Apache 2.4: SSL handshake not working correct for WebSockets?


I am using Apache as a "WebSocket Relay" that allows local clients to
connect to local Apache using "ws://" and Apache then maps this to
"wss://" and passes the request on to the actual serving backend.

I have defined a Virtual Host for this:
SSLProxyEngine On
ProxyRequests Off

<Proxy "*">
Order deny,allow
Deny from all
Allow from

ProxyPass /websocket/ wss://

So a local request to Apache for ws://websoc

basic_ncsa_auth with bcrypt?

Is there any opportunity to get basic_ncsa_auth working with bcrypt?

Best practice for restricting access to exact IP addresses


I am wanting to restrict a subdirectory of a website to a single, maybe
two, IP addresses.

I will refer to this documentation:
under the section "Access control by host".

This document suggests that 'Allow', 'Order', and 'Deny' are deprecated,
so I am avoiding using these going forwards. I decided to exercise this
restriction with mod_authz_host.

ProxyPassMatch returns 404

I have an application running on . I want to
route all traffic on my domain to this application and for this, I am
setting a proxypassmatch ProxyPassMatch ^/marmotta/(.*)$
http://localhost:8084/marmotta/$1 which is not working. When doing a
request on  on the server itself, I can
download the page but when doing , I am
getting a 404.

AH00052 error in apache

Hi All,

When I am starting apache, its started successfully and also listening to
that port.
But when I am sending request from browser to apache. It is not responding
and giving error AH00052.

[Wed Nov 29 11:14:04.956827 2017] [core:notice] [pid 2097152018:tid
7876215824606887940] AH00052: child pid 738197672 exit signal signal #31

What is the reason for this error ? and how to solve it.
Attaching my configuration file.


Libtool lock error


While building apache, I am getting this error:
libtool: compile: Waiting for mod_lbmethod_bytraffic.o.lock to be removed
libtool: compile: Waiting for mod_lbmethod_bytraffic.o.lock to be removed
libtool: compile: Waiting for mod_lbmethod_bytraffic.o.lock to be removed
libtool: compile: Waiting for mod_lbmethod_bytraffic.o.lock to be removed
libtool: compile: Waiting for mod_lbmethod_bytraffic.o.lock to be removed
libtool: compile: Waiting for mod_lbmethod_bytraffic.o.lock to be removed
libtool: compile: Waiting for mod_lbmethod_bytraffic.o.lock to be removed

This time I am getting error

Worker MPM with kill


I started apache server which has worker as mpm in debug mode. I killed the
process with kill -9 then it kills the process and stop debug. But when I
am using kill -term PID then it is not killing process. Whereas kill -term
PID is working with prefork debug.

If I want to use kill -term PID in debug mode of worker then how to do that.


how to free memory allocated using apr_palloc() - C Apache module

As written in the subject, is there a way to deallocate memory which has
been allocated using apr_palloc() and what is the best practice to do that?

thank you

Using variables with mod_substitute to rewrite dynamically


I’m trying to substitute a server name dynamically in xml responses
Substitute s||${SERVER_NAME}|n
to no success. Apache complains conf variable is not defined, but it is there in VirtualHost.

So far I was able only to use <IF> and put a specific substitute for a specific host. The reason I need it dynamically is that I have thousands of proxy rules through <Location> directives, I want to be able move those rules from one environment to another without updating a hardcoded value.


Remote_Port not recognized by SetEnvIf?


I'm trying to make a test using the REMOTE_PORT variable introduced in
2.4.26 according to the docs:

Problem I find is I can set this up easily with mod_rewrite.

RewriteEngine on
RewriteRule .* - [E=REMOTE_PORT:%{REMOTE_PORT},NE]
Header set RPHdrname %{REMOTE_PORT}e

But SetEnvIf does not recognize Remote_Port.
Docs do not say it supports it, but since it is recent, I had hoped
docs were not updated since 2.4.26 or similar.

Tested this, perhaps incorrectly or in a too convoluted way, I will
appreciate your feedback:

SetEnvIf Rem

Apache with c99 or c11

Hi All,

I have compiled my apache with c99 and its working fine. I am planning to
use c11 compiler also.
Is there any impact will occur if I use c11 in place of c99 ?

Few more questions :
1) My apr is not supporting sendfile,random and mmap. What will be the
impact ?
2) When I am sending request from apache j-meter to my apache server then
for http is working fine with good TPS but for https, TPS is not good
because for most of the request it is taking connection time of
7000-9000ms. Is there anything am I missing in ssl configuration so that it
shouldn't connect continuously.


Apache 2.4, ipmatch and ipv6

Dear all,

I am struggling with a SetEnvIf Directive and ipv6:

<If "-R fe80::216:3eff:feaf:525b/64">
SetEnvIf showindex=1

Error message:

Cannot parse condition clause: syntax error, unexpected ':', expecting
$end: -ipmatch requires subnet/netmask as constant argument

It seems that ipmatch cannot handle ipv6 addresses? Is this true?

My version:

Server version: Apache/2.4.10 (Debian)
Server built: Feb 24 2017 18:40:28

On proxy insert header from database using client certificate CN as a key

Dear all,

I'd like to perform the following task on Apache proxy:
* take some value from client certificate (either common name or email);
* query some database by this value as a key;
* use resulting value in a new header inserted into connection.

Is it possible to solve it using only Apache modules? What modules
should I look into?

(Plan B is to pre-generate Apache config with many If's on
%{SSL:SSL_CLIENT_S_DN_CN}, but of course I'd like cleaner solution.)

extract auth header from query string

i have a user who is connecting to a websocket that requires a basic
authentication header. they're doing this from the browser's javascript as

wss://user: ... at myhost dot com/endpoint

that's not supported in all browsers (Safari on iphone). as a workaround,
perhaps they can use:


then apache can rewrite to the correct url and add the needed Authorization

Any help on implementing or other ideas would be most appreciated.


Logging SSL Handshake Duration

Hi Everyone,

I am looking for a way to determine the time spent on a SSL Handshake in an access log. So far i’ve discovered only env-vars and log formats (like %D) returning the overall time spent on a request. The background here is that i sometimes get requests which take up to 10 seconds, all of them being initial requests, so the handshake has to be done. The actual request to the application gets independently logged and does take some milliseconds.

SSI conditionals AFTER apache auth?

Evening everyone,

I'm trying to make it so that only certain elements on a web page are
visible to users logged in, and are otherwise not displayed using
mod_include flow control
The only way I've been able to do that so far is to detect the cookie
that the apache auth sets, which works sort of. Of course if I just
manually set the cookie in my browser then the stuff shows and just
confuses the whole setup I put.

Strange behavior of VirtualHosts in Apache (Apache 2.2.15 - CentOS6)


there is a short explanation about virtual hosts in Apache ...

the `hostname` gives a different domain name than what should be hosted ...

yum update puts back removed Apache modules

It seems as though “yum” update has replaced Apache modules installed in the default installation, that we had removed after the initial install because they weren’t used.

Is there some way to prevent that from happening?


decompressing gzipped response?

I'm using Apache HTTPClient 4.5.3 to make some HTTP requests, but I am
getting a gzipped response back I have tried many things I found online but
none of them worked. I still get gibberish when I print the response. Below
is the relevant code.

Apache 2.4 DoS?


I am running old PHP under Apache httpd-2.4.

During a typical day:

Server load: 0.03 0.03 0.05
Total accesses: 16028 - Total Traffic: 1.4 GB
CPU Usage: u20.92 s1.24 cu.01 cs.23 - .00163% CPU load
.0116 requests/sec - 1104 B/second - 92.7 kB/request
2 requests currently being processed, 8 idle workers

Though, every few weeks, we see sudden increase in workers who never seem to

[Fri Nov 10 02:43:20.019924 2017] [mpm_prefork:error] [pid 13584] AH00161:
server reached MaxRequestWorkers setting, consider raising the
MaxRequestWorkers setting

user@server[/var/www]$ ps aux | grep [h]t

Proxying WebSockets + Event MPM


I was wondering if idle websocket connections still tie up a thread or not
when using the event MPM + proxy mode. According to this thread -
was experimental support in trunk (back in 2015) to offload them. Did this
ever make it to 2.4 and if so, starting from which version? Thanks.

Apache Reverse Proxy and NTLM Authentication Help!


I am using apache 2.4.8 on a ubuntu 16.04 LTS. I am using apache as a
reverse proxy. I have a website that is using NTLM authentication.

The traffic seems to be proxied right as I get the authentication popup
window, but the window keeps popping up even after supplying correct

After researching it turned out to be related with maintaining persistent
connections. So, I added "KeepAlive On" to the virtual hosts config file,
but this doesn't seem to have helped.

I see many posts talking about these issues, but nothing recent.

RES: Receiving only 8000 bytes in CGI programs using post method

Hi again!

I forgot to mention some very important information:

When we are in non-secure mode, via port 8086, on localhost or on the same network the content is not cut and CGI reads all content.

When we are out of the network where the APACHE server is running, through port 8086 in non-secure mode, the content is cut off and the CGI only reads the first 8000 bytes.

So we can not read all the content when we are remote and not secure, without SSL.

Any suggestion?

Receiving only 8000 bytes in CGI programs using post method


We have an Apache / 2.4.27 (Win32) OpenSSL / 1.0.2l running on Win7. The server serves the Web pages on port 80 and port 443.

Here is the brief description of the problem we are in.

When we use the Apache server to service non-secure web pages (server running on port 8086) all bytes are sent to CGI programs during the publishing method. Always returns response 200, and does not return response 413.

X-Forwarded-For header is missing

Hi Team,

I configured apache http web server to redirect incoming WEBSERVICE call to
another backend application server, X-Forwarded-For is missing(webserver
ip) in backend call.

I have configured below in my webserver httpd.conf file.

ProxyPass /TestProject
ProxyPassReverse /TestProject


Reverse Proxy migration

Hi,

All our Atlassian applications are hosted in windows 2012 and they are
running behind Apache HTTP Reverse proxy (version-Apache/2.4.20 (Win64)
OpenSSL/1.0.2h) which is also a windows server.
The reverse proxy also using by some other applications for proxying.

Now, The current reverse proxy got corrupted and we have to move the
reverse proxy configuration to new windows server as it is now in old

Please find the attached files for your reference.

Here we may need your advise to move the reverse proxy configuration and
settings to be done in new server with detailed steps.

SSI conditionals not accepting "||" or "&&"

Good afternoon all,

I've been tinkering with setting up SSI's in some HTML of mine, and
one thing I'm trying to do is have the server decide if it should post
a signup link, or display a logged-in users name (using perl cgi

how to run one module before another

How can I decide the order of two module or at least having one always
running before another one?


Apache creates Semaphore


Semaphore is used in multi process environment to share resources within
processes. But when I am starting apache in debug mode i:e single process
then still it creates semaphore. May I know the reason why it is creating
semaphore in debug mode also.


Apache "marking down" a back-end server

Hello Everyone,

I am seeing one interesting behavior of Apache httpd.

We have multiple Apache httpds in front of set of Tomcat JVMs. I found
that sometimes *one of the httpds marking one of the JVMs down* for
180 Sec("retry" value). As a result, users logged on that JVM are
getting 5xx error. First, I suspected that long GCs are causing it but
it was not the case. We have 5 Sec of "ping" timeout and GCs during
problem period was 500ms-700ms. Also there were plenty of threads
available in the JVM to cater new requests.

mdns and/or dns-sd for virtual servers


I would like to have an internal apache server that when I build a virtualhost, apache, or the host os can send out mdns (or DNS-SD) advertisements.

Thus, an internal site deployment can automagically notifiy all hosts in the LAN of its new presence.

I see references to mod_domain, and mod_dnssd, but both of them seem to be in alpha or early beta status. is this still the case?

Apache with Semaphore


When I am starting apache in debug mode then it creates semaphore. In
another terminal I am giving command "httpd -k stop" to stop apache. It
stops successfully but it is not removing semaphore.

Why apache is not sending signal to remove semaphore in debug mode after
stop it.


header out working in local apache but not on development environment

I used this apache C function

* apr_table_addn(r->err_headers_out , "Remote-Proxy-User",
I can see the result in my chrome dev tool when I use it in an apache
running locally but It does not work in the development environment.
what could be the reason?
Thank you

Start apache with tomcat

Hi All,

I am using tomcat-7.0.82 and httpd-2.4.25.

Following are my configuration :

in server.xml

<!-- Define an AJP 1.3 Connector on port 8009 -->

<Connector port="5644" enableLookups="false" redirectPort="8443"
protocol="AJP/1.3" URIEncoding="UTF-8" />

in httpd.conf

Listen 5643

Loaded mod_proxy_ajp and mod_proxy

Include /home/ananya/apache-2.4.25/other/ajp.conf

in ajp.conf

ProxyRequests Off

<Proxy *>

Require all granted


ProxyPass / ajp://

ProxyPassReverse / ajp://

I started both tomcat and apache server.

Re: [users@httpd] RE: [ANNOUNCE] Apache HTTP Server 2.4.29 Released

I’m not sure if this is what is referred to in the Apache 2.4.29 announcement, but please note that the Apache Portable Runtime v1.6.3 release resolved memory safety issues I found in functions used within HTTP server. This was released in conjunction with 2.4.29.

Using HTTP server linked to prior versions of APR exposes the risks outlined in my email sent to this list on Monday.

Best Regards,

The 2.4.29 changes document doesn't reference any CVE articles, though the announcement indicates that this is a security release.

Module per crypt/decrypt using base64 coding

Hi all,

is there a module that does it? I want to see its source code?


How can I detect if SSLEngine is ON?


I am using virtualmin to run my site, and there is no method to set an apache template separately for an ssl site. that i am aware of. I am asking them this right now.

Independently, my question to this list is “in the apache configuration, how do I tell if SSLEngine is set to ON”.

rpmbuild of httpd-2.4.29


I have finished rpmbuild of httpd-2.4.29 perfectly and installed it
successfully using the rpm.
Thank you all relative to this release.

CentOS 7.4
kernel: 3.10.0-693.5.2

Yours truly,
Kazuhiko Kohmoto

How do I configure two subversion repositories on one apache server?

Hi I have two svn repositories on the same apache server under two virtual
hosts on port 9000. Both hosts have their own certificates. The problem
is, when I try to try and do an svn up I get this error below.

Memory Safety Issues Handling SDBM

Apache HTTP Server security may be impacted by missing bounds checks in the SDBM implementation from APR prior to version 1.6.3 (released October 22, 2017) [1]. SDBM can be used in various parts of Apache HTTP Server including most notably for authentication and object caching.

ErrorDocument doesn't work with non-pathed (root) URL?

I've got a virtual server with Wordpress installed in it (base dir install). Apache 2.4.6 (latest for RHEL). Apps group has a requirement that their entire site be protected (only certain "users" can access), and so a complex RequireAny was set up. That has been working fine for some time.

Now, the application group would like to add a custom page for any 403 for people who do not meet the RequireAny requirements. I've added an ErrorDocument (pointing to a different vserver, since this site is otherwise protected from even serving a 403).

Apache HTTP Server 2.4.29 Released

Apache HTTP Server 2.4.29 Released

October 23, 2017

The Apache Software Foundation and the Apache HTTP Server Project
are pleased to announce the release of version 2.4.29 of the Apache
HTTP Server ("Apache"). This version of Apache is our latest GA
release of the new generation 2.4.x branch of Apache HTTPD and
represents fifteen years of innovation by the project, and is
recommended over all previous releases.

log in socket.c in APR

Hi All,

I want to add log statement in apr to check some function in apr. When I am
adding ap_log_perror in socket.c in apr, it is giving error.

Is there any way to print logs of apr. please help.


Undefined Symbol Prevents from Loading

I am building Apache 2.4.28 on RedHat Linux 2.6.32-573.el6.x86_64 for use as a reverse proxy server, to upgrade from Apache 2.4.23.

SSL Session Timeout value



- My backend service is configured to TLS1.1 initially. Client support
all TLS versions.
- Upon sending a request SSL handshake happens like this.
*Client Hello TLS1.2 Server Hello TLS1.1*
- Then i configure backend service to TLS1.2
- Upon sending a request handshake fails.
*Client Hello TLS1.1 *(Due to previous session memory of 1.1 backend
service) And *connection fails*.

Full cache locking requested


In the Apache docs here:


it says: 'When a cached entry becomes stale'

It seems that this does not include the first call: the first uncached fragment is not protected by the cache lock, so all requests for the first fragment will hit the origin.

In the case of live video streaming players keep requesting the last (new) fragment as it is produced by an encoder.

Unfortunately, other caching tools (Nginx, Varnish) must be used as Apache itself cannot be used.

Is ‘full cache locking’ something that has been discussed

SSL hooks


I am looking at this file
and see that there are 3 hooks defined for handling SSL connections. Are
these available for modules/handlers to use?

Can my module register to these hooks and manipulate SSL context?


Apache load module path


I have LoadModules configured under the default RedHat httpd directory.

LoadModule proxy_module /usr/lib64/httpd/modules/mod_proxy.

I would like the modules to be changed to another

Should I just update the new modules path in the httpd.conf file and
restart httpd?

Please let me know if it is correct. Are there any additional steps

URI query string in a post method

Hello All,
I have an application where the client is sending a post method / form to
an apache reverse proxy and the request contains a uri query string.
Apache is throwing a 400 bad request on this. is there a way to tell
apache to ignore a malformed post method? I understand you cannot rewrite
it as they would lose their post data.

thx in advance,

how to include ssl lib when running apxs

I am compiling my apache c module using this

sudo apxs -i -a -c mod_ex.c

now I need to use the lib openssl

what should I use to include this lib,

I tried with adding this option:

-I /usr/include/openssl

but it still seems that it does find some function.

Please how shall I do to include it?

Assistance with file + ldap auth config moving from httpd 2.2 to 2.4


    I am trying to move a web application from httpd 2.2 to httpd 2.4 ,
and I need some assistance with a particular configuration

    The Authorization / Authentication schema in httpd 2.2 is as follows
(this goes inside a <Directory> tag ):

    AuthUserFile /etc/hobbit/hobbitpasswd
    AuthGroupFile /etc/hobbit/hobbitgroup
    AuthType Basic
    AuthName "Hobbit user"

    AuthBasicProvider file ldap
    AuthzLDAPAuthoritative off
    AuthLDAPBindDN " ... at arsyslan dot es"

Where does ap_rprintf actually print out?

Writing an apache C module I tried this function:


but I don't know where it does print out. Does it in any specific file?

I called it this way:

ap_rprintf(r, "print out!");
and checked in the error.log nor in the access.log

how to exit a C Apache module

I tried with the C exit() but it returns a page with this content:

*The connection was resetThe connection to the server was reset while the
page was loading. The site could be temporarily unavailable or too busy.
Try again in a few moments. If you are unable to load any pages, check
your computer’s network connection. If your computer or network is
protected by a firewall or proxy, make sure that Firefox is permitted to
access the Web.*

What should I use instead for exiting my module without doing anything else?

thank you

apr_socket_accept error


When I am starting my apache-2.4.25, I am getting following error.

[Wed Oct 11 13:05:23.521575 2017] [core:error] [pid 1744830478]
(4104)Socket operation on non-socket: AH02179: apr_socket_accept: (client

What are the reasons for this error.
Help will be appreciated.


how to deploy custom C modules on Apache

I created my custom module starting from an existing module source code;
now I need to deploy it in the development environment and later on the
test environment.

Please I need to know the steps to do that.

what should I do other than

1) launching this command:

/usr/bin/apxs2 -i -n mymod

2) configuring conf and load files and adding the proper <Location> tag

3) enable the module and restart apache

high count h2 idle streams

Hello List,

found today an abnormality in my apachestatus for some servers.
There are a lot of "h2  idle, streams" in apachestatus.

httpd 2.4.28 installed


CentOS Linux release 7.4.1708 (Core)
kernel:  3.10.0-693.2.2.el7.x86_64

httpd 2.4.28 was successfully installed via rpm form.
Thank you all for this great job.

Yours truly,
Kazuhiko Kohmoto

how to get the expiration date of a cookie

I cannot find a place where is written how to get the expiration date of
the cookie I set.
Please anyone knows how to do that?


Server version: Apache/2.2.15


I’ve just subscribed to Apache forum recently.
Please advise URL for posting to the forum.
I apologize for piggy-back on ... at gmail dot com’s email below.

We have recently upgraded our server to : Apache Server version: Apache/2.2.15
and have encountered this phenomenon:

The old server, will display page_name.html.n file from the document root; where ‘n’ is some digit
So, page_name.html.n would display as a html page successfully.
But on the new server Apache Server version: Apache/2.2.15.
It would prompt to open or save and won’t displ

Difference in Apache version

Hello all,

- I am running Apache httpd version *2.2.29* and server built on Aug 23
2015 13:19:54 .

/usr/local/apache2/bin/httpd -v

*Server version: Apache/2.2.29 (Unix)*

*Server built: Aug 23 2015 13:19:54*

- But the server-status page shows a different version and built.


- Can you please advise what is wrong with my configuration?
