DevHeads.net

Postings by Hajo Locke

proxy_fcgi - force flush to client

Hello List,

currently i compare features and behaviour of proxy_fcgi to classical
methods like mod_fastcgi/mod_php.

mod_php/fastcgi have options to send every output from backend
immediately to client.

minimal custom module with no functionality

Hello List,

i try to remove mod_php and switch to php-cgi with proxy_fcgi and mpm_event.
An example setup is running well.  But by removing libphp7.so i want to
keep support for php_value/php_flag directives  in .htaccess
This is done by php-htscanner extension.

h2load http/2 benchmarking results using different mpm/php configurations

Hello List,

separately from other mail with proxy_fcgi/enablereuse problem i want to
tell about my results.

problems benchmarking php-fpm/proxy_fcgi with h2load

Hello list,

i do some http/2 benchmarks on my machine and have problems to finish at
least one test.

System is Ubuntu16.04, libnghttp2-14 1.7.1, Apache 2.4.29, mpm_event

I start h2load with standard-params:

h2load  -n100000 -c100 -m10 https://example.com/phpinfo.php

first steps are really quick and i can see a progress to 50-70%. but
after that requests by h2load to server decrease dramatically.
it seems that h2load is stopping requests to server, but i don't see any
reason for that on serverside.

high count h2 idle streams

Hello List,

found today an abnormality in my apachestatus for some servers.
There are a lot of "h2  idle, streams" in apachestatus.

Configuration help - addhandler <> mod_proxy_fcgi

Hello List,

currently i use classic mod_fastcgi (fastcgiexternalserver) with
php-fpm, which is quite reliable.
A disadvantage of this setup is, that not every response-header set by
.htaccess will really send to client.
Something like this is the current setup:

<IfModule mod_fastcgi.c>
    AddHandler myphp-cgi .php
    Action myphp-cgi /cgi-fpm/php71-fpm
</IfModule>

The big advantage is, that my users are able to use addhandler by
.htaccess to choose any provided php-version.

Now i try to switch from mod_fastcgi to new recommend way of mod_proxy_fcgi

The basic variants with SetHandle

http/2 vs. Headername

Apache 2.4.25

Hello,

i have a small .htaccess with following content to view Foldercontents:
###
Options +Indexes
Headername /foo/bar.htm
###
This is working by http, but fails in https if browser uses http/2.
Chrome Message: ERR_SPDY_PROTOCOL_ERROR
Firefox: Secure Connection Failed

I don't see any error in my logs, http/2 Browsers just stop loading.
When disabling http/2, also https is working.
What to do now?

Thanks,
Hajo

apache 2.4 includes vi .swp files

Hello,

found an interesting difference between include behaviour of apache 2.2
and 2.4

Have an include in apache2.conf:

Include /etc/apache2/conf.d/

When editing a conf file in this folder by vi, vi creates a new swp file.
lets say i edit a file logging.conf, so vi creates a file .logging.conf.swp

When running "apachectl configtest" at this particular time, apache 2.4
tries to include the .logging.conf.swp which fails, because
.logging.conf.swp is binary and invalid.
This prevents apache 2.4 from successfully starting and leads to downtime.

Apache 2.2 tries not to include this .swp file a

http/2 Misdirected Request

Apache 2.4.25

Hello,

have an issue with http/2 and response "421 Misdirected Request".
I read this to inform about issues with multiple hosts and same
certificate.

apache 2.4 handling of subdomains with unallowed characters

Hello list,

i have some subdomains with unallowed characters, in my case the underscore.

In apache 2.2 subdomains like this worked: sub_domain.domain.com
In apache 2.4 this produces a 400 servererror (bad request)

It seems that apache 2.4's handling of allowed/not allowed chars is more
strict.

Is there a config-option to relax this behaviour to 2.2 standard?

postconf with symlinked files

Hello,

since some days we use postfix 3.1.0
We have some failoversystems and use a main.cf which is symlinked into a
drbd-area.
When using postconf to change a main.cf parameter, symlink is replaced
by regular file.
This behaviour is documented here: http://www.postfix.org/postconf.1.html

What is the reason for this behaviour? A symlinked file may have some
advantages. In our case it spares editing the main.cf after failover,
because main.cf always fits to current master-server (myhostname,
relayhost).
Is there a way to keep type of fileobject except avoiding postconf?

Thanks,
Hajo

apache 2.4 wildcardsubdomains

Hello List,

in apache 2.2 we had a typical vhost like this to realize
wildcardsubdomains:

<VirtualHost *:80>
ServerName *.example.com
ServerAlias *.example.com
DocumentRoot /var/www/wildcardexample/public_html
</VirtualHost>

In apache 2.4 wildcards are not allowed in servername.

spdy/http/2 and mod_php

Hello,

I am planning to upgrade my apache2.2 to 2.4., i have 2 questions before
where i need your help.

former SPDY Implementation conflicts with non-threadsafe Moduls like
mod_php. To use SPDY it is necessary to use worker-mpm and php-cgi.
Now HTTP/2 is new standard and i would like to know if HTTP/2
Implementation has same conflicts with non-threadsafe Moduls like
mod_php. As far as i know HTTP/2 is based on SPDY.

I have some non-standard Modules compiled and packaged for Apache2.2.

mod_rewrite vs. mod_jk

Hello,

i have a small mod_jk.conf and want to use mod_rewrite also:

JkMount /* ajp13
JkUnmount /test/* ajp13
RewriteEngine On
RewriteRule ^/$ /java_app/ [L]

Rewriting by mod_rewrite only works with urls which are unmounted by
JkUnmount.

strange 32bit apache-problem

Hello,

one of my machines i upgraded to ubuntu 14.04 32bit.
there is a apache 2.2.27 running on it (non ubuntu-repo).
i have a textfile which is 512byte long, it contains just some chars,
just one long line with a linebreak at the end.

If i request this file by wget from the same machine, all is looking
fine and readable.
If i request this file from a other machine, then file seems to be
corrupted. response-header and filesize are still ok.

filesmatch suspends AccessFileName?

Hello,

interesting thing here.

weird pstree postgrey

Hello,

i wonder about the weird pstree look when running postgrey in 12.04.
postgrey is shown with path and not daemon name:

init─┬─/usr/sbin/postg
├─atd

in previous version postgrey was shown in pstree with its daemon name:

|-postgrey

What is reason for this and how to fix this?

Thanks,
Hajo

german umlauts in filename

Hello List,

i have some files with german umlauts ö ä ü in filename and want to request
them by http.
filename is coded in latin1, in console/ftp etc.

mod_status, disable server-status for users

Hello List,

is there any possibility to hide server-status page provided by mod-status
for my users?
every user with .htaccess is able to use sethandler and able to view
complete status.
how to disable this?

Thanks,
Hajo

keepalivetimeout - odd behaviour

Apache 2.2.14

Hello,

try to linkcheck my domain with http://validator.w3.org/checklink
The linkchecker tells in some cases that my server would answer with 500:
Error: 500 Server closed connection without sending any data back
All i see in Log is no error but successful request to /robots.txt from
klink.w3.org.
When changing keepalivetimeout from 1 to 3 the error is gone and every test
of the linkchecker shows a correct analysis.
When changing back to 1, again only 50% of requests are successful.
Sounds strange to me...
Somebody has an explanation?

Thanks,
Hajo

securing sshd with selinux

Hello List,

dont have experience with selinux, but i want to know if it would be a
practicable way to secure sshd with selinux.
i have some webservers and want to grant ssh-access to some users. my plan
is to make new server where users are able to log in. the homes from
webserver are mounted in by nfs etc.
i dont like chroot-env for ssh, a lot of disadvantages...
also i dont like if users would scrabble folders that doesn't concern them.
so i thought it would be possible to restrict users by selinux so they dont
are able to see too much...

reload separate fcgid-application

Hello,

is there a possibility to reload a separate fcgid-application (mod_fcgid) if
something has changed?
May be the php.ini for my wrapper-script has changed and i want to reload
this application for vhost without disturbing other apps.
Is this possible? I think a reload of apache stops all fcgid-applications
and force to restart them, is this notice correct?

loadbalancing apache/tomcat

Hello List,

following situation: i have 1 apache which is connected by mod_jk to
multiple tomcat servers.
Now it seems to get necessary that i also need to balance the
apache-applications.
What is best practice in my case?
I think about nginx in first line which is connected to apache-servers and
tomcatservers as backends.
in nginx-conf i should be able to divide requests to adequate servers,
mod_jk is not needed any more because nginx is connected directly to
tomcats.
is this a well setup or should be putted into practice in an other way?

Thanks,
Hajo

mailbox_size_limit is smaller than message_size_limit - 64bit issue?

Hello,

i got following error in my log:

postfix/local[8755]: fatal: main.cf configuration error: mailbox_size_limit
is smaller than message_size_limit
postfix/master[8737]: warning: process /usr/lib/postfix/local pid 8755 exit
status 1
postfix/master[8737]: warning: /usr/lib/postfix/local: bad command
startup -- throttling

but values are:
mailbox_size_limit = 4096000000
message_size_limit = 102400000

using 32bit machine i can set
mailbox_size_limit = 4096000000
without problems.
on this 64bit machine postfix 2.5.1 local throws errors.

only
mailbox_size_limit = 0
works but is not what i

smtpd_sasl_path tcp-socket?

Hello,

my ambition is to completely separate mx and mail storage

i use smtpd_sasl_type dovecot.
In dovecot2 i can use a tcp-socket for auth-service.
i want to use this tcp-socket in postfix by smtpd_sasl_path
an assignment like:

smtpd_sasl_path = inet:localhost:1434

seems to work but it is not documented.
is it recommended to use the dovecot auth-service this way?
Are there alternatives if not?

Thanks,
Hajo

ssl-vhost-mixing issue

Apache 2.2.14

Hello List,

have a question to ssl and two vhosts.

i have 2 ip-based vhosts for enabling ssl for one domain in httpd.conf

<VirtualHost ip1.ip1.ip1.ip1:443>
Servername example.com
SSLCertificateFile crt1
</VirtualHost>

<VirtualHost ip2.ip2.ip2.ip2:443>
Servername example.com
SSLCertificateFile crt2
</VirtualHost>

document-root and Servername for the two vhosts are identical.

webdav antivir

Hello,

would like to activate virus scanning and block uploads for my webdav
clients.
Is there a practicable way to do this?
is someone using mod_clamav for apache?
http://software.othello.ch/mod_clamav/
seems to be not very up to date.

Re: mod_dav - practical use

Thanks for your help.

Re: mod_dav - practical use

ahh, sure... but i would need a new backend for every dav user. which software is recommend for this kind of backend? have no idea at the moment.

Thanks,
Hajo

mod_dav - practical use

Hello List,

a question to mod_dav. Some providers offer mod_dav to edit files which are
also editable/writeable by ftp-user?
In most cases ftp-users/apacheuser are different to avoid security problems.