Manoj Ramakrishnan | 3 Aug 02:20 2015

domain status in balancer-manager

Hi Folks,

I have a question regarding the status of a domain in the http://localhost/balancer-manager page of httpd.

Sometimes I get the status "Init Ok" and some other time it's "OK". Is there any difference between these? I did some googling and could not find an answer.
If anyone knows the different status flags balancer-manager uses, then please share the knowledge; a link to any documentation is highly appreciated.

Thanks so much for your support. 

Cheers

Manoj

David Balažic | 31 Jul 23:07 2015

Forward proxy for non-443 port fails

Hi!

I have set up apache2-2.2.10-2.24.5 on SLES 11 SP1 as a forward proxy.
(see conf file below)

Then I set it as a proxy in Firefox on another PC and did some tests.

HTTP access works fine to all tested sites (local and public internet) on different ports (80, 7001 etc.).
HTTPS works to port 443 (https://www.google.com and so on) but it fails for all other (tested) ports.

For example:

http://some.public.internet.site.org:8443
https://some-intranet-server:8081

The error reported by Firefox is a boilerplate error page:

The proxy server is refusing connections
Firefox is configured to use a proxy server that is refusing connections.
    Check the proxy settings to make sure that they are correct.
    Contact your network administrator to make sure the proxy server is working.

I sniffed the traffic between firefox and apache in this case and it is:

From Firefox to proxy:
CONNECT some.public.internet.site.org:8443 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Proxy-Connection: keep-alive
Connection: keep-alive
Host: some.public.internet.site.org:8443

From proxy to Firefox:
HTTP/1.1 403 Forbidden
Date: Fri, 31 Jul 2015 20:54:19 GMT
Server: Apache/2.2.10 (Linux/SUSE)
Vary: accept-language,accept-charset
Accept-Ranges: bytes
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
Content-Language: en

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<title>Access forbidden!</title>
<link rev="made" href="mailto:my_personal_address <at> example.org" />
<style type="text/css"><!--/*--><![CDATA[/*><!--*/
    body { color: #000000; background-color: #FFFFFF; }
    a:link { color: #0000CC; }
    p, address {margin-left: 3em;}
    span {font-size: smaller;}
/*]]>*/--></style>
</head>

<body>
<h1>Access forbidden!</h1>
<p>
    You don't have permission to access the requested object.
    It is either read-protected or not readable by the server.
</p>
<p>
If you think this is a server error, please contact
the <a href="mailto:my_personal_address <at> example.org">webmaster</a>.
</p>

<h2>Error 403</h2>
<address>
  <a href="/">some.public.internet.site.org</a><br />
  <span>
Fri Jul 31 22:54:19 2015<br />
Apache/2.2.10 (Linux/SUSE)</span>
</address>
</body>
</html>

It is an error page generated by apache (it has the email address I set in the config).

Here is the debug log for:
 - failed SSL connection to port 8443

[Fri Jul 31 21:40:57 2015] [debug] mod_proxy_connect.c(68): proxy: CONNECT: canonicalising URL some.public.internet.site.org:8443
[Fri Jul 31 21:40:57 2015] [debug] proxy_util.c(1345): [client 10.49.9.212] proxy: *: found forward proxy worker for some.public.internet.site.org:8443
[Fri Jul 31 21:40:57 2015] [debug] mod_proxy.c(756): Running scheme some.public.internet.site.org handler (attempt 0)
[Fri Jul 31 21:40:57 2015] [debug] mod_proxy_connect.c(104): proxy: CONNECT: serving URL some.public.internet.site.org:8443
[Fri Jul 31 21:40:57 2015] [debug] mod_proxy_connect.c(120): proxy: CONNECT: connecting some.public.internet.site.org:8443 to some.public.internet.site.org:8443
[Fri Jul 31 21:40:57 2015] [debug] mod_proxy_connect.c(137): proxy: CONNECT: connecting to remote proxy some.public.internet.site.org on port 8443

 - failed SSL connection to port 8081

[Fri Jul 31 22:41:28 2015] [debug] mod_proxy_connect.c(68): proxy: CONNECT: canonicalising URL some-intranet-server:8081
[Fri Jul 31 22:41:28 2015] [debug] proxy_util.c(1498): [client 10.49.9.212] proxy: *: found forward proxy worker for some-intranet-server:8081
[Fri Jul 31 22:41:28 2015] [debug] mod_proxy.c(988): Running scheme some-intranet-server handler (attempt 0)
[Fri Jul 31 22:41:28 2015] [debug] mod_proxy_connect.c(104): proxy: CONNECT: serving URL some-intranet-server:8081
[Fri Jul 31 22:41:28 2015] [debug] mod_proxy_connect.c(121): proxy: CONNECT: connecting some-intranet-server:8081 to some-intranet-server:8081
[Fri Jul 31 22:41:28 2015] [debug] mod_proxy_connect.c(144): proxy: CONNECT: connecting to remote proxy some-intranet-server on port 8081

 - successful SSL connection to port 443

[Fri Jul 31 21:40:50 2015] [debug] mod_proxy_connect.c(68): proxy: CONNECT: canonicalising URL another.public.internet.site.org:443
[Fri Jul 31 21:40:50 2015] [debug] proxy_util.c(1345): [client 10.49.9.212] proxy: *: found forward proxy worker for another.public.internet.site.org:443
[Fri Jul 31 21:40:50 2015] [debug] mod_proxy.c(756): Running scheme another.public.internet.site.org handler (attempt 0)
[Fri Jul 31 21:40:50 2015] [debug] mod_proxy_connect.c(104): proxy: CONNECT: serving URL another.public.internet.site.org:443
[Fri Jul 31 21:40:50 2015] [debug] mod_proxy_connect.c(120): proxy: CONNECT: connecting another.public.internet.site.org:443 to another.public.internet.site.org:443
[Fri Jul 31 21:40:50 2015] [debug] mod_proxy_connect.c(137): proxy: CONNECT: connecting to remote proxy another.public.internet.site.org on port 443

The proxy's response for a successful connection is:

CONNECT another.public.internet.site.org:443 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Proxy-Connection: keep-alive
Connection: keep-alive
Host: another.public.internet.site.org:443

HTTP/1.0 200 Connection Established
Proxy-agent: Apache/2.2.10 (Linux/SUSE)

(then Firefox sets up an SSL channel to the remote server)

Config:

Loaded modules (besides the default) : proxy proxy_http headers proxy_connect 

Listen 8080
ServerAdmin my_personal_address <at> example.org

<VirtualHost _default_:8080>

    ProxyRequests On
    # this does not make a difference
    SSLProxyEngine On

    ErrorLog /var/log/apache2/debug.log
    LogLevel debug

    <Proxy *>
      Order deny,allow
      Deny from all
      # 192.168.3.55 is the PC running Firefox
      Allow from 127.0.0.1 192.168.3.55
    </Proxy>
</VirtualHost>

Is there something obvious I am missing?

Both the firefox PC and the PC running apache2 have unrestricted access to all tested websites. The sites
work from Firefox when no proxy is set. They are also accessible from the PC running apache.

Kind regards,
David Balažic
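A forward-proxy vhost added here as an example (it is not the poster's config): mod_proxy_connect answers CONNECT with a bare 403 for any destination port not listed in AllowCONNECT, whose built-in default is 443 and 563, and in 2.2 that refusal writes no error-log line, which is why the debug log above simply stops after "connecting to remote proxy ... on port 8443". Port numbers, the client address and the log path are taken from the post; the directive placement is assumed.

```apache
# Added example, not the original poster's configuration.
Listen 8080
ServerAdmin my_personal_address@example.org

<VirtualHost _default_:8080>
    ProxyRequests On

    # mod_proxy_connect only tunnels CONNECT requests to the ports listed
    # here. The compiled-in default is "443 563", which is why CONNECT to
    # 8443 and 8081 was refused with 403 while 443 worked. List only the
    # ports that are actually needed: every port added here is a TCP
    # tunnel that any permitted client can open to any host.
    AllowCONNECT 443 563 8443 8081

    # Keep the client restriction from the post so that only localhost
    # and the Firefox PC can use the proxy at all. (httpd config does not
    # allow trailing comments on a directive line, hence this line.)
    <Proxy *>
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1 192.168.3.55
    </Proxy>

    # SSLProxyEngine is not needed for CONNECT tunnelling: the TLS session
    # runs end to end between Firefox and the remote server.
    ErrorLog /var/log/apache2/debug.log
    LogLevel debug
</VirtualHost>
```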
shailender | 31 Jul 08:57 2015

apache being used as proxy server not working properly

Hi,

I have a scenario where serverA -> serverB (apache) -> serverC.

The scenario we have is that serverC can be any IP address, which will be provided by
serverA in the request to apache.

The request sent by serverA is /Command1/10.10.10.10:80
I have defined ProxyPass rules in my httpd.conf. Below are the same:

<VirtualHost *:80>
        KeepAliveTimeout 5
        MaxKeepAliveRequests 5
        Timeout 5
        KeepAlive on
        ProxyPreserveHost On
        ProxyTimeout 5
        ProxyRequests off

        ProxyPass /Command1/ip=(.*) http://$1/Command1
        ProxyPassReverse /Command1/ip=(.*) http://$1/Command1

</VirtualHost>

When I restart apache and send a request, I get an error which I see in the error logs:
 AH00128: File does not exist: /somePath/Command1/ip=10.10.10.10:80

If I hardcode the IP in ProxyPass then everything works fine.

But as I stated, the serving IP has to be picked from the request sent by serverA.

I then tried using a Rewrite rule for proxying, which is as below:
<VirtualHost *:80>
        KeepAliveTimeout 5
        MaxKeepAliveRequests 5
        Timeout 5
        KeepAlive on
        ProxyPreserveHost On
        ProxyTimeout 5
        ProxyRequests off

        RewriteEngine On

        RewriteRule /Command1/ip=(.*)  http://$1/Command1 [P]
</VirtualHost>
After using rewrite I'm able to forward requests to serverC, but not all the
requests are being sent. Also in the logs I see
 AH02642: proxy: connection shutdown

The above message is logged every time after apache has sent a request to serverC.

Could anybody please help me in resolving this?

What I'm looking for is all requests being propagated to the correct server.

Thanks 

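An httpd 2.4 fragment added as an example (not the poster's config): ProxyPass takes a literal path prefix, so "/Command1/ip=(.*)" never matches a real request, the request falls through to the filesystem, and the result is the AH00128 "File does not exist" above; a regular expression needs ProxyPassMatch. Because the backend address is taken from the client's request, the pattern is also narrowed to one backend subnet (10.10.10.0/24, assumed from the sample address in the post) so the vhost cannot be made to relay requests to arbitrary hosts.

```apache
# Added example, not the original poster's configuration.
<VirtualHost *:80>
    KeepAlive on
    KeepAliveTimeout 5
    MaxKeepAliveRequests 5
    Timeout 5
    ProxyPreserveHost On
    ProxyTimeout 5

    # Stay a reverse proxy: forward-proxy requests (ProxyRequests On)
    # are not needed to reach serverC.
    ProxyRequests off

    # ProxyPassMatch, not ProxyPass, evaluates a regex. $1 is the backend
    # address (optionally with :port) captured from the path. The address
    # is pinned to the 10.10.10.0/24 subnet (assumed here); a request
    # naming any other host simply does not match and gets a 404 instead
    # of being proxied.
    ProxyPassMatch "^/Command1/ip=(10\.10\.10\.\d{1,3}(?::\d{1,5})?)/?$" "http://$1/Command1"

    # ProxyPassReverse is left out: its backend URL must be literal and
    # cannot use the $1 back-reference, so Location headers from serverC
    # are passed through unchanged.
</VirtualHost>
```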
weihua zhang | 31 Jul 01:01 2015

content length question

I ran into this content length issue lately and am trying to see if this is the right place to ask.

Really new to this, so please bear with me here.

Basically, a POST request is received with content_length set to the compressed data length; apache decompresses it but leaves the content_length intact.

When I get the raw POST data using the php://input stream, the data gets cut off in the middle; according to the PHP source code I checked, content_length is used to put the data into the stream.

My question is: can apache adjust the content length after the decompression? How?
I looked through the mod_deflate page, but can't figure it out...

Thanks a lot

jetz3874
Matias Visbeek | 30 Jul 16:39 2015

Remove carriage returns from certificate

Hi,

I'm using the following architecture

Client > Apache HTTP Server > OHS > WLS

Where OHS stands for Oracle Http Server and WLS stands for Oracle Weblogic Application Server.

Using HTTPS, I've established a 2-way SSL configuration for all the segments in the connection.
WLS uses a specific header called WL-Proxy-Client-Cert which contains the client certificate encoded in Base64, and then maps one of the DN attributes to a user for authentication. This is solved in OHS by the use of the Weblogic Plugin, which adds this specific header to the request when setting SSLOptions +ExportCertData.

This works fine when using the following: Client > OHS > WLS. The original client certificate is passed to Weblogic. But when we add the Apache HTTP Server, this information needs to be passed manually using RequestHeader add WL-Proxy-Client-Cert "%{SSL_CLIENT_CERT}s". The thing is that this adds the Base64 certificate with -----BEGIN CERTIFICATE----- -----END CERTIFICATE----- and various carriage returns (I assume this is due to OpenSSL), but Weblogic doesn't recognize that and requires the Base64 encoding in just one line without any additional characters at the beginning and the end.

Is there a way to achieve this one-line Base64 certificate? Do I need to change any configuration? I tried to look for a way of stripping those characters inside the httpd.conf file but found nothing. Any workaround suggestion?

Thanks in advance.

Matías Visbeek
Sunil R | 30 Jul 05:37 2015

SSL handshake failure after httpd upgrade to 2.4.12

I'm trying to upgrade the Apache version from httpd 2.2.25 to 2.4.12. I'm building apache with the same openssl version 0.9.8. After the upgrade I see that the openssl s_client query to the server fails with the error:

[Mon Jul 27 02:57:47.982584 2015] [ssl:info] [pid 22460:tid 1943075728] SSL Library Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

The openssl client version is OpenSSL 0.9.8g (OpenSSL/FIPS). In the httpd config file I have disabled SSLv2 and SSLv3.

When I enable debug options on the s_client, this is the output:


Linux# /isan/bin/openssl s_client -connect localhost:443 -debug -state -msg
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0x9d606b0 [0x9d61678] (124 bytes => 124 (0x7C))
0000 - 80 7a 01 03 01 00 51 00-00 00 20 00 00 39 00 00   .z....Q... ..9..
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0   8..5............
0020 - 00 00 33 00 00 32 00 00-2f 00 00 07 05 00 80 03   ..3..2../.......
0030 - 00 80 00 00 05 00 00 04-01 00 80 00 00 15 00 00   ................
0040 - 12 00 00 09 06 00 40 00-00 14 00 00 11 00 00 08   ......@.........
0050 - 00 00 06 04 00 80 00 00-03 02 00 80 68 fd d4 c6   ............h...
0060 - 77 4c 5e ef 2f 41 d4 18-e6 f8 6d d3 9e 8c b2 2d   wL^./A....m....-
0070 - b4 81 83 fd c7 63 f6 8b-fe 26 e9 97               .....c...&..
>>> SSL 2.0 [length 007a], CLIENT-HELLO
    01 03 01 00 51 00 00 00 20 00 00 39 00 00 38 00
    00 35 00 00 16 00 00 13 00 00 0a 07 00 c0 00 00
    33 00 00 32 00 00 2f 00 00 07 05 00 80 03 00 80
    00 00 05 00 00 04 01 00 80 00 00 15 00 00 12 00
    00 09 06 00 40 00 00 14 00 00 11 00 00 08 00 00
    06 04 00 80 00 00 03 02 00 80 68 fd d4 c6 77 4c
    5e ef 2f 41 d4 18 e6 f8 6d d3 9e 8c b2 2d b4 81
    83 fd c7 63 f6 8b fe 26 e9 97
SSL_connect:SSLv2/v3 write client hello A
read from 0x9d606b0 [0x9d66bd8] (7 bytes => 0 (0x0))
7175:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
Linux#

The SSL handshake goes through fine in these cases:

1. When I enable SSLv3, the query goes through fine.
2. When I force TLSv1 in the s_client query.
3. With the older httpd version 2.2.25.

Is this intentional, to honor the SSLv3 disablement that is configured?

Please help me find out what the issue could be. Let me know if any other details are needed.

Thx,
DS
ScuzzyEye | 30 Jul 00:04 2015

Deny, Allow with Apache 2.4

I'm having a difficult time figuring out how to convert an Apache 2.2 
access rule to 2.4.

What I'm doing in 2.2 is pretty simple:

order deny,allow
deny from 192.168.1.0/24
deny from 192.168.2.0/24
allow from 192.168.1.12

So denying some sub-nets, but allowing one IP in that range, and the 
rest of the world.

All the rule conversion examples I see for 2.4 are assuming the 
deny,allow order is being used to deny from all, and then allow a 
small number of hosts or IPs. Even with general examples, the case of 
denying a few masked IP ranges, and then allowing a part of that range 
doesn't seem to be covered, and nothing I've tried works. The single 
granted IP never seems to be picked up, but is instead swallowed by the 
larger denied range.

Thanks for any help you can offer,
Chris
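The conversion to httpd 2.4, added here as an example (not from the original post): mod_authz_core's nested RequireAny/RequireAll replaces mod_access_compat's Order/Deny/Allow, using the addresses from the post. It is meant to sit in the same <Directory> or <Location> that carried the 2.2 lines, with those three directives removed.

```apache
# Added example, not the original poster's rules.
#
# 2.2 semantics being reproduced: with "Order deny,allow" the Allow
# lines win over the Deny lines, so 192.168.1.12 is let in although
# 192.168.1.0/24 is denied, and any address matching no Deny line is
# allowed by default.
<RequireAny>
    # the single host carved out of the denied range
    Require ip 192.168.1.12

    # everyone else, minus the two denied subnets. The positive
    # "Require all granted" is required: a RequireAll block made only
    # of "Require not" directives can never succeed, so it would deny
    # the whole world.
    <RequireAll>
        Require all granted
        Require not ip 192.168.1.0/24
        Require not ip 192.168.2.0/24
    </RequireAll>
</RequireAny>
```

Evaluation: 192.168.1.12 matches the first directive and is granted; 192.168.1.50 matches neither branch (the RequireAll fails on the negated subnet) and is denied; 203.0.113.9 is granted by the RequireAll branch.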
Jim Jagielski | 29 Jul 21:05 2015

Festina Lente - Nóirín Plunkett / Shirley

If you have ever read the httpd doccos, there are many people who
made them what they are, and are deserving of thanks. But today we
have lost one of the main and core talents behind them.

Nóirín was a bright light and a festive soul; they were talented
and humble, with a passion tempered by joy and love. Their life
had many highs, and some crushing lows, but Nóirín was always open
and listened to their heart.

I will miss Nóirín. We all will.
Justin M. | 27 Jul 22:06 2015

Configuration conflict between root folder and sub-folder

Hi dear Apache users,

I contact you because I am not that good at configuring Apache, and I am facing a problem that I am not able to solve alone.

I am setting up a Debian 8 (Jessie) server on which I wish to have:
* access by the svn: protocol
* access by the http: protocol
* access by a WebSVN interface

Everything is working well with the configuration given by the files attached, that is:
OK to access 'svn://mysvnserver/' from a Subversion client
    The SVN repository root is located in '/var/svn'
OK to access 'http://mysvnserver/svn' from a Subversion client, or directly from a web browser
    The configuration file is 'mods-enabled/dav_svn.conf'
OK to access 'http://mysvnserver/websvn' from a web browser
    The WebSVN files are located in '/var/www/websvn'
    The configuration file is 'sites-enabled/websvn.conf' (enabled by a2ensite)

But now I would like to have access to SVN with the http: protocol at the root folder (/) instead of a sub-folder (/svn). If I modify the '<Location /svn>' directive, the WebSVN interface is no longer accessible because Apache tries to read '/websvn' as a repository (but it's not).
From the documentation, I read "An exception is <Location "/">, which is an easy way to apply a configuration to the entire server." but I do not want to apply the configuration to /websvn! I have tried to use '<LocationMatch "^/(?!websvn).*$">', '<Location /websvn>' or '<Directory /var/www/websvn>', but I did not get a satisfying solution at that time.

Do you have some clues on how to apply my "DAV svn" configuration to all sub-folders of the root, except '/websvn'? This would be greatly helpful.


Thanks to you all,
Justin
Attachment (site_websvn.conf): application/octet-stream, 620 bytes
Attachment (mod_dav_svn.conf): application/octet-stream, 3855 bytes

javalishixml | 27 Jul 10:22 2015

syn recv attack in our server??

Hi gurus,

We have 2 servers.
Server1 has an Apache.
Server2 has a Tomcat.

Now we see there are many SYN_RECV connections via "netstat -ant".
These kinds of connections are using up the CPU.

We googled it and found it looks like a SYN_RECV attack.

So I just want to know:
1. How do I verify that it really IS a SYN_RECV attack?
2. Is there any way to fight against these kinds of connections? Can I do some configuration in Apache?
3. Because our server1 is deployed at a cloud center, I guess the cloud center should also be under attack?

I appreciate your quick help!

Thanks,
LS


deva seetharam | 27 Jul 06:33 2015

debugging segmentation fault

hello

we are running Debian Linux stable (Jessie) with apache 2.4.10 and mod_wsgi 4.3.0-1 on an x86_64 machine.
our application is written in Python 2.7 and Django 1.8.

the list of modules as reported by apachectl -M are:
Loaded Modules:
 core_module (static)
 so_module (static)
 watchdog_module (static)
 http_module (static)
 log_config_module (static)
 logio_module (static)
 version_module (static)
 unixd_module (static)
 access_compat_module (shared)
 alias_module (shared)
 auth_basic_module (shared)
 authn_core_module (shared)
 authn_file_module (shared)
 authz_core_module (shared)
 authz_host_module (shared)
 authz_user_module (shared)
 autoindex_module (shared)
 cgi_module (shared)
 deflate_module (shared)
 dir_module (shared)
 env_module (shared)
 filter_module (shared)
 mime_module (shared)
 mpm_worker_module (shared)
 negotiation_module (shared)
 perl_module (shared)
 rewrite_module (shared)
 setenvif_module (shared)
 socache_shmcb_module (shared)
 status_module (shared)
 wsgi_module (shared)

we were getting segmentation faults when REST API clients were making requests. The apache error log has the following messages:

[Mon Jul 27 09:04:38.375433 2015] [core:notice] [pid 32693:tid 140315326191488] AH00052: child pid 32700 exit signal Segmentation fault (11)
[Mon Jul 27 09:04:38.375556 2015] [core:notice] [pid 32693:tid 140315326191488] AH00052: child pid 32701 exit signal Segmentation fault (11)

I have enabled core dumps by setting ulimit to unlimited and adding the core dump config directive in the apache2.conf file.

But the core dumps are not happening.

When I tried to debug using gdb (gdb /usr/sbin/apache2), the environment variables are not being read.

Any clues on how to go about this? Thanks in advance.
