Issues enabling HTTP2 on CentOS/Apache VPS - ERR2_INADEQUATE_TRANSPORT_SECURITY - apache

After reading of the performance benefits of HTTP2 vs HTTP1.1 - I've attempted to enable HTTP2 on our CentOS v7.9.2009 / Apache server following these steps:
1) Using EasyApache4, ensure mod_mpm_prefork is disabled and enable mod_http2, provision
2) Check /etc/apache2/conf.d/http2.conf for the following, and add if not exists:
<IfModule http2_module>
LogLevel http2:info
Protocols h2 h2c http/1.1
</IfModule>
3) Restart HTTP Server
Unfortunately after carrying out all of the above steps (I also did a graceful server reboot just to check) I'm getting the following browser error upon loading our homepage (or in fact any page on the website) in Google Chrome:
ERR2_INADEQUATE_TRANSPORT_SECURITY
After switching mod_http2 off again via EasyApache4, the above error goes away and the website again functions as normal.
I'm not sure it matters or helps at all but the website itself is WordPress/WooCommerce.
I can't seem to find any info online about this error linked with enabling mod_http2 and/or CentOS so I'm a bit stuck and would really appreciate any help or guidance.
Thanks in advance,

How to use dejavu for elasticsearch on local running it from opensource.appbase.io

I wanted to use the wonderful dejavu software to audit a local elasticsearch instance.
Wonderful idea, but currently it looks like it's not as easy as it should be. But I found a way to do it, and that's what I want to share with the community.
Basically you can run dejavu from the opensource.appbase.io but first you need to set SSL to access your local ES. Here is how I did it in less than 1 hour (saving you other 4 hours of googling/research/try&fail).
This is a little bit like issue https://github.com/appbaseio/dejavu/issues/106 but running it from the dejavu's website instead of local extension.
Just in case, I've tested this on Chrome and Firefox, both successfully. I've done it all in Windows, but I suppose Linux should work because nothing described here is Windows-specific.
Bad news: the google extension fails (no idea because the error reporting does not exist)
More: I don't want to deal with Docker, that is the other "easy" way that is provided.
So this is what I did:
1.- here is the link to the main web site: https://opensource.appbase.io/dejavu/
2.- click to run it live. Here is the link: https://opensource.appbase.io/dejavu/live?default=true
It will start immediately, but won't be able to get any data. Don't worry.
3.- point it to local, in my case was http://localhost:9200 plus my ES index document. Failed, but don't worry.
If you look at the console and network tools of your browser, dejavu looks to be trying SSL to connect with your ES. Here is where setting SSL on your ES (or in front of it) became required.
There are several ways to do this. In my case (because it was not for production) I've used Apache httpd, specifically the already packaged (portable) version of xampp, so it's just about minutes to have it downloaded and running. I downloaded from here: https://portableapps.com/apps/development/xampp
4.- after installing Apache, open a new tab in your browser and try the SSL like https://localhost and it will give you a correct warning about the certificate. Just trust it to check SSL is up and running. Don't worry about the warning.
5.- to set the SSL to redirect ES requests correctly, here you have these simple settings to add in apache config file, then restart apache. I took the idea from here: Elasticsearch with apache2 ssl proxy
<Proxy http://127.0.0.1:9200>
ProxySet connectiontimeout=5 timeout=90
</Proxy>
<LocationMatch "^(/_aliases|.*/_search|.*/_mapping|/_nodes|/_settings)$">
ProxyPassMatch http://127.0.0.1:9200
ProxyPassReverse http://127.0.0.1:9200
</LocationMatch>
6.- now it is required to set the cross-origin authorization at your ES. Add these lines into your elasticsearch.yml file and restart ES. The instructions come from dejavu's github site: https://github.com/appbaseio/dejavu
http.cors.allow-origin: "https://opensource.appbase.io"
http.cors.enabled: true
http.cors.allow-headers: X-Requested-With,X-Auth-Token,Content-Type,Content-Length,Authorization,Access-Control-Allow-Origin
http.cors.allow-credentials: true
7.- test how it is going: get your index mapping with something like this: https://localhost/your_es_doc_index/_mapping
You will get the JSON mapping of your index. Everything is working (Apache and ES)
8.- now, in your dejavu, point it to https://localhost:443 (yes, the port must be set because if not it will assume to do https://localhost:9200, believe it or not). Don't forget to set your ES index document in the "header" box in dejavu. Now click in "Connect".
After a couple of seconds, you will have the list of your types ready and accessible in dejavu
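An added check, not part of the original post: the path allowlist from step 5 and the allowed origin from step 6, run against constructed sample requests to show what this proxy hands to Elasticsearch. The function names and sample paths are hypothetical, and the model is simplified to URL path, HTTP method and Origin header only.

```python
import re

# Values copied from steps 5 and 6 of the post above.
PROXY_PATHS = re.compile(r"^(/_aliases|.*/_search|.*/_mapping|/_nodes|/_settings)$")
ALLOW_ORIGIN = "https://opensource.appbase.io"
READ_METHODS = {"GET", "HEAD", "OPTIONS"}


def proxy_forwards(path):
    """True if the <LocationMatch> would hand this URL to 127.0.0.1:9200.

    Apache matches the URL path only, so the query string is dropped here
    and the HTTP method plays no part in the decision.
    """
    return PROXY_PATHS.match(path.split("?", 1)[0]) is not None


def classify(method, path, origin):
    """Verdict for one request under this simplified model of the setup."""
    if not proxy_forwards(path):
        return "not-proxied"
    if method not in READ_METHODS:
        # The path filter lets this through; nothing in step 5 limits methods.
        return "proxied-method-unrestricted"
    if origin != ALLOW_ORIGIN:
        return "proxied-cors-denied"
    return "proxied-cors-allowed"


# Constructed sample requests (index name is the placeholder from step 7).
SAMPLES = [
    ("GET", "/your_es_doc_index/_mapping", ALLOW_ORIGIN),
    ("GET", "/your_es_doc_index/_search?size=1", "https://other.example"),
    ("PUT", "/your_es_doc_index/_mapping", ALLOW_ORIGIN),
    ("GET", "/_cluster/settings", ALLOW_ORIGIN),
    ("DELETE", "/your_es_doc_index", ALLOW_ORIGIN),
]


def audit(samples=SAMPLES):
    """Return (method, path, verdict) for each sample request."""
    return [(m, p, classify(m, p, o)) for m, p, o in samples]


if __name__ == "__main__":
    for method, path, verdict in audit():
        print(f"{method:6} {path:40} {verdict}")
```

The PUT row shows that the `<LocationMatch>` filters by path only, so a mapping update reaches Elasticsearch through the proxy; a `<LimitExcept>` block inside the `<LocationMatch>` is one way to restrict methods.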

Neo4j not functional through apache proxy

I am able to run neo4j fine through port 7474 on my server including cypher queries. Though when I access neo4j through the apache proxy it will load just fine but any requests done through cypher will only return an "Unknown error". I have other proxies such as rstudio running just fine.
I have tried the default values on the neo4j website for proxy configuration with no success. I am at a loss for what to try. Please let me know for more information needed, or how I can get additional information on the cypher error.
I tried the sample Query:
CREATE (n {name:"World"}) RETURN "hello", n.name
And this returns "Unknown error" when done through the proxy, but when done through port 7474 it works fine
This is a Linux Ubuntu LTS 12.04.4 machine.
Neo4j 2.1.1
Apache 2.2.22
Sorry if this is vague but I have not found any help for this issue nor do I know what additional information would be relevant.
Thank you.
Update:
It now works with the case provided by Stefan (Thank you!). But I am unsure how to change it from being on the root of my domain to "/database/". In your example you can change it to "/neo4j". How would I change the other parts of this config file for this to function?
As it looks now (non functional with change of proxy from "/"):
ProxyPass /database/ http://localhost:7474/
ProxyPassReverse /database/ http://localhost:7474/
RedirectMatch permanent ^/database /database/
<Location /db/manage>
AddOutputFilterByType SUBSTITUTE application/json
Substitute "s|http://localhost:7474|http://localhost:8080|n"
</Location>
I tried to change the substitute rule from "localhost:8080" to "localhost:8080/database" and to "/database" to no avail.
In closing what worked is to make it a subdomain and still have it on the root. Not sure why this has to be the case, but it is functional. Thank you again Stefan!
Some time ago I've set up an example config for using mod_proxy and mod_substitute, see https://github.com/sarmbruster/vagrant_neo4j_modproxy. See esp. the Apache config file.
Be aware that mod_substitute will not work with huge responses > 1M.

HHVM through Apache mod_fastcgi on debian

I've been able to rather easily get Facebook's hhvm working from prebuilt debian packages as well as compile it, and afterwards to run it behind apache as a proxy. The problem with the proxy setup is though, that I can't get response headers other than http status code 200 - like 304 for example - through. It's not the proxy config of apache, but something wrt how hhvm and apache interact, or even in hhvm.
Anyway, HHVM officially stopped supporting the standalone server, and they're moving over to fastcgi, and as all of our servers are running Debian, I don't have access to mod_proxy_fastcgi without compiling it (the only backports I found of apache 2.4 don't have mod_proxy_fastcgi backported unfortunately).
So I'm currently trying to get HHVM to run behind the old mod_fastcgi with apache 2.2. But currently I'm only getting "connect() failed" in the error log of apache, while hhvm is listening on :::1080
The important part of my apache config is
RemoveHandler application/x-httpd-php
FastCgiExternalServer /home/www/hhvm/hostname/htdocs/php5.fcgi -flush -host ip6-localhost:1080
AddType application/x-httpd-fastphp5 .php
Action application/x-httpd-fastphp5 /php5.fcgi
Alias /php5.fcgi /home/www/hhvm/hostname/htdocs/php5.fcgi
netstat also lists hhvm as listening on :::1080 and I can connect to it via telnet
Any Ideas on what I need to change so it works?
Looks like an IP6 port problem. Try [ip6-localhost]:1080 . Not sure if this has side effects in Apache.
How do ports work with IPv6?

Cannot load socket.io.js with apache proxy setup

I feel like this question might be a duplicate but from all similar threads I have checked still wasn't able to find an answer.
I have vhost setup to proxy /node/ request to NodeJS/Socket.IO server.
ProxyRequests On
ProxyPass /node http://192.168.2.151:1337/
ProxyPassReverse /node http://192.168.2.151:1337/
This setup successfully serves everything from Apache, except requests: http://domain.com/node/
Everything works fine when it comes to NodeJS.
I just can't get this line:
<script src="/node/socket.io/socket.io.js"></script>
to load socket.io.js, it always spits out what NodeJS server has to say.
The setup:
index.html is served by Apache. http://domain.com/index.html
index.html is simple HTML with script tag for loading socket.io.js (like I wrote above).
When I request http://domain.com/index.html script src is loaded but the content is NodeJS servers response instead of socket.io.js.
I have 'npm install socket.io' in the directory where NodeJS server is running from.
I have tried to serve index.html with NodeJS as well, regardless - socket.io.js content is still NodeJS response.
Did anyone have this problem? Or could link me to an answer? :)
Cheers!
Look at this question and all of the answers at serverfault: Configuring Apache2 to proxy WebSocket?.
The problem is that mod_proxy doesn't support WebSockets and just makes it an HTTP request. You could use a different port and avoid proxying, switch to Nginx, try haproxy or use various other Apache module alternatives. For instance, mod_proxy_wstunnel is basically mod_proxy with WebSockets support. See the serverfault link above for details on all of the solutions.

Monit Daemon: Apache-Status connection failure

I'm setting up a cluster of servers for the company I work at, and I'm using Monit to monitor that all server processes are running and working as they should.
For Apache monitoring, I wanna use the mod_status feature which is explained here. However, this has turned out quite difficult. As no matter how I configure both Monit and Apache, Monit just keeps reporting a connection failure error (connection failed to 127.0.0.1:80 [APACHESTATUS via TCP]).
I followed the instructions on the Monit Wiki without much luck. The Apache status page (http://127.0.0.1/server-status?auto) works in any browser I test it with. I've also tried changing the host from 127.0.0.1 to localhost without any luck.
I've tested this setup with Monit versions 4.8.x, 4.10x, and 5.0-beta6, all with the same result. Also, there's not much useful info on Google to help either, as most results are about more trivial and simple problems.
Am I missing something? Or am I just plain stupid maybe?
Try to change the authorization in Apache:
Order allow,deny
Allow from all
Check Apache access.log and error.log files - which kind of error is reported?