* Krist van Besien [2009-12-18 14:54]:
> Now for test purposes I want to offer a way to look at the site as
> non authenticated users would see it, but without (for now) removing
> the authentication. As the website is still under development I
> don't want to allow unauthenticated access yet.
Ma
* Boyle Owen [2009-12-15 10:22]:
> > -Original Message-
> > From: Justin Pasher [mailto:just...@newmediagateway.com]
> > (a) Single FQDN, single DocumentRoot - Single IP.
> > (b) Multiple FQDN, single DocumentRoot - Single IP, assuming cert
> > supports all (sub)domains listed. Otherwise
* Roger [2009-12-14 17:47]:
> The situation that I was talking about is that if someone accesses
> http://example.com or http://www.example.com
> then redirect to either https://www.example.com OR https://example.com.
Sure.
> But of course, you cannot stop someone from trying to access
> https://ww
* Roger [2009-12-14 17:26]:
> Is the content under example.com and www.example.com the same?
> If it is, then just redirect all requests to example.com, www.example.com to
> one
> location. You don't need two certificates. In my opinion, if it is the same
> content then having multiple certificat
* [2009-11-17 17:42]:
> Because we are running productions, as stated on the Apache site in
> BOLD letters, mod_ajp is not for production use.
[ me asking about mod_ajp (or rather mod_proxy_ajp) and the exact URL
where this is stated, so we can eventually get it corrected ]
* [2009-12-10 19:0
* chuck.pa...@travelchannel.com [2009-12-10 18:33]:
> Just trying to rule out any issues we are having with Red Hat 5.2
> and Apache 2.2.3 ( httpd-2.2.3-31.el5_4.2). Does anyone know of any
> bug or issues using that version Apache and Mod_Proxy_AJP? We are
> having issues, but we are trying to s
* Zachary Uram [2009-12-06 14:13]:
> What does APR stand for?
http://apr.apache.org/
-peter
-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html for more info.
* Daniel Reinhardt [2009-12-04 09:31]:
> It's like how Linux/Unix distribution creators are forcing IPv6 in a
> kernel when someone may not have a need for it or find it useless.
> They should instead build their distributions with IPv4 enabled by
> default, and include an IPv6 enabled Kernel for those
* vishesh kumar [2009-12-03 14:49]:
> I am using RHEL 5.2 and am a newbie in Apache; as a preliminary step I executed the
> following command to list apache modules
>
> root# httpd -l
>
> It showed me following output,
>
> core.c
> prefork.c
> http_core.c
> mod_so.c
>
> I eager to know , t
* André Warnier [2009-12-03 00:53]:
> You are also not contradicting my guess that mod_session might include a
> form-based login scheme, but not explicitly confirming it either. Does
> it ?
Yes, http://httpd.apache.org/docs/trunk/mod/mod_auth_form.html
-peter
* Robert Schenck [2009-12-02 12:46]:
> I have to use Apache, I don't have a choice (says my employer).
This was just meant as a heads up: depending on the publisher you
might have to rewrite most everything (URLs, HTML content, Cookies,
JavaScript, etc.), and every publisher does things different
* Robert Schenck [2009-12-02 12:03]:
> My office is subscribed to few academic journals. These journals verify the
> subscription via IP, such that anyone connected to the internet through our
> connection can access the journals.
You might also want to look at EZproxy
http://en.wikipedia.org/wik
* Tom Evans [2009-12-01 15:22]:
> Full copy of the raw email (as gmail remembers it) is at
> http://pastebin.com/m7aba774b
Yes, wildcard certificates are another possibility, if your CA supports
them (same goes for subjectAltName, of course).
You'll still need one public IP-address per shared DNS-
* Boyle Owen [2009-12-01 14:51]:
> However, at least he now has an alternative... Would you mind
> helping him out with it?
http://markmail.org/message/yr52ptnpgbocgvad
cheers,
-peter
* Boyle Owen [2009-12-01 10:08]:
> Krist explained it very nicely... But maybe you still didn't get it:
> Without SNI, there is NO WAY TO DO THIS. It is a fundamental
> limitation of the HTTPS protocol with no production-grade
> work-around. SNI (server-name indication) was specifically added to
>
* Brian Mearns [2009-11-21 18:02]:
> Only the latest Apache (2.2.14) and OpenSSL built with the
> tlsextensions options support this. It's case SNI (Server Name
> Identification), where the client can send the fully qualified domain
> name as part of the handshake process. Without this, the server
chuck,
* Peter Schober [2009-11-17 23:54]:
> * chuck.pa...@travelchannel.com [2009-11-17 17:42]:
> > Because we are running productions, as stated on the Apache site in
> > BOLD letters, mod_ajp is not for production use. We see our jboss
> > down with it.
>
* Hendrik Schmieder [2009-11-19 12:53]:
> Is mod_fcgid stable enough for production usage ?
"Yes"
-peter
chuck,
* chuck.pa...@travelchannel.com [2009-11-17 17:42]:
> Because we are running productions, as stated on the Apache site in
> BOLD letters, mod_ajp is not for production use. We see our jboss
> down with it.
I see a few references to mod_ajp from 2004 (e.g. in this thread[1])
but I guess y
* Yungwei Chen [2009-11-13 17:39]:
> The proxy server also needs to forward some requests (/nagios) to
> another internal apache server. Any suggestions in this case?
Exclude those from the proxy pass?
-peter
* Yungwei Chen [2009-11-13 17:00]:
>
>Order Deny,Allow
>Deny from all
>Allow from ...
>ProxyPass https://111.111.111.111/rpt
>ProxyPassReverse https://111.111.111.111/rpt
>ProxyPassReverseCookieDomain 111.111.111.111 100.100.100.100
>
* Francois Pernet [2009-11-13 09:12]:
> B) Tests with OpenLdap
[...]
> Doesn't work.
I guess then you'd better get this working on its own, before
continuing with httpd (it's certainly easier to debug LDAP connections
with a full blown LDAP command line tool),
-peter
* Peter Michaux [2009-10-18 22:27]:
> Any ideas how I can successfully build Apache httpd with mod_fastcgi
> on OS X?
Have you looked at fcgid instead?
http://httpd.apache.org/mod_fcgid/
-peter
* Newman, Billy [2009-09-29 20:29]:
> I am currently experiencing problems with using xalan.jar that lives
> in lib/endorsed and apache.
You might be better off asking this elsewhere, this is the list
for the Apache httpd webserver,
-peter
* Alan AZZERA [2009-09-24 20:56]:
> I did this at first. I believe it works, since I'm able to retrieve
> information that concerns me. I don't need to authenticate myself on
> the OpenLDAP server to get most information. But I need to do so if I
> want to retrieve, for example, the hash of my pas
* azzera.alan [2009-09-24 16:55]:
> Anyway, I'm now just trying to authenticate on a single directory.
> Here is the relevant part of my config file :
[...]
> When connecting to the url, nothing happens. I checked with tcpdump,
> servers are talking to each other. What are they saying ? No idea...
* Alan AZZERA [2009-09-24 15:21]:
> I have a Virtual Host just used to do "reverse-proxyfication", with
> many rules in it. I would want to put a basic authentication banner
> against a LDAP server for this very VirtualHost. I'm stuck
> attempting to achieve this aim. I would appreciate very much
* Asimananda Mohanty [2009-09-21 14:37]:
> Should I assume that the certificate presented to apache is not the correct
> one?
> But the same certificate works fine when I use it on my ldap server where
> the ldap client is also installed.
Get the ldap command line client to work on the same machi
* Asimananda Mohanty [2009-09-21 14:11]:
> I can see client hello, server hello, certificate from server, server hello
> done, encrypted handshake messages on my packet sniffer.
> Well, I can see some checksum error in the server hello, certificate,
> encrypted handshake messages.
>
> For all the
* André Warnier [2009-09-21 13:51]:
> If "ldaps" means "secure LDAP" (as in SSL), then all packets would
> be encrypted, and your protocol analyser may just not be able to
> detect them.
Well, at least a TCP connect to (default) port 636 should be in the
trace (not that I'm saying there is) or in
* Scott Brady [2009-07-30 21:50]:
> # This is the folder I want freely accessible
>
> SSPIAuth Off
>
Does the generic way of
Allow from all
Satisfy any
work?
-peter
* Mike -- EMAIL IGNORED [2009-07-22 20:02]:
> I have several and numerous
> sections that have large sets of identical directives.
> If there a way to define a "subroutine" in httpd.config
> that can be called in these sections?
There is http://httpd.apache.org/docs/2.2/en/mod/core.html#include
* Joseph Morgan [2009-07-22 17:47]:
> In the cert world, your customers would likely rather see that your
> certs are signed by Verisign than by
> "pimpmycert.com"
As if they could tell the difference.
If both root CAs are in the browser's root chain, why shouldn't they
trust a certificate signe
* Nick Kew [2009-07-22 15:41]:
> Pascal S. Clermont wrote:
>
> > A conjunction of network based auth + "SetEnvIf Remote_Addr
> > "^192\.168\.1\.\d{1,3}$" REMOTE_USER=LOCAL_IP" might be suitable for my
> > current needs.
>
> That looks like a re-invention of "Satisfy Any".
> If you are re-inven
* Boyle Owen [2009-07-22 14:43]:
> > -Original Message-
> > From: news [mailto:n...@ger.gmane.org] On Behalf Of Nicholas Sherlock
> > >
> > > Jfyi: you might also try free and not widely recognized,
> > > http://cacert.org/
> >
> > Won't certificates signed by them be only useful for
>
* Peter Schober [2009-07-22 12:29]:
> Or STFW for cheap SSL certs. But you won't get below 60-80USD for a
> year, I guess.
FWIW, I think GoDaddy's TurboSSL seems to be as cheap as it gets
(27USD per year, starting with 2 years). Don't know anything about
their services or
* André Warnier [2009-07-22 13:29]:
> > Require valid-user
> > Order allow,deny
> > Allow from 192.168.1
> > Satisfy Any"
> >
> I don't think that this is exactly what the OP wanted.
Then maybe Jim Fox's mod_auth_location will do?
http://staff.washington.edu/fox/authlocation/
-peter
* Mike -- EMAIL IGNORED [2009-07-22 01:46]:
> I am thinking of securing part of my low volume
> web site with SSL. I wend to some certificate
> authorities, and I was blown away by the prices.
> Are there that are both cheap and widely recognized?
Jfyi: you might also try free and not widely rec
* Pascal S. Clermont [2009-07-21 21:53]:
> I want to secure some content from unauthorized access by using :
> "
> AuthType Basic
> AuthName "Authentication Required"
> AuthUserFile /etc/secret/auth.users
> Require valid-user
> "
> in one of my 's
>
> I would like to know if there is a possible w
* Luis Daniel Lucio Quiroz [2009-07-01 00:55]:
> I need that final server sees agents certificate.
> I was reading this link:
> http://www.zeitoun.net/articles/client-certificate-x509-authentication-behind-reverse-proxy/start
>
> But I don't know for sure if that is what I need
Well, you posted a c
* Luis Daniel Lucio Quiroz [2009-06-30 23:29]:
> I now have an Apache as an inverse proxy https server. But now that server has
> included Cert authentication in the application. The problem is that now Apache
> does not proxy, is there any configuration to let it support authentication?
Is this the sa
* Michelle Konzack [2009-06-26 14:13]:
> I have set up WebDAV and it works perfectly under Debian and Windows XP,
> but HOW can I reach it under Windows Vista?
This is hardly a question for a httpd list, is it?
Did you even STFW?
-peter
* Jon Skarpeteig [2009-06-17 09:56]:
> # Want to add support for nested groups by the following directive
> from http://httpd.apache.org/docs/trunk/mod/mod_authnz_ldap.html#reqgroup
>
> AuthLDAPMaxSubGroupDepth 20
>
>
> This gives me an Internal Server Error, with the following error_log entry:
>
* Jeff Shearer [2009-06-02 16:32]:
> Over the last 3 days I have played with a number of configurations and
> executed numerous varieties of searchs. But to no good. If you look
> down to the caption "My Best Result," It seems OpenLDAP has made it to
> the point where it is searching the 2 c
* Sam theman [2009-05-27 20:45]:
> I was able to build a FIPS 140-2 apache, thanks to nobody at the
> apache users list.
On a more constructive note: docs get written when someone does the
work and puts them together. Find a stable place for your notes and
publish them, so others can find them.
* Peter Schober [2009-05-27 12:33]:
> > I have tried a number of configurations for group authentication, all
> > without success. Following is the current iteration of my apache
> > configuration for the superteam.docs directory:
> >
> >
> >AuthTy
* Jeff Shearer [2009-05-27 08:43]:
> dn: cn=SuperTeam,ou=groups,dc=my,dc=mydomain,dc=com
> ou: groups
> description: People who are employees of Super Team
> uniqueMember: uid=jeffshearer,dc=my,dc=mydomain,dc=com
> uniqueMember: uid=maeshearer,dc=my,dc=mydomain,dc=com
> objectClass: groupOfUniqueN
* Ross Boylan [2009-05-12 18:17]:
> > Where is the SVN access
> > happening? From the Smalltalk app? From httpd?
>
> Both, though the smalltalk app is only going to talk to svn via http.
> There are potentially several scenarios (though I could probably
> dispense with some of them):
> 1) Someone
Ross et al.,
I'm not sure I understand the actual question at hand -- you have (or
want to write) a Smalltalk-based application that runs in its own
webserver, and proxy to that with httpd? Where is the SVN access
happening? From the Smalltalk app? From httpd?
Is this SVN-webapp something like V
* André Warnier [2009-05-11 19:24]:
> in all kinds of applications that can run under Apache, to obtain a
> user-id ? The answer is basically no, because Apache (and HTTP) do not
> define such a standard mechanism.
Support for REMOTE_USER is not so bad, I'd say.
-peter
* Ali Naddaf [2009-04-09 18:19]:
> I also understand that the file system used on the server (say Ext2
> vs Ext3 vs Reiser, ...) can play a role here.
I'd suggest finding out how many files you can comfortably handle in a
single directory for the given filesystem before performance starts to
degr
* Flowering Weeds [2009-03-07 17:03]:
> Thanks for helping to explain http.sys.
*plonk*
cheers,
-peter
* Tim Ford [2009-03-05 19:57]:
> Thanks, I have apache set to listen on port 8080. When I type
> http://intranet:8080 it works but I want my users to just type in
> http://intranet and apache converts it for them. It's either
> mod_rewrite or mod_proxy.
No. If your users don't specify any port (an
* Todd Simons [2009-03-05 02:39]:
> I assume that I would build a to match the
> ProxyPass/ProxyPassReverse path statements?
[..]
> I tried this and it didn't work.
http://httpd.apache.org/docs/2.2/en/mod/core.html#directory
"Enclose a group of directives that apply only to the named
file-system
* Todd Simons [2009-03-05 00:25]:
> Please confirm:
>
>
> Allow from 10.3.2.0/24
> ProxyPass /dev3/app2/ http://internalhost3/dev3/app2/
> ProxyPassReverse /dev3/app2/ http://internalhost3/dev3/app2/
>
>
> ...when I made this modification, my apache fails to start
Make sure
* Todd Simons [2009-03-04 22:41]:
> We'd like to utilize one public hostname "http://webservers.domain.com"
> to rewrite different web apps, but control the access to the web app by
> ip address, similar to an "allow from" on a directory.
You could wrap the ProxyPasses in elements and put the
'
* John Oliver [2009-03-04 01:41]:
> On Tue, Mar 03, 2009 at 06:32:38PM -0500, Frank Gingras wrote:
> > Place your restrictions in your block instead, in your
> > vhost.
>
> I did. But without a / In the examples I saw, it looked like
> everything starting with a / was an absolute path on the
* Eric Covener [2009-02-26 20:06]:
> In LDAPv3, the bind is optional.
OK, I see it in the RFC. But it seems it's not optional in httpd.
Also you can't produce searches without binds with e.g. ldapsearch.
And it won't make much of a difference to the OP, since an anonymous
bind (i.e. not specifiyi
* Davide Bianchi [2009-02-26 19:33]:
> Well, to be picky, an 100% compliant LDAP server doesn't require to
> bind to do a first-level query, so you should be able to get your DN
> without the need for a fixed username/password.
Making a "query" without a "bind" in one sentence makes no sense to
m
* Reis Markus [2009-02-23 09:09]:
> Could you explain to me why this Location-Directive does NOT work:
>
not having read the rest of the thread, but
is the trailing " intentional?
cheers,
-peter
* Phaniraj Ranganath [2009-02-19 20:46]:
> Can anyone let me know when to use worker or prefork mpm.
> What are the advantages/disadvantages of one over the other?
http://httpd.apache.org/docs/2.2/en/mod/worker.html
http://httpd.apache.org/docs/2.2/en/mod/prefork.html
cheers,
-peter
* Szerdahelyi, Andras [2009-02-18 14:32]:
> I've been struggling with this error for weeks now, and still haven't
> even got close to a solution. I have the following setup
I'd suggest getting this to work with openssl s_client first.
cheers,
-peter
* André Warnier [2009-02-18 18:18]:
> I don't think it is a dumb question, because authentication tends to be
> "sticky", and there are no directives like
> AuthType None
> or
> Require None
> or
> Satisfy nothing
But
Allow from all
Satisfy any
should do, even if this is within a prote
* Vasanth Kumar ravi [2009-02-18 03:06]:
> Is it possible to have authentication implemented at the Apache HTTP Server
> , using the Oracle database as Authorization provider.
[...]
> We would like to implement a custom login page at the Apache , which
> would in turn refer the oracle db for autho
* Vasanth Kumar ravi [2009-02-18 03:06]:
> I did research on the same, and found that only file /dbm based
> authentication is possible with HTTP Server
No, have a look at the documentation, e.g.
http://httpd.apache.org/docs/2.2/en/howto/auth.html
As far as authenticating against an Oracle
* Glen Barber [2009-02-16 18:10]:
> On Mon, Feb 16, 2009 at 11:40 AM, John Hudak wrote:
> > DITTO!!!
> > In the 'bad old days' of computing, everything was based on a text file. It
> > forces one to really understand what is behind the changes. I for one do
> > not subscribe to the 'dumbing dow
Just a few thoughts from the top of my head...
* Mohammed obaidan [2009-02-14 14:53]:
> What I really aiming at is complete portable administration tool for
> Apache. I am heading for this goal step by step and the first step is
> the GUI for configuring Apache.
So you want to write a complete a
* Mohit Anchlia [2009-02-05 17:39]:
> Couple of questions regarding mod_jk:
Note that mod_jk is supported by the tomcat people, not httpd (in
contrast to mod_proxy_ajp), so the tomcat connector documentation
applies.
> 2. Does mod_jk check if the system is up and running before forwarding
> that
* Carsten Aulbert [2009-01-18 18:35]:
> Krist van Besien schrieb:
> > The problem is that you are trying to work around a problem in the
> > protocol. It is not a limitation of apache that you can't use
> > namebased virtualhosts with ssl, it's a limitation in the protocol,
> > and you will encoun
* Brian Mearns [2009-01-16 14:40]:
> First, if I use SSLRequire to check various fields in a client's
> certificate, is it implied that the certificate has already been
> verified as signed by one of the CA's I've defined in
> SSLCACertificateFile, for instance? In other words, this isn't just
> c
* Eric Covener [2008-12-18 18:26]:
> > However, requests passed on to Apache Tomcat6 via mod_proxy_ajp don't
> > seem to be virtualized properly so Tomcat sees the request coming in
> > via http on port 80 (which is the physical scheme and port from
> > httpd, so Tomcat is not to blame here).
>
>
I've setup httpd (2.2.3) behind an ssl offloading appliance and
virtualized port and scheme for the affected server (or vhost).
ServerName https://somehost.example.org:443
UseCanonicalName On
However, requests passed on to Apache Tomcat6 via mod_proxy_ajp don't
seem to be virtualized properly