Salatiel Filho | 22 Dec 16:57 2014

Help to understand "satisfy any" on directory and location directives

Hello, I am trying to password protect my server, allowing different
users to access different locations.

The basic configuration is:

        <Directory />
                Options FollowSymLinks
                AllowOverride None
                Deny from all
        </Directory>
        <Directory /var/www/>
                Options -Indexes FollowSymLinks MultiViews
                AllowOverride None
                AuthName Intranet
                AuthType Basic
                AuthBasicProvider file
                AuthUserFile /etc/apache2/passwd
                Require user user1
                Satisfy any
        </Directory>

        <Location /restricted>
                AuthName restricted
                AuthType Basic
                AuthBasicProvider file
                AuthUserFile /etc/apache2/passwd
                Require user user2
                Satisfy any
        </Location>


Carlos Ross | 22 Dec 15:38 2014

RE: Unsubscribe

Please unsubscribe me - don't want any more junk email.

> To: users <at> httpd.apache.org
> From: Gregory.Wahl <at> Colorado.EDU
> Date: Fri, 19 Dec 2014 20:03:32 +0000
> Subject: [users <at> httpd] Unsubscribe
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe <at> httpd.apache.org
> For additional commands, e-mail: users-help <at> httpd.apache.org
>
Adarsh Sharma | 22 Dec 07:58 2014

Apache failed to restart

Hi,

I am using apache2 for running all my Nagios servers, and all servers are working fine with Ubuntu 10.4 and Apache 2.2.14, but I am not able to understand why my Nagios UI is not opening, as I can see apache2 failed to restart due to the error below:

root@d101:~# cat /etc/issue
Ubuntu 12.04.5 LTS \n \l

root@d101:~# apache
apache2     apache2ctl  apachectl  
root@dbmon1001:~# apache2 -V
Server version: Apache/2.2.22 (Ubuntu)
Server built:   Jul 22 2014 14:35:25
Server's Module Magic Number: 20051115:30
Server loaded:  APR 1.4.6, APR-Util 1.3.12
Compiled using: APR 1.4.6, APR-Util 1.3.12
Architecture:   64-bit
Server MPM:     Prefork
  threaded:     no
    forked:     yes (variable process count)

root@d101:~# /etc/init.d/apache2 restart
Syntax error on line 31 of /etc/apache2/sites-enabled/graphite.conf:
Name duplicates previous WSGI daemon definition.
Action 'configtest' failed.
The Apache error log may have more information.
   ...fail!
root@dbmon1001:~#

root >cat  /etc/apache2/sites-enabled/graphite.conf: ( Bold/Italic are lines 21 and 31 respectively )

WSGISocketPrefix run/wsgi
WSGIImportScript /opt/graphite/conf/graphite.wsgi process-group=graphite application-group=%{GLOBAL}

<VirtualHost *:8010>
        ServerName graphite
        DocumentRoot "/opt/graphite/webapp"
        ErrorLog /opt/graphite/storage/log/webapp/error.log
        CustomLog /opt/graphite/storage/log/webapp/access.log common

        # I've found that an equal number of processes & threads tends
        # to show the best performance for Graphite (ymmv).
        WSGIDaemonProcess graphite processes=20 threads=20 display-name='%{GROUP}' inactivity-timeout=120
        WSGIProcessGroup graphite
        WSGIApplicationGroup %{GLOBAL}
         
        # XXX You will need to create this file! There is a graphite.wsgi.example
        # file in this directory that you can safely use, just copy it to graphite.wgsi
        WSGIScriptAlias / /opt/graphite/conf/graphite.wsgi
            
        Alias /content/ /opt/graphite/webapp/content/
        <Location "/content/">
                SetHandler None
        </Location>

        # XXX In order for the django admin site media to work you
        # must change @DJANGO_ROOT@ to be the path to your django
        # installation, which is probably something like:
        # /usr/lib/python2.6/site-packages/django
        Alias /media/ "@DJANGO_ROOT@/contrib/admin/media/"
        <Location "/media/">
                SetHandler None
        </Location>

        # The graphite.wsgi file has to be accessible by apache. It won't
        # be visible to clients because of the DocumentRoot though.
        <Directory /opt/graphite/conf/>
                Order deny,allow
                Allow from all
        </Directory>

</VirtualHost>

I checked in the logs as well but there is no useful information regarding this error.
Has anyone faced this kind of issue before? Please let me know how I can fix this kind of issue.

Strange apache2 ports are listening :

root@d101:~# netstat -lntp | grep apache2
tcp        0      0 0.0.0.0:8010            0.0.0.0:*               LISTEN      10036/apache2  
tcp        0      0 0.0.0.0:9999            0.0.0.0:*               LISTEN      10036/apache2  
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      10036/apache2  
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      10036/apache2  
root@d101:~#

Thanks
Rose, John B | 19 Dec 20:30 2014

memory-mapping and updating cached content in RAM question

Red Hat 7 Apache 2.4.6
Filesystem is local

How does updating the cache in RAM of frequently viewed pages with MMapFile work if you change sections of
the page frequently, but say 75% of page stays the same?  Like calendar
Items on the page. Or news releases. Since that is common nowadays. 

Do we have to restart Apache to update the cache?

Thanks


congo | 19 Dec 14:53 2014

load balancing based on source IP

hello,

what is the best way of obtaining IP stickiness in the apache httpd load
balancer? I currently run httpd 2.2.29 (FreeBSD), 64bit Prefork,
of course with the mod_proxy* modules enabled.

However, the case is that I want to direct requests from one IP to
one backend, and all other requests to another backend, but on the
same hostname and url.

Is it possible?

br
congo
Ronald Verlaan | 19 Dec 09:40 2014

apache ldap issue

Hi all,


I am trying to use ldap to have users authenticate when accessing nagios (web-based monitoring tool) in their web browser.


When accessing nagios the browser responds with a popup window, asking for credentials (username, password). Authentication then fails.


Error in /var/log/httpd/error.log:

[Thu Dec 18 16:43:42 2014] [debug] mod_authnz_ldap.c(432): [client 192.168.112.196] [12830] auth_ldap authenticate: using URL ldap://ad.blue.local/dc=blue,dc=local?sAMAccountName
[Thu Dec 18 16:43:42 2014] [info] [client 192.168.112.196] [12830] auth_ldap authenticate: user ronald authentication failed; URI /nagios/ [ldap_search_ext_s() for user failed][Operations error]

This on Centos 6.6, using apache 2.2.15

Web browser used is firefox and/or chrome.


Contents of /etc/httpd/conf.d/authz_ldap.conf:


LogLevel debug
LoadModule authz_ldap_module modules/mod_authz_ldap.so
<IfModule mod_authz_ldap.c>
   <Location /nagios>
   AuthBasicProvider ldap
   AuthLDAPURL "ldap://ad.blue.local/dc=deepocean,dc=local?sAMAccountName" NONE
   AuthzLDAPAuthoritative on
   AuthLDAPBindDN "nagiosadmin@blue.local"
   AuthLDAPBindPassword "7f7g67d6s"
      AuthType Basic
      AuthName "Nagios Access"
      require valid-user
   </Location>
</IfModule>


I am stuck now and don't know how to troubleshoot any further.

Using ldapsearch the user ronald is found in ldap!

Any help would be appreciated!

Kind regards,
 
Ronald Verlaan
----------------------------------------------------------------------------
Metis IT B.V.
Kalfjeslaan 70 | 2623 AJ | Delft | www.metisit.com
----------------------------------------------------------------------------
Telephone +31 15 737 00 12 | Mobile +31 6 42 50 80 65
E-mail ronald.verlaan <at> metisit.com | KvK 34247070
----------------------------------------------------------------------------
This message may contain information that is not intended for you. If you are not the addressee or this message has been sent to you in error, you are requested to notify the sender and delete the message. Metis IT B.V. accepts no liability for damage, of whatever nature, related to risks associated with the electronic transmission of messages.
Bryan K. Walton | 18 Dec 18:44 2014

Learn more about how Apache writes log files to disk (and impact on i/o)

Hi,

I'm trying to learn more about the technical details regarding how Apache writes to log files. 
Specifically, does Apache call an fsync() on log writes or perhaps just a close()?

Just trying to figure out how much log writing contributes to disk i/o with Apache 2.2.

I would appreciate any insight a developer might offer me on this issue.
Thanks,
Bryan
Sylvain Goulmy | 18 Dec 14:30 2014

Apache 2.4 create a huge amount of shared memory segments

I'm currently working on a migration from Apache 2.2 to 2.4 (2.4.10). I'm facing an issue with the usage of proxy_balancer with Apache 2.4. They now require the mod_slotmem_shm.so module to work correctly. 

I have added this module but I noticed that a single proxy_balancer now creates many shared memory segments on the OS. The problem is that my configuration declares many proxy_balancers (nearly 100); actually, as soon as I declare more than 10 proxy balancers, I encounter this error:

    [proxy_balancer:emerg] [pid 1430:tid 140583699289856] (28)No space left on device: AH01185: worker slotmem_create failed

After much investigation I finally identified that the shared memory segment is the resource being exceeded, which raises that error.

On my OS (RHEL 6.4), I have the following configuration:

    ------ Shared Memory Limits --------
    max number of segments = 4096
    max seg size (kbytes) = 67108864
    max total shared memory (kbytes) = 17179869184
    min seg size (bytes) = 1

I also noticed that a single proxy_balancer creates almost 350 shm on the system.

Is it normal that a single proxy_balancer creates so many shm?

Do I really have to increase the memory segments on my system in huge proportion to handle all my proxy_balancers?

Am I missing something? :)

Thanks in advance.
James Smith | 17 Dec 17:42 2014

Apache 2.4 failing to start as non-privileged user can't write to /var/lock & /var/run

I have just upgraded from apache 2.2 to apache 2.4 - running apache2 as (me)
a non-privileged user... as part of a development server....

When I start apache I get the following errors (to screen)..

mkdir: cannot create directory '/var/run/apache2': Permission denied
chown: changing ownership of '/var/lock/apache2.SflOHVQnC2': Operation 
not permitted
mkdir: cannot create directory '/var/run/apache2': Permission denied
chown: changing ownership of '/var/lock/apache2.LDivziHYgr': Operation 
not permitted

and in the error logs...

[Wed Dec 17 15:30:56.576419 2014] [core:info] [pid 6729] AH00096: 
removed PID file /www/tmp/js5/www-dev/logs/apache2.pid (pid=6729)
[Wed Dec 17 15:30:56.576451 2014] [mpm_prefork:notice] [pid 6729] 
AH00169: caught SIGTERM, shutting down
[Wed Dec 17 15:31:00.990415 2014] [core:emerg] [pid 6790] (13)Permission 
denied: AH00023: Couldn't create the proxy mutex (file 
/var/lock/apache2/proxy.6790)
[Wed Dec 17 15:31:00.990492 2014] [proxy:crit] [pid 6790] (13)Permission 
denied: AH02478: failed to create proxy mutex

I have configured:

PidFile               ${PAGESMITH_SERVER_LOGS}/apache2.pid
Mutex               file:${APACHE_LOCK_DIR} default

where these point to directories in /www/tmp/js5, additionally 
APACHE_RUN_DIR is set to
a path in /www/tmp/js5

so don't expect Apache to be trying to write to the /var/run and 
/var/lock directories,
are there any other locations/configuration directives that I need to 
change to stop
the site writing these files...

James

-- 
 The Wellcome Trust Sanger Institute is operated by Genome Research 
 Limited, a charity registered in England with number 1021457 and a 
 company registered in England with number 2742969, whose registered 
 office is 215 Euston Road, London, NW1 2BE. 
Fabricio Pedroso Jorge | 17 Dec 03:36 2014

Apache HTTP Server and Weblogic Plug-in for Apache

Hi all,

   I am trying to configure a test env with an Apache HTTP Server and an Oracle Weblogic 12c Cluster. The configuration is:

   Apache HTTP Server: 192.168.0.149
   Weblogic Cluster......: 192.168.0.129 (2 Clustered Managed Servers in the same server for testing purposes).

The configuration of my httpd.conf file, regarding the plug-in configurations can be seen below:


[...]
Listen 8080
[...]
LoadModule weblogic_module modules/mod_wl.so
[...]
<IfModule mod_weblogic.c>
   WeblogicHost 192.168.0.123
   WeblogicPort 7005
</IfModule>

<Location /benefits>
   SetHandler weblogic-handler
   WLSocketTimeoutSecs 20
</Location>

When I try to access my app (benefits) using the address http://192.168.0.149:8080/benefits, I get the following error:

No backend server available for connection: timed out after 10 seconds or idempotent set to OFF or method not idempotent.

At the error_log, the error message is the following:

[Tue Dec 16 23:37:14 2014] [error] [client 192.168.0.118] <849214187838263> weblogic: *******Exception type [NO_RESOURCES] (apr_socket_connect call failed with error=13, host=192.168.0.123, port=7006 ) raised at line 1682 of URL.cpp
[Tue Dec 16 23:37:14 2014] [error] [client 192.168.0.118] weblogic: Trying GET /benefits at backend host '192.168.0.123/7006; got exception 'NO_RESOURCES: [os error=13,  line 1682 of URL.cpp]: apr_socket_connect call failed with error=13, host=192.168.0.123, port=7006 '
[Tue Dec 16 23:37:16 2014] [error] [client 192.168.0.118] <849214187838263> weblogic: *******Exception type [NO_RESOURCES] (apr_socket_connect call failed with error=13, host=192.168.0.123, port=7005 ) raised at line 1682 of URL.cpp
[Tue Dec 16 23:37:16 2014] [error] [client 192.168.0.118] weblogic: Trying GET /benefits at backend host '192.168.0.123/7005; got exception 'NO_RESOURCES: [os error=13,  line 1682 of URL.cpp]: apr_socket_connect call failed with error=13

What am I doing wrong? Thanks for the attention and patience.

--
Fabrício Pedroso Jorge.

Database Administrator
Oracle 11g Certified SQL Expert
Oracle 11g Certified Associate
Oracle 11g Certified Professional
Linux Professional Institute Certified Level I (LPIC-I)
ITIL V3 Foundations
certificacaodb.com.br

Professional Summary:
http://br.linkedin.com/in/fabriciojorge

Contacts:
+ 55 91 88991116
skype: fabricio.pedroso.jorge
fpjbito <at> gmail.com
J Tom Moon 79 | 17 Dec 01:55 2014

apache 2.4 enable SSL for simple VirtualHost *:8843

I'm unable to simply enable SSL for a VirtualHost using a very simple configuration.

I recently upgraded Ubuntu 12 to Ubuntu 14.  apache was upgraded from 2.2 to 2.4.7.  I've checked the 2.4 docs for 2.2->2.4 changes and reviewed my configuration scripts in depth.
I can create an unencrypted VirtualHost (http) but not an encrypted one (https) on port 8843.  I can browse to the site just fine with http://server:8843 (I see the expected index.html file).  If I try https://server:8843 I get "ssl_error_rx_record_too_long" error (using Firefox 33).

I've tried many options within the configuration files.  I haven't drastically changed any pre-configured apache configuration files.  The apache2 service does see my changes but just seems to not enable SSL.
Here is a selected summary of all the related files.  Can anyone identify what I'm missing?

----

__/etc/apache2/apache2.conf__
  ...
  ErrorLog ${APACHE_LOG_DIR}/error.log
  LogLevel debug
  IncludeOptional mods-enabled/*.load
  IncludeOptional mods-enabled/*.conf
  Include ports.conf
  ...
  IncludeOptional conf-enabled/*.conf
  IncludeOptional sites-enabled/*.conf

__/etc/apache2/mods-enabled/ssl.load__
  # Depends: setenvif mime socache_shmcb
  LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so

__/etc/apache2/mods-enabled/ssl.conf__
  <IfModule ssl_module>
  # I've tried both of the following sets for SSLRandomSeed
  SSLRandomSeed startup builtin
  SSLRandomSeed connect builtin
  SSLRandomSeed startup file:/dev/urandom 512
  SSLRandomSeed connect file:/dev/urandom 512
  
  AddType application/x-x509-ca-cert .crt
  AddType application/x-pkcs7-crl .crl
  
  # tried with and without the next option
  #SSLPassPhraseDialog exec:/usr/share/apache2/ask-for-passphrase
  
  SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
  SSLSessionCacheTimeout 300
  SSLCipherSuite all
  SSLProtocol all     # tried this as 'HIGH:!aNULL:!MD5'
  SSLInsecureRenegotiation on   # tried this on and off
  ErrorLog /var/log/apache2/mod_ssl.log
  LogLevel debug
  SSLStrictSNIVHostCheck Off 
  </IfModule>

__/etc/apache2/sites-enabled/ssl-test__
  # tried with and without each of the following
  #LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
  #LoadModule ssl_module modules/mod_ssl.so
  
  Listen 8843
  <VirtualHost *:8843>
  ServerName myserver
  SSLEngine on  # tried with this directive at the top and the bottom of this file
  DocumentRoot /var/www/
  <Directory "/var/www/">
       Options Indexes FollowSymLinks MultiViews
       AllowOverride None
       Order allow,deny
       allow from all
       SSLRequireSSL  # tried with and without this directive
  </Directory>
  ErrorLog ${APACHE_LOG_DIR}/ssl-test.log
  SSLCertificateFile /etc/ssl/certs/test1.cert.pem
  SSLCertificateKeyFile /etc/ssl/private/test1.cert.key
  
  # tried with and without all of the following directives
  SSLCipherSuite HIGH:!aNULL:!MD5
  #SSLCipherSuite HIGH
  SSLProtocol -all +TLSv1 +SSLv3
  #SSLProtocol all
  SSLVerifyClient none  
  SSLProxyEngine off   
  SSLRequireSSL   
  SSLRandomSeed startup file:/dev/urandom 1024  
  SSLRandomSeed connect file:/dev/urandom 1024
  </VirtualHost>

__/etc/apache2/ports.conf__
  <IfModule ssl_module>
  Listen 8843
  </IfModule>

The user that runs apache2 is user www-data .  
I have tested that www-data and root can access the key files /etc/ssl/certs/test1.cert.pem /etc/ssl/private/test1.cert.key .
  $ sudo -u www-data cp /etc/ssl/certs/test1.cert.pem /etc/ssl/private/test1.cert.key /tmp/

I have checked that /usr/lib/apache2/modules/mod_ssl.so exists and is executable.
  $ sudo -u www-data ls -l /usr/lib/apache2/modules/mod_ssl.so
  -rwxr-xr-x 1 root root 211184 Jul 22 07:38 /usr/lib/apache2/modules/mod_ssl.so

I have tailed the relevant apache2 logs and checked for errors.  I see these SSL related messages on startup (including one skip message for 127.0.0.1:80, but then later there is a resuming message).
  [ssl:info] [pid 21186:tid 139942871500672] AH01887: Init: Initializing (virtual) servers for SSL
  [ssl:info] [pid 21186:tid 139942871500672] AH01876: mod_ssl/2.4.7 compiled against Server: Apache/2.4.7, Library: OpenSSL/1.0.1f
  [auth_digest:notice] [pid 21187:tid 139942871500672] AH01757: generating secret for digest authentication ...
  [auth_digest:debug] [pid 21187:tid 139942871500672] mod_auth_digest.c(250): AH01759: done
  [ssl:debug] [pid 21297:tid 140596905265024] ssl_engine_pphrase.c(181): AH02199: SSL not enabled on vhost 127.0.1.1:80, skipping SSL setup
  [socache_shmcb:debug] [pid 21297:tid 140596905265024] mod_socache_shmcb.c(389): AH00821: shmcb_init allocated 512000 bytes of shared memory
  ...
  [ssl:info] [pid 21297:tid 140596905265024] AH01887: Init: Initializing (virtual) servers for SSL
  [ssl:info] [pid 21297:tid 140596905265024] AH01876: mod_ssl/2.4.7 compiled against Server: Apache/2.4.7, Library: OpenSSL/1.0.1f
  [mpm_worker:notice] [pid 21297:tid 140596905265024] AH00292: Apache/2.4.7 (Ubuntu) OpenSSL/1.0.1f configured -- resuming normal operations
  [mpm_worker:info] [pid 21297:tid 140596905265024] AH00293: Server built: Jul 22 2014 14:36:38
  [core:notice] [pid 21297:tid 140596905265024] AH00094: Command line: '/usr/sbin/apache2'
  [mpm_worker:debug] [pid 21297:tid 140596905265024] worker.c(1829): AH00294: Accept mutex: fcntl (default: sysvsem)

The openssl binary runs and supports ciphers:
  $ openssl ciphers
  ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:...

I checked the apache2ctl binary compilation settings
  $ apache2ctl -V
  AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress   this message
  Server version: Apache/2.4.7 (Ubuntu)
  Server built:   Jul 22 2014 14:36:38
  Server's Module Magic Number: 20120211:27
  Server loaded:  APR 1.5.1-dev, APR-UTIL 1.5.3
  Compiled using: APR 1.5.1-dev, APR-UTIL 1.5.3
  Architecture:   64-bit
  Server MPM:     worker
    threaded:     yes (fixed thread count)
      forked:     yes (variable process count)
  Server compiled with....
   -D APR_HAS_SENDFILE
   -D APR_HAS_MMAP
   -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
   -D APR_USE_SYSVSEM_SERIALIZE
   -D APR_USE_PTHREAD_SERIALIZE
   -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
   -D APR_HAS_OTHER_CHILD
   -D AP_HAVE_RELIABLE_PIPED_LOGS
   -D DYNAMIC_MODULE_LIMIT=256
   -D HTTPD_ROOT="/etc/apache2"
   -D SUEXEC_BIN="/usr/lib/apache2/suexec"
   -D DEFAULT_PIDLOG="/var/run/apache2.pid"
   -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
   -D DEFAULT_ERRORLOG="logs/error_log"
   -D AP_TYPES_CONFIG_FILE="mime.types"
   -D SERVER_CONFIG_FILE="apache2.conf"

I checked apache2ctl settings
  $ apache2ctl -S
  AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
  VirtualHost configuration:
  ServerRoot: "/etc/apache2"
  Main DocumentRoot: "/var/www"
  Main ErrorLog: "/var/log/apache2/mod_ssl.log"
  Mutex authdigest-client: using_defaults
  Mutex ssl-stapling: using_defaults
  Mutex ssl-cache: using_defaults
  Mutex default: dir="/var/lock/apache2" mechanism=fcntl 
  Mutex mpm-accept: using_defaults
  Mutex authdigest-opaque: using_defaults
  Mutex watchdog-callback: using_defaults
  PidFile: "/var/run/apache2/apache2.pid"
  Define: DUMP_VHOSTS
  Define: DUMP_RUN_CFG
  Define: ENABLE_USR_LIB_CGI_BIN
  User: name="www-data" id=33
  Group: name="www-data" id=33

The apache2ctl syntax check is OK.
  $ apache2ctl -t
  AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
  Syntax OK

The file /etc/init.d/apache2 does start apache using /usr/sbin/apache2ctl (and not /usr/sbin/apache2 ).


Any ideas on what I need to enable SSL for this VirtualHost ?
Again, I can see HTTP response on 8443 but never HTTPS.

--
-JamesThomasMoon1979
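
One check worth running against the files listed in the post above, as an added example that is not part of the original message: it resolves the `Include`/`IncludeOptional` patterns from the posted apache2.conf against a directory listing and reports files that no pattern loads. The listing is constructed from the file names shown in the post, and the function names are hypothetical.

```python
import fnmatch
import re

# Include directives copied from the apache2.conf excerpt in the post.
APACHE2_CONF = """\
IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf
Include ports.conf
IncludeOptional conf-enabled/*.conf
IncludeOptional sites-enabled/*.conf
"""

# Constructed listing, relative to ServerRoot /etc/apache2, built only from
# the file names the post shows.
LISTING = [
    "ports.conf",
    "mods-enabled/ssl.load",
    "mods-enabled/ssl.conf",
    "sites-enabled/ssl-test",
]

INCLUDE_RE = re.compile(
    r"^[ \t]*(Include(?:Optional)?)[ \t]+\"?([^\"\s]+)\"?",
    re.IGNORECASE | re.MULTILINE,
)


def include_patterns(conf_text):
    """Return (directive, pattern) pairs, skipping commented-out lines."""
    return [(m.group(1), m.group(2)) for m in INCLUDE_RE.finditer(conf_text)]


def matches(path, pattern):
    """Match segment by segment so '*' never crosses a '/'."""
    p_parts, g_parts = path.split("/"), pattern.split("/")
    return len(p_parts) == len(g_parts) and all(
        fnmatch.fnmatchcase(p, g) for p, g in zip(p_parts, g_parts)
    )


def unloaded_files(conf_text, listing):
    """Files present on disk that no Include/IncludeOptional pattern picks up."""
    patterns = [pat for _, pat in include_patterns(conf_text)]
    return [f for f in listing if not any(matches(f, pat) for pat in patterns)]


def silent_empty_includes(conf_text, listing):
    """IncludeOptional patterns matching nothing: accepted silently by httpd."""
    return [
        pat for directive, pat in include_patterns(conf_text)
        if directive.lower() == "includeoptional"
        and not any(matches(f, pat) for f in listing)
    ]


if __name__ == "__main__":
    for f in unloaded_files(APACHE2_CONF, LISTING):
        print("never included:", f)
    for pat in silent_empty_includes(APACHE2_CONF, LISTING):
        print("IncludeOptional matched no files:", pat)
```

The `apache2ctl -S` output in the post lists no virtual hosts under `VirtualHost configuration:`, which is what a vhost file that was never read looks like.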
