The Apache Haus Forum

 1 
 on: June 12, 2021, 09:24:45 AM 
Started by AJPRO2021 - Last post by mario
I don't see anything there about how you connect to the Tomcat server, nor any proxy settings.

 2 
 on: June 11, 2021, 04:13:44 PM 
Started by AJPRO2021 - Last post by AJPRO2021
These are the only modules that have been enabled.

======================

LoadModule access_compat_module modules/mod_access_compat.so
LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
LoadModule allowmethods_module modules/mod_allowmethods.so
LoadModule asis_module modules/mod_asis.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule cgi_module modules/mod_cgi.so
LoadModule dir_module modules/mod_dir.so
LoadModule env_module modules/mod_env.so
LoadModule include_module modules/mod_include.so
LoadModule info_module modules/mod_info.so
LoadModule isapi_module modules/mod_isapi.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule mime_module modules/mod_mime.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule status_module modules/mod_status.so

======================

 3 
 on: June 11, 2021, 09:34:00 AM 
Started by AJPRO2021 - Last post by mario
How do you connect to Tomcat? mod_jk, mod_proxy_ajp or mod_proxy_http?

 4 
 on: June 10, 2021, 04:57:59 PM 
Started by AJPRO2021 - Last post by AJPRO2021
Since we upgraded Tomcat Web Services from 2.4.46 to 2.4.47/48, we've started to have a Gateway Timeout problem.

Here are the versions of Tomcat running on the Windows 2016 64-bit server.

Apache Tomcat/9.0.46 --> (apache-tomcat-9.0.46-windows-x64)
Apache/2.4.48 (Win32) OpenSSL/1.1.1k --> (httpd-2.4.48-o111k-x86-vc15)

For the longest time, we have had SSL enabled in httpd.conf and configured the httpd-ssl.conf environment to run with our own internal certificate.

==================================
httpd.conf
==================================
Code:
# Secure (SSL/TLS) connections
# Note: The following must be present to support
#       starting without SSL on platforms with no /dev/random equivalent
#       but a statically compiled-in mod_ssl.
#
<IfModule ssl_module>
Include conf/extra/httpd-ssl.conf
#Include conf/extra/httpd-ahssl.conf
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
<IfModule http2_module>
    ProtocolsHonorOrder On
    Protocols h2 h2c http/1.1
</IfModule>

=====================================
 httpd-ssl.conf
=====================================

Listen 443

SSLPassPhraseDialog  builtin

SSLSessionCache        "shmcb:${SRVROOT}/logs/ssl_scache(512000)"
SSLStaplingCache       "shmcb:${SRVROOT}/logs/ssl_stapling_data(512000)"
SSLSessionCacheTimeout  600

<VirtualHost _default_:443>
DocumentRoot "${SRVROOT}/htdocs"
ServerName ecsma.epssdri.com:443
ServerAdmin
Redirect permanent /index.html /ostcs/csas.exe

ErrorLog "${SRVROOT}/logs/error.log"
TransferLog "${SRVROOT}/logs/access.log"

SSLEngine on
SSLProtocol TLSv1.2
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384
SSLHonorCipherOrder on
SSLInsecureRenegotiation on

SSLCompression off

SSLCertificateFile "${SRVROOT}/conf/ssl/escm.cer"
SSLCertificateKeyFile "${SRVROOT}/conf/ssl/escm.cer"


<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>

<Directory "${SRVROOT}/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

BrowserMatch ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

CustomLog "${SRVROOT}/logs/ssl_request.log" \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>                             
   

=====================================

All major Apache Tomcat/9.0.46 and Apache Web Service’s timeouts have been raised beyond the limit.

Our application stops communicating at exactly 01:06:21 (min) and, due to lack of response, Tomcat closes the session at 03:02:01 (min) into the process.

We have run a Wireshark capture on both client and server site and we have found no abnormality with communication between the client/host.

We had no choice but to revert back to Apache 2.4.46 to stabilize our environment.

I believe the major change is with OpenSSL 1.1.1k vs 1.1.1g, which was packaged with the 2.4.46 release; not sure if this is what is causing the failure!

Any feedback from anyone will be greatly appreciated.

Thanks.

 5 
 on: May 26, 2021, 05:58:09 AM 
Started by Gregg - Last post by Gregg
This release is a bug fix & stability release.

This release includes:
APR Version:        1.7.0
APU Version:        1.6.1
Brotli Version:    1.0.7
Jansson Version:    2.13.1
Libcurl Version:   7.76.1
LibXML2 Version:    2.9.10
LUA Version:        5.2.4
NGHTTP2 Version:    1.43.0
OpenSSL Version:    1.1.1k or LibreSSL 3.3.3
PCRE Version:       8.44
SQLite3 Version:    3.35.5
ZLib Version:       1.2.10

LibreSSL users:
These releases include a post 2.4.48 patch for mod_md to allow it to compile with LibreSSL. A patch for viewing is supplied in the zip file.

You can get your copy of the new Apache HTTP Server from our download page.

Change Log for Apache 2.4.48

Change Logs for LibreSSL
3.3.0
3.3.1
3.3.2
3.3.3

 6 
 on: April 29, 2021, 07:18:09 PM 
Started by Gregg - Last post by Gregg
This release is a bug fix & stability release.

This release includes:
APR Version:        1.7.0
APU Version:        1.6.1
Brotli Version:    1.0.7
Jansson Version:    2.13.1
Libcurl Version:   7.76.1
LibXML2 Version:    2.9.10
LUA Version:        5.2.4
NGHTTP2 Version:    1.43.0
OpenSSL Version:    1.1.1k or LibreSSL 3.2.5
PCRE Version:       8.44
SQLite3 Version:    3.35.5
ZLib Version:       1.2.10

You can get your copy of the new Apache HTTP Server from our download page.

Change Log for Apache 2.4.47

 7 
 on: April 27, 2021, 09:57:52 AM 
Started by ErrorReporter - Last post by mario
Further to Gregg's reply, it is recommended to turn that off for OpenSSL in the Apache settings:

SSLCompression Off

 8 
 on: April 27, 2021, 09:55:37 AM 
Started by carlosdb - Last post by mario
Yes you can use it in production. A lot of people do that, including me.

I only tweak the SSL config and some security headers.

Code:
Header always set Strict-Transport-Security "max-age=15553000; preload"
SSLUseStapling On
SSLSessionCache shmcb:C:/Windows/Temp/ssl_gcache_data(512000)
SSLStaplingCache shmcb:C:/Windows/Temp/ssl_stapling_data(512000)
SSLOptions +StrictRequire +StdEnvVars -ExportCertData
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCompression Off
SSLHonorCipherOrder On
SSLCipherSuite SSL ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384
SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384

SSLOpenSSLConfCmd ECDHParameters secp521r1
SSLOpenSSLConfCmd Curves sect571r1:sect571k1:secp521r1:sect409k1:sect409r1:secp384r1

H2Direct On

SSLOpenSSLConfCmd SignatureAlgorithms rsa_pss_rsae_sha512:rsa_pss_rsae_sha256:ECDSA+SHA512:ECDSA+SHA256:RSA+SHA512:RSA+SHA256
SSLOpenSSLConfCmd ClientSignatureAlgorithms rsa_pss_rsae_sha512:rsa_pss_rsae_sha256:ECDSA+SHA512:ECDSA+SHA256:RSA+SHA512:RSA+SHA256

Code:
<IfModule mod_headers.c>
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-XSS-Protection "1; mode=block"
    Header always set Expect-CT "max-age=86400, enforce"
    Header always set Feature-Policy "geolocation 'none'; midi 'none'; camera 'none'; usb 'none'; magnetometer 'none'; accelerometer 'none'; vr 'none'; speaker 'none'; ambient-light-sensor 'none'; gyroscope 'none'; microphone 'none'"
    Header always set Content-Security-Policy "default-src 'self' 'unsafe-inline' data:; font-src 'self' 'unsafe-inline' fonts.gstatic.com data:; style-src 'self' 'unsafe-inline' fonts.googleapis.com; script-src 'self' 'unsafe-inline' 'unsafe-eval';"
    Header always set Access-Control-Allow-Origin "*"
    Header always set X-Content-Type-Options nosniff
</IfModule>

 9 
 on: April 26, 2021, 10:12:55 PM 
Started by ErrorReporter - Last post by Gregg
LibreSSL has removed that option since it was used in the CRIME attack against TLS.
So "Setting Compression mode unsupported; not implemented by the SSL library" is not a bug.
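
An added example, not part of any post on this page and not Apache Haus code: a small Python audit for the mod_ssl directives that come up in the posts above (SSLCompression, SSLProtocol, SSLInsecureRenegotiation). The sample configuration is constructed, and the expansion of `all` follows the mod_ssl documentation for OpenSSL 1.1.1 builds, which is an assumption about the build in use.

```python
import re
# Assumption: "all" expands as mod_ssl documents it for OpenSSL 1.1.1 builds.
ALL = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2", "tlsv1.3"}
LEGACY = {"sslv3", "tlsv1", "tlsv1.1"}

def enabled_protocols(args):
    """Resolve SSLProtocol arguments: +x adds, -x removes, a bare x replaces."""
    enabled = set()
    for tok in args.lower().split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        group = ALL if name == "all" else {name}
        if sign == "+":
            enabled |= group
        elif sign == "-":
            enabled -= group
        else:
            enabled = set(group)
    return enabled

def audit(conf_text):
    """Return (line_number, message) findings; comments and section tags are skipped."""
    findings = []
    for num, raw in enumerate(conf_text.splitlines(), 1):
        m = re.match(r"\s*(\w+)\s+(.+?)\s*$", raw)
        name, args = (m.group(1).lower(), m.group(2)) if m else ("", "")
        if name == "sslcompression" and args.lower() == "on":
            findings.append((num, "TLS compression enabled (CRIME)"))
        elif name == "sslinsecurerenegotiation" and args.lower() == "on":
            findings.append((num, "legacy insecure renegotiation allowed"))
        elif name == "sslprotocol":
            old = sorted(enabled_protocols(args) & LEGACY)
            if old:
                findings.append((num, "legacy protocols enabled: " + ", ".join(old)))
    return findings

# Constructed sample, not a configuration taken from the forum.
SAMPLE = """\
<VirtualHost _default_:443>
# SSLCompression on
SSLProtocol all -SSLv3
SSLCompression On
SSLInsecureRenegotiation on
SSLProtocol -all +TLSv1.2 +TLSv1.3
</VirtualHost>
"""

if __name__ == "__main__":
    for num, msg in audit(SAMPLE):
        print(f"line {num}: {msg}")
```

The audit reads each line on its own and does not model virtual-host scoping or directive merging, so a finding points at a line to review rather than at the effective server setting.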

 10 
 on: April 26, 2021, 05:12:34 PM 
Started by ErrorReporter - Last post by ErrorReporter
Hello! I think I found a bug...
When I use httpd-2.4.46-lre325-x64-vs16 I get the error "Setting Compression mode unsupported; not implemented by the SSL library"
With version httpd-2.4.46-o111k-x64-vc15/httpd-2.4.46-o111j-x64-vc15 no errors.
