
>
> Apache connects to ldap.google.com, however it does not appear to 
> successfully negotiate a TLS connection.  As a workaround, we have set up 
> stunnel4 to handle the TLS session and configured Apache to use stunnel.  
> Apache is able to successfully authenticate using plain LDAP through the TLS 
> tunnel.  We have also successfully connected to the LDAP endpoint using 
> ldapsearch.
>
[...]
>
> Can anyone tell me whether SNI support is available in mod_ldap and if so how 
> do I activate it?
>

Just sharing a few pointers that I found:

1. Documentation for mod_ldap says that "SSL/TLS support is dependent
on which LDAP toolkit has been linked to APR. As of this writing,
APR-util supports: ..." and lists 5 different implementations.

http://httpd.apache.org/docs/2.4/mod/mod_ldap.html

2. Assuming that the implementation that you are dealing with is
OpenLDAP, a quick search finds the following item in their Bugzilla
(and on their mailing list):

https://www.openldap.org/lists/openldap-bugs/202002/msg00421.html
https://bugs.openldap.org/show_bug.cgi?id=9176
"(ITS#9176) libldap support for TLSv1.3 Encrypted SNI"

It was implemented a month ago, but apparently it is targeted for the
next major version (2.5.0) and is not part of the current 2.4.50
release of OpenLDAP.

https://git.openldap.org/openldap/openldap/-/commit/5c0efb9ce83db383631ce79e8f246d73c33b9ab3
https://git.openldap.org/openldap/openldap/-/commit/e96f90e21229f9d83129db0da017e0fe5a0a27c8

Thus I guess that the answer to your question is "not yet".

Best regards,
Konstantin Kolinko




Re: [users@httpd] X-Frame-Options and security

2021-09-10 Thread Konstantin Kolinko
Thu, 2 Sep 2021 at 18:18, Dave Wreski :
>
> 
> Header set X-XSS-Protection "1; mode=block"
> Header set X-Frame-Options "SAMEORIGIN"

https://httpd.apache.org/docs/2.4/en/mod/mod_headers.html#header

What headers are returned by error pages and by redirects (e.g. 302
redirect when requesting a directory without a trailing '/')?
What headers are returned by dynamic responses (proxied or CGI), if
you have any?

Maybe like this, adapting an example from the docs:

Header onsuccess unset X-Frame-Options
Header always set X-Frame-Options "SAMEORIGIN"

> Header set X-Content-Type-Options "nosniff"
> Header always set Strict-Transport-Security "max-age=63072000; 
> includeSubDomains"
> Header set Feature-Policy "geolocation 'self'; vibrate 'none'"
> Header set Content-Security-Policy "frame-ancestors 'self'"
> 
>

Best regards,
Konstantin Kolinko




Re: [users@httpd] Stupid question on mod_header

2021-10-06 Thread Konstantin Kolinko
Wed, 6 Oct 2021 at 13:10, Martin Knoblauch :
>
> Hi,
>
>  sorry for asking this likely stupid question. This is with Apache HTTPD 
> 2.4.48.
>
> I want to change the value of the X-Frame-Options response header from DENY 
> to SAMEORIGIN. The header is apparently set by Tomcat 9.0.53.
>
> Naively, because the mod_header documentation says "The response header is 
> set, replacing any previous header with this name. The value may be a format 
> string.", I added a single
>
> Header always set X-Frame-Options SAMEORIGIN
>
> to the VirtualHost section of the httpd configuration. To my surprise my 
> browser (FF and Chrome) has two headers now, one with DENY, one with 
> SAMEORIGIN. And falls back to DENY :-(
>
> When I add an unset before the set, it works
>
> Header unset X-Frame-Options
> Header always set X-Frame-Options SAMEORIGIN
>
> Is my understanding of the mod_header documentation wrong, or do I miss 
> something subtle?

See my recent answer in "X-Frame-Options and security" thread.
https://httpd.markmail.org/message/pwsrgbj7pjy4qiei

All is in the docs, if you read carefully, but I agree that it is subtle.
https://httpd.apache.org/docs/2.4/en/mod/mod_headers.html#header

Essentially, (as far as I am reading it), "onsuccess" and "always" are
just names of two separate tables (lists) of headers that exist in
parallel.


It does not offer any "normalized" single list of headers.


Best regards,
Konstantin Kolinko
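
The two-table behaviour described in this reply and in the earlier "X-Frame-Options and security" reply, as a simplified Python model. This is an added example, not code from the thread or from httpd: all function names are hypothetical, and it assumes (as the observations in the thread indicate) that headers from the proxied backend sit in the "onsuccess" table and that a locally generated error page or redirect sends only the "always" table.

```python
# Simplified model of mod_headers' two header tables (added illustration,
# not httpd source code). All names here are hypothetical.

def build_response_headers(directives, backend_headers=(), local_error=False):
    """Apply Header directives and return the headers that reach the client.

    directives      -- tuples (condition, action, name, value); condition is
                       "onsuccess" (the default in httpd) or "always",
                       action is "set" or "unset".
    backend_headers -- headers produced by the proxied application; assumed
                       to sit in the "onsuccess" table.
    local_error     -- True for an error page or redirect generated by httpd
                       itself, where only the "always" table is sent.
    """
    tables = {"onsuccess": list(backend_headers), "always": []}
    for condition, action, name, value in directives:
        table = tables[condition]
        # "set" and "unset" only touch the table they were addressed to.
        table[:] = [(n, v) for (n, v) in table if n.lower() != name.lower()]
        if action == "set":
            table.append((name, value))
    if local_error:
        return list(tables["always"])
    # No normalisation: both tables are written out one after the other.
    return tables["onsuccess"] + tables["always"]


def header_values(headers, name):
    """All values sent for one header name, in order."""
    return [v for (n, v) in headers if n.lower() == name.lower()]


XFO = "X-Frame-Options"
TOMCAT = [(XFO, "DENY")]          # constructed backend response header

# 1. "Header always set" alone: the backend's DENY survives next to it.
only_always = build_response_headers(
    [("always", "set", XFO, "SAMEORIGIN")], TOMCAT)

# 2. Unset in the default table, then set in "always": one header is sent.
unset_then_always = build_response_headers(
    [("onsuccess", "unset", XFO, None),
     ("always", "set", XFO, "SAMEORIGIN")], TOMCAT)

# 3. Plain "Header set" (onsuccess): absent from httpd's own error pages.
plain_set_on_error = build_response_headers(
    [("onsuccess", "set", XFO, "SAMEORIGIN")], local_error=True)

if __name__ == "__main__":
    for label, hdrs in [("always only", only_always),
                        ("unset + always", unset_then_always),
                        ("plain set, local error", plain_set_on_error)]:
        print(f"{label:24} {header_values(hdrs, XFO)}")
```
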




Re: [users@httpd] Linking a third party library with httpd during installation

2021-10-20 Thread Konstantin Kolinko
Wed, 20 Oct 2021 at 21:59, Shariful Alam :
>
> Hello,
>
> I'm trying to install httpd-2.4.46 from the source. Usually, I use the 
> following command to configure and it works fine,
>
> ~/Downloads/httpd-2.4.46$ CFLAGS='-DSSL_EXPERIMENTAL_ENGINE 
> -DSSL_ENGINE -DOPENSSL_LOAD_CONF' LDFLAGS=-Wl,-rpath=/opt/openssl/lib 
> ./configure --prefix=/etc/apache2 --enable-ssl --with-ssl=/opt/openssl/ 
> --with-pcre=/usr/local/pcre --enable-so
>
>
> Currently, I'm trying to link a third-party library while installing the 
> httpd. using the following command,
>
>  ~/Downloads/httpd-2.4.46$ CFLAGS='-DSSL_EXPERIMENTAL_ENGINE 
> -DSSL_ENGINE -DOPENSSL_LOAD_CONF' LDFLAGS= -L./libxxx -Wl, -Bstatic -lxxx 
> -Wl, -rpath=/opt/openssl/lib ./configure --prefix=/etc/apache2 --enable-ssl 
> --with-ssl=/opt/openssl/ --with-pcre=/usr/local/pcre --enable-so
>
>
> and it shows the following error,
>
>-bash: -L./libxxx: No such file or directory
>
> However, the "libxxx " directory presents in the same directory from where 
> I'm running the above command.
>

Note that in your command line there is a whitespace just after
"LDFLAGS=" and before its supposed value.

A shell command may be preceded by a series of variable assignments.
When the shell encounters the whitespace just after "LDFLAGS=" it
interprets that it ends those assignments, and tries to execute
"-L./libxxx" as the command.

https://pubs.opengroup.org/onlinepubs/9699919799/utilities/V3_chap02.html#tag_18_09_01

Best regards,
Konstantin Kolinko




Re: [users@httpd] Online page not affected by css

2022-06-16 Thread Konstantin Kolinko
Thu, 16 Jun 2022 at 16:05, Tom Browder :
>
> I have a website whose home page appearance online is as expected. The site 
> has a subpage using css (in a separate file linked into the head element) to 
> form a modern, simple grid layout for testing. Both pages look as expected 
> when I view them on my local host using Firefox. However, when I view the 
> online site the subpage does not appear to be reading the css file.
>
> I have checked the directory and file permissions and they are correct as far 
> as I have used in the past (all owned by apache:apache). The directory 
> structure is such that the Document Root is at 
> /home/web-server/gbumc.church/public/ and the home index.html is rooted 
> there. Under that directory are css/ and pages/. The pages/congregants.html 
> file internally points to ../css/css.photo.
>
> The online site is at https://gbumc.church.
>
> Any suggestions are greatly appreciated.

Rename your stylesheet file to "photo.css"
so that (thanks to conf/mime.types configuration file) it will be
served with the correct Content-Type of "text/css".
As of now the server does not recognise what type of file it is.

Calling "wget --save-headers" with the URL I see that server sends

HTTP/1.1 200 OK
Date: Thu, 16 Jun 2022 15:23:53 GMT
Server: Apache/2.4.53 (Unix) OpenSSL/1.1.1n
Strict-Transport-Security: max-age=604800; includeSubDomains
X-Frame-Options: SAMEORIGIN
Upgrade: h2
Connection: Upgrade, Keep-Alive
Last-Modified: Thu, 16 Jun 2022 01:43:40 GMT
ETag: "14f-5e186c468f30d"
Accept-Ranges: bytes
Content-Length: 335
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
Keep-Alive: timeout=20, max=200

Note that
a) No "Content-Type" header is present in the response,
b) A "X-Content-Type-Options: nosniff" header is present.

As such, the content type cannot be auto-detected by the browser.

BTW, HTTPD 2.4.54 was released a week ago.

Best regards,
Konstantin Kolinko
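
The check described in this reply (no Content-Type plus "X-Content-Type-Options: nosniff"), as a small Python audit function run over the response head quoted above. This is an added example, not part of the original post: the function names are hypothetical, and the rule it encodes is the browser behaviour that, with nosniff set, a stylesheet is refused unless its MIME type is text/css and a script is refused unless it has a JavaScript MIME type.

```python
# Added illustration: would "X-Content-Type-Options: nosniff" make a browser
# refuse this response when it is loaded as a stylesheet or a script?

# JavaScript MIME type essences listed in the WHATWG MIME Sniffing standard.
JS_MIME_TYPES = {
    "application/ecmascript", "application/javascript",
    "application/x-ecmascript", "application/x-javascript",
    "text/ecmascript", "text/javascript", "text/javascript1.0",
    "text/javascript1.1", "text/javascript1.2", "text/javascript1.3",
    "text/javascript1.4", "text/javascript1.5", "text/jscript",
    "text/livescript", "text/x-ecmascript", "text/x-javascript",
}

# Response head as quoted in the reply above.
CAPTURED = """\
HTTP/1.1 200 OK
Date: Thu, 16 Jun 2022 15:23:53 GMT
Server: Apache/2.4.53 (Unix) OpenSSL/1.1.1n
Strict-Transport-Security: max-age=604800; includeSubDomains
X-Frame-Options: SAMEORIGIN
Upgrade: h2
Connection: Upgrade, Keep-Alive
Last-Modified: Thu, 16 Jun 2022 01:43:40 GMT
ETag: "14f-5e186c468f30d"
Accept-Ranges: bytes
Content-Length: 335
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
Keep-Alive: timeout=20, max=200
"""

# Constructed variant: the same response once the file is served as text/css.
FIXED = CAPTURED.rstrip() + "\nContent-Type: text/css; charset=utf-8\n"


def parse_head(raw):
    """Return (status_line, {lowercased header name: [values]})."""
    lines = [ln for ln in raw.strip().splitlines() if ln.strip()]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def mime_essence(headers):
    """type/subtype from Content-Type (last one wins), or None if absent."""
    values = headers.get("content-type")
    if not values:
        return None
    essence = values[-1].split(";", 1)[0].strip().lower()
    return essence or None


def blocked_by_nosniff(raw, destination):
    """True if nosniff makes the browser refuse `raw` for this destination.

    destination is "style" or "script"; other destinations are not blocked
    by nosniff. Without nosniff this returns False (other checks may apply).
    """
    _, headers = parse_head(raw)
    options = ",".join(headers.get("x-content-type-options", []))
    if options.split(",")[0].strip().lower() != "nosniff":
        return False
    essence = mime_essence(headers)
    if destination == "style":
        return essence != "text/css"
    if destination == "script":
        return essence not in JS_MIME_TYPES
    return False


if __name__ == "__main__":
    print("captured, as stylesheet:", blocked_by_nosniff(CAPTURED, "style"))
    print("fixed, as stylesheet:   ", blocked_by_nosniff(FIXED, "style"))
```
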




Re: [users@httpd] RewriteRule and priorities

2023-07-17 Thread Konstantin Kolinko
Mon, 17 Jul 2023 at 05:24, Dave Wreski :
>
> Hi,
>
> I have a rewriterule like:
>
> RewriteRule ^/blog/(.*) /resources/blog/$1 [L,R=301]
>
> but I also have several instances where there are exceptions. In other words, 
> I have an article at /blog/ that I want to be redirected to some place other 
> than /resources/blog. How can I do this?
>
> Order of processing doesn't seem to matter.

https://httpd.apache.org/docs/2.4/en/mod/mod_rewrite.html#rewriterule
says:
"The order in which these rules are defined is important - this is the
order in which they will be applied at run-time."

Maybe you are missing processing flags, such as "L" or "END".

Flags are documented in more detail here:
https://httpd.apache.org/docs/2.4/en/rewrite/flags.html


Note that you can turn on logging, see
https://httpd.apache.org/docs/2.4/en/mod/mod_rewrite.html#logging

Best regards,
Konstantin Kolinko




Re: [users@httpd] Stripping trailing slashes (again)

2024-07-11 Thread Konstantin Kolinko
Thu, 13 Jun 2024 at 17:41, Dave Wreski :
>
> Hi,
>
> Some time ago I requested help with a rewrite rule to strip trailing 
> slash(es) from all URLs in our joomla website, but I'm still having problems. 
> This is the rule I am currently working with:
>
> RewriteRule ^(.*)/+$ https://linuxsecurity.com$1 [R=301,L]
>
> It works fine for any URL other than the homepage. Somehow for the homepage 
> it creates an infinite loop, despite using "L", so perhaps I don't understand 
> what it's doing. The (.*) is supposed to match any character, but there 
> wouldn't be any preceding elements for the homepage.
>
> The problem as I see it is that, for the homepage, (.*) would be null, so $1 
> would also be null? This then creates the same URL as the one we're trying to 
> fix.

(.*) means "any character, 0 or more times".
"0 times" here means that it matches an empty string. (Technically, it
is an empty string, not null).

URL for the home page is "/".

(The first line of an HTTP 1.x request will be "GET / HTTP/1.1".
By definition of the protocol, there has to be some text between the
verb (GET) and the version.)

A possible solution that I see is to make the first '/' explicit,
adding it both to the regexp and to the replacement string:

  RewriteRule ^/(.*)/+$ https://linuxsecurity.com/$1 [R=301,L]

Alternatively, use '+' instead of '*' (meaning 1 or more times):

  RewriteRule ^(.+)/+$ https://linuxsecurity.com$1 [R=301,L]

Best regards,
Konstantin Kolinko
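
The homepage loop and the two proposed rules, traced in Python as an added example that is not part of the original post. It assumes the rule runs in server (virtual host) context, where the matched URL-path starts with "/", and that Python's `re` behaves like httpd's PCRE for these simple patterns; the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# The rule from the question and the two variants proposed in the reply:
# (pattern, substitution) as written in the RewriteRule lines above.
RULES = {
    "original":       (r"^(.*)/+$",  "https://linuxsecurity.com$1"),
    "explicit_slash": (r"^/(.*)/+$", "https://linuxsecurity.com/$1"),
    "one_or_more":    (r"^(.+)/+$",  "https://linuxsecurity.com$1"),
}

MAX_HOPS = 10  # give up after this many redirects, like a browser would


def redirect_target(rule, path):
    """Location produced by the rule for `path`, or None if it does not match."""
    pattern, substitution = RULES[rule]
    match = re.search(pattern, path)
    if match is None:
        return None
    return substitution.replace("$1", match.group(1))


def follow(rule, path):
    """Follow the 301s as a client would.

    Returns (list of paths requested, looped) where looped is True when a
    path is requested a second time or MAX_HOPS is exceeded.
    """
    requested = [path]
    for _ in range(MAX_HOPS):
        target = redirect_target(rule, requested[-1])
        if target is None:
            return requested, False
        # A URL without a path is still requested as "GET / HTTP/1.1".
        next_path = urlsplit(target).path or "/"
        if next_path in requested:
            return requested + [next_path], True
        requested.append(next_path)
    return requested, True


if __name__ == "__main__":
    for rule in RULES:
        for path in ("/", "/news/", "/news//"):
            hops, looped = follow(rule, path)
            state = "LOOP" if looped else "ok"
            print(f"{rule:15} {path:8} {' -> '.join(hops):28} {state}")
```
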




Re: [users@httpd] Allow or Deny from large numbers of hosts

2025-04-15 Thread Konstantin Kolinko
Fri, 21 Mar 2025 at 16:02, Christopher Schultz :
>
> All,
>
> Is there a way to load a bunch of allow or deny hosts from a file or
> other data-store? I have several dozen CIDR expressions and they will
> need to change periodically, so it would be more convenient if I could
> load them from at least a file on the disk and clean-up my config a bit.
>
> I suppose I could
>
>  Include my-allows.conf
>  Include my-denies.conf
>
> And then use awk/sed/whatever to convert the lists of hosts into "Allow
> from [host]" and "Deny from [host]" but less tooling would be more
> convenient, of course.

Hi, Chris!

1. "Allow from ... " and "Deny from ... " (provided by
mod_access_compat) are deprecated
and replaced by "Require ip" (from mod_authz_host).

https://httpd.apache.org/docs/2.4/mod/mod_access_compat.html
https://httpd.apache.org/docs/2.4/upgrading.html#run-time

2. If you go on with "Require", it is possible to use expressions there:

https://httpd.apache.org/docs/2.4/mod/mod_authz_host.html
"Since v2.4.8, expressions are supported within the host require directives."

Expressions allow use of functions, such as "file".
https://httpd.apache.org/docs/2.4/expr.html

I have a configuration where I use this approach with the "Require
user" directive. It works, but I have not tested how well this scales
up. This looks like the following:

"%{file:${SRVROOT}/path/to/file.ext}"
where SRVROOT is set with a "Define" directive.

The file function is implemented here:
https://github.com/apache/httpd/blob/2.4.x/server/util_expr_eval.c#L1105

My understanding is that the file should be a single line, no longer
than MAX_FILE_SIZE that is defined there as 10 Mb.

Best regards,
Konstantin Kolinko
