David Goudet | 30 May 22:54 2016

Content-Length=0 when PING Timeout failover on next backend

Hi,

I have a question about the PING feature on mod_proxy_http. (I am not sure that this is the right mailing list).
When the reverse proxy server does not receive 100-Continue before the PING timeout, should the request be
replayed fully on the next backend server?
If yes (request should be replayed on next backend server), I observed strange behaviour of httpd: when PING
timeout occurs, the POST request is replayed (failover) on the next backend server, but the Content-Length of the
POST request has been set to 0 and no POST data are sent. Hereafter the POST request forwarded
during failover to the next backend server:

POST /foo/form.html HTTP/1.1
Host: xxxx
User-Agent: Wget/1.14 (linux-gnu)
Accept: */*
Content-Type: application/x-www-form-urlencoded
Expect: 100-Continue, 100-Continue
X-Forwarded-For: 192.168.216.158, 192.168.216.158
X-Forwarded-Host: foo, foo
X-Forwarded-Server: foo, foo
Connection: Keep-Alive
Content-Length: 0

Original request forwarded to the first backend server:

POST /foo/form.html HTTP/1.1
Host: xxxx
User-Agent: Wget/1.14 (linux-gnu)
Accept: */*
Content-Type: application/x-www-form-urlencoded
Expect: 100-Continue
X-Forwarded-For: 192.168.216.158

Mohanavelu Subramanian | 30 May 20:05 2016

Two way SSL authentication between apache proxy server and tomcat

Hi All,

Good Morning.

I want to implement 2 way SSL authentication between apache proxy and tomcat. I am using mod_proxy to integrate apache and tomcat. I have some doubts in the implementation. I have done some initial analysis on this.

I would create a self-signed CA certificate (CA.crt). I would create client (apache.pem) and server certificate (tomcat.pem). Both these certificates would be signed by my CA. I add client certificate to apache proxy server using SSLProxyMachineCertificateFile. I have configured tomcat to refer server certificate.

Then I add this CA certificate into the client and server truststore. So, during handshake, the authentication will be successful.

1. Is this the effective way of implementing authentication with certificates? I think the same client certificate can be copied by unknown user and send request to tomcat. Could you please suggest if there is better way implementing the authentication, if any.

2. Is it possible to sign a certificate by more than 1 CA?

3. I have my design like this.

    client-------------------------->apache (mod_proxy) ----------------->tomcat
                https                                                      https
                user.crt                 apache.pem                tomcat.pem

I have configured mod_proxy to forward the actual client certificate(user.crt) to tomcat via mod proxy as below:

SSLProxyMachineCertificateFile apache.pem
SSLProxyCACertificateFile CA.crt
RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"

I want to forward the user.crt to tomcat and in my application the user.crt is verified. But the request.getAttribute("javax.servlet.request.X509Certificate"); returns null. I am not getting the user.crt. Could you please give me an idea how to fetch SSL_CLIENT_CERT in my application and parse it.

Thanks in Advance.

Best Regards,
Mohan


Falco Schwarz | 30 May 14:26 2016

mod_rewrite, scopes and inheritance

Hi there,

I have a question regarding the inheritance of RewriteRules from
different scopes. So, I have the following setup:

httpd.conf:
- several <Directory> blocks, including the following:
    <Directory /opt/www>
        AllowOverride  None
        Options        FollowSymLinks
        Require        all granted

        RewriteEngine On
        RewriteOptions InheritDownBefore
        RewriteCond %{REQUEST_URI} ^/some/very/special/path.html
        RewriteRule ^ - [END]
    </Directory>

httpd-vhosts.conf
- two vhosts, one on port 80, one on port 443
- a global RewriteRule from http to https (in the vhost using port 80)
- the DocumentRoot pointed to /opt/www

Now, I actually want that the request to the very-special-path file
will never be rewritten to https and I thought by using the
RewriteOptions InheritDownBefore directive, that I could achieve that.
Yet it does not seem to work - the rule is not inherited at all. To me
it seems as a RewriteRule in a Directory block is treated differently
than a rule outside of it.

Is there any way to inherit the rule from the directory scope on
server level to a virtual host? Could this be a possible bug in the
inheritance of rules or am I missing something here?

Regards,
Falco

Venkataramani, Sundar | 30 May 11:41 2016

Urgent - Port 443(Apache is getting blocked)

Team,

We are facing this issue for the second time in one month and it is impacting our customers.

Our application is configured on Port:443 in Apache server. This morning the application suddenly stopped working on Port No:443, whereas the application was working on Port no:20443, which is internal to HP Team.

Port 443 issue was resolved after restarting the Apache server and application is working fine. Usage of the application is very low.

Please let us know the reason for this. Appreciate your help.

Thanks

Sundar.V

Michał Nazarewicz | 29 May 18:43 2016

WebP and content negotiation

Dear Apache users.

I’m trying to use content negotiation to serve WebP images.  Sadly,
browsers lie about what they accept (this is no new discovery).  For
example, Firefox sends the following header:

    Accept: image/png,image/*;q=0.8,*/*;q=0.5

despite not knowing how to display WebP images.  The end
result is that if I have a .jpg and .webp file on my server, the
latter is being served to Firefox which is unable to decode it.

Chrome sends:

    Accept: image/webp,image/*,*/*;q=0.8

which is also a lie (it doesn’t accept APNG for example), but at least
it works when negotiating between JPEG and WebP files.

To work around this I would like to consider *.webp images in content
negotiation only if browser sent image/webp in Accept header
explicitly.  Is it possible?  Or perhaps there is a better way?

Vacelet, Manuel | 27 May 14:28 2016

Last-Modified header overridden

Hi all,

I got a weird behavior with apache 2.4.12 (from RHEL scl for that matter).

I have a php application (behind fcgi/fpm) that sets Last-Modified header like:
<?php header('Last-Modified: never');

but when I curl the page, the header sent is:
< Last-Modified: Thu, 01 Jan 1970 00:00:00 GMT

When the date is correct in my php app, the returned value is OK but as soon as it's not RFC valid, it's modified.

Note: I tested with nginx instead of apache, nginx doesn't modify the header so it's not an issue with the php/fpm part.

Any idea ?

Akira Murakami | 26 May 09:17 2016

SSL problem related to ServerName directive

Hi,

I am trying to use Apache 2.2.21 and Subversion 1.18.11
with OpenSSL 1.0.2h on Windows Server 2008 R2 Enterprise.

I have a problem which is related to ServerName directive on httpd-ssl.conf.

When I type in the host name of URL such as "www.example.com" on ServerName
directive,
the Browser(IE) shows error message stating that "Internet Explorer cannot
display the webpage".

But when I type machine name of server on ServerName directive,
the browser shows correct page.
Even though I can access the browser with this method, I still cannot
access SVN client because of SSL hand-shake error.

Any help is appreciated.

Mohanavelu Subramanian | 25 May 16:16 2016

Secured connection between Apache Httpd and Tomcat over AJP protocol

Hi All,

Good Morning.

I have Httpd process and Tomcat instances both running on 2 different machines. The communication between them happens through AJP protocol (mod_jk) which doesn't support encryption. But we are using some features of mod_jk like automatic passing of security information like SSL certificate to tomcat which in turn is accessed in our application, validated and verified.

Now, we have requirement to make the communication between them as Secured.
Since AJP doesn't support encryption, I came to know that we need to use SSH, IPSec. But I could not find any proper document to configure SSH or IPSec for AJP. Could you please share if you have any.

I have considered mod_proxy_http as well for supporting security which is easy to configure as well. But as I mentioned above we are already making use of mod_jk features. Again it will require more efforts to migrate from mod_jk to mod_proxy_http.

Any other suggestions please.

Thanks in Advance.

Best Regards,
Mohan

Sergio Fernández Rubio | 25 May 16:01 2016

mod_log_sql creating null columns

Good morning.

I am using the mod_log_sql plugin to apache, in order to save logs in a MySQL db.
I am only saving values in 4 columns, but in the created table, there are 25 columns.
I would like to know if there's any way to remove those columns instead of saving NULL values.

Thank you!

Sergio Fernández Rubio
(+34) 687 016 994
sergio1993_1 <at> hotmail.com

Miguel González | 24 May 12:06 2016

rewrite in .htaccess

Hi all,

  I'm having issues with a migration to a new domain redirecting all
URLs to the new domain.

  My .htaccess looks like this:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

RewriteCond %{HTTP_HOST} ^oldomain\.com$ [OR]
RewriteCond %{HTTP_HOST} ^www.olddomain.com$
RewriteRule ^(.*)$ http://www.newdomain.com/$1 [R=302,L]

For the time being I'm using a 302 redirect until I make sure it works.

My main problem is that if I type old.domain.com I get redirected to
www.newdomain.com. But if I type some sections, I don't get any redirection:

olddomain.com/team/
olddomain.com/contact/
etc

I have purged the Varnish cache in case there is any issue because the
only section that gets redirected is oldomain.com/wp-admin/ (which is
bypassed by Varnish).

I have Apache 2.4.18 from Cpanel and behind Varnish

Thanks,

Miguel

Daniel Betz | 24 May 10:27 2016

unsubscribe

 

