How to configure apache server to allow wget with proxy? - apache

I'm totally new to the Apache httpd stuff.
I set up my host ServerHost1 as a file server with httpd:
# httpd -v
Server version: Apache/2.4.6 (Red Hat Enterprise Linux)
Server built: Dec 2 2014 08:09:42
I have put the file TestFile.txt under /var/www/html/TestDir/TestFile.txt
I modified part of the httpd.conf as follows:
<Directory />
Order deny,allow
Allow from all
</Directory>
On a test host TestHost1 with full Internet access, I can download my file with wget:
TestHost1]# wget http://ServerHost1/TestDir/TestFile.txt
--2016-03-17 13:39:12-- http://ServerHost1/TestDir/TestFile.txt
Resolving ServerHost1 (ServerHost1)... <IP address>
Connecting to ServerHost1 (ServerHost1)|<IP address>|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2859976598 (2.7G) [application/octet-stream]
Saving to: ‘TestFile.txt’
2% [> ] 60,645,376 24.0MB/s
On the host TestHost2, sitting on a semi-isolated network, I have to use a proxy for wget to work. It works fine with Google:
TestHost2]# wget google.ca
--2016-03-17 13:53:26-- http://google.ca/
Resolving proxy.com (proxy.com)... <ProxyIP>
Connecting to proxy.com (proxy.com)|<ProxyIP>|:3128... connected.
Proxy request sent, awaiting response... 301 Moved Permanently
Location: http://www.google.ca/ [following]
--2016-03-17 13:53:26-- http://www.google.ca/
Reusing existing connection to proxy.com:3128.
Proxy request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html’
[ <=> ] 19,928 --.-K/s in 0.1s
2016-03-17 13:53:27 (159 KB/s) - ‘index.html’ saved [19928]
However, when I try to get my file from ServerHost1, I get ERROR 503: Service Unavailable:
TestHost2]# wget http://ServerHost1/TestDir/TestFile.txt
--2016-03-17 13:57:13-- http://ServerHost1/TestDir/TestFile.txt
Resolving proxy.com (proxy.com)...<ProxyIP>
Connecting to proxy.com (proxy.com)|<ProxyIP>|:3128... connected.
Proxy request sent, awaiting response... 503 Service Unavailable
2016-03-17 13:57:13 ERROR 503: Service Unavailable.
So my questions are:
(1) Why am I seeing 503 Service Unavailable when the file is apparently available (since I can download it from TestHost1)?
(2) How do I configure my httpd.conf so that TestHost2 can wget the file from ServerHost1?

Maybe try with ProxyRequests as described in Apache docs https://httpd.apache.org/docs/2.4/mod/mod_proxy.html
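The transcripts in the question already settle question (1): in the failing run wget prints "Proxy request sent", so the only peer it ever spoke to was proxy.com:3128 and the 503 is the status that came back from the proxy; wget never opened a connection to ServerHost1 itself. The Python below is an added example, not part of the question or of the answer above: it classifies a wget transcript by the peer it talked to and the final status, decides from a no_proxy list whether a host should bypass the proxy, and builds the matching wget command line. The transcripts are copied from the question with its placeholders kept; the no_proxy suffix matching is my reading of wget's documented behaviour and is an assumption.

```python
"""Classify a wget transcript and build a proxy-aware wget command.
Added example, not from the question or the answer; the transcripts are
copied from the question (its <IP address>/<ProxyIP> placeholders kept)."""
import re
from urllib.parse import urlsplit

DIRECT_OK = """\
--2016-03-17 13:39:12-- http://ServerHost1/TestDir/TestFile.txt
Resolving ServerHost1 (ServerHost1)... <IP address>
Connecting to ServerHost1 (ServerHost1)|<IP address>|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2859976598 (2.7G) [application/octet-stream]
"""

PROXIED_503 = """\
--2016-03-17 13:57:13-- http://ServerHost1/TestDir/TestFile.txt
Resolving proxy.com (proxy.com)...<ProxyIP>
Connecting to proxy.com (proxy.com)|<ProxyIP>|:3128... connected.
Proxy request sent, awaiting response... 503 Service Unavailable
2016-03-17 13:57:13 ERROR 503: Service Unavailable.
"""

CONNECT_RE = re.compile(r"^Connecting to (\S+) \([^)]*\)\|[^|]*\|:(\d+)\.\.\. connected\.", re.M)
STATUS_RE = re.compile(r"^(Proxy request|HTTP request) sent, awaiting response\.\.\. (\d{3}) ?(.*)$", re.M)


def classify(transcript):
    """Peer wget actually talked to, and the final status it got back.
    'Proxy request sent' means the request went to the proxy, so the
    status line that follows is the proxy's reply (possibly relayed)."""
    statuses = STATUS_RE.findall(transcript)
    if not statuses:
        raise ValueError("no 'request sent, awaiting response' line in transcript")
    kind, code, reason = statuses[-1]          # last one wins after redirects
    connects = CONNECT_RE.findall(transcript)
    peer = "%s:%s" % connects[-1] if connects else None
    return {
        "via_proxy": kind == "Proxy request",
        "peer": peer,
        "status": int(code),
        "reason": reason.strip().rstrip("."),
    }


def explain(result):
    """One-line reading of a classify() result for the person debugging."""
    if result["status"] < 400:
        return "transfer succeeded via %s" % result["peer"]
    if result["via_proxy"]:
        return ("wget never reached the origin; %d came from the proxy at %s. Squid, for "
                "example, answers 503 when it cannot resolve or connect to the origin, so "
                "check the proxy's logs, or bypass it for internal hosts with no_proxy / --no-proxy."
                % (result["status"], result["peer"]))
    return "origin %s answered %d; look at the web server's config and error log" % (
        result["peer"], result["status"])


def should_bypass(url, no_proxy):
    """Approximation of wget's no_proxy handling (assumption): comma-separated
    domain suffixes, matched case-insensitively against the URL's host."""
    host = (urlsplit(url).hostname or "").lower()
    suffixes = [s.strip().lower() for s in no_proxy.split(",") if s.strip()]
    return any(host == s or host.endswith(s) for s in suffixes)


def wget_argv(url, proxy_url=None, no_proxy=""):
    """Build the wget command; --server-response prints the reply headers
    (Server:, Via:) so you can see who produced an error status."""
    argv = ["wget", "--server-response"]
    if proxy_url and not should_bypass(url, no_proxy):
        argv += ["-e", "use_proxy=yes", "-e", "http_proxy=" + proxy_url]
    else:
        argv.append("--no-proxy")
    argv.append(url)
    return argv


if __name__ == "__main__":
    for name, text in (("direct", DIRECT_OK), ("proxied", PROXIED_503)):
        print(name, "->", explain(classify(text)))
    print(" ".join(wget_argv("http://ServerHost1/TestDir/TestFile.txt",
                             "http://proxy.com:3128/", no_proxy="serverhost1")))
```

Running it against the question's own transcripts prints that the 200 came straight from ServerHost1:80 while the 503 came from proxy.com:3128. Because the 503 is produced on the proxy side, the place to look is the proxy (can it resolve and reach ServerHost1, and does its ACL allow that destination?), or, if TestHost2 has a direct route to ServerHost1, wget can be told to skip the proxy for that host with `--no-proxy` or a `no_proxy` entry in /etc/wgetrc.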

Related

OpenSSL can't establish SSL connection because unsupported protocol

I'm trying to build OpenCog from here and when I issue this command
octool -rdcpav -l default
It builds everything but it then gets to the step of installing Link-Grammar and this happens
[octool] Installing Link-Grammar....
--2020-06-13 10:09:36-- http://www.abisource.com/downloads/link-grammar/current/
Resolving www.abisource.com (www.abisource.com)... 130.89.149.216
Connecting to www.abisource.com (www.abisource.com)|130.89.149.216|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://www.abisource.com/downloads/link-grammar/current/ [following]
--2020-06-13 10:09:37-- https://www.abisource.com/downloads/link-grammar/current/
Connecting to www.abisource.com (www.abisource.com)|130.89.149.216|:443... connected.
OpenSSL: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
Unable to establish SSL connection.
I'm on ubuntu 20.04 LTS
www.abisource.com supports only TLS version 1.0, which is now broken (or at least weakened) and way obsolete. According to its headers it is Apache 2.2.15 (Fedora) which dates from 2010!
This therefore appears to be the same problem as OpenSSL v1.1.1 ssl_choose_client_version unsupported protocol, except Ubuntu instead of Debian and wget (used by octool) instead of openvpn. Try the accepted answer there: edit /etc/ssl/openssl.cnf under [system_default_sect] to downgrade MinProtocol=TLSv1 and possibly CipherString=DEFAULT:@SECLEVEL=1 -- the server's DHE key is 1k, and I don't recall if that works at level 2, although its cert is absurdly RSA 4k!
UPDATE: Okay, I downloaded and installed Ubuntu 20.04 including source for libssl1.1 and looked at it, and they did NOT keep the Debian approach here, they changed it. Specifically, they didn't change the openssl.cnf file to require TLSv1.2, instead they compiled OpenSSL/libssl to make the default SECLEVEL 2 and to have SECLEVEL 2 force TLSv1.2 (which it doesn't upstream).
However, you can still fix it by adding the desired (weak) configuration to openssl.cnf:
somewhere in the default section, i.e. before the first line beginning with [, add a line
openssl_conf = openssl_configuration
I like putting it at the very top, but that's just me.
technically at any section boundary, but easiest at the end, add three new sections:
[openssl_configuration]
ssl_conf = ssl_configuration
[ssl_configuration]
system_default = tls_system_default
[tls_system_default]
CipherString = DEFAULT:@SECLEVEL=1
Note that since MinProtocol wasn't already there you don't need to add it (the code default is okay) but you can if you want.
Now it works:
$ wget https://www.abisource.com/
--2020-06-20 05:11:11-- https://www.abisource.com/
Resolving www.abisource.com (www.abisource.com)... 130.89.149.216
Connecting to www.abisource.com (www.abisource.com)|130.89.149.216|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7687 (7.5K) [text/html]
Saving to: ‘index.html’
index.html 100%[===================>] 7.51K --.-KB/s in 0.002s
2020-06-20 05:11:12 (3.90 MB/s) - ‘index.html’ saved [7687/7687]
This is, as you commented, a global change. You can change it for this specific operation by editing your copy of octool to add the option --ciphers=DEFAULT:@SECLEVEL=1 to the wget command(s). With the original openssl.cnf:
$ wget --ciphers=DEFAULT:@SECLEVEL=1 https://www.abisource.com/
--2020-06-20 05:15:21-- https://www.abisource.com/
Resolving www.abisource.com (www.abisource.com)... 130.89.149.216
Connecting to www.abisource.com (www.abisource.com)|130.89.149.216|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7687 (7.5K) [text/html]
Saving to: ‘index.html.1’
index.html.1 100%[===================>] 7.51K --.-KB/s in 0s
2020-06-20 05:15:22 (330 MB/s) - ‘index.html.1’ saved [7687/7687]
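The openssl.cnf change in the answer is global and the --ciphers option is per command; the same security level can also be chosen per connection from code, which is the scope a practitioner usually wants. The Python below is an added example, not from the answer: it attempts a fully verified handshake at security levels 2, 1 and 0 in turn and reports the strictest level the server accepts, which tells you whether a per-operation override like the --ciphers one is enough. The host is the one from the answer; everything else is an assumption. One caveat for newer systems: on OpenSSL 3.x the SHA-1-signed handshake messages of TLS 1.0/1.1 are refused at level 1, so a TLS 1.0-only server needs level 0 there, not the level 1 the answer used on 20.04.

```python
"""Probe which OpenSSL security level a server needs. Added example; the
host is the one from the answer, the rest is assumed."""
import socket
import ssl


def client_context(seclevel, allow_legacy_tls=False):
    """Verifying client context (system CAs, hostname check) pinned to one
    OpenSSL security level. seclevel=2 is Ubuntu 20.04's compiled-in default;
    1 is what the openssl.cnf edit and wget --ciphers=DEFAULT:@SECLEVEL=1 select."""
    ctx = ssl.create_default_context()
    ctx.set_ciphers("DEFAULT:@SECLEVEL=%d" % seclevel)
    if allow_legacy_tls:
        # Lets the library offer TLS 1.0/1.1; the level may still refuse them.
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    return ctx


def cipher_names(ctx):
    """Cipher suites the context will offer, for comparing levels."""
    return sorted(c["name"] for c in ctx.get_ciphers())


def probe(host, port=443, levels=(2, 1, 0), timeout=5.0):
    """Handshake at each level, strictest first. The first 'ok' entry is the
    least weakening that works; a 'fail' at level 2 with 'ok' at level 1 is
    the situation the answer describes (1024-bit DHE key and/or TLS 1.0)."""
    results = {}
    for level in levels:
        try:
            ctx = client_context(level, allow_legacy_tls=(level < 2))
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[level] = ("ok", tls.version(), tls.cipher()[0])
        except (ssl.SSLError, OSError, ValueError) as exc:
            results[level] = ("fail", str(exc))
    return results


def minimum_working_level(results):
    """Highest (strictest) level that completed a handshake, or None."""
    ok = [lvl for lvl, res in results.items() if res[0] == "ok"]
    return max(ok) if ok else None


if __name__ == "__main__":
    res = probe("www.abisource.com")
    for level in sorted(res, reverse=True):
        print("SECLEVEL=%d: %s" % (level, res[level]))
    print("minimum working level:", minimum_working_level(res))
```

Certificate and hostname verification stay on at every level: the point is to lower only the key-size and protocol floor the server forces you to, not to turn checking off. If the probe reports that only level 0 or 1 works, keep that context for the one connection that needs it rather than editing the system openssl.cnf, so that every other TLS client on the box keeps the default floor.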

Domain name not working but ip does (domain google)

(sorry for my bad English)
I followed the instructions here:
https://support.google.com/domains/answer/6147083?hl=it
(I set up a dynamic DNS)
I made a script in Linux with:
https://username:password@domains.google.com/nic/update?hostname=www.systemcamera.org
I hoped it was OK, but the domain doesn't work: when I type www.systemcamera.org it doesn't work, but when I type the IP address it works.
In the script I typed:
wget https://username:pswd.google.com/nic/update?hostname=www.systemcamera.org -O dns_update_result$
I ran it (./script), but I can't find my website.
The result when I run the script:
--2018-06-26 13:14:31-- https://5RodFTlBOsTBB1gL:password@domains.google.com/nic/update?hostname=www.systemcamera.org
Resolving domains.google.com (domains.google.com)... 172.217.23.110, 2a00:1450:4002:800::200e
Connecting to domains.google.com (domains.google.com)|172.217.23.110|:443... connected.
HTTP request sent, awaiting response... 401 Unauthorized
Authentication selected: Basic realm="Google Domains Dynamic Dns (www.systemcamera.org)"
Reusing existing connection to domains.google.com:443.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/plain]
Saving to: ‘dns_update_results.txt’
dns_update_results.txt [ <=> ] 19 --.-KB/s in 0s
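The transcript above shows wget receiving a 401, answering the Basic challenge and then getting a 200 with a 19-byte plain-text body: that body is the update result, and its first word says whether the record was actually changed. The Python below is an added example, not from the post: it performs the same update with the credentials sent as an Authorization header instead of embedded in the URL (a user:password@host URL ends up in shell history, process listings and proxy logs, and the post's own transcript already echoes the username), and it interprets the reply words that Google Domains documents for this endpoint. The endpoint is the one the post uses; the environment variable names and the sample replies are assumptions.

```python
"""Google Domains dynamic DNS update with the credentials sent as a Basic
header instead of embedded in the URL, plus interpretation of the reply.
Added example, not from the post; the endpoint is the one the post uses,
the environment variable names and the sample replies are assumptions."""
import base64
import os
import urllib.request
from urllib.parse import urlencode

ENDPOINT = "https://domains.google.com/nic/update"

# Reply words documented by Google Domains for this endpoint:
# word -> (meaning, record is now correct?)
REPLIES = {
    "good": ("record updated to the given address", True),
    "nochg": ("record already held this address; nothing changed", True),
    "nohost": ("hostname has no Dynamic DNS record in this account", False),
    "badauth": ("username/password for this hostname were rejected", False),
    "notfqdn": ("hostname is not a fully qualified domain name", False),
    "badagent": ("request rejected; set a User-Agent header", False),
    "abuse": ("updates for this host are blocked after repeated failures", False),
    "911": ("server-side error; retry later", False),
}


def interpret(reply):
    """Turn the one-line body (e.g. 'good 203.0.113.7') into a verdict."""
    text = reply.strip()
    if text.startswith("conflict "):           # 'conflict A' / 'conflict AAAA'
        return {"code": text, "ok": False, "detail": "",
                "meaning": "a custom %s record for this host exists; delete it and retry"
                           % text.split()[1]}
    code, _, detail = text.partition(" ")
    meaning, ok = REPLIES.get(code, ("unrecognised reply; read the raw text", False))
    return {"code": code, "ok": ok, "detail": detail, "meaning": meaning}


def build_request(hostname, username, password, myip=None, user_agent="ddns-example/1.0"):
    """Credentials go in an Authorization header, so they do not appear in the
    command line, shell history or proxy logs the way a user:pass@host URL does."""
    params = {"hostname": hostname}
    if myip:
        params["myip"] = myip
    req = urllib.request.Request("%s?%s" % (ENDPOINT, urlencode(params)), method="POST")
    token = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    req.add_header("User-Agent", user_agent)
    return req


def update(hostname, myip=None):
    """Read the per-host credentials from the environment (assumed names)."""
    username, password = os.environ["DDNS_USER"], os.environ["DDNS_PASS"]
    req = build_request(hostname, username, password, myip)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return interpret(resp.read().decode())


if __name__ == "__main__":
    print(update("www.systemcamera.org"))
```

wget sends the password only after the server's 401 challenge unless --auth-no-challenge is given, so the second exchange in the transcript is the real one and the word saved in dns_update_results.txt is the answer to read. If it is "good" or "nochg", the record already points where it should and the name failure lies elsewhere (propagation, a hostname other than www, a cached answer); "badauth" or "nohost" names the cause directly.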

SSL connection fails to Datapusher app through port 8800, with NGINX reverse proxy to Apache

I am installing the datapusher service for CKAN.
CKAN has been configured to use an NGINX reverse proxy that routes client requests, following instructions here. SSL certificate is installed and configured in NGINX.
When trying to use the datapusher app to upload a file, it fails and Apache log gives this error:
[Mon Apr 03 13:49:10.979179 2017] [:error] [pid 15468] 2017-04-03 13:49:10,979 CRITI [ckanext.datapusher.plugin] {'status_code': 403, 'message': 'An Error occurred while sending the job: 403 Client Error: Forbidden', 'details': u'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\\n<html><head>\\n<title>403 Forbidden</title>\\n</head><body>\\n<h1>Forbidden</h1>\\n<p>You don\\'t have permission to access /job\\non this server.</p>\\n<hr>\\n<address>Apache/2.4.7 (Ubuntu) Server at 127.0.0.1 Port 8800</address>\\n</body></html>\\n'}
When testing access to the datapusher's 8800 port through openssl this is the output:
[Mon Apr 03 13:49:10.981049 2017] [:error] [pid 15468] [remote 127.0.0.1:6855] Error - <type 'exceptions.TypeError'>: notify() takes exactly 3 arguments (2 given)
open:/etc/ckan> openssl s_client -connect 127.0.0.1:8800
CONNECTED(00000003)
140385459791520:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:794:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 275 bytes
The datapusher docs give a workaround for bypassing SSL here, using the SSL_Verify config. I tried this and there was no change.
I think that I need to either:
1. Force the nginx reverse proxy to allow SSL connections through port 8800 (in addition to 443). Or...
2. Configure ckan/datapusher/apache/nginx to bypass SSL/https on port 880.
Any suggestions?
I believe the 403 error is at the point that CKAN sends a request to DataPusher to ask it to load a particular resource. DataPusher is running on Apache only and thus is on HTTP (not HTTPS) so there should be no issue with SSL. Check your CKAN config is the default:
ckan.datapusher.url = http://127.0.0.1:8800/
DataPusher's SSL_VERIFY setting is for a later request - when datapusher makes a request to CKAN at ckan.site_url, which for you will go via nginx over HTTPS. You may need this setting, depending on whether the SSL in your python is compatible. Reading the code it suggests you need quotes and make sure the key is all caps. i.e. in your datapusher_settings.py:
SSL_VERIFY = 'False'
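The "unknown protocol" that openssl s_client reported in the question is what you see when a TLS ClientHello is sent to a port that only speaks plain HTTP, which is consistent with the answer's point that DataPusher on 8800 is not an HTTPS endpoint at all. The Python below is an added example, not from the answer or from CKAN: it classifies a port as plain HTTP, TLS, closed or something else by first sending a minimal HEAD request and only then attempting a handshake, and it starts a throw-away plain-HTTP listener on 127.0.0.1 as a constructed stand-in for port 8800 so the check can be run offline. The one special case handled is nginx, whose ssl listener answers plain HTTP with a 400 text page; that is confirmed with a real handshake before the HTTP reply is believed.

```python
"""Does this port speak TLS or plain HTTP? Added example; the listener
below is a constructed stand-in for DataPusher's plain-HTTP port."""
import http.server
import socket
import ssl
import threading


def _http_reply(host, port, timeout):
    """Send a minimal HEAD and return whatever comes back (b'' if the peer
    just closed, which is what an OpenSSL server does with non-TLS bytes)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        try:
            return s.recv(256)
        except OSError:            # reset or timeout: no HTTP-shaped answer
            return b""


def _tls_handshake_ok(host, port, timeout):
    """Classification only: verification is off, so never reuse this
    context for real traffic."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


def probe(host, port, timeout=3.0):
    """Return 'plaintext-http', 'tls', 'refused' or 'other'."""
    try:
        reply = _http_reply(host, port, timeout)
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "other"
    if reply.startswith(b"HTTP/"):
        status = reply.split(b" ", 2)[1] if reply.count(b" ") else b""
        # nginx's ssl listener answers plain HTTP with a 400 text page:
        # confirm with a real handshake before believing the HTTP reply.
        if status == b"400" and _tls_handshake_ok(host, port, timeout):
            return "tls"
        return "plaintext-http"
    return "tls" if _tls_handshake_ok(host, port, timeout) else "other"


class _PlainHandler(http.server.BaseHTTPRequestHandler):
    """Constructed plain-HTTP service standing in for DataPusher on 8800."""
    def do_HEAD(self):
        self.send_response(200)
        self.end_headers()
    do_GET = do_HEAD

    def log_message(self, *_):
        pass


def start_plain_listener():
    """Start the stand-in on an ephemeral 127.0.0.1 port; returns (server, port)."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _PlainHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def unused_port():
    """A port nothing listens on (bound then released), for the 'refused' case."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv, port = start_plain_listener()
    print("stand-in 8800 ->", probe("127.0.0.1", port))           # plaintext-http
    print("closed port    ->", probe("127.0.0.1", unused_port()))  # refused
    srv.shutdown()
```

Pointed at the real 127.0.0.1:8800 this should say plaintext-http, which means ckan.datapusher.url must stay http:// as the answer says; only the hop from DataPusher back to ckan.site_url crosses nginx and therefore TLS, and that is the hop SSL_VERIFY governs.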

Explain 2 nginx errors that result in a 502 Bad Gateway response

I'm hosting a Ghost blog using Digital Ocean. My droplet is Ubuntu Ghost 0.8.0 on 14.04.
Yesterday I successfully installed a TLS/SSL certificate from LetsEncrypt in order to enable HTTPS. The site was working fine then and this morning.
Today I uploaded a new Ghost theme and restarted Ghost in order to access it. I now get the response 502 Bad Gateway when I try to access the site.
Each request for the site adds an instance of the following errors to my nginx error log.
Would someone walk me through what these 2 error messages mean? I'd really appreciate it.
Please note that I've substituted my actual domain name with example.com
2016/06/16 17:28:45 [error] 8125#0: *13 connect() failed (111: Connection refused) while connecting to upstream, client: 98.247.253.8, server: example.com, request: "GET /favicon.ico HTTP/1.1", upstream: "http://127.0.0.1:2368/favicon.ico", host: "example.com", referrer: "https://example.com/"
2016/06/16 17:30:14 [error] 8125#0: *18 connect() failed (111: Connection refused) while connecting to upstream, client: 98.247.253.8, server: example.com, request: "GET / HTTP/1.1", upstream: "http://127.0.0.1:2368/", host: "example.com"
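Both lines say the same thing. errno 111 is ECONNREFUSED on Linux: nginx accepted the client's request on example.com (so its own listener and the new certificate are fine), then tried to open a TCP connection to the upstream 127.0.0.1:2368 where Ghost normally listens, and the kernel answered that nothing was listening there; the client, server, request, upstream, host and referrer fields are the context nginx appends. The Python below is an added example, not from the post: a parser for this log shape with a per-upstream tally and a plain-English diagnosis keyed on the errno. The sample lines are the post's two, with the typographic quotes straightened; everything else is assumed.

```python
"""Parse nginx 'connect() failed ... while connecting to upstream' errors
and say what they mean. Added example, not from the post; the two sample
lines are the post's own, with the typographic quotes straightened."""
import re
from collections import Counter
from urllib.parse import urlsplit

SAMPLE = """\
2016/06/16 17:28:45 [error] 8125#0: *13 connect() failed (111: Connection refused) while connecting to upstream, client: 98.247.253.8, server: example.com, request: "GET /favicon.ico HTTP/1.1", upstream: "http://127.0.0.1:2368/favicon.ico", host: "example.com", referrer: "https://example.com/"
2016/06/16 17:30:14 [error] 8125#0: *18 connect() failed (111: Connection refused) while connecting to upstream, client: 98.247.253.8, server: example.com, request: "GET / HTTP/1.1", upstream: "http://127.0.0.1:2368/", host: "example.com"
"""

# Linux errno values as nginx prints them (the log above is from a Linux host).
LINUX_ERRNO = {101: "ENETUNREACH", 104: "ECONNRESET", 110: "ETIMEDOUT",
               111: "ECONNREFUSED", 113: "EHOSTUNREACH"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[(?P<level>\w+)\] (?P<pid>\d+)#(?P<tid>\d+): \*(?P<conn>\d+) "
    r"(?P<msg>.*?) \((?P<errno>\d+): (?P<errstr>[^)]*)\) while (?P<phase>[^,]*), (?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+): (?:"([^"]*)"|([^,]*))(?:, |$)')


def parse(line):
    """One error line -> dict of its parts, or None if it is not this shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["errno"] = int(rec["errno"])
    for key, quoted, bare in FIELD_RE.findall(rec.pop("fields")):
        rec[key] = quoted or bare
    rec["upstream_addr"] = urlsplit(rec.get("upstream", "")).netloc or None
    return rec


def diagnose(rec):
    """What the errno says about where the failure is."""
    name = LINUX_ERRNO.get(rec["errno"], "errno %d" % rec["errno"])
    addr = rec["upstream_addr"]
    if name == "ECONNREFUSED":
        return ("nothing is listening at %s: nginx accepted the client's request (so its own "
                "listener and TLS are fine) and the kernel refused the backend connection; "
                "the upstream process is down or bound to another address/port" % addr)
    if name == "ETIMEDOUT":
        return "%s did not answer the connect within proxy_connect_timeout: filtered or wrong address" % addr
    return "connect() to %s failed with %s" % (addr, name)


def summarize(log_text):
    """All parsed records plus a count per (upstream, errno) pair."""
    recs = [r for r in (parse(line) for line in log_text.splitlines()) if r]
    return recs, Counter((r["upstream_addr"], r["errno"]) for r in recs)


if __name__ == "__main__":
    recs, counts = summarize(SAMPLE)
    for (addr, code), n in counts.items():
        print("%d x errno %d on %s" % (n, code, addr))
    print(diagnose(recs[0]))
```

Since the errors began right after Ghost was restarted, the thing to verify is the backend, not nginx: whether a Ghost process is running at all (it may have exited on a theme error) and whether it is bound to 127.0.0.1:2368, for example with `ss -ltnp | grep 2368`; once something listens there the 502s stop without touching the nginx or TLS configuration.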

Apache with mod_ssl and mod_proxy returns 413 Request Entity Too Large

I have an Apache which uses SSL and ProxyReverse, which transfers the incoming request to a simple REST web service running on a Tomcat. The problem I am now facing is that my Apache returns an HTTP 413 Request Entity Too Large if I send a POST request with a JSON body to my web service.
The Request has the following headers:
Accept: application/json, application/*+json
Content-Type: application/json;charset=UTF-8
Content-Length: 146226
User-Agent: Java/1.7.0_45
Connection: keep-alive
Host: myhost
Linux Version (AWS):
[root@myhost ~]# uname -r
Linux myhost 4.4.8-20.46.amzn1.x86_64 #1 SMP Wed Apr 27 19:28:52 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
Apache Version:
[root@myhost ~]# httpd -version
Server version: Apache/2.2.31 (Unix)
Server built: Mar 7 2016 23:50:21
In my opinion this is really strange, because the content length is not really large, so I don't know why my Apache just refuses that request...
I really hope you can help me with that! :)
I just found the answer myself: I just increased the SSLRenegBufferSize in my Apache conf and now everything works fine:
<Location />
Allow from all
SSLRenegBufferSize 20982000
SSLVerifyClient require
SSLVerifyDepth 5
</Location>