Re: [EMAIL PROTECTED] file size limitation?

2006-01-12 Thread marc
No,  this will not work.  I have asked for a cite to specific apache 
documentation as to such limitations but never did receive a response,  though 
it is an acknowledged limit. We were hoping to netboot some larger images via 
http and got caught in an image size that grew beyond the limit. I am 
hoping that as 64 bit OS become the standard that this limitation will 
eventually disappear  

 Original message 
>Date: Thu, 12 Jan 2006 10:41:11 -0500 (EST)
>From: "Chris Purcell" <[EMAIL PROTECTED]>  
>Subject: [EMAIL PROTECTED] file size limitation?  
>To: users@httpd.apache.org
>
>Is there a maximum file size limitation in Apache where you cannot
>download files over 4GB? I have both an Apache 1.3.29 server and an
>Apache 2.2.0 server with the same files on them.  One file is 4.2GB and
>the other is 5GB.   When  you view the files in  your browser on the
>1.3.29 server, the files are shown as 165MB and 787MB, respectively.   On
>the Apache 2.2.0 server, the file sizes are shown correctly, but when you
>try to download them, they fail once you reach the 4GB mark of the
>download.
>
>I'm running these on a SLES9 server with the reiserfs filesystem, if that
>matters any.
>
>Thanks,
>Chris
>
>-
>The official User-To-User support forum of the Apache HTTP Server Project.
>See <URL:http://httpd.apache.org/userslist.html> for more info.
>To unsubscribe, e-mail: [EMAIL PROTECTED]
>   "   from the digest: [EMAIL PROTECTED]
>For additional commands, e-mail: [EMAIL PROTECTED]
>




[EMAIL PROTECTED] FIle size limitations

2005-07-19 Thread marc
I can't seem to find any documentation on any actual file
limitations imposed, if any, by apache 1.x or 2.x as far as
indexing or downloading from the server. 

I have been told that there is a 2 gig limit,  but I put a 4
gig netboot image on an apache 1.x server and it seems to show
up just fine.  I have put the same file in an apache 2.x
server and not only doesn't it show up,  but I get error
messages trying to access it via its full URL. There is some
discussion I have seen that suggests that apache does not work
between 2 and 4 gig because of the size of the pertinent
integer,  but have not been able to find anything specific.

The target application is that we want to be able to serve up
a 5 gig workstation image and it would be handy if we could
serve it up via http

Any help would be appreciated.  Thanks in advance...

Marc Grober




[EMAIL PROTECTED] Apache ACL

2008-01-14 Thread Marc
Hello people, 

following issue:

Here is the directory layout
|-- dir1
|   |-- dir2
|   |   `-- dir3

In dir1 is a .htaccess:


Order Deny,Allow
Deny from all


Directory dir3 contains an .htaccess with "Options +Indexes" and .gif-files only.

If I remove the .htaccess in dir1 the directory listing is displayed.

If I keep it, the .htaccess in dir3 seems to be ignored as Error 403 (Forbidden)
is returned.

If I write "" instead of php in the .htaccess in dir1 it
all works, and the gif files in dir3 are not displayed (as it should be, an
empty directory listing is returned). So what is it with the PHP files? It seems
to behave like I am unable to access any subdirectory of a directory containing
a .php file with the FilesMatch directive above. Why??

Thanks for any input you might have on this.

Regards,
Marc





[EMAIL PROTECTED] Re: Apache ACL

2008-01-15 Thread Marc
Boyle Owen  swx.com> writes:

> 
> The problem you describe has no obvious solution, so there must be
> additional config directives interfering with your setup. See notes
> below:  
> 
> > -Original Message-
> > From: news [mailto:news  ger.gmane.org] On Behalf Of Marc
> > Sent: Monday, January 14, 2008 4:46 PM
> > To: users  httpd.apache.org
> > Subject: [users  httpd] Apache ACL
> > 
> > Hello people, 
> > 
> > following issue:
> > 
> > Here is the directory layout
> > |-- dir1
> > |   |-- dir2
> > |   |   `-- dir3
> > 
> > In dir1 is a .htaccess:
> > 
> > 
> > Order Deny,Allow
> > Deny from all
> > 
> > 
> > Directory dir3 contains an .htaccess with "Options +Indexes" 
> > and .gif-files only.
> > 
> > If I remove the .htaccess in dir1 the directory listing is displayed.
> 
> In which dir - dir3?

Yes.

> 
> > 
> > If I keep it, the .htaccess in dir3 seems to be ignored as 
> > Error 403 (Forbidden)
> > is returned.
> 
> From what URL?

Well, from http://server_name_of_virtual_host/dir1/dir2/dir3/

> What is in the error log for this request?

I guess now I see the problem:

[error] [client 88.xx.xx.xx.xx] client denied by server configuration:
/path/to/dir3/index.php

However, there is no index.php in that directory. Alone it being mentioned in
the DirectoryIndex seems to be enough for the access to be denied :-\ Strange
behavior.

regards,
Marc





[EMAIL PROTECTED] compiling 2.2.8 with dbd and mysql 5.0.51a

2008-03-23 Thread Marc

Hi,

I have some problems compiling apache 2.2.8 with included apr and mysql. I
hope someone can help me sort this out.

I have successfully compiled with postgres but when I add the mysql option,
then configure breaks down with:

checking for gcc... gcc
checking for C compiler default output file name... a.out
checking whether the C compiler works... configure: error: cannot run C
compiled programs.
If you meant to cross compile, use `--host'.
See `config.log' for more details.


These are the configure options I am using:

--enable-rewrite --enable-ssl --with-ssl=/usr/local/ssl
--with-pgsql=/usr/local/pgsql --with-mysql=/usr/local/mysql --with-sqlite2
--enable-dbd=shared --enable-authn-dbd --with-included-apr


And this is what is listed about mysql:

configure: checking for mysql in /usr/local/mysql
checking mysql.h usability... yes
checking mysql.h presence... yes
checking for mysql.h... yes
checking for mysql_init in -lmysqlclient_r... yes
  adding "-I/usr/local/mysql/include/mysql" to APRUTIL_INCLUDES
  adding "-L/usr/local/mysql/lib/mysql" to APRUTIL_LDFLAGS
  adding "-lmysqlclient_r" to APRUTIL_LDFLAGS
  adding "-lmysqlclient_r" to APRUTIL_EXPORT_LIBS
  adding "-lmysqlclient_r" to APRUTIL_LIBS
  adding "-L/usr/local/mysql/lib/mysql" to LDFLAGS
  adding "-lmysqlclient_r" to LDFLAGS

Thanks, in advance,
Marc



- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -. 
Roos IT BV
the Netherlands 

t:  +31 (0)20 - 345 88 04
f:  +31 (0)20 - 345 88 06
e:  [EMAIL PROTECTED]
 





[users@httpd] duplicate logging into one global access/error log

2021-10-06 Thread Marc
Currently I have virtualhost configuration files that configure logging like 
this[1] (in a local dir). How can I add something to eg 
/etc/httpd/conf/httpd.conf that logs everything of all configured virtual hosts 
ALSO into some global log file? 



[1]

..
..
CustomLog "|/usr/sbin/rotatelogs -L /home//logs/www.example.com-access.log 
-p /usr/local/sbin/rlogs-umask.sh -l 
/home//logs/%Y/www.example.com-%Y%m%d-access.log 86400" combined
ErrorLog "|/usr/sbin/rotatelogs -L /home//logs/www.example.com-error.log -p 
/usr/local/sbin/rlogs-umask.sh -l 
/home//logs/%Y/www.example.com-%Y%m%d-error.log 86400"
..
..
..





RE: [users@httpd] Local css/js files take 5 seconds to load

2021-10-12 Thread Marc
> Httpd with default settings. Opening a local html document with cleared
> cache in any browser takes very long to load. The Chrome network tab
> shows that the "Content Download" from included local css/js files take
> 5 seconds to load. No matter how many or which files. Issue appeared
> after updating to v2.4.48.

I would guess that is either your network connection or your filesystem, but 
even static files would be loaded into ram cache. What if you do a curl -v from 
localhost?




-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org


RE: [users@httpd] How to display the True-Client-IP header in the access log

2021-10-19 Thread Marc
With haproxy you have an option to enable a proxy protocol, this transmits the 
client ip. I guess something similar must exist in your case.

> 
> When Apache is accessed via a CDN (Akamai), I would like to record the
> IP of the accessing client in the Apache logs.
> In order to display the True-Client-IP header sent by Akamai in the
> access log like X-Forward-For, do I have to change the Logformat setting
> in httpd.conf as follows?
> 
> Logformat
> "%{True-Client-IP}i %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
> 
> If anyone has had any success with True-Client-IP showing up in the
> logs, please let me know.
> 
> Regards,
> 
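
An added example, not part of the original thread: one way to record the CDN-supplied address while honouring the header only from known proxies. It assumes mod_remoteip is loaded; 192.0.2.0/24 is a placeholder for the CDN's address range, and the format name `cdn_combined` and the log path are made up for the illustration.

```apache
# Added example. Assumptions: mod_remoteip is loaded, 192.0.2.0/24 stands in
# for the CDN's published edge range, and the log path is illustrative.

# Use True-Client-IP as the client address, but only when the TCP peer is a
# listed proxy. Requests from any other peer keep their real peer address,
# so a header forged by a direct client does not reach the log as %a.
RemoteIPHeader True-Client-IP
RemoteIPTrustedProxy 192.0.2.0/24

# %a     client address after mod_remoteip has processed the header
# %{c}a  address of the TCP peer (the CDN edge node)
# The raw header is logged last, quoted, so that a header which was sent
# but not honoured is still visible in the log line.
LogFormat "%a %{c}a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{True-Client-IP}i\"" cdn_combined
CustomLog "logs/access_log" cdn_combined
```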




RE: [users@httpd] Re: Choosing Windows platfrorm

2021-10-23 Thread Marc
> 
> With over 1.4 billion devices now running Windows 10/11, customer
> satisfaction is higher than any previous version of windows.
> 
> 

WTF WTF I @#$@#$@#$ hate windows 10. Customer satisfaction with Microsoft is 0
https://www.reddit.com/r/aargh_Microsoft/







RE: [users@httpd] Is it possible to install/configure SSL certificates on a server behind a reverse proxy?

2022-01-12 Thread Marc
You can just do that. I have also certs behind a reverse proxy. My whole 
'virtual/internal' applications in containers is running with my own CA 
certificates and on the reverse proxy I have some certs from known CA's
Specific for this setup is a proxy protocol, that informs the public ip 
addresses instead of local ones.

Best is it to ask on something like the haproxy community.

> My question:
> 
> Would it have been possible to install the SSL certificates in the virtual
> machines?
> 
> 
> As far as I know, no, because then the reverse proxy can be seen as a 'man
> in the middle attack'.
> 
> This is why I configured the SSL certificates on the host, and as far as I
> know this is also how it should be (after reading some articles about it
> on the internet).
> 
> 
> I did however also find the Apache directive SSLProxyEngine
>  . Is
> it possible with this directive to install/configure the SSL certificates
> inside the virtual machines?
> 
> 
> I'm curious :-)!
> 


RE: [users@httpd] How to get someone to look at a Apache bug report on Red Hat's Bugzilla?

2022-02-24 Thread Marc
> 
> Since you don't have paid support from RedHat, there is absolutely no
> reason to not install your own version of httpd.
> 

I agree. The days of relying on a lts distribution are coming to an end. I have 
the impression that RedHat is not the place to be anymore. Moving packages from 
the lts to scl, now dropping centos etc. They seem not to be able to catch up 
with patching everything. I think the trend will be getting your crucial rpm's 
directly from the source.


RE: [users@httpd] Re: Getting XAMPP Apache on Windows 10 to work through local network!

2022-04-07 Thread Marc
Some client told me to never do business with companies/people that call 
themselves hero, master etc. Makes me wonder about people calling themselves 
good guy.



> -Original Message-
> From: 😉 Good Guy 😉 
> Sent: Thursday, 7 April 2022 04:57
> To: users@httpd.apache.org
> Subject: [users@httpd] Re: Getting XAMPP Apache on Windows 10 to work
> through local network!
> 
> I am assuming you have installed WordPress in a folder. If this is so
> and assuming your Apache is working as you say then it is simply to type
> something like this in the browser:
> 
> 
> In the above command WordPress is the folder in which the index.php file
> resides.
> 
> Have you "installed" wordpress or are you just beginning to install it
> and got stuck with it?
> 
> 
> On 07/04/2022 03:04, A Z wrote:
> > I don't want to introduce the complications of bind or dns,
> > or any other similar facility in Windows.
> >
> >
> 
> --
> 
> With over 1.9 billion devices now running Windows 10/11, customer
> satisfaction is higher than any previous version of windows.
> 
> 
> 



RE: [users@httpd] Log to syslog?

2022-04-12 Thread Marc
> > i went through this issue the hard way
> 
> Urgh - thanks for the comprehensive reply.
> 
> > there does not seem to be anything at all as apache seems to be all file
> > related
> 
> I wonder why mod_syslog has not been made more generic?
> 
> > redirecting to logger just does not work.
> >
> > i wrote a python script that uses sockets (assuming linux, freebsd etc)
> 
> Yes, I'm on Linux - thanks for the script, and for the comments re logger etc.
> 
> *If anyone else has a suggestion for how Apache can log to syslog, I'm still
> interested in other possible ways to achieve it!*
> 

I have been asking something similar a while ago, logging to something like 
influx. I know how to redirect syslog to influx. So if I can redirect eg ip's 
and 2XX/4XX to syslog, that would be very interesting. 




[users@httpd]

2023-05-13 Thread Marc
How do I get that the file (docroot)/images/favicon.ico is not loaded from the 
disk but instead from the /tmp/os-favicon.ico?


"/tmp/os-favicon.ico"
  

https://httpd.apache.org/docs/2.4/mod/core.html#files
Is this the best manual?? "# Insert stuff that applies to cat.html here" is not 
very helpful. How should one ever be able to learn/read this from the 
documentation???





RE: [users@httpd]

2023-05-15 Thread Marc


> >
> > How do I get that the file (docroot)/images/favicon.ico is not loaded
> from the disk but instead from the /tmp/os-favicon.ico?
> 
> Use the Alias directive.
> https://httpd.apache.org/docs/2.4/urlmapping.html
> 

Hmmm, so I am ending up with something like this. Is that really the best way 
to do this?

 61 Alias "/images/favicon.ico" "/tmp/os-favicon.ico"
 62 
 63 Require all granted
 64 



RE: [users@httpd]

2023-05-15 Thread Marc
/tmp is just an example. Files are located elsewhere, actually at a location 
where the rest should not be available/accessible. I only want to 'redirect' 
this file.

> 
> You want to use  instead. I also strongly recommend
> storing your images in another path.
> 
> On Mon, May 15, 2023 at 3:48 AM Marc  <mailto:m...@f1-outsourcing.eu> > wrote:
> 
> 
> 
> 
>   > >
>   > > How do I get that the file (docroot)/images/favicon.ico is not
> loaded
>   > from the disk but instead from the /tmp/os-favicon.ico?
>   >
>   > Use the Alias directive.
>   > https://httpd.apache.org/docs/2.4/urlmapping.html
>   >
> 
>   Hmmm, so I am ending up with something like this. Is that really
> the best way to do this?
> 
>61 Alias "/images/favicon.ico" "/tmp/os-
> favicon.ico"
>62 
>63 Require all granted
>64 
> 
> 



[users@httpd] RE: config - how are multiple VirtualHost directives for the same address handled?

2023-06-30 Thread Marc
> 
> How does apache httpd 2.4 handle multiple VirtualHost directives for the
> same address ?
> 
> For example:
> 
> 
>   SSLCertificateFile "${SRVROOT}/conf/server.crt"
># ...
> 
> 
> 
>   DocumentRoot "/www/docs/host.example.com"
>   # ...
> 
> 
> Are the settings merged, as if written like this:
> 
> 
>   SSLCertificateFile "${SRVROOT}/conf/server.crt"
># ...
>   DocumentRoot "/www/docs/host.example.com"
>   # ...
> 

But you are using ServerName and ServerAlias to load the correct one not?


> 
> Or is one directive block used and the other ignored (which one)?
> 
> The reason I ask is that I have general SSL related settings in one file
> ( ssl.conf ) and the content related settings in another ( content.conf
> ) and both config files are included in the main config file.
> 

You can have general ssl stuff in different (global) config. There is already 
such file and just add these to the Virtualhost

SSLEngine on
SSLCertificateFile
SSLCertificateKeyFile
SSLCertificateChainFile




[users@httpd] RE: config - how are multiple VirtualHost directives for the same address handled?

2023-06-30 Thread Marc
> >
> > How does apache httpd 2.4 handle multiple VirtualHost directives for
> > the same address ?
> >
> > For example:
> >
> > 
> >   SSLCertificateFile "${SRVROOT}/conf/server.crt"
> ># ...
> > 
> >
> > 
> >   DocumentRoot "/www/docs/host.example.com"
> >   # ...
> > 
> >
> > Are the settings merged, as if written like this:
> >
> > 
> >   SSLCertificateFile "${SRVROOT}/conf/server.crt"
> ># ...
> >   DocumentRoot "/www/docs/host.example.com"
> >   # ...
> > 
> 
> But you are using ServerName and ServerAlias to load the correct one
> not?
> 
> There is no correct one. Both are correct. I want both.

I don't understand the problem you are trying to solve. 

FWIIW from my past experience having identical virtual host configurations, 
apache services the one it first/last loads and ignores the rest. You just have 
to test this, but I would not want to use such a thing in production.






[users@httpd] RE: *****SPAM***** [users@httpd] How can I force a server name header?

2023-08-02 Thread Marc
> 
> I'm trying to test a new server located at internal IP 192.168.1.5.  The
> production server lives at IP 192.168.1.7 on the same network.
> 
> How can I force the browser to connect to the correct server?  If I try
> "http://192.168.1.5" the redirect on the first (alphabetically) virtual
> server redirects to the production server.
> 
> What I need to be able to do is combine the virtual server id with the
> network address so I connect to the same name but on the machine I'm
> testing.  I think this is the "ServerName" header but I don't know where
> I can enter this on Firefox.
> 
> Anybody have any experience with this problem?

Put in the /etc/hosts or c:\windows\system32\drivers\etc\hosts




[users@httpd] loading shop.example.com in www.test.com/shop/

2023-08-03 Thread Marc
I was wondering if it is even possible to publish an existing shop hosted on 
the subdomain shop.example.com and show it as a 'folder' in www.test.com/shop. 
Will I have problems with browsers (cookies?). I don't want to resolve this on 
the file system because both have different uid/gids on files.


RE: [users@httpd] loading shop.example.com in www.test.com/shop/

2023-08-04 Thread Marc
> 
> 
>   I was wondering if it is even possible to publish an existing shop
> hosted on the subdomain shop.example.com   and
> show it as a 'folder' in www.test.com/shop  .
> Will I have problems with browsers (cookies?). I don't want to resolve
> this on the file system because both have different uid/gids on files.
> 
> 
> 
> 
> You can just Alias /shop/ /path/to/documentrootof/shop.example.com/
> 

Yes I did not expect this to work because of file system permissions and 
different php version.

>  From the http server side, there are a few ways to do it, Alias,
> internal redirects, reverse proxy.
> 

Currently I am having 

 24 SSLProxyEngine On
 25 SSLProxyVerify none
 26 SSLProxyCheckPeerCN off
 27 SSLProxyCheckPeerName off
 28 SSLProxyCheckPeerExpire off
 29 
 30 ProxyPass        "https://shop.example.com/"
 31 ProxyPassReverse "https://shop.example.com/"
 32
 33 Options +Indexes +ExecCGI +FollowSymLinks -MultiViews
 34 Order Allow,Deny
 35 Allow from all
 36 
 37

Home page loads fine, however I have static urls in html pages to 
https://shop.example.com/. Is it possible to have those rewritten to / relative 
urls?
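
An added example, not part of the original post: the proxy block above with back-end certificate verification kept on rather than switched off. The `/shop/` location and the CA bundle path are assumptions, since the post does not show them.

```apache
# Added example: verify the back-end certificate instead of disabling checks.
SSLProxyEngine On

# SSLProxyVerify defaults to "none"; "require" makes httpd refuse a back end
# whose certificate does not chain to the CA file given below.
SSLProxyVerify require
SSLProxyVerifyDepth 3

# These two are on by default in 2.4; they are spelled out here because the
# configuration in the post turns them off.
SSLProxyCheckPeerName on
SSLProxyCheckPeerExpire on

# Assumed path: bundle containing the CA that issued shop.example.com's
# certificate (a private CA file if the back end uses an internal CA).
SSLProxyCACertificateFile "/etc/pki/tls/certs/ca-bundle.crt"

# Assumed location: the post's own container line is not visible.
<Location "/shop/">
    ProxyPass        "https://shop.example.com/"
    ProxyPassReverse "https://shop.example.com/"
</Location>
```

With verification on, a handshake failure appears in the error log of the proxying virtual host, which separates certificate problems from application errors on the back end.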




[users@httpd] allow general access after 1 auth

2023-08-12 Thread Marc

I was wondering if it is possible to allow general access to an url after some 
account authenticated for this url. Without the necessity to adapt the web 
application for this

Say we have closed https://www.example.com/webapp with something like
Require valid-user
Order deny,allow
Deny from all

If someone authenticates on https://www.example.com/webapp, the url is 
available for everyone. 

Some inactivity timeout should lock the url again.


[users@httpd] realtime protection against cloud scans

2023-09-12 Thread Marc

Anyone having a suggestion on how to block cloud crawlers/bots? Obviously I 
would like search engine bots to have access, but all the other crap I want to 
lose. Only 'real users'.

What is best practice for this? Just getting amazon, googleusercontent, 
digitalocean, azure ip ranges and put them in something like ipset or are there 
currently better ways of doing this?




[users@httpd] where to change this "internal server error message"

2023-09-15 Thread Marc
Where/how can I change this message?

The server encountered an internal error or
misconfiguration and was unable to complete
your request.
Please contact the server administrator at
 xxx to inform them of the time this error occurred,
 and the actions you performed just before this error.
More information about this error may be available
in the server error log.


or as a work-a-round, how can refuse access with modsecurity and just generate 
a 200 blank page response.

SecRule REQUEST_HEADERS:User-Agent "blockthisua" 
"id:'13006',phase:2,log,deny,status:200"


RE: [users@httpd] where to change this "internal server error message"

2023-09-15 Thread Marc

> See the ErrorDocument directive.

It does not seem to work. It looks like this config is skipped and the error is 
loaded directly from the httpd binary. 

ErrorDocument 500 /406.html

> Now, why is that response not suitable? And why would you respond with a
> 200 for a blocked user agent?

I think it is better to return to scrapers 200 and empty content, instead of 
notifying them so they can reconfigure their systems.

> 
> 
>   Where/how can I change this message?
> 
>   The server encountered an internal error or
>   misconfiguration and was unable to complete
>   your request.
>   Please contact the server administrator at
>xxx to inform them of the time this error occurred,
>and the actions you performed just before this error.
>   More information about this error may be available
>   in the server error log.
>   
> 
>   or as a work-a-round, how can refuse access with modsecurity and just
> generate a 200 blank page response.
> 
>   SecRule REQUEST_HEADERS:User-Agent "blockthisua"
> "id:'13006',phase:2,log,deny,status:200"
> 



RE: [users@httpd] where to change this "internal server error message"

2023-09-15 Thread Marc
> 
> What is returning the 500 response here? Is php/python/perl involved?

No, I think this mod_security is generating this

> As for the scrapers, you are absolutely wasting your time customizing the
> response. I would just return a 403, actually.

I think you might be right. I did not expect to waste so much time on trying to 
just send an 'empty' body.

> 
> 
>   > See the ErrorDocument directive.
> 
>   It does not seem to work. It looks like this config is skipped and
> the error is loaded directly from the httpd binary.
> 
>   ErrorDocument 500 /406.html
> 
>   > Now, why is that response not suitable? And why would you respond
> with a
>   > 200 for a blocked user agent?
> 
>   I think it is better to return to scrapers 200 and empty content,
> instead of notifying them so they can reconfigure their systems.
> 
>   >
>   >
>   >   Where/how can I change this message?
>   >
>   >   The server encountered an internal error or
>   >   misconfiguration and was unable to complete
>   >   your request.
>   >   Please contact the server administrator at
>   >xxx to inform them of the time this error occurred,
>   >and the actions you performed just before this error.
>   >   More information about this error may be available
>   >   in the server error log.
>   >   
>   >
>   >   or as a work-a-round, how can refuse access with modsecurity
> and just
>   > generate a 200 blank page response.
>   >
>   >   SecRule REQUEST_HEADERS:User-Agent "blockthisua"
>   > "id:'13006',phase:2,log,deny,status:200"
>   >
> 
> 



RE: [users@httpd] realtime protection against cloud scans

2023-09-15 Thread Marc
I would even state that >80% of your server load is crap, if you don't block 
any ranges. Besides that you open yourself up to vulnerability checks and 
monitoring for domain hijacking etc.

> 
> Does the traffic from those cloud ranges have any significant impact on
> your server performance?
> 
> On Tue, Sep 12, 2023 at 10:33 AM Marc  <mailto:m...@f1-outsourcing.eu> > wrote:
> 
> 
> 
>   Anyone having a suggestion on how to block cloud crawlers/bots?
> Obviously I would like search engine bots to have access, but all the other
> crap I want to lose. Only 'real users'.
> 
>   What is best practice for this? Just getting amazon,
> googleusercontent, digitalocean, azure ip ranges and put them in something
> like ipset or are there currently better ways of doing this?
> 
> 
> 



RE: [users@httpd] realtime protection against cloud scans

2023-09-16 Thread Marc

> > using the NTP firewall
> 
> Sorry, using the NFT firewall.
> 

I still need to get familiar with nft. Currently I am using ipset, adding ip's 
with scripts. But ipset is preconfigured for specific netmask /24 /X. So at 
some point your /24 is getting full with 65k entries. It would be nice if then 
automatically /24 are merged/moved to ipsets bigger than /24. 

I am looking for something that can do this automatically. 

Currently I am thinking of creating multiple ipsets for /16 /18 /22 etc and I 
don't know if I should just put corresponding ranges in there from 
digitalocean, amazon, googleusercloud and azure. Or indeed go ips from abuse 
lists, but then risking that lots are not there and you are still adding slowly 
these clouds like digitalocean. 

Afaik was ipset very good with latency. I have no idea how this is replaced.






RE: [users@httpd] proxying SSL -> SSL

2023-10-04 Thread Marc
> 
> Hi guys.
> 
> I've sroogled & have found people suggesting working examples, I thought I
> had some notes but now I'm thinking I read that it should not work..
> so I'm not sure what to think of this seemingly setup:
> 
> 
>   ServerAdmin web...@lemko.xyz 
>   ServerName siem.mine.priv
> 
>   ErrorLog /var/log/httpd/siem.mine.priv-error_log
>   CustomLog /var/log/httpd/siem.mine.priv-access_log common
> 
>   SSLProxyEngine on
>   #SSLEngine on
>   #SSLProxyVerify none
>   #SSLProxyCheckPeerCN off
>   SSLCertificateFile  /etc/pki/tls/certs/siem.mine.priv.crt
>   SSLCertificateKeyFile   /etc/pki/tls/private/siem.mine.priv.key
>   #SSLProxyCACertificateFile /etc/wazuh-indexer/certs/root-ca.pem
>   #SSLProxyMachineCertificateFile /etc/wazuh-indexer/certs/admin.pem
> 
>   RequestHeader set X-Forwarded-Proto “https”
>   RequestHeader set X-Forwarded-Port “443”
> 
>   ProxyRequests Off
>   #ProxyPreserveHost on
>   #ProxyPass /  https://127.0.0.1:8443/
>   #ProxyPassReverse  /  https://127.0.0.1:8443/
> 
>   
> # preserve Host header to avoid cross-origin problems
> ProxyPreserveHost on
> # proxy to
> ProxyPass https://127.0.0.1:8443/
> ProxyPassReverse  https://127.0.0.1:8443/
>   
> 
> 
> 
> As you can see I've fiddled with all those options in different combinations
> but nothing works for me.
> Would you know how to fix or... perhaps you have Apache rev-proxying to
> Wazuh?
> 

Have you added this 
SSLProxyEngine on



RE: [users@httpd] Is it true that Nginx is faster, more secure and better than Apache?

2023-10-04 Thread Marc
I know that with nginx you can't configure your chain certificate separately, 
super annoying.

> 
> Hello,
> Thanks again.
> Why has Apache Foundation never tested Apache performance with Nginx?
> 
> 
> 
> 
>   On Sat, Sep 30, 2023 at 12:00 PM, Frank Gingras
>wrote:
>   There might be some online, however, due to the different
> architectures, they are not likely to be terribly useful. Do avoid the ones
> that bash needlessly either product.
> 
>   On Sat, Sep 30, 2023 at 3:09 AM Jason Long
>  wrote:
> 
> 
>   Hello,
>   Thank you so much for your info.
>   Why are they trollish? I am curious to learn more.
>   Is there a fair comparison between Apache and Nginx?
> 
> 
> 
>   On Saturday, September 30, 2023 at 10:35:12 AM GMT+3:30, Frank
> Gingras mailto:thu...@apache.org> > wrote:
> 
> 
> 
> 
> 
>   Additionally, your recent string of questions to this mailing
> list come off as a bit trollish.
> 
>   On Sat, Sep 30, 2023 at 3:04 AM Frank Gingras   > wrote:
>   > If any of the mod_php extensions are not thread-safe, you will
> need to use the prefork mpm, which will indeed bloat every httpd worker.
> This is not the ideal nor recommended configuration.
>   >
>   > Instead, use the event mpm and proxy_fcgi to pass the request
> to php-fpm.
>   >
>   > Alternatively, you can recompile php to be thread-safe and use
> event mpm with mod_php, which will give you a small execution speed
> advantage.
>   >
>   > The statement you posted is more or less FUD which leaves out
> very important details.
>   >
>   > On Sat, Sep 30, 2023 at 2:56 AM Jason Long
>  wrote:
>   >> Hello,
>   >> Is the following sentence correct?
>   >> "The way Apache loads PHP in its standard setup (with
> mod_php) compared to Nginx alone puts it at a disadvantage. You will see
> performance gains, particularly in memory usage, just by switching to
> Nginx, given you're using a PHP-driven application."
>   >>
>   >> Thank you.
>   >>
>   >>
>   >>
>   >
> 
> 
>   
> 
> 
> 



[users@httpd] dynamic ssl cert/key selection

2023-10-20 Thread Marc
Is there a way to choose what ssl certs/keys to load when you have something like

 ServerAlias test.*.*

So when host test.example.com is serviced, that it will get 

SSLCertificateFile "/etc/pki/tls/certs/example.com.crt"


So when host test.example.net is serviced, that it will get 

SSLCertificateFile "/etc/pki/tls/certs/example.net.crt"


RE: [users@httpd] dynamic ssl cert/key selection

2023-10-20 Thread Marc





- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -. 
F1 Outsourcing Development Sp. z o.o.
Poland 

t:  +48 (0)12 4207 835
e:  m...@f1-outsourcing.eu

> -Original Message-
> From: Will Fatherley 
> Sent: Friday, 20 October 2023 16:04
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] dynamic ssl cert/key selection
> 
> 
>   Is there a way to choose what ssl certs/keys to load when you have
> something like
> 
>ServerAlias test.*.*
> 
>   So when host test.example.com   is serviced,
> that it will get
> 
>   SSLCertificateFile "/etc/pki/tls/certs/example.com.crt"
> 
> 
>   So when host test.example.net   is serviced,
> that it will get
> 
>   SSLCertificateFile "/etc/pki/tls/certs/example.net.crt"
> 
> 
> A trivial and safe way if you need a solution asap might involve declaring
> a  for each host.

I would like to have a single access/error log for all these serveralias matches.

> I’ve not seen globbing/wildcarding like this, and also makes me curious is
> it possible to get a public key signed by a CA with this globbing pattern?

Yes, I am getting the certs like this. I just want to prevent creating the vhosts.





[users@httpd] working with a reverse proxy

2024-02-27 Thread Marc
I am having a more or less default setup where I proxy a website with something 
like this

ProxyPass        "https://${proxyhost}/en_gb"
ProxyPassReverse "https://${proxyhost}/en_gb"

ProxyPassReverseCookieDomain "${proxyhost}" "${defaulthost}"

ProxyHTMLURLMap ... 
ProxyHTMLURLMap ..

Everything on the default host seems to work quite well and you can navigate 
all pages that are proxied.

The issue that I have is that the proxied website at some point does an API 
request to an external host, sending its hostname. I want it to send the 
hostname of the defaulthost, not the proxyhost. 

What would be a best practice for 'informing' the proxyhost that it is being 
proxied and that it should send the defaulthost hostname?

Should I for instance set headers, and in the proxied website should I check on 
such headers? (Btw this is PHP.) Or are there other things available like 
HTTP_X_FORWARDED_FOR?




RE: [users@httpd] working with a reverse proxy

2024-02-27 Thread Marc

> 
> > What would a best practice of 'informing' the proxyhost about that it is
> being proxied and it should send the defaulthost hostname?
> 
> can try
> https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxypreservehost

Proxy only works when I am having ProxyPreserveHost Off, I can't change that.




RE: [users@httpd] working with a reverse proxy

2024-02-28 Thread Marc
> 
> 
>   >
>   > > What would a best practice of 'informing' the proxyhost about that
> it is
>   > being proxied and it should send the defaulthost hostname?
>   >
>   > can try
>   >
> https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxypreservehost
> 
>   Proxy only works when I am having ProxyPreserveHost Off, I can't
> change that.
> 
> 
> What happens when you use ProxyPreserveHost, exactly?

I am getting a 'Content Encoding Error'. I think this proxied web application 
by default is doing some routing based on host names. 


RE: [users@httpd] working with a reverse proxy

2024-02-28 Thread Marc


> > Should I for instance set headers, and in the proxied website should I
> check on such headers? (Btw this is php). Or are there other things
> available like HTTP_X_FORWARDED_FOR
> 
> mod_proxy should add the "X-Forwarded-Host" header (i.e.
> HTTP_X_FORWARDED_HOST in cgi/php) with the value of defaulthost, when
> forwarding the request to proxyhost. This is the default behaviour,
> unless "ProxyAddHeaders off".
> 


Thanks Yann! I was looking indeed at the wrong headers, these two are having 
the correct value.

[HTTP_X_FORWARDED_SERVER] 
[HTTP_X_FORWARDED_HOST]

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
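
Added example (not from the thread): the backend discussed above is PHP, where these values arrive as $_SERVER['HTTP_X_FORWARDED_HOST']; the same check is shown here in Python on a CGI-style environment dict. Any client can send X-Forwarded-Host itself, and mod_proxy appends its own value to a header that is already present, so this code honours only the last element, only when the request comes from the proxy's address, and only when it is an expected name. The proxy address 10.0.0.5, the host names and all function names are constructed for illustration.

```python
import ipaddress

# Constructed values: the address of the front httpd and the public
# ("defaulthost") name the backend is allowed to report.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]
ALLOWED_PUBLIC_HOSTS = {"www.example.com"}

HOST_CHARS = set("abcdefghijklmnopqrstuvwxyz0123456789.-")


def normalise_host(value):
    """Lower-case a host[:port] value and drop the port; None if malformed."""
    host = value.strip().lower()
    if not host:
        return None
    if host.startswith("["):              # IPv6 literal such as [::1]:8443
        end = host.find("]")
        return host[: end + 1] if end != -1 else None
    host = host.split(":", 1)[0].rstrip(".")
    if not host or any(c not in HOST_CHARS for c in host):
        return None
    return host


def from_trusted_proxy(remote_addr, networks=TRUSTED_PROXIES):
    """True only if the TCP peer is one of our own reverse proxies."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def public_host(environ, fallback, networks=TRUSTED_PROXIES,
                allowed=ALLOWED_PUBLIC_HOSTS):
    """Host name the application should report to the external API."""
    # A direct client can put anything in X-Forwarded-Host, so the header
    # is ignored unless the connection really comes from the proxy.
    if not from_trusted_proxy(environ.get("REMOTE_ADDR", ""), networks):
        return fallback
    raw = environ.get("HTTP_X_FORWARDED_HOST", "")
    # If the client already sent the header, the proxy's value is appended
    # after a comma; only that last element was written by the proxy.
    candidate = normalise_host(raw.split(",")[-1])
    # Even a trusted proxy forwards the client's Host header, so the name
    # is still checked against the set of names this site answers to.
    if candidate in allowed:
        return candidate
    return fallback


if __name__ == "__main__":
    request = {"REMOTE_ADDR": "10.0.0.5",
               "HTTP_X_FORWARDED_HOST": "evil.example, www.example.com"}
    print(public_host(request, fallback="backend.internal"))
```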


RE: [users@httpd] Measurements of htaccess processing penalty

2024-03-04 Thread Marc
If you are testing, can you do it again with putting the .htaccess in cache? I 
am just curious :)

https://hoytech.com/vmtouch/

> 
> The HTTPD documentation says "You should avoid using .htaccess files
> completely if you have access to httpd main server config file. Using
> .htaccess files slows down your Apache http server. Any directive that you
> can include in a .htaccess file is better set in a Directory block, as it
> will have the same effect with better performance."
> I wanted to see if I could measure how much slower it is and boy does it
> make a difference. (This is actually part of my PhD research into how to
> better understand configuration management.)
> 
> I built HTTPD from source with a lot of debugging features (i.e. symbols, no
> compiler optimization), so these specific numbers are only valid in the
> context of this test, but they are still interesting.
> 
> I created a file DOCUMENT_ROOT/1.txt containing just the text "1" (Short
> URL) and a file
> DOCUMENT_ROOT/1/2/3/4/5/6/7/8/9/10/11/12/13/14/15/16/17/18/19/20/21.txt
> containing the text "21" (Long URL).
> I used ab to run get requests, first 10,000, then 100,000, then 100,000
> again, just to check for variability (and it turns out there isn't any
> significant variability). I ran ab on the same machine as httpd.
> I ran the requests first with AllowOverride None, then with AllowOverride
> All but no .htaccess files, then with AllowOverride All and .htaccess files
> with a mix of "Require all denied" and "Require all granted".
> I also collected the number of instructions executed by the system using
> perf.
> 
> Here is a quick summary of the results:
> 
> AllowOverride None / Long URL:
> - 1.367 seconds
> - 13.637 seconds
> - 13.607 seconds
> 
> AllowOverride None / Short URL:
> - 1.283 seconds
> - 12.981 seconds
> - 12.989 seconds
> 
> AllowOverride All / Long URL:
> - 2.002 seconds
> - 20.015 seconds
> - 20.032 seconds
> 
> AllowOverride All / Short URL:
> - 1.370 seconds
> - 13.581 seconds
> - 13.590 seconds
> 
> AllowOverride All / Long URL with `.htaccess` files:
> - 3.062 seconds
> - 31.042 seconds
> - 31.122 seconds
> 
> AllowOverride All / Short URL with `.htaccess` files
> - 1.431 seconds
> - 14.487 seconds
> - 14.461 seconds
> 
> 
> The change in perf counters matched the changes in wall clock time.
> The only thing surprising about any of these results was the magnitude of
> the performance effects.
> I think it is most interesting that for this example of a path 20
> directories deep, having an extra .htaccess file nested in each directory
> actually doubled the amount of time it took to process the request.
> 
> - Y


RE: [users@httpd] Measurements of htaccess processing penalty

2024-03-04 Thread Marc


> 
> The whole point of .htaccess files is that they aren't cached, it gives
> users who are not able to control the server the ability to make
> configuration changes.

I have never ever modified these in application directories. You do this maybe 
once in the top level, maybe for some redirection and other configs. That is 
then the last time you touched them.

> If you can control the server process, you should
> put configuration in  sections that are loaded at start time
> which are then cached in memory by the server process.

Yes I will now ;) On the other hand, you could argue to just stick to web 
application defaults and maybe cache them.


[users@httpd] virtualhost environment setting for proxy

2024-03-26 Thread Marc


I have currently this in my virtual host config

SetEnvIf Host test\.example\.com CODE=123


How should I change this line for when this website is being accessed via 
ProxyPass and ProxyPassReverse?




[users@httpd] RE: virtualhost environment setting for proxy

2024-03-26 Thread Marc
> I have currently this in my virtual host config
> 
> SetEnvIf Host test\.example\.com CODE=123
> 
> 
> How should I change this line for when this website is being accessed via
> ProxyPass and ProxyPassReverse?
> 

SetEnvIf X-Forwarded-Server


[users@httpd] pipe logs to somethings that resembles a curl post

2024-04-08 Thread Marc

I was wondering how I could use piped logs to redirect some logs, comparable to 
curl post requests. 

[1]
https://httpd.apache.org/docs/current/logs.html


[users@httpd] RE: pipe logs to somethings that resembles a curl post

2024-04-10 Thread Marc
Currently I have modified some rust application that does this to satisfaction. 
But piping to a 60MB binary for quite a few virtual hosts does not really seem 
efficient to me. 
Is there not some apache module that can offer a "global" access to logging and 
'clones' all logging to some tcp socket? (I prefer not to route first to 
syslog) 

> 
> 
> I was wondering how I could use piped logs to redirect some logs,
> comparable to curl post requests.
> 
> [1]
> https://httpd.apache.org/docs/current/logs.html



[users@httpd] RE: pipe logs to somethings that resembles a curl post

2024-04-10 Thread Marc

Oops I was misled by some old posts. GlobalLog[1] does this for everything. 
However I have not found what value[2] has the requested virtual host name. 

[1]
https://httpd.apache.org/docs/current/mod/mod_log_config.html

[2]
https://httpd.apache.org/docs/current/mod/mod_log_config.html#formats

> 
> Currently I have modified some rust application that does this to
> satisfaction. But piping to a 60MB binary for quite a few virtual hosts
> does not really seem efficient to me.
> Is there not some apache module that can offer a "global" access to
> logging and 'clones' all logging to some tcp socket? (I prefer not to
> route first to syslog)
> 
> >
> >
> > I was wondering how I could use piped logs to redirect some logs,
> > comparable to curl post requests.
> >
> > [1]
> > https://httpd.apache.org/docs/current/logs.html
> 


[users@httpd] RE: pipe logs to somethings that resembles a curl post

2024-04-10 Thread Marc
%v sorry for polluting this list

PS. If it is any consolation, I have registered myself at a retirement home

> -Original Message-
> From: Marc 
> Sent: Wednesday, 10 April 2024 14:22
> To: users@httpd.apache.org
> Subject: [users@httpd] RE: pipe logs to somethings that resembles a curl
> post
> 
> 
> Oops I was misled by some old posts. GlobalLog[1] does this for
> everything. However I have not found what value[2] has the requested
> virtual host name.
> 
> [1]
> https://httpd.apache.org/docs/current/mod/mod_log_config.html
> 
> [2]
> https://httpd.apache.org/docs/current/mod/mod_log_config.html#formats
> 
> >
> > Currently I have modified some rust application that does this to
> > satisfaction. But piping to a 60MB binary for quite a few virtual hosts
> > does not really seem efficient to me.
> > Is there not some apache module that can offer a "global" access to
> > logging and 'clones' all logging to some tcp socket? (I prefer not to
> > route first to syslog)
> >
> > >
> > >
> > > I was wondering how I could use piped logs to redirect some logs,
> > > comparable to curl post requests.
> > >
> > > [1]
> > > https://httpd.apache.org/docs/current/logs.html
> >


RE: [users@httpd] RE: pipe logs to somethings that resembles a curl post

2024-04-10 Thread Marc
> >
> > [1]
> > https://httpd.apache.org/docs/current/mod/mod_log_config.html
> >
> > [2]
> > https://httpd.apache.org/docs/current/mod/mod_log_config.html#formats
> 
> You could also use
> https://httpd.apache.org/docs/current/mod/mod_lua.html#luahooklog to
> split up your logs or discard/silence certain entries.
> 

Thanks! that is indeed also a nice option. I would not be surprised if I would 
want to manage this a bit more in the near future. 
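
Added example (not from the thread, and not the Rust application mentioned above): a small piped-log program in Python for the setup this thread arrives at, a GlobalLog pipe whose format starts with %v, that batches entries and POSTs them as a JSON array. The collector URL, the script path in the comment and the batch and back-off values are placeholders chosen for illustration.

```python
#!/usr/bin/env python3
"""Piped-log forwarder (added example).

Hypothetical httpd configuration that would feed it:
    GlobalLog "|/usr/local/bin/logpost.py" "%v %h %l %u %t \"%r\" %>s %b"
"""
import json
import sys
import time
import urllib.request

COLLECTOR_URL = "http://127.0.0.1:9000/ingest"   # placeholder endpoint


def parse_line(line):
    """Split '%v <rest of entry>' into the virtual host and the entry."""
    vhost, _, entry = line.rstrip("\r\n").partition(" ")
    return {"vhost": vhost, "entry": entry}


def post_json(records, url=COLLECTOR_URL, timeout=3):
    """POST one batch as a JSON array; True on a 2xx answer."""
    req = urllib.request.Request(
        url,
        data=json.dumps(records).encode("utf-8"),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return 200 <= resp.status < 300


class Forwarder:
    """Buffers entries and sends them in batches without stalling the pipe."""

    def __init__(self, send=post_json, batch_size=20, max_pending=5000,
                 backoff=10.0, clock=time.monotonic):
        self.send = send
        self.batch_size = batch_size
        self.max_pending = max_pending
        self.backoff = backoff
        self.clock = clock
        self.pending = []
        self.sent = 0
        self.dropped = 0
        self.retry_at = 0.0

    def add(self, line):
        if not line.strip():
            return
        self.pending.append(parse_line(line))
        if len(self.pending) > self.max_pending:
            # Collector has been away too long: drop the oldest entry
            # instead of growing without bound.
            del self.pending[0]
            self.dropped += 1
        # After a failed POST, wait for the back-off to expire; retrying on
        # every line would block on the timeout and back up httpd's pipe.
        if len(self.pending) >= self.batch_size and self.clock() >= self.retry_at:
            self.flush()

    def flush(self):
        if not self.pending:
            return True
        batch = list(self.pending)
        try:
            ok = bool(self.send(batch))
        except Exception:
            ok = False          # connection refused, timeout, HTTP 4xx/5xx
        if ok:
            self.sent += len(batch)
            self.pending = []
        else:
            self.retry_at = self.clock() + self.backoff
        return ok


def main():
    forwarder = Forwarder()
    for line in sys.stdin:      # httpd closes the pipe on shutdown/restart
        forwarder.add(line)
    forwarder.flush()


if __name__ == "__main__":
    main()
```

Entries are only sent when a batch fills or the pipe closes, so on a quiet server a smaller batch_size keeps the delay short.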


[users@httpd] better configtest

2024-04-16 Thread Marc

With the forced upon us 90 day certificate renewal crap, my httpd was down 
today although I have a 'restart procedure' that verifies a bit for errors with 
apachectl configtest.

1. 
what is the point of having an apachectl configtest, when a restart can still 
fail? It can't be too difficult to include cert checks here, can it? This is now 
becoming a significant part.

2.
AH00016: Configuration Failed
AH00016: Configuration Failed
AH00016: Configuration Failed
AH00016: Configuration Failed
AH00016: Configuration Failed
AH00016: Configuration Failed
AH00016: Configuration Failed

This is useless, why not list config line or cert name?


RE: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-16 Thread Marc
> 
> I was looking for openssl command(s) to generate server side certificate
> and key so that https start working on my apache 2.4 web server on
> windows.
> 
> I looked on Internet but found few commands but they all used different
> arguments to openssl.
> 
> Can someone please give me exact openssl command(s) to use.
> 
> I will appreciate it.

I think you need to search for setting up your own CA and sign certs. I don't 
think openssl commands are any different on windows. Maybe easier to get an 
existing cert and use that, and just ignore the warning?
Maybe there are even easier to use tools on windows that do this all for you? 
Microsoft certool?




RE: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-16 Thread Marc
> 
> Windows is my development environment. Later the website will be hosted
> on linux and the linux hosting provider will provide SSL certificate.
> 

But should your development be not protocol independent? If your code works on 
http it should also work on https. I am getting sick of these wordpress idiots 
where they still have hardcoded links everywhere and I can't even convert a 
website from http to https.


RE: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-16 Thread Marc
> 
> 
>   But should your development be not protocol independent? If your
> code works on http it should also work on https. I am getting sick of
> these wordpress idiots where they still have hardcoded links everywhere
> and I can't even convert a website from http to https.
> 
> 
> 
> Are you saying that I am a wordpress idiot?
> 

No :) Development/management team of wordpress are idiots. They are still 
advising people incorrectly to upgrade eg while distributions are backporting 
security stuff. A developer should just do developing. A dentist is also not 
telling an ophthalmologist what to do. Why do you care if you are using http or 
https? Unless you are developing something specific to the https protocol (eg. 
sni) forget about it.



RE: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-16 Thread Marc
> 
> Pardon me- have 443 redirect to 80 of the environment variable is true.
> Alternatively, have a completely different 443 vhost declared for
> development purposes
> 
> On Tue, Apr 16, 2024 at 11:30 AM Will Fatherley wrote:
> 
> 
> 
>   But should your development be not protocol independent? If
> your code works on http it should also work on https. I am getting sick
> of these wordpress idiots where they still have hardcoded links
> everywhere and I can't even convert a website from http to https.
> 
> 
>   TLS is not in the application layer as HTTP is, so it’s just a
> complication that has to be managed in development. I don’t know how
> Wordpress works, but there are solutions beyond its configuration.

You are writing it is not application layer and then write it needs to be 
addressed in development?

>   For example, if you just need to verify your HTTP-based application
> functions as desired, but there is commingling of HTTPS and HTTP in
> application HREFs then use the `if` directive with a development-only
> environment variable in your virtual hosts. If the client follows a HTTPS
> link that isn’t going to work for keying material reasons, have the 443
> virtual host redirect to 80 if the development variable in the
> development environment
> 

This is more about the ability to host an application regardless if it is on 
http or https. How https is enforced/applied is up to the manager of the 
server, why would you even care as a developer of an application?




RE: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-16 Thread Marc
>   >
>   >   But should your development be not protocol independent? If
> your
>   > code works on http it should also work on https. I am getting
> sick of
>   > these wordpress idiots where they still have hardcoded links
> everywhere
>   > and I can't even convert a website from http to https.
>   >
>   >
>   >
>   > Are you saying that I am a wordpress idiot?
>   >
> 
>   No :) Development/management team of wordpress are idiots. They are
> still advising people incorrectly to upgrade eg while distributions are
> backporting security stuff. A developer should just do developing. A
> dentist is also not telling an ophthalmologist what to do. Why do you
> care if you are using http or https? Unless you are developing something
> specific to the https protocol (eg. sni) forget about it.
> 
> 
> 
> Marc, let's try to be friendly towards users and adopt a more neutral
> tone.  New users have questions, and it's normal. Calling folks "idiots"
> isn't helping here.
> 

And I am trying so hard to be part of the woke movement. 15 years ago people 
were not writing about gays. Maybe it takes another 15 years to be allowed to 
write about idiots. They already are officially mentioned in the dictionary. ;)




RE: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-16 Thread Marc
> 
> On Tuesday 16 April 2024 at 18:42:09, Marc wrote:
> 
> > This is more about the ability to host an application regardless if it
> is
> > on http or https. How https is enforced/applied is up to the manager of
> > the server, why would you even care as a developer of an application?
> 
> I often develop applications on servers which I manage.

How is this relevant?

> Please stop trying to enforce your opinion of the demarcation between
> disciplines on other people.
> 
> Not every developer is only a developer.
> 

This is also not relevant to what I am stating. If you develop, do it 
regardless of http/https that is convenient for everyone. It will be to your 
own benefit. If you have to host the application on your own server, so be it. 
It will be easier with choosing your https solution. You could already be 
developing it now, and later you can check how to use openssl. Last thing you 
want, is an application that forces https or http.



RE: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-17 Thread Marc

> 
>   http is an insecure protocol. I don't want my website to run on
> http. So, I am hardcoding https in links in my website that refer to
> pages in my website.
>
>
>   Now, I know that you will write why not redirect http to https by
> default. 

No because that is not relevant to me and what I would like to address. I am 
even deploying https on tasks in private air-gapped environments. This is not a 
discussion about whether or not https should be used and when.


> The problem with this is that if the website gets migrated to
> different provider and if people forget to redirect http to https in new
> setup then it will become a security problem.

I know there are many idiots out there and your concern is very valid. Most of 
the security breaches you read about is about such issues. 
However, can you imagine the apache dev team thinking like you? Hard coding 
everything to https? Can you imagine all http ports of tomcat, httpd, jboss 
etc. being dropped? These people have been making rock solid applications for 
decades they don't lecture others how to use or not use https. 
You will never match them in any way, why not follow their lead?


>   Hardcoding https solves all issues.
> 

A few years back I had an argument with apple developers. They were having in 
the build process of the calendar server openssl. The developers thought for 
security purposes it would be better to include it in the build. This resulted 
in that calendar servers were always having an old insecure openssl, because the 
openssl updated by the distribution was not used. (and nobody is going to build 
the application frequently) This is what happens when application developers 
think they are security geniuses.

The point I am trying to make is that you as an application developer should be 
focussed on developing your application it is not your business how this 
application is hosted. You should not concern yourself with things you are not 
experienced in/with. Especially when it comes to something as crucial as 
security. You are not removing ca certs from the trust store, you are not 
setting secure ciphers, you are not setting limits on key sizes etc. Why would 
you then even bother with https or http?

With your argument you might as well hard code the domain name in your 
application (like wordpress) and hardcode root name servers etc. 
If you buy an egg in the store, it does not come with any requirement that it 
should be used only for making cakes. Grasp this concept.




RE: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-17 Thread Marc
> I don't know what you are trying to prove by your points + you are
> insulting people for no reason.

I am insulting no one, mostly stating what is common.


> If you insult people, they may insult you back.
> 
> Russia attacked Ukraine and Ukraine/NATO hit Russia back.

I think you are the only one on this planet that would dare to summarize this 
conflict like this. But it proves my point, stick just to what you know, with 
development.


> The original discussion was about openssl commands and I think that since
> you don't know openssl commands, you should not have said anything.
> 

You wrote it was for a local development environment. I just thought why bother 
with the openssl? Obviously I should not have made assumptions. You could also 
be cryptographer working on mod_ssl.


> Let other people do what they want to do. If they want to hardcode
> something, why are you bothered.

I am just pointing out there are multiple roads that lead to Rome. Some of which 
are known to be less troublesome than others. If you get stuck on some dirt 
track to Rome, others will be required to come and help.


> I will hard code https, its my choice. It has nothing to do with you.
> 

Obviously, I am just stating it is not really what most experienced 
professionals do. 


> Now, you are saying to hard code root name servers, etc. which doesn't
> make sense.

Because you do not know about it. That is the point I am trying to make. Just 
separate it from application development.


> You are taking this discussion in all sorts of directions and I don't
> know what you want to prove.

Really? I thought I made my point numerous times.


> If people are asking for advice on PHP then advise them on PHP or don't say 
> anything.
> Don't start advising them about Java.

Please... I am not even making remarks about you asking openssl questions at 
httpd.


> 
> By the way, if you insult me, I will insult you back.
> 

I think most people will understand that I try to make you see the difference 
between developing an application and how it is hosted/used what ever, operate 
within your area of expertise. 



RE: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-17 Thread Marc

> 
>   So, is this wrong forum for asking about openssl commands required
> for generating certificates for enabling https on apache?
>

Mostly you will be notified. The only thing you need to add to your virtual 
host for https is this:

SSLEngine on
SSLCertificateFile 
SSLCertificateChainFile 
SSLCertificateKeyFile 

It really does not matter how keys / crts have been generated. Just choose 
something that is quick and easy. 

> 
>   Most of the websites showed how to generate .pem certificates, but
> after reading about ssl/https on apache website, I saw that apache
> requires .crt certificates.

pem, crt, cer check if they start like this

-----BEGIN CERTIFICATE-----

check apache log file for start up errors.

>   Obviously, I can figure out this whole thing if I read whole
> openssl manual and apache ssl configs, etc. but I don't want to invest
> time in that and I was looking for a quick solution and that's why I
> posted here.
> 

Just choose a tool that can quickly generate key and crt. Does not matter which 
tool. Someone send you already reply to something.


>   I would really like to know how my idea of hardcoding https can go
> wrong?
> 

It can be anything, it is just unexpected application behaviour to someone who 
might work with it in the future. Maybe internal health check url? Cron? 
Debugging? Personally I find it sometimes annoying with testing container 
images. In my own development environment I am constantly switching between 
development and production certs.

I would always opt for having this at least configured as an option.

> 
> Anyways, I looked more on google and I think that I have found what I was
> looking for on this page:
> https://gist.github.com/taoyuan/39d9bc24bafc8cc45663683eae36eb1a
> 

Forget about going specific for openssl, it is just a tool. Choose the simplest 
solution for your development environment. If you are doing hosting yourself. 
You're going to end up with automated certs on your hosting environment any way, 
you will never see an openssl command.






RE: [users@httpd] better configtest

2024-04-17 Thread Marc
> >
> > 1.
> > what is the point of having an apachectl configtest, when a restart can
> still fail? It can't be too difficult to include cert checks here, can it?
> This is now becoming a significant part.
> 
> The bar is useful, not perfect.  configtest checks for _syntax_ validity.
> 
> > 2.
> > AH00016: Configuration Failed
> > AH00016: Configuration Failed
> > AH00016: Configuration Failed
> > AH00016: Configuration Failed
> > AH00016: Configuration Failed
> > AH00016: Configuration Failed
> > AH00016: Configuration Failed
> >
> > This is useless, why not list config line or cert name?
> 
> This error means post-configuration failed. This is when the collected
> config is acted upon, which is not really within line-by-line mode.
> Normally there's a preceding error message with more details, maybe in
> a vhost-specific error log?

Maybe, I would have to look through quite a lot. 

Can't the development team re-think about this? What is the point of not 
starting httpd if there is an issue with a single virtual host? Why not have 
that specific virtual host fail only? I would like to have this config syntax 
check expanded to cert content or some other way of validating that I can test 
if I can restart httpd safely.






-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
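
Added example (not part of the thread and not httpd project code): a pre-restart check in Python for the gap discussed above, where configtest passes on syntax but the restart fails on a certificate. It reads SSLCertificateFile and SSLCertificateKeyFile from each VirtualHost block and tries to load every pair the way a TLS server would, naming the vhost that fails; the function names are assumptions, and Include directives are not followed, so each config file has to be passed explicitly.

```python
#!/usr/bin/env python3
"""Pre-restart check of certificate/key pairs named in httpd config files."""
import re
import ssl
import sys
from pathlib import Path

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.I | re.S)
NAME_RE = re.compile(r"^[ \t]*ServerName[ \t]+(\S+)", re.I | re.M)
CERT_RE = re.compile(
    r'^[ \t]*SSLCertificateFile[ \t]+"?([^"\r\n]+?)"?[ \t]*\r?$', re.I | re.M)
KEY_RE = re.compile(
    r'^[ \t]*SSLCertificateKeyFile[ \t]+"?([^"\r\n]+?)"?[ \t]*\r?$', re.I | re.M)


def find_cert_pairs(config_text):
    """Return [(vhost label, cert path, key path or None)] per VirtualHost."""
    pairs = []
    for address, body in VHOST_RE.findall(config_text):
        name = NAME_RE.search(body)
        label = name.group(1) if name else address.strip()
        certs = CERT_RE.findall(body)
        keys = KEY_RE.findall(body)
        # A vhost may list several cert/key pairs (e.g. RSA and ECDSA);
        # they are paired in the order they appear.
        for i, cert in enumerate(certs):
            pairs.append((label, cert, keys[i] if i < len(keys) else None))
    return pairs


def check_pair(cert, key):
    """Return None if the pair loads, otherwise a short reason string."""
    for path in filter(None, (cert, key)):
        p = Path(path)
        if not p.is_file():
            return f"missing file: {path}"
        try:
            text = p.read_text(errors="replace")
        except OSError as exc:
            return f"unreadable: {path} ({exc})"
        if "-----BEGIN " not in text:
            return f"not PEM: {path}"
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        # key=None means the private key is expected inside the cert file.
        # The password callback keeps an encrypted key from prompting on the
        # terminal; such a key is reported as unloadable instead.
        ctx.load_cert_chain(cert, keyfile=key, password=lambda: b"-")
    except (ssl.SSLError, OSError) as exc:
        return f"unloadable cert/key pair: {cert} ({exc})"
    return None


def audit(config_text):
    """Return [(vhost label, reason)] for every pair that would not load."""
    problems = []
    for label, cert, key in find_cert_pairs(config_text):
        reason = check_pair(cert, key)
        if reason:
            problems.append((label, reason))
    return problems


def main(argv):
    failed = False
    for conf in argv[1:]:
        for label, reason in audit(Path(conf).read_text(errors="replace")):
            failed = True
            print(f"{conf}: vhost {label}: {reason}", file=sys.stderr)
    return 1 if failed else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A restart procedure can run this after certificate renewal and skip the restart when the exit status is non-zero.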


[users@httpd] proxypass to next proxy

2024-05-06 Thread Marc


On some production environment I am using this:


 ProxyPass http://test.example.com/test


But on development I can't access test.example.com, traffic needs to be routed 
through another proxy on a different port. How should I rewrite this so 
requests for /test -> test.example.com go via proxy.local.net on port 5000?





[users@httpd] RE: proxypass to next proxy

2024-05-06 Thread Marc
> 
> 
> On some production environment I am using this:
> 
> 
>  ProxyPass http://test.example.com/test
> 
> 

ProxyRemote "http://test.example.com/test" "http://proxy.local.net:5000"

 ProxyPass http://test.example.com/test



RE: [users@httpd] http ok, https Forbidden

2024-05-15 Thread Marc
> 
> we have a apache 2.4.59 running on windows for an internal page.
> Now we would like to use https instead of http
> 
> Opening the url via http works,
> when I use https I get
> 
> Forbidden
> You don't have permission to access this resource.
> 
> I activated the debug level and see this lines
> 

Not enough info, maybe you just lack the configuration of a https virtual host 
entry?





[users@httpd] output buffer php ProxySet

2024-06-20 Thread Marc
I am experimenting a bit with output buffering with php-fpm[1]. In my default 
setup I can't get this to work. Currently I am only getting this to work when I 
add this to my virtualhost config:


ProxySet enablereuse=on flushpackets=on


I assume this will impact the rest of the website. Is there a way to limit this 
to a directory or file? I prefer to have this done in a .htaccess file because 
I am not sure if I will be able to access httpd conf files.




[1]
<?php
header( 'Content-type: text/html; charset=utf-8' );
echo 'Begin ...';
for( $i = 0 ; $i < 10 ; $i++ )
{
    echo $i . '';
    flush();
    ob_flush();
    sleep(1);
}
echo 'End ...';
?>




[users@httpd] RE: output buffer php ProxySet

2024-06-22 Thread Marc
> I am experimenting a bit with output buffering with php-fpm[1]. In my
> default setup I can't get this to work. Currently I am only getting this
> to work when I add this to my virtualhost config:
> 
> 
> ProxySet enablereuse=on flushpackets=on
> 
> 
> I assume this will impact the rest of the website. Is there a way to
> limit this to a directory or file? I prefer to have this done in a
> .htaccess file because I am not sure if I will be able to access httpd
> conf files.
> 
> 
> 
> 
> [1]
> header( 'Content-type: text/html; charset=utf-8' );
> echo 'Begin ...';
> for( $i = 0 ; $i < 10 ; $i++ )
> {
> echo $i . '';
> flush();
> ob_flush();
> sleep(1);
> }
> echo 'End ...';
> ?>
> 

A side effect of this is that the max execution time set in php.ini is not 
honoured any more.






RE: [users@httpd] Simulating rewrite rules?

2024-07-11 Thread Marc
> 
> RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
> RewriteCond %{HTTP_USER_AGENT} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
> RewriteCond %{HTTP_USER_AGENT} ^.*(HTTrack|clshttp|archiver|loader|email|nikto|miner|python).* [NC,OR]
> RewriteCond %{HTTP_USER_AGENT} ^.*(winhttp|libwww\-perl|curl|wget|harvest|scan|grab|extract).* [NC,OR]
> RewriteCond %{HTTP_USER_AGENT} ^.*(Googlebot|SemrushBot|PetalBot|Bytespider|bingbot).* [NC]
> RewriteRule (.*) https://guardiandigital.com/$1 [L,R=301]
> 
> 
> SetEnvIf user-agent "(?i:GoogleBot)" googlebot=1
> SetEnvIf user-agent "(?i:SemrushBot)" googlebot=1
> SetEnvIf user-agent "(?i:PetalBot)" googlebot=1
> SetEnvIf user-agent "(?i:Bytespider)" googlebot=1
> SetEnvIf user-agent "(?i:bingbot)" googlebot=1
> 
> 
>   
> Require ip 1.2.3.4
> Require env googlebot
>   
> 

I would think that mod_security is more efficient for this
SecRule REQUEST_HEADERS:User-Agent "" "id:'13006',phase:2,log,deny,status:200"

Why allow SemrushBot, PetalBot and Bytespider? If they don't give you traffic, 
block them. Better add things for yandex and duckduckgo. Duckduckgo is getting 
better than google. Maybe start looking for ai crawlers also.

> I was also originally trying to associate the rewriterules with the
> requireany using  but then realized I didn't even have to do that -
> it would just automatically get processed independently. It looks so
> simple now, but took me a while to make it this simple.
> 
> 

What also helps is blocking these clouds, just get their ip ranges

- amazon
- googleusercontent
- digital ocean
- ovh



PS. Don't give google the credit to have bot variable named after them ;).




RE: [users@httpd] reverse proxy setup

2024-07-11 Thread Marc
 I am testing a bit with this:

# files are still loaded from default host
Define defaulthost ""
Define proxyhost ""

ProxyPreserveHost Off
ProxyAddHeaders On
SetOutputFilter  proxy-html
ProxyHTMLEnable On
ProxyHTMLExtended On

ProxyPass "https://${proxyhost}/"
ProxyPassReverse "https://${proxyhost}/"

ProxyPassReverseCookieDomain "${proxyhost}" "${defaulthost}"
ProxyPassReverseCookiePath   "/" "//"

Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=None

ProxyHTMLURLMap https://${proxyhost}/ https://${defaulthost}/

Options +ExecCGI +FollowSymLinks -MultiViews

> -Original Message-
> From: bruce 
> Sent: Thursday, 11 July 2024 13:20
> To: users@httpd.apache.org
> Subject: [users@httpd] reverse proxy setup
> 
> Hi.
> 
> Testing a github app that appears to use/require reverse proxy to
> display results on the browser.
> 
> The basic app uses npm/nextjs to generate content, Per different
> sites, the process uses PM2 to run the process, and to be able to show
> the content via an internal/local "server". This is accessed via  --
> http://127.0.0.1:3000.
> 
> Using curl on the local/test server, content can be accessed via the site
>  curl  http://127.0.0.1:3000.
> 
> My issue now, is how to create the Apache conf to be able to have the
> user at http://1.2.3.4/berat, be able to display the content. This
> requires somehow setting up the reverse proxy process, in the VirtHost
> of the config file. The test site is being run from a subdir
>   /var/www/html/berat <<<
> 
> Researching/testing hasn't had the light go off yet!
> 
> Here's what I've got, but it's not correct.
> 
> Pointers would be useful. (and possible explanation!)
> 
> cat /etc/apache2/sites-available/berat.conf
> 
> ServerAdmin f...@yahoo.com
> ServerName  temp22
> ServerAlias temp
> 
> DocumentRoot   /var/www/html/berat
> 
> ProxyRequests Off
> ProxyPreserveHost On
> 
> Require all granted
> 
> 
> ProxyPreserveHost On
> 
> 
>   ProxyPreserveHost Off
>   ProxyErrorOverride Off
> 
> 
>  #ProxyPass/api/system-a/
> https://external-domain.example2.org/system-a/
> 
>  ProxyPass /berat http://127.0.0.1:3000/
> 
>  ProxyPassReverse /berat http://127.0.0.1:3000/
> 
> 
> #DocumentRoot   /var/www/html/berat
> 
> 
> 
> 
> #ProxyRequests Off
> #ProxyPreserveHost On
> #
> #  Require all granted
> #
> 
> #ProxyPass / http://127.0.0.1:3000/
> 
> #ProxyPassReverse / http://127.0.0.1:3000/
> 
> #DirectoryIndex index.html index.php
> 
> #Options -Indexes +FollowSymLinks +MultiViews
> Options +FollowSymLinks
> 
> AllowOverride All
> Require all granted
> ##Options -Indexes +FollowSymLinks +MultiViews
> AllowOverride All Require all granted
> 
> 
> ##Options Indexes FollowSymLinks MultiViews
> ##Options -Indexes FollowSymlinks
> #Options FollowSymlinks
> #AllowOverride All
> ##Order allow,deny
> ##allow from all
> #Require all granted
> 
> 
> ##Alias "/berat" "/var/www/html/berat/"
> 
> 
> LogLevel debug
> ErrorLog ${APACHE_LOG_DIR}/error.log
> CustomLog ${APACHE_LOG_DIR}/access.log combined
> 
> 



RE: [users@httpd] apache reverse proxy question -- i think

2024-07-13 Thread Marc
You can't do this with something like alias?

Alias "/images/logo.svg" "/var/www/html/berat/public/logo.svg"

> 
> I'd like something like::
> 
>ProxyPass /logo.svg   http://1.2.3.4/berat/public/logo.svg
>ProxyPassReverse /logo.svg   http://1.2.3.4/berat/public/logo.svg
> doesn't work
> 
>ProxyPass logo.svg   http://1.2.3.4/berat/public/logo.svg
>ProxyPassReverse logo.svg   http://1.2.3.4/berat/public/logo.svg
>   doesn't work
> 
> in the page source
>href="/logo.svg"
> 
>  which should redirect to --  /var/www/html/berat/public/logo.svg
> or http://1.2.3.4/berat/public/logo.svg
> 
> thanks
> 
> 
> 
> >
> >
> >
> >>
> >> I have a situation where I'm trying to create a foo.config file for a
> >> test apache app.
> >>
> >> in the html of the app, i have a href="/test.svg".
> >>
> >> the actual test.svg resides in the physical dir:
> >>  /var/www/html/berat/public/test.svg
> >>
> >> so I'm trying to figure out how to handle this. As far as I can tell,
> >> this is a reverse proxy issue
> >>
> >> but I can't do
> >>
> >> another
> >>  ProxyPass '
> >>
> >>  as I'm already doing the following which works...
> >>   ProxyPass / http://127.0.0.1:3000/
> >>   ProxyPassReverse / http://127.0.0.1:3000/
> >>
> >>  is there some method that I trigger off the actual "filename"
> >>
> >> are there any pointers/examples you can point me to..
> >>
> >> This appears to be the last issue I'm grappling with.
> >>
> >> thanks
> >>



[users@httpd] temporary enable/disable access

2024-08-01 Thread Marc

I have currently such virtual host config:


  1 
  2   AllowOverride All
  3   Require all granted
  4 

 45 
 46   Order deny,allow
 47   Deny from all
 48   #Allow from all
 49   Allow from 1.1.1.1
 50   #Allow from 2.2.2.2
 51   # allow cron

The idea is that I can quickly limit access to the website by uncommenting just 
a single line in the config. However when I change it to 

 47   #Deny from all
 48   Allow from all

Such files in dirs are not protecting files any more

[@]# cat /aaa/////.htaccess
Order deny,allow
Deny from all

Anyone know what I need to add to the location /  section?






RE: [users@httpd] temporary enable/disable access

2024-08-02 Thread Marc
> 
> 
>   I have currently such virtual host config:
> 
> 
> 1 
> 2   AllowOverride All
> 3   Require all granted
> 4 
> 
>45 
>46   Order deny,allow
>47   Deny from all
>48   #Allow from all
>49   Allow from 1.1.1.1
>50   #Allow from 2.2.2.2
>51   # allow cron
> 
>   The idea is that I can quickly limit access to the website by
> uncommenting just a single line in the config. However when I change it
> to
> 
>47   #Deny from all
>48   Allow from all
> 
>   Such files in dirs are not protecting files any more
> 
>   [@]# cat /aaa/////.htaccess
>   Order deny,allow
>   Deny from all
> 
>   Anyone know what I need to add to the location /  section?
> 
> 
> 
> 
> 
> 
> 
> Why are you still using 2.2 authz directives here, out of curiosity?

Maybe users more experienced with this can comment.
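
For the question in this thread, an added example (not taken from any poster's configuration) of the same toggle written with 2.4 authorization directives. It assumes the site is served from /var/www/example and uses a hypothetical `LOCKDOWN` define; the rule sits in `<Directory>` because httpd merges `<Location>` sections after `<Directory>` and .htaccess, which is how an `Allow from all` in `<Location />` ends up overriding a `Deny from all` in a subdirectory.

```apache
# Added example. /var/www/example and the LOCKDOWN name are assumptions;
# 1.1.1.1 is the address from the original config.
#
# Normal operation:  start httpd as usual.
# Restricted:        start httpd with -D LOCKDOWN (or add "Define LOCKDOWN").

<Directory "/var/www/example">
    # "All" includes AuthConfig, which is what allows Require in .htaccess.
    AllowOverride All

    <IfDefine LOCKDOWN>
        # 2.4 form of: Order deny,allow / Deny from all / Allow from 1.1.1.1
        Require ip 1.1.1.1
    </IfDefine>
    <IfDefine !LOCKDOWN>
        # 2.4 form of: Allow from all
        Require all granted
    </IfDefine>
</Directory>

# No access rule in <Location "/">: it would be merged last and replace
# whatever a subdirectory .htaccess decided.

# Protected subdirectory, e.g. /var/www/example/private/.htaccess
# (2.4 form of: Order deny,allow / Deny from all):
#
#     Require all denied
#
# Caveat: AuthMerging defaults to Off, so a .htaccess with its own Require
# replaces the rule above. A subdirectory that grants access itself stays
# reachable during a lockdown unless it also sets "AuthMerging And".
```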




RE: [users@httpd] Location of Web Site Pages

2024-08-20 Thread Marc
> I have been trying to find the location of the actual html pages that you
> see on my website so I can edit them. But in my document root I only have
> 
> 400.shtml  229  28-Oct-2021 07:25:02  root(0)/root(0)  644
> 401.shtml  207  28-Oct-2021 07:25:02  root(0)/root(0)  644
> 403.shtml  203  28-Oct-2021 07:25:02  root(0)/root(0)  644

what about doing a 

find / -iname '*cse.cgi*' -ls

ps everything you see there could be redirected and does not have to be local 
at all.
 
> 
> 
> The information contained in this email and/or the file (s) attached,
> is/are strictly confidential and may contain legal privileges. This email

this is not going to work, you just published to the public internet




RE: [users@httpd] How do I add the "samesite" attribute to JSESSION cookie

2024-10-18 Thread Marc
> 
> 
> It sounds like you might be running Tomcat behind Apache HTTP. If so, add
> (or edit) the  element in
> $CATALINA_BASE/conf/context.xml to read
> 

This is also an issue when you are using JkMount?



[users@httpd] how to redirect ip ranges to warning page

2024-10-29 Thread Marc

I am blocking most of amazon,google,azure clouds with ipsets. I also seem to 
have added (automatically) ranges that were abusive from apple safe browsing 
(or so?)

I would like to remove these ip addresses of apple safe browsing from the tcp 
filter, but I want httpd to redirect all these ip clients to a single page. 
Telling users to disable safe browsing. 

How can I best do this?




[users@httpd] RE: how to redirect ip ranges to warning page

2024-10-29 Thread Marc
> 
> 
> I am blocking most of amazon,google,azure clouds with ipsets. I also seem
> to have added (automatically) ranges that were abusive from apple safe
> browsing (or so?)
> 
> I would like to remove these ip addresses of apple safe browsing from the
> tcp filter, but I want httpd to redirect all these ip clients to a single
> page. Telling users to disable safe browsing.
> 
> How can I best do this?
> 

I have currently these ranges on my abuse list that match ranges apple is 
communicating as being used by them. I was also thinking about this marking 
that you can do with ip tables and then based on the mark, maybe redirect to 
some page?



RE: [users@httpd] RE: how to redirect ip ranges to warning page

2024-10-31 Thread Marc
> 
> > I prefer to return there everything with 4xx return code, but can't get
> this for /
> 
> Use an empty directory as the documentroot, disable mod_autoindex. Use
> a highish debug level to check

I am for now sticking to virtualhost only configs as I don't want to change 
global settings.
So I disabled the mod_autoindex with this "Options -Indexes"

So I have my custom error docs in the catch all for blocked ips like this

ErrorDocument 4xx
ErrorDocument 5xx

When I then access a random site www.example.net/doesnotexist
I get correct 404 and the correct error doc

When I then access random site www.example.net/
I get correct 404, not the ErrorDocument I configured, but a Forbidden 
(default?) message.

When I add to the virtualhost config
DirectoryIndex /myerrordoc.html
I get (not) correct 200, but the correct errordocument 


> what your rewriteRules are actually doing. Also, if you had written
> what you're actually getting for /,
> what you've tried so far to get the desired result, and what exactly
> your current httpd configuration

Current catch all for blocked ips is almost empty. I like to 'drop' these 
requests as quickly as possible. Just this DirectoryIndex, ErrorDocument and 
DirectoryIndex
I am not sure how these redirects work client side or server side. But since I 
am messing with the tcp traffic, I have the impression that the redirect is ending 
up at a different virtualhost. 



RE: [users@httpd] RE: how to redirect ip ranges to warning page

2024-10-31 Thread Marc
>   >
>   > >
>   > >
>   > > I am blocking most of amazon,google,azure clouds with ipsets. I
> also seem
>   > > to have added (automatically) ranges that were abusive from
> apple safe
>   > > browsing (or so?)
>   > >
>   > > I would like to remove these ip addresses of apple safe
> browsing from the
>   > > tcp filter, but I want httpd to redirect all these ip clients
> to a single
>   > > page. Telling users to disable safe browsing.
>   > >
>   > > How can I best do this?
>   > >
>   >
>   > I have currently these ranges on my abuse list that match ranges
> apple is communicating as being used by them. I was also thinking about
> this marking that you can do with ip tables and then based on the mark,
> maybe redirect to some page?
>   >
>   >
>   > 104.28.30.0/25 
>   > 104.28.30.128/27 
> 
>   My first suggestion would have been a set of RewriteRule /
> rewriteCond
>   to serve a static html page for all clients that match. Since
>   mod_rewrite doesn't support IP subnet matching, but only regexes on
>   e.g. "%{REMOTE_ADDR}", that's not really going to be a nice
> solution
>   for such a long list of networks.
> 
>   As an alternative, you can use Require ip
>   (https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html#require)
>   and define a suitable ErrorDocument.
> 
>   If you're using ip tables, you can re-route the request to a
> different
>   TCP port and configure a vhost that serves the chosen document for
> any
>   request to any path.
> 
>   Rainer
> 

Yes this is probably the most efficient. I am surprised this seems to work for 
http and https traffic. I am testing with this now. Only thing I probably am 
stuck with is having this in GlobalLog.
I prefer to return there everything with 4xx return code, but can't get this 
for /





RE: [users@httpd] RE: how to redirect ip ranges to warning page

2024-10-31 Thread Marc
> [...]
> > >   If you're using ip tables, you can re-route the request to a
> different
> > >   TCP port and configure a vhost that serves the chosen document
> for any
> > >   request to any path.
> [...]
> > Yes this is probably the most efficient. I am surprised this seems to
> work for http and https traffic.
> 
> Do you mean to the same port for http and https? Or are you surprised
> that it works for https at all?

yes I am doing in prerouting a destination to 81, having there a virtualhost 
without ssl and both 80 and 443 seem to go ok. Not tested this thoroughly 
though.

> The latter shouldn't be a surprise - the clients will not be able to
> know about the port remapping, and
> as long as you supply a valid certificate, they will be happy.

Yes, that is what is strange a tls site is intercepted ok and directed to this 
block catch all without ssl. I even tested this with other browsers.





RE: [users@httpd] RE: how to redirect ip ranges to warning page

2024-10-31 Thread Marc
> 
> > I am testing with this now. Only thing I probably am stuck with is
> having this in GlobalLog.
> 
> you can turn off your GlobalLog if you add an
> [env=[!]environment-variable] statement and
> setenv that environment-variable in your new vhost.
> https://httpd.apache.org/docs/2.4/mod/mod_log_config.html#globallog
> 

Thanks! :)


RE: [users@httpd] SSL setup assistance

2024-09-18 Thread Marc
> 
> I am running Apache on a Windows server with at least close to latest
> release.  It host my personal website and a website for my home Christmas
> light show.  Just simple static web pages - nothing fancy at all.  There
> is absolutely nothing that needs any degree of security.  As such I have
> never made any attempt to set up SSL on the server.
> 
> This is becoming an issue because more and more browsers are getting
> picky about http only traffic - in particular imbedding an image from a
> http website into an otherwise https website (lighting forums running
> https with images imbedded from my website is the specific issue).
> 
> I tried to set up SSL on my server a couple years ago and after whatever
> changes were made, Apache would not even start (and I don't remember what
> error messages were logged).  So I reverted the Apache config back to what
> it had been and ignored the issue for a few more years.
> 
> So can someone either point me to a good step by step or walk me through
> what I need to do to get this working.  I had gotten the cert back then
> via Let's Encrypt, and that was the easy part.

just add this and change your port

SSLEngine on
SSLCertificateFile "/home/acme/www.x.cer"
SSLCertificateChainFile "/home/acme/www.xx.cer"
SSLCertificateKeyFile "/home/acme/www.x.key"



RE: [users@httpd] LDAP connection failure: what does "not authoritative" mean?

2024-11-26 Thread Marc
Is ldapsearch working from the same server? There can be lots of issues with 
ssl and auth stuff. 

> I'm trying to do basic authentication via LDAP to Active Directory.
> HTTPD logs this:
> 
> [Mon Nov 25 16:02:47.362939 2024] [authnz_ldap:debug] [pid 6205:tid
> 6205] mod_authnz_ldap.c(548): [client
> 2600:381:cb60:bf0:c6bb:b64d:24e:24da:46526] AH01691: auth_ldap
> authenticate: using URL
> ldap://ads.iu.edu/ou=Accounts,DC=ads,DC=iu,DC=edu?CN?one
> [Mon Nov 25 16:02:47.381431 2024] [authnz_ldap:debug] [pid 6205:tid
> 6205] mod_authnz_ldap.c(569): [client
> 2600:381:cb60:bf0:c6bb:b64d:24e:24da:46526] AH01694: auth_ldap
> authenticate: user mwood authentication failed; URI /nagios/ [LDAP:
> ldap_start_tls_s() failed][Connect error] (not authoritative)
> [Mon Nov 25 16:02:47.381449 2024] [auth_basic:error] [pid 6205:tid 6205]
> [client 2600:381:cb60:bf0:c6bb:b64d:24e:24da:46526] AH01618: user mwood
> not found: /nagios/
> 
> I don't know what it doesn't like about the connection.  The server's
> certificate checks out.  I've got LDAPTrustedGlobalCert set:
> 
> More configuration:
> 
>   LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/ca-certificates.crt
> 
>   AuthType basic
>   AuthBasicProvider ldap
>   AuthName "ADS"
> 
>   AuthLDAPURL "ldap://ads.iu.edu/ou=Accounts,DC=ads,DC=iu,DC=edu?CN?one" STARTTLS
>   AuthLDAPBindDN "CN={omitted},OU=Accounts,DC=ads,DC=iu,DC=edu"
>   AuthLDAPBindPassword "{omitted}"
>   AuthLDAPBindAuthoritative Off
>   AuthLDAPGroupAttribute  member
>   AuthLDAPRemoteUserAttribute CN
> 
>   
> Require ldap-group CN=IN-ULib-Admins,OU=IN-ADMINS,OU=IN,DC=ads,DC=iu,DC=edu
> 
>   {a list of "Require ip"s}
> 
>   
> 
> What have I missed?
> 



[users@httpd] off topic - how to secure httpd

2024-12-04 Thread Marc
I hope nobody minds me addressing this off topic question.

I was thinking about adding ipv6, and when I got a range to try with, I was 
actually surprised how many I got. This made me wonder how many ipv6 are being 
used and how many ipv4. 

Having these ipv6 so abundantly available made me also think about how I have 
currently arranged my abuse mitigation. Currently I am having ipsets for 
different subnets and use a sort of honeypot approach, anything automated that 
scans for vulnerabilities in wordpress or weird files and ignores the 
robots.txt is getting blocked.

Such an approach will lead over years that you block most of azure, google, 
amazon, digital ocean, .cn etc. 

I don't think this will go well for ipv6 to be honest. If there are so many out 
there, my ipsets will grow even bigger. 

I was wondering how others are solving this?








[users@httpd] proxy for www and without

2025-02-01 Thread Marc
How should I change this config so it works with www.a.com and a.com?  I tried 
with trying to assign %{HTTP_HOST} to defaulthost


Define defaulthost "a.com"
Define proxyhost "b.com"

ProxyPreserveHost Off
ProxyAddHeaders On
SetOutputFilter proxy-html
ProxyHTMLEnable On
ProxyHTMLExtended On

ProxyPass "https://${proxyhost}/xxx"
ProxyPassReverse "https://${proxyhost}/xxx"

ProxyPassReverseCookieDomain "${proxyhost}" "${defaulthost}"

ProxyHTMLURLMap https://${proxyhost}/xxx https://${defaulthost}/en/



[users@httpd] proxy urlmapping outside of the path

2025-01-31 Thread Marc
I have a config and actually only want to allow access to a specific path xxx 
of the proxied host nothing else. However that path on the proxied host is 
referring to files eg in the root

ProxyPreserveHost Off
ProxyAddHeaders On
SetOutputFilter  proxy-html
ProxyHTMLEnable On
ProxyHTMLExtended On

ProxyPass "https://${proxyhost}/xxx"
ProxyPassReverse "https://${proxyhost}/xxx"


ProxyHTMLURLMap https://${proxyhost}/xxx https://${defaulthost}/aaa

I have such references to the proxied host in the website pages, links such as 
these:

https://proxyhost/js/";>https://proxyhost/js/s";>https://proxyhost/js/.js";>https://proxyhost/js/..js";>https://proxyhost/js/ljs";>https://proxyhost/js/";>

Any ideas what what would be a good method to handle these exceptions outside 
of the xxx path?


[users@httpd] RE: proxy urlmapping outside of the path

2025-01-31 Thread Marc

> 
> I have a config and actually only want to allow access to a specific
> path xxx of the proxied host nothing else. However that path on the
> proxied host is referring to files eg in the root
> 
> ProxyPreserveHost Off
> ProxyAddHeaders On
> SetOutputFilter  proxy-html
> ProxyHTMLEnable On
> ProxyHTMLExtended On
> 
> ProxyPass "https://${proxyhost}/xxx"
> ProxyPassReverse "https://${proxyhost}/xxx"
> 
> 
> ProxyHTMLURLMap https://${proxyhost}/xxx https://${defaulthost}/aaa
> 
> I have such references to the proxied host in the website pages, links
> such as these:
> 
> https://proxyhost/js/";> src="https://proxyhost/js/s";> src="https://proxyhost/js/.js";> src="https://proxyhost/js/..js";> src="https://proxyhost/js/ljs";> src="https://proxyhost/js/";>
> 
> Any ideas what what would be a good method to handle these exceptions
> outside of the xxx path?

Is it correct that this does not work?



ProxyPass "https://"
ProxyPassReverse "https://"




RE: [users@httpd]

2024-12-14 Thread Marc
You should have a service provider for such stuff. This starts to look like 
when your kid is ill and then asking in the local pet shop for advice.

> 
> I had two working websites until I realized over the weekend that my
> server was running Ubuntu 23.04 which had no apparent easy upgrade to
> 24.04. So I backed up my web files and site config files and did a clean
> install of Ubuntu. I have been trying to get my sites back up since
> (Sunday 8th of December). I am currently working on getting one of them
> up, once it is up I’ll work on the other one.
> 
> 
> 
> I am able to load my site locally via local IP address or remotely via
> public IP. However, I am unable to load the site via URL, locally or
> remotely
> 
> 


[users@httpd] efficient abuse page

2025-01-16 Thread Marc
I have currently some abuse page that notifies the ip is blocked. I am 
generating this page with php because I want to display the ip address on this 
page. Is there a more efficient way to generate a page with one line of text 
and the blocked ip address?
Maybe directly in apache without using php-fpm?
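
A catch-all virtual host of the kind discussed in the "how to redirect ip ranges to warning page" thread, answering every path (including /) with 403 and a one-line message that contains the client address, without PHP. This is an added example, not a poster's configuration: port 81 is the port mentioned in that thread, while the ServerName, DocumentRoot, log path and the `blocked_vhost` variable are assumptions, and expression syntax in ErrorDocument needs httpd 2.4.13 or later.

```apache
# Added example; names and paths are assumptions.
# Plain-HTTP listener that blocked clients are re-routed to.
Listen 81

<VirtualHost *:81>
    ServerName blocked.example.net
    # Empty directory: nothing here is ever served.
    DocumentRoot "/var/www/empty"

    # Authorization runs before mod_dir and mod_autoindex, so "/" is refused
    # like any other path and no DirectoryIndex is needed.
    <Location "/">
        Require all denied
    </Location>

    # Inline message, generated by httpd itself (expression syntax, 2.4.13+).
    # Only REMOTE_ADDR is echoed: it is the peer address of the connection,
    # not text taken from the request (Host header, URI), which would need
    # escaping before being written into a page.
    ErrorDocument 403 "Requests from %{REMOTE_ADDR} are blocked on this server."

    # Tag requests early. SetEnvIf runs before the access check; SetEnv
    # runs in the fixup phase, which a denied request never reaches.
    SetEnvIf Remote_Addr "." blocked_vhost=1
</VirtualHost>

# Server-wide log that skips the catch-all host (GlobalLog: 2.4.19+).
# Assumes the "combined" LogFormat nickname is defined, as in the stock config.
GlobalLog "logs/all_access.log" combined env=!blocked_vhost
```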



[users@httpd] http/3 quic support

2025-01-17 Thread Marc

Anyone have some manual for enabling http/3 quic on el9? Is this by default now 
supported in kernels?







[us...@httpd] mod_auth_pgsql and mod_auth_mysql on the same server

2009-06-15 Thread Marc Feist

Hi!

I'm trying to get both authentication methods running on a server.
One virtual server uses the pgsql and other virtual servers use mysql  
for authentication.


It all works fine except the servers using mysql have got an error_log  
full of lines like:
[...] [mod_auth_pgsql.c] - missing configuration parameters, referer:  
[...]


Is there any way to get rid of this? Maybe disabling mod_auth_pgsql  
for certain virtual servers? I didn't find any option anywhere.


Best,
Marc 





Re: [us...@httpd] mod_auth_pgsql and mod_auth_mysql on the same server

2009-06-15 Thread Marc Feist

Hi!


> In other words, if there exists some configuration directive inside the
> main configuration, then every VirtualHost generally inherits it from
> there, unless it specifically overrides it inside of its own VirtualHost
> section.



That's the problem. There are no options for mod_auth_pgsql in the  
main configuration.
mod_auth_pgsql is only loaded from the mods-enabled directory as the  
first module (000_mod_auth_pgsql)


There is no global configuration. It seems to be enabled by default  
for all virtual hosts with no "switch" to disable/enable it anywhere  
except completely disabling it for the whole server.


Best,
Marc




Re: [us...@httpd] mod_auth_pgsql and mod_auth_mysql on the same server

2009-06-15 Thread Marc Feist

Hi!


> Use mod_authn_dbd, which works obsoletes the modules mentioned
> in your subject line for authentication.


Thanks a lot for the hint! I'll have a deep look at this.

Best,
Marc




RE: [us...@httpd] mod_auth_pgsql and mod_auth_mysql on the same server

2009-06-18 Thread Marc Feist
Hi!
 
> Use mod_authn_dbd, which works obsoletes the modules mentioned
> in your subject line for authentication.

Thanks to Nick for pointing me to DBD. I googled 2 days for
mod_auth_mysql/mod_auth_pgsql with no clues at all.

Everything is working now!

Best,
Marc




[us...@httpd] SSI - file not included

2009-07-08 Thread Marc Patermann

Hi,

I tried a simple "include" with SSI.

In the root directory I added a .htaccess file with
AddType text/html .shtml
AddOutputFilter INCLUDES .html

In index-test.html i added


This works fine.

Now I moved the footer.html to another directory.


This works fine, too.

Now I moved the file again and it stops working.


foo/ and bar/ are both "DAV on".
foo/ is accessible without authentication.
bar/ is "basic auth" protected (file and ldap).

Can the included file not be placed in an authentication protected 
directory or is there something else?



Marc




Re: [us...@httpd] SSI - file not included

2009-07-08 Thread Marc Patermann

Boyle Owen wrote:

>> Can the included file not be placed in an authentication protected 
>> directory ?
>
> Apparently not... Otherwise, it would be a way to circumvent
> authentication.
>
> Check what it says in the error_log; that should tell you more than
> "..stops working.."
> If there is a 401 Unauthorized then that's the problem.

I can't see any 401 errors in access or error log.
There are only "unable to include "./bar/footer.html" in parsed file 
/opt/www/index-test.html" messages.



Marc




Re: [us...@httpd] group authorization via LDAP

2009-10-02 Thread Marc Patermann

Hi,

Tom Evans wrote:

On Thu, 2009-10-01 at 17:18 -0400, Tony Rice (trice) wrote:



This is how we do it:
[...]
AuthzLDAPAuthoritative "On"
Require valid-user
Require ldap-group cn=Department,ou=Groups,o=Company

Does this work?
When I read the docs:
"Require valid-user
If this directive exists, mod_authnz_ldap grants access to any user that 
has successfully authenticated during the search/bind phase."

and:
"Other Require values may also be used which may require loading 
additional authorization modules. Note that if you use a Require value 
from another authorization module, you will need to ensure that 
AuthzLDAPAuthoritative is set to off to allow the authorization phase 
to fall back to the module providing the alternate Require value."

-> http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html

This seems to me like either "Require valid-user" is not working at all 
- because AuthzLDAPAuthoritative is "On" - or it overrules any 
ldap-group setting. Hm!?



Marc




Re: [us...@httpd] Filter by group attribute using mod authnz_ldap

2009-10-02 Thread Marc Patermann

Hi,

Mxrgus Pxrt wrote:

> Would it be possible to filter users not only by user attributes or 
> groups but also by attributes of group using authnz_ldap?
>
> Example:
>
> Users:
> cn: First Last, ou: people, dc: lol
> cn: Second Last, ou: pople, dc: lol
>
> Groups:
> cn: lord, ou: group, dc: lol
>  member: First Last
>  attribute111: yes
>
> Now, if attribute111 is yes, auth succeeds.
>
> If not, what would be your recommendation, how to solve this task?

Hm, if there was any group-filter setting ...
But you have to _name_ the ldap-group anyway, don't you? So just name 
LDAP groups here which have the attribute. :)


If you use AuthLDAPBindDN for searching ldap by apache, you could "hide" 
other groups than these with the attribute by ACL on the ldap server.




Marc




Re: [us...@httpd] .htaccess files not working from internet? intranetaccessfine

2009-10-13 Thread Marc Patermann

Kaya Saman wrote:

> Using host: hostname from telnet I get this:

You have to simulate what the browser would do.
So "URL" or "hostname" must be http://the.url.you.never/told/us.here, OK? :)

You could try Firefox and LiveHTTPHeaders add-on.
http://www.mozilla-europe.org/de/firefox/
https://addons.mozilla.org/de/firefox/addon/3829

Then you may see, what's going on.


Marc




[us...@httpd] httaccess stopped working

2009-10-25 Thread Marc Fromm
I have used this htaccess file for quite some time now and it worked, only 
allowing access to specific IP addresses.
For some reason the htaccess is not blocking IP addresses outside the ones 
specified.
I have 'x'ed out the IP addresses and changed the user name for this email.

AuthType Basic
AuthName "Outside Access."
AuthUserfile /etc/htpasswd
require user user_name
#require valid-user
Satisfy All

order deny,allow
deny from all
allow from xxx.xxx.216
allow from xxx.xxx.42
allow from xxx.xxx.43
allow from xxx.xxx.188
allow from xxx.xxx.189


Any ideas on what could have changed so that the deny from all is no longer 
working? Users are still asked for a username and password. Some posts state to 
avoid using LIMIT. If that is correct then what is the better method?

Thanks




[us...@httpd] RE: httaccess stopped working update

2009-10-25 Thread Marc Fromm
Update on my htaccess problem.
Recently I set up a spider trap which required placing an htaccess file on the 
www/html directory. The htaccess file listed in my first email is in a sub 
directory of html/.

The tutorial had me create this htaccess file. Is the  . . .  
section overruling the htaccess file in the sub directory?

# Block bad-bots using lines written by bad_bot.pl script above
SetEnvIf Request_URI "^(/403.*\.htm|/robots\.txt|/file_instead_of_what_they_want\.htm)$" allowsome


order allow,deny
allow from all
deny from env=getout


-----Original Message-----
From: Marc Fromm 
Sent: Sunday, October 25, 2009 7:48 PM
To: users@httpd.apache.org
Subject: [us...@httpd] httaccess stopped working

I have used this htaccess file for quite some time now and it worked, only 
allowing access to specific IP addresses.
For some reason the htaccess is not blocking IP addresses outside the ones 
specified.
I have 'x'ed out the IP addresses and changed the user name for this email.

AuthType Basic
AuthName "Outside Access."
AuthUserfile /etc/htpasswd
require user user_name
#require valid-user
Satisfy All

order deny,allow
deny from all
allow from xxx.xxx.216
allow from xxx.xxx.42
allow from xxx.xxx.43
allow from xxx.xxx.188
allow from xxx.xxx.189


Any ideas on what could have changed so that the deny from all is no longer 
working? Users are still asked for a username and password. Some posts state to 
avoid using LIMIT. If that is correct then what is the better method?

Thanks




[us...@httpd] output buffer

2009-12-29 Thread Marc Fromm
I am receiving the "Cannot send session cookie - headers already sent" message 
even though I am using ob_start() at the top of my php script.

The php.ini file has output_buffering set to 4096 4096.
My server is running Red Hat Enterprise Linux 5.2. I am using PHP 5.1.6.

Is there some other setting in httpd that I need to adjust to be able to start 
a session within the php script?

Thanks

Marc



[us...@httpd] Locked Apache configuration file

2010-03-20 Thread Marc Buyens
I am migrating to a new PC that runs Windows 7 and try reinstalling the 
Apache/PHP environment that I use to develop and test my website. Apache 
2.2.15 no SSL. PHP 5.2.12. This same combination was used on my old XP 
machine. Installation did not give any special problems. Apache has not 
been configured as a service, but to start as a task when I ask. 
However, when I now want to edit the configuration file, the file is 
locked. It is not read protected as such, but some process seems to use 
it. I stopped more or less everything on the machine, checked all 
processes that are still running, but did not find any potential 
culprit. Apart from the OS, all other installed stuff is pretty much the 
same. Any suggestion?


MarcB




Re: [us...@httpd] Locked Apache configuration file

2010-03-20 Thread Marc Buyens
Thanks for the suggestion. Unfortunately, it does not solve the mystery. 
I installed the tool and used the search option to find references to 
the file, but without result. I am not an expert in these things, but I 
tried finding references to the file or its folder, etc. in various 
ways, but it does not return any results.
Another thing that I observed is that I can rename the file, but if I do 
so, the file is immediately recreated.


On 20/03/2010 13:26, Eric Covener wrote:
> On Sat, Mar 20, 2010 at 8:16 AM, Marc Buyens wrote:
>> I am migrating to a new PC that runs Windows 7 and try reinstalling the
>> Apache/PHP environment that I use to develop and test my website. Apache
>> 2.2.15 no SSL. PHP 5.2.12. This same combination was used on my old XP
>> machine. Installation did not give any special problems. Apache has not been
>> configured as a service, but to start as a task when I ask. However, when I
>> now want to edit the configuration file, the file is locked. It is not
>> read protected as such, but some process seems to use it. I stopped more or
>> less everything on the machine, checked all processes that are still running,
>> but did not find any potential culprit. Apart from the OS, all other
>> installed stuff is pretty much the same. Any suggestion?
>
> http://technet.microsoft.com/en-us/sysinternals/bb896655.aspx


   


--
Marc Buyens
Analyst, Management Consultant & Managing Director

Xpragma bvba
Mechelsesteenweg 254
B-2820 Bonheiden
Belgium

tel.+32-(0)15-340 845
marc.buy...@xpragma.com
http://www.xpragma.com/





Re: [us...@httpd] Locked Apache configuration file

2010-03-20 Thread Marc Buyens
Well, first of all, you can see it. I use EditPad to edit text files 
etc. and the icon shows a little lock bottom left. When I open the file 
in the editor, it warns me about the file being read-only or in use. Of 
course, it might be a problem of the editor, so I opened the file in 
Notepad. This works, does not give a warning, but when I ask to save the 
file, it sends me in a save as dialogue. When I specify the same 
filename and after confirming that I want to replace the file, the save 
fails.


On 20/03/2010 15:48, Eric Covener wrote:
> On Sat, Mar 20, 2010 at 9:23 AM, Marc Buyens wrote:
>> Thanks for the suggestion. Unfortunately, it does not solve the mystery. I
>> installed the tool and used the search option to find references to the
>> file, but without result. I am not an expert in these things, but I tried
>> finding references to the file or its folder, etc. in various ways, but it
>> does not return any results.
>> Another thing that I observed is that I can rename the file, but if I do so,
>> the file is immediately recreated.
>
> What made you think it was "locked" in the first place?  There's a
> Vista/Win7 FAQ that lets users edit administrator-owned files by
> silently redirecting them as soon as you make changes, but Apache sees
> the original.

   


--
Marc Buyens
Analyst, Management Consultant & Managing Director

Xpragma bvba
Mechelsesteenweg 254
B-2820 Bonheiden
Belgium

tel.+32-(0)15-340 845
marc.buy...@xpragma.com
http://www.xpragma.com/





Re: [us...@httpd] Locked Apache configuration file

2010-03-20 Thread Marc Buyens
Hello. Many thanks for this. I am new to W7 and wasn't aware of this. 
This is clearly one more Bill Gates quirk. What's the use of assigning 
administrator rights to users if they are not used? Anyway, you solved 
my problem. Explicitly asking to run as administrator allows me to 
change the file. It is a bit like confirming that I am still alive 
before editing the file. Some form of technology progress, I assume, but 
not a progress of human logic...


On 20/03/2010 17:22, William A. Rowe Jr. wrote:
> On 3/20/2010 9:48 AM, Eric Covener wrote:
>> On Sat, Mar 20, 2010 at 9:23 AM, Marc Buyens wrote:
>>> Thanks for the suggestion. Unfortunately, it does not solve the mystery. I
>>> installed the tool and used the search option to find references to the
>>> file, but without result. I am not an expert in these things, but I tried
>>> finding references to the file or its folder, etc. in various ways, but it
>>> does not return any results.
>>> Another thing that I observed is that I can rename the file, but if I do so,
>>> the file is immediately recreated.
>>
>> What made you think it was "locked" in the first place?  There's a
>> Vista/Win7 FAQ that lets users edit administrator-owned files by
>> silently redirecting them as soon as you make changes, but Apache sees
>> the original.
>
> Note it is more insidious than that.
>
> Even the administrator is editing files as 'just a user' in the normal Windows 7
> or Vista UAC environment.  You actually have to create yourself a real admin
> session to bring up these files in notepad or what have you.
>
> Either set your notepad shortcut to 'run as user administrator' or you can just
> launch an admin cmd.exe prompt (which isn't what happens when you run cmd.exe)
> by either tagging the shortcut to run-as-user, or by invoking
>
> runas /user:administrator "cmd.exe /k"




   


--
Marc Buyens
Analyst, Management Consultant & Managing Director

Xpragma bvba
Mechelsesteenweg 254
B-2820 Bonheiden
Belgium

tel.+32-(0)15-340 845
marc.buy...@xpragma.com
http://www.xpragma.com/





[us...@httpd] [Tips] How to Dynamically Limit Access to a folder based on its name and Apache SSL Session Variable

2010-03-23 Thread Marc Leurent
Hello everybody, is it possible to dynamically restrict access to a folder 
based on its name?

For example, all my folders are MAC address names and I would like to 
dynamically restrict each directory access based on %{SSL_CLIENT_S_DN_CN} which 
contains the mac address of the client
Thanks

ex: 
Restrict /home/web/provisioning/000e08133a50  folder to be accessible only by 
host with SSL_CLIENT_S_DN_CN="000e08133a50"
Restrict /home/web/provisioning/000e08133a54  folder to be accessible only by 
host with SSL_CLIENT_S_DN_CN="000e08133a54"
...

But doing it dynamically without changing apache configuration or creating a 
.htpasswd each time I add a new folder

I would like to have something like

SSLVerifyClient require
SSLRequire  %{SSL_CLIENT_S_DN_CN} =~ m/^NAME_OF_THE_WILDCARD_FOLDER_WITCH_IS_ALSO_A_MAC_ADDRESS$/



Thanks for your help!
Best Regards,

-- 
-- --
Marc LEURENT
lf...@leurent.eu
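
One way to get the per-folder check asked for in the message above, as an added example that is not part of the original post or of any reply on the list. It swaps SSLRequire for a mod_rewrite rule, because the rule can capture the requested folder name and compare it with the certificate CN; the server name, certificate paths and the assumption that /home/web is the DocumentRoot (so the folders are served under /provisioning/) are placeholders.

```apache
# Added example. ServerName, file paths and URL layout are assumptions.
<VirtualHost *:443>
    ServerName provisioning.example.org
    DocumentRoot /home/web

    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key
    # CA that issued the device certificates (placeholder path).
    SSLCACertificateFile  /path/to/device-ca.crt

    # Demand the client certificate in the initial handshake, so the CN is
    # already known when the rewrite rules are evaluated.
    SSLVerifyClient require
    SSLVerifyDepth 1

    RewriteEngine On

    # $1 is the first path segment below /provisioning, captured by the
    # RewriteRule that follows. The test string is "<CN>::<folder>".
    # The pattern only matches when the CN is exactly 12 hex digits and the
    # folder name repeats it (\1), so the negated condition is true for
    # every other case: wrong folder, empty CN, or no folder at all.
    RewriteCond %{SSL:SSL_CLIENT_S_DN_CN}::$1 !^([0-9a-f]{12})::\1$ [NC]

    # Applies to /provisioning itself and to everything below it. "/+" also
    # covers requests written with repeated slashes. A request that fails
    # the condition above is answered with 403 Forbidden.
    RewriteRule ^/+provisioning(?:/+([^/]*).*)?$ - [F]
</VirtualHost>
```

New folders need no configuration change, because the rule compares whatever folder name is requested with the CN of the certificate that was presented.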



