When running the OWASP ZAP web security tool, I get the following flag: Secure page can be cached in browser. Cache control is not set in HTTP header nor HTML header. Sensitive content can be recovered from browser storage.
I was surprised, since I had the no-cache header in both the HTML code and the httpd header.
After investigating the flag, I noticed that the response was a generic 302 Found error response from Apache (located in apache/src/modules/http/http_protocol.c).
I added a patch to the code adding the Cache-Control & Pragma HTML headers with no-cache, and that solved the security flag (patch attached).
full response given:
header:
HTTP/1.1 302 Found
Date: Sat, 30 Nov 2013 10:44:40 GMT
Server: Apache
X-Frame-Options: DENY
Location: https://*****
Content-Length: 376
Content-Type: text/html; charset=iso-8859-1
body:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://******">here</a>.</p>
<hr>
<address>Apache Server at 10.209.0.81 Port 443</address>
</body></html>
In conclusion:
The issue is "Secure page can be cached in browser." (found by OWASP ZAP) for the HTTPS page response "302 Found" from Apache.
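The condition described in the alert text above (no cache directive in the HTTP header nor in the HTML header) can be checked offline against a captured response. This is an added example, not part of the original report and not ZAP's own code; the function names are hypothetical, the sample is constructed from the quoted 302 with a shortened body, and `https://example.invalid/` is a placeholder for the masked Location.

```python
import re

# Constructed sample based on the 302 quoted in the report (body shortened).
RAW_302 = (
    "HTTP/1.1 302 Found\r\n"
    "Server: Apache\r\n"
    "X-Frame-Options: DENY\r\n"
    "Location: https://example.invalid/\r\n"   # placeholder for the masked URL
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
    "<html><head>\n<title>302 Found</title>\n</head><body>\n"
    "<h1>Found</h1>\n</body></html>\n"
)
# Same response with the two headers the reporter's patch adds.
HARDENED = RAW_302.replace(
    "Server: Apache\r\n",
    "Server: Apache\r\nCache-Control: no-store\r\nPragma: no-cache\r\n")

NO_CACHE = re.compile(r"\b(no-cache|no-store)\b", re.I)
META = re.compile(r"<meta\b[^>]*>", re.I)
ATTR = re.compile(r"""([\w-]+)\s*=\s*["']([^"']*)["']""")

def parse_response(raw):
    # Split a raw HTTP response into status code, header map and body.
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return int(lines[0].split()[1]), headers, body

def cache_findings(raw):
    # List every place a no-cache/no-store directive appears.
    _, headers, body = parse_response(raw)
    found = []
    for name in ("cache-control", "pragma"):
        if any(NO_CACHE.search(v) for v in headers.get(name, [])):
            found.append("header:" + name)
    for tag in META.findall(body):          # <meta http-equiv=...> in the HTML
        attrs = {k.lower(): v for k, v in ATTR.findall(tag)}
        equiv = attrs.get("http-equiv", "").lower()
        if equiv in ("cache-control", "pragma") and NO_CACHE.search(attrs.get("content", "")):
            found.append("meta:" + equiv)
    return found

def is_flagged(raw):
    # Flag the response when neither HTTP headers nor HTML carry a directive.
    return not cache_findings(raw)
```

On the configuration side, mod_headers only applies plain `Header set` to success responses; `Header always set Cache-Control ...` is the form that also covers locally generated responses such as this redirect.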
I am having an issue where I have a server that DirectAdmin is installed on. I go to a URL that is on the server and all I see is the default page of Apache saying congrats, it is installed. Although there is no file like that in the public_html any longer and I can see my files in the public_html folder of that specific site.
I have a dedicated server with 1 GB RAM; now I see 468.02 MB used for cached memory, and this is the first time. Why could this be? I have not changed any settings except for turning off safe mode for an account.
Using version 0.9.5 with the default settings. The cache fills up the shared memory in less than a day. I noticed the cached script is stuck at 176, what happens after this? Will it cache content to disk in the temporary folder (/tmp/eaccelerator/) when the shared memory is full?
I recently reorganized my music site, putting my songs in their own directory (off of public_html), and now a couple of search engines are generating a boatload of 404 errors.
Can I redirect the file requests to the new location and, if so, how?
Sometimes the Apache test page opens instead of the home page of the website; also, sometimes a network TCP/IP error occurs on the same site.
I didn't change any setting in httpd.conf in the last period. Also, because these problems mainly happened in countries which access the internet via proxy, I checked the site via [url] and it's working fine.
As many of you may know, mod_cache does not cache directory index files. This can be fixed with mod_rewrite, but the index page of the domain (the homepage) seems to be impossible to cache. The following rules cache the folders but not the homedir (this means that www.thedomain.com/folder is cached but www.thedomain.com is not):
DirectorySlash Off
RewriteEngine On
RewriteCond %{REQUEST_URI} ([^.*])
RewriteCond "%{DOCUMENT_ROOT}%{REQUEST_URI}/index.htm" -f
RewriteRule "^(.*)$" "$1/index.htm" [NC,L]
RewriteCond %{REQUEST_URI} ^([^.*])$
RewriteCond "%{DOCUMENT_ROOT}%{REQUEST_URI}/index.html" -f
RewriteRule "^(.*)$" "$1/index.html" [NC,L]
RewriteCond %{REQUEST_URI} ^([^.*])$
RewriteCond "%{DOCUMENT_ROOT}%{REQUEST_URI}/index.php" -f
RewriteRule "^(.*)$" "$1/index.php" [NC,L]
Note that DirectorySlash should be off (or mod_dir not loaded) in order to work also with URLs that end with no slash.
As I said before, this will work for any folder, but it does not work for the public homedir directory. So when a user visits [url] it does not work (unless you type the name of the index file: [url]).
For me it is critical to make this work in some way; the index homepage is the main page that needs to be cached in my case (and in many others).
Do you know any solution for this? I found the first message about this on the Internet in 2002, but I'm using the latest version of Apache httpd and it still does not work.
If you have no idea about how to fix it, maybe you know some other easy alternative. Lighttpd + mod_cache + mod_deflate are not compatible: "mod_cache can be used in conjunction with other lighttpd plugins (except mod_deflate and mod_secdownload)"
I'm using AJAX on my site and I need to access a separate server instance on a different port. AJAX won't allow me to do that, so I want to use Apache as a proxy, but only for one page.
... and nothing works. My webserver gets hosed, and my otherwise working system gives me an error when I try to get a page from it. I am, by the way, using Mac 10.6.8, with Apache 2.2 on both server and client.
There is a page on a separate SharePoint environment, under http://domain.edu/yyy/yyy/yyy/yyy. We have a subdomain called http://123.domain.edu. We need the home page of http://123.domain.edu to point to the SharePoint site, so when users type http://123.domain.edu, they are redirected to http://domain.edu/yyy/yyy/yyy/yyy.
The trick is this - we need all sub-directories NOT to redirect. So, whatever is under http://123.domain.edu/subdirectory should not redirect at all. Is this doable? Also, if it is, I have no clue where to go to make any changes, so any instructions would be great. So far, I have found the text file httpd.conf that I can edit, but I have no clue about the rest.
I want to add an advertising banner to every web page served.
The problem is I cannot seem to make the OutputSed command recognise absolute paths. I can make it work with a relative path for both the image and the <a> href, but not absolute, which is awkward as the website will have different directories for content created by FTP for hosting results of different tournaments.
This is what I have in my vhost.conf file for the banner image:
Code:
<Directory "/var/www/fencing-results.co.uk">
    Options Indexes FollowSymLinks
    AllowOverride all
    Order allow,deny
    Allow from all
    AddOutputFilter Sed htm
    OutputSed "s/<body>/<body><img src="/var/www/fencing-results.co.uk/banner.jpg">/g"
</Directory>
The source site is very chaotic (static pages + WP pages) and there is no clear rule for redirection (no regex). So I need to redirect every single page, but the syntax:
Redirect 301 esp.site.com/oldpage http://es.site.com/newpage doesn't work! I think "esp.site.com" in the source page is not acceptable syntax. Which is the correct syntax? Can I manage all from one .htaccess file in the main root (www), or should I create an "esp" directory (and point the old subdomain to it, one for every language) and put .htaccess in every directory with redirection?
A question on mod_proxy. We're using mod_proxy as a simple reverse proxy (ProxyPass & ProxyPassReverse) to reverse-proxy various back-end PHP and Mono/.NET apps.
One problem we see is that when the back-end PHP app suffers an error (e.g. a 404 or 500), mod_proxy ignores the nicely formatted custom error page served up by our PHP app, and instead serves a very plain generic mod_proxy 404 or 500 error page back to the client. Is there a way to configure mod_proxy to serve up the 500/404 error page content which is created by the back-end app?
(We thought ProxyErrorOverride might work, but it seems to be intended for the opposite scenario, where I want to *ignore* the 404 page content from the back-end and show a mod_proxy-defined error page instead.) We're using Apache 2.2 on 64-bit CentOS 6.5 (httpd-2.2.15-31.el6.centos.x86_64).
I'm looking for a way to add a script in the header tag of a web page without using a CMS or anything like that. It should be the first script that is running when the page is rendered. I'm running Apache 2.2.25 and Tomcat 7.0.50, both Win32 versions.
There are two reasons for an approach like that.
(1) - I expect it to work regardless of the CMS I'm working with; the same expectation is for Tomcat and Java applications. (2) - I'm able to start this as early as possible => includes monitoring the performance of the CMS itself.
I recently configured a CentOS 6.5 server with Java JDK 1.8 and the bundled Tomcat server x64 application. I confirmed the web server port is not already in use and also installed the Tomcat APR libraries. The application starts fine and all the logs show no severe errors; however, when I navigate to the URL I see a blank page. All the configuration files are in the correct place, and whether I use just :8080 or /licenseserver the page is still blank. If I run the element inspector in the browser it shows 404 file not found.