The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

Archive for the ‘Apache2’ Category

apache links for log formats, log kinds, etc

Posted by jpluimers on 2017/01/27

Am I the only one who thinks Apache logging configuration is a mess? Especially when you look at the templates shipping with various *nix distros?

Files like vhost-ssl.template and vhost.template using different ways of logging for the same thing make me cringe. That is apart from the ordering of configuration being different between the files, some lines using tab indentation and others space indentation, and non-matching spaces-per-tab settings between the files.

The Apache wiki examples have different issues.

How can you expect mere mortals to get vhost configuration right when the provided templates are so bad?

Given the move towards SSL/TLS, mortals like me won’t easily get it right either.

A few things I think should be done:

  • For vhosts, standardise on vhost_combined, not combined.
  • Favour CustomLog over TransferLog.
  • Make a choice: either log in a Catch All log file, or put each vhost log in different files (now it’s different for the SSL and normal template).
  • If using separate log files per vhost, then include a vhost reference in the log filenames.
  • Add a vhost_ssl_combined in addition to ssl_combined.
  • Document ErrorLog in the same place as CustomLog and TransferLog.
  • Provide templates for combining regular and SSL vhost configs, which is currently hard.
  • Make timestamps in logging formats the same. They are different between ssl_combined and the others. Don’t you hate that? What happened to ISO-8601?

–jeroen

Posted in *nix, Apache2, Linux, openSuSE, Power User, SuSE Linux | Leave a Comment »

Getting A or better grading on SSL Labs HTTPS tests

Posted by jpluimers on 2016/12/30

Now that everyone has had enough time to get proper TLS certificates using for instance LetsEncrypt, it’s time to up the ante: score better than an A on the SSL Labs tests from either their main site or dev site:

Here are some links to get there:

–jeroen

Posted in *nix, Apache2, Communications Development, Development, Encryption, Internet protocol suite, Let's Encrypt (letsencrypt/certbot), Power User, Security, TCP, TLS | Leave a Comment »

Apache error 503 when using ProxyPass:

Posted by jpluimers on 2016/12/05

When you use ProxyPass (for instance within a Location) in Apache and get an HTTP error 503 (service unavailable), then usually the page/service to which the proxy directs is dead.

I had this when shellinabox (forked from the old Google code repo) died on me.

In addition, ensure your ProxyPass statements contain a slash at the end, or you will get an HTTP error 502 (bad gateway):


Proxy Error
The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request GET /account/login.
Reason: DNS lookup failure for: 192.168.71.46:8080account
Additionally, a 502 Bad Gateway error was encountered while trying to use an ErrorDocument to handle the request.


<Location /shell>
ProxyPass http://localhost:4200/
Require all granted
</Location>
<Location />
ProxyPass http://192.168.71.46:8080/
Require all granted
</Location>
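
The trailing-slash rule above can be checked before Apache is reloaded. The following is an added example, not part of the original post: a shell function that reads a configuration on stdin and reports every ProxyPass whose local path ends in a slash while its target does not. The function names and the sample input (the post's configuration with one slash removed) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): lint ProxyPass directives for
# the missing trailing slash that produces the 502 shown above.

# Reads Apache configuration on stdin; prints one line per problem and
# returns 1 if any was found, 0 otherwise.
check_proxypass() {
  awk '
    # Remember the enclosing <Location PATH>; inside it ProxyPass omits the path.
    tolower($1) == "<location"   { loc = $2; sub(/>$/, "", loc); gsub(/"/, "", loc); next }
    tolower($1) == "</location>" { loc = ""; next }
    tolower($1) == "proxypass" {
      if (loc != "") { path = loc; target = $2 }
      else           { path = $2;  target = $3 }
      gsub(/"/, "", path); gsub(/"/, "", target)
      if (target == "" || target == "!") next      # exclusion rule or incomplete line
      # Apache appends the rest of the request path to the target verbatim, so a
      # path ending in "/" needs a target ending in "/" as well.
      if (path ~ /\/$/ && target !~ /\/$/) {
        printf "line %d: ProxyPass %s -> %s loses the slash: %saccount/login is sent to %saccount/login\n", NR, path, target, path, target
        bad = 1
      }
    }
    END { exit bad + 0 }
  '
}

# Constructed sample: the configuration from the post with the trailing slash
# removed from the second ProxyPass target.
sample_conf() {
  cat <<'EOF'
<Location /shell>
ProxyPass http://localhost:4200/
Require all granted
</Location>
<Location />
ProxyPass http://192.168.71.46:8080
Require all granted
</Location>
EOF
}

sample_conf | check_proxypass || echo "fix the lines above before reloading Apache"
```

The opposite mismatch (path without a slash, target with one, as in the /shell block) only yields a doubled slash in the backend URL, so the check leaves it alone.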

–jeroen

via:

Posted in *nix, *nix-tools, Apache2, Power User | Leave a Comment »

On OpenSuSE, when adding Apache vhosts with their own log files don’t forget to update your logrotate configuration

Posted by jpluimers on 2016/10/27

Sometimes you forget one crucial step…

When adding Apache vhosts on OpenSuSE where each vhost has its own set of log files, those files will not be logrotated by default.

So you have to edit the configuration.

I’ve done it by copying the default apache2 logrotate configuration file for each vhost like this:

/etc/logrotate.d # cp apache2 apache2.vhost.##hostname##

Here ##hostname## is the name of the vhost.

Then I edited each file and replaced the generic log file names with the specific ones for each vhost.

There are only a few vhosts on my system so the manual job wasn’t so bad, but with a great number of vhosts you’d probably want to make this a template process beyond this:

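function logrotate-add-apache2-vhost-file()
{
  # $1 is the vhost name
  # sed uses # as the delimiter because the pattern contains slashes:
  ## http://stackoverflow.com/questions/16790793/how-to-replace-strings-containing-slashes-with-sed/16790877#16790877
  # Prefix every log file name with the vhost name and write the result to a per-vhost file.
  sed -r "s#/var/log/apache2/#/var/log/apache2/$1-#g" /etc/logrotate.d/apache2 > "/etc/logrotate.d/apache2.vhost.$1"
  # Track the new file (this requires /etc to be a git working tree).
  git add "/etc/logrotate.d/apache2.vhost.$1"
}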

This will then show in less what logrotate (which will output both to stderr and stdout, hence the 2>&1 redirect) would do on the next invocation:

logrotate -d /etc/logrotate.conf 2>&1 | less

And this is a very nice logrotate alias as well:

alias logrotate-show-status='echo "# systemctl list-timers --all" && systemctl list-timers --all && echo "# systemctl status logrotate.timer --full" && systemctl status logrotate.timer --full && echo "# journalctl -u logrotate" && journalctl -u logrotate'

–jeroen

Posted in *nix, *nix-tools, Apache2, Development, Linux, logrotate, openSuSE, Power User, Scripting, Software Development, SuSE Linux, Tumbleweed | 1 Comment »

Fighting with IPv6 – There and back again

Posted by jpluimers on 2016/01/09

Interesting:

During the last weeks I finally got my hands dirty with IPv6. A comment on my blog and an email informed me that my server (hosting this blog) is not reachable via IPv6, albeit it has an IPv6 address. That said, I tried to get that running and fell into several holes, due to firewalls, […]

Source: Fighting with IPv6 – There and back again

Posted in *nix, *nix-tools, Apache2, iptables, Linux, Power User | Leave a Comment »

some RewriteCond/RewriteRule links

Posted by jpluimers on 2015/12/21

Apache configuration can be tough, so here are some links related to RewriteRule.

One day I hope to write a more in depth article around some of them (:

–jeroen

Posted in *nix, Apache2, Power User | Leave a Comment »

NameBasedSSLVHostsWithSNI – Httpd Wiki

Posted by jpluimers on 2015/12/02

For my link archive:

# Ensure that Apache listens on port 443
Listen 443
    
# Listen for virtual host requests on all IP addresses
NameVirtualHost *:443

# Go ahead and accept connections for these vhosts
# from non-SNI clients
SSLStrictSNIVHostCheck off


  # Because this virtual host is defined first, it will
  # be used as the default if the hostname is not received
  # in the SSL handshake, e.g. if the browser doesn't support
  # SNI.
  DocumentRoot /www/example1
  ServerName www.example.com

  # Other directives here




  DocumentRoot /www/example2
  ServerName www.example2.org

  # Other directives here


One more time as WordPress screws XML:


# Ensure that Apache listens on port 443
Listen 443

# Listen for virtual host requests on all IP addresses
NameVirtualHost *:443

# Go ahead and accept connections for these vhosts
# from non-SNI clients
SSLStrictSNIVHostCheck off

<VirtualHost *:443>
  # Because this virtual host is defined first, it will
  # be used as the default if the hostname is not received
  # in the SSL handshake, e.g. if the browser doesn't support
  # SNI.
  DocumentRoot /www/example1
  ServerName www.example.com

  # Other directives here
</VirtualHost>

<VirtualHost *:443>
  DocumentRoot /www/example2
  ServerName www.example2.org

  # Other directives here
</VirtualHost>

–jeroen
Source: NameBasedSSLVHostsWithSNI – Httpd Wiki

Posted in *nix, Apache2, Power User | Leave a Comment »

StartSSL indeed offers free Class1 certificates for any subdomain

Posted by jpluimers on 2015/11/20

Thanks Craine for answering:

StartSSL does in fact offer free SSL certs for subdomains, though they are Class 1 certificates.

It works: just start the process for the domain, then when you get to the step for entering a subdomain, enter any one (of course www works, but you can do the process multiple times to register certificates for multiple subdomains).

–jeroen

via: tls – Free second-level domain SSL certificate – Information Security Stack Exchange

Posted in *nix, *nix-tools, Apache2, https, Power User, Security | Leave a Comment »

Hiding email behind a 30x redirect.

Posted by jpluimers on 2014/06/24

Last week, I thanked Jaykul for helping me out on PowerShell.

But he taught me another thing that was new for me: on his site, he has hidden his email address behind a 302-redirect.

I didn’t even realize that was possible until I saw his site start my mail program without initially showing a mailto in the url. A quick check showed me he was using a 302-redirect: Read the rest of this entry »

Posted in *nix, Apache2, bash, Development, Linux, Power User, Scripting, Software Development, SuSE Linux, wget | Leave a Comment »

Apache2 on openSUSE 12.x: some notes

Posted by jpluimers on 2014/04/24

Getting Apache configured on a *nix installation like openSUSE is always a bit of a challenge.

A few things I observed: Read the rest of this entry »

Posted in *nix, Apache2, Linux, openSuSE, Power User, SuSE Linux | 2 Comments »