Nick Kew | 1 Oct 2010 01:53

Re: Untainting module for Apache


On 30 Sep 2010, at 18:23, Igor Galić wrote:

> Why not put it in svn in httpd's sandbox?

Hadn't 100% decided ...

>> http://people.apache.org/~niq/mod_taint.html
>> http://people.apache.org/~niq/mod_taint.c
> 
> does it make more sense to use it on a reverse proxy or
> on the backend in question?

Either of those might find a use for it.  Running it on a proxy
has the advantage of being the first port of call, so long
as nothing bad can come from behind the proxy.  I guess
that's a similar question to authentication at the proxy.
The "what are you protecting against" (malicious vs
accidental attack) might be relevant too if you have
both internal/trusted and external/untrusted users.

-- 
Nick Kew

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe <at> httpd.apache.org
   "   from the digest: users-digest-unsubscribe <at> httpd.apache.org
For additional commands, e-mail: users-help <at> httpd.apache.org

J. Greenlees | 1 Oct 2010 03:49

Re: Untainting module for Apache

Nick Kew wrote:
> ~snip~

> Either of those might find a use for it.  Running it on a proxy
> has the advantage of being the first port of call, so long
> as nothing bad can come from behind the proxy.  I guess
> that's a similar question to authentication at the proxy.
> The "what are you protecting against" (malicious vs
> accidental attack) might be relevant too if you have
> both internal/trusted and external/untrusted users.
>   

I'll have to look for the reference articles, but a quick summary of them:
The majority of recent corporate security breaches have been insider jobs.
Disgruntled employees, recently dismissed, or not thinking were the 
usual causes.
I know it was a Gartner and Associates report. [ for whatever the source 
is worth ]

So a best practice for securing is that there is no trusted user. That makes for a 
not very usable system, though.
I could easily see mod_taint giving a more usable system without losing 
a lot in the security of the system.

Jaqui


J. Greenlees | 1 Oct 2010 03:55

Re: Untainting module for Apache

J. Greenlees wrote:
> Nick Kew wrote:
>> ~snip~
>
>> Either of those might find a use for it.  Running it on a proxy
>> has the advantage of being the first port of call, so long
>> as nothing bad can come from behind the proxy.  I guess
>> that's a similar question to authentication at the proxy.
>> The "what are you protecting against" (malicious vs
>> accidental attack) might be relevant too if you have
>> both internal/trusted and external/untrusted users.
>>   
>
> I'll have to look for the reference articles, but a quick summary of 
> them:
> The majority of recent corporate security breaches have been insider jobs.
> Disgruntled employees, recently dismissed, or not thinking were the 
> usual causes.
> I know it was a Gartner and Associates report. [ for whatever the 
> source is worth ]
>
> So a best practice for securing is that there is no trusted user. That makes for 
> a not very usable system, though.
> I could easily see mod_taint giving a more usable system without 
> losing a lot in the security of the system.
>
> Jaqui

oops, I was wrong, it was the U.S. Secret Service report.
http://www.secretservice.gov/ntac_its.shtml

菊池 裕 | 1 Oct 2010 07:04

How to upgrade mod_proxy_ajp

Hello.

I'm using Apache 2.2.11 and mod_proxy_ajp to connect it with JBoss AS.
I heard that mod_proxy_ajp in this version is too buggy and has some security holes,
so I want to upgrade it to the latest one.

Can I upgrade mod_proxy_ajp by downloading the latest Apache source (2.2.16)
and compiling only that module, then applying it to Apache 2.2.11?
Or should I simply upgrade "Apache" to the current version?
Please give me some opinions.

Best regards.


William A. Rowe Jr. | 1 Oct 2010 07:19

Re: How to upgrade mod_proxy_ajp

On 10/1/2010 12:04 AM, 菊池 裕 wrote:

> Or should I simply upgrade "Apache" to current version?

Good idea.

At the very least, upgrade *ALL* of the modules/proxy/ components; you can
find out what is linked into each module by inspecting config.m4 from the
modules/proxy directory in the 2.2.16 tarball.

But still, upgrading to a recent release all around is a good idea.

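The reason Bill says to rebuild everything under modules/proxy/ rather than mod_proxy_ajp.c alone is visible in that config.m4: each proxy component is a list of object files, and mod_proxy_ajp links the ajp_*.c sources alongside its own file. The script below is an added example, not code from the thread or from the httpd project, that pulls those object lists out of a config.m4 so you can see which files a given module is built from. The embedded config.m4 fragment is a constructed sample of the 2.2-era layout (an assumption; check it against the real 2.2.16 tarball). Note the caveat the script cannot show: even a correctly rebuilt mod_proxy_ajp.so still calls into the mod_proxy.so of the running server, so mixing a 2.2.16 submodule with a 2.2.11 mod_proxy is exactly the kind of partial upgrade Bill warns against, and upgrading httpd as a whole is the safe answer.

```shell
#!/bin/sh
# Added example (not from the thread): list which object files each
# modules/proxy component links, reading a modules/proxy/config.m4.
# Usage: list_proxy_objs /path/to/httpd-2.2.16/modules/proxy/config.m4

list_proxy_objs() {
    # Lines of the form  proxy_ajp_objs="mod_proxy_ajp.lo ajp_header.lo ..."
    # name each component (proxy_ajp) and the .lo objects linked into it.
    sed -n 's/^\([a-z_]*\)_objs="\([^"]*\)".*/\1: \2/p' "$1"
}

# Print every component whose object list contains a given object, e.g.
# ajp_msg.lo: the modules that must be rebuilt when that source changes.
components_using() {
    # $1 = config.m4 path, $2 = object file name (e.g. ajp_msg.lo)
    list_proxy_objs "$1" | awk -v obj="$2" '
        { for (i = 2; i <= NF; i++) if ($i == obj) { sub(/:$/, "", $1); print $1 } }'
}

# Constructed sample of the 2.2-era config.m4 shape (assumption; the real
# file in the tarball is authoritative).
SAMPLE_M4=$(mktemp)
trap 'rm -f "$SAMPLE_M4"' EXIT
cat > "$SAMPLE_M4" <<'EOF'
proxy_objs="mod_proxy.lo proxy_util.lo"
APACHE_MODULE(proxy, Apache proxy module, $proxy_objs, , $proxy_mods_enable)
proxy_connect_objs="mod_proxy_connect.lo"
proxy_http_objs="mod_proxy_http.lo"
proxy_ajp_objs="mod_proxy_ajp.lo ajp_header.lo ajp_link.lo ajp_msg.lo ajp_utils.lo"
proxy_balancer_objs="mod_proxy_balancer.lo"
EOF

# Show the full map, then which module(s) the AJP protocol code lands in.
list_proxy_objs "$SAMPLE_M4"
components_using "$SAMPLE_M4" ajp_msg.lo
```

Point it at the real config.m4 from the 2.2.16 tarball to see the actual lists; any object that appears under proxy_ajp but is not mod_proxy_ajp.lo is a file that a "just recompile the module" approach would also have to take from the newer source.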

Rainer Jung | 1 Oct 2010 09:44

Re: Win2003, Apache2.2 & Tomcat6 Apache proxy to Tomcat

On 30.09.2010 22:29, Mike Rea wrote:
> I am running a Win2003 server using Apache2.2 to basically just proxy to
> Tomcat6 with SSL.
>
> I had tried running just tomcat6 but from everything that I read it was
> better for SSL traffic to proxy using Apache, so that is what i did.
>
> Right now I am just pointing it to the Tomcat default page, that is easy
> enough to change later.
>
> Here is where I am at.
>
> 1. On the server if I go to http: //localhost: it brings up the page fine.
> 2. On the server https: //localhost   also brings up the page fine.  Of
> course I do get a certificate error because the SSL cert is for my
> domain.  But it does work and the samples run fine.
>
> 3. From either the server or another PC, if I go to http: //my.
> domain.com <http://domain.com>   it works fine and brings up the Tomcat
> default page.
> 4. From either place going to https  the browser says waiting and
> eventually returns an error.
>
> In my httpd.conf file I have:
>
> Listen 80
> Listen 443
> The mod_proxy 's, mod_ssl & mod_vhost_alias are all turned on.
>
>

Mike Rose | 1 Oct 2010 12:34

What Directives apply to a file/directory? Resultant set of directives?

Hello,

I've worked as a sysadmin with the Apache web server for a few years.
Often I want to know what set of Apache directives is being applied
to a file and/or directory, sometimes because of error reports and
often because the behaviour is not what I want. With experience I
think I've learned better how to configure Apache httpd; however, I
still run into situations where I really want to know what Apache is
doing to serve a particular file.

I want to know what set of directives apache is applying to a piece of
content when it is served.

I've asked around and searched for something that will do this and not
found anything. Maybe I'm missing something...

regards,

Mike.


Mike Rea | 1 Oct 2010 13:05

Re: Win2003, Apache2.2 & Tomcat6 Apache proxy to Tomcat

Sorry.
Yes, they are https, not https, just me mis-typing.
The email client was seeing all of those as links and the Apache listserv bounced my original email as spam. So I added the spaces to get it to go through. They are not in the conf files.

Yes, general message in IE. I will try it in Firefox and others and see what I get. Really not getting anything in the error log, first place I looked.
Thanks

On Fri, Oct 1, 2010 at 3:44 AM, Rainer Jung <rainer.jung <at> kippdata.de> wrote:
> On 30.09.2010 22:29, Mike Rea wrote:
>> I am running a Win2003 server using Apache2.2 to basically just proxy to
>> Tomcat6 with SSL.
>>
>> I had tried running just tomcat6 but from everything that I read it was
>> better for SSL traffic to proxy using Apache, so that is what i did.
>>
>> Right now I am just pointing it to the Tomcat default page, that is easy
>> enough to change later.
>>
>> Here is where I am at.
>>
>> 1. On the server if I go to http: //localhost: it brings up the page fine.
>> 2. On the server https: //localhost   also brings up the page fine.  Of
>> course I do get a certificate error because the SSL cert is for my
>> domain.  But it does work and the samples run fine.
>>
>> 3. From either the server or another PC, if I go to http: //my.
>> domain.com <http://domain.com>   it works fine and brings up the Tomcat
>> default page.
>> 4. From either place going to https  the browser says waiting and
>> eventually returns an error.
>>
>> In my httpd.conf file I have:
>>
>> Listen 80
>> Listen 443
>> The mod_proxy 's, mod_ssl & mod_vhost_alias are all turned on.
>>
>> In my httpd-vhosts.conf file here is what I have:
>>
>> NameVirtualHost *:80 (although on this try it isn't named, shows error
>> in the logs but doesn't seem to hurt anything)
>> NameVirtualHost *:443
>> <IfModule ssl_module>
>> SSLRandomSeed startup builtin
>> SSLRandomSeed connect builtin
>> </IfModule>
>> ProxyPass / http: //localhost:8080/
>> ProxyPassReverse / http: //localhost:8080/
>> <VirtualHost *:443>
>>     SSLEngine On
>>     SSLProxyEngine on
>>     SSLCertificateFile conf/ssl/certname.cer
>>     SSLCertificateKeyFile conf/ssl/keyname.key
>
> I assume you have a more complete SSL config included, like setting the cipher suite and enabling SSL session handling. See the default configuration provided with the Apache web server.
>
>> ProxyPass / httpa: //localhost:8443/
>> ProxyPassReverse / httpa: //localhost:8443/
>
> httpa does not exist, and the space between the scheme and the rest of the URL won't be good either. What do you really have in your config here?
>
> If you only want Tomcat to do http and the Apache reverse proxy should do the full https, then use again
>
> ProxyPass / http: //localhost:8080/
> ProxyPassReverse / http: //localhost:8080/
>
>>     ErrorLog "logs/mydomain.com-error.log"
>>     CustomLog "logs/mydomain.com-access.log" common
>> </VirtualHost>
>>
>> I have tried several different rewrites on this and just not getting it
>> to work.
>> I did put the port 80 => 8080 pass in a VirtualHost tag, it works fine
>> on http: //localhost  but when using https it gives some bogus message
>> of the server being too busy.
>> I took the 443 =>8443 directives out of the VirtualHost tag and that
>> works fine on http: //localhost  but when using https it goes to the
>> Apache default page.
>> No matter what I do, I still get an error from http: //my. domain.com
>> <http://domain.com> while http: //my. domain.com <http://domain.com>
>> runs fine.
>>
>> Any ideas?  I am definitely not an expert with Apache setup.  I am more
>> a DB & ERP system guy who has been writing more and more jsp apps.
>> Now I have one that I need to secure and having one heck of a time doing it.
>> (Sorry for the spaces.  e-mail was seeing them as URLs and the listserv
>> SPAM filter was blocking the email)
>> Thanks in advance for any help.
>> Mike
>
> If it still doesn't work:
>
> What error message do you get in the client? If it is the general error message provided by Microsoft Internet Explorer, use some other browser to see the full error message.
>
> Is there any message in the error log of Apache?
>
> Regards,
>
> Rainer

--
Michael Rea
mike.a.rea <at> gmail.com
Cell: 330-402-2280
--------------------------------
www.theusergroup.org
Enspire ERP users resource with forums, issue lists, white papers and more. 

Rainer Jung | 1 Oct 2010 14:29

Re: Win2003, Apache2.2 & Tomcat6 Apache proxy to Tomcat

On 01.10.2010 13:05, Mike Rea wrote:
> Sorry.
> Yes they are https, not https just me mis-typing.
> The email client was seeing all of those as links and the apache
> listserv bounced my original email as spam.  So I added the spaces to
> get it to go thru.  They are not in the conf files.
> Yes general message in IE, I will try it in firefox and others and see
> what I get.  Really not getting anything in the error log, first place I
> looked.
> Thanks

Don't overlook my hint about using port 8080 instead of 8443.

> On Fri, Oct 1, 2010 at 3:44 AM, Rainer Jung <rainer.jung <at> kippdata.de
> <mailto:rainer.jung <at> kippdata.de>> wrote:
>
>     On 30.09.2010 22:29, Mike Rea wrote:
>
>         I am running a Win2003 server using Apache2.2 to basically just
>         proxy to
>         Tomcat6 with SSL.
>
>         I had tried running just tomcat6 but from everything that I read
>         it was
>         better for SSL traffic to proxy using Apache, so that is what i did.
>
>         Right now I am just pointing it to the Tomcat default page, that
>         is easy
>         enough to change later.
>
>         Here is where I am at.
>
>         1. On the server if I go to http: //localhost: it brings up the
>         page fine.
>         2. On the server https: //localhost   also brings up the page
>         fine.  Of
>         course I do get a certificate error because the SSL cert is for my
>         domain.  But it does work and the samples run fine.
>
>         3. From either the server or another PC, if I go to http: //my.
>         domain.com <http://domain.com/> <http://domain.com
>         <http://domain.com/>>   it works fine and brings up the Tomcat
>
>         default page.
>         4. From either place going to https  the browser says waiting and
>         eventually returns an error.
>
>         In my httpd.conf file I have:
>
>         Listen 80
>         Listen 443
>         The mod_proxy 's, mod_ssl & mod_vhost_alias are all turned on.
>
>
>
>         In my httpd-vhosts.conf file here is what I have:
>
>         NameVirtualHost *:80 (although on this try it isn't named, shows
>         error
>         in the logs but doesn't seem to hurt anything)
>         NameVirtualHost *:443
>         <IfModule ssl_module>
>         SSLRandomSeed startup builtin
>         SSLRandomSeed connect builtin
>         </IfModule>
>         ProxyPass / http: //localhost:8080/
>         ProxyPassReverse / http: //localhost:8080/
>         <VirtualHost *:443>
>              SSLEngine On
>              SSLProxyEngine on
>              SSLCertificateFile conf/ssl/certname.cer
>              SSLCertificateKeyFile conf/ssl/keyname.key
>
>
>     I assume you have a more complete SSL config included, like setting
>     the cipher suite and enabling SSL session handling. See the default
>     configuration provided with the Apache web server.
>
>
>         ProxyPass / httpa: //localhost:8443/
>         ProxyPassReverse / httpa: //localhost:8443/
>
>
>     httpa does not exist, and the space between the scheme and the rest
>     of the URL won't be good either. What do you really have in your
>     config here?
>
>     If you only want Tomcat to do http and the Apache reverse proxy
>     should do the full https, then use again
>
>
>     ProxyPass / http: //localhost:8080/
>     ProxyPassReverse / http: //localhost:8080/
>
>              ErrorLog "logs/mydomain.com-error.log"
>              CustomLog "logs/mydomain.com-access.log" common
>         </VirtualHost>
>
>
>         I have tried several different rewrites on this and just not
>         getting it
>         to work.
>         I did put the port 80 => 8080 pass in a VirtualHost tag, it
>         works fine
>         on http: //localhost  but when using https it gives some bogus
>         message
>         of the server being too busy.
>         I took the 443 =>8443 directives out of the VirtualHost tag and that
>         works fine on http: //localhost  but when using https it goes to the
>         Apache default page.
>         No matter what I do, I still get an error from http: //my.
>         domain.com <http://domain.com/>
>         <http://domain.com <http://domain.com/>> while http: //my.
>         domain.com <http://domain.com/> <http://domain.com
>         <http://domain.com/>>
>
>         runs fine.
>
>         Any ideas?  I am definitely not an expert with Apache setup.  I
>         am more
>         a DB & ERP system guy who has been writing more and more jsp apps.
>         Now I have one that I need to secure and having one heck of a
>         time doing it.
>         (Sorry for the spaces.  e-mail was seeing them as URLs and the
>         listserv
>         SPAM filter was blocking the email)
>         Thanks in advance for any help.
>         Mike
>
>
>     If it still doesn't work:
>
>     What error message do you get in the client? If it is the general
>     error message provided by Microsoft Internet Explorer, use some
>     other browser to see the full error message.
>
>     Is there any message in the error log of Apache?
>
>     Regards,
>
>     Rainer

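For the setup the thread converges on (httpd terminates TLS on 443 and forwards plain HTTP to Tomcat's 8080 connector, as Rainer keeps pointing to), here is one complete virtual host as an added example. It is not Mike's or Rainer's configuration; the hostname, certificate and log file names are placeholders taken from the posted fragment, and the Listen and LoadModule lines are assumed to be in httpd.conf already. Compared with the posted fragment it moves ProxyPass/ProxyPassReverse inside the <VirtualHost> (at server scope they apply to every vhost, including the plain-HTTP one), drops the nonexistent httpa: scheme and the unused SSLProxyEngine on (the backend is plaintext, so that directive does nothing useful), and adds the protocol and cipher restrictions Rainer refers to. RequestHeader needs mod_headers loaded; whether Tomcat acts on X-Forwarded-Proto depends on its own configuration (RemoteIpValve), which the thread does not cover.

```apache
# Added example, not the configuration from the thread. Listen 80/443 and
# the LoadModule lines for mod_proxy, mod_proxy_http, mod_ssl and
# mod_headers are assumed to be present in httpd.conf.

# Reverse proxy only. ProxyPass does not need ProxyRequests; leaving
# ProxyRequests On would also turn this host into an open forward proxy.
ProxyRequests Off

NameVirtualHost *:443

<VirtualHost *:443>
    ServerName my.domain.com
    ErrorLog  "logs/mydomain.com-error.log"
    CustomLog "logs/mydomain.com-access.log" common

    SSLEngine on
    SSLCertificateFile    conf/ssl/certname.cer
    SSLCertificateKeyFile conf/ssl/keyname.key
    # Protocol and cipher restrictions; compare with the shipped httpd-ssl.conf.
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5
    SSLHonorCipherOrder on

    # The backend is plain HTTP on Tomcat's 8080 connector, so no
    # SSLProxyEngine here. If you proxy to Tomcat's 8443 TLS connector
    # instead, add "SSLProxyEngine on" together with
    # "SSLProxyVerify require" and SSLProxyCACertificateFile, so that
    # httpd actually authenticates the backend rather than any listener.
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"
    ProxyPass        / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/
</VirtualHost>
```

With the ProxyPass lines scoped to the vhost, the plain-HTTP vhost on *:80 can carry its own, or simply redirect to https://, without the two sets interfering; that is the likely source of the "goes to the Apache default page" and "server too busy" symptoms described when the 443 directives were moved in and out of the <VirtualHost> block.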

Thomas Lindgren | 1 Oct 2010 14:50

Debian Lenny + MaxRequestsPerChild

Hi all,

We just upgraded to Debian Lenny and saw some unexpected behaviour from an Apache node running a mod_perl2 app which I hope someone here can explain.

After running the system for a short while, the server stops accepting requests. Checking the system, we can see that all workers have disappeared but the apache2 parent process remains alive. There's no relevant information in the access or error logs. After some experimentation, we have also found that if we restart the server with MaxRequestsPerChild set to zero, it seems to keep going. It thus looks like the workers stop after serving MaxRequestsPerChild, then are not restarted.

So, any ideas about what's going on or how to troubleshoot this would be appreciated.

Here are some further details:

apache2.conf - Problematic config section (migrated from etch):
<IfModule mpm_worker_module>
    StartServers          2
    MaxClients          200
    MinSpareThreads      25
    MaxSpareThreads      75
    ThreadsPerChild      50
    MaxRequestsPerChild   10000
</IfModule>

apache2.conf - working (default) config:
<IfModule mpm_worker_module>
    StartServers          2
    MaxClients          200
    MinSpareThreads      25
    MaxSpareThreads      75
    ThreadsPerChild      25
    MaxRequestsPerChild   0
</IfModule>

$ apache2 -v
Server version: Apache/2.2.9 (Debian)
Server built:   Apr 20 2010 15:42:00

$ APACHE_RUN_USER=www-data APACHE_RUN_GROUP=www-data apache2 -t -D DUMP_MODULES
Loaded Modules:
 core_module (static)
 log_config_module (static)
 logio_module (static)
 mpm_worker_module (static)
 http_module (static)
 so_module (static)
 alias_module (shared)
 apreq_module (shared)
 auth_basic_module (shared)
 auth_digest_module (shared)
 authn_file_module (shared)
 authz_default_module (shared)
 authz_groupfile_module (shared)
 authz_host_module (shared)
 authz_user_module (shared)
 autoindex_module (shared)
 cgid_module (shared)
 dav_module (shared)
 dav_fs_module (shared)
 dav_lock_module (shared)
 deflate_module (shared)
 env_module (shared)
 headers_module (shared)
 mime_module (shared)
 negotiation_module (shared)
 perl_module (shared)
 proxy_module (shared)
 proxy_http_module (shared)
 setenvif_module (shared)
 ssl_module (shared)
 status_module (shared)
Syntax OK

Best regards,
Thomas
--
Thomas Lindgren, Chief Technology Officer, Diino AB

