Error on Zabbix: /server-status 404: Not Found. - apache

I've been dealing with this whole day and still can't figure it out.
I've set up Zabbix on one machine, and I want to monitor the Apache server on another machine.
I've completed all the steps described in the docs: http://www.zabbix.com/wiki/templates/apache
and still I get no data in the Apache Template. When checking the logs on the Apache server, I can see in access.log:
IPADDR - - [16/Jul/2012:13:29:08 +0000] "GET /server-status?auto HTTP/1.0" 404 13826 "-" "Python-urllib/1.17"
I think it might have something to do with Virtual Servers and additional sites I have on that machine, but I can't figure it out, and nothing is mentioned in the docs...

The Apache checks are not as clever as you may think.
Can Zabbix communicate with your apache server? Link it to a template with something simple like "uptime" and verify that it indeed gets data.
Next, verify that there aren't any firewall rules preventing the zabbix server from communicating with your web server. Can you curl your homepage from the zabbix host without problems?
Are the apache checks active checks? If so you'll need to make sure active checks are enabled in the /etc/zabbix/zabbix-agentd.conf file and that the "Hostname" within the conf is unique and matching up correctly with what you have in the zabbix server.
If that fails, change the DebugLevel to 4 in /etc/zabbix-agentd.conf and tail the zabbix log. Look and see if it is having trouble with any checks.

This is an Apache configuration problem; Zabbix can't do anything if /server-status yields a 404 error.
Maybe the <Location /server-status>...</Location> directive is not at the right place in apache's configuration.
Try to move it inside the <VirtualHost> section of the specific virtual server to which the GET /server-status is routed.
Also make sure that mod_status is enabled.

Related

Apache - limit scope of RequestReadTimeout

We are running apache and using nagios to query http for alerting / monitoring purposes. We have a few webservers that required more sensitive settings for mod_reqtimeout.c and on those servers we periodically / sporadically get alerts about "UNKNOWN 500 read timeout". Nothing is actually wrong with the webserver / apache when this is happening and we think we have narrowed down the problem to our relatively strict settings for:
RequestReadTimeout header=
We have quite a few vhosts configured on some of these servers and are trying to find a way to modify our global header read timeout setting to ignore certain IP addresses, for example the IP address of our nagios server.
Otherwise a way to have it only apply to certain domains, without having to specifically add the setting into every vhost entry where it needs to exist.
Is there a resource available that talks about how to limit a global parameter to ignore certain IPs or page requests?
Although you can define the timeout at both the server config and virtual host level, in my testing with Apache 2.4.41 I wasn't able to apply a configuration at the server config level and then override it at the virtual host. It just continued to apply the server config values. So I ended up increasing values in the server config.
If you are on Ubuntu then you probably have defaults defined in /etc/apache2/mods-available/reqtimeout.conf for the whole server which then means you aren't able to set values for a virtual host without first changing the configuration here.
There's a short thread about this on the apache users list.
According to the [official documentation](https://httpd.apache.org/docs/2.4/mod/mod_reqtimeout.html), you should be able to override the global config in vhost config.
Context: server config, virtual host

Shibboleth Errors When Authenticating Through a Reverse Proxy on port 8000

Trying to get shibboleth working on a Docker container, using Apache as a reverse proxy. Problems occur because I am using port 80 for the public Apache instance and port 8000 for the internal instance, which confuses shibboleth:
2017-10-03 07:34:23 ERROR OpenSAML.MessageDecoder.SAML2POST [5]: POST targeted at (https://dashboard.hpc.unimelb.edu.au/Shibboleth.sso/SAML2/POST), but delivered to (https://dashboard.hpc.unimelb.edu.au:8000/Shibboleth.sso/SAML2/POST)
The first URL is the external URL which the end user sees. The second URL is what the docker container sees when it gets the proxied request (with the HTTP host name forwarded).
Note I used "ShibURLScheme https" on the internal apache instance to ensure it believes https is being used, as the reverse proxy ensures all requests are https.
Is there any way I can tell Shibboleth that this is OK, the URLs really are the same? Maybe by rewriting the URL Shibboleth sees or something?
Thanks
There are two things I would check:
1. Make sure the ServerName directive in your Apache conf file is set to https://dashboard.hpc.unimelb.edu.au:80. Notice the :80. Omitting the port number completely may work too. You want Apache and vis-a-vis, shibd to see the ServerName that the client is using. You should also make sure you have a UseCanonicalName On directive as part of this.
2. This is likely less of a problem, but make sure your sp-metadata given to the IdP is correct. You should add entries for the FQDN(s) that the client sees. Please note that most of that documentation page isn't applicable to your scenario, but adding the correct metadata entries is vital.
It looks like your ServerName in Apache isn't correct, so I'd start there.

iis and apache combination on real server for 403

We have a win2003 server that runs both IIS 7 and Apache (using WAMP server 2.2).
We put on both servers a page named test.html that shows us a message that says "You are on IIS page" and "You are on WAMP page" to show us if everything is working correctly.
Both are running great locally. IIS is listening on port 80 and Apache on port 8082. The problems come remotely. Both services are running and WAMP is fully online (green icon + "put online" option activated).
Locally, on the server, doing http://localhost/test.html and http://localhost:8082/test.html shows the correct pages. If we replace localhost by the real IP address (for example purposes, let's say http://10.2.5.16/test.html and http://10.2.5.16:8082/test.html), it still works. (Not the actual address, but the address used for real is the same one used by the DNS web service.)
Remotely, from any other PC, doing http://10.2.5.16/test.html and http://10.2.5.16:8082/test.html, the first gives us the website normally, the second gives us an HTTP 403 FORBIDDEN (tried using both htaccess and Windows permissions, still have 403). The same way, using http://www.ourdomain.com/test.html and http://www.ourdomain.com:8082/test.html gives us the exact same result (first OK, second 403).
Is it possible to make it work correctly?
Thanks in advance.
edit: Just to add to the solution :
The firewall was blocking me; adding WAMP on this port allowed it.
In my configuration, I had in my directory statement Require local, which needed to be set to Require all granted.
for the rest, the solution was pretty it.
Thanks again.
The fact that you can get to the sites locally tells me both servers are setup correctly and listening on respective ports.
Upon further questions, the OP indicated that the ServerName directive is pointing to localhost, and it should be changed from
ServerName localhost:8082
To
# or add "ServerAlias example.com:8082" to your existing.
ServerName example.com:8082
Where example.com is your site DNS. Then in your [System32\drivers\etc\hosts] point that DNS to the IP of your remote host.
403 is happening because the request from the remote is not matched against any ServerName or ServerAlias and it falls to the default handler, which normally has stricter permissions. If you look closely in the logs (/logs/apache/access.log), there should be something about "access denied by server configuration /somelocation like your default DocRoot".
If you make a request for http://example.com and you have the correct IP in your hosts file, you can trace what happens to that request in the remote host and where it ends up (firewalls, Apache etc). Apache is good at logging and you just need to find relevant log entries!

What is yourinfo.allrequestsallowed.net?

In my Apache installation, I keep seeing the following line in my access logs:
"POST http://yourinfo.allrequestsallowed.net/ HTTP/1.1" 200
It's really freaking me out because this site is not being hosted on my server (I checked the IP just to be 100% sure). I added a "Deny all" line since the site is still in development, and now the HTTP 200 response changed to 403, like the domain is being hosted on my server.
I'm incredibly confused and scared. Does anybody know what's going on? Can I Deny all to this domain that's apparently pointing to my server?
You may want to check to make sure you don't have ProxyRequests On set anywhere where it's not supposed to. Typically a request like that is for a forward proxy and the troubling bit is that you returned a 200 response which could indicate that the request was successfully proxied.
Take a look at this wiki page about Proxy abuse.
My server is properly configured not to proxy, so why is Apache returning a 200 (Success) status code?
That status code indicates that Apache successfully sent a response to the client, but not necessarily that the response was retrieved from the foreign website.
RFC2616 section 5.1.2 mandates that Apache must accept requests with absolute URLs in the request-URI, even for non-proxy requests. This means that even when proxying is turned off, Apache will accept requests that look like proxy requests. But instead of retrieving the content from the foreign site, Apache will serve the content at the corresponding location on your website. Since the hostname probably doesn't match a name for your site, Apache will look for the content on your default host.
But it's probably worthwhile to check that you aren't proxying. Otherwise, it's not really that big of a deal.
After Jon Lin pointed me in the right direction, I figured it out.
After disabling mod_proxy and enabling mod_security, I added the following to my virtual host configuration:
SecRuleEngine On
SecRule REQUEST_LINE "://" drop,phase:1
And then restarted apache. It quits the connection and returns any amount of data, which uses less resources and bandwidth during Brute Force and DDOS attacks.
Also, it shows as an HTTP 404 Response in the access logs.
EDIT: I updated the rule to drop all types of proxies (https,https,ftp). I don't know how many protocols can be used this way, but I'd rather be safe than sorry.
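A way to find these requests in an access log and see which clients got a 2xx answer, as an added example that is not part of the original answers. It generalizes from the single POST line above to any absolute-URI or CONNECT request; `LOCAL_HOSTS` and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

LOCAL_HOSTS = {"www.example.org", "example.org"}  # assumption: names this server serves

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) ')

def classify(line):
    """Return (ip, host, status) for a proxy-style request to a foreign host, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    if m["method"] == "CONNECT":            # authority-form target: host:port
        host = m["target"].rsplit(":", 1)[0]
    elif "://" in m["target"]:              # absolute-form target: scheme://host/path
        try:
            host = urlsplit(m["target"]).hostname or ""
        except ValueError:                  # malformed authority, still count it
            host = ""
    else:
        return None                         # ordinary origin-form request
    if host.lower() in LOCAL_HOSTS:
        return None                         # absolute URI for our own site is legal
    return m["ip"], host.lower(), int(m["status"])

def summarize(lines):
    """Group foreign-host proxy probes by client IP and count 2xx answers."""
    report = defaultdict(lambda: {"probes": 0, "answered_2xx": 0, "hosts": set()})
    for line in lines:
        hit = classify(line)
        if hit:
            ip, host, status = hit
            report[ip]["probes"] += 1
            report[ip]["answered_2xx"] += int(200 <= status < 300)
            report[ip]["hosts"].add(host)
    return dict(report)

# Constructed sample lines (documentation IP ranges), combined log format.
SAMPLE = [
    '192.0.2.10 - - [16/Jul/2012:13:29:08 +0000] "POST http://yourinfo.allrequestsallowed.net/ HTTP/1.1" 200 512 "-" "-"',
    '192.0.2.10 - - [16/Jul/2012:13:31:40 +0000] "POST http://yourinfo.allrequestsallowed.net/ HTTP/1.1" 403 210 "-" "-"',
    '198.51.100.7 - - [16/Jul/2012:13:32:02 +0000] "CONNECT mail.example.net:25 HTTP/1.0" 405 230 "-" "-"',
    '203.0.113.5 - - [16/Jul/2012:13:33:15 +0000] "GET http://www.example.org/index.html HTTP/1.1" 200 1024 "-" "-"',
    '203.0.113.5 - - [16/Jul/2012:13:33:16 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "-"',
]
print(summarize(SAMPLE))
```

A non-zero `answered_2xx` is the cue to confirm that ProxyRequests is off; as the quoted wiki text says, the 200 alone does not show that anything was fetched from the foreign site.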

JSJaC+Openfire works only local

So far I developed completely locally, having everything (Apache, Openfire, JSJaC application) on my laptop, running quite fine. Now I want to use a remote server for Apache/Openfire. I did basically the same steps, incl. the whole http-bind stuff. I test the setting with simpleclient.html provided by JSJaC.
Now here's the deal: if I use the simpleclient directly on the remote server - e.g., http://here.domain.org/simpleclient.html - it works. If I use it locally - e.g., http://[local_machine]/simpleclient.html - and with the same settings I get a 503 (service unavailable). It seems to be more a network/Apache issue than an Openfire/JSJaC one, but I'm not an expert.
My parameters for the simpleclient:
HTTP Base: http://here.domain.org/http-bind/
JabberServer: here.domain.org
So in my apache virtual host conf file I have the lines:
AddDefaultCharset UTF-8
ProxyRequests On
ProxyPass /http-bind/ http://127.0.0.1:7070/http-bind/
So basically the http bind works since I can connect when the simpleclient.html resides on the server. What I tried so far:
checked if 7070 open from extern: yes
checked etc/hosts - here the relevant lines
127.0.0.1 localhost
123.123.123.123 here.domain.org here
checked Apache conf for restrictions: can't find any, basically i have an "Allow from all" everywhere (but I'm not completely sure where to look at)
By the way, with,e.g., Pidgin I can connect from my laptop to the remote server. Just the JSJaC simpleclient won't do. So I assume it's the http-bind that causes the trouble. I would understand if port 7070 weren't open, but it is.
Any hints or help are much appreciated!
Christian
Ok, I got it. It was a cross-domain scripting issue. I started looking into the JSJaC library and noticed that it makes XmlHttpRequests which by default won't work across different domains. I therefore had to allow this with Apache on the Openfire-Server. I added the following entries in the VirtualHost conf file:
Header always set Access-Control-Allow-Origin "*"
Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS"
Header always set Access-Control-Allow-Credentials true
Header always set Access-Control-Allow-Headers "Content-Type, *"
Of course the mod_headers module must be loaded for this.
I'm not sure which entries are actually required, I didn't try every combinations. I think the always is needed since the request to the http-bind address is a proxy thingy.
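To see which of these entries a browser actually honours, the following added example (not part of the original post) models the browser-side CORS check from the Fetch standard for the wildcard header set above and for one pinned to a single origin. The origin `http://laptop.example` and the `PINNED` header set are hypothetical values constructed for illustration.

```python
def _norm(headers):
    """Lower-case header names and trim values for comparison."""
    return {k.lower(): v.strip() for k, v in headers.items()}

def cors_check(origin, with_credentials, headers):
    """The browser's check on a cross-origin response, following the Fetch standard."""
    h = _norm(headers)
    allow_origin = h.get("access-control-allow-origin")
    if allow_origin is None:
        return False
    if not with_credentials:
        return allow_origin in ("*", origin)
    # With credentials, "*" no longer matches and Allow-Credentials must be exactly "true".
    return allow_origin == origin and h.get("access-control-allow-credentials") == "true"

def preflight_headers_ok(requested, with_credentials, headers):
    """Are all non-safelisted request header names covered by Access-Control-Allow-Headers?"""
    allowed = {t.strip().lower()
               for t in _norm(headers).get("access-control-allow-headers", "").split(",")
               if t.strip()}
    # "*" is a wildcard only for requests without credentials, and never covers Authorization.
    wildcard = "*" in allowed and not with_credentials
    return all(n.lower() in allowed or (wildcard and n.lower() != "authorization")
               for n in requested)

PAGE = "http://laptop.example"  # hypothetical origin serving simpleclient.html

# Header values as set in the VirtualHost above.
POSTED = {
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Headers": "Content-Type, *",
}
# Constructed alternative: one named origin instead of the wildcard.
PINNED = {
    "Access-Control-Allow-Origin": PAGE,
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Headers": "Content-Type",
}

def matrix():
    """Outcome of cors_check for both header sets, without and with credentials."""
    return {(name, cred): cors_check(PAGE, cred, hdrs)
            for name, hdrs in (("posted", POSTED), ("pinned", PINNED))
            for cred in (False, True)}

print(matrix())
```

With the wildcard origin, only requests sent without credentials pass, so the `Access-Control-Allow-Credentials` line has no effect there; naming the client origin passes both cases and stops every other site from reading the http-bind responses.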