Posted to users@httpd.apache.org by Pete Beebe <pe...@yahoo.com> on 2009/04/13 22:33:04 UTC
[users@httpd] HTTP misconfiguration?
Hello, I'm running Apache/2.2.6 on a NIX system as a front-end which redirects port 80 requests to 443 and then hands off traffic to a Tomcat instance.
This morning I was informed that the website was "down". I confirmed that the expected page(s) were not accessible. Instead, to my alarm, I found the contents of the httpd_ssl.conf file displayed in place of the default pages. Not so good.
Restarting the httpd service corrected this issue however I'm trying to determine specifically what could have caused this to occur.
Would anyone have info I could read up on as to how this happened and suggestions (other than suggestion of upgrading the http server version which is obvious). I'd be happy to pass on any obfuscated info as needed.
TIA,
Pete
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] HTTP misconfiguration?
Posted by André Warnier <aw...@ice-sa.com>.
Hi.
Probably nothing to do with your problem, and I am not quite sure it
really matters because I have not analysed your configuration in detail,
but in principle ...
This line
DocumentRoot /d01/tomcat/webapps/zeABC
means that you are allowing Apache to serve the files that are below
that directory, including what is below WEB-INF in that directory, for
example the web.xml of your application.
Pete Beebe wrote:
> Thank you, Tony,
>
> HTTPD was installed from the 2.2.6 source against a RHES4.0 OS.
>
> The end-user that reported the issue simply stated "web site down" whereas when I navigated to the default pages I was looking at the contents of the http-ssl.conf file with no error message.
>
> The only recent changes to the Apache install were an update to the ssl.conf file's certificate names and adjusting the proxy_pass/rewrite commands in order to properly pass traffic from Apache to Tomcat's webapp. I thought that perhaps the proxy_pass/rewrite bit might have been the issue but figured if it was configured wrong a more persistent error would be evident.
>
> Config params for the source compile were:
>
> "./configure" \
> "-prefix=/d01/apache" \
> "--enable-ssl" \
> "--enable-proxy" \
> "--enable-dav" \
> "--enable-dav-fs" \
> "--enable-dav-lock" \
> "--enable-vhost-alias" \
> "--enable-rewrite" \
> "--enable-so" \
> "--with-include-apr" \
> "--with-ssl=/usr/include/openssl" \
> "--with-mpm=worker" \
>
> The Apache server listens on two NICs for two sites which both run on a Tomcat back-end.
>
> -----------
> HTTPD.CONF:
> -----------
>
> ServerRoot "/d01/apache"
> Listen 80
> <IfModule !mpm_netware_module>
> User daemon
> Group daemon
> </IfModule>
> ServerAdmin jondoe.admin@jondoe.com
> DocumentRoot "/d01/apache/htdocs"
> <Directory />
> Options FollowSymLinks
> AllowOverride None
> Order deny,allow
> Deny from all
> </Directory>
> <Directory "/d01/apache/htdocs">
> Options Indexes FollowSymLinks
> AllowOverride None
> Order allow,deny
> Allow from all
> </Directory>
> <IfModule dir_module>
> DirectoryIndex index.html
> </IfModule>
> <FilesMatch "^\.ht">
> Order allow,deny
> Deny from all
> Satisfy All
> </FilesMatch>
> ErrorLog logs/error_log
> LogLevel warn
> LoadModule jk_module modules/mod_jk.so
> Include "/d01/apache/conf/mod_jk.conf"
> <IfModule log_config_module>
> LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
> LogFormat "%h %l %u %t \"%r\" %>s %b" common
> <IfModule logio_module>
> # You need to enable mod_logio.c to use %I and %O
> LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
> </IfModule>
> CustomLog logs/access_log common
> </IfModule>
> <IfModule alias_module>
> ScriptAlias /cgi-bin/ "/d01/apache/cgi-bin/"
> </IfModule>
> <IfModule cgid_module>
> </IfModule>
> <Directory "/d01/apache/cgi-bin">
> AllowOverride None
> Options None
> Order allow,deny
> Allow from all
> </Directory>
> DefaultType text/plain
> <IfModule mime_module>
> TypesConfig conf/mime.types
> AddType application/x-compress .Z
> AddType application/x-gzip .gz .tgz
> </IfModule>
> Include conf/extra/httpd-mpm.conf
> Include conf/extra/httpd-ssl.conf
> <IfModule ssl_module>
> SSLRandomSeed startup builtin
> SSLRandomSeed connect builtin
> </IfModule>
> Alias /abc /d01/tomcat/webapps/zeABC
> <Directory /d01/tomcat/webapps/zeABC>
> Options FollowSymLinks Includes
> DirectoryIndex index.html
> AddHandler server-parsed shtml
> order allow,deny
> allow from all
> </Directory>
>
> <VirtualHost 10.0.0.11:80>
> ServerAdmin jondoe.admin@jondoe.com
> DocumentRoot /d01/tomcat/webapps/zeABC
> ServerName www.zeABC.com
> ServerAlias zeABC.com
> ScriptAlias /cgi-bin/ /home/zeABC/cgi-bin/
> RewriteEngine on
> RewriteCond %{SERVER_PORT} !^443$
> # RewriteRule ^(.*)$ https://www.zeABC.com/abc/$1 [L,R]
> RewriteRule ^(.*)$ https://www.zeABC.com/zeABC$1 [L,R]
> </VirtualHost>
> <VirtualHost 10.0.0.12:80>
> ServerAdmin jondoe.admin@jondoe.com
> DocumentRoot /d01/tomcat/webapps/zeABC
> ServerName www.XYZ.com
> ServerAlias XYZ.com
> ScriptAlias /cgi-bin/ /home/zeABC/cgi-bin/
> RewriteEngine on
> RewriteRule ^(.*) https://www.XYZ.com/abc
> </VirtualHost>
> ServerTokens Minimal
>
> --------------
> HTTP-SSL.CONF:
> --------------
> Listen 443
> AddType application/x-x509-ca-cert .crt
> AddType application/x-pkcs7-crl .crl
> SSLPassPhraseDialog builtin
> SSLSessionCache "shmcb:/d01/apache/logs/ssl_scache(512000)"
> SSLSessionCacheTimeout 300
> SSLMutex "file:/d01/apache/logs/ssl_mutex"
> <VirtualHost 10.0.0.11:443>
> DocumentRoot "/home/ABC_ssl/tmp"
> ServerName www.ABC.com
> ServerAdmin jondoe.admin@jondoe.org
> ErrorLog logs/ssl_error_log
> CustomLog logs/ssl_access_log combined
> <Directory "/home/ABC_ssl/tmp">
> Options Indexes FollowSymLinks MultiViews
> AllowOverride None
> Order allow,deny
> Allow from all
> </Directory>
> ScriptAlias /cgi-bin/ "/home/ABC_ssl/cgi-bin/"
> <Directory "/home/ABC_ssl/cgi-bin">
> AllowOverride None
> Options None
> Order allow,deny
> Allow from all
> SSLOptions +StdEnvVars
> </Directory>
> ProxyPass /ABC/ http://10.0.0.11:9001/ABC/
> ProxyPassReverse /ABC/ http://10.0.0.11:9001/ABC/
> SSLEngine on
> SSLProtocol -ALL +SSLv3 +TLSv1
> SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
> SSLCertificateFile /d01/apache/conf/ssl.crt/www_ABC_com.2009.crt
> SSLCertificateKeyFile /d01/apache/conf/ssl.key/www.ABC.com.key
> SSLCACertificateFile /d01/apache/conf/ssl.prm/intermediate.crt
> SSLCertificateChainFile /d01/apache/conf/ssl.crt/www_ABC_com.ca-bundle
> <Location />
> SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
> ErrorDocument 403 http://www.ABC.com/error_4035.cfm
> </Location>
> SetEnvIf User-Agent ".*MSIE.*" \
> nokeepalive ssl-unclean-shutdown
> </VirtualHost>
> <VirtualHost 10.0.0.12:443>
> DocumentRoot "/home/xyz"
> ServerName www.XYZ.com
> ServerAdmin jondoe.admin@jondoe.org
> <Directory "/home/xyz">
> Options Indexes FollowSymLinks MultiViews
> AllowOverride None
> Order allow,deny
> Allow from all
> </Directory>
> ScriptAlias /cgi-bin/ "/home/xyz/cgi-bin/"
> <Directory "/home/xyz/cgi-bin">
> AllowOverride None
> Options None
> Order allow,deny
> Allow from all
> SSLOptions +StdEnvVars
> </Directory>
> RewriteEngine on
> RewriteRule ^/abc /ABC/XYZOMG/ [R]
> ProxyPass /ABC/ http://10.0.0.11:9001/ABC/
> ProxyPassReverse /ABC/ http://10.0.0.11:9001/ABC/
>
> SSLEngine on
> SSLProtocol -ALL +SSLv3 +TLSv1
> SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
> SSLCertificateFile /d01/apache/conf/ssl.crt/www_XYZ_com.crt
> SSLCertificateKeyFile /d01/apache/conf/ssl.key/www.XYZ.com.key
> SSLCACertificateFile /d01/apache/conf/ssl.prm/intermediate.crt
> SSLCertificateChainFile /d01/apache/conf/ssl.crt/www_XYZ_com.ca-bundle
> <Location />
> SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
> ErrorDocument 403 http://www.ABC.com/error_4035.cfm
> </Location>
> SetEnvIf User-Agent ".*MSIE.*" \
> nokeepalive ssl-unclean-shutdown
> </VirtualHost>
>
>> From: Tony Stevenson <to...@pc-tony.com>
>> Subject: Re: [users@httpd] HTTP misconfiguration?
>> Pete,
>>
>> I would suggest initially you tell us about your install
>> of HTTPD, is it from source, or from a vendor package?
>> Can you show us your config? Either an anonymised one, or
>> one that covers the main httpd config, along with your ssl
>> config.
>>
>> Is it possible that you have an overlapping config, that
>> exposes your config files. i.e. a misconfigured docroot, or
>> symlinks?
>>
>> Also, what error were you getting when the "site was
>> down" 40x?, 50x? - Specifics can help us here.
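The two configuration risks raised so far in the thread (a DocumentRoot or Alias mapped onto a Tomcat webapp directory, and a served path that overlaps the server's own conf directory) can be checked mechanically. The Python below is an added example, not code from any poster; the function names, the has_web_inf probe and the sample excerpt are assumptions made for illustration.

```python
import os
import shlex
from pathlib import PurePosixPath

# Constructed excerpt, modelled on directives quoted in the thread.
SAMPLE_CONF = """\
ServerRoot "/d01/apache"
DocumentRoot "/d01/apache/htdocs"
Alias /abc /d01/tomcat/webapps/zeABC
<VirtualHost 10.0.0.11:80>
DocumentRoot /d01/tomcat/webapps/zeABC
</VirtualHost>
<VirtualHost 10.0.0.11:443>
DocumentRoot "/home/ABC_ssl/tmp"
</VirtualHost>
"""

def web_inf_on_disk(path):
    """Default probe: does the served directory contain a WEB-INF folder?"""
    return os.path.isdir(os.path.join(path, "WEB-INF"))

def audit(conf_text, has_web_inf=web_inf_on_disk):
    """Return (line_no, directive, path, problem) tuples for risky mappings."""
    server_root, served, guarded = None, [], False
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("<") and "WEB-INF" in line.upper():
            guarded = True  # assumption: a section naming WEB-INF denies it
        name = line.split(None, 1)[0] if line else ""
        if name.lower() not in ("serverroot", "documentroot", "alias"):
            continue
        args = shlex.split(line)[1:]  # handles quoted paths
        if not args:
            continue
        if name.lower() == "serverroot":
            server_root = PurePosixPath(args[0])
        else:
            served.append((no, name, args[-1]))  # Alias: last arg is the path
    findings = []
    conf_dir = server_root / "conf" if server_root else None
    for no, name, path in served:
        p = PurePosixPath(path)
        if server_root and not p.is_absolute():
            p = server_root / p  # relative paths resolve against ServerRoot
        if conf_dir and (p == conf_dir or p in conf_dir.parents
                         or conf_dir in p.parents):
            findings.append((no, name, str(p), "overlaps ServerRoot/conf"))
        if not guarded and has_web_inf(str(p)):
            findings.append((no, name, str(p), "WEB-INF reachable"))
    return findings

if __name__ == "__main__":
    # Constructed probe result: only the Tomcat webapp holds WEB-INF.
    fake = lambda p: p == "/d01/tomcat/webapps/zeABC"
    for finding in audit(SAMPLE_CONF, fake):
        print(finding)
```

On Apache 2.2 a "WEB-INF reachable" finding can be closed with a <DirectoryMatch> section covering WEB-INF and META-INF that carries "Order allow,deny" and "Deny from all", or by proxying to Tomcat instead of mapping the webapp directory.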
Re: [users@httpd] HTTP misconfiguration?
Posted by Pete Beebe <pe...@yahoo.com>.
Thank you, Tony,
HTTPD was installed from the 2.2.6 source against a RHES4.0 OS.
The end-user that reported the issue simply stated "web site down" whereas when I navigated to the default pages I was looking at the contents of the http-ssl.conf file with no error message.
The only recent changes to the Apache install were an update to the ssl.conf file's certificate names and adjusting the proxy_pass/rewrite commands in order to properly pass traffic from Apache to Tomcat's webapp. I thought that perhaps the proxy_pass/rewrite bit might have been the issue but figured if it was configured wrong a more persistent error would be evident.
Config params for the source compile were:
"./configure" \
"-prefix=/d01/apache" \
"--enable-ssl" \
"--enable-proxy" \
"--enable-dav" \
"--enable-dav-fs" \
"--enable-dav-lock" \
"--enable-vhost-alias" \
"--enable-rewrite" \
"--enable-so" \
"--with-include-apr" \
"--with-ssl=/usr/include/openssl" \
"--with-mpm=worker" \
The Apache server listens on two NICs for two sites which both run on a Tomcat back-end.
-----------
HTTPD.CONF:
-----------
ServerRoot "/d01/apache"
Listen 80
<IfModule !mpm_netware_module>
User daemon
Group daemon
</IfModule>
ServerAdmin jondoe.admin@jondoe.com
DocumentRoot "/d01/apache/htdocs"
<Directory />
Options FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
</Directory>
<Directory "/d01/apache/htdocs">
Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
<IfModule dir_module>
DirectoryIndex index.html
</IfModule>
<FilesMatch "^\.ht">
Order allow,deny
Deny from all
Satisfy All
</FilesMatch>
ErrorLog logs/error_log
LogLevel warn
LoadModule jk_module modules/mod_jk.so
Include "/d01/apache/conf/mod_jk.conf"
<IfModule log_config_module>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
<IfModule logio_module>
# You need to enable mod_logio.c to use %I and %O
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
</IfModule>
CustomLog logs/access_log common
</IfModule>
<IfModule alias_module>
ScriptAlias /cgi-bin/ "/d01/apache/cgi-bin/"
</IfModule>
<IfModule cgid_module>
</IfModule>
<Directory "/d01/apache/cgi-bin">
AllowOverride None
Options None
Order allow,deny
Allow from all
</Directory>
DefaultType text/plain
<IfModule mime_module>
TypesConfig conf/mime.types
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
</IfModule>
Include conf/extra/httpd-mpm.conf
Include conf/extra/httpd-ssl.conf
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
Alias /abc /d01/tomcat/webapps/zeABC
<Directory /d01/tomcat/webapps/zeABC>
Options FollowSymLinks Includes
DirectoryIndex index.html
AddHandler server-parsed shtml
order allow,deny
allow from all
</Directory>
<VirtualHost 10.0.0.11:80>
ServerAdmin jondoe.admin@jondoe.com
DocumentRoot /d01/tomcat/webapps/zeABC
ServerName www.zeABC.com
ServerAlias zeABC.com
ScriptAlias /cgi-bin/ /home/zeABC/cgi-bin/
RewriteEngine on
RewriteCond %{SERVER_PORT} !^443$
# RewriteRule ^(.*)$ https://www.zeABC.com/abc/$1 [L,R]
RewriteRule ^(.*)$ https://www.zeABC.com/zeABC$1 [L,R]
</VirtualHost>
<VirtualHost 10.0.0.12:80>
ServerAdmin jondoe.admin@jondoe.com
DocumentRoot /d01/tomcat/webapps/zeABC
ServerName www.XYZ.com
ServerAlias XYZ.com
ScriptAlias /cgi-bin/ /home/zeABC/cgi-bin/
RewriteEngine on
RewriteRule ^(.*) https://www.XYZ.com/abc
</VirtualHost>
ServerTokens Minimal
--------------
HTTP-SSL.CONF:
--------------
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:/d01/apache/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300
SSLMutex "file:/d01/apache/logs/ssl_mutex"
<VirtualHost 10.0.0.11:443>
DocumentRoot "/home/ABC_ssl/tmp"
ServerName www.ABC.com
ServerAdmin jondoe.admin@jondoe.org
ErrorLog logs/ssl_error_log
CustomLog logs/ssl_access_log combined
<Directory "/home/ABC_ssl/tmp">
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
Allow from all
</Directory>
ScriptAlias /cgi-bin/ "/home/ABC_ssl/cgi-bin/"
<Directory "/home/ABC_ssl/cgi-bin">
AllowOverride None
Options None
Order allow,deny
Allow from all
SSLOptions +StdEnvVars
</Directory>
ProxyPass /ABC/ http://10.0.0.11:9001/ABC/
ProxyPassReverse /ABC/ http://10.0.0.11:9001/ABC/
SSLEngine on
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
SSLCertificateFile /d01/apache/conf/ssl.crt/www_ABC_com.2009.crt
SSLCertificateKeyFile /d01/apache/conf/ssl.key/www.ABC.com.key
SSLCACertificateFile /d01/apache/conf/ssl.prm/intermediate.crt
SSLCertificateChainFile /d01/apache/conf/ssl.crt/www_ABC_com.ca-bundle
<Location />
SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
ErrorDocument 403 http://www.ABC.com/error_4035.cfm
</Location>
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown
</VirtualHost>
<VirtualHost 10.0.0.12:443>
DocumentRoot "/home/xyz"
ServerName www.XYZ.com
ServerAdmin jondoe.admin@jondoe.org
<Directory "/home/xyz">
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
Allow from all
</Directory>
ScriptAlias /cgi-bin/ "/home/xyz/cgi-bin/"
<Directory "/home/xyz/cgi-bin">
AllowOverride None
Options None
Order allow,deny
Allow from all
SSLOptions +StdEnvVars
</Directory>
RewriteEngine on
RewriteRule ^/abc /ABC/XYZOMG/ [R]
ProxyPass /ABC/ http://10.0.0.11:9001/ABC/
ProxyPassReverse /ABC/ http://10.0.0.11:9001/ABC/
SSLEngine on
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
SSLCertificateFile /d01/apache/conf/ssl.crt/www_XYZ_com.crt
SSLCertificateKeyFile /d01/apache/conf/ssl.key/www.XYZ.com.key
SSLCACertificateFile /d01/apache/conf/ssl.prm/intermediate.crt
SSLCertificateChainFile /d01/apache/conf/ssl.crt/www_XYZ_com.ca-bundle
<Location />
SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
ErrorDocument 403 http://www.ABC.com/error_4035.cfm
</Location>
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown
</VirtualHost>
> From: Tony Stevenson <to...@pc-tony.com>
> Subject: Re: [users@httpd] HTTP misconfiguration?
> Pete,
>
> I would suggest initially you tell us about your install
> of HTTPD, is it from source, or from a vendor package?
> Can you show us your config? Either an anonymised one, or
> one that covers the main httpd config, along with your ssl
> config.
>
> Is it possible that you have an overlapping config, that
> exposes your config files. i.e. a misconfigured docroot, or
> symlinks?
>
> Also, what error were you getting when the "site was
> down" 40x?, 50x? - Specifics can help us here.
Re: [users@httpd] HTTP misconfiguration?
Posted by Tony Stevenson <to...@pc-tony.com>.
Pete,
I would suggest initially you tell us about your install of HTTPD,
is it from source, or from a vendor package?
Can you show us your config? Either an anonymised one, or one that
covers the main httpd config, along with your ssl config.
Is it possible that you have an overlapping config, that exposes your
config files. i.e. a misconfigured docroot, or symlinks?
Also, what error were you getting when the "site was down" 40x?, 50x?
- Specifics can help us here.
Cheers,
Tony
On 13 Apr 2009, at 21:33, Pete Beebe wrote:
>
> Hello, I'm running Apache/2.2.6 on a NIX system as a front-end
> which redirects port 80 requests to 443 and then hands off traffic
> to a Tomcat instance.
>
> This morning I was informed that the website was "down". I
> confirmed that the expected page(s) were not accessible. Instead,
> to my alarm, I found the contents of the httpd_ssl.conf file
> displayed in place of the default pages. Not so good.
>
> Restarting the httpd service corrected this issue however I'm trying
> to determine specifically what could have caused this to occur.
>
> Would anyone have info I could read up on as to how this happened
> and suggestions (other than suggestion of upgrading the http server
> version which is obvious). I'd be happy to pass on any obfuscated
> info as needed.
>
> TIA,
>
> Pete
Cheers,
Tony
-----------------------------------------
Tony Stevenson
tony@pc-tony.com // pctony@apache.org // pctony@freenode.net
http://blog.pc-tony.com/
1024D/51047D66 ECAF DC55 C608 5E82 0B5E 3359 C9C7 924E 5104 7D66
-----------------------------------------