Apache :: Set Up SSL Listening On Port 443 - Client Authentication
Oct 29, 2014
I am setting up apache 2.4 as a service locally through localhost on a windows 2008 R2 standard server. I have set up SSL listening on port 443 and works correctly, however I am having trouble figuring out how to get apache to authenticate my CAC card.
I have downloaded the DOD certs and put them into various types of files including pem, base 64, der etc and I have yet to figure out a way to get the client certificates validated.
I have left out the information about the SSLCertificateChainFile, SSLCACertificateFile and SSLCARevocationPath as I am sure this must be where my problem is.
Is it possible to get this done through localhost. Here is the error I am getting in the error log.
[Wed Oct 29 11:37:05.675491 2014] [ssl:error] [pid xxxx:tid xxx] [client 127.0.0.1:59282] AH02039: Certificate Verification: Error (20): unable to get local issuer certificate
I am using a self created self signed server ceritficate. Here are some details from my httpd-ssl.conf file:
I have been trying to set ssl client authentication with Apache.I basically have a server certificate issued by a recognized CA. For the normal ssl authentication I use the following configuration (and it works fine):
I seem to have a strange problem (I am hoping that if I fix this, it will fix another problem I am having).
For some reason (I most probably did by accident) when I run the command lsof -i tcp:80. The information that comes up says that my IP address xx.xxx.xxx.172 is being used to listen to port 80. Yet the IP address that was asignned to me is xx.xxx.xxx.171. I am wondering how I would go about removing wrong IP address so that the right one is listening to the correct port.
What is apsc? I found an apsc.conf (in /etc/sw-cp-server/conf.d) the file contains the line "listen 6308 ssl;". So far that explains why sw-cp-server is listening on that particular tcp port.
Which service is provided by apsc? Can I change it to listen only to 127.0.0.1? I like my server to have a minimum of open ports to the public.
IP-Pair1 is supposed to host admin and customer access. = Plesk-admin-interface (lighhttpd?) on 80/443 instead of 8443 (ssh on 22, ftp ...)
IP-Pair2 is supposed to host visitor access. = Plesk webspaces (nginx/apache) on 80/443
So I want to stop nginx from grabbing ports 80/443 of IP-Pair1 and listen to IP-Pair2 addresses only. Then I want to set plesk-admin interface to listen to 80/443 on IP-Pair1 only.
I'm running Apache 2.2 on Windows 7. I'm a casual user of the Apache server, and the server I'm running is only used to develop a Silverlight application on the local machine, nothing more. The following problem is apparently a non-systematic error (sometimes the server can startup, sometimes it cannot. If it cannot, it sometimes can after a reboot (a service startup race condition?))
I get error when starting the server: "The requested operation has failed!"
When I run "http.exe" from a command prompt I get:
Quote:
httpd.exe: Could not reliably determine the server's fully qualified domain name, using 10.0.0.100 for ServerName (OS 10048)Only one usage of each socket address (protocol/network address/port) is normally permitted. : make_sock: could not bind to address 0.0.0.0:80 No listening sockets available, shutting down Unable to open logs
It does not write anything in the "error.log". It cannot? why? rights? but it could yesterday! anything changed from yesterday, no nothing!
I have tried to start the server many times today, and it has not written anything in error.log. Looking in the log there are many entries from yesterday, when the server probably worked!?
Okay there most be something using port 80 then!
Output from "netstat -o -n -a | findstr :80" is nothing! netstat says there is nothing listening on port 80.
I'm running SQL Server 2008 Express, and "Reporting Service" would be a prime candidate for listening on port 80, but netstat says it is not!
I'm using the ZoneAlarm firewall (the Apache server has been given full trust and permissions), and it has worked previously, I belive it cannot be the problem.
I'm using Avast anti-virus, but everything is disabled in it, and I'm only using it to run a virus check from time to time.
(I don't think it has anything to do with the "fully qualified domain name", because the setting it is complaining about has always been the same, also when the server is actually working, from time to time)
"Client does not support authentication protocol requested by server; consider upgrading MySQL client"
I upgraded from MySQL 4 to 5 and everything was fine for about a week. On Monday, I get the error above. From what I've read, this is the oldpassword/new password hash error that I can fix in about 2 minutes on my server. However, this is on a Parcom server, and Parcom has been sloooowww to react.
Can anyone think of another reason why this would be coming up? It's running fine on 3 other PCs that I run as a backup. I've dropped the database twice and rebuilt it twice, still with the same error. Ditto for the user/pass.
I have a machine at home running the UniformServer wamp package on Win2K3 Standard server and I'm hosting a simple family picture gallery using Gallery 2.3. I put the gallery in a subdirectory of root so I could have a public homepage and a gallery that is password protected. I did this using .htaccess and .htpasswd.
My issue is when I browse to mydomain.com and click the link to the gallery [url], the password box pops up, and when I enter the appropriate credentials, the domain name reverts to the IP and another password box pops up. If I log in a second time, I'm fine. If I cancel that second login, it still lets me in, but prompts me to login that second time for every click going forward until I authenticate.
I have a couple of directories on my server that require authentication (MySQL DBD and AuthUserFile). Both work fine with SSL off. When I use SSL on directories without authentication that also works fine. However, when I put the 2 together, authentication is by-passed. I cannot seem to get the configuration right to do both. Here is my VH conf file (sanitized):
I'd appreciate if you can point out some links, or if anyone is willing to help me for a fee, we can talk about it.
I have a web application called MyApp
- Each MyApp user has 5gb hosting, and a web interface to manage their files.
- Therefore MyApp user gets a user account on linux machine and has access to only one directory /repo/usr/<user_id> and nowhere else. (suexec?)
- If that MyApp user creates a subdomain from any folder inside his home folder (he can do that using web interface), that folder is readable by www-data user not writable.
- That myapp user is able to mount/unmount his own ftp drives using curlftpfs.
- In short, users can only mess with their own files and they have no access nor rights to any other file that is outside of their home dir.
In short, this is a kind of hosting company server setup. Right now, we will have to manage all this from -only- one powerful server.
Apache Suexec, so that each VHosts runs under there own username FTP for each of the vhosts.
I have made a username aplushost and FTP works fine when i login, however when i try and get Suexec to work it shows a 403 permision dined, even know the whole directroy path is with correct permsions.
"/home/aplushost/www"
However if i chown the directroy "aplushost" to apaches username , currently "nobody" i have tried with "apache" and many others the page is displayed correctly.
The weird thing is that the www directroy can still be set to the aplushost username and files work inside.
However due to changing the privalages of the folder aplushost ftp now fails to login due to the folder not being owned by the ftp user "aplushost".
So im stuck between only having one item working at a time.
i have put some content of my config files.
----------httpd.conf vhosts------------------ <VirtualHost 87.117.196.247> DocumentRoot "/home/aplushost/www" ServerName aplushost.co.uk SuexecUserGroup aplushost aplushost <Directory "/home/aplushost/www"> allow from all Options +Indexes </Directory> </VirtualHost>
If a User logs in with username only, all works correct. If a user use the DomainUsername format, the login is rejected with "user not found".Should it not work with both login styles ? Or is there a option to reformat or rewrite the username before authentication without the "Domain part ?
I was wondering if there's a simple way to implement some kind of authencation bruteforce protection in apache for windows? Right now my authentication never stops asking if user inputs the wrong credentials, this makes me think i'm vounrable for bruteforce attacks which could eventually get through if given the time.
I have to create a structure in which there is a client, a server and an authentication authority.
The authentication authority verifies the identity of both the client and server before they can communicate, so that the client can access the content offered by the server. Everything must be made using HTTP with SSL (HTTPS).
For now I have installed xampp on my pc with ubuntu, I performed the initial configuration and was able to view a test page locally hosted by entering the URL of the virtual server "www.server.it" (added to the configuration of apache2).
In web application we are facing high vulnerability issue based on the session validation.
We can download the files from the server whenever we are passing the link even without login. The links are directly hit into the server and download the files any type of files extension such as .txt, .xml, .zip and so on.
Need the solution for this issue: How will we resolve the issue using validate the session in apache side?
Scenario as below:
When user manually passing the request if user logged they should access the files When user manually passing the request if user is not login they shouldn't access the files
Here both the scenarios they can access the files but we want to restrict when the request is coming to apache without login.
EX: [URL] ....
When i tried above link I can able to view the file in browser. Even able to download all different fies extension which are having in the under tomcat webapps dir.
How we can restrict this in apache code or any other files in apache side or is there any way to validate the request is logged one or not?.
I am running apache currently on my QNAP server, and have enabled webserver and LDAP. We have set up users on LDAP. I have created a landing page for access from the internet. I want to configure Apache to authenticate the users using LDAP before granting access to the landing directory.
I have started this with the apache configuration below: My apache config file -
When I access my page, I get the authentication prompt. But when I enter my LDAP login and password, I get thrown out of the system with the error:
Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator, admin@NAS and inform them of the time the error occurred, and anything you might have done that may have caused the error.
More information about this error may be available in the server error log.
Looks like my apache configuration is a problem as I am able access my LDAP and everything with LDAP seems to be working fine except Apache configuration to authenticate against LDAP.
A couple of directories on the website need authentication against LDAP. The setup has been working for many years and all of a sudden is giving some issues.
The page asks for authentication and once login details are entered, either it throws an error "Page has moved" or "Please refresh your browser or reload the page".
As far as I am aware no configuration has been changed for LDAP or for Apache. The website runs on Windows Server 2003.
I am very much new to Apache and cannot seem to find any errors logged.
Im having a problem where local authentication will not work when when the configured LDAP server is unavailble. When the ldap server is online I can authenticate fine against ldap and local file. However, when the ldap server is offline, I cannot authenticate with the user1 account. The browser just sits at a blank screen.
Ive searched a lot on this and found many examples, all very similar to my config below, but I still cannot failback authentication to local file when ldap is unavailable. Im running Apache/2.2.10. I have also tested this on 2.2.16 with the same results.
I have several applications that use authentication and expect REMOTE_USER to be set by Apache for authentication/authorization.
I am putting a reverse proxy, with shibboleth in front of these applications, on a separate server.
Currently, REMOTE_USER is not sent. I have tried a few things, and I am currently sending it inside another header, but I have some applications that are closed sources and this will not work.
Is this possible to do? I am running this with Apache 2.4.7, I believe, on the Windows platform.
I have a class project that we are working on where we have to configure and implement an Apache server with ssl using ldap for authentication. I have documentation of literally everything I have done in the configuration. Everything seems to be fine with the config that I can tell. The client gets a prompt for username and password when they access the server ip address. However, once the correct username and password are entered, then the client receives a 500 internal server error message instead of the webpage: "Internal Server Error...The server encountered an internal error or misconfiguration and was unable to complete your request.
If you enable ssl in apache, you can verify a client certificate. If so apache will create a environment variable for you with the name 'SSL_CLIENT_VERIFY' with values 'NONE, SUCCESS, GENEROUS or FAILED:reason'. URL....What is the meaning of this different values?
Pretty new to Apache and recently enabled teh Apache Server Status module.
A column is confusing me, after CONN/CHILD/SLOT is CLIENT, most of the addresses in this column are my own local addresses but I have a few which I don't recognise and show up on whois.net as follows;
203.188.201.201 = Yahoo Mail 199.87.232.177 = No Result 141.44.51.95 = Query terms are ambiguous 58.218.204.102 = CHINANET-JS