Apache 2.4 Basic Authentication slow - apache

I have a Debian Stretch server running Apache 2.4.
I want to use Basic Authentication to allow only a few users access to the served directory.
My configuration:
<Directory "/var/www/html">
AuthType Basic
AuthName "VPN Gateway Lpgin"
AuthBasicProvider file
AuthUserFile /var/www/.htpasswd
Options Indexes FollowSymLinks
AllowOverride None
<RequireAll>
Require ip 192.168.2.0/24
Require valid-user
</RequireAll>
</Directory>
This does work, but all requests now take over a minute to complete.
If I comment out the authentication line Require valid-user the requests are not slow at all.
[Tue Dec 25 11:29:08.272751 2018] [ssl:info] [pid 17970] [client 192.168.2.16:55447] AH01964: Connection to child 4 established (server localhost:443)
[Tue Dec 25 11:29:08.274989 2018] [socache_shmcb:debug] [pid 17970] mod_socache_shmcb.c(532): AH00835: socache_shmcb_retrieve (0xf3 -> subcache 19)
[Tue Dec 25 11:29:08.275157 2018] [socache_shmcb:debug] [pid 17970] mod_socache_shmcb.c(884): AH00849: match at idx=0, data=0
[Tue Dec 25 11:29:08.275267 2018] [socache_shmcb:debug] [pid 17970] mod_socache_shmcb.c(907): AH00850: shmcb_subcache_retrieve discarding expired entry
[Tue Dec 25 11:29:08.275292 2018] [socache_shmcb:debug] [pid 17970] mod_socache_shmcb.c(542): AH00836: leaving socache_shmcb_retrieve successfully
[Tue Dec 25 11:29:08.275632 2018] [ssl:debug] [pid 17970] ssl_engine_kernel.c(2115): [client 192.168.2.16:55447] AH02043: SSL virtual host for servername localhost found
[Tue Dec 25 11:29:08.275965 2018] [ssl:debug] [pid 17970] ssl_engine_kernel.c(2115): [client 192.168.2.16:55447] AH02043: SSL virtual host for servername localhost found
[Tue Dec 25 11:29:08.276057 2018] [core:debug] [pid 17970] protocol.c(2219): [client 192.168.2.16:55447] AH03155: select protocol from , choices=h2,h2-16,h2-15,h2-14,spdy/3.1,spdy/3,http/1.1 for server localhost
[Tue Dec 25 11:29:08.475832 2018] [socache_shmcb:debug] [pid 17970] mod_socache_shmcb.c(495): AH00831: socache_shmcb_store (0x0a -> subcache 10)
[Tue Dec 25 11:29:08.475990 2018] [socache_shmcb:debug] [pid 17970] mod_socache_shmcb.c(849): AH00847: insert happened at idx=0, data=(0:32)
[Tue Dec 25 11:29:08.476020 2018] [socache_shmcb:debug] [pid 17970] mod_socache_shmcb.c(854): AH00848: finished insert, subcache: idx_pos/idx_used=0/1, data_pos/data_used=0/198
[Tue Dec 25 11:29:08.476044 2018] [socache_shmcb:debug] [pid 17970] mod_socache_shmcb.c(516): AH00834: leaving socache_shmcb_store successfully
[Tue Dec 25 11:29:08.476100 2018] [ssl:debug] [pid 17970] ssl_engine_kernel.c(2042): [client 192.168.2.16:55447] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
[Tue Dec 25 11:29:08.477457 2018] [ssl:debug] [pid 17970] ssl_engine_kernel.c(366): [client 192.168.2.16:55447] AH02034: Initial (No.1) HTTPS request received for child 4 (server localhost:443)
[Tue Dec 25 11:29:08.478096 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of Require ip 192.168.2.0/24: granted
[Tue Dec 25 11:29:08.478225 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Tue Dec 25 11:29:08.478257 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of <RequireAll>: denied (no authenticated user yet)
[Tue Dec 25 11:29:08.478281 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Dec 25 11:29:26.504306 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of Require ip 192.168.2.0/24: granted
[Tue Dec 25 11:29:26.504552 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of Require valid-user : granted
[Tue Dec 25 11:29:26.504589 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of <RequireAll>: granted
[Tue Dec 25 11:29:26.504620 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of <RequireAny>: granted
[Tue Dec 25 11:29:26.505318 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of Require ip 192.168.2.0/24: granted
[Tue Dec 25 11:29:26.505459 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Tue Dec 25 11:29:26.505490 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of <RequireAll>: denied (no authenticated user yet)
[Tue Dec 25 11:29:26.506120 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Dec 25 11:29:44.539755 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of Require ip 192.168.2.0/24: granted
[Tue Dec 25 11:29:44.539958 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of Require valid-user : granted
[Tue Dec 25 11:29:44.539994 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of <RequireAll>: granted
[Tue Dec 25 11:29:44.540022 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of <RequireAny>: granted
[Tue Dec 25 11:29:44.541340 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of Require ip 192.168.2.0/24: granted
[Tue Dec 25 11:29:44.541494 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Tue Dec 25 11:29:44.541583 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of <RequireAll>: denied (no authenticated user yet)
[Tue Dec 25 11:29:44.541615 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Dec 25 11:30:02.576180 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of Require ip 192.168.2.0/24: granted
[Tue Dec 25 11:30:02.576362 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of Require valid-user : granted
[Tue Dec 25 11:30:02.576396 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of <RequireAll>: granted
[Tue Dec 25 11:30:02.576426 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of <RequireAny>: granted
[Tue Dec 25 11:30:05.134078 2018] [deflate:debug] [pid 17970] mod_deflate.c(853): [client 192.168.2.16:55447] AH01384: Zlib: Compressed 13343 to 2899 : URL /index.php
[Tue Dec 25 11:30:10.141799 2018] [ssl:debug] [pid 17970] ssl_engine_io.c(1044): [client 192.168.2.16:55447] AH02001: Connection closed to child 4 with standard shutdown (server localhost:443)
It seems to get stuck on authentication but I do not know why.
Tested different browsers and all of them display slow loading if Basic Authentication is enabled.
How to debug this?
EDIT: I also noticed Apache's CPU usage going through the roof hogging 100% while authenticating.


Try moving the Require Valid user outside the Require all
Example
<Location "/secure">
AuthType basic
AuthName "private area"
AuthBasicProvider dbm
AuthDBMType SDBM
AuthDBMUserFile "/www/etc/dbmpasswd"
Require valid-user
Order Allow,Deny
Deny from all
Satisfy Any
</Location>
Source reference material used


Apache2 slow basic auth / slow .htpasswd
it is because you using slow algoritm for password, just use md5 simple algoritm
htpasswd -c -m file login


my Apache slowed it downed because of the bcrypt encryption of 17 times
htpasswd -B -C 17 -n RDG
(encypt with bcrypt 17 times and display the results on stdout which is the terminal for user RDG)
htpasswd -B -C 5 -n RDG
(encypt with bcrypt 5 times and display the results on stdout which is the terminal for user RDG)
When i take the RDG user with the 5 times encrypted password then Apache response as fast as usual. All other answers above didn't work for me.

Related

server certificate does NOT include an ID which matches the server name by django

my django application(ssl) is strange...
This is the application structure. there is 4 apps.
mysite
|-app1
|-app2
|-app3
|-app4
main app is app1. now, there is response follows.
mysite
|-app1 ...500 server error
|-app2 ...200 ok
|-app3 ...200 ok
|-app4 ...200 ok
Below is the actual url
app1: https://www.henojiya.net/vietnam_research/
app2: https://www.henojiya.net/gmarker/
app3: https://www.henojiya.net/shopping/
app4: https://www.henojiya.net/kanban/
mmm...
# tail -f /var/log/httpd/error_log
openssl??
[Tue Aug 25 22:28:49.164124 2020] [suexec:notice] [pid 8122:tid 140202116692224] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Aug 25 22:28:49.183968 2020] [lbmethod_heartbeat:notice] [pid 8122:tid 140202116692224] AH02282: No slotmem from mod_heartmonitor
[Tue Aug 25 22:28:49.186372 2020] [mpm_event:notice] [pid 8122:tid 140202116692224] AH00489: Apache/2.4.37 (centos) OpenSSL/1.1.1c mod_wsgi/4.7.1 Python/3.6 configured -- resuming normal operations
[Tue Aug 25 22:28:49.186393 2020] [core:notice] [pid 8122:tid 140202116692224] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
# tail -f ssl_error_log
server certificate does NOT include an ID which matches the server name ??
[wsgi:error] [pid 5344:tid 140508085110528] [remote 54.67.71.54:39392] File "/var/www/html/venv/lib/python3.6/site-packages/pandas/__init__.py", line 17, in <module>
[Tue Aug 25 18:28:39.109567 2020] [wsgi:error] [pid 5344:tid 140508085110528] [remote 54.67.71.54:39392] "Unable to import required dependencies:\\n" + "\\n".join(missing_dependencies)
[Tue Aug 25 18:28:39.109575 2020] [wsgi:error] [pid 5344:tid 140508085110528] [remote 54.67.71.54:39392] ImportError: Unable to import required dependencies:
[Tue Aug 25 18:28:39.109578 2020] [wsgi:error] [pid 5344:tid 140508085110528] [remote 54.67.71.54:39392] numpy: Interpreter change detected - this module can only be loaded into one interpreter per process.
[Tue Aug 25 21:03:53.627872 2020] [ssl:warn] [pid 7430:tid 139632467552512] AH01909: 153.126.200.229:443:0 server certificate does NOT include an ID which matches the server name
[Tue Aug 25 21:03:53.645213 2020] [ssl:warn] [pid 7430:tid 139632467552512] AH01909: 153.126.200.229:443:0 server certificate does NOT include an ID which matches the server name
[Tue Aug 25 21:33:53.554592 2020] [ssl:warn] [pid 7769:tid 140223441197312] AH01909: 153.126.200.229:443:0 server certificate does NOT include an ID which matches the server name
[Tue Aug 25 21:33:53.571588 2020] [ssl:warn] [pid 7769:tid 140223441197312] AH01909: 153.126.200.229:443:0 server certificate does NOT include an ID which matches the server name
[Tue Aug 25 22:28:49.166069 2020] [ssl:warn] [pid 8122:tid 140202116692224] AH01909: 153.126.200.229:443:0 server certificate does NOT include an ID which matches the server name
[Tue Aug 25 22:28:49.183859 2020] [ssl:warn] [pid 8122:tid 140202116692224] AH01909: 153.126.200.229:443:0 server certificate does NOT include an ID which matches the server name
apache log...
# cd /etc/httpd/conf
# ls
httpd-le-ssl.conf
httpd.conf
magic
(httpd.conf)
<VirtualHost *:80>
ServerName www.henojiya.net
DocumentRoot "/var/www/html"
(httpd-le-ssl.conf)
<VirtualHost *:443>
ServerName www.henojiya.net
DocumentRoot "/var/www/html"
I hitted the wall... help me! thanks

I uploaded the view.py again and it was fine.
mysite
|-app1 ...200 ok
|-app2 ...200 ok
|-app3 ...200 ok
|-app4 ...200 ok
I think I was thinking too much.
In the first place, it is stranged that there is only one 500 error.
"View.py" may have been uploaded in a corrupted state.

ProxyRemote works with HTTP URL but not with HTTPS

ProxyRemote Directive doesn't work with HTTPS:
<VirtualHost *:443>
ServerName foo.foo
SSLProxyEngine on
SSLProxyVerify none
#SSLProxyVerifyDepth 10
SSLProxyCheckPeerCN off
# SAAS: disable hostname check
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
SSLProxyCACertificatePath /etc/ssl/certs/
ProxyRemote * https://10.27.73.178:443/
ProxyPass /api/ https://foo.gw.dev/api/
ProxyPassReverse /api/ https://foo.gw.dev/api/
SSLEngine on
SSLCertificateFile /storage/user/conf/ssl/web_cert.pem
SSLCertificateKeyFile /storage/user/conf/ssl/web_key.pem
SSLCertificateChainFile /storage/user/conf/ssl/web_chain.pem
SSLCACertificatePath /storage/user/conf/ssl/
SSLVerifyClient none
</VirtualHost>
It works if I specify http URL, like
ProxyRemote * http://10.27.73.178:3128/
I think it is a certificate checking issue, where exactly should I specify the proxy CA certificate?
I get the following error logs:
[Wed Nov 27 14:35:40.961981 2019] [proxy_http:trace1] [pid 32633:tid 140286441285376] mod_proxy_http.c(1931): [client 127.0.0.1:54302] HTTP: serving URL https://foo.gw.dev/api/
[Wed Nov 27 14:35:40.961989 2019] [proxy:debug] [pid 32633:tid 140286441285376] proxy_util.c(2302): AH00942: HTTPS: has acquired connection for (foo.gw.dev)
[Wed Nov 27 14:35:40.961993 2019] [proxy:debug] [pid 32633:tid 140286441285376] proxy_util.c(2355): [client 127.0.0.1:54302] AH00944: connecting https://foo.gw.dev/api/ to foo.gw.dev:443
[Wed Nov 27 14:35:40.962067 2019] [proxy:debug] [pid 32633:tid 140286441285376] proxy_util.c(2564): [client 127.0.0.1:54302] AH00947: connected /api to 10.27.73.178:443
[Wed Nov 27 14:35:40.962086 2019] [proxy:trace2] [pid 32633:tid 140286441285376] proxy_util.c(2999): HTTPS: fam 2 socket created to connect to foo.gw.dev
[Wed Nov 27 14:35:41.172521 2019] [proxy:debug] [pid 32633:tid 140286441285376] proxy_util.c(3033): AH02824: HTTPS: connection established with 10.27.73.178:443 (foo.gw.dev)
[Wed Nov 27 14:35:41.172570 2019] [proxy:debug] [pid 32633:tid 140286441285376] proxy_util.c(2660): AH00948: CONNECT: sending the CONNECT request for foo.gw.dev:443 to the remote proxy 10.27.73.178:443 (10.27.73.178)
[Wed Nov 27 14:35:41.383758 2019] [proxy:error] [pid 32633:tid 140286441285376] (104)Connection reset by peer: AH00958: HTTPS: attempt to connect to foo.gw.dev:443 via http CONNECT through 10.27.73.178:443 (foo.gw.dev) failed
[Wed Nov 27 14:35:41.383798 2019] [proxy_http:error] [pid 32633:tid 140286441285376] [client 127.0.0.1:54302] AH01114: HTTP: failed to make connection to backend: 10.27.73.178
[Wed Nov 27 14:35:41.383802 2019] [proxy:debug] [pid 32633:tid 140286441285376] proxy_util.c(2317): AH00943: HTTPS: has released connection for (foo.gw.dev)

Apache Active Directory mod_authnz_ldap not working

I have been trying to get AD auth on a virtualhost page working for the past several days, to no avail. Help...
CentOS 7
Apache 2.4.6
mod_ldap and mod_authnz_ldap installed and loading
<VirtualHost *:80>
DocumentRoot /var/www/wwwtest/public
ServerName wwwtest.example.com
ErrorLog logs/wwwtest.example.com-error_log
CustomLog logs/wwwtest.example.com-access_log common
<Directory /var/www/wwwtest/public>
Allow from all
Order Allow,Deny
Options Indexes MultiViews FollowSymLinks
AllowOverride None
AuthType Basic
AuthName "login"
AuthBasicProvider ldap
AuthLDAPBindDN ldapuser#EXAMPLE.COM
AuthLDAPBindPassword ldappassword
AuthLDAPURL "ldap://ldap01.example.com:3268/ou=employees,ou=users,dc=example,dc=com?sAMAccountName?sub?(objectClass=user)"
AuthLDAPBindAuthoritative off
Require valid-user
</Directory>
</VirtualHost>
I have trace8 enabled in /etc/httpd/conf/httpd.conf
And this is what I see in /var/log/httpd/wwwtest.example.com-error.log
[Wed Oct 21 12:12:56.213178 2015] [http:trace4] [pid 20648] http_request.c(301): [client 172.16.250.250:49559] Headers received from client:
[Wed Oct 21 12:12:56.213263 2015] [http:trace4] [pid 20648] http_request.c(305): [client 172.16.250.250:49559] Host: wwwtest.example.com
[Wed Oct 21 12:12:56.213278 2015] [http:trace4] [pid 20648] http_request.c(305): [client 172.16.250.250:49559] User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:41.0) Gecko/20100101 Firefox/41.0
[Wed Oct 21 12:12:56.213284 2015] [http:trace4] [pid 20648] http_request.c(305): [client 172.16.250.250:49559] Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
[Wed Oct 21 12:12:56.213289 2015] [http:trace4] [pid 20648] http_request.c(305): [client 172.16.250.250:49559] Accept-Language: en-US,en;q=0.5
[Wed Oct 21 12:12:56.213293 2015] [http:trace4] [pid 20648] http_request.c(305): [client 172.16.250.250:49559] Accept-Encoding: gzip, deflate
[Wed Oct 21 12:12:56.213297 2015] [http:trace4] [pid 20648] http_request.c(305): [client 172.16.250.250:49559] DNT: 1
[Wed Oct 21 12:12:56.213301 2015] [http:trace4] [pid 20648] http_request.c(305): [client 172.16.250.250:49559] Connection: keep-alive
[Wed Oct 21 12:12:56.213305 2015] [http:trace4] [pid 20648] http_request.c(305): [client 172.16.250.250:49559] Cache-Control: max-age=0
[Wed Oct 21 12:12:56.213309 2015] [http:trace4] [pid 20648] http_request.c(305): [client 172.16.250.250:49559] Authorization: Basic RTAxMDEwMTAxOkNvbmNvcmRpYTIwMTU=
[Wed Oct 21 12:12:56.213530 2015] [authz_core:debug] [pid 20648] mod_authz_core.c(809): [client 172.16.250.250:49559] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Wed Oct 21 12:12:56.213556 2015] [authz_core:debug] [pid 20648] mod_authz_core.c(809): [client 172.16.250.250:49559] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Wed Oct 21 12:12:56.213644 2015] [authnz_ldap:debug] [pid 20648] mod_authnz_ldap.c(501): [client 172.16.250.250:49559] AH01691: auth_ldap authenticate: using URL ldap://ldap01.example.com:3268/ou=employees,ou=users,dc=example,dc=edu?sAMAccountName?sub?(objectClass=user)
[Wed Oct 21 12:12:56.213705 2015] [authnz_ldap:trace1] [pid 20648] mod_authnz_ldap.c(522): [client 172.16.250.250:49559] auth_ldap authenticate: final authn filter is (&(objectClass=user)(sAMAccountName=TESTUSER))
[Wed Oct 21 12:12:56.215123 2015] [ldap:debug] [pid 20648] util_ldap.c(372): AH01278: LDAP: Setting referrals to On.
[Wed Oct 21 12:12:56.216479 2015] [ldap:trace2] [pid 20648] util_ldap.c(591): [client 172.16.250.250:49559] ldap_simple_bind() failed with server down (try 1)
[Wed Oct 21 12:12:56.217336 2015] [ldap:trace2] [pid 20648] util_ldap.c(591): [client 172.16.250.250:49559] ldap_simple_bind() failed with server down (try 2)
[Wed Oct 21 12:12:56.217358 2015] [ldap:trace2] [pid 20648] util_ldap.c(606): [client 172.16.250.250:49559] attempt to re-init the connection
[Wed Oct 21 12:12:56.217398 2015] [ldap:debug] [pid 20648] util_ldap.c(372): AH01278: LDAP: Setting referrals to On.
[Wed Oct 21 12:12:56.218332 2015] [ldap:trace2] [pid 20648] util_ldap.c(591): [client 172.16.250.250:49559] ldap_simple_bind() failed with server down (try 3)
[Wed Oct 21 12:12:56.219355 2015] [ldap:trace2] [pid 20648] util_ldap.c(591): [client 172.16.250.250:49559] ldap_simple_bind() failed with server down (try 4)
[Wed Oct 21 12:12:56.219392 2015] [ldap:trace2] [pid 20648] util_ldap.c(606): [client 172.16.250.250:49559] attempt to re-init the connection
[Wed Oct 21 12:12:56.219430 2015] [ldap:debug] [pid 20648] util_ldap.c(372): AH01278: LDAP: Setting referrals to On.
[Wed Oct 21 12:12:56.219444 2015] [authnz_ldap:debug] [pid 20648] mod_authnz_ldap.c(539): [client 172.16.250.250:49559] AH01694: auth_ldap authenticate: user TESTUSER authentication failed; URI / [LDAP: ldap_simple_bind() failed][Can't contact LDAP server] (not authoritative)
[Wed Oct 21 12:12:56.219454 2015] [auth_basic:error] [pid 20648] [client 172.16.250.250:49559] AH01618: user TESTUSER not found: /
[Wed Oct 21 12:12:56.219469 2015] [core:trace3] [pid 20648] request.c(119): [client 172.16.250.250:49559] auth phase 'check user' gave status 401: /
[Wed Oct 21 12:12:56.219530 2015] [http:trace3] [pid 20648] http_filters.c(992): [client 172.16.250.250:49559] Response sent with status 401, headers:
[Wed Oct 21 12:12:56.219532 2015] [http:trace5] [pid 20648] http_filters.c(999): [client 172.16.250.250:49559] Date: Wed, 21 Oct 2015 19:12:56 GMT
[Wed Oct 21 12:12:56.219534 2015] [http:trace5] [pid 20648] http_filters.c(1002): [client 172.16.250.250:49559] Server: Apache/2.4.6 (CentOS)
[Wed Oct 21 12:12:56.219536 2015] [http:trace4] [pid 20648] http_filters.c(835): [client 172.16.250.250:49559] WWW-Authenticate: Basic realm=\\”login\\”
[Wed Oct 21 12:12:56.219538 2015] [http:trace4] [pid 20648] http_filters.c(835): [client 172.16.250.250:49559] Content-Length: 381
[Wed Oct 21 12:12:56.219540 2015] [http:trace4] [pid 20648] http_filters.c(835): [client 172.16.250.250:49559] Keep-Alive: timeout=5, max=100
[Wed Oct 21 12:12:56.219541 2015] [http:trace4] [pid 20648] http_filters.c(835): [client 172.16.250.250:49559] Connection: Keep-Alive
[Wed Oct 21 12:12:56.219542 2015] [http:trace4] [pid 20648] http_filters.c(835): [client 172.16.250.250:49559] Content-Type: text/html; charset=iso-8859-1
I can do ldapsearch with these credentials and it returns user objects from our DC, so the credentials are correct. I ran Wireshark on the DC. It never saw any LDAP packets from this web server. I ran tcpdump on the web server and it never sent any LDAP packets when I attempted to auth...
We got AD auth via PHP working in like 10 minutes, but I had previously been working on this for days...so sure, it auth works now, but I want to know why mod_ldap and mod_authnz_ldap aren't working...or...what isn't working.
Also, I'm kinda new with Apache...so the problem is more than likely something I'm misunderstanding.
Thanks in advance.
UPDATE: Apparently it works just fine in Debian. (Apache 2.2.22, bu still) sigh

SOLVED: Clearly I'm still new at Linux as well.
It was, of course, an issue with SELinux. Even though I had set it from Enforcing to Permissive (and then eventually to Disabled), I didn't know that the only way to make that change is apparently by rebooting (or, setenforce 0). Rebooted, and it all worked fine because SELinux was now disabled. I then found that SELinux logs are at /var/log/audit/audit.log. There, were a bunch of:
type=AVC msg=audit(1445466425.176:1849): avc: denied { name_connect } for pid=21184 comm="httpd" dest=389 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
So to allow httpd to access ldap, I followed this post which says:
# getsebool -a | grep ldap
authlogin_nsswitch_use_ldap --> off
httpd_can_connect_ldap --> off
# setsebool httpd_can_connect_ldap 1
# getsebool -a | grep ldap
authlogin_nsswitch_use_ldap --> off
httpd_can_connect_ldap --> on
After that, auth worked perfectly with Firewalld enabled and with SELinux Enforcing. That also explains why a tcpdump showed no ldap bind attempts.
So yeah, hopefully this helps out anyone else that may have been stuck.
Bottom line: learn more about SELinux.

Apache Kerberos not Authenticating from Windows Client

With a number of great websites for reference, I setup an Apache 2.4 environment on Solaris 11 using the auth_gss_module for Kerberos authentication. The problem I have is not being able to access an authorized page using IE, Chrome, or Firefox on Windows 7 or Windows Server 2008. I have been successful accessing the secured page with curl and python scripts and also Safari and Firefox browsers on OS X 10.10. I have listed output from both successful and failed attempts with Kerberos authentication. I am not sure if it might be a configuration setting within AD that needs to be changed or maybe a encryption difference. I am looking for suggestions on what to do next. Thank you..
A key tab was created for me by the AD admin and this is the contents of the key tab
cyoull#host0ad903.abc.def.net:/local_apps/apache4/conf/certs$ klist -k host0ad903_keytab
Keytab name: FILE:host0ad903_keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 HTTP/host0ad903.abc.def.net#ABC.DEF.NET
On OS X, this is the list of kerberos tickets from the klist command.
Chriss-MacBook-Air:~ chris$ klist
Credentials cache: API:EF1241C7-A883-44A8-9729-969775673BCA
Principal: cyoull#ABC.DEF.NET
Issued Expires Principal
Sep 25 07:22:52 2015 Sep 25 17:22:40 2015 krbtgt/ABC.DEF.NET#ABC.DEF.NET
Chriss-MacBook-Air:~ chris$ klist
Credentials cache: API:EF1241C7-A883-44A8-9729-969775673BCA
Principal: cyoull#ABC.DEF.NET
Issued Expires Principal
Sep 25 07:22:52 2015 Sep 25 17:22:40 2015 krbtgt/ABC.DEF.NET#ABC.DEF.NET
Sep 25 07:23:06 2015 Sep 25 17:22:40 2015 HTTP/host0ad903.abc.def.net#ABC.DEF.NET
Valid starting Expires Service principal
18/09/2015 10:17 18/09/2015 20:17 krbtgt/ABC.DEF.NET#ABC.DEF.NET
renew until 25/09/2015 10:17, Etype(skey, tkt): ArcFour with HMAC/md5, AES-256 CTS mode with 96-bit SHA-1 HMAC
18/09/2015 10:17 18/09/2015 20:17 HTTP/host0ad903.abc.def.net#ABC.DEF.NET
renew until 25/09/2015 10:17, Etype(skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
This is the Apache log after successfully accessing the secured page with Kerberos authentication from Safari on OS X
[Fri Sep 25 07:23:06.348043 2015] [core:debug] [pid 24214:tid 18] mod_auth_gss.c(620): [client 10.93.68.187:56071] gss_authenticate: type = GSSAPI
[Fri Sep 25 07:23:06.348054 2015] [core:debug] [pid 24214:tid 18] mod_auth_gss.c(632): [client 10.93.68.187:56071] No authentication data found
[Fri Sep 25 07:23:06.348063 2015] [core:debug] [pid 24214:tid 18] mod_auth_gss.c(592): [client 10.93.68.187:56071] note_gss_auth_failure: auth_name = <undefined>
[Fri Sep 25 07:23:06.590334 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(620): [client 10.93.68.187:56073] gss_authenticate: type = GSSAPI
[Fri Sep 25 07:23:06.590347 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(334): [client 10.93.68.187:56073] authenticate_user_gss called
[Fri Sep 25 07:23:06.590362 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(373): [client 10.93.68.187:56073] Using keytab: KRB5_KTNAME=/local_apps/apache4/conf/certs/host0ad903_keytab
[Fri Sep 25 07:23:06.590508 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(411): [client 10.93.68.187:56073] Client wants GSS mech: spnego
[Fri Sep 25 07:23:06.590524 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(288): [client 10.93.68.187:56073] acquire_server_creds for HTTP#host0ad903.abc.def.net
[Fri Sep 25 07:23:06.621760 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(438): [client 10.93.68.187:56073] got server creds for: HTTP#host0ad903.abc.def.net
[Fri Sep 25 07:23:06.639432 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(549): [client 10.93.68.187:56073] Authenticated user (final result) : cyoull#ABC.DEF.NET
This is the Apache log file after a successful attempt with a Python script on Windows Server 2008
[Thu Sep 17 16:29:48.890889 2015] [core:debug] [pid 32125:tid 21] mod_auth_gss.c(620): [client 10.115.2.117:50526] gss_authenticate: type = GSSAPI
[Thu Sep 17 16:29:48.890900 2015] [core:debug] [pid 32125:tid 21] mod_auth_gss.c(632): [client 10.115.2.117:50526] No authentication data found
[Thu Sep 17 16:29:48.890909 2015] [core:debug] [pid 32125:tid 21] mod_auth_gss.c(592): [client 10.115.2.117:50526] note_gss_auth_failure: auth_name = <undefined>
[Thu Sep 17 16:29:48.908047 2015] [core:debug] [pid 32125:tid 21] mod_auth_gss.c(620): [client 10.115.2.117:50526] gss_authenticate: type = GSSAPI
[Thu Sep 17 16:29:48.908056 2015] [core:debug] [pid 32125:tid 21] mod_auth_gss.c(334): [client 10.115.2.117:50526] authenticate_user_gss called
[Thu Sep 17 16:29:48.908080 2015] [core:debug] [pid 32125:tid 21] mod_auth_gss.c(373): [client 10.115.2.117:50526] Using keytab: KRB5_KTNAME=/local_apps/apache4/conf/certs/host0ad903_keytab
[Thu Sep 17 16:29:48.908188 2015] [core:debug] [pid 32125:tid 21] mod_auth_gss.c(411): [client 10.115.2.117:50526] Client wants GSS mech: kerberos_v5
[Thu Sep 17 16:29:48.908203 2015] [core:debug] [pid 32125:tid 21] mod_auth_gss.c(288): [client 10.115.2.117:50526] acquire_server_creds for HTTP#host0ad903.abc.def.net
[Thu Sep 17 16:29:48.910360 2015] [core:debug] [pid 32125:tid 21] mod_auth_gss.c(438): [client 10.115.2.117:50526] got server creds for: HTTP/host0ad903.abc.def.net#ABC.DEF.NET
[Thu Sep 17 16:29:48.917847 2015] [core:debug] [pid 32125:tid 21] mod_auth_gss.c(524): [client 10.115.2.117:50526] Authenticated user before AuthGSSStripDomainAT: cyoull#ABC.DEF.NET
[Thu Sep 17 16:29:48.917863 2015] [core:debug] [pid 32125:tid 21] mod_auth_gss.c(533): [client 10.115.2.117:50526] Authenticated user before AuthGSSForceCase: coy
[Thu Sep 17 16:29:48.917873 2015] [core:debug] [pid 32125:tid 21] mod_auth_gss.c(549): [client 10.115.2.117:50526] Authenticated user (final result) : cyoull#ABC.DEF.NET
This is the Kerberos tickets on the Windows 7 client
U:\>klist
Current LogonId is 0:0xa84757
Cached Tickets: (2)
#0> Client: cyoull # ABC.DEF.NET
Server: krbtgt/ABC.DEF.NET # ABC.DEF.NET
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
Start Time: 9/25/2015 9:19:28 (local)
End Time: 9/25/2015 19:19:28 (local)
Renew Time: 10/2/2015 9:19:28 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
#1> Client: cyoull # ABC.DEF.NET
Server: HTTP/host0ad903.abc.def.net # ABC.DEF.NET
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
Start Time: 9/25/2015 9:19:30 (local)
End Time: 9/25/2015 19:19:28 (local)
Renew Time: 10/2/2015 9:19:28 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
Using the developer tools in Firefox I see three GET requests and in the apache log file it looks as if the kerberos negotiation tries more than once then fails with a 401 Unauthorized
[Fri Sep 25 08:54:28.205356 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(620): [client 10.211.8.122:52459] gss_authenticate: type = GSSAPI
[Fri Sep 25 08:54:28.205366 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(632): [client 10.211.8.122:52459] No authentication data found
[Fri Sep 25 08:54:28.205374 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(592): [client 10.211.8.122:52459] note_gss_auth_failure: auth_name = <undefined>
[Fri Sep 25 08:54:28.471160 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(620): [client 10.211.8.122:52459] gss_authenticate: type = GSSAPI
[Fri Sep 25 08:54:28.471170 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(334): [client 10.211.8.122:52459] authenticate_user_gss called
[Fri Sep 25 08:54:28.471187 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(373): [client 10.211.8.122:52459] Using keytab: KRB5_KTNAME=/local_apps/apache4/conf/certs/host0ad903_keytab
[Fri Sep 25 08:54:28.471290 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(411): [client 10.211.8.122:52459] Client wants GSS mech: spnego
[Fri Sep 25 08:54:28.471307 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(288): [client 10.211.8.122:52459] acquire_server_creds for HTTP#host0ad903.abc.def.net
[Fri Sep 25 08:54:28.474953 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(438): [client 10.211.8.122:52459] got server creds for: HTTP#host0ad903.abc.def.net
[Fri Sep 25 08:54:28.475143 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(650): [client 10.211.8.122:52459] Authentication failed.
[Fri Sep 25 08:54:28.475157 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(592): [client 10.211.8.122:52459] note_gss_auth_failure: auth_name = <undefined>
[Fri Sep 25 08:54:28.540288 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(620): [client 10.211.8.122:52459] gss_authenticate: type = GSSAPI
[Fri Sep 25 08:54:28.540296 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(334): [client 10.211.8.122:52459] authenticate_user_gss called
[Fri Sep 25 08:54:28.540310 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(373): [client 10.211.8.122:52459] Using keytab: KRB5_KTNAME=/local_apps/apache4/conf/certs/host0ad903_keytab
[Fri Sep 25 08:54:28.540344 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(411): [client 10.211.8.122:52459] Client wants GSS mech: <unknown>
[Fri Sep 25 08:54:28.540353 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(288): [client 10.211.8.122:52459] acquire_server_creds for HTTP#host0ad903.abc.def.net
[Fri Sep 25 08:54:28.543031 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(438): [client 10.211.8.122:52459] got server creds for: HTTP/host0ad903.abc.def.net#abc.def.net
[Fri Sep 25 08:54:28.543188 2015] [core:error] [pid 24150:tid 24] [client 10.211.8.122:52459] gss_accept_sec_context() failed: Invalid token was supplied (Unknown error)
[Fri Sep 25 08:54:28.543336 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(650): [client 10.211.8.122:52459] Authentication failed.
[Fri Sep 25 08:54:28.543349 2015] [core:debug] [pid 24150:tid 24] mod_auth_gss.c(592): [client 10.211.8.122:52459] note_gss_auth_failure: auth_name = <undefined>

Have you configured the web browsers on Windows to actually do HTTP Negotiate with this server? For example, in Firefox you need to set:
network.negotiate-auth.trusted-uris = abc.def.net
or another pattern that would match the URL. Chrome similarly has to be told to be willing to authenticate to the particular server, e.g. with:
--auth-server-whitelist="*.foo.com"
or via group policy.
If that’s not the problem, then please do this:
ipconfig /flushdns
klist purge
Run Wireshark and capture the HTTP, DNS, and Kerberos traffic during a failure (ports 80, 53, and 88).
Post the resulting pcap file.

Apache 2.4.6 mod_proxy_fcgi and PHP-FPM returning 404 error

I have PHP 5.3.3 with PHP-FPM running at 172.17.0.163:20533. I tested it with nginx and with cgi-fcgi:
$ SCRIPT_FILENAME=/www/localhost/test.php REQUEST_METHOD=GET cgi-fcgi -bind -connect 172.17.0.163:20533
returns
X-Powered-By: PHP/5.3.3
Content-type: text/html
hello, it works!
So, PHP-FPM is working.
Unfortunately, Apache 2.4 has some issues with PHP-FPM:
<VirtualHost *>
UseCanonicalName Off
VirtualDocumentRoot "/www/%0"
RewriteEngine On
RewriteRule ^/(.*\.php(/.*)?)$ fcgi://172.17.0.163:20533/www/%{SERVER_NAME}/$1 [P]
</VirtualHost>
Opening http:// localhost/test.php returns a "404 Not found" error. Non PHP files are working. Looking at the apache error logs, everything looks fine.
[Fri Nov 15 18:53:00.426776 2013] [mpm_event:info] [pid 1959:tid 140474380953408] AH00490: Server built: Nov 13 2013 14:23:31
[Fri Nov 15 18:53:00.426787 2013] [core:notice] [pid 1959:tid 140474380953408] AH00094: Command line: '/usr/local/sbin/httpd'
[Fri Nov 15 18:53:00.426917 2013] [proxy:debug] [pid 3028:tid 140474380953408] proxy_util.c(1694): AH00925: initializing worker proxy:reverse shared
[Fri Nov 15 18:53:00.426950 2013] [proxy:debug] [pid 3028:tid 140474380953408] proxy_util.c(1734): AH00927: initializing worker proxy:reverse local
[Fri Nov 15 18:53:00.427010 2013] [proxy:debug] [pid 3028:tid 140474380953408] proxy_util.c(1769): AH00930: initialized pool in child 3028 for (*) min=0 max=25 smax=25
[Fri Nov 15 18:53:00.427101 2013] [proxy:debug] [pid 3030:tid 140474380953408] proxy_util.c(1694): AH00925: initializing worker proxy:reverse shared
[Fri Nov 15 18:53:00.427421 2013] [proxy:debug] [pid 3029:tid 140474380953408] proxy_util.c(1694): AH00925: initializing worker proxy:reverse shared
[Fri Nov 15 18:53:00.427445 2013] [proxy:debug] [pid 3029:tid 140474380953408] proxy_util.c(1734): AH00927: initializing worker proxy:reverse local
[Fri Nov 15 18:53:00.427488 2013] [proxy:debug] [pid 3029:tid 140474380953408] proxy_util.c(1769): AH00930: initialized pool in child 3029 for (*) min=0 max=25 smax=25
[Fri Nov 15 18:53:00.427129 2013] [proxy:debug] [pid 3030:tid 140474380953408] proxy_util.c(1734): AH00927: initializing worker proxy:reverse local
[Fri Nov 15 18:53:00.428326 2013] [proxy:debug] [pid 3030:tid 140474380953408] proxy_util.c(1769): AH00930: initialized pool in child 3030 for (*) min=0 max=25 smax=25
[Fri Nov 15 18:53:01.627599 2013] [rewrite:trace2] [pid 3028:tid 140474150618880] mod_rewrite.c(468): [client 172.17.42.1:57951] 172.17.42.1 - - [localhost/sid#7fc2bd82e7f8][rid#7fc2bd7a10a0/initial] init rewrite engine with requested uri /test.php
[Fri Nov 15 18:53:01.627664 2013] [rewrite:trace3] [pid 3028:tid 140474150618880] mod_rewrite.c(468): [client 172.17.42.1:57951] 172.17.42.1 - - [localhost/sid#7fc2bd82e7f8][rid#7fc2bd7a10a0/initial] applying pattern '^/(.*\\.php(/.*)?)$' to uri '/test.php'
[Fri Nov 15 18:53:01.627718 2013] [rewrite:trace2] [pid 3028:tid 140474150618880] mod_rewrite.c(468): [client 172.17.42.1:57951] 172.17.42.1 - - [localhost/sid#7fc2bd82e7f8][rid#7fc2bd7a10a0/initial] rewrite '/test.php' -> 'fcgi://172.17.0.163:20533/www/localhost/test.php'
[Fri Nov 15 18:53:01.627747 2013] [rewrite:trace2] [pid 3028:tid 140474150618880] mod_rewrite.c(468): [client 172.17.42.1:57951] 172.17.42.1 - - [localhost/sid#7fc2bd82e7f8][rid#7fc2bd7a10a0/initial] forcing proxy-throughput with fcgi://172.17.0.163:20533/www/localhost/test.php
[Fri Nov 15 18:53:01.627759 2013] [rewrite:trace1] [pid 3028:tid 140474150618880] mod_rewrite.c(468): [client 172.17.42.1:57951] 172.17.42.1 - - [localhost/sid#7fc2bd82e7f8][rid#7fc2bd7a10a0/initial] go-ahead with proxy request proxy:fcgi://172.17.0.163:20533/www/localhost/test.php [OK]
[Fri Nov 15 18:53:01.627776 2013] [proxy_fcgi:trace1] [pid 3028:tid 140474150618880] mod_proxy_fcgi.c(90): [client 172.17.42.1:57951] canonicalising URL //172.17.0.163:20533/www/localhost/test.php
[Fri Nov 15 18:53:01.627776 2013] [proxy_fcgi:debug] [pid 3028:tid 140474150618880] mod_proxy_fcgi.c(120): [client 172.17.42.1:57951] AH01060: set r->filename to proxy:fcgi://172.17.0.163:20533/www/localhost/test.php
[Fri Nov 15 18:53:01.628070 2013] [proxy:trace2] [pid 3028:tid 140474150618880] proxy_util.c(1857): [client 172.17.42.1:57951] *: found reverse proxy worker for fcgi://172.17.0.163:20533/www/localhost/test.php
[Fri Nov 15 18:53:01.628082 2013] [proxy:debug] [pid 3028:tid 140474150618880] mod_proxy.c(1100): [client 172.17.42.1:57951] AH01143: Running scheme fcgi handler (attempt 0)
[Fri Nov 15 18:53:01.628096 2013] [proxy_fcgi:debug] [pid 3028:tid 140474150618880] mod_proxy_fcgi.c(944): [client 172.17.42.1:57951] AH01076: url: fcgi://172.17.0.163:20533/www/localhost/test.php proxyname: (null) proxyport: 0
[Fri Nov 15 18:53:01.628107 2013] [proxy_fcgi:debug] [pid 3028:tid 140474150618880] mod_proxy_fcgi.c(954): [client 172.17.42.1:57951] AH01078: serving URL //172.17.0.163:20533/www/localhost/test.php
[Fri Nov 15 18:53:01.628134 2013] [proxy:debug] [pid 3028:tid 140474150618880] proxy_util.c(2020): AH00942: FCGI: has acquired connection for (*)
[Fri Nov 15 18:53:01.628147 2013] [proxy:debug] [pid 3028:tid 140474150618880] proxy_util.c(2072): [client 172.17.42.1:57951] AH00944: connecting //172.17.0.163:20533/www/localhost/test.php to 172.17.0.163:20533
[Fri Nov 15 18:53:01.628224 2013] [proxy:debug] [pid 3028:tid 140474150618880] proxy_util.c(2194): [client 172.17.42.1:57951] AH00947: connected /www/localhost/test.php to 172.17.0.163:20533
[Fri Nov 15 18:53:01.628248 2013] [proxy:trace2] [pid 3028:tid 140474150618880] proxy_util.c(2446): FCGI: fam 2 socket created to connect to *
[Fri Nov 15 18:53:01.629453 2013] [proxy_fcgi:trace4] [pid 3028:tid 140474150618880] util_script.c(521): [client 172.17.42.1:57951] Headers from script 'test.php':
[Fri Nov 15 18:53:01.629552 2013] [proxy_fcgi:trace4] [pid 3028:tid 140474150618880] util_script.c(522): [client 172.17.42.1:57951] Status: 404 Not Found
[Fri Nov 15 18:53:01.629583 2013] [proxy_fcgi:trace1] [pid 3028:tid 140474150618880] util_script.c(599): [client 172.17.42.1:57951] Status line from script 'test.php': 404 Not Found
[Fri Nov 15 18:53:01.629595 2013] [proxy_fcgi:trace4] [pid 3028:tid 140474150618880] util_script.c(522): [client 172.17.42.1:57951] X-Powered-By: PHP/5.3.3
[Fri Nov 15 18:53:01.629608 2013] [proxy_fcgi:trace4] [pid 3028:tid 140474150618880] util_script.c(522): [client 172.17.42.1:57951] Content-type: text/html
[Fri Nov 15 18:53:01.629680 2013] [proxy:debug] [pid 3028:tid 140474150618880] proxy_util.c(2035): AH00943: FCGI: has released connection for (*)
It seems as if mod_proxy_fcgi is not sending the script path correctly?! Has anyone an idea?
UPDATE 16 Nov 2013
I tested it with Apache 2.2.25 and mod_fastcgi 2.4.6:
<VirtualHost *>
UseCanonicalName Off
VirtualDocumentRoot "/www/%0"
AddHandler php5-fastcgi .php
FastCgiExternalServer /www/localhost -host 172.17.0.163:20533
</VirtualHost>
Works like a charm. I guess Apache 2.4.6 with mod_proxy_fcgi is buggy.
Update 17 Nov 2013
I tested it with Apache 2.4.6 and mod_proxy_fcgi and PHP 5.4.21. It works. So, there seems to be a problem with PHP 5.3.3 together with Apache 2.4.6 and mod_proxy_fcgi.

Using PHP 5.3.27 fixes all the issues.