The Apache Haus Forum

Advanced search  


Welcome to Apache Haus Distribution Forum

Pages: 1 ... 8 9 [10]
 on: December 19, 2019, 12:20:07 PM 
Started by Rezoyen - Last post by Rezoyen
If I were to setup several applications on an apache webserver what would be the most secure way to route requests and prevent file traversals? Is it through virtualhosts, permanent redirects, and a document root for each app?

As an example lets say I have and then and rather than dropping through a shared app you have to allow direct access to app1 and app2 separately and lock down their directories separately and route file traversing back to the central application file respective to either app1 or app2. I've heard .htaccess can do this but I don't like the idea of introducing an additional attack vector when it may be possible to get the same results in a more secure and cached form.

I'm reading through the documentation but they don't seem to take an opinionated approach - so feel free to point me to a topic in the official docs and I can followup on the reading.

 on: November 19, 2019, 11:23:25 AM 
Started by mario - Last post by mario
So far I use

 on: November 15, 2019, 10:19:41 AM 
Started by xeon - Last post by mario
Thank you for the feedback.
The binaries are fully compatible with ours.

 on: November 14, 2019, 11:52:46 PM 
Started by xeon - Last post by xeon
Hi all
Just wanted to share that mod_svn modules for Apache on Windows are available by a guy over at ApacheLounge. Thanks Gregg for the tip

Here is the link

I just installed the mod_svn modules for Subversion 1.13.0 on top of the latest Apache, everything seems ok

 on: October 20, 2019, 08:57:41 PM 
Started by Gregg - Last post by Gregg
Announcing the release of Apache 2.4.41 with LibreSSL 3.0.2

I really do not understand the LibreSSL versioning. It seems to be different from most or in other words, it is just a number and new sources are out. This is a new major version, but what does it offer that 2.9 didn't? Does it even offer TLS/1.3? No.

The numbers have change in the names of the LibreSSL DLLs, again.
crypto-45.dll now so you can remove crypto-44.dll
ssl-47.dll now so you can remove ssl-46.dll
tls-19.dll now so you can remove tls-18.dll

The Change log can be viewed Here

It is mainly just a "plethora" of bug fixes. We will see if the Visual Studio optimizations work out. It just may be worthy of a major version bump after all. I have however thought they just do not like double digit numbers in their versioning (like 2.10.2) for some time now.

Get your copy today from our download page.

 on: August 15, 2019, 12:26:22 AM 
Started by Gregg - Last post by Gregg
See for the details.

 on: August 15, 2019, 12:24:10 AM 
Started by Gregg - Last post by Gregg
Isn't that special!

Not 24 hours after Apache 2.4.41 released nghttp2 released version 1.39.2 to fix these vulnerabilities. Argh!

Normally I just let it go because it's usually some minor bug fix but NO, it fixes a remotely exploitable Denial of Service vulnerability that I would classify as "High Severity" if using mod_http2.

I found out about it not from the usual places I get information like this but from El Reg of all places. If you look at this list of applications affected you will notice it says Apache is not affected, but nghttp2 is which mod_http2 uses. I think it's best to just play it safe and update.

I've already put new downloads on the download page but anyone who downloaded a non-r2 package (within last 36 hours +/- as of this post) should update the nghttp2.dll file in Apache's bin folder.

Replacement DLL Apache 2.4.41 VC14 (with OpenSSL 1.0.2s or LibreSSL 2.9.2)


Replacement DLL Apache 2.4.41 VC15 (with OpenSSL 1.1.1c)


  • Download the proper zip file for your version of Apache
  • Shutdown Apache
  • Copy DLL from the zip file into Apache's bin folder overwriting the existing dll
  • Start Apache

 on: August 13, 2019, 07:14:41 AM 
Started by Gregg - Last post by Gregg
Announcing the release of Apache 2.4.41

The big news for this release is mod_md 2.0. A good amount of bugs fixed as well.

As for mod_md, a small list of the many changes and new features;

now supports the ACMEv2 protocol
new challenge method 'tls-alpn-01' implemented
challenge type 'tls-sni-01' has been removed
managed domains are now in Apache's 'server-status' page

If you use mod_md it's probably a good idea to review the change log and mod_md's manual page.

Versioning Information;

APR Version:        1.7.0
APU Version:        1.6.1
Brotli Version:    1.0.7
Jansson Version:    2.12
Libcurl Version:   7.65.3
LibXML2 Version:    2.9.9
LUA Version:        5.2.4
NGHTTP2 Version:    1.37.0
OpenSSL Version:    1.0.2s, 1.1.1c or LibreSSL 2.9.2
PCRE Version:       8.43
SQLite3 Version:    3.29.0
ZLib Version:       1.2.10

You can get your copy of the new Apache HTTP Server from our download page.

Change Log for Apache 2.4.41

 on: May 31, 2019, 08:59:40 AM 
Started by Gregg - Last post by mario
Thanks a lot for building!

 on: May 30, 2019, 07:59:58 PM 
Started by Gregg - Last post by Gregg
Announcing the release of Apache 2.4.39 with updated OpenSSL or LibreSSL

OpenSSL releases updated from 1.0.2r to 1.0.2s or 1.1.1b to 1.1.1c
LibreSSL releases updated from 2.8.3 to 2.9.2*

Other dependency updates include;

APR 1.6.5 to 1.7.0
Libcurl from 7.63.0 tp 7.65.0
NGHTTP2 from 1.37.0 to 1.38.0
SQLite library from 3.27.2 to 3.28.0

You can get your copy of the new Apache HTTP Server from our download page.

* LibreSSL users, the DLL files crypto, ssl & tls have changed (every new minor version) so you can delete your lower numbered files.

Pages: 1 ... 8 9 [10]