Postings by Hajo Locke

ssl stapling error - sectigo

Hello List,

Apache is 2.4.39, System is Ubuntu 18.04 and 16.04

Since yesterday evening we have had massive mod_ssl problems with SSL stapling:

Apr 24 11:20:59 myhostname apache2[16094]: [ssl:error] [pid 16094]
AH01941: stapling_renew_response: responder error

We had complaints about slow web pages, which forced us to deactivate
stapling on all our servers.
Affected are certificates from Sectigo (previously Comodo) with OCSP URL
I can't confirm for other providers; we use Comodo/Sectigo the most.

But it seems there is no basic problem on our system/network because I
can manu

CVE-2019-0211 - Apache 2.2


I still have a bunch of Apache 2.2 servers. ;(
Is Apache 2.2 exploitable by CVE-2019-0211?
The description says that the first affected version is 2.4.17, but maybe 2.2
was not analyzed.


HTTP Method Patch

Hello list,

This is Apache 2.4.34.

I was asked if Apache supports the HTTP request method PATCH.
To be honest, I did not really find anything useful on the web.
Does Apache support this method, and is an additional module required?
I am not aware of allowing or forbidding PATCH in httpd.conf.


ErrorDocument with URL containing URL encoded chars

Hello List,

I have an interesting problem here.
I have a .htaccess with an ErrorDocument containing text to be displayed:

ErrorDocument 404 "not existing"

This works with standard URLs like
I get a 404 response, and the text displayed in the browser is correct.

Now I try URLs like this:
The URL-encoded part of the URL seems to be a problem for ErrorDocument.

define variables by vhost only

Hello List,

I am looking for a way to use Define to create variables limited to
vhosts (Apache 2.4).
Currently I have some vhosts and use this syntax:

Define myvar mycontent

The name of the variable is the same in all vhosts; "mycontent" is different
and vhost-related. Later I use this variable in .htaccess files for users:

AddHandler ${myvar} .php

Unfortunately the Define directive defines the variable for the complete server
and not for the vhost only.

proxy_fcgi - force flush to client

Hello List,

Currently I am comparing features and behaviour of proxy_fcgi to classical
methods like mod_fastcgi/mod_php.

mod_php/fastcgi have options to send every output from the backend
immediately to the client.

minimal custom modul with no functionality

Hello List,

I am trying to remove mod_php and switch to php-cgi with proxy_fcgi and mpm_event.
An example setup is running well. But when removing it I want to
keep support for php_value/php_flag directives in .htaccess.
This is done by the php-htscanner extension.

h2load http/2 benchmarking results using different mpm/php configurations

Hello List,

Separately from the other mail about the proxy_fcgi/enablereuse problem, I want to
tell about my results.

problems benchmarking php-fpm/proxy_fcgi with h2load

Hello list,

I am doing some http/2 benchmarks on my machine and have problems finishing at
least one test.

System is Ubuntu 16.04, libnghttp2-14 1.7.1, Apache 2.4.29, mpm_event.

I start h2load with standard params:

h2load -n100000 -c100 -m10

The first steps are really quick and I can see progress to 50-70%, but
after that requests by h2load to the server decrease dramatically.
It seems that h2load is stopping requests to the server, but I don't see any
reason for that on the server side.

high count h2 idle streams

Hello List,

Today I found an abnormality in my Apache status for some servers.
There are a lot of "h2  idle, streams" in the Apache status.

Configuration help - addhandler <> mod_proxy_fcgi

Hello List,

Currently I use classic mod_fastcgi (FastCgiExternalServer) with
php-fpm, which is quite reliable.
A disadvantage of this setup is that not every response header set by
.htaccess will really be sent to the client.
Something like this is the current setup:

<IfModule mod_fastcgi.c>
    AddHandler myphp-cgi .php
    Action myphp-cgi /cgi-fpm/php71-fpm

The big advantage is that my users are able to use AddHandler in
.htaccess to choose any provided PHP version.

Now I am trying to switch from mod_fastcgi to the new recommended way of mod_proxy_fcgi.

The basic variants with SetHandle

http/2 vs. Headername

Apache 2.4.25


I have a small .htaccess with the following content to view folder contents:
Options +Indexes
Headername /foo/bar.htm
This works over http, but fails over https if the browser uses http/2.
Firefox: Secure Connection Failed

I don't see any error in my logs; http/2 browsers just stop loading.
When disabling http/2, https also works.
What to do now?


apache 2.4 includes vi .swp files


I found an interesting difference between the Include behaviour of Apache 2.2
and 2.4.

I have an Include in apache2.conf:

Include /etc/apache2/conf.d/

When editing a conf file in this folder with vi, vi creates a new .swp file.
Let's say I edit a file logging.conf, so vi creates a file .logging.conf.swp.

When running "apachectl configtest" at this particular time, Apache 2.4
tries to include .logging.conf.swp, which fails because
.logging.conf.swp is binary and invalid.
This prevents Apache 2.4 from starting successfully and leads to downtime.

Apache 2.2 tries not to include this .swp file a

http/2 Misdirected Request

Apache 2.4.25


I have an issue with http/2 and the response "421 Misdirected Request".
I read this to inform about issues with multiple hosts and same

apache 2.4 handling of subdomains with unallowed characters

Hello list,

I have some subdomains with disallowed characters, in my case the underscore.

In Apache 2.2 subdomains like this worked:
In Apache 2.4 this produces a 400 server error (Bad Request).

It seems that apache 2.4's handling of allowed/not allowed chars is more

Is there a config option to relax this behaviour to the 2.2 standard?

postconf with symlinked files


For some days now we have been using Postfix 3.1.0.
We have some failoversystems and use a which is symlinked into a
When using postconf to change a parameter, the symlink is replaced
by a regular file.
This behaviour is documented here:

What is the reason for this behaviour? A symlinked file may have some
advantages. In our case it spares editing the after failover,
because always fits to current master-server (myhostname,
Is there a way to keep the type of file object other than by avoiding postconf?


apache 2.4 wildcardsubdomains

Hello List,

In Apache 2.2 we had a typical vhost like this to realize

<VirtualHost *:80>
ServerName *
ServerAlias *
DocumentRoot /var/www/wildcardexample/public_html

In Apache 2.4 wildcards are not allowed in ServerName.

spdy/http/2 and mod_php


I am planning to upgrade my Apache 2.2 to 2.4. I have 2 questions beforehand
where I need your help.

The former SPDY implementation conflicts with non-thread-safe modules like
mod_php. To use SPDY it is necessary to use the worker MPM and php-cgi.
Now HTTP/2 is the new standard and I would like to know if the HTTP/2
implementation has the same conflicts with non-thread-safe modules like
mod_php. As far as I know HTTP/2 is based on SPDY.

I have some non-standard modules compiled and packaged for Apache 2.2.

mod_rewrite vs. mod_jk


I have a small mod_jk.conf and want to use mod_rewrite also:

JkMount /* ajp13
JkUnmount /test/* ajp13
RewriteEngine On
RewriteRule ^/$ /java_app/ [L]

Rewriting by mod_rewrite only works with URLs which are unmounted by

strange 32bit apache-problem


One of my machines I upgraded to Ubuntu 14.04 32-bit.
There is an Apache 2.2.27 running on it (not from the Ubuntu repo).
I have a text file which is 512 bytes long; it contains just some chars,
just one long line with a line break at the end.

If I request this file with wget from the same machine, all looks
fine and readable.
If I request this file from another machine, then the file seems to be
corrupted. Response header and file size are still OK.

filesmatch suspends AccessFileName?


Interesting thing here.

weird pstree postgrey


I wonder about the weird pstree look when running postgrey in 12.04.
postgrey is shown with its path and not the daemon name:


In the previous version postgrey was shown in pstree with its daemon name:


What is the reason for this and how to fix it?


german umlauts in filename

Hello List,

I have some files with German umlauts ö ä ü in the filename and want to request
them by HTTP.
The filename is encoded in latin1, in console/FTP etc.

mod_status, disable server-status for users

Hello List,

Is there any possibility to hide the server-status page provided by mod_status
from my users?
Every user with .htaccess is able to use SetHandler and able to view the
complete status.
How to disable this?


keepalivetimeout - odd behaviour

Apache 2.2.14


I try to linkcheck my domain with
The link checker tells in some cases that my server would answer with 500:
Error: 500 Server closed connection without sending any data back
All I see in the log is no error but a successful request to /robots.txt from
When changing KeepAliveTimeout from 1 to 3 the error is gone and every test
of the link checker shows a correct analysis.
When changing back to 1, again only 50% of requests are successful.
Sounds strange to me...
Does somebody have an explanation?


securing sshd with selinux

Hello List,

I don't have experience with SELinux, but I want to know if it would be a
practicable way to secure sshd with SELinux.
I have some web servers and want to grant SSH access to some users. My plan
is to make a new server where users are able to log in; the homes from the
web server are mounted in by NFS etc.
I don't like a chroot environment for SSH, a lot of disadvantages...
Also I don't like it if users would scrabble in folders that don't concern them.
So I thought it would be possible to restrict users with SELinux so they
are not able to see too much...

reload separate fcgid-application


Is there a possibility to reload a separate fcgid application (mod_fcgid) if
something has changed?
Maybe the php.ini for my wrapper script has changed and I want to reload
this application for the vhost without disturbing other apps.
Is this possible? I think a reload of Apache stops all fcgid applications
and forces them to restart; is this observation correct?

loadbalancing apache/tomcat

Hello List,

Following situation: I have 1 Apache which is connected by mod_jk to
multiple Tomcat servers.
Now it seems to become necessary that I also need to balance the
What is best practice in my case?
I think about nginx in the first line, which is connected to Apache servers and
Tomcat servers as backends.
In the nginx conf I should be able to divide requests to the adequate servers;
mod_jk is not needed any more because nginx is connected directly to
Is this a good setup, or should it be put into practice in another way?


mailbox_size_limit is smaller than message_size_limit - 64bit issue?


I got the following error in my log:

postfix/local[8755]: fatal: configuration error: mailbox_size_limit
is smaller than message_size_limit
postfix/master[8737]: warning: process /usr/lib/postfix/local pid 8755 exit
status 1
postfix/master[8737]: warning: /usr/lib/postfix/local: bad command
startup -- throttling

But the values are:
mailbox_size_limit = 4096000000
message_size_limit = 102400000

Using a 32-bit machine I can set
mailbox_size_limit = 4096000000
without problems.
On this 64-bit machine Postfix 2.5.1 local throws errors.

mailbox_size_limit = 0
works but is not what I

smtpd_sasl_path tcp-socket?


My ambition is to completely separate MX and mail storage.

I use smtpd_sasl_type dovecot.
In Dovecot 2 I can use a TCP socket for the auth service.
I want to use this TCP socket in Postfix via smtpd_sasl_path.
An assignment like:

smtpd_sasl_path = inet:localhost:1434

seems to work, but it is not documented.
Is it recommended to use the Dovecot auth service this way?
Are there alternatives if not?