> be 27 characters long.
Yes, I noted that one too. Had to redo a couple of aliases to parse the logs.
There is a note about a change to mod_unique_id in the changelog, but
it fails to mention the format change.
Ahoj,
Christian Folini
--
There are two primary choices in life: (1) To accep
Hi there,
My company, netnea.com, is a small consulting / contracting company based in
Berne, the capital of Switzerland. We specialize in network monitoring and
Apache / ModSecurity.
We have an open position for a webserver engineer with a strong interest in
security.
I am the author of the 2nd
r the
other until the site works as expected.
Now as for "might required". That really depends on your
setup. A brief looked good to me.
regs,
Christian
--
Christian Folini, Swiss Post IT, Unix / Apache Engineering
+41 (0)58 338
riteLogLevel 2
RewriteLog "/var/log/apache2/rewrite.log"
RewriteCond %{SERVER_PORT} ^80$
RewriteRule /pagamento/boleto - [last]
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^(.*)$ https://%{SERVER_NAME}$1 [redirect,last]
--
Christian Folini, Swiss Post IT, Unix / Apache Enginee
On Tue, Feb 12, 2008 at 07:43:52PM -0800, Andrew2008 wrote:
>
> I have the following
>
> ProxyPass /foo http://www.abc.com
> ProxyPassReverse /foo http://www.abc.com
>
> I got an error when it tried to ProxyPassReverse back below
>
> "Forbidden. You don't have permission to access /foo/ on th
Hi Lance,
Have you checked the documentation?
http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html#rewritecond
Christian
On Fri, Feb 08, 2008 at 12:47:52AM -0600, Campbell, Lance wrote:
> Apache 2.2
>
>
>
> I know it is possible to chain mod rewrite rules. Is it possible with
> mod rewrite
ng an existing, preopened connection would save the tcp
handshake and optionally the more expensive ssl handshake. That is what
I am after actually. But as mentioned in my previous message: even the
most simple setup fails to work as advertised.
regs,
Christian
--
Christian Folini, Swi
ppreciated.
regards,
Christian
--
Christian Folini, Swiss Post IT, Unix / Apache Engineering
+41 (0)58 338 79 96 [EMAIL PROTECTED]
-
The official User-To-User support forum of the Apache HTTP Server Project.
See htt
parts you really need.
Takes a bit of time, but usually, it works - and teaches you a
lot about apache.
Christian
--
Christian Folini, Swiss Post IT, Unix / Apache Engineering
+41 (0)58 338 79 96 [EMAIL PROTECTED]
---
Hey Alexey,
There is an issue with ProxyTimeout in Apache 2.0, but
Apache 2.2 seemed to work as advertised when I ran
tests a few months back. Your results look strange to me.
My setup was very similar to yours, but I used netcat
as application server.
application server:
netcat -l -p 8
iles, lock-files, mutex-files are not
interfering. Launch a 2nd apache with this 2nd config file. Done.
Regs,
Christian
--
Christian Folini, Swiss Post IT, Unix / Apache Engineering
+41 (0)58 338 79 96 [EMAIL PROTECTED]
-
unds like mod_auth_tkt:
http://www.openfusion.com.au/labs/mod_auth_tkt/
There is some additional info at:
http://pplusdomain.net/cgi-bin/blosxom.cgi
This module is very lightweight and a joy to use.
Regards,
Christian
--
Christian Folini, Swiss Post IT, Unix / Apache Engineering
Hi-ho,
I propose you go with the reverse proxy and install ModSecurity
with the Core Rule set. That should be enough for a general
level of security. However, you should keep an eye on the
audit-logs of ModSecurity, as the core rules let many possible
attacks pass, but say so in the audit log. (T
er they'll work in the domain
> place.
Okay. I saw it leaves some doubt in this regard.
> Guess I'll have to try it and see.
yep. If it works, you might want to give feedback to the
apache documentation project.
regs,
Christian
--
Christian Folini, Swiss Post IT,
regs,
Christian
--
Christian Folini, Swiss Post IT, Unix / Apache Engineering
+41 (0)58 338 79 96 [EMAIL PROTECTED]
Hi there,
http://marc.info/?l=apache-httpd-users works fine with me.
good luck,
Christian
On Wed, Jan 16, 2008 at 05:48:44PM +0530, kernel.2k5 wrote:
> hello All ,
>
> kindly let me know any URL with search facility, so I will first search
> old POSTs for any query and then only will ask here
On Tue, Jan 15, 2008 at 03:44:11PM +0100, Boyle Owen wrote:
> That's a matter of opinion - I guess you are expecting it only to block
> the PHP file if it exists. But that would mean that apache would have to
> stat the file (ie, expensive file operation) even though it knows that
> it is going to
On Tue, Jan 15, 2008 at 04:09:01PM +0530, Mandy Singh wrote:
> Hi,
>
> On my webserver, the serving of images under the img directory is taking a
> lot of time generally.
>
> I have 1000s of images under one /img/ directory.
It depends on the actual numbers. Why don't you give it a
try and redu
On Sun, Jan 13, 2008 at 11:42:03PM -0500, Shaun T. Erickson wrote:
> My site has too much traffic, according to my hosting provider. Is
> there any easy way to block all International (non-USA) IP addresses
> via an .htaccess file?
Use the geoip module. But I doubt it works with only .htaccess.
C
On Mon, Jan 07, 2008 at 09:58:25AM -0600, Campbell, Lance wrote:
> I am looking for a web tutorial for writing apache 2.0.x modules. Does
> anyone have a reference they could give me?
Get the Apache Modules Book by Nick Kew.
regs,
Christian
-
On Thu, Dec 20, 2007 at 11:40:02AM +, Melanie Pfefer wrote:
> the http service is critical and cannot kill sessions.
> Is there a way to reload the configuration without
> restarting apache?
apachectl -h
Usage: /data/custom-apaches/apache-2.0.61/bin/httpd \
[-D name] [-d directory] [-f file
You are stopping them inside apache now. Next obvious step is a
firewall. Either on the server or on a dedicated box in front
of it.
regs,
Christian
On Sat, Dec 15, 2007 at 12:57:17PM -0800, Charles Michener wrote:
> I have a couple of spider bots hitting my server that I do not wish to have
> acc
Hi there,
I'd work with multiple apaches and possibly a proxy setup,
where the code writing one sits behind in the 2nd layer.
regs,
Christian
On Fri, Dec 14, 2007 at 12:22:05PM +0530, Gaurav Pruthi wrote:
> Hi,
>
> I have 2 virtualhosts configured under apache. Apache runs as user apache,
> gr
try mod_qos. It does exactly that.
On Thu, Dec 13, 2007 at 01:31:58PM +0300, Artem Kuchin wrote:
> Here is the situation. Heavy db driven site takes about 1-1.5 second
> to load some pages. While loading such page it takes a lot of memory
> and cpu. It is not a problem it is used normally, but so
On Wed, Dec 12, 2007 at 11:27:19AM +0100, Axel-Stephane SMORGRAV wrote:
> Have a look at mod_log_config, specifically the %D and %T format strings.
ModSecurity has a few additional timers as well. They do not
appear in the documentation, but are covered in Ivan Ristic's
Apache Security Book, p.
On Fri, Dec 07, 2007 at 09:13:40AM -0800, Dragon wrote:
> Put the following terms into Google and you will come up with several
> alternatives at the top of the first page:
>
> "apache httpd log analysis open source free software"
The 2nd page lists
http://en.wikipedia.org/wiki/Web_log_analy
On Sat, Dec 08, 2007 at 10:25:06AM -0800, Charles Michener wrote:
> I have a 'not too bright' router that does not allow me to block naughty IP's
> from my Apache 2.2 server so I am successfully blocking them from Apache
> using the 'Deny from' directive.
>
> What performance load do I get as I
On Mon, Dec 03, 2007 at 09:01:41AM +0100, Boyle Owen wrote:
> > Is it possible to log incoming connections that don't send any data?
>
> Don't think so... HTTP is an application that sits on top of TCP/IP. So
> the session is established at the TCP/IP layer and the server is ready
> to pipe any in
Hi there,
no need to YELL in the subject line. But if you are really
interested to learn something, then RFC 2616 Hypertext Transfer Protocol
HTTP/1.1 is a good read.
It does not answer all (implementation) questions, but goes
to quite a length regarding 304.
regs,
Christian
On Wed, Nov 28, 2
On Tue, Nov 27, 2007 at 07:39:33PM -0800, Al Sparks wrote:
> Running Apache 1.3 with lots of virtual
> names.
>
> ...
>
> Are there some examples out there? I only see non-SSL examples.
There is not much of a change with Apache 1.3. With 2.0/2.2
there is the sslproxyengine that has to be enable
On Mon, Nov 26, 2007 at 08:25:40AM -0500, Grant Peel wrote:
> I have a client for whom I have added about 500 301 redirects in their
> VirtualHost container. The server has about 200 VirtualHosts total.
>
> What kind of performance issues would one think all those redirects have on
> the whole (
On Mon, Nov 26, 2007 at 09:58:22AM +0100, Gottschalch Christian wrote:
> Hi List,
>
> short question, in apache mpm prefork, who is handling the connection ?
> if I understand it right, then the apache root process dispatches a
> connection to a worker process, this process is processing the re
On Wed, Nov 21, 2007 at 04:59:33PM +0100, Boyle Owen wrote:
> It is worth emphasising that this "problem" is nothing specific to do with
> apache; it's a fundamental feature of HTTP/HTTPS.
You might want to read this recent howto:
http://howtoforge.net/enable-multiple-https-sites-on-one-ip-using-
On Mon, Nov 19, 2007 at 09:59:20AM -0500, Greg Boyington wrote:
> to the docroot's .htaccess file. Not as effective as dropping the
> packets at the border, obviously, but in this case the attacker wasn't
> very bright/determined.
I see. Yes, this helps for a non-determined DoS attack.
Thanks. H
On Sun, Nov 18, 2007 at 11:02:21AM -0500, Greg Boyington wrote:
> I like the firewall approach myself, as it seems likely that anyone
> with malicious intent (as distinct from the uninformed download
> accelerator user, etc) should forfeit their rights to your bandwidth
> regardless of protocol.
On Fri, Nov 16, 2007 at 02:18:11PM -0800, dertown wrote:
>
> I used the tools and there is no path or domain in the original cookie that
> I can see.
> I know it is encrypted under MD5 so maybe I can't access the cookie and change
> it.
>
> Is there a way to hold a cookie within the proxy server i
On Fri, Nov 16, 2007 at 10:06:50AM -0500, Greg Boyington wrote:
> > - Play around with MaxRequestsPerChild. A typical value
>
> I will do -- I experimented with low values (100-1000) in addition to
> 0, but nothing seemed to correlate. In my testing, the hangs would
> often occur long before thi
Hey Greg,
On Thu, Nov 15, 2007 at 12:20:44PM -0500, greg boyington wrote:
> Background: The server was recently updated to FreeBSD 5.5 from 5.3,
> which had run for a couple of years without interruption. I'm not
> especially convinced the issue I'm having is related to this upgrade,
> ...
>
>
hi there,
Have you tried
RewriteRule /meat(.*).html /handbook.html [last]
without any proxying and stuff?
302 is not an error btw. It's a standard http status code.
regs,
Christian
On Tue, Nov 13, 2007 at 05:37:17PM +0300, Arifolth wrote:
> Hi All!
>
> I need to substitute requested page
On Tue, Nov 13, 2007 at 09:55:31AM +0100, PENIN Guillaume (VFE) wrote:
> I receive at least one error per second from mod-proxy : "proxy recv
> body from upstream server timed out".
>
> Can you explain me what does this error mean ?
>
> Configuration : Apache 1.3.27
>
I am not sure about the d
On Tue, Nov 06, 2007 at 10:41:57PM +0100, Fabrizio Reale wrote:
> I have a web application (Plone) which has its own authentication, but in an
> intranet I set up the NTLM authentication using the mod_ntlm module.
> It works very well when I am using a windows PC, but when I use my Linux
> desktop
On Thu, Nov 08, 2007 at 10:27:59AM -0800, Andrew Rosolino wrote:
>
> Ok I did it but how am I supposed to read this?
That's not the interesting part. There should be more data.
Below is an example of a simple GET request
in a local setup. You can clearly see the request.
You can also take this in
On Thu, Nov 08, 2007 at 11:36:51AM +0100, Bj wrote:
> httperf (from HP) is also basic but a bit more evolued.
>
> You can use Jmeter to test your Webservice. If you want to obtain 1
> req/s with Jmeter you will have to use several Jmeter instances on several
> servers.
siege and proxysniffer
On Thu, Nov 08, 2007 at 11:00:10AM +0100, Krist van Besien wrote:
> > Sounds like a task for "sudo".
>
> Another option is making the httpd executable suid root.
Ouch.
Starting a webserver on port 80 as a normal user is not
a good thing. Sudo helps to limit the security breach somewhat
if you re
Hey Andrew,
You have to try and isolate the problem.
It's a start to remove modules and make the issue
go away in a lab setup and thus identify the component
that is causing the problem. Try to nail down the
individual requests that cause a server process/thread
to hang.
Ideally mod_forensic shou
On Tue, Nov 06, 2007 at 02:29:03PM +, Melanie Pfefer wrote:
> hi
>
> I modified user in httpd.conf but as long as the port
> number is 80, only root can start apache. subsequent
> process will be run as non-root.
>
> any idea how to allow this user to start apache?
Sounds like a task for "su
On Mon, Nov 05, 2007 at 02:30:02AM -0500, Nilesh Bansal wrote:
> Hi,
>
> Thanks Nick. mod_loadavg is not very useful since we have a tomcat
> behind the apache proxy doing real heavyweight work. Also mod_evasive
> is a bit restrictive since it wants multiple requests to the exact
> same URI or exa
Hey Ursula,
On Wed, Oct 31, 2007 at 01:57:07PM -0700, [EMAIL PROTECTED] wrote:
> In the webserver configuration, I need to compare the value of a cookie
> against the request URL.
>
> E.g. on a request for /path/to/files/abc.zip, return the file if the
> cookie contains the file name: MYCOOKIE=a
On Wed, Oct 31, 2007 at 12:39:40PM +, Nick Kew wrote:
> > I think it is worth posting it here, as it is a good example for
> > mod_rewrite use.
>
> It's a very BAD example of mod_rewrite use, because you're reinventing
> a wheel that's been implemented for over 10 years in Apache.
> See mod_ne
On Wed, Oct 31, 2007 at 11:09:02AM +0100, Jack Tuckson wrote:
> Apache 2.2.6.
okay. thanks.
> I can't provide configs, but the Listen directives are correct.
you choose.
> My question is whether Apache uses tcp connections for mod_cache to
> communicate with Apache.
Your Apache front instance
Hi there,
I do not really understand your setup. Are you intending to say,
that you have two separate apache instances, one serving via
mod_cache and the other one (in front) proxying requests
via mod_proxy_balancer?
Please be very clear with your setup. Then please provide
your apache versions a
Hi there,
We have been playing around with mod_deflate and caching
the other day to solve an urgent performance problem, where
mod_deflate was not an option.
We got some sort of poor man's mod_deflate out of it.
It works on static files only and it means you have to
gzip the static files in the
Hey Harold,
On Tue, Oct 30, 2007 at 02:29:18PM +0100, Harald Heggelund wrote:
> Since installing a new slackware server with apache and sendmail
> out-of-the-box, I have noticed my server is sending (moderate amounts of)
> spam worldwide.
> I suspect some webform or cgi-script. In the apache log,
On Mon, Oct 22, 2007 at 11:06:29PM +0200, Alan AZZERA wrote:
> Seems to be the same idea you describe, but with more flexibility &
> robustness - thanks to real DNS records.
Same idea, yes. But I would not exactly call it robust in
the sense of the KISS principle. I think it is never a good
idea t
Another idea in the same direction:
Use a RewriteMap on every request and have the
rewrite map do something resource intensive.
...
RewriteEngine On
RewriteMap mymap prg:/tmp/tmp.pl
RewriteRule ^/(.*) ${mymap:$1}
And the map /tmp/tmp.pl:
#!/usr/bin/perl -w
use
On Fri, Oct 19, 2007 at 09:09:54PM +0200, Alan AZZERA wrote:
> > RewriteRule /(.*) http://backend/$1 [proxy,last]
>
> But AFAIK, mod_rewrite cannot alter anything *inside* the HTML code
> going out the server. mod_proxy_html can...
yep.
> I'm currently trying to deal with PMWiki. It uses only H
On Fri, Oct 19, 2007 at 10:05:58AM -0700, Shaw, Dan wrote:
> happens at the transport level. Although at a proxy level the stream
> stays open and waits for transport and ACK from client to backend. When
> the rewrite is use does it close connection or send ACK. I would not
> think so but getting
Hi there,
I am trying to figure out a simple way to write a
flag into the access log. This flag should state
whether a request has been treated locally or whether
it has been proxied/forwarded to a backend server.
So far I arrived with
LogFormat "... %{proxyflag}e ..." extended
SetEnv proxyflag
hya,
On Fri, Oct 19, 2007 at 03:32:37PM +0200, Alan AZZERA wrote:
> I ran into such awful hacks with mod_proxy_html.
Proxying bad applications is a dirty business. They do not
get any cleaner when they are told to behave nicely behind
a proxy.
> IMHO... It could be efficient, but it was impossi
Hi there,
Why are you using an old version of ModSecurity? As you
start anew I suggest you start out with ModSecurity > 2.1.
Then stick with the core-rules for a start and read
the excellent security blog on the website to deal with
false positives. There are many very good posts on the
subject.
Hey Alan,
You are facing a very typical problem. I am not proficient
with mod_proxy_html, so I am not sure I can help you.
However, the best way is always to go and fix the
application. If you can not do that for whatever
reason, then mod_proxy_html is a good approach. A
more general approach is
Hey Rick and Dan,
I see nothing particularly complicated in your request. Maybe
this is just me.
I suggest you configure proxy1 as the rewriter/proxy and proxy2 to
be as transparent as possible (-> no rewriting, just proxying).
To make your config more clear, you should use mod_rewrite to
define
On Thu, Oct 18, 2007 at 06:33:22PM -0400, Joshua Slive wrote:
> On 10/18/07, Tom Hart <[EMAIL PROTECTED]> wrote:
> > Hey everybody. I'm getting a 500 error code (Internal Server Error),
> > that doesn't tell me anything about why the error happened. Naturally I
> > looked to the error.log but that
ely have to tune things, then lower the
default timeout.
just my 2 cents.
Christian Folini
On Tue, Oct 16, 2007 at 09:20:51AM +0100, Melanie Pfefer wrote:
> hi
> I configured apache2 to enable deflate module.
>
> to disable this option, do i only need to comment it
> in httpd.conf?
> or should i do the configuration again?
Hey Melanie,
Disabling it in the config will do. Do not
forget
Hey Peter,
Your web interface functionality sounds quite sexy.
We seem to have about your size when hits are concerned,
split over dozens of https applications.
We are more concentrating on releases. Behind there is a
svn repository we use to work on the code (dedicated dev
boxes). When a pr
On Wed, Oct 03, 2007 at 09:31:18AM -0400, Joshua Slive wrote:
> On 10/3/07, Christian Folini <[EMAIL PROTECTED]> wrote:
> > So if I came to the conclusion that this should be
> > solved by updating the documentation (and forward
> > the problem to the documentation m
- [last]
RewriteRule /edit - [last]
RewriteRule ^(.*) http://www.example.com/$1 [redirect,last]
Hope this helps.
Christian
On Thu, Oct 04, 2007 at 08:16:04AM -0400, Ajai Khattri wrote:
> On Thu, 4 Oct 2007, Christian Folini wrote:
>
> > I am missing the context. :)
>
On Wed, Oct 03, 2007 at 05:42:15PM -0400, Ajai Khattri wrote:
> Any ideas what am I missing here?
I am missing the context. :)
Please provide your whole config. I think it has to
do with the structure of your config file.
regs,
Christian
>
>
> --
> A
>
>
>
On Wed, Oct 03, 2007 at 05:04:29PM +0500, Asrai khn wrote:
> So I am looking for suggestions how to make his failures of web server less
> pain.
Lot of suggestions are possible, but they all inflict pain.
A very clean and widespread solution is to have two identical
webservers (use a deployment sc
orward
the problem to the documentation mailinglist),
would that be a good idea?
regs,
Christian
On 2007-09-27 8:09:05, Christian Folini wrote:
> Hello,
>
> Back in March 2007, there was a report on unexpected behaviour of
> timeout settings in a reverse proxy setup:
>
> htt
On 10/1/07, Bj <[EMAIL PROTECTED]> wrote:
> Hi,
>
> Does someone know how to get the number of requests pending in the
> backlog ? I didn't find interesting information in /proc/...
By hazard, I have been playing around with this as well today.
On my debian sarge(!) host, I can get them via the UI
Hey Alec,
This looks like a tricky problem. Have you looked at the traffic
using tcpdump or ethereal when the machine hangs? You might
also try out mod_forensic or mod_security and add mod_security
internal timestamps to the access-log. Using these logs you will
get a clearer idea where it hangs.
Hey James,
Your if-then is technically relatively easy to do with
mod-rewrite.
However, in real life you are likely to face unexpected
problems when accessing "a diverse and historical range
of applications" via two different channels, one being
http and one being https. Fully qualified URLs in
On Fri, Sep 28, 2007 at 01:13:44PM +1000, Robinson Craig wrote:
> Therefore, this makes me think that I can't actually use netstat to
> 'measure' the 'number of concurrently connected clients'? Is this a fair
> assumption?
Hey Craig,
You can still do that, but limit yourself to the Established
co
forge.net/projects/mod-qos/
It gives you just that.
Otherwise you can also try mod_security2 and play around with
the guardian_log, which is meant to help you deal with DoS
attacks and your problem seems similar to a small DoS. :)
regs,
Christi
ed behaviour, an undocumented feature, a bug or a
misconfiguration on my behalf.
Any comment is appreciated.
Christian Folini
from your help:
See http://remo.netnea.com/twiki/bin/view/Main/FeatureRequests
for these.
best regards,
Christian Folini
--
[EMAIL PROTECTED] -http://www.netnea.com
ModSecurity and mod_security are trademarks of Breach Security, Inc.
netnea.com is not affiliated with Breac
via the homepage: http://remo.netnea.com/?q=demo
Enjoy,
Christian Folini
--
[EMAIL PROTECTED] -http://www.netnea.com
Hi Laurence,
I propose you try to isolate your problem.
Try to get an ssl-setup without the authentication, rsa
and securid stuff working. If mod_ssl still does
not work, then you know where to dig further. Right now, it
is difficult to tell where the problem actually lies.
When you are locking d
On Mon, Jul 31, 2006 at 11:15:13PM -0700, vivek k wrote:
> When the Apache server tries to modify the file it
> is giving
> permission denied error in the error_log file.
>
> Is there a way of solving this problem ? Can i
> configure the Webserver to run as userID dts.
As mentioned before you
se
> /usr/bin/kill -1 $pid
> fi
> ;;
>
> *)
> echo "Usage: $0 { start | stop | restart }"
> exit 1
> ;;
> esac
> exit 0
>
> Any ideas as to why it says it's starting but doesn't and do
me, how to pass on the certificate to the
backend application?
best regards,
Christian
--
Christian Folini - <[EMAIL PROTECTED]>
On Mon, Dec 05, 2005 at 01:42:34PM -0600, Jason Martens wrote:
> Here are the relevant apache config statements:
>
>Order deny,allow
>Deny from all
>allow from 10.
>
>
> ProxyPass /Internal/phone_list/ http://another.server/phone_list/
Have you tried to add a ProxyPassReverse s
Hey Ken,
Your apache config has some serious bugs.
Please check the IP addresses. Either of
the Listen-statement or of your Virtual Hosts.
"[::]:80" does not look good.
Then you have a problem with rotatelogs. Maybe it is a
followup, but rather not.
Check the permissions on /logs. Did logging to
85 matches