On Monday, 2019-12-30 at 09:14 +0100, Per Jessen wrote:
Carlos E. R. wrote:
On Sunday, 2019-12-29 at 21:29 +0100, Per Jessen wrote:
Carlos E. R. wrote:
/var/log/apache2/isengard.valinor-error_log:
[Sun Dec 29 14:11:14.779263 2019] [apparmor:warn] [pid 23178]
I thought you wrote you had disabled apparmor?
I did. But there is a mod_apparmor apache module which refuses to give up, and it is what produces this error. There is no corresponding audit entry when aa is off.
Afaik, apache's mod_apparmor does not work without apparmor.
Well, it prints messages. BUG.
I doubt it, the module itself probably does not log anything, it is done by apparmor. I don't know how that setup works though, I've never used mod_apparmor. (we use mod_itk to run every request with user privileges only.)
The apache logs are written by apache itself.

I don't know why mod_apparmor is installed. Either it was by default, or I thought it was a good idea months or years ago. But I have done no configuration of it. In the configuration files the word "apparmor" does not appear.

A test:

terminal 1:

Isengard:~ # systemctl stop apparmor

terminal 2:

Isengard:~ # tail -f /var/log/audit/audit.log

terminal 1:

Isengard:~ # systemctl restart apache2

terminal 2:

type=AVC msg=audit(1577710738.035:2546): apparmor="DENIED" operation="change_hat" info="unconfined can not change_hat" error=-1 profile="unconfined" pid=415 comm="httpd-prefork"
type=AVC msg=audit(1577710738.035:2547): apparmor="DENIED" operation="change_hat" info="unconfined can not change_hat" error=-1 profile="unconfined" pid=416 comm="httpd-prefork"
type=AVC msg=audit(1577710738.035:2548): apparmor="DENIED" operation="change_hat" info="unconfined can not change_hat" error=-1 profile="unconfined" pid=419 comm="httpd-prefork"
type=AVC msg=audit(1577710738.035:2549): apparmor="DENIED" operation="change_hat" info="unconfined can not change_hat" error=-1 profile="unconfined" pid=417 comm="httpd-prefork"
type=AVC msg=audit(1577710738.035:2550): apparmor="DENIED" operation="change_hat" info="unconfined can not change_hat" error=-1 profile="unconfined" pid=418 comm="httpd-prefork"

As you can see, apparmor is stopped, yet it prints messages in the audit log.
(this command done later)

terminal 1:

Isengard:~ # systemctl status apparmor
● apparmor.service - Load AppArmor profiles
   Loaded: loaded (/usr/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
   Active: *inactive* (dead) since Mon 2019-12-30 13:58:17 CET; 16min ago
  Process: 326 ExecStop=/bin/true (code=exited, status=0/SUCCESS)
  Process: 24924 ExecStart=/lib/apparmor/apparmor.systemd reload (code=exited, status=0/SUCCESS)
 Main PID: 24924 (code=exited, status=0/SUCCESS)
      CPU: 4ms

(emphasis added by me)

and:

terminal 1:

Isengard:~ # aa-status | less
apparmor module is loaded.
52 profiles are loaded.
52 profiles are in enforce mode.
   ...
   apache2
   ...
0 profiles are in complain mode.
11 processes have profiles defined.
11 processes are in enforce mode.
   /usr/sbin/dnsmasq (3423)
   /usr/sbin/nmbd (3418)
   /usr/sbin/nmbd (3506)
   /usr/sbin/smbd (3563)
   /usr/sbin/smbd (3699)
   /usr/sbin/smbd (3701)
   /usr/sbin/smbd (3746)
   /usr/sbin/avahi-daemon (1382) avahi-daemon
   /usr/sbin/nscd (1466) nscd
   /usr/sbin/ntpd (4175) ntpd
   /usr/sbin/ntpd (4181) ntpd
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
terminal 3:

cer@Telcontar:~> w3m http://isengard.valinor

(fails)

terminal 2:

type=AVC msg=audit(1577710976.617:2551): apparmor="DENIED" operation="change_hat" info="unconfined can not change_hat" error=-1 profile="unconfined" pid=415 comm="httpd-prefork"
type=AVC msg=audit(1577710976.617:2552): apparmor="DENIED" operation="change_hat" info="unconfined can not change_hat" error=-1 profile="unconfined" pid=415 comm="httpd-prefork"
type=AVC msg=audit(1577710976.617:2553): apparmor="DENIED" operation="change_hat" info="unconfined can not change_hat" error=-1 profile="unconfined" pid=415 comm="httpd-prefork"

/var/log/apache2/error_log:

[Mon Dec 30 13:58:57.925094 2019] [mpm_prefork:notice] [pid 14978] AH00170: caught SIGWINCH, shutting down gracefully
[Mon Dec 30 13:58:58.039971 2019] [mpm_prefork:notice] [pid 410] AH00163: Apache/2.4.33 (Linux/SUSE) configured -- resuming normal operations
[Mon Dec 30 13:58:58.040292 2019] [core:notice] [pid 410] AH00094: Command line: '/usr/sbin/httpd-prefork -D SYSCONFIG -C PidFile /var/run/httpd.pid -C Include /etc/apache2/sysconfig.d//loadmodule.conf -C Include /etc/apache2/sysconfig.d//global.conf -f /etc/apache2/httpd.conf -c Include /etc/apache2/sysconfig.d//include.conf -D SYSTEMD -D FOREGROUND'
[Mon Dec 30 13:58:58.040685 2019] [apparmor:error] [pid 415] (1)Operation not permitted: Failed to change_hat to 'HANDLING_UNTRUSTED_INPUT'
[Mon Dec 30 13:58:58.041056 2019] [apparmor:error] [pid 416] (1)Operation not permitted: Failed to change_hat to 'HANDLING_UNTRUSTED_INPUT'
[Mon Dec 30 13:58:58.041251 2019] [apparmor:error] [pid 419] (1)Operation not permitted: Failed to change_hat to 'HANDLING_UNTRUSTED_INPUT'
[Mon Dec 30 13:58:58.041838 2019] [apparmor:error] [pid 417] (1)Operation not permitted: Failed to change_hat to 'HANDLING_UNTRUSTED_INPUT'
[Mon Dec 30 13:58:58.041885 2019] [apparmor:error] [pid 418] (1)Operation not permitted: Failed to change_hat to 'HANDLING_UNTRUSTED_INPUT'
/var/log/apache2/isengard.valinor-access_log:

192.168.1.14 - - [30/Dec/2019:14:02:56 +0100] "GET / HTTP/1.0" 200 710 "-" "w3m/0.5.3+git20180125"

/var/log/apache2/isengard.valinor-error_log:

[Mon Dec 30 14:02:56.618591 2019] [apparmor:warn] [pid 415] (1)Operation not permitted: [client 192.168.1.14:46472] aa_change_hatv call failed
[Mon Dec 30 14:02:56.619391 2019] [apparmor:error] [pid 415] (1)Operation not permitted: [client 192.168.1.14:46472] Failed to change_hat to 'HANDLING_UNTRUSTED_INPUT'

However, all that is unrelated to apache not serving. If I try to open the page on localhost, it works:

terminal 5:

cer@Isengard:~> w3m http://localhost

Welcome to Isengard
Letras: \ | @ # €
[ficheros]

(success)

terminal 2:

type=AVC msg=audit(1577711903.555:2645): apparmor="DENIED" operation="change_hat" info="unconfined can not change_hat" error=-1 profile="unconfined" pid=416 comm="httpd-prefork"
type=AVC msg=audit(1577711903.555:2646): apparmor="DENIED" operation="change_hat" info="unconfined can not change_hat" error=-1 profile="unconfined" pid=416 comm="httpd-prefork"
type=AVC msg=audit(1577711903.555:2647): apparmor="DENIED" operation="change_hat" info="unconfined can not change_hat" error=-1 profile="unconfined" pid=416 comm="httpd-prefork"

You see? The same apparmor errors when apache serves.

/var/log/apache2/isengard.valinor-access_log:

::1 - - [30/Dec/2019:14:18:23 +0100] "GET / HTTP/1.0" 200 710 "-" "w3m/0.5.3+git20180125"

/var/log/apache2/isengard.valinor-error_log:

[Mon Dec 30 14:18:23.561741 2019] [apparmor:warn] [pid 416] (1)Operation not permitted: [client ::1:38492] aa_change_hatv call failed
[Mon Dec 30 14:18:23.562458 2019] [apparmor:error] [pid 416] (1)Operation not permitted: [client ::1:38492] Failed to change_hat to 'HANDLING_UNTRUSTED_INPUT'

So I think we should forget about apparmor, and try to find out why apache does not serve the page to the LAN when using vhosts.

I can try to remove the mod_apparmor module to make sure.

[...]
Well, I uninstalled it and apache does not work; same symptoms.

/var/log/apache2/isengard.valinor-access_log:

192.168.1.14 - - [30/Dec/2019:14:27:56 +0100] "GET / HTTP/1.0" 200 710 "-" "w3m/0.5.3+git20180125"

isengard.valinor-error_log: nothing.
/var/log/apache2/error_log: nothing.

Activating debug log. Still no error shown:

/var/log/apache2/isengard.valinor-access_log:

192.168.1.14 - - [30/Dec/2019:14:32:19 +0100] "GET / HTTP/1.0" 200 710 "-" "w3m/0.5.3+git20180125"

/var/log/apache2/isengard.valinor-error_log:

[Mon Dec 30 14:32:19.705043 2019] [authz_core:debug] [pid 2430] mod_authz_core.c(809): [client 192.168.1.14:47308] AH01626: authorization result of Require all granted: granted
[Mon Dec 30 14:32:19.705254 2019] [authz_core:debug] [pid 2430] mod_authz_core.c(809): [client 192.168.1.14:47308] AH01626: authorization result of <RequireAny>: granted

Mail "Using apache with two virtual hosts - restarting" explains the current configuration of apache.

The issue must be in /etc/apache2/vhosts.d/lan.conf:

<VirtualHost *:80>
    ServerAdmin webmaster@isengard.valinor
    ServerName isengard.valinor

    # DocumentRoot: The directory out of which you will serve your
    # documents. By default, all requests are taken from this directory, but
    # symbolic links and aliases may be used to point to other locations.
    DocumentRoot /srv/www.vh/htdocs/

    # if not specified, the global error log is used
    ErrorLog /var/log/apache2/isengard.valinor-error_log
    CustomLog /var/log/apache2/isengard.valinor-access_log combined

    # don't loose time with IP address lookups
    HostnameLookups Off

    # needed for named virtual hosts
    UseCanonicalName Off

    # configures the footer on server-generated documents
    ServerSignature On

    LogLevel debug

    # Optionally, include *.conf files from /etc/apache2/conf.d/
    #
    # For example, to allow execution of PHP scripts:
    #
    # Include /etc/apache2/conf.d/php5.conf
    #
    # or, to include all configuration snippets added by packages:
    Include /etc/apache2/conf.d/*.conf

    # ScriptAlias: This controls which directories contain server scripts.
    # ScriptAliases are essentially the same as Aliases, except that
    # documents in the realname directory are treated as applications and
    # run by the server when requested rather than as documents sent to the client.
    # The same rules about trailing "/" apply to ScriptAlias directives as to
    # Alias.
    #
    ScriptAlias /cgi-bin/ "/srv/www.vh/cgi-bin/"

    # "/srv/www.vh/cgi-bin" should be changed to whatever your ScriptAliased
    # CGI directory exists, if you have one, and where ScriptAlias points to.
    #
    <Directory "/srv/www.vh/cgi-bin/">
        AllowOverride None
        Options +ExecCGI -Includes
        <IfModule !mod_access_compat.c>
            Require all granted
        </IfModule>
        <IfModule mod_access_compat.c>
            Order allow,deny
            Allow from all
        </IfModule>
    </Directory>

    # UserDir: The name of the directory that is appended onto a user's home
    # directory if a ~user request is received.
    #
    # To disable it, simply remove userdir from the list of modules in APACHE_MODULES
    # in /etc/sysconfig/apache2.
    #
    <IfModule mod_userdir.c>
        # Note that the name of the user directory ("public_html") cannot simply be
        # changed here, since it is a compile time setting. The apache package
        # would have to be rebuilt. You could work around by deleting
        # /usr/sbin/suexec, but then all scripts from the directories would be
        # executed with the UID of the webserver.
        UserDir public_html
        # The actual configuration of the directory is in
        # /etc/apache2/mod_userdir.conf.
        Include /etc/apache2/mod_userdir.conf
        # You can, however, change the ~ if you find it awkward, by mapping e.g.
        # http://www.example.com/users/karl-heinz/ --> /home/karl-heinz/public_html/
        #AliasMatch ^/users/([a-zA-Z0-9-_.]*)/?(.*) /home/$1/public_html/$2
    </IfModule>

    #
    # This should be changed to whatever you set DocumentRoot to.
    #
    <Directory "/srv/www.vh/htdocs/">
        #
        # Possible values for the Options directive are "None", "All",
        # or any combination of:
        #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
        #
        # Note that "MultiViews" must be named *explicitly* --- "Options All"
        # doesn't give it to you.
        #
        # The Options directive is both complicated and important. Please see
        # http://httpd.apache.org/docs/2.4/mod/core.html#options
        # for more information.
        #
        Options Indexes FollowSymLinks

        #
        # AllowOverride controls what directives may be placed in .htaccess files.
        # It can be "All", "None", or any combination of the keywords:
        #   Options FileInfo AuthConfig Limit
        #
        AllowOverride None

        #
        # Controls who can get stuff from this server.
        #
        <IfModule !mod_access_compat.c>
            Require all granted
        </IfModule>
        <IfModule mod_access_compat.c>
            Order allow,deny
            Allow from all
        </IfModule>
    </Directory>
</VirtualHost>

terminal 3:

cer@Telcontar:~> telnet isengard.valinor 80
Trying 192.168.1.16...
Connected to isengard.valinor.
Escape character is '^]'.
GET /
Connection closed by foreign host.
cer@Telcontar:~>

-- 
Cheers,
       Carlos E. R.
       (from openSUSE 15.1 x86_64 at Telcontar)
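An added example, not part of the thread: a small Python parser for audit AVC records like the ones quoted above. It separates change_hat failures reported with profile="unconfined" (mod_apparmor loaded, but no profile applied to httpd-prefork, so the hat cannot exist and the call fails with EPERM, which is the "(1)Operation not permitted" in the apache log) from denials emitted by a real profile, so the former can be filtered out of detection rules without hiding the latter. The two httpd-prefork records are copied from the audit output above; the smbd record is constructed for contrast.

```python
import re
from collections import Counter

# Sample input: the first two records are taken from the audit.log output
# quoted in the thread; the third is a constructed policy denial for
# contrast (not a real event from that machine).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1577710738.035:2546): apparmor="DENIED" operation="change_hat" info="unconfined can not change_hat" error=-1 profile="unconfined" pid=415 comm="httpd-prefork"
type=AVC msg=audit(1577710738.035:2547): apparmor="DENIED" operation="change_hat" info="unconfined can not change_hat" error=-1 profile="unconfined" pid=416 comm="httpd-prefork"
type=AVC msg=audit(1577710900.100:2600): apparmor="DENIED" operation="open" profile="/usr/sbin/smbd" name="/root/notes.txt" pid=3563 comm="smbd" requested_mask="r" denied_mask="r"
"""

# key=value pairs; a value is either double-quoted (may contain spaces) or bare
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line):
    """Parse one audit AVC record into a dict; return None for other record types."""
    if not line.startswith("type=AVC "):
        return None
    return {key: quoted if quoted else bare for key, quoted, bare in KV_RE.findall(line)}


def classify(rec):
    """Label a parsed record.

    A change_hat failure with profile="unconfined" means aa_change_hat() was
    called by a process that has no AppArmor profile applied: there is no
    hat to switch to, so the kernel refuses with EPERM.  That is noise from
    a loaded mod_apparmor, not a policy decision, and is kept apart from
    denials produced by an actual profile.
    """
    if rec.get("apparmor") != "DENIED":
        return "other"
    if rec.get("operation") == "change_hat" and rec.get("profile") == "unconfined":
        return "unconfined-change_hat"
    return "policy-denial"


def summarize(audit_text):
    """Count records per (label, comm) so real denials stand out from the noise."""
    counts = Counter()
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            counts[(classify(rec), rec.get("comm"))] += 1
    return counts


if __name__ == "__main__":
    for (label, comm), n in sorted(summarize(SAMPLE_AUDIT).items()):
        print(f"{n:4d}  {label:22s}  {comm}")
```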