Michael.Beadle | 29 Jul 18:08 2014

Reconciling security advisories

If a vulnerability is listed on the 2.4 page (https://httpd.apache.org/security/vulnerabilities_24.html) - let's pick on CVE-2014-0226 for mod_status and it is listed as affecting 2.4.9 down to 2.4.1, would 2.2.x also be vulnerable? It is not specifically listed on the 2.2 vulnerability page (https://httpd.apache.org/security/vulnerabilities_22.html).

To add to any confusion, we are using the RHEL 6 RPM install of httpd, which is based on 2.2.15 with fixes added. So they have a versioning scheme of 2.2.15-## (currently 30). A new update was released stating that CVE-2014-0226 is corrected.

Did Red Hat re-engineer the 2.4 fix for 2.2?

Thank you for any input anyone may have.

Mike Beadle
Engineer - Collaborative Systems, Information Technology  •  Securian Financial Group
400 Robert Street North  •  St. Paul, MN 55101-2098
michael.beadle <at> securian.com  •  www.securian.com

Securian Financial Group – Financial security for the long run ®

This email transmission and any file attachments may contain confidential information intended solely for the use of the individual or entity to whom it is addressed. If you have received this email message in error, please notify the sender and delete this email from your system. If you are not the intended recipient, you may not disclose, copy, or distribute the contents of this email.
Mike Wenzel | 28 Jul 08:29 2014

apache umask to get 775 file permissions

I got an cgi-script which is creating a file. This file need 775 permissions (rwxrwxr-x). I need to get the apache to create this file with 775 permissions.

I researched, but 90% of all those solutions doesn't work for me or those "init scripts" doesn't even exists on my openSUSE 13.1 64-Bit.

I found out, that /usr/sbin/apache2 should be my "init script". I added umask 002 there, but it doesn't changed anything. I still have rw-r--r-- instead of rwxrwxr-x perimssions.

Can u please help me out?

Brad Harris | 25 Jul 22:13 2014

Web file location?

Not an Apache-specific question but I’d like to get some real world input. The default document root location for my specific Linux distro is /var/www/html. I’d like to hear what location some of you veteran web admins use. I generally just create subdirectories using the site name (e.g /var/www/html/sitename). Recently I’ve been tasked with granting access to one of our (new/dev) servers to an overseas consultant. I had decided to create a user for each site and put the files in “/home/user1/public_html” & “/home/user2/public_html”…then, to simplify things for them, I decided to create a single user that will administer both websites on that server and put them both in /home/user/public_html/site1 & /home/user/public_html/site2. Now I’m thinking about putting them back in /var/www/html/site1 & /var/www/html/site2 and just give the single user account ownership on both directories.


Let me know how you guys are doing things.



Brad Harris
Senior Windows System Engineer
Masco Cabinetry

Kraftmaid® | Merillat® | QualityCabinets®  | DENOVA®
4600 Arrowhead Drive
Ann Arbor, MI 48105

brad.harris <at> mascocabinetry.com

Direct: 734.205.4898

Mobile: 517.414.2842


Rose, John B | 25 Jul 21:39 2014

EnableMMAP question

We notice the default is "On"

If the home areas for each of your web sites are "nfs", is it better to set EnableMMAP to "Off"?

Paul Beckett | 25 Jul 20:00 2014

Segmentation Fault - too many proxy balancers

My apache server has started segmentation faulting all the time (seems to log a segmentation fault every few requests to the apache error log):

[Fri Jul 25 06:25:42.046752 2014] [core:notice] [pid 11226:tid 140006078953216] AH00052: child pid 11715 exit signal Segmentation fault (11)

This appears to be due to the number of proxy balancers I have configured (problem isn't related to any one specific proxy balancer, adding / removing any of the proxy balancers causes the problem to appear/disappear). I'm using Apache HTTPD as a reverse proxy for a lot of load-balanced (by apache httpd) application servers. My googling so far hasn't found any specific limit on the number of proxy, or how I can increase this. 

I am running Apache HTTPD 2.4.9, built from source on RHEL6.

I would be very grateful if anyone can shed more light on this, and assuming I'm right about a limit: point my in the right direction as to how I can increase this.

Ulrich.Herbst | 25 Jul 12:37 2014

[proxy_http:error] [pid 13256:tid 47013272524544] (11)Resource temporarily unavailable: [client] AH01110: error reading response

we have apaches as reverse proxies for some tomcat and wso2-application servers.
We get this error message on a high-load-webserver:
[proxy_http:error] [pid 13256:tid 47013272524544] (11)Resource temporarily unavailable: [client] AH01110: error reading response
And we have no clue, which resource is unavailable and what to do against it.
Apache-2.4.10 / apr-1.5.1
Ulimit of apache-user:
core file size          (blocks, -c) 0
data seg size           (kbytes, -d) unlimited
scheduling priority             (-e) 0
file size               (blocks, -f) unlimited
pending signals                 (-i) 46666
max locked memory       (kbytes, -l) 655360
max memory size         (kbytes, -m) unlimited
open files                      (-n) 655360
pipe size            (512 bytes, -p) 8
POSIX message queues     (bytes, -q) 819200
real-time priority              (-r) 0
stack size              (kbytes, -s) unlimited
cpu time               (seconds, -t) unlimited
max user processes              (-u) 655360
virtual memory          (kbytes, -v) unlimited
file locks                      (-x) unlimited
$ cat /proc/sys/kernel/threads-max
  • So, I don’t see any visible shortage of anything.
Any ideas how to find the reason for this error ?
Nick Edwards | 25 Jul 06:33 2014

rewrite rule problem

I've sent this to the roundcube list few days ago, no-one replied so ,
since its also apache related, I'll ask here.

<paste of message>

Trying to understand the new "security" rules in .htaccess

 - deny access to files not containing a dot or starting with a dot
#   in all locations except installer directory

RewriteRule ^(?!installer)(\.?[^\.]+)$ - [F]

This doesn't quite make sense, we have a help/ directory, which is not
accessible because of this rule yet all files in that directory are
foo.img or index.php, bar.php

change to

RewriteRule ^(?!(installer|help))(\.?[^\.]+)$ - [F]
permits our help/ directory to be read, this is sub optimum because it
will be overwrite at next update again, does someone with good
knowledge of rewrite rules able to shed some light on this?

<end paste>
So are roundcube folk doing it wrong?

The entire rewrite rule section is (although my problem is fixed by
only the above line, but in case there is a relation I'll include the
full bit here:

RewriteEngine On
RewriteRule ^favicon\.ico$ skins/larry/images/favicon.ico

# security rules:
# - deny access to files not containing a dot or starting with a dot
#   in all locations except installer directory
#RewriteRule ^(?!installer)(\.?[^\.]+)$ - [F]                 <---
this does NOT work
RewriteRule ^(?!(installer|help))(\.?[^\.]+)$ - [F]         <--- this works

# - deny access to some locations
RewriteRule ^/?(\.git|\.tx|SQL|bin|config|logs|temp|tests|program\/(include|lib|localization|steps))
- [F]
# - deny access to some documentation files
RewriteRule /?(README\.md|composer\.json-dist|composer\.json|package\.xml)$
- [F]

Javier Garcia | 24 Jul 22:51 2014

“405 method not allowed”. No errors when sending the request from a HTTP simulation web

Im getting a 405 when sending a POST request to "http://www.sermobi.com/customers" from a mobille app using an ajax function.

But I don't get that error using a tool like http://www.hurl.it/#top.

I have already enable CORS on my server and checked that it works ok for GET requests. I have also enabled it for POST requests.

I have already checked the access log and this is what I get after the POST request:

www.sermobi.com:80 - - [24/Jul/2014:18:44:38 +0200] "POST /new HTTP/1.1" 405 1009 "-" "Mozilla/5.0 (Linux; Android 4.4.3; One S Build/KTU84M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/ Mobile Safari/537.36"

Any help?




mod_rpaf does not work


I have Ubuntu 14.04 (upgraded from 12.04) with this:
Server version: Apache/2.4.7 (Ubuntu)
Server built:   Apr  3 2014 12:20:25
Server's Module Magic Number: 20120211:27
Server loaded:  APR 1.5.1-dev, APR-UTIL 1.5.3
Compiled using: APR 1.5.1-dev, APR-UTIL 1.5.3
Architecture:   32-bit
Server MPM:     prefork
  threaded:     no
    forked:     yes (variable process count)
Server compiled with....
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D HTTPD_ROOT="/etc/apache2"
 -D SUEXEC_BIN="/usr/lib/apache2/suexec"
 -D DEFAULT_PIDLOG="/var/run/apache2.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="mime.types"
 -D SERVER_CONFIG_FILE="apache2.conf"

Loaded Modules:
 core_module (static)
 so_module (static)
 watchdog_module (static)
 http_module (static)
 log_config_module (static)
 logio_module (static)
 version_module (static)
 unixd_module (static)
 access_compat_module (shared)
 alias_module (shared)
 apreq_module (shared)
 auth_basic_module (shared)
 authn_core_module (shared)
 authn_file_module (shared)
 authz_core_module (shared)
 authz_groupfile_module (shared)
 authz_host_module (shared)
 authz_user_module (shared)
 autoindex_module (shared)
 cgi_module (shared)
 deflate_module (shared)
 dir_module (shared)
 env_module (shared)
 filter_module (shared)
 headers_module (shared)
 mime_module (shared)
 mpm_prefork_module (shared)
 negotiation_module (shared)
 perl_module (shared)
 php5_module (shared)
 reqtimeout_module (shared)
 rewrite_module (shared)
 rpaf_module (shared)
 setenvif_module (shared)
 status_module (shared)

This is from apache2.conf:
RPAFEnable On
RPAFsethostname On
RPAFheader X-Real-IP

No error on startup, so mod_rpaf module surely loaded.
Also, i have nginx as frontend which proxies requests to apache (backend) with php5. The problem is that
apache recieves X-Real-IP with correct client IP and php can see it ($_SERVER["HTTP_X_REAL_IP"]) but
mod_rpaf does not change $_SERVER['REMOTE_ADDR'] variable. Problem occured after upgrading my system
from 12.04 to 14.04 directly using "do-release-upgrade -d" command. Does someone know, how to fix this?
Sandeep Thakkar | 24 Jul 13:14 2014

Building Apache 2.4.x on Windows 7 32bit with Visual Studio 2013


I could successfully built httpd-2.4.7 on WIndows 7 32bit with Visual Studio 2010 with the help of few thread in mailing lists. But, now, we want to build it on another Windows 7 32bit machine, where we have Visual STudio 2013 installed. Hence. I just opened Apache.sln in VS2013, let the conversion happened, and then built it on the command line. 

But, I see some failures like:
_tbl_simple.obj : error LNK2011: precompiled object not linked in; image may not run^M
..\Release\iconv\_tbl_simple.so : fatal error LNK1120: 1 unresolved externals^M
NMAKE : fatal error U1077: '"C:\Program Files\Microsoft Visual Studio 12.0\VC\BIN\link.EXE"' : return code '0x460'^M
C:\Program Files\MSBuild\Microsoft.Cpp\v4.0\V120\Microsoft.MakeFile.Targets(38,5): error MSB3073: The command "NMAKE /nologo /f Makefile.win BUILD_MODE="Win32 Release" BIND_MODE=shared" exited with code 2.^M

ApacheMonitor.c(296): warning C4996: 'GetVersionExA': was declared deprecated^M
          C:\Program Files\Windows Kits\8.1\include\um\sysinfoapi.h(433) : see declaration of 'GetVersionExA'^M
CVTRES : fatal error CVT1100: duplicate resource.  type:MANIFEST, name:1, language:0x0409^M
LINK : fatal error LNK1123: failure during conversion to COFF: file invalid or corrupt^M

Please help. Thanks.


bae.hk | 24 Jul 10:38 2014

my dumpio log was missing

Hi, I am Bae (from Japan).

(apache Version: 2.0.64)

I installed the mod_dumpio, and getting request and reponse information in error.log.
But if log(one line) becomes long, the log of the one line'end is missing.

(Example) error.log
①dumpio_out (data-HEAP): 111222333444555666 (→ "777" is missing)
②dumpio_out (data-HEAP): 888999
※ Therefore, put together log above ①②, cannot get correct response("777" is missing).

It seems that this occur if one line becomes long, but cannot tell the point that the missing begins in(not a particular character, not a specific location).

Is there any solution of keeping a log from being missing?
(apache or mod_dumpio's setting?)

Thank you very much for your help.