I have an SSL cert valid for the www. and . subdomains on a domain. That’s up and working great. All traffic on http redirects to https, and all bare domain traffic redirects to the www. version. In short, everything ends up on https://www. So far so good.

However, I also have a .com. That currently has an apache level redirect (can’t change DNS currently)

At the moment going to the https://www.***.com address shows that the certificate isn’t valid, which is of course correct – it’s only for www and . on .co.uk.

Question

How do I get the https://www.***.com to redirect to https://www.***.co.uk without a valid SSL cert for the .com, and without changing the DNS?

Technical details

All domains point to same server. A vhost is set up for the ssl version and non ssl version, both with aliases for www and no www for the .co.uk and .com.

A rewrite rule like:

RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

pushes everything to https.

You can’t send redirects without a vlid certificate. The redirect is done in either the HTTP protocol by returning a 301 or 302 response, or in html content with a meta header. For this data to be sent, the SSL connection needs to be set up first, with a valid certificate. So don’t be ridiculously cheap and get an almost-free startssl certificate for the .com.

And if you don’t want to point that domain to a separate IP, you need to set up SNI support in apache to deal with multiple certs on one IP.

Check more discussion of this question.

I try to install Apache Benchmark using Is there a way to install Apache Bench (ab) without installing apache solutions on my centos but when i run yumdownloader httpd, i get error:

root@local [~/httpd]# yumdownloader httpd
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: yum.phx.singlehop.com
 * elrepo: repos.lax-noc.com
 * extras: centos.tcpdiag.net
 * updates: mirror.stanford.edu
No Match for argument httpd
Nothing to download

What is it? and how can i fixed it?

Edit 1:
i try to use Michael Hampton way but i get this errors:

root@local [~]# yum provides /usr/bin/ab
Loaded plugins: fastestmirror, security
Loading mirror speeds from cached hostfile
 * base: yum.phx.singlehop.com
 * elrepo: repos.lax-noc.com
 * extras: centos.tcpdiag.net
 * updates: mirror.stanford.edu
No Matches foundroot@local [~]# yum install httpd-tools
Loaded plugins: fastestmirror, security
Loading mirror speeds from cached hostfile
 * base: yum.phx.singlehop.com
 * elrepo: repos.lax-noc.com
 * extras: centos.tcpdiag.net
 * updates: mirror.stanford.edu
Setting up Install Process
No package httpd-tools available.
Error: Nothing to do

You can discover which package contains the program you want using yum provides:

yum provides /usr/bin/ab

Then you will see that ab is in the httpd-tools package.

And now you can install it:

yum install httpd-tools

Check more discussion of this question.

Yesterday I found that my Apache log file in my development machine was almost 50 GB in size.

Is there a way to limit the site of the Apache log file?

This is typically done using logrotate. Example logrotate configuration for Apache:

/var/log/httpd/*log {
    daily
    rotate 30
    compress
    missingok
    notifempty
    sharedscripts
    postrotate
      /bin/kill -HUP `cat /var/run/httpd.pid 2>/dev/null` 2> /dev/null || true
    endscript
}

Check more discussion of this question.

When checking the logfiles of some of my customers I found this as username for authenticated users. We have a .htusers file used for basic web auth, all other users in the serverlog I found in the .htusers, but not the @^Y@.@{phqsp~{2'/2|pq{jvk@-1('@lvo)&1--1.(/1)'@./* user.

Server version is 2.2.22 on 64b Opensuse 12

First question: was this user able to receive the content protected by the .htusers file?

Next one: anyone having more information about this break-in attempt? I found nothing on Google except lots of access-logs from all over the world.

Edit:
Just to add the logentries:

x.y.z.x - @^Y@.@{phqsp~{2'/2|pq{jvk@-1('@lvo)&1--1.(/1)'@./* [06/Jan/2013:16:53:16 +0000] "GET xxxxxxxxxxxxxxx HTTP/1.1" 200 676 "xxxxxxxxxxxxxxx" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.97 Safari/537.11"

x.y.z.x - @^Y@.@{phqsp~{2'/2|pq{jvk@-1('@lvo)&1--1.(/1)'@./* [06/Jan/2013:16:53:16 +0000] "GET xxxxxxxxxxxxxxx HTTP/1.1" 200 523 "xxxxxxxxxxxxxxx" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.97 Safari/537.11"

x.y.z.x - @^Y@&@{phqsp~{2'/2|pq{jvk@-1('@lvo)&1--1.(/1)'@./* [06/Jan/2013:16:57:47 +0000] "GET xxxxxxxxxxxxxxx HTTP/1.1" 200 11 "xxxxxxxxxxxxxxx" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.97 Safari/537.11"

I think there’s some bad news if the xxxxxx’ed-out ressources are located in the protected area. The http status code 200 in your logs tells that your server has happily sent out the ressource to the client x.y.z.x. If basic-auth had failed in any way, a 401 (forbidden) would have been returned instead.

The number next to the 200 tells you how many bytes have been sent in the answer. Check if the ressources behind the xxxxxx’es are actually 676, 523 and 11 bytes in size for another hint if the data was successfully accessed.

Update / Solution:

As it turned out in the comments, the mentioned accesses were to ressources in unprotected areas, thus resulting in http status code 200 (OK). The confusing fact that a unknown user name is shown in the logs is due to the possibilty to set the “Authorization” header in a http request regardless of whether authorization was requested by the server at all or whether the username is known on the server. So apparently this is the work of some webcrawler or bot having set the auth header by default. Maybe innocent, maybe not, but obviously not as harmful as it seems at a first glance to the logfile.

Check more discussion of this question.

We have a VERY busy cluster of servers. Our 16 app servers serve our application off of a local SSD on each machine, but they also process images which are then served off of our cdn. Because of this, we have a couple central image servers that we nfs mount from our app servers.
We recently had an issue with the image servers in which we were required to shut them down. No big deal, our CDN will still serve the majority of our images so no one should notice the downtime. Not quite..

Instead of continuing normal operations, the app servers instead shot up in load and crashed, or became unresponsive. After a day of digging, we narrowed the problem down to our nfs mount. Even though there were no reads or writes going to the nfs mount, the simple fact that it was down was causing apache to freeze up completely.
No big deal, we did some research and found that we were mounting our nfs volume as a hard mount, and we needed to switch to a soft mount, use intr, and set both a timeo value as well as a retr value. We set the number of retries to 0, and set the timeo=1 (it’s in tenths of a second, so I believe 1 is as low as we can go). With these settings in place we shut down the image servers to replicate the earlier crash and waited to see what happened.

The result was better, but only in that the entire system didn’t crash,but service because so slow that it may as well have been down. It seems that even at 1 tenth of a second, this is far too long for the nfs mount to timeout, so we end up with a huge backlog of connections at the load balancer, and maybe 1/10th capacity.

To verify my result, I unmounted the nfs mount from 4 of the 16 app servers, and request levels to those 4 servers were completely normal.

So, is there a way to set a lower timeout for the nfs mount, or to dismount the drive upon error, and have it auto remount after the down server comes back online? Or, is there another solution I am overlooking that doesn’t add a bunch of complexity to our system?

The first thing I would do is set the retrans option to 1 (or 0, but I don’t know if that will work as expected). This should lower the time it takes to actually timeout

Check more discussion of this question.

I am trying to show stack traces or at least some sort of errors rendered to the HTML response while using a WSGI script. A ModuleNotFound exception is raised when I tried to import a module the script can’t seem to find (which is fine for now), but all that is reported in the HTTP response is a rather vague Internal Server Error status 500 error which looks like Apache’s work.

How can I get a stack trace to show up?

Other information: I’m using Windows Server for this with Apache 2.2 (standalone, non-WAMP) as a service and CherryPy 3.2.2. I am using another machine on the same local network to edit the script through network sharing; I am unfamiliar with remote WSGI debugging, but if someone knows how to debug this without having to rely on apache’s error logs, I’d love some suggestions. I’ve tried lots of configuration options for CherryPy to no avail, so I’d love to hear if anyone is familiar with exactly this.

Please let me know if you have any ideas; thanks!

It was as simple as cleverly wrapping everything in a big try/except and including modules inside of the main reply function (yucky) and replying with a string formatted version of an exception.

Needless to say I ultimately ended up making a Django project for this (probably for the best).

Django gets the job done and then some.

Check more discussion of this question.

Not sure my question’s title is explicit, so I’ll try and explain it the best I can.

I have a dedicated web hosting server running Linux (Gentoo). There are a couple websites hosted on it, and therefore a couple domain names from multiple providers have their DNS zone settings set to point to my server.

There is one particular website that used to be hosted on this server, but was then removed. However, it looks like its domain name is still pointing to my server. If I cat /var/log/messages :

Jan 16 03:13:36 stock named[25829]: client XX.XX.XX.XX#XXXXX: query (cache) 'the-goddamn-domain.com/A/IN' denied
Jan 16 03:13:36 stock named[25829]: client XX.XX.XX.XX#XXXXX: query (cache) 'the-goddamn-domain.com/A/IN' denied
Jan 16 03:13:36 stock named[25829]: client XX.XX.XX.XX#XXXXX: query (cache) 'the-goddamn-domain.com/A/IN' denied
Jan 16 03:13:36 stock named[25829]: client XX.XX.XX.XX#XXXXX: query (cache) 'the-goddamn-domain.com/A/IN' denied
Jan 16 03:13:36 stock named[25829]: client XX.XX.XX.XX#XXXXX: query (cache) 'the-goddamn-domain.com/A/IN' denied
Jan 16 03:13:36 stock named[25829]: client XX.XX.XX.XX#XXXXX: query (cache) 'the-goddamn-domain.com/A/IN' denied
Jan 16 03:13:36 stock named[25829]: client XX.XX.XX.XX#XXXXX: query (cache) 'the-goddamn-domain.com/A/IN' denied
Jan 16 03:13:36 stock named[25829]: client XX.XX.XX.XX#XXXXX: query (cache) 'the-goddamn-domain.com/A/IN' denied
Jan 16 03:13:36 stock named[25829]: client XX.XX.XX.XX#XXXXX: query (cache) 'the-goddamn-domain.com/A/IN' denied
Jan 16 03:13:36 stock named[25829]: client XX.XX.XX.XX#XXXXX: query (cache) 'the-goddamn-domain.com/A/IN' denied
Jan 16 03:13:36 stock named[25829]: client XX.XX.XX.XX#XXXXX: query (cache) 'the-goddamn-domain.com/A/IN' denied
Jan 16 03:13:36 stock named[25829]: client XX.XX.XX.XX#XXXXX: query (cache) 'the-goddamn-domain.com/A/IN' denied
Jan 16 03:13:36 stock named[25829]: client XX.XX.XX.XX#XXXXX: query (cache) 'the-goddamn-domain.com/MX/IN' denied
Jan 16 03:13:36 stock named[25829]: client XX.XX.XX.XX#XXXXX: query (cache) 'the-goddamn-domain.com/MX/IN' denied
Jan 16 03:13:36 stock named[25829]: client XX.XX.XX.XX#XXXXX: query (cache) 'the-goddamn-domain.com/MX/IN' denied
Jan 16 03:13:36 stock named[25829]: client XX.XX.XX.XX#XXXXX: query (cache) 'the-goddamn-domain.com/MX/IN' denied
Jan 16 03:13:36 stock named[25829]: client XX.XX.XX.XX#XXXXX: query (cache) 'the-goddamn-domain.com/MX/IN' denied
Jan 16 03:13:36 stock named[25829]: client XX.XX.XX.XX#XXXXX: query (cache) 'the-goddamn-domain.com/MX/IN' denied
Jan 16 03:13:36 stock named[25829]: client XX.XX.XX.XX#XXXXX: query (cache) 'the-goddamn-domain.com/MX/IN' denied
Jan 16 03:13:36 stock named[25829]: client XX.XX.XX.XX#XXXXX: query (cache) 'the-goddamn-domain.com/MX/IN' denied
Jan 16 03:13:36 stock named[25829]: client XX.XX.XX.XX#XXXXX: query (cache) 'the-goddamn-domain.com/MX/IN' denied

As you can see, I have dozens of these a second.

Can I do anything to forbid these requests (except contacting the owner and asking him to change his DNS zone settings) ? The server already denies them, but I guess it still tries and wastes a couple of microseconds for each of them, which all added up is no good to me. I thought of banning the IPs but they always seem to change (guess the requests come from multiple DNS servers around the world).

You are asking “Can I do anything to forbid these requests?” but it seems that you are already doing it. Isn’t that exactly what 'the-goddamn-domain.com/A/IN' denied means?

If you are thinking of adding something else to do the filtering in front of the DNS server to save microseconds, then it doesn’t make much sense to do it. The new filter will still waste cycles filtering the request before it lets it through to the real DNS server. What you have right now is the optimal solution.

If are worried about the disk space wasted on logging, then there might be a way to silence the error message from the logs. If nothing else, you can simply filter out the message in your syslog configuration.

Or you can simply add the zone back with only an SOA record in.

Check more discussion of this question.

I am trying to redirect all requests for my default language (nl) to /nl….. (without showing the redirect to the user). So example.com should redirect to example.com/nl without visibly altering the url in the browser. Here is what I tried:

    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/en.*
    RewriteCond %{REQUEST_URI} !^/nl.*
    RewriteRule ^(.*)$  nl$1 [R,L]

The redirect is visible to the user (/nl/index.php) and in addition it results in a ‘too many redirect’.

If I try [P,L] I get: no permission to access ‘\’ on this server.

What is the correct way to achieve what I want?

There’s shouldn’t be an [R] after the RewriteRule as this tells Apache to send a 302 redirect rather than internally rewriting the URL.

The second part of the RewriteRule should start with a slash unless this is in a Directory context (such as in a .htaccess file or a <Directory > block). Without the slash, you are rewriting the URL to something like http://example.comnl/index.php rather than http://example.com/nl/index.php.

RewriteEngine On
RewriteCond %{REQUEST_URI} !^/en.*
RewriteCond %{REQUEST_URI} !^/nl.*
RewriteRule ^(.*)$  /nl$1 [L]

Check more discussion of this question.

My ELB keeps taking my instances out of service, because the HTTP health check is failing.

We have a DNS wildcard, and redirect everything to www:

vhost.conf:

ServerName www.example.com
ServerAlias *.example.com
RewriteEngine on
RewriteCond %{HTTP_HOST} !^www\.example\.com$ [NC]
RewriteRule ^ http://www.example.com/$1 [R=301,L]

This works fine for actual browsers, but the HTTP health check to / fails, presumably because it’s getting a 302.

Is the best option to use a TCP health check, or is there a way to get HTTP to work?

This question has been asked on the AWS forums and the answer was to set up a default vhost that handles traffic on the bare IP address and doesn’t do any redirects. This will mean that normal users who hit your IP address will not be redirected either.

You could alternatively specify the path part of the URL that you want the ELB to request and ignore that path by adding another RewriteCond:

RewriteCond %{HTTP_HOST} !^www\.example\.com$ [NC]
RewriteCond %{REQUEST_URI} !^/health-check$
RewriteRule ^ http://www.example.com/$1 [R=301,L]

Normal users who hit that URL will not be redirected.

You could also use the same technique to detect the User-Agent of the ELB.

RewriteCond %{HTTP_HOST} !^www\.example\.com$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^ELB-HealthChecker
RewriteRule ^ http://www.example.com/$1 [R=301,L]

Normal users who spoof their User-Agent will not be redirected.

Or the internal IP address of the ELB.

RewriteCond %{HTTP_HOST} !^www\.example\.com$ [NC]
RewriteCond %{REMOTE_ADDR} !^10\.
RewriteRule ^ http://www.example.com/$1 [R=301,L]

For this option to work, you will require either mod_rpaf (for Apache 2.2) or mod_remoteip (for Apache 2.4) to modify the REMOTE_ADDR variable to contain the correct part of the contents of the X-Forwarded-For header. As long as you set that up correctly, it shouldn’t be possible for a normal user to avoid the redirect response.

Check more discussion of this question.

In last days my apache is being attacked by many connections from proxies. I’ve identified the source but could not block the attack effectively.

The attacker seems to be using pyloris or a variation of this to attack my apache on port 80.

I installed nginx and varnish but not enough to support the extra load.

I also added a rule in iptables to drop packets that contain the string “X-Forwarded-For” but does not block all the proxies.

Does anyone have a suggestion?

Usually pyloris attacks are utilised using TOR network. As first step I would suggest you to block ip addresses of TOR network and check if it helps at all.

Here is a list of TOR network’s ip addresses

Let us know if it helps

—- Edited —–

Please try this one, it should work:

iptables -I INPUT 1 -p tcp –dport 80 -m string –string “X-Forwarded-For” –algo kmp -j DROP

I have seen pyloris packets contain a keep alive flag. It was something like “Keep-Alive: 300″ so having

iptables -I INPUT 1 -p tcp –dport 80 -m string –string “Keep-Alive” –algo kmp -j DROP

would help even more.

Check more discussion of this question.