I'm trying to get my Apache2 Docker box (Ubuntu based) to work with AD authentication, but I'm getting the error message:
[Fri Nov 18 14:59:38.508164 2016] [authnz_ldap:debug] [pid 2906:tid 140020857906944] mod_authnz_ldap.c(516): [client 192.168.56.1:61467] AH01691: auth_ldap authenticate: using URL ldap://192.168.56.150/CN=Users,DC=comp,DC=local?sAMAccountName?sub?(objectClass=user)
[Fri Nov 18 14:59:38.508181 2016] [authnz_ldap:trace1] [pid 2906:tid 140020857906944] mod_authnz_ldap.c(537): [client 192.168.56.1:61467] auth_ldap authenticate: final authn filter is (&(objectClass=user)(sAMAccountName=testuser01))
[Fri Nov 18 14:59:38.508350 2016] [ldap:trace5] [pid 2906:tid 140020857906944] util_ldap.c(329): [client 192.168.56.1:61467] LDC 7f593ab9e0a0 init
[Fri Nov 18 14:59:38.548846 2016] [ldap:trace5] [pid 2906:tid 140020857906944] util_ldap.c(186): [client 192.168.56.1:61467] LDC 7f593ab9e0a0 unbind
[Fri Nov 18 14:59:38.549037 2016] [authnz_ldap:info] [pid 2906:tid 140020857906944] [client 192.168.56.1:61467] AH01695: auth_ldap authenticate: user testuser01 authentication failed; URI /repos [LDAP: ldap_start_tls_s() failed][Connect error]
[Fri Nov 18 14:59:38.549047 2016] [core:trace3] [pid 2906:tid 140020857906944] request.c(119): [client 192.168.56.1:61467] auth phase 'check user' gave status 500: /repos
[Fri Nov 18 14:59:38.549088 2016] [http:trace3] [pid 2906:tid 140020857906944] http_filters.c(1006): [client 192.168.56.1:61467] Response sent with status 500, headers:
As you can see, my AD server IP is 192.168.56.150. TLS is force enabled; the Apache configuration is:
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    LogLevel trace8
    ErrorLog ${APACHE_LOG_DIR}/svn-error.log
    CustomLog ${APACHE_LOG_DIR}/svn-access.log combined
    <Location / >
        DAV svn
        SVNParentPath /var/www/svn
        SVNReposName "Subversion Repository"
        AuthBasicProvider ldap
        AuthType Basic
        AuthName "AD Authorization Realm"
        AuthLDAPURL "ldap://192.168.56.150/CN=Users,DC=comp,DC=local?sAMAccountName?sub?(objectClass=user)" STARTTLS
        AuthLDAPBindDN cn=coops,cn=users,dc=comp,dc=local
        AuthLDAPBindPassword 123456
        Require valid-user
        Require ldap-group CN=developers,CN=Users,DC=comp,DC=local
        AuthLDAPGroupAttribute member
        AuthLDAPGroupAttributeIsDN off
    </Location>
</VirtualHost>
LDAPTrustedMode STARTTLS
LDAPVerifyServerCert on
LDAPTrustedGlobalCert CA_BASE64 /etc/apache2/certs/caroot.crt
I'm able to access AD from some LDAP client.
Does anybody know why my Apache server doesn't work?
ProxyRemote Directive doesn't work with HTTPS:
<VirtualHost *:443>
    ServerName foo.foo
    SSLProxyEngine on
    SSLProxyVerify none
    #SSLProxyVerifyDepth 10
    SSLProxyCheckPeerCN off
    # SAAS: disable hostname check
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off
    SSLProxyCACertificatePath /etc/ssl/certs/
    ProxyRemote * https://10.27.73.178:443/
    ProxyPass /api/ https://foo.gw.dev/api/
    ProxyPassReverse /api/ https://foo.gw.dev/api/
    SSLEngine on
    SSLCertificateFile /storage/user/conf/ssl/web_cert.pem
    SSLCertificateKeyFile /storage/user/conf/ssl/web_key.pem
    SSLCertificateChainFile /storage/user/conf/ssl/web_chain.pem
    SSLCACertificatePath /storage/user/conf/ssl/
    SSLVerifyClient none
</VirtualHost>
It works if I specify an http URL, like:
ProxyRemote * http://10.27.73.178:3128/
I think it is a certificate checking issue. Where exactly should I specify the proxy CA certificate?
I get the following error logs:
[Wed Nov 27 14:35:40.961981 2019] [proxy_http:trace1] [pid 32633:tid 140286441285376] mod_proxy_http.c(1931): [client 127.0.0.1:54302] HTTP: serving URL https://foo.gw.dev/api/
[Wed Nov 27 14:35:40.961989 2019] [proxy:debug] [pid 32633:tid 140286441285376] proxy_util.c(2302): AH00942: HTTPS: has acquired connection for (foo.gw.dev)
[Wed Nov 27 14:35:40.961993 2019] [proxy:debug] [pid 32633:tid 140286441285376] proxy_util.c(2355): [client 127.0.0.1:54302] AH00944: connecting https://foo.gw.dev/api/ to foo.gw.dev:443
[Wed Nov 27 14:35:40.962067 2019] [proxy:debug] [pid 32633:tid 140286441285376] proxy_util.c(2564): [client 127.0.0.1:54302] AH00947: connected /api to 10.27.73.178:443
[Wed Nov 27 14:35:40.962086 2019] [proxy:trace2] [pid 32633:tid 140286441285376] proxy_util.c(2999): HTTPS: fam 2 socket created to connect to foo.gw.dev
[Wed Nov 27 14:35:41.172521 2019] [proxy:debug] [pid 32633:tid 140286441285376] proxy_util.c(3033): AH02824: HTTPS: connection established with 10.27.73.178:443 (foo.gw.dev)
[Wed Nov 27 14:35:41.172570 2019] [proxy:debug] [pid 32633:tid 140286441285376] proxy_util.c(2660): AH00948: CONNECT: sending the CONNECT request for foo.gw.dev:443 to the remote proxy 10.27.73.178:443 (10.27.73.178)
[Wed Nov 27 14:35:41.383758 2019] [proxy:error] [pid 32633:tid 140286441285376] (104)Connection reset by peer: AH00958: HTTPS: attempt to connect to foo.gw.dev:443 via http CONNECT through 10.27.73.178:443 (foo.gw.dev) failed
[Wed Nov 27 14:35:41.383798 2019] [proxy_http:error] [pid 32633:tid 140286441285376] [client 127.0.0.1:54302] AH01114: HTTP: failed to make connection to backend: 10.27.73.178
[Wed Nov 27 14:35:41.383802 2019] [proxy:debug] [pid 32633:tid 140286441285376] proxy_util.c(2317): AH00943: HTTPS: has released connection for (foo.gw.dev)
I have a Debian Stretch server running Apache 2.4.
I want to use Basic Authentication to allow only a few users access to the served directory.
My configuration:
<Directory "/var/www/html">
    AuthType Basic
    AuthName "VPN Gateway Lpgin"
    AuthBasicProvider file
    AuthUserFile /var/www/.htpasswd
    Options Indexes FollowSymLinks
    AllowOverride None
    <RequireAll>
        Require ip 192.168.2.0/24
        Require valid-user
    </RequireAll>
</Directory>
This does work, but all requests now take over a minute to complete.
If I comment out the authentication line Require valid-user the requests are not slow at all.
[Tue Dec 25 11:29:08.272751 2018] [ssl:info] [pid 17970] [client 192.168.2.16:55447] AH01964: Connection to child 4 established (server localhost:443)
[Tue Dec 25 11:29:08.274989 2018] [socache_shmcb:debug] [pid 17970] mod_socache_shmcb.c(532): AH00835: socache_shmcb_retrieve (0xf3 -> subcache 19)
[Tue Dec 25 11:29:08.275157 2018] [socache_shmcb:debug] [pid 17970] mod_socache_shmcb.c(884): AH00849: match at idx=0, data=0
[Tue Dec 25 11:29:08.275267 2018] [socache_shmcb:debug] [pid 17970] mod_socache_shmcb.c(907): AH00850: shmcb_subcache_retrieve discarding expired entry
[Tue Dec 25 11:29:08.275292 2018] [socache_shmcb:debug] [pid 17970] mod_socache_shmcb.c(542): AH00836: leaving socache_shmcb_retrieve successfully
[Tue Dec 25 11:29:08.275632 2018] [ssl:debug] [pid 17970] ssl_engine_kernel.c(2115): [client 192.168.2.16:55447] AH02043: SSL virtual host for servername localhost found
[Tue Dec 25 11:29:08.275965 2018] [ssl:debug] [pid 17970] ssl_engine_kernel.c(2115): [client 192.168.2.16:55447] AH02043: SSL virtual host for servername localhost found
[Tue Dec 25 11:29:08.276057 2018] [core:debug] [pid 17970] protocol.c(2219): [client 192.168.2.16:55447] AH03155: select protocol from , choices=h2,h2-16,h2-15,h2-14,spdy/3.1,spdy/3,http/1.1 for server localhost
[Tue Dec 25 11:29:08.475832 2018] [socache_shmcb:debug] [pid 17970] mod_socache_shmcb.c(495): AH00831: socache_shmcb_store (0x0a -> subcache 10)
[Tue Dec 25 11:29:08.475990 2018] [socache_shmcb:debug] [pid 17970] mod_socache_shmcb.c(849): AH00847: insert happened at idx=0, data=(0:32)
[Tue Dec 25 11:29:08.476020 2018] [socache_shmcb:debug] [pid 17970] mod_socache_shmcb.c(854): AH00848: finished insert, subcache: idx_pos/idx_used=0/1, data_pos/data_used=0/198
[Tue Dec 25 11:29:08.476044 2018] [socache_shmcb:debug] [pid 17970] mod_socache_shmcb.c(516): AH00834: leaving socache_shmcb_store successfully
[Tue Dec 25 11:29:08.476100 2018] [ssl:debug] [pid 17970] ssl_engine_kernel.c(2042): [client 192.168.2.16:55447] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
[Tue Dec 25 11:29:08.477457 2018] [ssl:debug] [pid 17970] ssl_engine_kernel.c(366): [client 192.168.2.16:55447] AH02034: Initial (No.1) HTTPS request received for child 4 (server localhost:443)
[Tue Dec 25 11:29:08.478096 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of Require ip 192.168.2.0/24: granted
[Tue Dec 25 11:29:08.478225 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Tue Dec 25 11:29:08.478257 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of <RequireAll>: denied (no authenticated user yet)
[Tue Dec 25 11:29:08.478281 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Dec 25 11:29:26.504306 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of Require ip 192.168.2.0/24: granted
[Tue Dec 25 11:29:26.504552 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of Require valid-user : granted
[Tue Dec 25 11:29:26.504589 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of <RequireAll>: granted
[Tue Dec 25 11:29:26.504620 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of <RequireAny>: granted
[Tue Dec 25 11:29:26.505318 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of Require ip 192.168.2.0/24: granted
[Tue Dec 25 11:29:26.505459 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Tue Dec 25 11:29:26.505490 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of <RequireAll>: denied (no authenticated user yet)
[Tue Dec 25 11:29:26.506120 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Dec 25 11:29:44.539755 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of Require ip 192.168.2.0/24: granted
[Tue Dec 25 11:29:44.539958 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of Require valid-user : granted
[Tue Dec 25 11:29:44.539994 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of <RequireAll>: granted
[Tue Dec 25 11:29:44.540022 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of <RequireAny>: granted
[Tue Dec 25 11:29:44.541340 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of Require ip 192.168.2.0/24: granted
[Tue Dec 25 11:29:44.541494 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Tue Dec 25 11:29:44.541583 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of <RequireAll>: denied (no authenticated user yet)
[Tue Dec 25 11:29:44.541615 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Dec 25 11:30:02.576180 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of Require ip 192.168.2.0/24: granted
[Tue Dec 25 11:30:02.576362 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of Require valid-user : granted
[Tue Dec 25 11:30:02.576396 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of <RequireAll>: granted
[Tue Dec 25 11:30:02.576426 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of <RequireAny>: granted
[Tue Dec 25 11:30:05.134078 2018] [deflate:debug] [pid 17970] mod_deflate.c(853): [client 192.168.2.16:55447] AH01384: Zlib: Compressed 13343 to 2899 : URL /index.php
[Tue Dec 25 11:30:10.141799 2018] [ssl:debug] [pid 17970] ssl_engine_io.c(1044): [client 192.168.2.16:55447] AH02001: Connection closed to child 4 with standard shutdown (server localhost:443)
It seems to get stuck on authentication but I do not know why.
Tested different browsers and all of them display slow loading if Basic Authentication is enabled.
How to debug this?
EDIT: I also noticed Apache's CPU usage going through the roof hogging 100% while authenticating.
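In the log above, authz_core evaluates Require valid-user once before authentication ("no authenticated user yet") and once after it, so the gap between the two entries is the time spent checking the password. The following sketch is an added example, not part of the original post; it measures that gap per request, and the function names and the 1-second threshold are assumptions.

```python
import re
from datetime import datetime

# authz_core entries copied from the error log quoted in the question.
SAMPLE_LOG = """\
[Tue Dec 25 11:29:08.478096 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of Require ip 192.168.2.0/24: granted
[Tue Dec 25 11:29:08.478225 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Tue Dec 25 11:29:26.504552 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of Require valid-user : granted
[Tue Dec 25 11:29:26.505459 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Tue Dec 25 11:29:44.539958 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of Require valid-user : granted
[Tue Dec 25 11:29:44.541494 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Tue Dec 25 11:30:02.576362 2018] [authz_core:debug] [pid 17970] mod_authz_core.c(809): [client 192.168.2.16:55447] AH01626: authorization result of Require valid-user : granted
"""

# Matches only the "Require valid-user" results; other Require lines are ignored.
LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[authz_core:debug\] \[pid (?P<pid>\d+)[^\]]*\] .*?"
    r"\[client (?P<client>[^\]]+)\] AH01626: authorization result of "
    r"Require valid-user\s*: (?P<result>granted|denied \(no authenticated user yet\))"
)


def auth_latencies(log_text):
    """Return [(client, seconds)] between the pre-auth 'denied' and the post-auth 'granted'."""
    pending = {}  # (pid, client) -> time of the latest pre-auth evaluation
    latencies = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y")
        key = (m["pid"], m["client"])
        if m["result"].startswith("denied"):
            # A newer 'denied' replaces an older one, so a 401 challenge that was
            # never followed by a grant is not counted as latency.
            pending[key] = ts
        elif key in pending:
            latencies.append((m["client"], (ts - pending.pop(key)).total_seconds()))
    return latencies


def slow_auth(log_text, threshold=1.0):
    """Requests whose credential check took at least `threshold` seconds (assumed limit)."""
    return [(c, s) for c, s in auth_latencies(log_text) if s >= threshold]


if __name__ == "__main__":
    for client, seconds in slow_auth(SAMPLE_LOG):
        print(f"{client}: {seconds:.3f}s spent in authentication")
```
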
Try moving the Require valid-user outside the RequireAll.
Example:
<Location "/secure">
    AuthType basic
    AuthName "private area"
    AuthBasicProvider dbm
    AuthDBMType SDBM
    AuthDBMUserFile "/www/etc/dbmpasswd"
    Require valid-user
    Order Allow,Deny
    Deny from all
    Satisfy Any
</Location>
Source reference material used
Apache2 slow basic auth / slow .htpasswd
It is because you are using a slow algorithm for the password; just use the simple md5 algorithm:
htpasswd -c -m file login
My Apache slowed down because of the bcrypt encryption of 17 times:
htpasswd -B -C 17 -n RDG
(encrypt with bcrypt 17 times and display the results on stdout, which is the terminal, for user RDG)
htpasswd -B -C 5 -n RDG
(encrypt with bcrypt 5 times and display the results on stdout, which is the terminal, for user RDG)
When I take the RDG user with the 5 times encrypted password, Apache responds as fast as usual. All other answers above didn't work for me.
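Basic authentication sends the credentials with every request and the file provider re-checks the stored hash each time, so the bcrypt cost chosen with htpasswd -C is paid per request and doubles with each step. The following audit of an .htpasswd file is an added example, not part of the original answers; the sample entries are constructed with placeholder hash bodies, the user name RDG5 is hypothetical, and the max_cost threshold of 12 is an assumption.

```python
import re

# htpasswd -B writes "$2y$<two-digit cost>$<salt+hash>".
BCRYPT = re.compile(r"^\$2[abxy]\$(\d{2})\$")

# Constructed sample file: hash bodies are placeholders, not real digests.
SAMPLE_HTPASSWD = """\
# constructed entries for illustration
RDG:$2y$17$PLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLD
RDG5:$2y$05$PLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLD
login:$apr1$PLACEHLD$PLACEHOLDERPLACEHOLDERPL
legacy:{SHA}PLACEHOLDERPLACEHOLDERPLACE=
"""


def classify(stored):
    """Return (scheme, bcrypt_cost_or_None) for one stored password field."""
    m = BCRYPT.match(stored)
    if m:
        return "bcrypt", int(m.group(1))
    if stored.startswith("$apr1$"):
        return "apr1-md5", None          # written by htpasswd -m
    if stored.startswith("{SHA}"):
        return "sha1", None              # unsalted SHA-1, written by htpasswd -s
    return "crypt-or-plain", None


def audit(text, baseline_cost=5, max_cost=12):
    """Report scheme, bcrypt cost and work relative to cost `baseline_cost` per user.

    baseline_cost=5 is the htpasswd default; max_cost is an assumed budget above
    which per-request verification is flagged as slow.
    """
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, stored = line.split(":", 1)
        scheme, cost = classify(stored)
        if scheme == "bcrypt":
            # bcrypt performs 2**cost key-expansion rounds.
            work = 2 ** (cost - baseline_cost)
            flag = "slow-per-request" if cost > max_cost else None
        else:
            work = None
            flag = "fast-to-brute-force"
        findings.append({"user": user, "scheme": scheme, "cost": cost,
                         "relative_work": work, "flag": flag})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_HTPASSWD):
        print(f)
```
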
I use Apache server on Ubuntu 14.04. In order to redirect all requests from mypage.com to mypage.com:8080/myapp I use mod_proxy. My 000-default.conf looks as follows:
<VirtualHost *:80>
    # The ServerName directive sets the request scheme, hostname and port that
    # the server uses to identify itself. This is used when creating
    # redirection URLs. In the context of virtual hosts, the ServerName
    # specifies what hostname must appear in the request's Host: header to
    # match this virtual host. For the default virtual host (this file) this
    # value is not decisive as it is used as a last resort host regardless.
    # However, you must set it for any further virtual host explicitly.
    #ServerName www.example.com
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    ProxyPass / http://mypage.com:8080/myapp/ retry=0 timeout=10
    ProxyPassReverse / http://mypage.com:8080/myapp/
    ServerName mypage.com
    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf
</VirtualHost>
And that is my ports.conf
# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default.conf
Listen 80
Listen 81
<IfModule ssl_module>
    Listen 443
</IfModule>
<IfModule mod_gnutls.c>
    Listen 443
</IfModule>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
And everything works fine until, after several days, I always get a 503 Service Unavailable error page. This is written in error.log before the error occurs:
[Sun Oct 25 21:22:27.779422 2015] [core:error] [pid 14595] [client 38.104.233.252:45239] AH00126: Invalid URI in request GET HTTP/1.1 HTTP/1.1
[Mon Oct 26 02:30:20.925532 2015] [core:error] [pid 15416] [client 190.252.95.102:53508] AH00126: Invalid URI in request GET: index.php HTTP/1.0
[Mon Oct 26 08:22:27.771751 2015] [proxy:error] [pid 15402] (111)Connection refused: AH00957: HTTP: attempt to connect to 127.0.1.1:8080 (mypage.com) failed
[Mon Oct 26 08:22:27.774040 2015] [proxy:error] [pid 15402] AH00959: ap_proxy_connect_backend disabling worker for (mypage.com) for 0s
[Mon Oct 26 08:22:27.774111 2015] [proxy_http:error] [pid 15402] [client 5.28.160.27:48692] AH01114: HTTP: failed to make connection to backend: mypage.com
[Mon Oct 26 10:55:51.655213 2015] [proxy:error] [pid 15406] (111)Connection refused: AH00957: HTTP: attempt to connect to 127.0.1.1:8080 (mypage.com) failed
[Mon Oct 26 10:55:51.655422 2015] [proxy:error] [pid 15406] AH00959: ap_proxy_connect_backend disabling worker for (mypage.com) for 0s
[Mon Oct 26 10:55:51.655470 2015] [proxy_http:error] [pid 15406] [client 169.57.5.20:60000] AH01114: HTTP: failed to make connection to backend: mypage.com
[Mon Oct 26 13:32:00.442031 2015] [proxy:error] [pid 15408] (111)Connection refused: AH00957: HTTP: attempt to connect to 127.0.1.1:8080 (mypage.com) failed
[Mon Oct 26 13:32:00.442356 2015] [proxy:error] [pid 15408] AH00959: ap_proxy_connect_backend disabling worker for (mypage.com) for 0s
[Mon Oct 26 13:32:00.442413 2015] [proxy_http:error] [pid 15408] [client 217.168.189.15:50222] AH01114: HTTP: failed to make connection to backend: mypage.com, referer: http://mypage.com/admn
[Mon Oct 26 13:32:12.245050 2015] [proxy:error] [pid 15402] (111)Connection refused: AH00957: HTTP: attempt to connect to 127.0.1.1:8080 (mypage.com) failed
[Mon Oct 26 13:32:12.245179 2015] [proxy:error] [pid 15402] AH00959: ap_proxy_connect_backend disabling worker for (mypage.com) for 0s
[Mon Oct 26 13:32:12.245190 2015] [proxy_http:error] [pid 15402] [client 217.168.189.15:50225] AH01114: HTTP: failed to make connection to backend: mypage.com, referer: http://mypage.com/admn
[Mon Oct 26 13:34:44.343614 2015] [mpm_prefork:notice] [pid 991] AH00169: caught SIGTERM, shutting down
[Mon Oct 26 13:36:07.703185 2015] [mpm_prefork:notice] [pid 991] AH00163: Apache/2.4.7 (Ubuntu) PHP/5.5.9-1ubuntu4.11 configured -- resuming normal operations
[Mon Oct 26 13:36:07.708761 2015] [core:notice] [pid 991] AH00094: Command line: '/usr/sbin/apache2'
[Tue Oct 27 01:20:23.236327 2015] [mpm_prefork:notice] [pid 991] AH00169: caught SIGTERM, shutting down
[Tue Oct 27 01:20:24.265160 2015] [mpm_prefork:notice] [pid 3247] AH00163: Apache/2.4.7 (Ubuntu) PHP/5.5.9-1ubuntu4.11 configured -- resuming normal operations
[Tue Oct 27 01:20:24.265243 2015] [core:notice] [pid 3247] AH00094: Command line: '/usr/sbin/apache2'
[Tue Oct 27 01:41:17.177723 2015] [mpm_prefork:notice] [pid 3247] AH00169: caught SIGTERM, shutting down
[Tue Oct 27 01:41:18.219244 2015] [mpm_prefork:notice] [pid 11636] AH00163: Apache/2.4.7 (Ubuntu) PHP/5.5.9-1ubuntu4.11 configured -- resuming normal operations
[Tue Oct 27 01:41:18.219351 2015] [core:notice] [pid 11636] AH00094: Command line: '/usr/sbin/apache2'
After I restart my machine it works fine again. Then in 7-10 days it crashes again. I have tried a lot of things from the internet but always get this error within several weeks at most. I have been struggling with this for some months already.
SELinux is disabled.
The problem is not with Apache, because it's still serving a 503 page.
The problem is with the application running on port number 8080. You are reverse proxying / to http://mypage.com:8080/myapp/, and when Apache tries to proxy the request it's not getting a response back from the 8080 app, so it's throwing the message 'Service Unavailable'. This is inferred from the part of the log below:
[Mon Oct 26 13:32:00.442031 2015] [proxy:error] [pid 15408] (111)Connection refused: AH00957: HTTP: attempt to connect to 127.0.1.1:8080 (mypage.com) failed
[Mon Oct 26 13:32:00.442356 2015] [proxy:error] [pid 15408] AH00959: ap_proxy_connect_backend disabling worker for (mypage.com) for 0s
[Mon Oct 26 13:32:00.442413 2015] [proxy_http:error] [pid 15408] [client 217.168.189.15:50222] AH01114: HTTP: failed to make connection to backend: mypage.com, referer: http://mypage.com/admn
[Mon Oct 26 13:32:12.245050 2015] [proxy:error] [pid 15402] (111)Connection refused: AH00957: HTTP: attempt to connect to 127.0.1.1:8080 (mypage.com) failed
So check and post (if necessary) the logs of the server running on port number 8080.
I'm trying to run the command below from my Linux server:
curl -T helloworld.txt -u user:pwd http://<ip>/record/helloworld.txt
I'm not able to upload a helloworld.txt file to my HTTP URL.
Error:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /record/helloworld.txt
on this server.</p>
<hr>
<address>Apache/2.2.3 (Red Hat) Server at <ip> Port 80</address>
</body>
</html>
httpd.conf:
Alias /record /usr/bin/Test/web/record
<Directory /usr/bin/Test/web/record>
    DAV On
    Options Indexes MultiViews FollowSymLinks
    EnableSendfile off
    AllowOverride None
    Order allow,deny
    allow from all
</Directory>
<Location "/record">
    DAV On
    AuthType Basic
    AuthName "user"
    AuthUserFile /usr/bin/Test/web/.htpasswd
    Require valid-user
    RewriteEngine off
</Location>
httpd error logs:
[Thu Aug 27 16:54:39 2015] [notice] caught SIGTERM, shutting down
[Thu Aug 27 16:54:39 2015] [notice] SELinux policy enabled; httpd running as context root:system_r:httpd_t:s0
[Thu Aug 27 16:54:39 2015] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu Aug 27 16:54:39 2015] [notice] Digest: generating secret for digest authentication ...
[Thu Aug 27 16:54:39 2015] [notice] Digest: done
[Thu Aug 27 16:54:39 2015] [notice] Apache/2.2.3 (Red Hat) configured -- resuming normal operations
[Thu Aug 27 16:56:41 2015] [error] [client <ip>] Unable to PUT new contents for /record/helloworld.txt. [403, #0]
[Thu Aug 27 16:56:41 2015] [error] [client <ip>] (13)Permission denied: An error occurred while opening a resource. [500, #0]
Even though I found some similar reports on SO no suggestion solved my issue. So I decided to raise a question myself.
I am running Confluence (and Jira) as WARs on a Tomcat instance on Ubuntu. The application is accessible via http://localhost:8080/confluence. I would like to configure apache as a proxy to allow public access via http://confluence.<servername>.de. Following the instructions on https://confluence.atlassian.com/display/DOC/Using+Apache+with+mod_proxy#UsingApachewithmod_proxy-complex I did the following steps:
Appended the attributes proxyName="confluence.<servername>.de" and proxyPort="80" to the Connector element in /var/lib/tomcat7/conf/server.xml.
Defined a virtual host in /etc/apache2/sites-enabled/confluence.conf.
The confluence.conf has the following content:
<VirtualHost *:80>
    ServerName confluence.<servername>.de
    ProxyRequests Off
    ProxyPreserveHost On
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyPass / http://localhost:8080/confluence
    ProxyPassReverse / http://localhost:8080/confluence
    ProxyHTMLURLMap / /confluence/
    <Location />
        Order allow,deny
        Allow from all
    </Location>
</VirtualHost>
With this configuration I cannot invoke http://localhost:8080/confluence due to this (wget) output:
--2014-12-23 08:38:13-- http://localhost:8080/confluence
Resolving localhost (localhost)... ::1, 127.0.0.1
Connecting to localhost (localhost)|::1|:8080... failed: Connection refused.
Connecting to localhost (localhost)|127.0.0.1|:8080... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://confluence.<servername>.de/confluence/ [following]
--2014-12-23 08:38:13-- http://confluence.<servername>.de/confluence/
Resolving confluence.<servername>.de (confluence.<servername>.de)... 92.51.163.197
Connecting to confluence.<servername>.de (confluence.<servername>.de)|92.51.163.197|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2014-12-23 08:38:13 ERROR 404: Not Found.
If I remove the attributes proxyName and proxyPort this access is possible. However, the invocation via http://confluence.<servername>.de still yields errors. The output of Apache log suggests that the URL rewrite is corrupt:
[Tue Dec 23 08:50:47.952647 2014] [authz_core:debug] [pid 24715:tid 140609413170944] mod_authz_core.c(828): [client 37.201.226.149:11808] AH01628: authorization result: granted (no directives)
[Tue Dec 23 08:50:47.952809 2014] [proxy:debug] [pid 24715:tid 140609413170944] mod_proxy.c(1104): [client 37.201.226.149:11808] AH01143: Running scheme http handler (attempt 0)
[Tue Dec 23 08:50:47.952838 2014] [proxy:debug] [pid 24715:tid 140609413170944] proxy_util.c(2020): AH00942: HTTP: has acquired connection for (localhost)
[Tue Dec 23 08:50:47.952851 2014] [proxy:debug] [pid 24715:tid 140609413170944] proxy_util.c(2072): [client 37.201.226.149:11808] AH00944: connecting http://localhost:8080/confluence to localhost:8080
[Tue Dec 23 08:50:47.953069 2014] [proxy:debug] [pid 24715:tid 140609413170944] proxy_util.c(2206): [client 37.201.226.149:11808] AH00947: connected /confluence to localhost:8080
[Tue Dec 23 08:50:47.953176 2014] [proxy:debug] [pid 24715:tid 140609413170944] proxy_util.c(2483): (111)Connection refused: AH00957: HTTP: attempt to connect to [::1]:8080 (localhost) failed
[Tue Dec 23 08:50:47.953277 2014] [proxy:debug] [pid 24715:tid 140609413170944] proxy_util.c(2610): AH00962: HTTP: connection complete to [::1]:8080 (localhost)
[Tue Dec 23 08:50:47.956860 2014] [proxy:debug] [pid 24715:tid 140609413170944] proxy_util.c(2035): AH00943: http: has released connection for (localhost)
[Tue Dec 23 08:50:47.988123 2014] [authz_core:debug] [pid 24715:tid 140609402681088] mod_authz_core.c(828): [client 37.201.226.149:11808] AH01628: authorization result: granted (no directives)
[Tue Dec 23 08:50:47.988231 2014] [proxy:debug] [pid 24715:tid 140609402681088] mod_proxy.c(1104): [client 37.201.226.149:11808] AH01143: Running scheme http handler (attempt 0)
[Tue Dec 23 08:50:47.988250 2014] [proxy:debug] [pid 24715:tid 140609402681088] proxy_util.c(2020): AH00942: HTTP: has acquired connection for (localhost)
[Tue Dec 23 08:50:47.988264 2014] [proxy:debug] [pid 24715:tid 140609402681088] proxy_util.c(2072): [client 37.201.226.149:11808] AH00944: connecting http://localhost:8080/confluenceconfluence/ to localhost:8080
[Tue Dec 23 08:50:47.988277 2014] [proxy:debug] [pid 24715:tid 140609402681088] proxy_util.c(2206): [client 37.201.226.149:11808] AH00947: connected /confluenceconfluence/ to localhost:8080
[Tue Dec 23 08:50:47.990134 2014] [proxy:debug] [pid 24715:tid 140609402681088] proxy_util.c(2035): AH00943: http: has released connection for (localhost)
Am I missing anything? By the way, if I adjust the virtual host configuration in a way that the URL http://<servername>.de/confluence is used as a proxy everything works fine.
Any suggestion would be greatly appreciated.
My personal preference is to deploy applications in subfolders and set up proxy like:
ProxyPass "/confluence/" "http://localhost:8080/confluence/"
ProxyPassReverse "/confluence/" "http://localhost:8080/confluence/"
No need for ProxyHTMLURLMap, that's probably why you see "AH00944: connecting http://localhost:8080/confluenceconfluence/ to localhost:8080"
Setting up like you intended might be a little tricky, since you need the fully qualified domain name of your machine to be confluence.servername.de and you need an A record in your local DNS for this as well. I second Slash's question: can you ping confluence.servername.de?
When this is taken care of, you may also want to look into using these directives, as needed:
ProxyRequests Off
ProxyVia Off
RemoteIPHeader X-Forwarded-For
RequestHeader unset Accept-Encoding
ProxyHTMLEnable On
ProxyHTMLExtended On
<Proxy *>
    Require all granted
</Proxy>
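ProxyPass replaces the matched path prefix with the backend URL by plain string substitution, so a path ending in / paired with a URL that does not (as in the question's ProxyPass / http://localhost:8080/confluence) produces the doubled path seen in the AH00944 log line. The following check is an added example, not part of the original posts; the function names are assumptions and the two configurations are the ProxyPass lines quoted from the question and the answer.

```python
import shlex

# ProxyPass lines quoted from the question and from the answer above.
QUESTION_CONF = """\
ProxyPass / http://localhost:8080/confluence
ProxyPassReverse / http://localhost:8080/confluence
"""
ANSWER_CONF = """\
ProxyPass "/confluence/" "http://localhost:8080/confluence/"
ProxyPassReverse "/confluence/" "http://localhost:8080/confluence/"
"""


def parse_proxypass(config_text):
    """Return [(path_prefix, backend_url)] for each ProxyPass directive, in file order."""
    rules = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            parts = shlex.split(line)      # handles the quoted form used in the answer
        except ValueError:
            continue                       # unbalanced quotes: not a line we can judge
        if len(parts) < 3 or parts[0].lower() != "proxypass":
            continue
        path, url = parts[1], parts[2]
        if url == "!":                     # exclusion rule, nothing is proxied
            continue
        rules.append((path, url))
    return rules


def map_request(request_path, rules):
    """Backend URL for a request path: first matching prefix wins, the rest is appended as-is."""
    for path, url in rules:
        if request_path.startswith(path):
            return url + request_path[len(path):]
    return None


def lint(config_text):
    """Flag ProxyPass rules where only one of path and URL ends with a slash."""
    return [
        f"ProxyPass {path} {url}: trailing slash mismatch"
        for path, url in parse_proxypass(config_text)
        if path.endswith("/") != url.endswith("/")
    ]


if __name__ == "__main__":
    rules = parse_proxypass(QUESTION_CONF)
    print(map_request("/confluence/", rules))  # the doubled path from the log
    print(lint(QUESTION_CONF))
    print(lint(ANSWER_CONF))
```
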