la la la
but i want two variables being passed
doesn't matter
/whatever/can/be/long/too
so i should do it like that then separate the string into two strings in my php
and that way you're not restricted to having only 2 parts, there's as many as necessary
yep
annoying having to do that, but i guess if theres no other way
php, however sucky, is a better place to do string munging than mod_rewrite in htaccess
it's not the only way, just better than what you've got imho
http://wiki.apache.org/httpd/Rewrite/Common/VirtualHandler
why the slap spazers?
where's my lighter gone?
php, however sucky, is a better place to do string munging
nes pa?
you used php webhosting and better in the same sentence... :P
hey guys.. i'm using proxypass to redirect requests to my python webserver.. but it's adding expires header to it
which is causing issues with the dynamic pages.. how can i disable it from doing so?
php is almost but not quite entirely unlike a programming language? oh wait, that's hitchhikers, and doesn't include better.
noodl can u explain this please
heh
Action foo-action /script.php virtual
:p
SetHandler foo-action
:P~
heh
foo-action is where the folder name goes?
Oh, I'll tell you where the folder name goes...
lol
hehe
foo-action is an arbitrary handler name
ah i get it
it's just the name of the handler
that doesn't explain how i do it though
I need some biased opinion here, people.
blame php
PHP should be presumed to be at fault until conclusively proven otherwise. And even thereafter, if it's convenient
did you say you were using 1.3? excuse my memory please, the beer's catching up with me..
Your modem doesn't speak English.
debian suxors
that sort of thing?
excuse
The Token fell out of the ring. Call us when you find it.
start a holy war
pine sucks! use mutt, fool!!
start a holy war
You geeks should get off of IRC and have actual human relationships. But, I know you can't.
ouch
Smack!!
step zero
step zero is to insert a linux or BSD CD
there's a few to be getting on with
that's hitting below the belt fajita
you wish she'd hit below the belt
:P
heh
jpeg
jpeg is gonna be down this weekend... you up for lunch on saturday?
it's the leet version of apache
not too hard.
o_o
you wish pradalover would hit you below the belt
oh, factoid changed
who did what now?
as in the 1337 version
what happened to the big nerd from st. louis?
megaspaz got decked by a girl?
unsurprising.
wow... that was when jpeg came to cali and we met up with chipig
blame megaspaz
Why bother when we take that for granted
what's next?
next is making a non-existent subdomain map to www ...
fajita blame bill gates
what?
fajita blame windows
huh?
boring
anyway
blame
blame daveman
fajita++
huhu
heh
no blame can ever be rightfully attributed to myself.
blame just deflects off my icy walls
megaspaz :P~
as that page says, you're a stinky hippy and you can't use the virtual argument to Actions
Action rather
megaspaz, do you go out much [anymore]?
hrm...
define much...
:P~~
-_-
yeah, so we were asked for biased opinions, and I'll bet we disqualified #apache as worthy of giving serious informed arguments...
are you a working slave too much these days?
ah that...
huh what?
jpeg, oh, is this in a serious context?
or just another facet of the blame game?
um... yeah.. i think so... at least until i get a first born to sacrifice...
o.O
¬_¬
blah
*shrug*
I'll SWING by and abduct you and take you out to lunch or something
so we can assign blame to everyone else, and whatnot :P~
I need some biased opinion here, people.
good old lunchbot
dunno what that was about...
hilarious?
I think that's efnet's topic
PHP vs. Ruby on Rails vs. something
I want to start web development
oh shit, he's actually here!
yay!
oh. modperl ftw!
rails
rails is getting a lot of good press. I've rolled mischko's own from some custom code and pieces laying around.
noodl can u do it for me
black people ftw!
big nerd from st louis? I resemble that remark.
ah
another one
rails rails rails!
you too, arreyder?
hmm?
jpeg held that title
*holds
nigga, what?
:o
Daveman--
I moved here (iowa) from there the first time I came here
huhu
Daveman+++
Maryland Heights, out by MasterCard and Ozzy's
oh shit, someone's messaging me
:o
arreyder, ah yes, I'm in richmond heights. small world.
yup
I miss Delmar loop
probably sucks now anyway
yeah, it's ok.
seems that the php channel is too busy, what php monitoring tools would you guys suggest i take a look at?
it's frickin hot here.
it's been 10 years or more
do what sorry?
I was a loop rat in those days, or a little before. I was a cicero's regular.
can u tell me the exact command i need please
ubuntu-rocks1: they're probably ignoring you on purpose
0am and i'm
i can't think
thought i had already.. Options MultiViews but that will probably require changes to your script, as discussed
thumbs - hehe! it wasn't a silly question, i promise!
might be set anyway. try disabling your rules and try /tunes/bleh
ubuntu-rocks1: I beg to differ
they ever get that MTA lite rail going?
this open source stuff can be fun but frustrating also
ah ok i can see this requires effort on my part so i'll go to bed and do it tomorrow, thanks
ubuntu-rocks1: yep, just step away now and then. take a break
really tired cos it's almost 4am
nn guys
nite Saberu
everything you google is always almost 100% of what you want, you have to do a lot of searching for error messages i find. just wish i had more experience with this stuff. i'm IT support and our main web guy left in jan this year. i pretty much had to pick up the pieces
never have enough time to get really versed in what's under the hood, just know enough to support the setup! just trying ubuntu, probably switching from gentoo as i had a hell of a time trying to compile the kernel with iptables
support, never got it working!
night Saberu-sleeps
see you in .th, wibblies out :p
then along came feisty, 20 mins and i have iptables pre-installed!
!google wibblies
Google Returned 550 Results for wibblies, first 1:
wibblies.com: http://www.wibblies.com/
http://books.lulu.com/browse/search.php?fSubmitSearch=1&fSearch=(keywords%3Apoetry)&fPageNumber=536&fKeywords=poetry
I'm trying to migrate 164 of our domains over from Apache 1.3.x to 2.2.3. I'd like to "offline" all of the sites, until we migrate them one-by-one. Is it possible to set a catchall so as we migrate sites, we can turn them on one-by-one on the new server?
megaspaz, it's been a long day so the brain is overloading!
default vhost
The first-listed virtual host is always the default one when using name based virtual hosts. See http://www.onlamp.com/pub/a/apache/2004/01/08/apacheckbk.html for more details.
^^
thumbs, Sure, but let's say I migrate 10 of the sites over... how can I then tell that catchall to ignore those 10, and pass the requests to the now-updates sites on the 2.2 box?
cause you already migrated them
Uhm... ok, no.
Let me try rephrasing this again.
you dont have to tell it, only the undefined servernames will hit the default
Apache 1.3.x)
For 164 domains. Let's say I flip that Squid config to point to the 2.2.x box.
Now every single domain host request is a 404
Now every single request is a 404
flip the squid last!!!
megaspaz, Because I'd get about 90,000 404's per-minute.
not if you migrate right
I can't migrate them without making the flip public, because there's no way to test them
wow
[computersolution] if your table is in the red for "overhead" does that mean your running out of space?
Exactly
you betcha
test internal with hostfiles
ewww...
ok... /me leaves setuid to his own delusions
megaspaz, I'm afraid I'm not following you then.
of course you're not
If I flip squid last, there's no way to test that the migration is a.) hitting the right box (i.e. I'm going to be shutting down squid on the 1.3.x box, using the one on the 2.x.x box)
Using hostfiles is completely unmanageable in this situation, for this number of domains and subsequent vhosts below those domains
Bleh, I'll just set the default vhost on the 2.2 box to be a "Sites under migration" page, point squid to the 2.2.x box, and migrate one by one, restarting as I go, to point to the new vhosts I add to the 2.2.x box
you do that. buh bye.
How can I redirect all ErrorDocuments to that default "Site Maintenance" page?
Just point ErrorDocument 404 maint.html?
and so on?
that's one way. another would be AliasMatch if you've got content you want hidden
Ah, good idea...
rails uses rewrite for this.. RewriteCond /maintenance.html -f // RewriteRule . /maintenance.html
AliasMatch ^/.* /index.html
AliasMatch
Ow! Quit it, arreyder!
sorry!
You will be!!
fajita, shush
aside from nagios, what apache monitoring tool would you folks recommend?
munin
munin is http://munin.projects.linpro.no/ and a nice network monitoring tool
mod_status
mod_status is http://httpd.apache.org/docs-2.0/mod/mod_status.html or http://httpd.apache.org/docs/mod/mod_status.html
apachetop
apachetop is http://www.webta.org/projects/apachetop/ ask me about "Realtime Apache monitoring tool Apache top"
thanks guys
what happened to the scheduled flame fest pauliukas enquired about?
eh?
pfft, i was looking forward to that
start a flame war
pine sucks! use mutt, fool!!
start a flame war
I love my new Macbook! I should have got this years ago!
why that was tame...
start a flame war
linux is for windows haters. bsd is for unix lovers.
gryzor++
flame
sorry...
uhh
cheetos
huh?
fajita
i am a she.
taco
a
ftp
ftp is Fire The Pillock who let that get anywhere near the server
what does she mean by that?
nevermind, let me ask this question...
Can someone become knowledgeable about networking (to the point that they're definitely not considered a noob and have a fairly good reputation) without taking any sort of classes?
Relying pretty much on google alone
and of course a server, LAN, and an internet to practice on
and a router
a router is like 20 bucks
certainly, I'm self educated in all things dealing with 1's and 0's
you mean all computer-related things?
hehe
networking is the only thing I'd claim expertise in though
no, arreyder taught himself binary arithmetic
heh, that also :P
Can you tell me about how you learned about it? Some common sources, how long it took to reach the point you're at, what you did for practice, what to focus on, etc.?
and please don't just say "google.com"
I know it's tempting
lol
infinite curiosity for how things work, and I took a lot of things apart
physically took them apart or analysed things?
there was no google, I didnt even have internet
oh
books, and tinkering. lots of trips to the library
hmm, ok
forestry degree here
I didn't think about going to the library, I just always went to Barnes and Noble
yeah
libraries are great for free stuff
yep free computer access even
Do you recommend any specific book about Networking?
networking for dummies? :P
yeah, hang on
http://www.kohala.com/start/tcpipiv1.html
all these are great, and rici agree so I must be right
hah, they are green and they grow...
good enough.
good enough is !not perfect but it is good enough
failed astrophysics degree
is that not-not?
!not?
no
wow
I had figured that if I accessed the machine in my lan from its DNS name, it'd be treated as an incoming connection from the internet
-- failed physics degree also
it's notnotnot
haha that's good to know
well, didnt fail. said "F this! too hard!" in my 4th year
I attended one year at a community college on my associates in general science but haven't been back
1st year.. couldn't keep up with the maths
lots of crazy stuff happened that got in the way
got an accidental math degree out of it though
haha that's nice
mmm... maths
the calculus just got way weird
what's the highest math you took?
it gets weirder... ;-)
yeah it did, and at first it sucked. then it just all clicked in calc 4 one day
calc 4?
jees
I haven't gotten past trig
probability uses a lot of calc... funny that prob was required and i haven't used it for jack shit since...
nor calculus for that matter...
how old are you if you don't mind saying?
dang two nights in a row.
hehe
lol
i said last night, you didn't
younger than rici who is old as dirt
or instead, how long have you been learning about networking/'computers'?
younger than niq who if you could tell age by the color and size of one's beard, he'd be like 100...
26 years in july since I first put my fingers on a computer
you leave niq's beard alone!
arreyder's a friggin' welp
:P
or I started young
c'mon... it's there for the taking... :P
my apache is running as www-data, but it can't access ~qiyong/public_html, how can I get around that?
mine
mine is work
userdir
userdir is http://httpd.apache.org/docs-2.0/mod/mod_userdir.html#userdir or http://httpd.apache.org/docs/mod/mod_userdir.html#userdir or See userdir
without ~
public_html
public_html is http://httpd.apache.org/docs-2.0/howto/public_html.html
well then I've got plenty of time to catch up
chmod o+x ~qiyong
no!
ok
yes...
yesno!
heh heh
noodl, i don't wnat that
noyes!
maybenoyesno
permissions
Files need to be readable by the Apache user (e.g. 644). Directories and scripts need the X bit too (e.g. 755). That includes *all* parent directories of a resource. If you have a symlink, check both the source and target. If you have AllowOverride for an unreadable directory, the error message
will refer to .htaccess. See also selinux
make sure that dir tree and files are read able and the directories executable for the user www-data
then i guess you really don't want to access ~boogerfoo/public_html...
only alternative is chgrp www-data ~ && chmod 710 ~
possibly a better alternative as well...
noodl++ # chock full of good idears today
yesno
heh heh
I'm not that old. 37. My brother gave me his timex sinclair when I was 11. I got my own apple ][e a couple years after that with paper route and lawn mowing money
so there :P
now forget all that.
*poof*
lol
no long term storage so you had to program everything every time with those tiny rubber keys
tapes!
cassette tapes even
one of my earliest memories is sitting in the back of a car programming aquarius basic on a steamed up window
yeah, it had tapes
or rather you could play it tapes
10 LET SOMEFOO EQUAL "bleh"
I remember typing in lines for hours on the membrane keyboard typing in plot and hplot statements to make a picture
and off it went
fun
then when I asked my brother how to save it, he said you cant
hahaha
on my Ubuntu machine, it says in the top right that there is no network connection, though there is; I'm using the internet
it's been like that for days
it's monitoring the wrong interface
I need to use the rewrite engine, someone has given me some rules to add, where would I add them?
you using dial up?
ie, which file (using apache2)
no, ethernet
created equal
or VirtualHost, for example). Put directives somewhere that makes sense to you, and where you will be able to find them next time.
right click on it, see if you can change it to monitor eth0
or use ifconfig to figure out what interface you are using for sure
I know I'm using eth0, but I don't see anywhere it lets me change what it's monitoring
Connections, General, DNS, and Hosts
I was just guessing at being able to do that. #ubuntu folks could probably say for sure how to do it
oh well, it's not really bothering me, I was just curious why it said that
when I put "rewriteEngine on" in the config apache fails to start
what's the error say?
Invalid command 'RewriteCond', perhaps misspelled or defined by a module not included in the server configuration
well then load mod_rewrite
but I did add "RewriteRule" just a line above,
hey guys.. i'm using proxypass to redirect requests to my python webserver.. but it's adding expires header to it
which is causing issues with the dynamic pages.. how can i disable it from doing so?
mod_header
mod_headers
mod_headers is http://httpd.apache.org/docs/2.2/mod/mod_headers.html http://httpd.apache.org/docs/2.0/mod/mod_headers.html http://httpd.apache.org/docs/1.3/mod/mod_headers.html
i think... anyway...
hmm
actually, how would I 'load' mod rewrite?
what distro are you using?
so i should use mod_headers to remove output of mod_proxy?
er... dunno
just the first thing that popped into my head
seems like that should do what you asked
whether it's right or not... meh...
T`: yes. use mod_headers to unset them
T`: are you certain mod_proxy is setting those headers though?
T`: either way it can unset them, but I kinda doubt it is the origin
what programming languages do you know well?
fortran, c, pascal, rexx, perl -- dont bother with any of them, cept perl.
I'm more of an admin these days. I just code for utilities and fun.
I learned C, though I haven't used it for much or practiced with it too much
i think every one else around here does the hard core dev thing
I heard Python is good; I got it with Ubuntu
better to consult with them on stuff like that
I like the interactive part
oh, tcl, cant leave that out
what's that?
korn...
can I reload the apache config without restarting?
ie killall -HUP apache ?
tool command language
what can you do with that?
tcl is http://www.tcl.tk/
and Perl
Check out #perl or http://www.perlmonks.org. To test a perl script, use \\ at a shell prompt. DO NOT use "perl scriptname.pl" as, that will mask shebang errors. .
perl can do anything...
apachectl graceful
apachectl graceful is how you restart apache without dropping any client connections. Workers in keepalive will retain old config until they time out. Be patient, or set KeepAliveTimeout lower
is it like Python?
and has been asked to do way more than it should be doing
lol
yeah yeah I know I'm a noob
bear with it please
it is in that it is an interpreted language i guess
not compiled, not sure if interpreted is the correct term
it is
arreyder, hi... well i checked headers coming from localhost:8080 and they didn't have the expires header
arreyder, then i looked at the mod_proxy one and it had it..
T`: never would have guessed that, should be able to unset them though with mod_headers
arreyder, and the rfc says a transparent proxy can add expires header but has to set it to the current time
arreyder, but issue is some users clocks are backwards, etc..
arreyder, so its causing issues
T`: this is not transparent though
arreyder, oh.. do you think its a bug? the apache is pretty old i think
but still a proxy could set them
T`: nah just me never noticing it before, I'm going to have to have a look now myself
Apache/1.3.33
arreyder, do you want to take a look at my config please?
sure, real quick, bed time
T`: what I am looking for?
wibblies!
arreyder, anything wrong you see?
arreyder, i mean i'm just trying to see why the headers are getting added in the first place..
heh
heh, easier for me when you tell me what is broken. I'm not that good yet.
yea the config doesn't complain..
ok, no then I dont know why it is setting them. but I know how to remove them
arreyder, do you have a sample config which can do that?
which headers you want banished into the nether?
expires
expires is a hint to the client about when it should next request the file
T`: Header unset expires
after making sure mod_headers is loaded
If I have two rewrite rules, and a rewritecond that goes with each, how do I tell apache which cond goes with which rule ?
minerale, look at my example in that link i posted
value" let me check
i cannot recall if you need the rest
hmm, just the expires for unset
then..
that might help with removing expires only on webpages
sleepy time
thanks! night
welcome, g'luck
hi
so i have a very weird problem i never experienced before
we have a moderately high traffic webserver here that has started to freak out today
And?
it just stops answering requests
the load on the server goes down, cpu goes unused and the server doesn't ACK TCP connections on port 80
very weird
if it was a load problem, i would expect the server's load to go up and cpu or memory to be consumed, but that's not happening
Running out of available ports?
(and god knows we've had load problems)
TTL too high?
ttl? dns ttl?
You probably need to poke at sysctl
you know a good resource for dealing with this? i digged through the (really old 1.3) docs on httpd.apache.org but couldn't find much for linux
debian gnu/linux sarge, to be more precise
bunch of goodies for my ol' friend freebsd though
sysctl -a and try some lower-level socket optimizations
Can you reproduce it?
koumbit.org has been flashing all day
hit it iwth ab
*with
i need to keep sitting down in front of it and hit /etc/init.d/apache restart every five minutes
no need to ab it
oh, i know what i'll do... there's a dns server on this thing
two, even
i'll take them off, surely that'll help?
step one
whatever the problem, step one is to look in the error log (and any other logs that may apply, such as suexec, mod_rewrite, or mod_security).
yeah... i stared at the error.log for a while, nothing there
well, "nothing"... when there's nothing, it means the server host is dead again and i need to restart it
blame php
PHP should be presumed to be at fault until conclusively proven otherwise. And even thereafter, if it's convenient
mod_rewrite's internal redirect status: 0/10.
haha
yes, it's probably php
php4 + apache 1.3
a backport even
god i hate this thing
i find setuid directions interesting though... but i don't know where to start... sysctl -a is a bit crowded...
http://www.spec.org/mail2001/results/res2002q2/mail2001-20020506-00018.html
you've checked obvious things like full filesystems?
you can't fix a problem without knowing what it is.. try LogLevel debug in apache in case it's apache's fault, or otherwise try a network sniffer like wireshark what it's geborkened
http://rafb.net/p/ppHf1x17.html
s/what/when.
http://www.shell-tips.com/2006/11/25/fine-tuning-a-linux-apache-mysql-php-lamp-server/
ep
this is a heavily loaded webserver, wouldn't running with loglevel debug be ill-advised?
yep
tcpdump is also not really practical...
anarcat, Not while debugging
okay, anarcat.
do you have mod_status? anything unusual in that display?
hung children, perhaps?
i'm really open to suggestions, but I just hosed the server 3 hours ago by trying to bump MaxClients up (i thought that users were stuck in the queue...)
good idea, i'll look into mod_status again
http://stats.koumbit.net/koumbit.net/homere.koumbit.net.html
what happened when you bumped maxclients?
oh, the monitor broke...
ran out of memory?
the server got overwhelmed, load jumped past 300 and nothing responded anymore
premature optimization
excuse
premature optimization is a curse
Your modem doesn't speak English.
some brave sysadmin was able to run a killall apache that took about an hour to take effect while another was running to the datacenter
bunch of fun
sounds like you've got a cgi or php script or something hanging
i optimised this server to death, but the hardware configuration changed recently (more ram and less vservers around) so i thought maxclients was needing another boost
oooh, there's a lot of php happening in there
increasing MaxClient when you're running out of memory is exactly the wrong step..
we're not running out of memory, but of cpu, but anyways, yes.
It sounds like you're backlogging httpd processes
I doubt your server is as heavily loaded as mine, and we're handling requests just fine
A few thousand per-minute
we have around 3-4/s
is it permissible to have multiple ServerAlias entries in a VirtualHost block? I've got 16 different names I need entered in one block, and it would be easier on the eyes to put them on multiple lines.
yes
RainbowW, yes
ty
ServerAlias blah1 blah2 blah3
I do that to consolidate the domains
etc...
no i mean
ServerName blah.com
ServerAlais blah.net
ServerAlais blah.org
yes as setuid indicates
s/ai/ia/
megaspaz, You can chain them on one line?
you can do it all on one serveralias line...
yes yes yes yes...
megaspaz, i know you can but because of the length i don't want to do that :-)
iirc, you can have two different certificates on the same IP
use \
can any one confirm this? ^^
that's a line continuation character
no
can't*
that apache processes graph shows some down times but there looks like there was a long period of it working, is that for real?
yes, it's for real
zircu, no
and the recent blank is because the ssh tunnel just crashed
ah
this server has been running for years
zircu, Every public IP can have only one SSL on it
with increasing load
http://wiki.koumbit.net/homere.koumbit.net
it doesn't show you restarting it every five minutes
at least, not obviously
no
ah thanks for confirming that, i thought that was the case
it's starting happening like today
i suspect some kind of attack too...
zircu, there's no other way to do it
yeah, i was looking at that
like a syn thing
starting at about 1 p.m. wed
i'm not a security specialist, and there's a lot of noise...
setuid, that makes absolutely no sense. what do huge shared-hosting sites that run zillions of e-commerce shopping carts do about that?
RainbowW, They have public IPs
are those the times when it was "freaking"
RainbowW, http://info.ssl.com/Article.aspx?id=10076
about 1-3 p.m., and then a downtime at about 4
or was that when you increased maxclients?
that strikes me as insanely stupid
you can only have one SSL cert per IP
RainbowW, Think about it, there's physically no way around it
How is the originating request supposed to know which IP it came from?
you getting a sense of deja vu?
:P
they get lots of ip numbers
0 CRIT homere.koumbit.net HTTP CRITICAL - Socket timeout after 10
again
this question is almost as old as i am
rici, https vhosts?
yeah
anarcat, what is maxclients set to?
rici, I'm trying to find something @apache.org on it, to point Rainbow to
ssl vhosts
Its gotta be faq'd somewhere
When using SSL, each virtual host must have either its own IP address or its own port. Or both. or for details see http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html#vhosts2 or http://www.onlamp.com/pub/a/apache/2005/02/17/apacheckbk.html or see SNI or consider wildcard certificates or http://wiki.cacert.org/wiki/VhostTaskForce or see ip based
vhosts
Or that
is this the better room to ask questions about httpd?
75
do /topic and then ask that question with a straight face
thanks for the double reassurance.. i kind of knew this but wasn't sure if there was an alternative
well there are alternatives, but they are at the mercy of browser compatibility
http://rafb.net/p/k7gFcx17.html
so i guess the peak at midnight was you upping that value?
okay that slightly more detailed explanation makes more sense. it does, however, strike me as a likely place for improvement in the next version of that specification. :-)
ipv6 has got to be the answer
There's a module for ap2 that attempts to work around it
but that's a topic for a different universe
I forget the name
oh no, i'm not going there.. i just want the same site be able to use ssl, we have valid crs files and on top of things it will only be a temp solution
no
i don't know what that peak is
it's weird then
oh wait
i upped the maxclients around 20h30EDT
you could try creating certs with altSubject
i think those graphs are UTC, so yes, that would make sense
or you could try apache2.2 and mod_ssl with tls
(stupid timezones
okay, so the ssh tunnel is back
the stuff happening at 1-3 p.m. UTC looks like you were maxing out on children
hmm
if your hosts all have the same domain, you could do wildcard certs
so with 2.2 I'm trying to set up a load balancer with sticky sessions (I think by the TCP packets) to a set of machines, each with a local apache, jetty, and mysql instance. apache currently talks to the local jetty over mod_proxy_ajp.
i thought certs didn't allow wild cards
the load balancer isn't clever enough to detect if jetty fails though, so the apache servers are also going to have to do failover to all the other nodes if jetty goes down
eh?
you mean i was hitting MaxClients?
you can buy wildcard certs now
ssl vhosts
When using SSL, each virtual host must have either its own IP address or its own port. Or both. or for details see http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html#vhosts2 or http://www.onlamp.com/pub/a/apache/2005/02/17/apacheckbk.html or see SNI or consider wildcard certificates or http://wiki.cacert.org/wiki/VhostTaskForce or see ip based
vhosts
^^
the complete factoid... :P
so I was looking for something like that in mod_proxy, but the documentation isn't really that great unfortunately
1. is there a way to say 'this server, if its down go over here, and keep trying to go back'
megaspaz, What's that other module though, there's some trickery to use one public IP and get more than one ssl vhost
I can't remember the name, but we talked about it here about 2 years ago
shit
shit is solid excrement... please don't use such language!
my irc logs go back that far, but I can't remember the right strings to grep
you expect me to remember something 2 years ago?
hahahah
2. can I do sticky sessions if that happens based on some tcp or ssl value rather than requiring a cookie value
yes
and I already looked at the error log ;-)
if you look at the netstat graph, there's some correlation
but not with cpu
so you're maybe being targeted with a DoS
that's what i thought too
have you looked for patterns in your access logs based on those times?
well, i've seen a lot from google, proxad and some china thing
too bad you're not running freebsd
i thought the china guy was bizarre
yes
you could put in an accept filter
thanks!
i've gotten dos's from china
accept filter?
accept filter is run before the OS informs the app (Apache) that there is a new connection.
they control stuff going in but aren't too picky about stuff going out
hehe
all my attacks come from china, korea, and germany
hey, how do i figure out what modules are installed on my box?
when i start apache2 i get a warning that it can't reliably determine the server's fqdn. where is that set?
RainbowW, http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts2
httpd -M
httpd -M lists both statically and dynamically loaded modules for apache version 2.2 and higher
accept filter runs in the kernel and doesn't tell accept() -- i.e. apache -- that there's a connection until the first line finishes
i'm trying to figure out if i have mod-fastcgi or mod mod-fcgid
so that's a likely explanation... how can i figure out what the attack is?
it cuts down on DoS a lot
httpd -M or httpd -l
thank you
riiight... i remember that now
and if i don't have httpd?
what is phreaking?
phreaking is [from `phone phreak'] n. 1. The art and science of cracking the phone network (so as, for example, to make free long-distance calls). 2. By extension, security-cracking in any other context (especially, but not exclusively, on communications networks). At one time phreaking was a
semi-respectable activity among hackers; there was a gentleman's agreement that phreaking as an intellectual game and a form of exploration was OK,
...
well, i'm glad this channel's there
is there any reference for more sophisticated use of the 2.2 proxy stuff?
uh what?
does apache2 = httpd?
yes
egads... yes...
sorry, i am terrible at sysadmining
debian-- # renaming binaries and confuggling the newbies
yes, from what I've seen
however, there is still the possibility that some php is hanging
for example, it might be getting a delayed connection to a database
damn, i don't have fastcgi installed
well, mysql.koumbit.net has never been so good
then the connections will last longer so there will be more of them
right
and you'll hit maxclients and start dropping connections
how would you define hacking?
since the php is waiting, it's not consuming cycles so your cpu will go down.
in fact, we used to have problems with the server that mysql.k.n was on, then swapped out a bunch of services off of it and now it's happied
*happier
so that's definitely a possibility you should check
mod_status might help
http://stats.koumbit.net/koumbit.net/mysql.koumbit.net.html
if you saw, for example, a bunch of children in the same request
well, there was a spike on mysql, it seems
how can you tell which port a program is using?
hum hum
for example, AIM
sockstat -4 on freebsd, netstat -p -e -n -A inet -a on linux
what about windows?
hahaha
ok, so that's a possibility, rici
a clear one, even
can anyone help me install fastcgi? i feel like i'm out of my depth
it's not much, but i'll pay $15 (paypal)
what's the application?
instiki
http://www.gra2.com/article.php/install-instiki-in-apache-using-fastcgi
ruby.. k
yeah
which version of apache are you running?
Apache/2.2.3
debian
debian is "we complicate it for you so you don't have to" or see /usr/share/doc/apache*/README.Debian* or http://wiki.apache.org/httpd/Platform/DebianLike
hehehe
yeah, seems to be a peak on mysql conns at the same time as your apache peak
dunno, but it's certainly something to look at.
k, two steps. install the fastcgi devkit from fastcgi.com, then build mod_fcgid from fastcgi.coremail.cn, then install the ruby fastcgi gem (that's three steps but i can't be bothered to go back and fix this start of this line)
probably about all i can help you with, sorry. hope it helped a bit.
hmm, i didn't try out aptitude
just trying that
you helped a lot!
i think what i'll do is finish what i started some time ago which is to migrate all the remaining vservers from mysql.koumbit.net into our new servers and offload that
i need to keep an eye on apache on the other side at the other time
ok downloading devkit
./configure
./configure is used as part of a source build..
thanks... i had no idea
sudo make
shush
fajita is really fun :P
be nice to the bot
Yeah! Or I'll rip your arms off!
what does it mean when netstat says that the foreign host is MAINCOMPUTER:0
where MAINCOMPUTER is my computer's name, I think
sudo make install
ok step one done (i think)
at a guess that's a dns name for localhost
ok, downloaded step 2
i doubt netstat would come up with MAINCOMPUTER out of the blue, unless it's the doze version of course
i don't have a $mod_fcgid_dir set
funge the first line of the Makefile
builddir?
also not sure what my apache2 install directory is
/usr/sbin/apache2 ?
/usr/sbin/apache2 is the executable, but i mean the main directory
no, that's the binary
see:
distro layouts
distro layouts is http://wiki.apache.org/httpd/Info/DistrosDefaultLayout
bah
humbug
debian--
I want to know why a 64-bit Debian install, installs a non-threaded, 32-bit MySQL server
debian_packagers--
because debian package maintainers are retarded?
Correct!
What is correct depends entirely on what you're trying to do
They take the short bus to work
/etc/apache2/ then?
tias
tias is Try it and See - if you want to know if something will work, give it a go. If not, then you can ask why it didn't work as expected
i'm confused
not about tias, but i've tried a few directories without success
try some tea
i know i did
you're trying to build mod_fcgid at this point?
yes
what's "the short bus"?
it's the bus that the "special" kids ride
what's not working? build errors please..
hehe, there's short buses for most kids round my way
nym@hardsun:~/mod_fcgid.2.1$ make
Makefile:13: /var/www/build/special.mk: No such file or directory
*** No rule to make target `/var/www/build/special.mk'. Stop.
k, then you need to find httpd's build directory
no doubt debian hides it somewhere
ok, how do i do that?
Did everyone hear... Mr. Wizard is dead! ;(
is there a /etc/apach2/build ?
yes
no
Lots of people dying of/getting cancer these days
old news
locate special.mk
My wife works in Oncology Research at Pfizer, and she's amazed at how steep the rise in cases is now
RainbowW, Old? It was posted 5 hours ago
tried that, no results (even with updatedb)
debian--
isn't there a debian package for fcgi?
/usr/share/apache2/build/
dunno then, try #debian.. maybe someone there will have some clue as to which silly name they gave to it, or if they installed it at all
dunno
libapache2-mod-fcgid (oldstable: 1.05-1);
thinking of which.. is there perhaps a httpd dev package?
there is
i know
Speaking of debian--, check this out: http://rafb.net/p/bSbjxW36.html
That's from the MySQL 5.0 Server debian/rules file
ugh
I need to rebuild MySQL with proper 64-bitness
I need a bop-a-bush doll that is a debian developer
what's the problem with the rules file, out of curiosity?
(apart from the non-static build?)
well, would you look at that:
http://stats.koumbit.net/koumbit.net/homere.koumbit.net-netstat.html
bit red "failed" connexions
woo, 2,515 ftp attempts on our port 21 from a single IP in the last 10 minutes
lovely
huh?
Please state the nature of your computing emergency
cheese!
In the 1960s, the United States sent men to the moon. They discovered that it is not, in fact made of cheese. Nobody has been back since. Behold the power of cheese.
hehehe
/var/www/sites/code/.htaccess: Option Indexes not allowed here, referer: http://doxygen.pilot-link.org/files.html
But I put Options +Indexes in /var/www/sites/code/pilot-link/.htaccess
Why is it still barking?
ok so i'm making some headway
i'm getting this though
nym@hardsun:/etc/apache2/mods-available$ apache2 -M
Syntax error on line 4 of /etc/apache2/mods-enabled/fastcgi.conf:
FastCgiIpcDir /var/lib/apache2/fastcgi: access for server (uid 1001, gid 1001) failed: write not allowed
i assume the server is trying to write to /var/lib/apache2/fastcgi
chown 1001 /var/lib/apache2/fastcgi?
which is an empty dir
sure looks like it
it's owned by www-data:www-data
okay
AllowOverride Options
964B/s, 1h24m38s remaining
ugh... security.d.o is sloow
noodl, In which .htaccess?
anarcat, netselect-apt
uh?
what's that?
anarcat, It builds a sources.list that points to the fastest mirrors to your location
including security?
I believe so
Try it in /tmp/
ack
no.. the point of AllowOverride is to determine what can be done in htaccess files, so it can only be set in Directory blocks in httpd.conf
noodl, Ah
alrighty, night night time
see ya'll tomorrow
noodl, That didn't seem to work ;(
oops, I typod
there's no mirrors for security.d.o, btw
http://www.mirrorservice.org/sites/security.debian.org/
http://www.debian.org/mirror/ftpmirror
This archive is not an official mirror as debian does not encourage mirrors of their security archive. Sync's every six hours, keep the master site in your apt sources too.
well, it sure is faster anyways, thanks setuid
Sure
Migrating 164 domains and about 500 subdomains, is a pain in the ass
gallery here, wordpress there, drupal here, mediawiki there, mysql here, shell tools there, mod_perl here, blah blah.
eh
web sucks :P
Yes it does
i *think* fastcgi is installed
what's your paypal
i appreciate the help, even though i ended up going a different route
to set up a server like MySpace, how much disk space would the server actually need?
about 1TB
ryanCH, Several terabytes
really?
Don't forget those media files and hot/near-line backups
hmm
Why you'd want to build a site like PedophiliaSpace^WMySpace, I don't know
LOL
LOL "PedophiliaSpace"
I'm having trouble with apache (zomgnowaiiiii)
1.) whiny teenage girls, 2.) FBI agents posing as #1, and 3.) pedophiles hunting for #1, being caught by #2
Just set up a vhost for a rails application
It proxies to a cluster of mongrel servers
"We will have solar energy as soon as the utility companies solve one technical problem--how to run a sunbeam through a meter."
as I understand it, the way I set up the virtual host, it should only serve on elliottcable.com - but it's showing up on ANY url that points to my server (for instance, fxts.org)
hmmm
what file system should be used for a several terabyte system?
just several terabytes? I could host myspace! lol well at least hold a copy. no way I could support that kind of b/w.
*
zfs, buggy as shit
hehe
Let them work out the immediate showstoppers first
Anyway, anybody know what I should look at? Is this a common easily answerable pitfall?
You can see the problem by visiting elliottcable.com and then fxts.org - I can pastie conf if it'll help
elliottcable, "sorry, that subdomain don't exist"
I just changed it to that so it would at least load (I needed my open id to go through so I could login to the pastie)
Use rafb.net/paste
forget payment.. didn't take long enough
http://attachr.com/8146
vh stuff is towards the bottom
And so what is the issue?
... as far as I understand, lines 163/164 mean that nothing except elliottcable.com will read/run anything inside that vhost block
if that made any sense?
yet, other domains or localhost or my IP that point to the server all also show the app defined in that vhost
Do you have a default vhost block?
that's my whole conf right there
Then that's why
ah?
You lack a default virtualhost
How exactly do I set that up. What directive do I need?
Google answered me
http://answers.yahoo.com/question/index?qid=20070610031633AA9wMEj
thanks!
hello, do you guys see what's wrong with this rewrite rule? RewriteRule ^admin [L] index.php?class=admin
[L] should be the third argument
RewriteRule ^admin index.php?class=admin [L] like this?
yep
thanks
listening to the business end of the cure's pornography album.. must fight this sickness.
while i'm trying to set up a server to sell porn. so there you go.
... ?
haha
same RainbowW d-:
minus the sell bit
no reason to hassle with it if you can't make some money :-)
hehe
esp in the states where the laws are crazy
DirectoryMatch /path/.*/(a|b)
thank you very much
we all gotta make a living. i'm not in love with porn -- i just want to feed the family
and the jesus loves porn stars guys don't have a comeback for that
no judgement here.. each to their own. i just hope apache is a suitable server for such activities
playboy.com host an apache mirror, for which we're thankful
What do you do with a B.A. in English?
Would you like fries with that?
I can't pay the bills yet, cause I have no skills yet.
heart this song.
heard this song?
no.
sad )-:
heard The Internet Is For Porn?
and, a large site that you might have subscribed to (that i work for) pumps 400 megabits/sec with apache. so i'd say it's okay. :-)
crap. gotta love windows. (blah)
anyone know the easiest way to get SMTP working on windows XP, like is there a free smtp server i can point it to that doesn't require username or password
use your internet operators smtp server
lamp++ clockwork
smtp server relaying from anywhere without smtp auth is open relay and it's bad (short version)
other possibility is sending straight to recipients MX servers
though on consumer connections (adsl etc) it's (at least in this part of the world) common to block outgoing traffic to port 25 to any other host than the service provider's smtp server. actually that is required by authorities in Finland...
is there a good guide around for compiling apache?
I'm looking at the docs and a few things are a bit confusing, just wondering if there's a good explanation somewhere
I'm not sure about guide but ask if you have some questions?
ok, well I'm not 100% sure what I don't know yet..
I want to compile in the modules I need, I don't wanna have to load any DSOs
like mod_rewrite and whatever else I may need
why build-in modules?
Hi, i am running apache in front of tomcat right now. for a short time peak over a few days, i need a reverse proxy in front of it. considering performance would you recommend to use squid or use mod_proxy and mod_(mem|disk)_cache?
lamp, I heard it's faster than loading them at runtime
if they're compiled statically
Hi. I am running apache2 on debian etch. After 1 month it got really slow, and this happened once before. After restart it works. Has anyone had similar experience?
I doubt that one never notices difference in real life. DSO gives you a lot of flexibility, I would rather compile everything on DSO and then load only the required modules
I was only planning on compiling the ones I needed
I'm also compiling it with suexec, which seems a bit complicated
do all the suexec config options get specified to ./configure as well?
if that's your choice, go ahead. hopefully you don't need changes to modules frequently. I haven't used suexec much, but at least --enable-suexec is needed
yeah, and I won't need to change modules
I just want a really basic apache, it will be serving one purpose on a high-traffic server
if that's how you want to build it, then you can take a look which modules are built if you don't set any --enable/disable arguments (except one for suexec), then add few --enable/disable-mod's if needed
cheers
re
hey jMCg
jMCg is very wgron
jMCg is very rhgit
morning all
Morning Roobarb-Work
howdy rhubarb
back on track?
he decided to commit suicide, after talking with you yesterday.
understandable
arghl now i get forbidden
forbidden
look in the error log or Directory permissions don't permit read, or index.html is missing and Options Indexes is not in effect, or Deny from all is in effect for the directory. Look in the error log http://www.onlamp.com/pub/a/apache/2004/04/22/apacheckbk.html
no please, not again
no noob support here please....
i dont want that theme 3 days in a row, then i really get nuts
pay attention to fajita
Yeah! Or I'll rip your arms off!
you damned n00b
:P
'sup?
jMCg++ # :P
nothing, just that all the last plans didn't work.. with the proxypass i get the problem that it DIRECTLY says forbidden
it seems that the user request isn't passed through
block?
with the proper stuff in it, of course?
Allow from all, for instance.
would you like to give short description about the problem?
oh.... not really... but i do other proxypass which works fine, do i need something special?
oh hardcore...... "short"
http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#access
right....
yeah
wait
ok now i dont get forbidden
i just get the svn
but not as svn hrhr
http://paste.debian.net/30443
you said yesterday some lines could be unnecessary?
can anybody help me to get a SSL certificate to work with apache2? any guides?
ssl
ssl is *Secure Sockets Layer. Ask me about mod_ssl or ssl vhosts see also http://httpd.apache.org/docs/2.2/ssl/
mod_ssl
mod_ssl is http://httpd.apache.org/docs-2.0/ssl/ or http://www.modssl.org/ (for 1.3) or http://httpd.apache.org/docs-2.0/mod/mod_ssl.html or http://cvs.apache.org/~mads/ac2004/MO18mod_ssl.pdf or see mod_gnutls for an alternative
ssl vhosts
When using SSL, each virtual host must have either its own IP address or its own port. Or both. or for details see http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html#vhosts2 or http://www.onlamp.com/pub/a/apache/2005/02/17/apacheckbk.html or see SNI or consider wildcard certificates or http://wiki.cacert.org/wiki/VhostTaskForce or see ip based vhosts
lots 'o reading for you
^
this proxypassing to same vhost sounds little hairy
yango, :-)
yango, can I find a page with a guide?
look at the links fajita posted
which part of SSL is causing you trouble ?
I havent start yet :-)
Hi
bonjour, Vapula.
well, short of creating a certificate, take a look at http://www.linux-corner.info/httpd.conf
oh, bonjour
my plan is to run a certificate on my RT webpage
LoadModule context
server config
is there any place you would prefer to create a certificate?
I have a nice issue, where Apache2 vhosts indexes are either php or cgi. When I access http://myserver/index.php, all is well and the php file is interpreted; however, when accessing http://myserver/ it gives away the source of index.php. Is this a common issue ?
?
is Apache bound to my LAN IP ?
line 34
no, its run on *:80
https:// is port 443 by default
you could also put in a proxypass in the macro: ProxyPass /$Name http://svn.scrubs.wbx/svn/$Name with corresponding reverse
Roobarb-Work, ok
then you don't need the ProxyPass /svn/ !
anyway, i gtg
It would be very easy if I could find a site that has a guide on how to integrate an SSL certificate...
thanks everyone
finally, the problem was a stupid bot looping on php/mysql intensive pages
we blacklisted it using a crude rewrite rule
http://wiki.koumbit.net/ApacheBlacklisting
thx, i try that
umm, the config I pasted is a fully working SSL website with an automatic redirect from http:// to https://
Roobarb-Work, iam looking at it ..
but how should create a certificate?
or request?
request is to their local DNS server; it at no point goes over the public Internet
would you, in one sentence, describe to me EXACTLY WTF IS GETTY'S PROBLEM..?
LOL
..because so far, I didn't manage to understand it from his descriptions...
i want my svns under http://svn.wbx/$svnname
I just know 302 here, 403 there, 301 over here, proxy here and some other stuff yet somewhere else.
i dropped the SVNParentPath idea already cause that is definitely technically impossible
you have 2 options. #1) Buy a certificate from somewhere like Verisign or Thawte, or #2) USe a "self-sugned" certificate and your own CA
*self-signed
.wbx
Roobarb-work, I will buy. What about the integration?
Roobarb-Work: huh?
Aha.. interesting... how many people have it like that [like myself], despite the fact of it's technical impossibility....
Roobarb-Work: intranet
you dont have that in a vhost, as far as i remember
read this: http://www.verisign.com/support/ssl-certificates-support/page_dev019501.html
the key file you create is SSLCertificateKeyFile and the certificate you buy is SSLCertificateFile
I do.
aside from that, you will need to change any occurrence of "www.example.com" to the Common Name you choose for your certificate
ok, its required that I have openssl installed for request
I pasted it to you, two days ago.
of course, and mod_ssl
yeah i remember, but that setup didn't work for me, you also remember
what about if the page is www.mysite.com/RT ?
the Common Name should be "www.mysite.com"
Roobarb-Work, What about getting the certificate from verisign ?
yes, I do.. and thus consider YOU a technical impossibility.
READ the page I pasted.
lots of threads underline this
you are really the only setup i heard of where this worked
on the net you just find unsolved threads to the theme
but anyway, i dont need that SVNParentPath really, it just drops of the security level i need
What's the difference between mod_ssl and ApacheSSL?
everyone uses mod_ssl
ok, thanks
Roobarb-work, one more question..
Roobarb-work, that site with the certificate will be used from the internal IP and the external IP. Will it make some problems?
unknow990:
is Apache bound to my LAN IP ?
as long as your clients use the Common Name you choose, no.
brb
back again
where can I see if it is bound to my internal IP?
?
Fajita, Where can I see which address my apache is bound to?
i don't know
ok
netstat -plant | grep httpd
as root
nothing showed
# netstat -plant | grep httpd
0 0.0.0.0:* LISTEN
43 0.0.0.0:* LISTEN
you should see something like that
no, I got nothing
are you running it as root, and is Apache actually running ?
yes, I am running that with root access and my apache2 is running
ok, try grepping for apache
Roobarb-Work, Please tell how
ps aux | grep httpd
look here http://paste.debian.net/30446
Apache is listening on all interfaces on your machine.
Roobarb-Work, is that wrong?
no. I'm just interpreting the data for you
Roobarb-Work, hehe thanks :-)
Roobarb,Work, So my apache is bound to all interfaces?
is there an echo in here?
Roobarb-Work, Do you know RT ?
RT ?
RT is a web-based problem tracking system at http://bestpractical.com/rt/index.html or See http://RT.cpan.org/ for an example
I do now
I will update my RT to the newest one, do you know how easily I can do that?
I kave no idea
*have
ok,
fajita, where do you know http://RT.cpan.org/ ?
i don't know, unknow990
fajita is a bot
Roobarb-Work, hehe okay :-)
but its like this site want to make http://RT.cpan.org/
"If you use the same certificate for all sites (now possible by having them all mentioned in the certificate using subjectAltName), there's no problem." --- about ssl and multiple certificates
have you heard something about that?
only Opera 8 supports it
oh, that's SNI?
yeah
SNI
SNI is Server Name Indication - A way to run https namevirtualhosts. It is currently only supported by Opera 8.0. or See http://journal.paul.querna.org/articles/2005/04/24/tls-server-name-indication?postid=70
have you tried Opera 9?
I've never used any version of Opera
hehe
then don't blindly believe in fajita's factoids
but needs to test
We (Google security team) observed a long tail of Apache server versions; the top three detected were 1.3.37 (15%), 1.3.33 (7.91%), and 2.0.54 (6.25%)
so much for up to date versions
Roobarb-Work, do you know in which channel I can get help with RT?
A comment after that "Everyone runs 1.3.37 just for the number of it."
no, I don't