Specific HTTP Redirect help - "Request exceeded the limit of 10 internal redirects" - apache

There are many threads about this problem, but none matches my specific issue.
Intro to our setup: we run Nginx on port 80, which sits in front of Apache on port 8889.
We haven't changed anything in Nginx or Apache, and this setup has been working for a while, which is why we're scratching our heads over what suddenly caused this starting this morning. We are now getting 500 errors on our website.
From looking at the log, I suppose they're not caused by Nginx but by Apache:
[Fri Aug 01 23:08:33 2014] [error] [client 100.99.98.97] Request exceeded the limit of 10 internal redirects due to probable configuration error. Use 'LimitInternalRecursion' to increase the limit if necessary. Use 'LogLevel debug' to get a backtrace., referer: http://somedomain.com/acordes/2011/01/entre-palos-y-alegrias/
[Fri Aug 01 23:08:33 2014] [debug] core.c(3112): [client 100.99.98.97] r->uri = /beta/actionize, referer: http://somedomain.com/acordes/2011/01/entre-palos-y-alegrias/
[Fri Aug 01 23:08:33 2014] [debug] core.c(3118): [client 100.99.98.97] redirected from r->uri = /beta/actionize, referer: http://somedomain.com/acordes/2011/01/entre-palos-y-alegrias/
[Fri Aug 01 23:08:33 2014] [debug] core.c(3118): [client 100.99.98.97] redirected from r->uri = /beta/actionize, referer: http://somedomain.com/acordes/2011/01/entre-palos-y-alegrias/
[Fri Aug 01 23:08:33 2014] [debug] core.c(3118): [client 100.99.98.97] redirected from r->uri = /beta/actionize, referer: http://somedomain.com/acordes/2011/01/entre-palos-y-alegrias/
[Fri Aug 01 23:08:33 2014] [debug] core.c(3118): [client 100.99.98.97] redirected from r->uri = /beta/actionize, referer: http://somedomain.com/acordes/2011/01/entre-palos-y-alegrias/
[Fri Aug 01 23:08:33 2014] [debug] core.c(3118): [client 100.99.98.97] redirected from r->uri = /beta/actionize, referer: http://somedomain.com/acordes/2011/01/entre-palos-y-alegrias/
[Fri Aug 01 23:08:33 2014] [debug] core.c(3118): [client 100.99.98.97] redirected from r->uri = /beta/actionize, referer: http://somedomain.com/acordes/2011/01/entre-palos-y-alegrias/
[Fri Aug 01 23:08:33 2014] [debug] core.c(3118): [client 100.99.98.97] redirected from r->uri = /beta/actionize, referer: http://somedomain.com/acordes/2011/01/entre-palos-y-alegrias/
[Fri Aug 01 23:08:33 2014] [debug] core.c(3118): [client 100.99.98.97] redirected from r->uri = /beta/actionize, referer: http://somedomain.com/acordes/2011/01/entre-palos-y-alegrias/
[Fri Aug 01 23:08:33 2014] [debug] core.c(3118): [client 100.99.98.97] redirected from r->uri = /beta/actionize, referer: http://somedomain.com/acordes/2011/01/entre-palos-y-alegrias/
[Fri Aug 01 23:08:33 2014] [debug] core.c(3118): [client 100.99.98.97] redirected from r->uri = /beta/actionize, referer: http://somedomain.com/acordes/2011/01/entre-palos-y-alegrias/
In the .htaccess file of this domain, we have the following code:
Options -Indexes +FollowSymLinks -MultiViews
DirectoryIndex index index.php index.htm index.html
DefaultType application/x-httpd-php
RewriteEngine On
# If someone types just the folder name
# (%{HTTP_HOST} is the Host header the client sent, so the redirect target follows whatever host the client chose)
RewriteRule ^beta$ http://%{HTTP_HOST}/beta/index [L,R=301]
# If someone types the correct file, just show it
RewriteRule ^beta/(.*)$ /beta/$1 [L]
# All other URLs..
# %{REQUEST_URI} always starts with a slash, so the exclusion has to be anchored on "/"
RewriteCond %{REQUEST_URI} !^/(mailman|pipermail|w3c)/
RewriteRule ^(.*)$ /beta/get?u=$1 [L,QSA]
The logic is simple. For all files that are .htm etc in the root, we just show them. For any URL that starts with /beta/[xyz] we also show the file as it exists in the hard "beta" folder in the root folder.
But for all other URLs starting with our domain, we want to forward the code to /beta/get? with the parameter being that part of URI.
Example, if someone types: http://EXAMPLE.com/xyz123, we want to actually redirect internally to: http://EXAMPLE.com/beta/get?u=xyz123
(Except when the path starts with mailman or pipermail etc., which are used for our mailing lists.)
Just FYI, the NGINX.CONF file is as below:
#-------------------- START ------------------#
http {
server_name_in_redirect off;
server_names_hash_max_size 10240;
server_names_hash_bucket_size 1024;
gzip on;
gzip_static on;
gzip_disable "MSIE [1-6]\.";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 5; # Not a huge compression beyond this..so save CPU cycles
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript image/png image/gif image/jpeg;
connection_pool_size 256;
client_header_buffer_size 256k;
large_client_header_buffers 4 256k;
client_max_body_size 200M;
client_body_buffer_size 128k;
request_pool_size 64k;
output_buffers 16 256k;
open_file_cache max=5000 inactive=20s;
open_file_cache_valid 60s;
include mime.types;
default_type application/octet-stream;
error_log logs/error.log warn;
access_log off;
server_tokens off;
autoindex off;
sendfile off;
ignore_invalid_headers on; # Malware protection
reset_timedout_connection on; # DDoS protection
# Timeouts
client_header_timeout 5;
client_body_timeout 50;
send_timeout 50;
keepalive_timeout 65; # No need for default 65, but having some keepalive speeds things up
resolver_timeout 1s;
proxy_cache_path /dev/shm/proxy_cache levels=1:2 keys_zone=proxyone:200m inactive=1h max_size=2g;
proxy_cache_key "$scheme$host$request_uri$cookie___snippa$cookie___sniplang";
proxy_cache proxyone;
proxy_cache_min_uses 5;
proxy_cache_valid any 60s;
proxy_cache_valid 200 1m;
proxy_cache_valid 404 0s;
proxy_cache_valid 410 90d;
proxy_cache_valid 500 502 503 504 1s;
proxy_cache_valid 301 60m;
proxy_ignore_headers X-Accel-Expires Expires Cache-Control; # upstream cache headers are ignored, so the proxy_cache_valid lines alone decide what is cached; Set-Cookie is not listed, so responses that set cookies are still not cached
set_real_ip_from 192.168.1.0/24;
set_real_ip_from 192.168.2.1;
set_real_ip_from 127.0.0.1;
real_ip_header X-Real-IP;
server
{
listen 127.0.0.1:80;
listen 74.86.191.114:80;
listen 100.99.98.97:80;
listen 75.126.161.225:80;
listen 75.126.161.226:80;
listen 10.17.32.66:80;
server_name EXAMPLE.com www.EXAMPLE.com;
root /home/EXAMPLE/public_html;
index index.htm index.php index index.htm;
error_page 403 = @backend;
error_page 404 = @backend;
error_page 405 = @backend;
error_page 406 = @backend;
error_page 500 = @backend;
error_page 501 = @backend;
error_page 502 = @backend;
error_page 503 = @backend;
error_page 504 = @backend;
error_page 505 = @backend;
# IMPORTANT FILES
location = /.htaccess { deny all; access_log off; log_not_found off; } # exact match takes a literal path, no regex escaping
location ~ /\.ht { deny all; access_log off; log_not_found off; }
location = /favicon.ico { log_not_found off; access_log off; expires max; }
location = /robots.txt { allow all; log_not_found off; access_log off; expires max; }
location = /sitemap.gz { allow all; log_not_found off; access_log off; expires max; }
location = /crossdomain.xml { allow all; log_not_found off; access_log off; expires max; }
location / {
location ~ .*\.(gif|jpg|png|ico|swf|rss|xml|htm|txt|js|css|gz|doc|xls|pdf|html|woff|eot|svg)$ {
expires max;
try_files $uri @backend;
log_not_found off;
}
proxy_pass http://100.99.98.97:8889;
include proxy.inc;
}
location @backend {
internal;
proxy_pass http://100.99.98.97:8889;
include proxy.inc;
}
} # End of EXAMPLE.COM server block
} # End of http block
What might be causing this? The loglevel debug in apache doesn't seem to be helping much. Much appreciate any advice or pointers!

Your rules are causing a loop. The rewrite engine re-applies all the rules over and over again until the URI stops changing. Try adding some more restrictions:
Options -Indexes +FollowSymLinks -MultiViews
DirectoryIndex index index.php index.htm index.html
DefaultType application/x-httpd-php
RewriteEngine On
# If someone types just the folder name
# (%{HTTP_HOST} is the Host header the client sent, so the redirect target follows whatever host the client chose)
RewriteRule ^beta/?$ http://%{HTTP_HOST}/beta/index [L,R=301]
# If someone types the correct file, just show it
RewriteRule ^beta/(.+)$ /beta/$1 [L]
# All other URLs..
# %{REQUEST_URI} always starts with a slash, so the exclusion has to be anchored on "/"
RewriteCond %{REQUEST_URI} !^/(mailman|pipermail|w3c|beta)/
RewriteRule ^(.*)$ /beta/get?u=$1 [L,QSA]
Namely, an optional / at the end of just /beta, a + instead of a * to ensure there is at least one character after the /, and add beta to the conditions for the last rule.
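As an added illustration of the re-application the answer describes (editor-supplied example code, not the answer's own and not Apache's engine), the tracer below replays a request through a ruleset the way mod_rewrite behaves in per-directory context: each pass matches patterns against the URI with the per-directory prefix stripped, a matching rule with [L] ends the pass, a pass that changed the URI is an internal redirect followed by another pass, an unchanged URI ends processing, and more than LimitInternalRecursion (10 by default) internal redirects is the error from the log. The model is deliberately simplified (one RewriteCond per rule, only %{REQUEST_URI} and %{HTTP_HOST}, $1-style backreferences, no file-system checks); the host example.com and the request paths are constructed. It runs the corrected ruleset from the answer (RewriteCond anchored on the leading "/" that %{REQUEST_URI} always carries) beside the QSA catch-all rule on its own, which re-matches its own output because QSA keeps appending the previous query string.

```python
"""Offline tracer for Apache mod_rewrite rules in per-directory (.htaccess) context.

Editor-supplied example, not Apache's engine. Model: each pass walks the rules
in order against the URI with the per-directory prefix ("/" for an .htaccess
in DocumentRoot) stripped; a matching rule with [L] ends the pass; a pass that
changed the URI is an internal redirect and the rules run again; an unchanged
URI ends processing; more than LimitInternalRecursion internal redirects is
the "Request exceeded the limit of 10 internal redirects" error.
"""
import re

LIMIT_INTERNAL_RECURSION = 10  # Apache's default for LimitInternalRecursion


class Rule:
    """One RewriteRule, optionally guarded by one RewriteCond on %{REQUEST_URI}."""

    def __init__(self, pattern, subst, flags=(), cond=None):
        self.pattern = re.compile(pattern)
        self.subst = subst
        self.flags = set(flags)
        self.cond = cond  # (negated, regex) or None


def _cond_passes(cond, uri):
    if cond is None:
        return True
    negated, regex = cond
    return (re.search(regex, uri) is not None) != negated


def _expand(subst, match, host):
    # Expand $1..$9 backreferences and %{HTTP_HOST} (the only variable modelled).
    subst = re.sub(r"\$(\d)", lambda g: match.group(int(g.group(1))) or "", subst)
    return subst.replace("%{HTTP_HOST}", host)


def _join(uri, query):
    return uri + ("?" + query if query else "")


def apply_pass(rules, uri, query, host):
    """One pass over the rules. Returns (uri, query, external_redirect_or_None)."""
    for rule in rules:
        match = rule.pattern.match(uri[1:])  # per-dir context: the "/" prefix is stripped
        if not match or not _cond_passes(rule.cond, uri):
            continue
        target = _expand(rule.subst, match, host)
        if re.match(r"https?://", target):
            return uri, query, target  # absolute URL: external (R) redirect, processing ends
        new_uri, sep, new_query = target.partition("?")
        if not sep:
            new_query = query  # no "?" in the substitution keeps the old query string
        elif "QSA" in rule.flags and query:
            new_query += "&" + query  # QSA appends the old query string
        uri, query = "/" + new_uri.lstrip("/"), new_query
        if "L" in rule.flags:
            break
    return uri, query, None


def trace(rules, request, host="example.com"):
    """Replay the internal-redirect loop for one request.

    Returns (result, steps, looped): result is the final URI or the external
    redirect target, steps every URI seen in order, looped True when the rules
    exceed LimitInternalRecursion.
    """
    uri, _, query = request.partition("?")
    steps, redirects = [request], 0
    while True:
        new_uri, new_query, external = apply_pass(rules, uri, query, host)
        if external:
            steps.append("301 -> " + external)
            return external, steps, False
        if (new_uri, new_query) == (uri, query):
            return _join(uri, query), steps, False  # unchanged URI: no internal redirect
        uri, query = new_uri, new_query
        steps.append(_join(uri, query))
        redirects += 1
        if redirects > LIMIT_INTERNAL_RECURSION:
            return _join(uri, query), steps, True


def answer_rules():
    """The corrected .htaccess from the answer, RewriteCond anchored on the leading "/"."""
    return [
        Rule(r"^beta/?$", "http://%{HTTP_HOST}/beta/index", ["L", "R=301"]),
        Rule(r"^beta/(.+)$", "/beta/$1", ["L"]),
        Rule(r"^(.*)$", "/beta/get?u=$1", ["L", "QSA"],
             cond=(True, r"^/(mailman|pipermail|w3c|beta)/")),
    ]


def catch_all_only():
    """The QSA catch-all with nothing in front of it: it re-matches its own output."""
    return [Rule(r"^(.*)$", "/beta/get?u=$1", ["L", "QSA"])]


if __name__ == "__main__":
    # Constructed request paths; example.com is a placeholder host.
    for name, rules in (("answer", answer_rules()), ("catch-all only", catch_all_only())):
        for req in ("/xyz123", "/beta", "/beta/actionize", "/mailman/listinfo/x"):
            result, steps, looped = trace(rules, req)
            print(f"{name:15} {req:20} {'LOOP' if looped else 'ok':4} {' -> '.join(steps[:3])}")
```

Feed the tracer the URIs from your own access log before touching a live .htaccess; a ruleset that ends with a QSA catch-all is only safe when something earlier in the file claims the catch-all's own target, or the RewriteCond excludes it, which is exactly the `beta` exclusion the answer adds.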

Related

Portal for ArcGIS : Can't login due to url wrong port after nginx reverse proxy

I'm building an NginX reverse proxy (Ubuntu Server 22.04.1 - NginX 1.22.1) to open an internal Portal for ArcGIS to the extranet.
The reverse proxy listens on 8054 and forwards to 2 internal servers on the usual TLS port 443.
Everything works fine except a redirection occurring during Portal's login auth.
In Chrome's console, the details of the faulty request are:
Request URL: https://myserver.mydomain/portal/sharing/rest/portals/self/subscriptionInfo?f=json&token=ARYpO8uD2SRx5tjuhTElBoDT_ojo9YRwvsX7XI51s3GIfvhlMIGpOjRXKN0g8fXFHgfenkIdg-YtF9TtyWvOomu9TyUm2x8mY4SfTlWSX41E9lyP_I0NVWO-xdwGzJqWDU8GJ4oi5sg53mvRH2OMdUA1bwN0fE-jcSEmK4EsxxOHBe6HZbciuGUCh4s8rgDbz7fBlpIdrFBryxe-YbvooLvb1Q8BsVSZFZFYBlclLQk.&callback=dojo_request_script_callbacks.dojo_request_script0
Request Method: GET
Status Code: 404
Remote Address: 10.0.128.36:443
Referrer Policy: strict-origin-when-cross-origin
content-encoding: gzip
content-type: text/html
date: Wed, 25 Jan 2023 09:59:31 GMT
server: nginx
vary: Accept-Encoding
:authority: myserver.mydomain
:method: GET
:path: /portal/sharing/rest/portals/self/subscriptionInfo?f=json&token=ARYpO8uD2SRx5tjuhTElBoDT_ojo9YRwvsX7XI51s3GIfvhlMIGpOjRXKN0g8fXFHgfenkIdg-YtF9TtyWvOomu9TyUm2x8mY4SfTlWSX41E9lyP_I0NVWO-xdwGzJqWDU8GJ4oi5sg53mvRH2OMdUA1bwN0fE-jcSEmK4EsxxOHBe6HZbciuGUCh4s8rgDbz7fBlpIdrFBryxe-YbvooLvb1Q8BsVSZFZFYBlclLQk.&callback=dojo_request_script_callbacks.dojo_request_script0
:scheme: https
accept: */*
accept-encoding: gzip, deflate, br
accept-language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7,nl;q=0.6
dnt: 1
sec-ch-ua: "Not_A Brand";v="99", "Google Chrome";v="109", "Chromium";v="109"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
sec-fetch-dest: script
sec-fetch-mode: no-cors
sec-fetch-site: cross-site
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
A normally processed URL returns:
Request URL: https://myserver.mydomain:8054/portal/sharing/rest/oauth2/authorize?client_id=arcgisonline&display=default&response_type=token&state=%7B%22portalUrl%22%3A%22https%3A%2F%2Fmyserver.mydomain%3A8054%2Fportal%22%2C%22useLandingPage%22%3Atrue%7D&expiration=20160&locale=fr-fr&redirect_uri=https%3A%2F%2Fmyserver.mydomain%3A8054%2Fportal%2Fhome%2Faccountswitcher-callback.html&force_login=true&hideCancel=true&showSignupOption=true&canHandleCrossOrgSignIn=true&signuptype=esri
Request Method: GET
Status Code: 200
Remote Address: 10.0.128.36:8054
Referrer Policy: strict-origin-when-cross-origin
access-control-allow-headers: Origin, X-Requested-With, Content-Type, Accept
access-control-allow-methods: GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS
access-control-allow-origin: *
access-control-max-age: 1200
cache-control: no-cache, no-store, must-revalidate
content-encoding: gzip
content-length: 1416
content-type: text/html;charset=utf-8
date: Wed, 25 Jan 2023 10:51:05 GMT
expires: -1
pragma: no-cache
server: nginx/1.22.1
vary: Origin,Accept-Encoding
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
:authority: myserver.mydomain:8054
:method: GET
:path: /portal/sharing/rest/oauth2/authorize?client_id=arcgisonline&display=default&response_type=token&state=%7B%22portalUrl%22%3A%22https%3A%2F%2Fmyserver.mydomain%3A8054%2Fportal%22%2C%22useLandingPage%22%3Atrue%7D&expiration=20160&locale=fr-fr&redirect_uri=https%3A%2F%2Fmyserver.mydomain%3A8054%2Fportal%2Fhome%2Faccountswitcher-callback.html&force_login=true&hideCancel=true&showSignupOption=true&canHandleCrossOrgSignIn=true&signuptype=esri
:scheme: https
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
accept-encoding: gzip, deflate, br
accept-language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7,nl;q=0.6
cache-control: max-age=0
dnt: 1
referer: https://myserver.mydomain:8054/portal/home/signin.html?useLandingPage=true
sec-ch-ua: "Not_A Brand";v="99", "Google Chrome";v="109", "Chromium";v="109"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
sec-fetch-dest: document
sec-fetch-mode: navigate
sec-fetch-site: same-origin
sec-fetch-user: ?1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
How can I catch, pass, redirect, return, or whatever, the URL missing the port 8054 in order to continue auth processing?
Here are the nginx general and server configs if it may help
Thanks for any help !
nginx.conf
<pre>
user www-data nginx;
worker_processes auto;
error_log /var/log/nginx/main_error.log;
pid /var/run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
worker_rlimit_core 4096;
events {
worker_connections 1024;
multi_accept on;
}
http {
include /etc/nginx/phpconf/php_processes.conf;
include /etc/nginx/mimetypes/mime.types;
client_body_buffer_size 16K;
client_header_buffer_size 1k;
client_max_body_size 12m;
large_client_header_buffers 4 8k;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log off;
access_log /var/log/nginx/main_access.log;
client_body_timeout 30;
client_header_timeout 10;
keepalive_timeout 75s;
send_timeout 60;
keepalive_requests 1000;
proxy_cache_path /var/nginx/cache1 levels=1:2 keys_zone=cache1:10m inactive=5m max_size=1G use_temp_path=off; # (20230113)
proxy_cache_path /var/nginx/cache2 levels=1:2 keys_zone=cache2:10m inactive=5m max_size=1G use_temp_path=off; # (20230113)
# copies data between one FD and other from within the kernel
# faster than read() + write()
sendfile on;
# Limit whole filesize sending at once
sendfile_max_chunk 512k; #(20220905)
# send headers in one piece, it is better than sending them one by one
tcp_nopush on;
tcp_nodelay on;
server_names_hash_bucket_size 64;
types_hash_max_size 2048;
default_type application/octet-stream;
gzip on;
gzip_comp_level 6;
gzip_min_length 256; #(20220605 previous 50)
gzip_proxied any;
gzip_vary on; #(20220605 previous disabled)
gzip_disable "MSIE [1-6]\.(?!.*SV1)"; #(20220605 previous disabled)
gzip_types
application/atom+xml
application/javascript
application/json
application/ld+json
application/manifest+json
application/rss+xml
application/vnd.geo+json
application/vnd.ms-fontobject
application/x-font-ttf
application/x-javascript # (20200219)
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/opentype
image/bmp
image/svg+xml
image/png
image/jpeg
image/x-icon
text/cache-manifest
text/css
text/javascript # (20200219)
text/plain
text/vcard
text/vnd.rim.location.xloc
text/vtt
text/x-component
text/x-cross-domain-policy;
gzip_buffers 16 8k; #(2020110 previous 4k 8k)
# allow the server to close connection on non responding client, this will free up memory
reset_timedout_connection on;
##
# Virtual Host Configs
##
# include /etc/nginx/conf.d/default.conf;
include /etc/nginx/conf.d/port8054.conf;
}
</pre>
port8054.conf
<pre>
server {
## Config base : 18/01/2023
listen 8054 ssl http2;
listen [::]:8054 ssl http2;
## Set TLS 1.2 (ArcGIS compliance)
ssl_certificate /etc/nginx/tls/intra/cacert.pem;
ssl_certificate_key /etc/nginx/tls/intra/cakey-stripped.key;
ssl_trusted_certificate /etc/nginx/tls/intra/rootcacert.pem;
ssl_protocols TLSv1.2; # listing TLSv1.1 and TLSv1 here would re-enable them, contrary to the comment above
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384"; # previous : HIGH:!MD5:!ADH:!DH:!RC4:!RSA:!aNULL
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_buffer_size 1400;
## Set on after debug
ssl_stapling off;
ssl_stapling_verify off;
server_name myserver.mydomain; # server_name is matched against the host name only; a ":8054" suffix never matches
keepalive_timeout 75s;
keepalive_requests 1000;
# access_log /var/log/nginx/port8054-access.log;
## Record errors
error_log /var/log/nginx/port8054-error.log debug;
proxy_http_version 1.1;
## Overwrite proxy response headers
proxy_hide_header access-control-allow-methods;
proxy_hide_header access-control-allow-headers;
proxy_hide_header access-control-allow-origin;
add_header access-control-allow-methods "GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS";
add_header access-control-allow-headers "Origin, X-Requested-With, Content-Type, Accept";
## "*" lets any web origin read these responses cross-origin (without cookies); scope it if the API is not meant to be public
add_header access-control-allow-origin "*";
proxy_hide_header x-aspnet-version;
proxy_hide_header x-powered-by;
proxy_set_header "Connection" "";
proxy_set_header X-Forwarded-Host $http_host; # $host drops the port; $http_host is the raw Host header, port included
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
location ^~ /favicon.ico {
}
## PHP files processing
location ~ ^(.+\.php)(.*)$ {
include /etc/nginx/phpconf/fastcgi_params;
fastcgi_split_path_info ^(.+\.php)(.*)$;
fastcgi_pass unix:/run/php/php7.4-fpm.sock;
fastcgi_index index.php;
fastcgi_buffers 8 16k;
fastcgi_buffer_size 32k;
fastcgi_hide_header X-Powered-By;
fastcgi_hide_header X-CF-Powered-By;
## If error 404
try_files $fastcgi_script_name =404;
}
## Set cache for following contents (20201106)
location ~* \.(?:png|jpg|jpeg|gif|ico|svg|otf|ttf|woff|woff2|doc|pdf|css)$ {
include /etc/nginx/proxyparams/proxy_params;
proxy_cache cache1;
proxy_set_header Host $host;
# proxy_pass https://otherserver.mydomain/$1;
# proxy_ssl_verify off;
# add_header X-Cache-Status $upstream_cache_status;
# add_header Pragma "public";
# add_header Cache-Control "max-age=86400, public";
}
location ^~ /portal/ {
proxy_pass https://otherserver.mydomain/portal/;
}
location /10.9.1/{
proxy_pass https://otherserver.mydomain/portal/home/10.9.1/;
}
location /sharing/rest/ {
proxy_intercept_errors on;
proxy_pass https://otherserver.mydomain/portal/sharing/rest/;
}
location ^~ /oauth2/ {
proxy_pass https://otherserver.mydomain/portal/sharing/rest/oauth2/;
}
location /self/ {
proxy_pass https://otherserver.mydomain/portal/sharing/rest/portals/self/;
}
location ^~ /nodejs/ {
proxy_http_version 1.1;
include /etc/nginx/proxyparams/proxy_params;
proxy_pass https://thirdserver.mydomain/;
proxy_buffering on;
proxy_buffer_size 16k;
proxy_busy_buffers_size 24k;
proxy_buffers 64 4k;
client_max_body_size 12m;
}
}
</pre>

NGINX reverse proxy HTTP to HTTPS server issue

I'm facing an issue with a reverse proxy configured using nginx.
curl shows that the request reaches the endpoint, the endpoint sends its response, and then it gets stuck in nginx.
About to connect() to 127.0.0.1 port 80 (#0)
Trying 127.0.0.1...
Connected to 127.0.0.1 (127.0.0.1) port 80 (#0)
POST / HTTP/1.1
User-Agent: curl/7.29.0
Host: 127.0.0.1
Accept: */*
Content-Type: text/xml
SOAPAction: http://tempuri.org/AOI
Content-Length: 1707
Expect: 100-continue
< HTTP/1.1 100 Continue
^C
[root@venom conf.d]#
Below my configuration
server {
listen 80 ;
server_name 80_proxy;
access_log /var/log/nginx/access.log main;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
client_header_buffer_size 1k;
client_body_buffer_size 16k;
large_client_header_buffers 4 8k;
server_tokens off;
error_page 497 https://$host:$server_port$request_uri;
root html;
index index.html index.htm;
proxy_redirect http:// $scheme://;
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_hide_header X-Powered-By;
proxy_cookie_path / "/; secure; SameSite=Lax; Max-Age=172800";
chunked_transfer_encoding on;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_request_buffering off;
client_body_timeout 5;
proxy_connect_timeout 90;
proxy_buffering off;
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains' always; # "always" is an add_header flag, not part of the header value; browsers only honour HSTS received over HTTPS, and this listener is plain HTTP
add_header Content-Security-Policy "script-src 'self';";
location / {
proxy_send_timeout 2100;
proxy_read_timeout 2100;
client_max_body_size 10M;
proxy_ssl_certificate /etc/ssl/cert.crt;
proxy_ssl_certificate_key /etc/ssl/cert.key;
proxy_ssl_trusted_certificate /etc/ssl/cert_ca.crt;
proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
proxy_ssl_ciphers HIGH:!aNULL:!MD5;
proxy_ssl_verify on;
proxy_ssl_verify_depth 2;
proxy_pass https://10.34.22.33:801;
}
}
Thanks in advance

nginx / sails / SSL - receiving 200 OK before file upload complete

When I enable SSL on NGINX, and I upload a file larger than 7MB, the file upload does not complete. This works fine if I remove NGINX and just put the SSL directly onto sails. I get the following from the debug file as if I am receiving a status 200 before the file is complete:
2017/01/24 12:25:16 [debug] 2645#2645: *5 sendfile: 1899007 of 54230479 #4670513
2017/01/24 12:25:16 [debug] 2645#2645: *5 chain writer out: 0000564D9740D5D0
2017/01/24 12:25:16 [debug] 2645#2645: *5 event timer: 14, old: 1485260776372, new: 1485260776465
2017/01/24 12:25:16 [debug] 2645#2645: *5 http upstream request: "/api/v1/project/56cd9e2aeabf5be95d6e9b35/report/?"
2017/01/24 12:25:16 [debug] 2645#2645: *5 http upstream process header
2017/01/24 12:25:16 [debug] 2645#2645: *5 malloc: 0000564D9740F870:4096
2017/01/24 12:25:16 [debug] 2645#2645: *5 recv: eof:0, avail:1
2017/01/24 12:25:16 [debug] 2645#2645: *5 recv: fd:14 413 of 4096
2017/01/24 12:25:16 [debug] 2645#2645: *5 http proxy status 200 "200 OK"
2017/01/24 12:25:16 [debug] 2645#2645: *5 http proxy header: "Vary: X-HTTP-Method-Override"
2017/01/24 12:25:16 [debug] 2645#2645: *5 http proxy header: "X-Powered-By: Sails <sailsjs.org>"
2017/01/24 12:25:16 [debug] 2645#2645: *5 http proxy header: "Access-Control-Allow-Origin: "
2017/01/24 12:25:16 [debug] 2645#2645: *5 http proxy header: "Access-Control-Allow-Credentials: "
2017/01/24 12:25:16 [debug] 2645#2645: *5 posix_memalign: 0000564D97410880:4096 #16
2017/01/24 12:25:16 [debug] 2645#2645: *5 http proxy header: "Access-Control-Allow-Methods: "
2017/01/24 12:25:16 [debug] 2645#2645: *5 http proxy header: "Access-Control-Allow-Headers: "
2017/01/24 12:25:16 [debug] 2645#2645: *5 http proxy header: "Access-Control-Expose-Headers: "
2017/01/24 12:25:16 [debug] 2645#2645: *5 http proxy header: "Content-Type: application/json; charset=utf-8"
2017/01/24 12:25:16 [debug] 2645#2645: *5 http proxy header: "Content-Length: 94"
2017/01/24 12:25:16 [debug] 2645#2645: *5 http proxy header: "ETag: W/"5e-dbzI0uHc1qmLjPTL2hIz3A""
2017/01/24 12:25:16 [debug] 2645#2645: *5 http proxy header: "Date: Tue, 24 Jan 2017 12:25:16 GMT"
2017/01/24 12:25:16 [debug] 2645#2645: *5 http proxy header: "Connection: keep-alive"
2017/01/24 12:25:16 [debug] 2645#2645: *5 http proxy header done
2017/01/24 12:25:16 [debug] 2645#2645: *5 xslt filter header
2017/01/24 12:25:16 [debug] 2645#2645: *5 HTTP/1.1 200 OK^M
Server: nginx/1.11.8^M
Date: Tue, 24 Jan 2017 12:25:16 GMT^M
Content-Type: application/json; charset=utf-8^M
Content-Length: 94^M
Connection: keep-alive^M
Vary: X-HTTP-Method-Override^M
X-Powered-By: Sails <sailsjs.org>^M
Access-Control-Allow-Origin: ^M
Access-Control-Allow-Credentials: ^M
Access-Control-Allow-Methods: ^M
Access-Control-Allow-Headers: ^M
Access-Control-Expose-Headers: ^M
ETag: W/"5e-dbzI0uHc1qmLjPTL2hIz3A"^M
Below is my nginx.conf file:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
events {
worker_connections 768;
}
http {
sendfile on;
send_timeout 60s;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 60s;
client_max_body_size 0;
client_body_buffer_size 32K;
ssl_dhparam /ssl/dhparam.pem;
client_body_in_file_only clean;
client_body_in_single_buffer on;
include /etc/nginx/mime.types;
default_type application/octet-stream;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
gzip on;
gzip_disable "msie6";
include /etc/nginx/sites-enabled/*;
}
Here is my sites-available/default file:
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name mysite.co.uk;
client_max_body_size 0;
client_body_buffer_size 32K;
location / {
client_body_temp_path /tmp/;
client_max_body_size 0;
client_body_buffer_size 32K;
keepalive_timeout 60s;
proxy_pass http://127.0.0.1:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade'; # sent on every proxied request, not only WebSocket upgrades; a map on $http_upgrade is the usual guard
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
ssl_certificate /ssl/mykey.pem;
ssl_certificate_key /ssl/mykey.key;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:128m;
ssl_session_tickets off;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA$
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security max-age=15768000;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8;
}
Any ideas?

Apache 2.4.10 + mod_proxy_fcgi + PHP-FPM with CHROOT => 404 Error

First of all I've tried to set up a basic configuration for Apache 2.4, mod_proxy_fcgi and PHP-FPM on a Debian Jessie (Testing) machine.
Everything works fine when opening .php-files.
However, if I activate chroot for PHP-FPM I only get a "File not found." message in my browser.
Configuration
partial content of apache2.conf
<FilesMatch \.php$>
SetHandler "proxy:unix:/var/run/php5-fpm.sock|fcgi://localhost"
</FilesMatch>
content of /var/www/html
x1@vm1:~$ ls -l /var/www/html/
-rw-r--r-- 1 www-data www-data 19 Jan 15 23:37 index.php
partial content of /etc/php5/fpm/pool.d/www*
prefix = /var/www/html
chroot = $prefix
chdir = /
catch_workers_output = yes
Steps / logfiles for searching the error
Apache error.log
[proxy_fcgi:error] [pid 12615:tid 140653535131392] [client 1.2.3.4:123] AH01071: Got error 'Primary script unknown\n'
Apache Access.log
1.2.3.4 - - [16/Jan/2015:01:22:58 +0100] "GET /index.php HTTP/1.1" 404 365 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
php5-fpm.log
[16-Jan-2015 01:22:55] NOTICE: configuration file /etc/php5/fpm/php-fpm.conf test is successful
[16-Jan-2015 01:22:56] NOTICE: fpm is running, pid 12781
[16-Jan-2015 01:22:56] NOTICE: ready to handle connections
[16-Jan-2015 01:22:56] NOTICE: systemd monitor interval set to 10000ms
Apache error.log with loglevel trace8 and PHP5-FPM chroot on
[core:trace6] [pid 9794:tid 140072171042560] core_filters.c(527): [client 1.2.3.4:61149] core_output_filter: flushing because of FLUSH bucket
[core:trace5] [pid 9794:tid 140072332166912] protocol.c(618): [client 1.2.3.4:61152] Request received from client: GET /index.php HTTP/1.1
[http:trace4] [pid 9794:tid 140072332166912] http_request.c(301): [client 1.2.3.4:61152] Headers received from client:
[http:trace4] [pid 9794:tid 140072332166912] http_request.c(305): [client 1.2.3.4:61152] Host: example.com
[http:trace4] [pid 9794:tid 140072332166912] http_request.c(305): [client 1.2.3.4:61152] Connection: keep-alive
[http:trace4] [pid 9794:tid 140072332166912] http_request.c(305): [client 1.2.3.4:61152] Cache-Control: max-age=0
[http:trace4] [pid 9794:tid 140072332166912] http_request.c(305): [client 1.2.3.4:61152] Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
[http:trace4] [pid 9794:tid 140072332166912] http_request.c(305): [client 1.2.3.4:61152] User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
[http:trace4] [pid 9794:tid 140072332166912] http_request.c(305): [client 1.2.3.4:61152] Accept-Encoding: gzip, deflate, sdch
[http:trace4] [pid 9794:tid 140072332166912] http_request.c(305): [client 1.2.3.4:61152] Accept-Language: de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4
[authz_core:debug] [pid 9794:tid 140072332166912] mod_authz_core.c(809): [client 1.2.3.4:61152] AH01626: authorization result of Require all granted: granted
[authz_core:debug] [pid 9794:tid 140072332166912] mod_authz_core.c(809): [client 1.2.3.4:61152] AH01626: authorization result of <RequireAny>: granted
[core:trace3] [pid 9794:tid 140072332166912] request.c(238): [client 1.2.3.4:61152] request authorized without authentication by access_checker_ex hook: /index.php
[proxy:trace2] [pid 9794:tid 140072332166912] proxy_util.c(1938): [client 1.2.3.4:61152] *: found reverse proxy worker for unix:/var/run/php5-fpm.sock|fcgi://localhost/var/www/html/index.php
[proxy:trace2] [pid 9794:tid 140072332166912] proxy_util.c(1972): [client 1.2.3.4:61152] *: rewrite of url due to UDS(/var/run/php5-fpm.sock): fcgi://localhost/var/www/html/index.php (proxy:fcgi://localhost/var/www/html/index.php)
[proxy:debug] [pid 9794:tid 140072332166912] mod_proxy.c(1155): [client 1.2.3.4:61152] AH01143: Running scheme unix handler (attempt 0)
[proxy_fcgi:debug] [pid 9794:tid 140072332166912] mod_proxy_fcgi.c(786): [client 1.2.3.4:61152] AH01076: url: fcgi://localhost/var/www/html/index.php proxyname: (null) proxyport: 0
[proxy_fcgi:debug] [pid 9794:tid 140072332166912] mod_proxy_fcgi.c(793): [client 1.2.3.4:61152] AH01078: serving URL fcgi://localhost/var/www/html/index.php
[proxy:debug] [pid 9794:tid 140072332166912] proxy_util.c(2131): AH00942: FCGI: has acquired connection for (*)
[proxy:debug] [pid 9794:tid 140072332166912] proxy_util.c(2184): [client 1.2.3.4:61152] AH00944: connecting fcgi://localhost/var/www/html/index.php to localhost:8000
[proxy:debug] [pid 9794:tid 140072332166912] proxy_util.c(2217): [client 1.2.3.4:61152] AH02545: fcgi: has determined UDS as /var/run/php5-fpm.sock
[proxy:debug] [pid 9794:tid 140072332166912] proxy_util.c(2385): [client 1.2.3.4:61152] AH00947: connected /var/www/html/index.php to httpd-UDS:0
[proxy_fcgi:error] [pid 9794:tid 140072332166912] [client 1.2.3.4:61152] AH01071: Got error 'Primary script unknown\n'
[proxy_fcgi:trace4] [pid 9794:tid 140072332166912] util_script.c(522): [client 1.2.3.4:61152] Headers from script 'index.php':
[proxy_fcgi:trace4] [pid 9794:tid 140072332166912] util_script.c(523): [client 1.2.3.4:61152] Status: 404 Not Found
[proxy_fcgi:trace1] [pid 9794:tid 140072332166912] util_script.c(602): [client 1.2.3.4:61152] Status line from script 'index.php': 404 Not Found
[proxy_fcgi:trace4] [pid 9794:tid 140072332166912] util_script.c(523): [client 1.2.3.4:61152] X-Powered-By: PHP/5.6.4-4
[proxy_fcgi:trace4] [pid 9794:tid 140072332166912] util_script.c(523): [client 1.2.3.4:61152] Content-type: text/html; charset=UTF-8
[proxy:debug] [pid 9794:tid 140072332166912] proxy_util.c(2146): AH00943: FCGI: has released connection for (*)
[headers:trace2] [pid 9794:tid 140072332166912] mod_headers.c(874): AH01502: headers: ap_headers_output_filter()
[http:trace3] [pid 9794:tid 140072332166912] http_filters.c(1045): [client 1.2.3.4:61152] Response sent with status 404, headers:
[http:trace5] [pid 9794:tid 140072332166912] http_filters.c(1052): [client 1.2.3.4:61152] Date: Thu, 15 Jan 2015 23:54:44 GMT
[http:trace5] [pid 9794:tid 140072332166912] http_filters.c(1055): [client 1.2.3.4:61152] Server: Apache
[http:trace4] [pid 9794:tid 140072332166912] http_filters.c(874): [client 1.2.3.4:61152] X-Powered-By: PHP/5.6.4-4
[http:trace4] [pid 9794:tid 140072332166912] http_filters.c(874): [client 1.2.3.4:61152] X-Frame-Options: SAMEORIGIN
[http:trace4] [pid 9794:tid 140072332166912] http_filters.c(874): [client 1.2.3.4:61152] X-XSS-Protection: 1; mode=block
[http:trace4] [pid 9794:tid 140072332166912] http_filters.c(874): [client 1.2.3.4:61152] X-Content-Security-Policy: allow 'self';
[http:trace4] [pid 9794:tid 140072332166912] http_filters.c(874): [client 1.2.3.4:61152] X-Frame-Options: DENY
[http:trace4] [pid 9794:tid 140072332166912] http_filters.c(874): [client 1.2.3.4:61152] Content-Length: 16
[http:trace4] [pid 9794:tid 140072332166912] http_filters.c(874): [client 1.2.3.4:61152] Keep-Alive: timeout=5, max=100
[http:trace4] [pid 9794:tid 140072332166912] http_filters.c(874): [client 1.2.3.4:61152] Connection: Keep-Alive
[http:trace4] [pid 9794:tid 140072332166912] http_filters.c(874): [client 1.2.3.4:61152] Content-Type: text/html; charset=UTF-8
Apache error.log with loglevel trace8 and PHP5-FPM chroot off
[core:trace5] [pid 9794:tid 140072323774208] protocol.c(618): [client 1.2.3.4:61135] Request received from client: GET /index.php HTTP/1.1
[http:trace4] [pid 9794:tid 140072323774208] http_request.c(301): [client 1.2.3.4:61135] Headers received from client:
[http:trace4] [pid 9794:tid 140072323774208] http_request.c(305): [client 1.2.3.4:61135] Host: example.com
[http:trace4] [pid 9794:tid 140072323774208] http_request.c(305): [client 1.2.3.4:61135] Connection: keep-alive
[http:trace4] [pid 9794:tid 140072323774208] http_request.c(305): [client 1.2.3.4:61135] Cache-Control: max-age=0
[http:trace4] [pid 9794:tid 140072323774208] http_request.c(305): [client 1.2.3.4:61135] Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
[http:trace4] [pid 9794:tid 140072323774208] http_request.c(305): [client 1.2.3.4:61135] User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
[http:trace4] [pid 9794:tid 140072323774208] http_request.c(305): [client 1.2.3.4:61135] Accept-Encoding: gzip, deflate, sdch
[http:trace4] [pid 9794:tid 140072323774208] http_request.c(305): [client 1.2.3.4:61135] Accept-Language: de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4
[authz_core:debug] [pid 9794:tid 140072323774208] mod_authz_core.c(809): [client 1.2.3.4:61135] AH01626: authorization result of Require all granted: granted
[authz_core:debug] [pid 9794:tid 140072323774208] mod_authz_core.c(809): [client 1.2.3.4:61135] AH01626: authorization result of <RequireAny>: granted
[core:trace3] [pid 9794:tid 140072323774208] request.c(238): [client 1.2.3.4:61135] request authorized without authentication by access_checker_ex hook: /index.php
[proxy:trace2] [pid 9794:tid 140072323774208] proxy_util.c(1938): [client 1.2.3.4:61135] *: found reverse proxy worker for unix:/var/run/php5-fpm.sock|fcgi://localhost/var/www/html/index.php
[proxy:trace2] [pid 9794:tid 140072323774208] proxy_util.c(1972): [client 1.2.3.4:61135] *: rewrite of url due to UDS(/var/run/php5-fpm.sock): fcgi://localhost/var/www/html/index.php (proxy:fcgi://localhost/var/www/html/index.php)
[proxy:debug] [pid 9794:tid 140072323774208] mod_proxy.c(1155): [client 1.2.3.4:61135] AH01143: Running scheme unix handler (attempt 0)
[proxy_fcgi:debug] [pid 9794:tid 140072323774208] mod_proxy_fcgi.c(786): [client 1.2.3.4:61135] AH01076: url: fcgi://localhost/var/www/html/index.php proxyname: (null) proxyport: 0
[proxy_fcgi:debug] [pid 9794:tid 140072323774208] mod_proxy_fcgi.c(793): [client 1.2.3.4:61135] AH01078: serving URL fcgi://localhost/var/www/html/index.php
[proxy:debug] [pid 9794:tid 140072323774208] proxy_util.c(2131): AH00942: FCGI: has acquired connection for (*)
[proxy:debug] [pid 9794:tid 140072323774208] proxy_util.c(2184): [client 1.2.3.4:61135] AH00944: connecting fcgi://localhost/var/www/html/index.php to localhost:8000
[proxy:debug] [pid 9794:tid 140072323774208] proxy_util.c(2217): [client 1.2.3.4:61135] AH02545: fcgi: has determined UDS as /var/run/php5-fpm.sock
[proxy:debug] [pid 9794:tid 140072323774208] proxy_util.c(2385): [client 1.2.3.4:61135] AH00947: connected /var/www/html/index.php to httpd-UDS:0
[proxy_fcgi:trace4] [pid 9794:tid 140072323774208] util_script.c(522): [client 1.2.3.4:61135] Headers from script 'index.php':
[proxy_fcgi:trace4] [pid 9794:tid 140072323774208] util_script.c(523): [client 1.2.3.4:61135] X-Powered-By: PHP/5.6.4-4
[proxy_fcgi:trace4] [pid 9794:tid 140072323774208] util_script.c(523): [client 1.2.3.4:61135] Content-type: text/html; charset=UTF-8
[filter:trace4] [pid 9794:tid 140072323774208] mod_filter.c(169): [client 1.2.3.4:61135] Content-Type 'text/html; charset=UTF-8' ...
[filter:trace4] [pid 9794:tid 140072323774208] mod_filter.c(181): [client 1.2.3.4:61135] ... did not match 'application/xml'
[filter:trace2] [pid 9794:tid 140072323774208] mod_filter.c(188): [client 1.2.3.4:61135] Content-Type condition for 'deflate' did not match
[filter:trace4] [pid 9794:tid 140072323774208] mod_filter.c(169): [client 1.2.3.4:61135] Content-Type 'text/html; charset=UTF-8' ...
[filter:trace4] [pid 9794:tid 140072323774208] mod_filter.c(181): [client 1.2.3.4:61135] ... did not match 'application/rss+xml'
[filter:trace2] [pid 9794:tid 140072323774208] mod_filter.c(188): [client 1.2.3.4:61135] Content-Type condition for 'deflate' did not match
[filter:trace4] [pid 9794:tid 140072323774208] mod_filter.c(169): [client 1.2.3.4:61135] Content-Type 'text/html; charset=UTF-8' ...
[filter:trace4] [pid 9794:tid 140072323774208] mod_filter.c(181): [client 1.2.3.4:61135] ... did not match 'application/x-javascript'
[filter:trace4] [pid 9794:tid 140072323774208] mod_filter.c(181): [client 1.2.3.4:61135] ... did not match 'application/javascript'
[filter:trace4] [pid 9794:tid 140072323774208] mod_filter.c(181): [client 1.2.3.4:61135] ... did not match 'application/ecmascript'
[filter:trace2] [pid 9794:tid 140072323774208] mod_filter.c(188): [client 1.2.3.4:61135] Content-Type condition for 'deflate' did not match
[filter:trace4] [pid 9794:tid 140072323774208] mod_filter.c(169): [client 1.2.3.4:61135] Content-Type 'text/html; charset=UTF-8' ...
[filter:trace4] [pid 9794:tid 140072323774208] mod_filter.c(181): [client 1.2.3.4:61135] ... did not match 'text/css'
[filter:trace2] [pid 9794:tid 140072323774208] mod_filter.c(188): [client 1.2.3.4:61135] Content-Type condition for 'deflate' did not match
[filter:trace4] [pid 9794:tid 140072323774208] mod_filter.c(169): [client 1.2.3.4:61135] Content-Type 'text/html; charset=UTF-8' ...
[filter:trace4] [pid 9794:tid 140072323774208] mod_filter.c(175): [client 1.2.3.4:61135] ... matched 'text/html'
[filter:trace2] [pid 9794:tid 140072323774208] mod_filter.c(188): [client 1.2.3.4:61135] Content-Type condition for 'deflate' matched
[proxy:debug] [pid 9794:tid 140072323774208] proxy_util.c(2146): AH00943: FCGI: has released connection for (*)
[headers:trace2] [pid 9794:tid 140072323774208] mod_headers.c(874): AH01502: headers: ap_headers_output_filter()
[http:trace3] [pid 9794:tid 140072323774208] http_filters.c(1045): [client 1.2.3.4:61135] Response sent with status 200, headers:
[...]
[http:trace5] [pid 9794:tid 140072323774208] http_filters.c(1052): [client 1.2.3.4:61135] Date: Thu, 15 Jan 2015 23:53:47 GMT
[http:trace5] [pid 9794:tid 140072323774208] http_filters.c(1055): [client 1.2.3.4:61135] Server: Apache
[http:trace4] [pid 9794:tid 140072323774208] http_filters.c(874): [client 1.2.3.4:61135] X-Powered-By: PHP/5.6.4-4
[http:trace4] [pid 9794:tid 140072323774208] http_filters.c(874): [client 1.2.3.4:61135] X-Frame-Options: SAMEORIGIN
[http:trace4] [pid 9794:tid 140072323774208] http_filters.c(874): [client 1.2.3.4:61135] Vary: Accept-Encoding
[http:trace4] [pid 9794:tid 140072323774208] http_filters.c(874): [client 1.2.3.4:61135] X-XSS-Protection: 1; mode=block
[http:trace4] [pid 9794:tid 140072323774208] http_filters.c(874): [client 1.2.3.4:61135] X-Content-Security-Policy: allow 'self';
[http:trace4] [pid 9794:tid 140072323774208] http_filters.c(874): [client 1.2.3.4:61135] X-Frame-Options: DENY
[http:trace4] [pid 9794:tid 140072323774208] http_filters.c(874): [client 1.2.3.4:61135] Content-Length: 2
[http:trace4] [pid 9794:tid 140072323774208] http_filters.c(874): [client 1.2.3.4:61135] Keep-Alive: timeout=5, max=100
[http:trace4] [pid 9794:tid 140072323774208] http_filters.c(874): [client 1.2.3.4:61135] Connection: Keep-Alive
[http:trace4] [pid 9794:tid 140072323774208] http_filters.c(874): [client 1.2.3.4:61135] Content-Type: text/html; charset=UTF-8
As you can see, there is no difference between those two up to the line
AH00947: connected /var/www/html/index.php to httpd-UDS:0
Has anyone encountered a similar problem and knows a solution?
Furthermore I have data from tcpdump (while PHP5-FPM was listening on a TCP port instead of using a socket) and data from sniffing the socket.
If those are needed please let me know - I didn't want to make the question too large.
Edit:
I've done some further research in the hope of localizing the problem.
Maybe this helps us further...
PHP-FPM Status page
strace on the worker process (chroot = off)
accept(0, {sa_family=AF_INET, sin_port=htons(50759), sin_addr=inet_addr("127.0.0.1")}, [16]) = 5
clock_gettime(CLOCK_MONOTONIC, {1397, 223489054}) = 0
times({tms_utime=0, tms_stime=0, tms_cutime=0, tms_cstime=0}) = 1718096640
poll([{fd=5, events=POLLIN}], 1, 5000) = 1 ([{fd=5, revents=POLLIN}])
read(5, "\1\1\0\1\0\10\0\0", 8) = 8
read(5, "\0\1\1\0\0\0\0\0", 8) = 8
read(5, "\1\4\0\1\3\341\0\0", 8) = 8
read(5, "\t\30UNIQUE_IDVLmGr38AAQEAAAVjkB4AAAAE\21\1proxy-nokeepalive1\t&HTTP_HOSTexample.com\17\nHTTP_CONNECTIO"..., 993) = 993
read(5, "\1\4\0\1\0\0\0\0", 8) = 8
lstat("/var/www/html/index.php", {st_mode=S_IFREG|0644, st_size=538, ...}) = 0
lstat("/var/www/html", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat("/var/www", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat("/var", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
strace on the worker process (chroot = on)
accept(0, {sa_family=AF_INET, sin_port=htons(50751), sin_addr=inet_addr("127.0.0.1")}, [16]) = 5
clock_gettime(CLOCK_MONOTONIC, {1208, 313176419}) = 0
times({tms_utime=0, tms_stime=0, tms_cutime=0, tms_cstime=0}) = 1718077750
poll([{fd=5, events=POLLIN}], 1, 5000) = 1 ([{fd=5, revents=POLLIN}])
read(5, "\1\1\0\1\0\10\0\0", 8) = 8
read(5, "\0\1\1\0\0\0\0\0", 8) = 8
read(5, "\1\4\0\1\3\341\0\0", 8) = 8
read(5, "\t\30UNIQUE_IDVLmF8n8AAQEAAAVjkB0AAAAS\21\1proxy-nokeepalive1\t&HTTP_HOSTexample.com\17\nHTTP_CONNECTIO"..., 993) = 993
read(5, "\1\4\0\1\0\0\0\0", 8) = 8
lstat("/var/www/html/index.php", 0x7fff98aa5d20) = -1 ENOENT (No such file or directory)
stat("/var/www/html", 0x7fff98aa8160) = -1 ENOENT (No such file or directory)
stat("/var/www", 0x7fff98aa8160) = -1 ENOENT (No such file or directory)
stat("/var", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
stat("", 0x7fff98aa8160) = -1 ENOENT (No such file or directory)
When you are using the directive
<FilesMatch \.php$>
SetHandler "proxy:unix:/var/run/php5-fpm.sock|fcgi://localhost"
</FilesMatch>
the script path sent to the proxy is the full path of the file matched by FilesMatch, but this path does not exist in the chroot.
Setting doc_root in php.ini solves this problem.
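The strace reads above are FastCGI records: a BEGIN_REQUEST header, then a PARAMS header announcing 993 bytes of name-value pairs in which SCRIPT_FILENAME carries the host path. The decoder below is an added example (not from the question or this answer) that parses those records and checks whether a SCRIPT_FILENAME can exist inside a given chroot; the PARAMS body is constructed, since the strace truncates it, and the chroot directory passed in is an assumption.

```python
import struct
from typing import Optional

# FastCGI record types seen in the strace above (FastCGI spec, section 8)
FCGI_BEGIN_REQUEST, FCGI_PARAMS, FCGI_STDIN = 1, 4, 5

def parse_header(buf: bytes) -> dict:
    """Decode the 8-byte record header: version, type, requestId,
    contentLength, paddingLength, reserved (all big-endian)."""
    version, rtype, req_id, clen, plen, _ = struct.unpack("!BBHHBB", buf[:8])
    return {"version": version, "type": rtype, "request_id": req_id,
            "content_length": clen, "padding_length": plen}

def _read_len(body: bytes, pos: int):
    # A name/value length is 1 byte when < 128, else 4 bytes with the high bit set.
    if body[pos] & 0x80:
        return struct.unpack("!I", body[pos:pos + 4])[0] & 0x7FFFFFFF, pos + 4
    return body[pos], pos + 1

def parse_params(body: bytes) -> dict:
    """Decode the name-value pairs carried in FCGI_PARAMS record bodies."""
    params, pos = {}, 0
    while pos < len(body):
        nlen, pos = _read_len(body, pos)
        vlen, pos = _read_len(body, pos)
        name = body[pos:pos + nlen].decode("latin-1")
        pos += nlen
        params[name] = body[pos:pos + vlen].decode("latin-1")
        pos += vlen
    return params

def encode_params(params: dict) -> bytes:
    """Inverse of parse_params; used here only to build the constructed input."""
    out = bytearray()
    for name, value in params.items():
        for n in (len(name), len(value)):
            out += bytes([n]) if n < 128 else struct.pack("!I", n | 0x80000000)
        out += name.encode() + value.encode()
    return bytes(out)

def script_path_inside_chroot(script_filename: str, chroot: str) -> Optional[str]:
    """Path the FPM worker must open inside `chroot` for the host path Apache put
    in SCRIPT_FILENAME; None when it is not under the chroot at all (then the
    worker's lstat() can only fail with ENOENT, as in the chroot=on strace)."""
    root = chroot.rstrip("/") + "/"
    if not script_filename.startswith(root):
        return None
    return "/" + script_filename[len(root):]

# Constructed sample: the two record headers from the strace, plus a PARAMS
# body standing in for the truncated 993-byte one (UNIQUE_ID is the strace's)
BEGIN_HDR = b"\x01\x01\x00\x01\x00\x08\x00\x00"   # read(5, "\1\1\0\1\0\10\0\0", 8)
PARAMS_HDR = b"\x01\x04\x00\x01\x03\xe1\x00\x00"  # read(5, "\1\4\0\1\3\341\0\0", 8)
SAMPLE_PARAMS = encode_params({
    "UNIQUE_ID": "VLmGr38AAQEAAAVjkB4AAAAE",
    "proxy-nokeepalive": "1",
    "HTTP_HOST": "example.com",
    "SCRIPT_FILENAME": "/var/www/html/index.php",
})
```

With chroot = /var/www/html the worker would need /index.php, which is what the doc_root fix (or rewriting SCRIPT_FILENAME on the Apache side) makes it look for.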

gss_display_name() failed: A required input parameter could not be read: An invalid name was supplied (, Unknown error)

I'm trying to set up Kerberos authentication on Apache 2.2.15-30 (CentOS 6.5), and am facing an issue that I'm not able to debug or solve. I can see the TGS request in the KDC log and Firefox sends the correct Authorization: Negotiate header, but something in Apache goes wrong and I'm getting an HTTP 500.
krb5kdc.log
Jul 02 20:59:03 infa.domain.local krb5kdc[1847](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.218.201: ISSUE: authtime 1404320175, etypes {rep=23 tkt=23 ses=23}, Administrator#DOMAIN.LOCAL for HTTP/infa.domain.local#DOMAIN.LOCAL
Apache error_log
[Wed Jul 02 20:59:01 2014] [debug] src/mod_auth_kerb.c(1940): [client 192.168.218.1] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Jul 02 20:59:03 2014] [debug] src/mod_auth_kerb.c(1940): [client 192.168.218.1] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Jul 02 20:59:03 2014] [debug] src/mod_auth_kerb.c(1279): [client 192.168.218.1] Acquiring creds for HTTP/infa.domain.local
[Wed Jul 02 20:59:03 2014] [debug] src/mod_auth_kerb.c(1692): [client 192.168.218.1] Verifying client data using KRB5 GSS-API
[Wed Jul 02 20:59:03 2014] [debug] src/mod_auth_kerb.c(1708): [client 192.168.218.1] Client didn't delegate us their credential
[Wed Jul 02 20:59:03 2014] [debug] src/mod_auth_kerb.c(1727): [client 192.168.218.1] GSS-API token of length 941 bytes will be sent back
[Wed Jul 02 20:59:03 2014] [debug] src/mod_auth_kerb.c(1139): [client 192.168.218.1] GSS-API major_status:01020000, minor_status:00000000
[Wed Jul 02 20:59:03 2014] [error] [client 192.168.218.1] gss_display_name() failed: A required input parameter could not be read: An invalid name was supplied (, Unknown error)
HTTP dump
GET http://infa.domain.local/server-status HTTP/1.1
Host: infa.domain.local
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cache-Control: max-age=0
HTTP/1.1 401 Authorization Required
Date: Wed, 02 Jul 2014 19:32:39 GMT
Server: Apache/2.2.15 (CentOS)
WWW-Authenticate: Negotiate
Content-Length: 484
Connection: close
Content-Type: text/html; charset=iso-8859-1
Proxy-Support: Session-Based-Authentication
GET http://infa.domain.local/server-status HTTP/1.1
Host: infa.domain.local
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cache-Control: max-age=0
Authorization: Negotiate YIID5QYGKwYBBQUCoIID2TCCA9WgCjAIBgYrBgEFAgWiggPFBIIDwWCCA70GBisGAQUCBQUBMBChDgQMRE9NQUlOLkxPQ0FMbIIDnTCCA5mhAwIBBaIDAgEMo4IDFzCCAxMwggIvoQMCAQGiggImBIICIm6CAh4wggIaoAMCAQ WhAwIBDqIHAwUAAAAAAKOCAU9hggFLMIIBR6ADAgEFoQ4bDERPTUFJTi5MT0NBTKIhMB+gAwIBAqEYMBYbBmtyYnRndBsMRE9NQUlOLkxPQ0FMo4IBCzCCAQegAwIBEqEDAgEBooH6BIH3jDiOe80e8vCv7Tmsd+t0spncJWnD v99vLDpi5PYc1Gj8vGH7xJxnz4dsr6WavFLmgYCRnvrF+Y+lU/QVF/AUNiqIG7ifGAJGD4IKHzcyYfNo9BLlNBGBckLdIhC3o2G8VfHWxv+Zo6DNfZUJsIVfoN2bls2C8K9K2pv/qd/FHR96+3JpCkRSb2tKqh2VQBA2mplvJML38nvHQkp5Y0rHQ ecbc0bHns1ddh/RLIlPcwdy8r7xDx7m5QUWH3gI6nSEhrcd/sIKoRJ88ezcMfqumXq2UxvBdBJAH86q9r9r/t74jXpyDFlRgF/Z6OLMwMdus2AkBNrbiaSBsTCBrqADAgEXooGmBIGj4DUpIRQjvddUEpp7sft5UjlnOPOCia9BSyxYBszOihLHr2D 2B6mL6fmqx7IcAVfVzV66B/gqQ4roAh0z4YKensKtqIAG7au2RsXtYNAjEgUFgh7dEE7kACUFoVB2VUK2mtjuHabbwMZ4gprrRIgDeFqROIhxWasVgxhak6dXQAKGEyvVlGoeLTJTPER5s2tcDRkoVTLFO0hBJxarNI/GTk1e1jCB3aEEAgIAi KKB1ASB0aCBzjCBy6EcMBqgBAIC/3ahEgQQSjwHqwdg2yuvh3nbGzDVuqKBqjCBp6ADAgEXooGfBIGccNThLwiDzyz8cJYPfI6hU505ydEQdRt6N036ZZ98Y49YfV+WWpCgXxhmL/8zhilAC2mQi5cvE5XOJOzGrWHnzl6AO1KfJQKjvogV zrFhdoPMVssGnBkrD40fsIA2uPJ2e0OeKRC/tOizUg8tVIdhkoivnh69Q1BDAx3JFjx3txRtDoSZHz6x4mlBSs72xFIlIkA7yhXH+nmml4yfpHIwcKAHAwUAUIEAAKIOGwxET01BSU4uTE9DQUyjJDAioAMCAQOhGzAZGwRIVFRQGxFpbmZh LmRvbWFpbi5sb2NhbKURGA8yMDE0MDcwMzAyNTYxNlqnBgIEU7ReW6gUMBICARICARECARACARcCARkCARo=
HTTP/1.1 500 Internal Server Error
Date: Wed, 02 Jul 2014 19:32:42 GMT
Server: Apache/2.2.15 (CentOS)
WWW-Authenticate: Negotiate oYIDqTCCA6WgAwoBAaEIBgYrBgEFAgWiggOSBIIDjgUBMBChDgQMRE9NQUlOLkxPQ0FMbYIDdjCCA3KgAwIBBaEDAgENooHVMIHSMIHPoQQCAgCIooHGBIHDoIHAMIG9oIG6MIG3oAMCAReiga8Egawhq77nnFYKOC2elIoQEMv 3HoPncmPLVp6/yr+HtLIuoyAsAUdbvyXars5ixGdPlg1IaceQQ3ThVvvsRthV86O4M2l55LfhlfIINZr7xQks3EKTAEA1OfsggBXdmShHV/29W2iLaQP60BvBlYCOGePMyMKp8jcgdNUQ6jLqq6No0Qk7Kro8IIjESMmVR3BAndbUfpDNYqO+IxY am/pl96xCQgu4iNznoglrYBf7ow4bDERPTUFJTi5MT0NBTKQaMBigAwIBAaERMA8bDUFkbWluaXN0cmF0b3KlggFjYYIBXzCCAVugAwIBBaEOGwxET01BSU4uTE9DQUyiJDAioAMCAQOhGzAZGwRIVFRQGxFpbmZhLmRvbWFpbi5sb 2NhbKOCARwwggEYoAMCARehAwIBAaKCAQoEggEGyeo+gzn7hHLgwIGfZiT3kfiua+yD1d0EDhyoAmctFzukkw7xqdyMZn+gfDna6O0WI7TC6Yv2pQqg1Ph76SZ11ZQu4xXn4FBPu3G9LwbPUxN9+cohhCTPmAX6SLyNu7n9UAKLsccjb kLq8HJjUgzfLus6AqUeerqjc3eSyr+r1onfQSL9JCNtpOUWtuxGIThTQfOXEYVlVyjMi37bnAFPMrxPERL/7m3vYm3x60HBu5KHy7xfbab8jftIsr33Z/2nnMxNi5LjqVBail4BpZiuRCMmko566KSLKWRSpvr6x/YUR5TPmhXjO3YGdi2VucDn6QW t81q2dQSYvAQnbuHDL84IQUY126aB+jCB96ADAgEXooHvBIHsmFwxE55S5Gi5VkPG0cS11MHsQvllqJAIxGMkzakyyYCfMKCpHFfyIf/2bIGPvSyCCWOqFxnMOA1a/c2d3eUk6Yr+H5c8PDFePxVbKijvZRVRVJ1pAifpm9kUoKcGMo0SH 9m0H4yu94/ESE7QbEcx7pQac1Udq894rgF7OmnQXZZ6mX2VUrIb0xHxaaj9oR8+zC8vGWyyqVSZhtURxQ8Anr+MifqWKPP2QpWFohptl/zl8bYmMqs1nEH3TIe1wvtOgeqGh6KumbC4rc9IVCN8rx+3XCVr/2BM27nURT21MUzwU1tbpQM LSqT0gFE=
Content-Length: 617
Connection: close
Content-Type: text/html; charset=iso-8859-1
kdc.conf
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
DOMAIN.LOCAL = {
#master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
forwardable = true
proxiable = true
supported_enctypes = rc4-hmac:normal
}
/etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = DOMAIN.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
proxiable = true
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
[realms]
DOMAIN.LOCAL = {
kdc = infa.domain.local:88
admin_server = infa.domain.local:749
}
[domain_realm]
.domain.local = DOMAIN.LOCAL
domain.local = DOMAIN.LOCAL
auth_kerb.conf
LoadModule auth_kerb_module modules/mod_auth_kerb.so
<Location /server-status>
#SSLRequireSSL
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate On
KrbMethodK5Passwd Off
KrbAuthRealms DOMAIN.LOCAL
Krb5KeyTab /etc/httpd/conf/http.keytab
KrbServiceName HTTP/infa.domain.local
require valid-user
</Location>
klist -e -k /etc/httpd/conf/http.keytab
Keytab name: FILE:/etc/httpd/conf/http.keytab
KVNO Principal
---- --------------------------------------------------------------------------
0 HTTP/infa.domain.local#DOMAIN.LOCAL (arcfour-hmac)
Does anyone have an idea of what the problem might be? I'd be very thankful for any comments.
Thank you,
Martin
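Before chasing the GSS-API error itself, it is worth confirming that the ticket the KDC issued is one the keytab can decrypt. The check below is an added example (not from the question or the answers) that parses the krb5kdc.log line and the klist listing above and reports principal or enctype mismatches; it assumes krb5's usual '@' in principals where the listing shows '#'.

```python
import re
from typing import List

# Kerberos etype numbers (RFC 3961/3962/4757/6803) behind the names klist prints;
# the KDC line above lists the client's offered etypes numerically
ETYPE = {"des3-cbc-sha1": 16, "aes128-cts-hmac-sha1-96": 17,
         "aes256-cts-hmac-sha1-96": 18, "arcfour-hmac": 23,
         "camellia128-cts-cmac": 25, "camellia256-cts-cmac": 26}

TGS_RE = re.compile(r"TGS_REQ \((\d+) etypes \{([\d ]+)\}\).*?etypes \{rep=(\d+) "
                    r"tkt=(\d+) ses=(\d+)\}, (\S+) for (\S+)")
KEYTAB_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)", re.M)

def _canon(principal: str) -> str:
    # the listing on the page shows '#' where krb5 prints '@'; accept both
    return principal.replace("#", "@")

def parse_tgs_req(line: str) -> dict:
    """Client, requested service, offered etypes and issued ticket etype from a
    krb5kdc.log 'TGS_REQ ... ISSUE' line."""
    m = TGS_RE.search(line)
    if not m:
        raise ValueError("not a TGS_REQ ISSUE line")
    return {"offered": [int(x) for x in m.group(2).split()],
            "tkt_etype": int(m.group(4)), "client": _canon(m.group(6)),
            "service": _canon(m.group(7))}

def parse_keytab_listing(text: str) -> List[dict]:
    """Parse 'klist -e -k' output into kvno/principal/etype entries."""
    return [{"kvno": int(k), "principal": _canon(p), "etype": ETYPE.get(e, -1)}
            for k, p, e in KEYTAB_RE.findall(text)]

def triage(tgs: dict, keytab: List[dict], service_name: str, realm: str) -> List[str]:
    """Mismatches that would stop mod_auth_kerb from decrypting the ticket the
    KDC issued: wrong principal, no key, or no key of the ticket's etype.
    An empty list means these line up and the cause lies elsewhere."""
    want = f"{service_name}@{realm}"
    findings = []
    if tgs["service"] != want:
        findings.append(f"client asked for {tgs['service']}, Apache serves {want}")
    keys = [e for e in keytab if e["principal"] == want]
    if not keys:
        findings.append(f"no keytab entry for {want}")
    elif tgs["tkt_etype"] not in {e["etype"] for e in keys}:
        findings.append(f"ticket etype {tgs['tkt_etype']} has no matching keytab key")
    return findings

# Constructed input copied from the question's logs ('@' restored in principals)
KDC_LINE = ("Jul 02 20:59:03 infa.domain.local krb5kdc[1847](info): TGS_REQ (6 etypes "
            "{18 17 16 23 25 26}) 192.168.218.201: ISSUE: authtime 1404320175, etypes "
            "{rep=23 tkt=23 ses=23}, Administrator@DOMAIN.LOCAL for "
            "HTTP/infa.domain.local@DOMAIN.LOCAL")
KLIST_OUT = """Keytab name: FILE:/etc/httpd/conf/http.keytab
KVNO Principal
---- ------------------------------------------------------------
   0 HTTP/infa.domain.local#DOMAIN.LOCAL (arcfour-hmac)
"""
```

For the data in the question the check comes back empty (principal and arcfour-hmac key both match), which is consistent with a cause these lines cannot show, such as clock skew between client and KDC.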
I got this exact message when the client's clock skew was too great. Setting the clock (and enabling ntp :-) got it working.