PUT and DELETE requests not allowed in Apache 2.4

I'm trying to create a RESTful API on my server using PHP. No problems with GET or POST requests, but I can't get PUT or DELETE requests working.
At first, I tried without configuring Apache: all I get is a 403 Unauthorized error. Then I use Limit:
<Limit GET HEAD POST PUT DELETE OPTIONS>
Require all granted
</Limit>
I get a 405 Method Not Allowed error.
From here, I've tried multiple configurations (AllowMethods, ...) but still get the 405 error.
When I activate a higher level of Apache's logs, it indicates all is fine, but it still returns a 405 code:
[authz_core:debug] [pid 43259] mod_authz_core.c(817): AH01626: authorization result of Require all granted: granted
[authz_core:debug] [pid 43259] mod_authz_core.c(817): AH01626: authorization result of <RequireAny>: granted
[http:trace3] [pid 43259] http_filters.c(1125): Response sent with status 405, headers:
[http:trace5] [pid 43259] http_filters.c(1134): Date: Thu, 06 May 2021 06:55:24 GMT
[http:trace5] [pid 43259] http_filters.c(1137): Server: Apache/2.4.41 (Ubuntu)
[http:trace4] [pid 43259] http_filters.c(955): Allow: GET,POST,OPTIONS,HEAD
[http:trace4] [pid 43259] http_filters.c(955): Content-Length: 306
[http:trace4] [pid 43259] http_filters.c(955): Content-Type: text/html; charset=iso-8859-1
I read that sometimes server web applications like Jira can cause this, but I have only installed PhpMyAdmin.
How can I use PUT or DELETE requests?
NOTE: Apache/2.4.41 (Ubuntu)

Fixed.
A global Apache2 configuration file, /etc/apache2/mods-enabled/userdir.conf, defines the following rules:
<Limit GET POST OPTIONS>
Require all granted
</Limit>
<LimitExcept GET POST OPTIONS>
Require all denied
</LimitExcept >
I'm not sure why the <Limit> was partially ignored in .htaccess (error 405 instead of 403 when active) but it works if all is granted with no <Limit>.
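To find which file restricts a method, it helps to list every `<Limit>` and `<LimitExcept>` section and see which `Require` lines apply to that method. The following is an added example, not code from the original posts; the sample text is constructed from the rules quoted above, and the function names are hypothetical.

```python
import re

# Constructed sample: the rules quoted from userdir.conf in the answer above,
# including the stray space in the closing tag.
SAMPLE_CONF = """\
<Limit GET POST OPTIONS>
Require all granted
</Limit>
<LimitExcept GET POST OPTIONS>
Require all denied
</LimitExcept >
"""

SECTION = re.compile(r"<(Limit|LimitExcept)\s+([^>]*)>(.*?)</\1\s*>", re.S | re.I)


def method_sections(conf_text):
    """Return (kind, methods, require_lines) for each method section."""
    # Drop comment lines so commented-out sections are not reported.
    conf_text = re.sub(r"(?m)^\s*#.*$", "", conf_text)
    found = []
    for kind, methods, body in SECTION.findall(conf_text):
        requires = [ln.strip() for ln in body.splitlines()
                    if ln.strip().lower().startswith("require ")]
        found.append((kind.lower(), set(methods.split()), requires))
    return found


def rules_for(method, conf_text):
    """Require lines from the sections that apply to `method`."""
    # The Apache docs note that GET in <Limit> also covers HEAD; the same
    # mapping is assumed here for <LimitExcept>.
    probe = "GET" if method == "HEAD" else method
    hits = []
    for kind, methods, requires in method_sections(conf_text):
        listed = probe in methods
        # <Limit> applies to listed methods, <LimitExcept> to all others.
        if (kind == "limit") == listed:
            hits.extend(requires)
    return hits


if __name__ == "__main__":
    for m in ("GET", "HEAD", "PUT", "DELETE"):
        print(m, rules_for(m, SAMPLE_CONF))
```

Feeding it the contents of each file under /etc/apache2/mods-enabled/ shows where a method such as PUT falls into a deny rule.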

Related

Apache2 LDAPS configuration fails to bind/accept credentials

This is my first time posting so sorry in advance if I do things incorrectly. I will substitute IPs and usernames.
I have a Windows Active Directory setup and I am trying to use this for authentication to a webpage I have on a separate Ubuntu 18.04 server. I am attempting to use apache2 (2.4.18) in order to set this up. Documentation online seems fairly straightforward but I have not been successful. First, I cannot use the <Location "/auth"> tags as it seems to simply not work at all. I have to use the <Directory /auth> tag.
The AD server uses a self-signed certificate and I have had trouble getting it to trust it with LDAPTrustedGlobalCert. I was getting [Can't contact LDAP server] but LDAPVerifyServerCert Off seems to let me get past that hurdle for now.
The biggest issue that I have is I do not think the bind is working. When just loading the webpage I see this show up in the error log:
[authz_core:debug] [pid 2397] mod_authz_core.c(809): [client <myclientIP>:56969] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[authz_core:debug] [pid 2397] mod_authz_core.c(809): [client <myclientIP>:56969] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
From there I enter credentials to try and authenticate and I get:
[Thu Aug 27 08:36:22.831527 2020] [authnz_ldap:debug] [pid 2396] mod_authnz_ldap.c(520): [client <myClientIP>:56887] AH01691: auth_ldap authenticate: using URL ldaps://<myLDAPIP>/dc=my,dc=example,dc=com?uid
[Thu Aug 27 08:36:22.888784 2020] [authnz_ldap:info] [pid 2396] [client <myClientIP>:56887] AH01695: auth_ldap authenticate: user <myUser> authentication failed; URI /auth/ [LDAP: ldap_simple_bind() failed][Invalid credentials]
[Thu Aug 27 08:36:22.888825 2020] [auth_basic:error] [pid 2396] [client <myClientIP>:56887] AH01617: user <myUser>: authentication failure for "/auth/": Password Mismatch
This is my configuration for apache. I left commented lines in so you can see a couple of the many variations that I have tried:
LDAPVerifyServerCert Off
<Directory "/var/www/html/auth">
AuthType Basic
AuthName "Authentication required"
AuthBasicProvider ldap
AuthLDAPURL ldaps://<myLDAPIP>/dc=my,dc=example,dc=com?uid
#AuthLDAPURL ldaps://<myLDAPIP>:636/cn=Users,dc=my,dc=example,dc=com
AuthLDAPBindDN <myUser>
#AuthLDAPBindDN cn=<myUser>,dc=my,dc=example,dc=com
AuthLDAPBindPassword <myPassword>
Require valid-user
#require ldap-group cn=Users,dc=my,dc=example,dc=com
#require ldap-group cn=Users
LogLevel debug
</Directory>
I have searched all over and tried many configurations but I do not see why it does not work with this one. I have at least three other programs that use LDAPS with this Active Directory server. The difference is they all had built-in support for it and I did not have to do anything with Apache.
Any help would be appreciated!
Thanks in advance
I actually continued trying multiple configurations and finally found one that worked. Below is the functioning code:
<Directory "/var/www/html/auth">
AuthType Basic
AuthName "Authentication required"
AuthBasicProvider ldap
AuthLDAPURL "ldaps://<myLDAPIP>/dc=my,dc=example,dc=com?sAMAccountName"
AuthLDAPBindDN "myUser@my.example.com"
AuthLDAPBindPassword "<Password>"
Require valid-user
LogLevel debug
</Directory>
*If your certificate is not trusted, you can add LDAPVerifyServerCert Off, which should be outside of the virtualhost block.

.htaccess Debug Require expr

I'm trying to allow all requests to a specific url for webhooks to a development platform. Require expr works partially.
This website should only be completely accessible for specific users. Using
"Require expr %{REQUEST_URI} =~ m#^.*webhook.*$#" I'm trying to get this working. I also tried LocationMatch, which won't work for other circumstances.
AuthType Basic
AuthName "Please enter password"
require group xy yz
<IfModule mod_authz_core.c>
<RequireAny>
Require expr %{REQUEST_URI} =~ m#^.*webhook.*$#
...
</RequireAny>
</IfModule>
If I call the url example.com/webhook/xyz/ the request is not accepted and returns the realm login.
The log:
[Mon May 27 20:15:58.972495 2019] [authz_core:debug] [pid 15344] mod_authz_core.c(820): [client xxx.xxx.xxx.xxx:50341] AH01626: authorization result of Require group xy yz: denied (no authenticated user yet)
[Mon May 27 20:15:58.972519 2019] [authz_core:debug] [pid 15344] mod_authz_core.c(820): [client xxx.xxx.xxx.xxx:50341] AH01626: authorization result of Require expr %{REQUEST_URI} =~ m#^.*webhook.*$#: granted
[Mon May 27 20:15:58.972526 2019] [authz_core:debug] [pid 15344] mod_authz_core.c(820): [client xxx.xxx.xxx.xxx:50341] AH01626: authorization result of <RequireAny>: granted
[Mon May 27 20:15:58.972813 2019] [authz_core:debug] [pid 15344] mod_authz_core.c(820): [client xxx.xxx.xxx.xxx:50341] AH01626: authorization result of Require group xy yz: denied (no authenticated user yet)
[Mon May 27 20:15:58.972824 2019] [authz_core:debug] [pid 15344] mod_authz_core.c(820): [client xxx.xxx.xxx.xxx:50341] AH01626: authorization result of Require expr %{REQUEST_URI} =~ m#^.*webhook.*$#: denied
[Mon May 27 20:15:58.973126 2019] [authz_core:debug] [pid 15344] mod_authz_core.c(820): [client xxx.xxx.xxx.xxx:50341] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Mon May 27 20:15:58.973154 2019] [auth_basic:error] [pid 15344] [client xxx.xxx.xxx.xxx.47:50341] AH01614: client used wrong authentication scheme: /router.php
And I really don't know why it is denying these requests after it was granted. Maybe a redirect? PHP says $_SERVER['REQUEST_URI'] is still the same after I tried to grant my IP address. So I guess it's not a redirect issue. Any idea what can cause that problem or how to debug this?
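One way to read a log like this is to group the AH01626 lines into authorization passes and report which directive changed its result between them, together with the URI named in the AH01614 line. The following is an added example, not part of the original post; the sample log is constructed from the lines above with timestamps and client fields trimmed, and it assumes un-nested `<Require...>` containers.

```python
import re

# Constructed from the log lines in the question (timestamps, source file
# and client fields trimmed).
SAMPLE_LOG = """\
[authz_core:debug] [pid 15344] AH01626: authorization result of Require group xy yz: denied (no authenticated user yet)
[authz_core:debug] [pid 15344] AH01626: authorization result of Require expr %{REQUEST_URI} =~ m#^.*webhook.*$#: granted
[authz_core:debug] [pid 15344] AH01626: authorization result of <RequireAny>: granted
[authz_core:debug] [pid 15344] AH01626: authorization result of Require group xy yz: denied (no authenticated user yet)
[authz_core:debug] [pid 15344] AH01626: authorization result of Require expr %{REQUEST_URI} =~ m#^.*webhook.*$#: denied
[authz_core:debug] [pid 15344] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[auth_basic:error] [pid 15344] AH01614: client used wrong authentication scheme: /router.php
"""

AUTHZ = re.compile(r"AH01626: authorization result of (.+): (granted|denied|neutral)\b")


def passes(log_text):
    """Split AH01626 lines into passes; a container result line ends a pass."""
    out, current = [], {}
    for line in log_text.splitlines():
        m = AUTHZ.search(line)
        if not m:
            continue
        directive, result = m.groups()
        if directive.startswith("<Require"):
            out.append({"checks": current, "final": result})
            current = {}
        else:
            current[directive] = result
    return out


def flipped(log_text):
    """(pass index, directive, before, after) for results that changed."""
    ps, changes = passes(log_text), []
    for i in range(1, len(ps)):
        before, after = ps[i - 1]["checks"], ps[i]["checks"]
        for d in before:
            if d in after and before[d] != after[d]:
                changes.append((i, d, before[d], after[d]))
    return changes


def failing_uri(log_text):
    """URI reported by the AH01614 auth_basic error, if any."""
    m = re.search(r"AH01614: .*?: (\S+)", log_text)
    return m.group(1) if m else None
```

On the sample, the only directive whose result changes is the `Require expr` on `%{REQUEST_URI}`, and the failing pass is logged against /router.php rather than the /webhook/xyz/ URL that was requested.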

Apache ReverseProxy Netscaler Gateway abort request because invalid characters in Set-Cookie

I have an Apache server, which works as a reverse proxy for a Netscaler Gateway. Sometimes it works, but in many cases the request ends with a 500. The log always gives the same error type:
[Mon Aug 20 12:51:24.541905 2018] [http:error] [pid 4919:tid 140600024221440] [client 192.168.22.194:40187] AH02430: Response header 'Set-Cookie' value of 'NSC_TASS=\x0fi\xd4a\xbd\x8e\xcf\xdek\x18\xcd:\x01\xc6d\xf1\xe6;HttpOnly;Path=/;Secure' contains invalid characters, aborting request
[Mon Aug 20 13:03:09.550947 2018] [http:error] [pid 5023:tid 140354590320384] [client 192.168.22.194:24541] AH02430: Response header 'Set-Cookie' value of 'NSC_TASS=le8M1TpPxu5GG1h8nEom8vsA\xe3\x06\x87\x8fnId=&janusWebEvent=PDClass.getJanusServerPage_webEvent_nextPhaseGC2%2C114078_pid_pdPreview_imgPath_res133136%2Fimg%2F_cid_10_clName_ADV_oidHi_10_oidLow_114073;HttpOnly;Path=/;Secure' contains invalid characters, aborting request
[Mon Aug 20 13:09:15.239058 2018] [http:error] [pid 5330:tid 140134346917632] [client 192.168.22.194:40606] AH02430: Response header 'Set-Cookie' value of 'NSC_TASS=\x95\x15\xa91e\xf8\xc8\x96\xdfI\x02\x89\xf4y\x05\xf2&;HttpOnly;Path=/;Secure' contains invalid characters, aborting request
I think it is the backslash in the cookie value, because backslashes are not allowed.
Can Apache skip validating this, or can I write a rule to rewrite the cookie value to a url-encoding\utf-8... value?
My config:
# a balancer manages the SSL
<VirtualHost *:80>
ServerName ng.subdomain.domain.tld
SSLProxyEngine On
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
ProxyRequests Off
#ProxyPreserveHost On
ProxyPass / https://ng.domain2.tld/
ProxyPassReverse / https://ng.domain2.tld/
#ProxyPass / wss://ng.domain2.tld/
#ProxyPassReverse / wss://ng.domain2.tld/
ProxyPassReverseCookieDomain ng.subdomain.domain.tld ng.domain2.tld
</VirtualHost>
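The `\xNN` sequences in the AH02430 lines are the error log's escaping of raw bytes in the header value. The following added example (not part of the original post) decodes two of the logged values and lists the bytes that fall outside the RFC 7230 field-value grammar. It assumes only `\xNN` and `\\` escapes occur, as in the lines above, and that the server's check follows that grammar; the function names are hypothetical.

```python
import re

# Cookie values copied from the AH02430 lines above, in the error log's
# escaped form; the last entry is a constructed clean value for contrast.
LOGGED = [
    r"NSC_TASS=\x0fi\xd4a\xbd\x8e\xcf\xdek\x18\xcd:\x01\xc6d\xf1\xe6;HttpOnly;Path=/;Secure",
    r"NSC_TASS=\x95\x15\xa91e\xf8\xc8\x96\xdfI\x02\x89\xf4y\x05\xf2&;HttpOnly;Path=/;Secure",
    r"NSC_TASS=le8M1TpPxu5GG1h8nEom8vsA;HttpOnly;Path=/;Secure",
]

# One pass over the text so an escaped backslash is never re-read as \xNN.
ESCAPE = re.compile(rb"\\(?:x([0-9a-fA-F]{2})|(\\))")


def unescape(logged):
    """Turn the log's \\xNN and \\\\ escapes back into raw header bytes."""
    def repl(m):
        return bytes([int(m.group(1), 16)]) if m.group(1) else b"\\"
    return ESCAPE.sub(repl, logged.encode("latin-1"))


def invalid_bytes(value):
    """Bytes not allowed in a field value: controls other than HTAB, and DEL.

    Visible ASCII, space, tab and obs-text (0x80-0xFF) are accepted.
    """
    return [b for b in value if (b < 0x20 and b != 0x09) or b == 0x7F]


def report(logged_values):
    """Map each logged value to the hex codes of its offending bytes."""
    return {v: [f"0x{b:02x}" for b in invalid_bytes(unescape(v))]
            for v in logged_values}


if __name__ == "__main__":
    for value, bad in report(LOGGED).items():
        print(bad or "ok", value[:30])
```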
Perhaps you can set the HttpProtocolOptions to LenientMethods, it might be set to Strict by default. This will only work if your proxy target returns 501 for invalid results.
For more information see the Apache documentation on HttpProtocolOptions.
An easy fix would be to simply have the netscaler encrypt its session cookies.
https://support.citrix.com/article/CTX220162
To encrypt session cookies as suggested above:
set lb parameter -useSecuredPersistenceCookie Enabled -cookiePassphrase
Example:
set lb parameter -useSecuredPersistenceCookie Enabled -cookiePassphrase test

proxy_ajp:error (70007)The timeout specified has expired:

I am getting the error in the error_log. I was able to figure out that I need to increase ProxyTimeout.
However, I was unable to find where I may change it. All I could do was add this to the server.xml:
<Connector executor="tomcatThreadPool"
port="8080" protocol="HTTP/1.1"
connectionTimeout="600000"
redirectPort="8443" />
Any idea how to exactly increase the ProxyTimeout?
I am using Ubuntu from AWS and Apache Tomcat v7
I have tried to add this into proxy-html.conf:
ProxyRequests On
<Proxy *>
AddDefaultCharset off
Order deny,allow
Allow from all
</Proxy>
ProxyPreserveHost Off
ProxyTimeout 1200
I have also added this into httpd.conf:
TimeOut 600
I have restarted the Tomcat server but neither of the above configurations helped.
Btw this is the exact error, I don't understand why there is proxy mentioned. I am not connecting through any proxy server... The issue happens when I submit a form, which triggers some tough processing. Then it times out in approx. 60 seconds. However, the program still runs, only the request times out.
Error:
[Thu Aug 13 07:34:21.677693 2015] [proxy_ajp:error] [pid 1515] (70007)The timeout specified has expired: AH01030: ajp_ilink_receive() can't receive header
[Thu Aug 13 07:34:21.677769 2015] [proxy_ajp:error] [pid 1515] [client 212.130.108.58:52206] AH00992: ajp_read_header: ajp_ilink_receive failed, referer: http://52.17.109.177/Visma_UploadInterface/MappingServlet
[Thu Aug 13 07:34:21.677782 2015] [proxy_ajp:error] [pid 1515] (70007)The timeout specified has expired: [client 212.130.108.58:52206] AH00878: read response failed from 127.0.0.1:8009 (localhost), referer: http://52.17.109.177/Visma_UploadInterface/MappingServlet
I have solved it by adding these two simple lines into the httpd.conf file:
Timeout 600
ProxyTimeout 600
I also rebooted the whole server, not just Tomcat. No idea if that was necessary, but seems like it.
I resolved it by modifying the existing virtual host configuration.
<Proxy "unix:/run/php/php7.2-fpm-example.sock|fcgi://localhost">
ProxySet timeout=600
</Proxy>
<FilesMatch \.php$>
SetHandler "proxy:fcgi://localhost"
</FilesMatch>

websocket connection via apache not established

I configured httpd.conf for websockets, but I am not able to establish a connection. I am getting “error reading status line from remote server”.
Below are the errors and the configuration.
Configuration
<Location /socket.io/>
ProxyPass http://172.27.38.93:9090/socket.io/
ProxyPassReverse http://172.27.38.93:9090/socket.io/
</Location>
<Location /socket.io/1/websocket>
ProxyPass ws://172.27.38.93:9090/socket.io/1/websocket
ProxyPassReverse ws://172.27.38.93:9090/socket.io/1/websocket
</Location>
Error.log
[Tue Feb 04 22:04:05.675146 2014] [proxy_http:error] [pid 7342:tid 47546562103616] (20014)Internal error: [client 10.20.136.193:52095] AH01102: error reading status line from remote server 172.27.38.93:9090
[Tue Feb 04 22:04:05.675183 2014] [proxy:error] [pid 7342:tid 47546562103616] [client 10.20.136.193:52095] AH00898: Error reading from remote server returned by /socket.io/1/websocket/vTkhURqnBJdwnFRjbOt7
Please let me know what needs to be corrected.