Not to sound angry or anything, but where is htpasswd? I just realized that I was using the htpasswd from the normal apache install, and that secureweb doesn''t come with one... UTILITIES such as htpasswd/etc, the source is in the source rpm, and the man page is in the binary... not good. PHP, with support for databases. Otherwise what is the *******ing point of shipping it with PhP? Server Side includes will accomplish 90% of what your castrated PhP does. You should at least ship a PhP with MySQL support (very popular) and one with PostGreSQL support (which you ship on your cd''s fer the love of appleauce). It''s "--with-mysql", all you have to add, it''s not difficult. You guys just got several millions dollars of investment capital, and are about to ink a deal with Compaq. I fear redhat is going to implode if they are bjorking simple things like apache. Will RedHat be fixing these issues (htpasswd, PhP among others) and if so when, if not, what is your return policy on software? :( Sorry for the hostility within but it is frustrating to see a good company slide downhill. -seifried
Is there any follow up on this? Why is this missing? Do I need to install apache also to get everything needed? ;) - Stacey Brewer (slb@wildtech.com) At 12:38 PM 1/28/99 -0700, you wrote:>Not to sound angry or anything, but where is htpasswd? I just realized that >I was using the htpasswd from the normal apache install, and that secureweb >doesn''t come with one... > >UTILITIES such as htpasswd/etc, the source is in the source rpm, and the man >page is in the binary... not good. > >PHP, with support for databases. Otherwise what is the *******ing point of >shipping it with PhP? Server Side includes will accomplish 90% of what your >castrated PhP does. You should at least ship a PhP with MySQL support (very >popular) and one with PostGreSQL support (which you ship on your cd''s fer >the love of appleauce). It''s "--with-mysql", all you have to add, it''s not >difficult. > >You guys just got several millions dollars of investment capital, and are >about to ink a deal with Compaq. I fear redhat is going to implode if they >are bjorking simple things like apache. Will RedHat be fixing these issues >(htpasswd, PhP among others) and if so when, if not, what is your return >policy on software? :( > >Sorry for the hostility within but it is frustrating to see a good company >slide downhill. > >-seifried > > > > >-- > PLEASE read the Red Hat FAQ, Tips, Errata and the MAILING LIST ARCHIVES! > http://www.redhat.com http://archive.redhat.com > To unsubscribe: mail redhat-secure-server-request@redhat.com with > "unsubscribe" as the Subject.
On Sun, 21 Feb 1999, Stacey Brewer wrote:> Is there any follow up on this? > > Why is this missing?htpasswd was inadvertantly not packaged in a binary form with secure web server. However, the sources are included in the secureweb-source package that comes on your CD. Binaries are also available in a stock Red Hat 5.x system in the apache package, if you are wary about compiling things from source. While the oversight is unfortunate, we have deemed its omission alone wasn''t worth doing a full product update release. However, there will be another "service release" of Secure Web Server 2.0 in the near future where this bug will be remedied. In the near term, if you need htpasswd functionality, please get it from the suggested channels above. If anyone is still uncomfortable with these methods, I have provided Red HAt 5.x (glibc 2.0) binaries in my home ftp directory at: ftp://ftp.redhat.com/home/pbrown The binary names are htpasswd and htdigest, respectively. You can place them in /usr/bin on your system, make sure when you finish ftping them you make them executable (chmod +x) because the transfer process will remove this property. Also please remember that if you have real important and pressing problems with the product, going through the official support channels is supposed to insure that you get some sort of reponse. PLEASE let me know if this is not the case. The list is more a place for getting some collaborative ideas and the creative juices flowing, and while it can act as a support net, I hope it doesn''t *have* to act as one. If it does, there is a problem that we need to correct on our end. --- -Preston Brown Red Hat Software, Inc. pbrown@redhat.com
Chris Manders
1999-Feb-22 22:21 UTC
Getting a CGI-BIN directory working in a virtual host.
Hi,
I have already asked this question, and have received several replies.
Never-the-less, the problem persists, even after chasing alot of
permissions and other possibilities down. Some of the answers,
including the one posted here as follow-up some time ago, were correct
in their way, but do not do what I am looking for; the execution of a
cgi script in a /home directory under a virtualhost directory. All
directories are owned by nobody (I have tried many users) and the
directories are all chmod 755, with the scripts being the same.
So, let me paint a better picture, :), as that might have been the
issue; not describing the problem well enough.
I have a few virtual hosts on my Secure Server. All has been terrific
and no problems configuring generally. The problem is with a
non-SSL virtual site. The script is a guestbook CGI. But I have also
tried MailMan, and this does not execute even in the non-virtual
sites, or virtual sites, even after declaring a separate <Directory>
block in access.conf. It seems to be finding the file, but cannot
execute it for some reason.
I get the following error in the error logfile for this virtual site:
[Fri Feb 19 23:20:55 1999] [error] Premature end of script headers:
/home/rajeesh/aqua/cgi-bin/test2.cgi
I did have errors about the place it was looking until I commented out
the ScriptAlias directive in the srm.conf file like:
# ScriptAlias: This controls which directories contain server scripts.
# Format: ScriptAlias fakename realname
#ScriptAlias /cgi-bin/ /home/httpd/cgi-bin/
This allows the CGI file to be found in the correct location I
specified in the VirtualHost in my httpd.conf file, but the error
above still occurs in the error file. So, I know that the script and
directory are ok. On a standalone, non-SSL web server with the same
directory NFS mounted the script executes beautifully. But not in the
virtualhost.
I am assuming that I need to do something in the access.conf in a
directory directive, but I have tried many combinations to no effect.
Any ideas?
I have enclosed my conf files for a view-see.
Thanks in advance.
--Chris
SRM.CONF:
##
## srm.conf -- Apache HTTP server configuration file
##
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
DocumentRoot /home/httpd/html
# UserDir: The name of the directory which is appended onto a user''s
home
# directory if a ~user request is recieved.
UserDir public_html
# DirectoryIndex: Name of the file or files to use as a pre-written HTML
# directory index. Separate multiple entries with spaces.
DirectoryIndex index.html index.shtml index.cgi
# FancyIndexing is whether you want fancy directory indexing or standard
FancyIndexing on
# AddIcon tells the server which icon to show for different files or filename
# extensions
AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip
AddIconByType (TXT,/icons/text.gif) text/*
AddIconByType (IMG,/icons/image2.gif) image/*
AddIconByType (SND,/icons/sound2.gif) audio/*
AddIconByType (VID,/icons/movie.gif) video/*
AddIcon /icons/binary.gif .bin .exe
AddIcon /icons/binhex.gif .hqx
AddIcon /icons/tar.gif .tar
AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
AddIcon /icons/a.gif .ps .ai .eps
AddIcon /icons/layout.gif .html .shtml .htm .pdf
AddIcon /icons/text.gif .txt
AddIcon /icons/c.gif .c
AddIcon /icons/p.gif .pl .py
AddIcon /icons/f.gif .for
AddIcon /icons/dvi.gif .dvi
AddIcon /icons/uuencoded.gif .uu
AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
AddIcon /icons/tex.gif .tex
AddIcon /icons/bomb.gif core
AddIcon /icons/back.gif ..
AddIcon /icons/hand.right.gif README
AddIcon /icons/folder.gif ^^DIRECTORY^^
AddIcon /icons/blank.gif ^^BLANKICON^^
# DefaultIcon is which icon to show for files which do not have an icon
# explicitly set.
DefaultIcon /icons/unknown.gif
# AddDescription allows you to place a short description after a file in
# server-generated indexes.
# Format: AddDescription "description" filename
# ReadmeName is the name of the README file the server will look for by
# default. Format: ReadmeName name
#
# The server will first look for name.html, include it if found, and it will
# then look for name and include it as plaintext if found.
#
# HeaderName is the name of a file which should be prepended to
# directory indexes.
ReadmeName README
HeaderName HEADER
# IndexIgnore is a set of filenames which directory indexing should ignore
# Format: IndexIgnore name1 name2...
IndexIgnore .??* *~ *# HEADER* README* RCS
# AccessFileName: The name of the file to look for in each directory
# for access control information.
AccessFileName .htaccess
# TypesConfig describes where the mime.types file (or equivalent) is
# to be found.
TypesConfig /etc/mime.types
# DefaultType is the default MIME type for documents which the server
# cannot find the type of from filename extensions.
DefaultType text/plain
# AddEncoding allows you to have certain browsers (Mosaic/X 2.1+) uncompress
# information on the fly. Note: Not all browsers support this.
AddEncoding x-compress Z
AddEncoding x-gzip gz
# AddLanguage allows you to specify the language of a document. You can
# then use content negotiation to give a browser a file in a language
# it can understand. Note that the suffix does not have to be the same
# as the language keyword --- those with documents in Polish (whose
# net-standard language code is pl) may wish to use "AddLanguage pl
.po"
# to avoid the ambiguity with the common suffix for perl scripts.
AddLanguage en .en
AddLanguage fr .fr
AddLanguage de .de
AddLanguage da .da
AddLanguage el .el
AddLanguage it .it
# LanguagePriority allows you to give precedence to some languages
# in case of a tie during content negotiation.
# Just list the languages in decreasing order of preference.
LanguagePriority en fr de
# Redirect allows you to tell clients about documents which used to exist in
# your server''s namespace, but do not anymore. This allows you to tell
the
# clients where to look for the relocated document.
# Format: Redirect fakename url
# Aliases: Add here as many aliases as you need (with no limit). The format is
# Alias fakename realname
# Note that if you include a trailing / on fakename then the server will
# require it to be present in the URL. So "/icons" isn''t
aliased in this
# example.
Alias /icons/ /home/httpd/icons/
# ScriptAlias: This controls which directories contain server scripts.
# Format: ScriptAlias fakename realname
#ScriptAlias /cgi-bin/ /home/httpd/cgi-bin/
#ScriptAlias /aquamarine-nepal-cgi-bin/ /home/rajeesh/aquamarine-nepal/cgi-bin/
# If you want to use server side includes, or CGI outside
# ScriptAliased directories, uncomment the following lines.
# AddType allows you to tweak mime.types without actually editing it, or to
# make certain files to be certain types.
# Format: AddType type/subtype ext1
# For example, the PHP3 module (not part of the Apache distribution)
# will typically use:
#AddType application/x-httpd-php3 .php3
#AddType application/x-httpd-php3-source .phps
# The following is for PHP/FI (PHP2):
#AddType application/x-httpd-php .phtml
# AddHandler allows you to map certain file extensions to "handlers",
# actions unrelated to filetype. These can be either built into the server
# or added with the Action command (see below)
# Format: AddHandler action-name ext1
# To use CGI scripts:
AddHandler cgi-script .cgi
# To use server-parsed HTML files
AddType text/html .shtml
AddHandler server-parsed .shtml
# Uncomment the following line to enable Apache''s send-asis HTTP file
# feature
#AddHandler send-as-is asis
# If you wish to use server-parsed imagemap files, use
AddHandler imap-file map
# To enable type maps, you might want to use
#AddHandler type-map var
# To enable the perl module (if you have it installed), remove comments
# that say "#PERL#" in the following section
#
#PERL#Alias /perl/ /home/httpd/perl/
#PERL#<Location /perl>
#PERL#SetHandler perl-script
#PERL#PerlHandler Apache::Registry
#PERL#Options +ExecCGI
#PERL#</Location>
# Action lets you define media types that will execute a script whenever
# a matching file is called. This eliminates the need for repeated URL
# pathnames for oft-used CGI file processors.
# Format: Action media/type /cgi-script/location
# Format: Action handler-name /cgi-script/location
# MetaDir: specifies the name of the directory in which Apache can find
# meta information files. These files contain additional HTTP headers
# to include when sending the document
#MetaDir .web
# MetaSuffix: specifies the file name suffix for the file containing the
# meta information.
#MetaSuffix .meta
# Customizable error response (Apache style)
# these come in three flavors
#
# 1) plain text
#ErrorDocument 500 "The server made a boo boo.
# n.b. the (") marks it as text, it does not get output
#
# 2) local redirects
#ErrorDocument 404 /missing.html
# to redirect to local url /missing.html
#ErrorDocument 404 /cgi-bin/missing_handler.pl
# n.b. can redirect to a script or a document using server-side-includes.
#
# 3) external redirects
#ErrorDocument 402 http://some.other_server.com/subscription_info.html
#
# mod_mime_magic allows the server to use various hints from the file itself
# to determine its type.
#MimeMagicFile /etc/httpd/conf/magic
# The following directives disable keepalives and HTTP header flushes.
# The first directive disables it for Netscape 2.x and browsers which
# spoof it. There are known problems with these.
# The second directive is for Microsoft Internet Explorer 4.0b2
# which has a broken HTTP/1.1 implementation and does not properly
# support keepalive when it is used on 301 or 302 (redirect) responses.
BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0
force-response-1.0
# The following directive disables HTTP/1.1 responses to browsers which
# are in violation of the HTTP/1.0 spec by not being able to grok a
# basic 1.1 response.
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0
###
### ACCESS.CONF
###
##
## access.conf -- Apache HTTP server configuration file
##
# access.conf: Global access configuration
# Online docs at http://www.apache.org/
# This file defines server settings which affect which types of services
# are allowed, and in what circumstances.
# Each directory to which Apache has access, can be configured with respect
# to which services and features are allowed and/or disabled in that
# directory (and its subdirectories).
# First, we configure the "default" to be a very restrictive set of
# permissions.
<Directory />
Options None
AllowOverride None
</Directory>
## Added for trying to get script to execute in /home directory
<Directory /home>
Options All
AllowOverride All
</Directory>
# Note that from this point forward you must specifically allow
# particular features to be enabled - so if something''s not working as
# you might expect, make sure that you have specifically enabled it
# below.
# This should be changed to whatever you set DocumentRoot to.
<Directory /home/httpd/html>
# This may also be "None", "All", or any combination of
"Indexes",
# "Includes", "FollowSymLinks", "ExecCGI", or
"MultiViews".
# Note that "MultiViews" must be named *explicitly* --- "Options
All"
# doesn''t give it to you.
Options All
#Options Indexes FollowSymLinks Includes ExecCGI
# This controls which options the .htaccess files in directories can
# override. Can also be "All", or any combination of
"Options", "FileInfo",
# "AuthConfig", and "Limit"
AllowOverride All
# Controls who can get stuff from this server.
order allow,deny
allow from all
</Directory>
# /home/httpd/cgi-bin should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
<Directory /home/httpd/cgi-bin>
AllowOverride All
Options All
#Options ExecCGI
</Directory>
<Directory /home/httpd/html/secure/cgi-bin>
AllowOverride All
Options All
</Directory>
<Directory /home/httpd/html/secure/cgi-bin/>
AllowOverride All
Options ExecCGI All
</Directory>
<Directory /home/httpd/html/aqua/cgi-bin>
AllowOverride All
Options ExecCGI All
</Directory>
# Allow server status reports, with the URL of http://servername/server-status
# Change the ".your_domain.com" to match your domain to enable.
#<Location /server-status>
#SetHandler server-status
#order deny,allow
#deny from all
#allow from .your_domain.com
#</Location>
# There have been reports of people trying to abuse an old bug from pre-1.1
# days. This bug involved a CGI script distributed as a part of Apache.
# By uncommenting these lines you can redirect these attacks to a logging
# script on phf.apache.org. Or, you can record them yourself, using the script
# support/phf_abuse_log.cgi.
<Location /cgi-bin/phf*>
deny from all
ErrorDocument 403 http://phf.apache.org/phf_abuse_log.cgi
</Location>
# You may place any other directories or locations you wish to have
# access information for after this one.
###
### HTTPD.CONF
###
##
## httpd.conf -- Apache HTTP server configuration file
##
# This is the main server configuration file. See URL http://www.apache.org/
# for instructions.
# Do NOT simply read the instructions in here without understanding
# what they do, if you are unsure consult the online docs. You have been
# warned.
# Originally by Rob McCool
# Dynamic Shared Object (DSO) Support
#
# To be able to use the functionality of a module which was built as a DSO you
# have to place corresponding `LoadModule'' lines at this location so
the
# directives contained in it are actually available _before_ they are used.
# Please read the file README.DSO in the Apache 1.3 distribution for more
# details about the DSO mechanism and run `httpd -l'' for the list of
already
# built-in (statically linked and thus always available) modules in your httpd
# binary.
#
# Example:
# LoadModule foo_module libexec/mod_foo.so
#
# Note that modules that were disabled/not shipped in Secure Web Server
# 1.0 have been commented out. You will have to uncomment them to enable them.
#
# Documentation for modules is in "/home/httpd/manual/mod" in HTML
format.
#LoadModule mmap_static_module modules/mod_mmap_static.so
LoadModule env_module modules/mod_env.so
LoadModule config_log_module modules/mod_log_config.so
LoadModule agent_log_module modules/mod_log_agent.so
LoadModule referer_log_module modules/mod_log_referer.so
#LoadModule mime_magic_module modules/mod_mime_magic.so
LoadModule mime_module modules/mod_mime.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule status_module modules/mod_status.so
LoadModule info_module modules/mod_info.so
LoadModule includes_module modules/mod_include.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule dir_module modules/mod_dir.so
LoadModule cgi_module modules/mod_cgi.so
LoadModule asis_module modules/mod_asis.so
LoadModule imap_module modules/mod_imap.so
LoadModule action_module modules/mod_actions.so
#LoadModule speling_module modules/mod_speling.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule proxy_module modules/libproxy.so
LoadModule alias_module modules/mod_alias.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule access_module modules/mod_access.so
LoadModule auth_module modules/mod_auth.so
LoadModule anon_auth_module modules/mod_auth_anon.so
#LoadModule dbm_auth_module modules/mod_auth_dbm.so
LoadModule db_auth_module modules/mod_auth_db.so
LoadModule digest_module modules/mod_digest.so
#LoadModule cern_meta_module modules/mod_cern_meta.so
LoadModule expires_module modules/mod_expires.so
LoadModule headers_module modules/mod_headers.so
LoadModule usertrack_module modules/mod_usertrack.so
#LoadModule example_module modules/mod_example.so
#LoadModule unique_id_module modules/mod_unique_id.so
LoadModule setenvif_module modules/mod_setenvif.so
## Additional modules:
#LoadModule php_module modules/mod_php.so
#LoadModule php3_module modules/libphp3.so
LoadModule perl_module modules/libperl.so
# Reconstruction of the complete module list from all available modules
# (static and shared ones) to achieve correct module execution order.
# [WHENEVER YOU CHANGE THE LOADMODULE SECTION ABOVE UPDATE THIS, TOO]
ClearModuleList
#AddModule mod_mmap_static.c
AddModule mod_env.c
AddModule mod_log_config.c
AddModule mod_log_agent.c
AddModule mod_log_referer.c
#AddModule mod_mime_magic.c
AddModule mod_mime.c
AddModule mod_negotiation.c
AddModule mod_status.c
AddModule mod_info.c
AddModule mod_include.c
AddModule mod_autoindex.c
AddModule mod_dir.c
AddModule mod_cgi.c
AddModule mod_asis.c
AddModule mod_imap.c
AddModule mod_actions.c
#AddModule mod_speling.c
AddModule mod_userdir.c
AddModule mod_proxy.c
AddModule mod_alias.c
AddModule mod_rewrite.c
AddModule mod_access.c
AddModule mod_auth.c
AddModule mod_auth_anon.c
#AddModule mod_auth_dbm.c
AddModule mod_auth_db.c
AddModule mod_digest.c
#AddModule mod_cern_meta.c
AddModule mod_expires.c
AddModule mod_headers.c
AddModule mod_usertrack.c
#AddModule mod_example.c
#AddModule mod_unique_id.c
AddModule mod_so.c
AddModule mod_setenvif.c
AddModule mod_ssl.c
## Additional Modules
#AddModule mod_php.c
#AddModule mod_php3.c
#AddModule libperl.c
# ServerType is either inetd, or standalone.
ServerType standalone
# If you are running from inetd, go to "ServerAdmin".
# Port: The port the standalone listens to. For ports < 1023, you will
# need httpd to be run as root initially.
Port 80
##
## SSL Support
##
## When we also provide SSL we have to listen to the
## standard HTTP port (see above) and to the HTTPS port
##
Listen 80
Listen 443
# HostnameLookups: Log the names of clients or just their IP numbers
# e.g. www.apache.org (on) or 204.62.129.132 (off)
# The default is off because it''d be overall better for the net if
people
# had to knowingly turn this feature on.
HostnameLookups on
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
# User/Group: The name (or #number) of the user/group to run httpd as.
# On SCO (ODT 3) use User nouser and Group nogroup
# On HPUX you may not be able to use shared memory as nobody, and the
# suggested workaround is to create a user www and use that user.
# NOTE that some kernels refuse to setgid(Group) or semctl(IPC_SET)
# when the value of (unsigned)Group is above 60000;
# don''t use Group nobody on these systems!
User nobody
Group nobody
# ServerAdmin: Your address, where problems with the server should be
# e-mailed.
ServerAdmin root@baylinks.com
# ServerRoot: The directory the server''s config, error, and log files
# are kept in.
# NOTE! If you intend to place this on a NFS (or otherwise network)
# mounted filesystem then please read the LockFile documentation,
# you will save yourself a lot of trouble.
ServerRoot /etc/httpd
# BindAddress: You can support virtual hosts with this option. This option
# is used to tell the server which IP address to listen to. It can either
# contain "*", an IP address, or a fully qualified Internet domain
name.
# See also the VirtualHost directive.
#BindAddress *
# ErrorLog: The location of the error log file. If this does not start
# with /, ServerRoot is prepended to it.
ScriptLog logs/cgi-log
ErrorLog logs/error_log
# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\"
\"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
# The location of the access logfile (Common Logfile Format).
# If this does not start with /, ServerRoot is prepended to it.
CustomLog logs/access_log common
# If you would like to have an agent and referer logfile uncomment the
# following directives.
#CustomLog logs/referer_log referer
#CustomLog logs/agent_log agent
# If you prefer a single logfile with access, agent and referer information
# (Combined Logfile Format) you can use the following directive.
#CustomLog logs/access_log combined
# PidFile: The file the server should log its pid to
PidFile /var/run/httpsd.pid
# ScoreBoardFile: File used to store internal server process information.
# Not all architectures require this. But if yours does (you''ll know
because
# this file is created when you run Apache) then you *must* ensure that
# no two invocations of Apache share the same scoreboard file.
ScoreBoardFile /var/run/httpsd.scoreboard
# The LockFile directive sets the path to the lockfile used when Apache
# is compiled with either USE_FCNTL_SERIALIZED_ACCEPT or
# USE_FLOCK_SERIALIZED_ACCEPT. This directive should normally be left at
# its default value. The main reason for changing it is if the logs
# directory is NFS mounted, since the lockfile MUST BE STORED ON A LOCAL
# DISK. The PID of the main server process is automatically appended to
# the filename.
#
#LockFile /var/lock/httpsd.lock
# ServerName allows you to set a host name which is sent back to clients for
# your server if it''s different than the one the program would get
(i.e. use
# "www" instead of the host''s real name).
#
# Note: You cannot just invent host names and hope they work. The name you
# define here must be a valid DNS name for your host. If you don''t
understand
# this, ask your network administrator.
#ServerName new.host.name
# UseCanonicalName: (new for 1.3) With this setting turned on, whenever
# Apache needs to construct a self-referencing URL (a url that refers back
# to the server the response is coming from) it will use ServerName and
# Port to form a "canonical" name. With this setting off, Apache will
# use the hostname:port that the client supplied, when possible. This
# also affects SERVER_NAME and SERVER_PORT in CGIs.
UseCanonicalName on
# CacheNegotiatedDocs: By default, Apache sends Pragma: no-cache with each
# document that was negotiated on the basis of content. This asks proxy
# servers not to cache the document. Uncommenting the following line disables
# this behavior, and proxies will be allowed to cache the documents.
#CacheNegotiatedDocs
# Timeout: The number of seconds before receives and sends time out
Timeout 300
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
KeepAlive On
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We reccomend you leave this number high, for maximum performance.
MaxKeepAliveRequests 100
# KeepAliveTimeout: Number of seconds to wait for the next request
KeepAliveTimeout 15
# Server-pool size regulation. Rather than making you guess how many
# server processes you need, Apache dynamically adapts to the load it
# sees --- that is, it tries to maintain enough server processes to
# handle the current load, plus a few spare servers to handle transient
# load spikes (e.g., multiple simultaneous requests from a single
# Netscape browser).
# It does this by periodically checking how many servers are waiting
# for a request. If there are fewer than MinSpareServers, it creates
# a new spare. If there are more than MaxSpareServers, some of the
# spares die off. These values are probably OK for most sites ---
MinSpareServers 8
MaxSpareServers 20
# Number of servers to start --- should be a reasonable ballpark figure.
StartServers 10
# Limit on total number of servers running, i.e., limit on the number
# of clients who can simultaneously connect --- if this limit is ever
# reached, clients will be LOCKED OUT, so it should NOT BE SET TOO LOW.
# It is intended mainly as a brake to keep a runaway server from taking
# Unix with it as it spirals down...
MaxClients 150
# MaxRequestsPerChild: the number of requests each child process is
# allowed to process before the child dies.
# The child will exit so as to avoid problems after prolonged use when
# Apache (and maybe the libraries it uses) leak. On most systems, this
# isn''t really needed, but a few (such as Solaris) do have notable
leaks
# in the libraries.
MaxRequestsPerChild 100
# Proxy Server directives. Uncomment the following line to
# enable the proxy server:
#ProxyRequests On
# To enable the cache as well, edit and uncomment the following lines:
#CacheRoot /var/cache/httpd
#CacheSize 5
#CacheGcInterval 4
#CacheMaxExpire 24
#CacheLastModifiedFactor 0.1
#CacheDefaultExpire 1
#NoCache a_domain.com another_domain.edu joes.garage_sale.com
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, in addition to the default. See also the VirtualHost command
#Listen 3000
#Listen 12.34.56.78:80
# VirtualHost: Allows the daemon to respond to requests for more than one
# server address, if your server machine is configured to accept IP packets
# for multiple addresses. This can be accomplished with the ifconfig
# alias flag, or through kernel patches like VIF.
# Any httpd.conf or srm.conf directive may go into a VirtualHost command.
# See also the BindAddress entry.
#<VirtualHost host.some_domain.com>
#ServerAdmin webmaster@host.some_domain.com
#DocumentRoot /www/docs/host.some_domain.com
#ServerName host.some_domain.com
#ErrorLog logs/host.some_domain.com-error_log
#TransferLog logs/host.some_domain.com-access_log
#</VirtualHost>
# VirtualHost: Allows the daemon to respond to requests for more than one
# server address, if your server machine is configured to accept IP packets
# for multiple addresses. This can be accomplished with the ifconfig
# alias flag, or through kernel patches like VIF.
# Any httpd.conf or srm.conf directive may go into a VirtualHost command.
# See alto the BindAddress entry.
########################################
#
<VirtualHost www.aqua.com>
ScriptAlias /cgi-b1n/ /home/httpd/html/aqua/cgi-bin/
ServerAdmin webmaster@aqua.com
DocumentRoot /home/rajeesh/aqua
ServerName WWW.Aqua.COM
ErrorLog logs/aqua.com-error_log
TransferLog logs/aqua.com-access_log
</VirtualHost>
##
## SSL Support
##
## Note that all SSL options can apply to virtual hosts, which
## is where we are going to put them now. We disable SSL globally
## and enable only inside a virtual host only.
##
<IfModule mod_ssl.c>
# we disable SSL on a global scale
SSLDisable
# configure the path/port for the SSL session cache server [RECOMMENDED].
# Additionally sets the session cache timeout, in seconds (set to 15 for
# testing, use a higher value in real life) [RECOMMENDED]
SSLCacheServerPath /usr/sbin/ssl_gcache
SSLCacheServerPort 12345
SSLSessionCacheTimeout 300
<VirtualHost Secure:443>
# setup the general virtual server configuration
#
# If you don''t wish for secure documents to be served from your
regular
# HTML directory, please create another directory like "html-ssl"
and
# change your DocumentRoot to point there.
DocumentRoot /home/httpd/html/secure
# define ServerName if your secure hostname is different than your
# regular one
#ServerName secure.host.name
ServerAdmin webmaster@me.com
ErrorLog /var/log/httpd/error_log-ssl
TransferLog /var/log/httpd/access_log-ssl
# enable SSL for this virtual host
SSLEnable
# this forbids access except when SSL is in use. Very handy for defending
# against configuration errors that expose stuff that should be protected
SSLRequireSSL
# point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again.
##SSLCertificateFile /etc/httpd/conf/httpsd.crt
SSLCertificateFile /etc/httpd/conf/baylinks/httpsd.crt
# if the key is not combined with the certificate, use this
# directive to point at the key file. [OPTIONAL]
##SSLCertificateKeyFile /etc/httpd/conf/httpsd.key
SSLCertificateKeyFile /etc/httpd/conf/httpsd.key
# set the CA certificate verification path where
# to find CA certificates for client authentication or
# alternatively one huge file containing all of them
# (file must be PEM encoded) [OPTIONAL]
# Note: Inside SSLCACertificatePath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCACertificatePath /etc/ssl
SSLCACertificateFile /etc/ssl/ca-cert-bundle.pem
# set client verification level: [RECOMMENDED]
# 0|none: no certificate is required
# 1|optional: the client may present a valid certificate
# 2|require: the client must present a valid certificate
# 3|optional_no_ca: the client may present a valid certificate
# but it is not required to have a valid CA
SSLVerifyClient none
# set how deeply to verify the certificate issuer chain
# before deciding the certificate is not valid. [OPTIONAL]
#SSLVerifyDepth 10
# list the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list. [OPTIONAL]
#SSLRequiredCiphers RC4-MD5:RC4-SHA:IDEA-CBC-MD5:DES-CBC3-SHA
# these two can be used on a per-directory basis to require or
# ban specific ciphers. Note that (at least in the current version)
# SSL will not attempt to renegotiate if a cipher is banned
# (or not required). [OPTIONAL]
#SSLRequireCipher RC4-MD5
#SSLBanCipher RC4-MD5
# translate the client X.509 into a Basic Authorisation.
# This means that the standard Auth/DBMAuth methods can be used for
# access control. The user name is the `one line'' version of
# the client''s X.509 certificate. Note that no password is
# obtained from the user. Every entry in the user file needs
# this password: `xxj31ZMTZzkVA''. [OPTIONAL]
#SSLFakeBasicAuth
# a home for miscellaneous rubbish generated by SSL. Much of it
# is duplicated in the error log file. Put this somewhere where
SSLLogFile /var/log/httpd/sslstat_log
# define custom SSL logging [RECOMMENDED]
CustomLog /var/log/httpd/ssl_log "%t %h %{version}c %{cipher}c
%{subjectdn}c %{issuerdn}c \"%r\" %b"
</VirtualHost>
</IfModule>
Matthew Prentice
1999-Feb-24 16:53 UTC
Re: Getting a CGI-BIN directory working in a virtual host.
Your srm.conf file has an incorrect line. # ScriptAlias: This controls which directories contain server scripts. # Format: ScriptAlias fakename realname #ScriptAlias /cgi-bin/ /home/httpd/cgi-bin/ #ScriptAlias /aquamarine-nepal-cgi-bin/ /home/rajeesh/aquamarine-nepal/cgi-bin/ The last line should read ScriptAlias /cgi-bin/ /home/rajeesh/aquamarine-nepal/cgi-bin/ A better place to put the line would be in your httpd.conf in the virtualhost section for the correct server. Matthew R. Prentice matthew@comcorent.com Vice President, ComCor Enterprises Inc. 402-572-4356 Omaha, Nebraska, USA
Chris Manders
1999-Feb-24 18:05 UTC
Re: Getting a CGI-BIN directory working in a virtual host.
Hi, Good point. If you look at my httpd.conf below the srm.conf you will indeed see that I had thought of that. I have been trying multiple combinations, and that was the latest. :) I have eliminated that line from the srm.conf and made sure it is exclusively in the httpd.conf. Thanks. However, my problem is really with execution of cgi scripts. Where to set permissions? I have tried alot of places, but none work the way the non-ssl version works. I suppose it is secure... :) Still, the idea is that I can''t use cgi scripts in _any_ virtual host or even the _default_. !!! This is the problem. It gives me an error each time that there is a problem parsing the script headers. But, the same exact cgi script nfs mounted on another box with a non-ssl server works like a charm without modification. More ideas? Thanks again. --Chris On Wed, 24 Feb 1999, Matthew Prentice wrote:> >Your srm.conf file has an incorrect line. > ># ScriptAlias: This controls which directories contain server scripts. ># Format: ScriptAlias fakename realname > >#ScriptAlias /cgi-bin/ /home/httpd/cgi-bin/ >#ScriptAlias /aquamarine-nepal-cgi-bin/ >/home/rajeesh/aquamarine-nepal/cgi-bin/ > >The last line should read >ScriptAlias /cgi-bin/ /home/rajeesh/aquamarine-nepal/cgi-bin/ > >A better place to put the line would be in your httpd.conf in the >virtualhost section for the correct server. > > >Matthew R. Prentice matthew@comcorent.com >Vice President, ComCor Enterprises Inc. 402-572-4356 >Omaha, Nebraska, USA > > > > >-- > PLEASE read the Red Hat FAQ, Tips, Errata and the MAILING LIST ARCHIVES! > http://www.redhat.com http://archive.redhat.com > To unsubscribe: mail redhat-secure-server-request@redhat.com with > "unsubscribe" as the Subject. >
Preston Brown
1999-Feb-24 19:05 UTC
Re: Getting a CGI-BIN directory working in a virtual host.
On Wed, 24 Feb 1999, Chris Manders wrote:> Still, the idea is that I can''t use cgi scripts in _any_ virtual host > or even the _default_. !!! This is the problem. It gives me an error > each time that there is a problem parsing the script headers. But, the > same exact cgi script nfs mounted on another box with a non-ssl server > works like a charm without modification.Make sure you don''t have mod_perl 1.16 enabled. It is broken. You can get mod_perl 1.17 from my home directory at: ftp://ftp.redhat.com/home/pbrown. We haven''t put this out as an official update, but reports are that it works very well. Or, de-install mod_perl if you don''t use it. --- -Preston Brown Red Hat Software, Inc. pbrown@redhat.com
Chris Manders
1999-Feb-24 21:27 UTC
Re: Getting a CGI-BIN directory working in a virtual host.
Hi, Thanks for the response and ideas. I will update the perl mod soon. I have indeed tried it both ways, with and without. So, I am sure that this new update will help, but it still leaves me wondering why a cgi will not execute in a virtual directory I have defined with the ScriptAlias directive explicitly. The fact is is that it finds the script, but then gives up after complaining about the ''script headers'', which is bogus. Is it simply that I have 1) not got a working, current mod_perl or 2) does mod_perl _have_ to be loaded to use CGI scripts? This would seem strange... Any other ideas? Thanks --Chris On Wed, 24 Feb 1999, Preston Brown wrote:>On Wed, 24 Feb 1999, Chris Manders wrote: > >> Still, the idea is that I can''t use cgi scripts in _any_ virtual host >> or even the _default_. !!! This is the problem. It gives me an error >> each time that there is a problem parsing the script headers. But, the >> same exact cgi script nfs mounted on another box with a non-ssl server >> works like a charm without modification. > >Make sure you don''t have mod_perl 1.16 enabled. It is broken. > >You can get mod_perl 1.17 from my home directory at: > >ftp://ftp.redhat.com/home/pbrown. We haven''t put this out as an official >update, but reports are that it works very well. > >Or, de-install mod_perl if you don''t use it. > >--- > -Preston Brown > Red Hat Software, Inc. > pbrown@redhat.com > > >-- > PLEASE read the Red Hat FAQ, Tips, Errata and the MAILING LIST ARCHIVES! > http://www.redhat.com http://archive.redhat.com > To unsubscribe: mail redhat-secure-server-request@redhat.com with > "unsubscribe" as the Subject. >********************************************************* - Chris Manders (Senior Systems Analyst) - UNIX and PC Front-end and Back-end Technical Support - "Committed to Excellence, Intelligence and Satisfaction" - OSes: Linux, FreeBSD, NetBSD, BeOS, MacOS, SunOS, Solaris, - HP-UX, AIX, Windows NT/95/98, Server Products, and much more ...
I had a similar problem before installing mod_perl 1.17. Basically, as soon as mod_perl is enabled in the config file, the server cannot exec() anything anymore and logs the premature end of headers or just segfaults, your mileage may vary. If you don''t need mod_perl, you can comment the related lines in httpd.conf, otherwise just install the new version.> > Thanks for the response and ideas. I will update the perl mod soon. > > I have indeed tried it both ways, with and without. So, I am sure that > this new update will help, but it still leaves me wondering why a cgi > will not execute in a virtual directory I have defined with the > ScriptAlias directive explicitly. The fact is is that it finds the > script, but then gives up after complaining about the ''script > headers'', which is bogus. >-- Regards, L.C. Network Admin @ InfoStreet (818) 776 8080 x213
Preston Brown
1999-Feb-25 00:24 UTC
Re: Getting a CGI-BIN directory working in a virtual host.
On Wed, 24 Feb 1999, Chris Manders wrote:> Is it simply that I have 1) not got a working, current mod_perl or 2) > does mod_perl _have_ to be loaded to use CGI scripts? This would seem > strange...If you have mod_perl 1.16, it will mess up all your CGI scripts, whether or not you execute them under mod_perl. No, you don''t need mod_perl to run CGI scripts. --- -Preston Brown Red Hat Software, Inc. pbrown@redhat.com