The Apache Haus Forum

 11 
 on: June 10, 2021, 04:57:59 PM 
Started by AJPRO2021 - Last post by AJPRO2021
Since we upgraded Tomcat Web Services from 2.4.46 to 2.4.47/48, we have started to have a Gateway Timeout problem.

Here are the versions of Tomcat running on the Windows 2016 64-bit server.

Apache Tomcat/9.0.46 --> (apache-tomcat-9.0.46-windows-x64)
Apache/2.4.48 (Win32) OpenSSL/1.1.1k --> (httpd-2.4.48-o111k-x86-vc15)

For the longest time, we have had SSL enabled in httpd.conf and the httpd-ssl.conf environment configured to run with our own internal certificate.

==================================
httpd.conf
==================================
Code:
# Secure (SSL/TLS) connections
# Note: The following must be present to support
#       starting without SSL on platforms with no /dev/random equivalent
#       but a statically compiled-in mod_ssl.
#
<IfModule ssl_module>
Include conf/extra/httpd-ssl.conf
#Include conf/extra/httpd-ahssl.conf
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
<IfModule http2_module>
    ProtocolsHonorOrder On
    Protocols h2 h2c http/1.1
</IfModule>

=====================================
 httpd-ssl.conf
=====================================

Listen 443

SSLPassPhraseDialog  builtin

SSLSessionCache        "shmcb:${SRVROOT}/logs/ssl_scache(512000)"
SSLStaplingCache       "shmcb:${SRVROOT}/logs/ssl_stapling_data(512000)"
SSLSessionCacheTimeout  600

<VirtualHost _default_:443>
DocumentRoot "${SRVROOT}/htdocs"
ServerName ecsma.epssdri.com:443
ServerAdmin
Redirect permanent /index.html /ostcs/csas.exe

ErrorLog "${SRVROOT}/logs/error.log"
TransferLog "${SRVROOT}/logs/access.log"

SSLEngine on
SSLProtocol TLSv1.2
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384
SSLHonorCipherOrder on
SSLInsecureRenegotiation on

SSLCompression off

SSLCertificateFile "${SRVROOT}/conf/ssl/escm.cer"
SSLCertificateKeyFile "${SRVROOT}/conf/ssl/escm.cer"


<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>

<Directory "${SRVROOT}/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

BrowserMatch ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

CustomLog "${SRVROOT}/logs/ssl_request.log" \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>                             
   

=====================================

All major Apache Tomcat/9.0.46 and Apache Web Service’s timeouts have been raised beyond the limit.

Our application stops communicating at exactly 01:06:21 (min) and, due to lack of response, Tomcat closes the session at 03:02:01 (min) into the process.

We have run Wireshark capture on both client and server site and we have found no abnormality with communication between the client/host.

We had no choice but to revert to Apache 2.4.46 to stabilize our environment.

I believe the major change is with OpenSSL 1.1.1k vs 1.1.1g, which was packaged with the 2.4.46 release; not sure if this is what is causing the failure!

Any feedback from anyone will be greatly appreciated.

Thanks.

 12 
 on: May 26, 2021, 05:58:09 AM 
Started by Gregg - Last post by Gregg
This release is a bug fix & stability release.

This release includes:
APR Version:        1.7.0
APU Version:        1.6.1
Brotli Version:    1.0.7
Jansson Version:    2.13.1
Libcurl Version:   7.76.1
LibXML2 Version:    2.9.10
LUA Version:        5.2.4
NGHTTP2 Version:    1.43.0
OpenSSL Version:    1.1.1k or LibreSSL 3.3.3
PCRE Version:       8.44
SQLite3 Version:    3.35.5
ZLib Version:       1.2.10

LibreSSL users:
These releases include a post 2.4.48 patch for mod_md to allow it to compile with LibreSSL. A patch for viewing is supplied in the zip file.

You can get your copy of the new Apache HTTP Server from our download page.

Change Log for Apache 2.4.48

Change Logs for LibreSSL
3.3.0
3.3.1
3.3.2
3.3.3

 13 
 on: April 29, 2021, 07:18:09 PM 
Started by Gregg - Last post by Gregg
This release is a bug fix & stability release.

This release includes:
APR Version:        1.7.0
APU Version:        1.6.1
Brotli Version:    1.0.7
Jansson Version:    2.13.1
Libcurl Version:   7.76.1
LibXML2 Version:    2.9.10
LUA Version:        5.2.4
NGHTTP2 Version:    1.43.0
OpenSSL Version:    1.1.1k or LibreSSL 3.2.5
PCRE Version:       8.44
SQLite3 Version:    3.35.5
ZLib Version:       1.2.10

You can get your copy of the new Apache HTTP Server from our download page.

Change Log for Apache 2.4.47

 14 
 on: April 27, 2021, 09:57:52 AM 
Started by ErrorReporter - Last post by mario
Further to Gregg's reply, it is recommended to turn that off for OpenSSL in the Apache settings

SSLCompression Off

 15 
 on: April 27, 2021, 09:55:37 AM 
Started by carlosdb - Last post by mario
Yes you can use it in production. A lot of people do that, including me.

I only tweak the SSL config and some security headers.

Code:
Header always set Strict-Transport-Security "max-age=15553000; preload"
SSLUseStapling On
SSLSessionCache shmcb:C:/Windows/Temp/ssl_gcache_data(512000)
SSLStaplingCache shmcb:C:/Windows/Temp/ssl_stapling_data(512000)
SSLOptions +StrictRequire +StdEnvVars -ExportCertData
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCompression Off
SSLHonorCipherOrder On
SSLCipherSuite SSL ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384
SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384

SSLOpenSSLConfCmd ECDHParameters secp521r1
SSLOpenSSLConfCmd Curves sect571r1:sect571k1:secp521r1:sect409k1:sect409r1:secp384r1

H2Direct On

SSLOpenSSLConfCmd SignatureAlgorithms rsa_pss_rsae_sha512:rsa_pss_rsae_sha256:ECDSA+SHA512:ECDSA+SHA256:RSA+SHA512:RSA+SHA256
SSLOpenSSLConfCmd ClientSignatureAlgorithms rsa_pss_rsae_sha512:rsa_pss_rsae_sha256:ECDSA+SHA512:ECDSA+SHA256:RSA+SHA512:RSA+SHA256

Code:
<IfModule mod_headers.c>
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-XSS-Protection "1; mode=block"
    Header always set Expect-CT "max-age=86400, enforce"
    Header always set Feature-Policy "geolocation 'none'; midi 'none'; camera 'none'; usb 'none'; magnetometer 'none'; accelerometer 'none'; vr 'none'; speaker 'none'; ambient-light-sensor 'none'; gyroscope 'none'; microphone 'none'"
    Header always set Content-Security-Policy "default-src 'self' 'unsafe-inline' data:; font-src 'self' 'unsafe-inline' fonts.gstatic.com data:; style-src 'self' 'unsafe-inline' fonts.googleapis.com; script-src 'self' 'unsafe-inline' 'unsafe-eval';"
    Header always set Access-Control-Allow-Origin "*"
    Header always set X-Content-Type-Options nosniff
</IfModule>
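
As an added example (not code from any poster or from Apache Haus), this Python script audits a config for the settings raised in the posts on this page: SSLInsecureRenegotiation, SSLCompression, protocols older than TLSv1.2, an HSTS preload token that lacks the preload list's max-age and includeSubDomains requirements, and a wildcard Access-Control-Allow-Origin. The function names, the SAMPLE text and the simplified model of SSLProtocol's "all" shortcut are assumptions.

```python
import re
# Constructed input: directives copied from the configurations posted on this page.
SAMPLE = r'''
SSLProtocol TLSv1.2
SSLInsecureRenegotiation on
SSLCompression off
Header always set Strict-Transport-Security "max-age=15553000; preload"
Header always set Access-Control-Allow-Origin "*"
'''
LEGACY = {"sslv3", "tlsv1", "tlsv1.1"}
ALL = LEGACY | {"tlsv1.2", "tlsv1.3"}  # assumption: simplified model of "all"
TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|(\S+)')  # quoted or bare argument

def enabled_protocols(args):
    """mod_ssl semantics: +x adds, -x removes, a bare token replaces the set."""
    active = set()
    for tok in args:
        sign, name = (tok[0], tok[1:]) if tok[:1] in ("+", "-") else ("", tok)
        group = ALL if name.lower() == "all" else {name.lower()}
        active = active | group if sign == "+" else active - group if sign == "-" else set(group)
    return active

def audit(conf):
    """Return (directive, finding) pairs for the settings raised in these posts."""
    out = []
    for line in re.sub(r"\\\r?\n", " ", conf).splitlines():  # join "\" continuations
        words = [q or b for q, b in TOKEN.findall(line.strip())]
        if not words or words[0][:1] in ("", "#", "<"):  # blank, comment, section tag
            continue
        name, args = words[0].lower(), words[1:]
        flag = args[0].lower() if args else ""
        if name == "sslinsecurerenegotiation" and flag == "on":
            out.append((name, "insecure legacy renegotiation permitted"))
        elif name == "sslcompression" and flag == "on":
            out.append((name, "TLS compression enabled (CRIME)"))
        elif name == "sslprotocol" and enabled_protocols(args) & LEGACY:
            out.append((name, "protocol older than TLSv1.2 enabled"))
        elif name == "header":
            args = args[1:] if flag in ("always", "onsuccess") else args
            if len(args) < 3 or args[0].lower() != "set":
                continue
            hdr, val = args[1].lower(), args[2].lower()
            age = re.search(r"max-age=(\d+)", val)
            if hdr == "strict-transport-security" and "preload" in val and (
                    not age or int(age.group(1)) < 31536000 or "includesubdomains" not in val):
                out.append((hdr, "preload set without max-age>=31536000 and includeSubDomains"))
            elif hdr == "access-control-allow-origin" and val == "*":
                out.append((hdr, "any origin may read responses"))
    return out
```

Calling `audit(SAMPLE)` returns one `(directive, finding)` pair per flagged line; an empty list means none of these checks fired.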

 16 
 on: April 26, 2021, 10:12:55 PM 
Started by ErrorReporter - Last post by Gregg
LibreSSL has removed that option since it was used in the CRIME attack against TLS.
So "Setting Compression mode unsupported; not implemented by the SSL library" is not a bug.

 17 
 on: April 26, 2021, 05:12:34 PM 
Started by ErrorReporter - Last post by ErrorReporter
Hello! I think I found a bug...
When I use httpd-2.4.46-lre325-x64-vs16 I got the error "Setting Compression mode unsupported; not implemented by the SSL library"
With version httpd-2.4.46-o111k-x64-vc15/httpd-2.4.46-o111j-x64-vc15 no errors.

 18 
 on: April 26, 2021, 12:20:53 PM 
Started by carlosdb - Last post by carlosdb
Hello community!!

This is my very first post on this forum. I came across this site while trying to figure out what's the best option for a personal project I'm running. My question is if I can use Apache Haus for an application that is running in production and if it comes with enough security configuration applied in order to run my site safely.

I have explored the possibility of using IIS but I read about performance issues, so it would be nice to know a bit more about your preference for using Apache Haus rather than IIS.

I'm new to this world so any help will be much appreciated.  :D

Many thanks!

 19 
 on: April 22, 2021, 07:44:56 PM 
Started by EHCanadian83 - Last post by EHCanadian83
Thanks :)

 20 
 on: April 20, 2021, 06:54:40 PM 
Started by EHCanadian83 - Last post by Gregg
OK, I've uploaded new builds of the module and tested to make sure they download.
Thank you for reporting the issue  :)
