Show custom ErrorDocument when SSL connection fails (SSLVerifyClient) - apache

I have configured Apache2 to use Client Certificate Authentication using:
SSLVerifyClient require
It works, I can access my site with a valid Client Certificate.
However, when users connect to it without having a Client Certificate installed, they get a confusing error from the browser.
(Chrome says 'ERR_SSL_PROTOCOL_ERROR', Firefox says 'ssl_error_handshake_failure_alert', Internet Explorer only says 'Internet Explorer cannot display the Webpage'.)
I want to show the users a custom ErrorDocument when they try to access without a valid Client Certificate.
The problem is that the site doesn't return an HTTP error code, but aborts the request, so I can't use Apache's 'ErrorDocument'.
The last part of ssl_error_log is this:
[Wed Aug 31 11:11:57 2011] [info] [client 192.168.2.156] SSL library error 1 in handshake (server url:443)
[Wed Aug 31 11:11:57 2011] [info] SSL Library Error: 336105671 error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate No CAs known to server for verification?
[Wed Aug 31 11:11:57 2011] [info] [client 192.168.2.156] Connection closed to child 1 with abortive shutdown (server url:443)
How do I return a valid ErrorDocument for this?

SSLVerifyClient optional
RewriteCond %{SSL:SSL_CLIENT_VERIFY} !=SUCCESS
RewriteRule ^/ http://localhost:8080/missing_cert.html [P,L]
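Added example (not the answer's own configuration): a complete <VirtualHost> that applies the same idea, but answers with a real 403 and an ErrorDocument instead of proxying to another port. The hostname, certificate paths and page name are assumptions.

```apache
<VirtualHost *:443>
    # Placeholder hostname and certificate paths
    ServerName example.internal
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key
    # CA that issued the client certificates (placeholder path)
    SSLCACertificateFile  /etc/ssl/certs/client-ca.pem

    # "optional" lets the TLS handshake complete when no client certificate
    # is offered, so Apache can answer over HTTP instead of aborting with a
    # TLS alert. A certificate that does not verify against the CA still
    # aborts the handshake; only "optional_no_ca" would let it through, with
    # SSL_CLIENT_VERIFY set to FAILED:<reason>, which the test below catches.
    SSLVerifyClient optional

    RewriteEngine on
    # Do not rewrite the error page itself, or the ErrorDocument
    # subrequest loops back into this rule.
    RewriteCond %{REQUEST_URI} !^/missing_cert\.html$
    # SSL_CLIENT_VERIFY is NONE when no certificate was sent and SUCCESS
    # when one verified; anything other than SUCCESS is forbidden.
    RewriteCond %{SSL:SSL_CLIENT_VERIFY} !=SUCCESS
    RewriteRule ^ - [F]

    # [F] yields a real 403, so a normal ErrorDocument can explain it.
    ErrorDocument 403 /missing_cert.html
</VirtualHost>
```

Apache does not allow comments on the same line as a directive, which is why every comment above sits on its own line.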

Related

SSL connection fails to Datapusher app through port 8800, with NGINX reverse proxy to Apache

I am installing the datapusher service for CKAN.
CKAN has been configured to use an NGINX reverse proxy that routes client requests, following instructions here. SSL certificate is installed and configured in NGINX.
When trying to use the datapusher app to upload a file, it fails and Apache log gives this error:
[Mon Apr 03 13:49:10.979179 2017] [:error] [pid 15468] 2017-04-03 13:49:10,979 CRITI [ckanext.datapusher.plugin] {'status_code': 403, 'message': 'An Error occurred while sending the job: 403 Client Error: Forbidden', 'details': u'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\\n<html><head>\\n<title>403 Forbidden</title>\\n</head><body>\\n<h1>Forbidden</h1>\\n<p>You don\\'t have permission to access /job\\non this server.</p>\\n<hr>\\n<address>Apache/2.4.7 (Ubuntu) Server at 127.0.0.1 Port 8800</address>\\n</body></html>\\n'}
When testing access to the datapusher's 8800 port through openssl this is the output:
[Mon Apr 03 13:49:10.981049 2017] [:error] [pid 15468] [remote 127.0.0.1:6855] Error - <type 'exceptions.TypeError'>: notify() takes exactly 3 arguments (2 given)
open:/etc/ckan> openssl s_client -connect 127.0.0.1:8800
CONNECTED(00000003)
140385459791520:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:794:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 275 bytes
The datapusher docs give a workaround for bypassing SSL here, using the SSL_Verify config. I tried this and there was no change.
I think that I need to either:
1. Force the nginx reverse proxy to allow SSL connections through port 8800 (in addition to 443). Or...
2. Configure ckan/datapusher/apache/nginx to bypass SSL/https on port 880.
Any suggestions?
I believe the 403 error is at the point that CKAN sends a request to DataPusher to ask it to load a particular resource. DataPusher is running on Apache only and thus is on HTTP (not HTTPS) so there should be no issue with SSL. Check your CKAN config is the default:
ckan.datapusher.url = http://127.0.0.1:8800/
DataPusher's SSL_VERIFY setting is for a later request - when datapusher makes a request to CKAN at ckan.site_url, which for you will go via nginx over HTTPS. You may need this setting, depending on whether the SSL in your python is compatible. Reading the code it suggests you need quotes and make sure the key is all caps. i.e. in your datapusher_settings.py:
SSL_VERIFY = 'False'

Apache 2 error log only shows the error message "0"

For a few days now, my Apache 2 error log has been showing a lot of messages like the following (IP addresses and URIs redacted):
[Thu Dec 12 13:46:42 2013] [error] [client 111.222.333.444] 0
[Thu Dec 12 13:52:27 2013] [error] [client 222.333.444.555] 0, referer: http://www.mydomain.com/
[Thu Dec 12 13:52:27 2013] [error] [client 222.333.444.555] 0, referer: http://www.mydomain.com/
[Thu Dec 12 13:53:54 2013] [error] [client 333.444.555.666] 0, referer: http://www.mydomain.com/subdirectory/
[Thu Dec 12 13:46:42 2013] [error] [client 444.555.666.777] 0
[Thu Dec 12 13:54:07 2013] [error] [client aaaa:1111:2222:ffff::] 0, referer: http://www.otherdomain.com/subdirectory/
What is this 0? There are no other messages shown (besides sometimes some other, normal messages, but very rarely).
The IP addresses are both IPv4 and IPv6. I checked the access log for the same date/time and IP addresses. Most of the time, there was an access at the exact same moment from this IP for different URIs on my webpage. But sometimes, there wasn't an access according to the access log.
It's a shared hosting environment, so I can't access the Apache settings (but I have ssh access to my home directory if this helps). I already googled and searched the Apache documentation, but didn't find anything (it's hard to search for "0"...)
/edit: I also asked the webhoster, they said they don't know what's causing it. I cross checked it with the Apache access log, these are requests to PHP scripts (mostly Joomla), but also requests to images as well as JS and CSS files. So I assume it's not a PHP script which is causing this.
If your error_log directive is unset, errors will be written to your Apache log file for the current VirtualHost.
So double check your PHP configuration (php.ini) or write a simple page with phpinfo().
If this is true, you should look inside your code (maybe even into index.php).
Pay attention to this: usually there are two separate php.ini files, one for Apache (/etc/php5/apache2/php.ini) and one for the CLI configuration (/etc/php5/cli/php.ini).
Please also consider that, if you want to change your PHP configuration, you can use the ini_set function.
ini_set('error_log', '/var/log/php/error_new.log');
Remember: the destination directory must exist and your web server (or PHP engine) must have permission to write into it.
error_log format is not customizable, I suspect that it can be set to some higher level: debug or trace, where it can produce additional information.
Also please take into account, that error_log contains debug info from CGI/PHP/Perl scripts, so that 'zero' can be produced by some script that executed through apache as its module.

Setting up Apache to use an internal Proxy Server (Proxy Chaining?)

I have a situation where I need to route requests to Apache through an internal Proxy Server before redirecting to an external Site. The setup is something like this:
Browser Request --> Apache --> Internal Proxy Server --> External Site
Without the Proxy Server I accomplished the redirect using a rewrite handled as a Proxy ([P]):
RewriteRule ^/somepath/(.*) http://www.externalsite.com/$1 [P,QSA,L]
I found setting up apache behind a forward proxy which looked like it was what I wanted to setup, and suggested I try the following directives:
ProxyPass /somepath/ http://www.externalsite.com/
ProxyPassReverse /somepath/ http://www.externalsite.com/
ProxyRemote http://www.externalsite.com/ http://internal.proxy.ip.addy:8080
When I set this up I got a 503 and the following Apache log entries:
[Thu Apr 11 07:47:14 2013] [debug] mod_proxy_http.c(1973): proxy: HTTP: serving URL http://www.externalsite.com/somefile.html
[Thu Apr 11 07:47:14 2013] [debug] proxy_util.c(2011): proxy: HTTP: has acquired connection for (www.externalsite.com)
[Thu Apr 11 07:47:14 2013] [debug] proxy_util.c(2067): proxy: connecting http://www.externalsite.com/somefile.html to www.externalsite.com:80
[Thu Apr 11 07:47:14 2013] [debug] proxy_util.c(2193): proxy: connected http://www.externalsite.com/somefile.html to internal.proxy.ip.addy:8080
[Thu Apr 11 07:47:14 2013] [debug] proxy_util.c(2444): proxy: HTTP: fam 2 socket created to connect to www.externalsite.com
[Thu Apr 11 07:47:35 2013] [error] (OS 10060)A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. : proxy: HTTP: attempt to connect to internal.proxy.ip.addy:8080 (www.externalsite.com) failed
Nothing was logged in the proxy server logs, and I know the proxy server works if I set it explicitly in the browser and load that externalsite.com
Any thoughts?
Ended up being a vmware IP address issue when connecting to the proxy... The above directives do seem to correctly proxy apache through to the proxy server.

My repository access died when I used CVS2SVN?

I had a problem running CVS2SVN on my server. I have run it successfully before but I got a sort error in pass 5 so this time I added a sort option that pointed to a sort program on my system. (sort="C:/cygwin/bin/sort.exe"). It worked great and CVS2SVN appeared to complete successfully. So I went to my desktop to check out the files (svn co file:///C:/repo_name) and I got this error:
svn: unable to open an ra_local session to url. svn: Unable to open repository 'file:///C:/repo_name'
When I tried to access my other repositories I got the same message. I checked the Apache log file and I found these messages:
The Apache2.2 service is restarting. Starting the Apache2.2 service.
The Apache2.2 service is running. Init: Session Cache is not configured [hint: SSLSessionCache]
[Wed Oct 26 15:37:33 2011] [warn] pid file C:/Program Files (x86)/Apache Software Foundation/Apache2.2/logs/httpd.pid overwritten -- Unclean shutdown of previous Apache run?
[Wed Oct 26 15:37:40 2011] [error] Internal error: pcfg_openfile() called with NULL filename
[Wed Oct 26 15:37:40 2011] [error] [client 147.16.148.223] (9)Bad file descriptor: Could not open password file: (null)
[Wed Oct 26 15:38:37 2011] [error] [client 147.17.209.173] (20014)Internal error: Can't open file 'c:\projects\svn\format': The system cannot find the file specified.
[Wed Oct 26 15:38:37 2011] [error] [client 147.17.209.173] Could not fetch resource information. [500, #0]
[Wed Oct 26 15:38:37 2011] [error] [client 147.17.209.173] Could not open the requested SVN filesystem [500, #720002]
I have found that if I log on to the server I can check out the files, but when I try to check them back in I get
Error: Commit failed (details follow): Error: Could not open the requested SVN filesystem
Prior to this, I had been trying to get SSL certificates working on my server and had been changing options in my Apache httpd file. It is currently set to the bare minimum with only one Virtual host *:80 and the following:
<Location /svn >
DAV svn
SVNListParentPath on
SVNPath "c:\projects\svn"
AuthName "Subversion repository (Basic)"
AuthType Basic
</Location>
<Location /webSVN/>
Options FollowSymLinks
AuthType Basic
AuthName "Subversion Repository (web)"
</Location>
I commented out the Include ssl.conf line that brings in all the SSL settings.
Please help! I need to be able to access my repositories from my desktop!

openldap and root password

I recently changed my root password, but when I restart LDAP (openldap-2.2.13) I can't log in with LDAP users to any application that is on this server.
In /var/log/httpd/ssl_error_log I can find a lot of errors like:
[Tue Jun 01 02:27:24 2010] [warn] [client 89.138.98.214] [26762] auth_ldap authenticate: user foo authentication failed; URI /svn-clients/clients/myclient/ [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]
I guess there is a linkage between user root and the LDAP configuration. I also changed the rootpw entry in slapd.conf, but this doesn't seem to make things better.
The server is not running. I would restart on the commandline and immediately check for error messages in /var/log/daemon.log