[opensuse] Using apache with two virtual hosts
Hi,

(Follow-up on "How can I share photos in intenrnet, with control?")

Following instructions on:

<https://en.opensuse.org/SDB:Apache_installation#Virtual_Hosts>
<http://httpd.apache.org/docs/2.2/vhosts/ip-based.html>

And ideas from Knurpht configuration and
<http://www.linuxandubuntu.com/home/how-to-create-virtual-hosts-on-apache-server-to-host-multiple-websites>

The internal and external vhosts are taken from the distribution provided "/etc/apache2/vhosts.d/vhost.template" file.

I got the "external view working", but not the "internal view", with basically the same configuration.

**** "External view", or external vhost - comments removed: ***

(DYN.DNS is a placeholder for the actual fqdns name accessible from internet)

File /etc/apache2/vhosts.d/DYN.DNS.conf:

    <VirtualHost *:50000>
        ServerAdmin webmaster@localhost
        ServerName DYN.DNS
        DocumentRoot /data/waterhoard/vhosts/DYN.DNS/htdocs
        ErrorLog /var/log/apache2/DYN.DNS-error_log
        CustomLog /var/log/apache2/DYN.DNS-access_log combined
        HostnameLookups Off
        UseCanonicalName Off
        ServerSignature On

        # Include /etc/apache2/conf.d/php5.conf
        #
        # or, to include all configuration snippets added by packages:
        # Include /etc/apache2/conf.d/*.conf

        ScriptAlias /cgi-bin/ "/data/waterhoard/vhosts/DYN.DNS/cgi-bin"

        <Directory "/data/waterhoard/vhosts/DYN.DNS/cgi-bin">
            AllowOverride None
            Options +ExecCGI -Includes
            <IfModule !mod_access_compat.c>
                Require all granted
            </IfModule>
            <IfModule mod_access_compat.c>
                Order allow,deny
                Allow from all
            </IfModule>
        </Directory>

        <Directory "/data/waterhoard/vhosts/DYN.DNS/htdocs">
            Options Indexes FollowSymLinks
            AllowOverride None
            <IfModule !mod_access_compat.c>
                Require all granted
            </IfModule>
            <IfModule mod_access_compat.c>
                Order allow,deny
                Allow from all
            </IfModule>
        </Directory>
    </VirtualHost>

And /etc/apache2/listen.conf:

    Listen 80
    Listen 50000

This is working, I get a "hello world" when browsing via internet.

*** Now the internal config.
***

/etc/apache2/vhosts.d/isengard.valinor.conf:

    <VirtualHost *:80>
        ServerAdmin webmaster@isengard.valinor
        ServerName isengard.valinor
        DocumentRoot /srv/www/htdocs/
        ErrorLog /var/log/apache2/isengard.valinor-error_log
        CustomLog /var/log/apache2/isengard.valinor-access_log combined

        # don't loose time with IP address lookups
        HostnameLookups Off

        # needed for named virtual hosts
        UseCanonicalName Off

        ServerSignature On

        Include /etc/apache2/conf.d/*.conf

        ScriptAlias /cgi-bin/ "/srv/www/cgi-bin/"

        <Directory "/srv/www/cgi-bin/">
            AllowOverride None
            Options +ExecCGI -Includes
            <IfModule !mod_access_compat.c>
                Require all granted
            </IfModule>
            <IfModule mod_access_compat.c>
                Order allow,deny
                Allow from all
            </IfModule>
        </Directory>

        <IfModule mod_userdir.c>
            UserDir public_html
            Include /etc/apache2/mod_userdir.conf
        </IfModule>

        <Directory "/srv/www/htdocs/">
            Options Indexes FollowSymLinks
            Options Indexes FollowSymLinks
            AllowOverride None
            <IfModule !mod_access_compat.c>
                Require all granted
            </IfModule>
            <IfModule mod_access_compat.c>
                Order allow,deny
                Allow from all
            </IfModule>
        </Directory>
    </VirtualHost>

** Differences from the default: **

Isengard:/etc/apache2/vhosts.d # diff vhost.template isengard.valinor.conf
14,15c14,15 < ServerAdmin webmaster@dummy-host.example.com < ServerName dummy-host.example.com - ---
ServerAdmin webmaster@isengard.valinor ServerName isengard.valinor
20c20 < DocumentRoot /srv/www/vhosts/dummy-host.example.com - ---
DocumentRoot /srv/www/htdocs/
23,24c23,24 < ErrorLog /var/log/apache2/dummy-host.example.com-error_log < CustomLog /var/log/apache2/dummy-host.example.com-access_log combined - ---
ErrorLog /var/log/apache2/isengard.valinor-error_log CustomLog /var/log/apache2/isengard.valinor-access_log combined
43c43 < # Include /etc/apache2/conf.d/*.conf - ---
Include /etc/apache2/conf.d/*.conf
53c53 < ScriptAlias /cgi-bin/ "/srv/www/vhosts/dummy-host.example.com/cgi-bin/" - ---
ScriptAlias /cgi-bin/ "/srv/www/cgi-bin/"
58c58 < <Directory "/srv/www/vhosts/dummy-host.example.com/cgi-bin"> - ---
<Directory "/srv/www/cgi-bin/">
96c96 < <Directory "/srv/www/vhosts/dummy-host.example.com"> - ---
<Directory "/srv/www/htdocs/">
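Review bot: In the 43c43 hunk, `Include /etc/apache2/conf.d/*.conf` is switched on inside this VirtualHost, while the external vhost that works keeps the same line commented out. That is a difference in behaviour rather than in names and paths, so comment it out again (or include only the one snippet that is actually needed) so the two vhosts can be compared like for like.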
Isengard:/etc/apache2/vhosts.d #

This "internal view", or internal vhost, does not work, and I do not understand why.

On the client, I get this:

links http://isengard.valinor gets:

    +------------------ Error ------------------+
    |                                           |
    |  Error loading http://isengard.valinor/:  |
    |                                           |
    |         Error reading from socket         |
    |                                           |
    |                [ Cancel ]                 |
    +-------------------------------------------+

On restart of server - /var/log/apache2/error_log:

    Sun Dec 29 13:41:17.457008 2019] [mpm_prefork:notice] [pid 22184] AH00170: caught SIGWINCH, shutting down gracefully
    [Sun Dec 29 13:41:17.572333 2019] [apparmor:error] [pid 22368] (1)Operation not permitted: Failed to change_hat to 'HANDLING_UNTRUSTED_INPUT'
    [Sun Dec 29 13:41:17.574198 2019] [apparmor:error] [pid 22370] (1)Operation not permitted: Failed to change_hat to 'HANDLING_UNTRUSTED_INPUT'
    [Sun Dec 29 13:41:17.574315 2019] [mpm_prefork:notice] [pid 22363] AH00163: Apache/2.4.33 (Linux/SUSE) configured -- resuming normal operations
    [Sun Dec 29 13:41:17.574542 2019] [core:notice] [pid 22363] AH00094: Command line: '/usr/sbin/httpd-prefork -D SYSCONFIG -C PidFile /var/run/httpd.pid -C Include /etc/apache2/sysconfig.d//loadmodule.conf -C Include /etc/apache2/sysconfig.d//global.conf -f /etc/apache2/httpd.conf -c Include /etc/apache2/sysconfig.d//include.conf -D SYSTEMD -DFOREGROUND'
    [Sun Dec 29 13:41:17.575249 2019] [apparmor:error] [pid 22369] (1)Operation not permitted: Failed to change_hat to 'HANDLING_UNTRUSTED_INPUT'
    [Sun Dec 29 13:41:17.576561 2019] [apparmor:error] [pid 22372] (1)Operation not permitted: Failed to change_hat to 'HANDLING_UNTRUSTED_INPUT'
    [Sun Dec 29 13:41:17.576819 2019] [apparmor:error] [pid 22371] (1)Operation not permitted: Failed to change_hat to 'HANDLING_UNTRUSTED_INPUT'

On browsing (to the internal view):

/var/log/apache2/isengard.valinor-access_log:

    192.168.1.14 - - [29/Dec/2019:13:41:42 +0100] "GET / HTTP/1.1" 200 710 "-" "Links (2.20.1; Linux 4.12.14-lp151.28.36-default x86_64; GNU C 7.4.1; text)"
    192.168.1.14 - - [29/Dec/2019:13:41:42 +0100] "GET / HTTP/1.1" 200 710 "-" "Links (2.20.1; Linux 4.12.14-lp151.28.36-default x86_64; GNU C 7.4.1; text)"
    192.168.1.14 - - [29/Dec/2019:13:41:42 +0100] "GET / HTTP/1.1" 200 710 "-" "Links (2.20.1; Linux 4.12.14-lp151.28.36-default x86_64; GNU C 7.4.1; text)"

/var/log/apache2/isengard.valinor-error_log:

    [Sun Dec 29 13:41:42.788877 2019] [apparmor:warn] [pid 22368] (1)Operation not permitted: [client 192.168.1.14:47426] aa_change_hatv call failed
    [Sun Dec 29 13:41:42.789642 2019] [apparmor:error] [pid 22368] (1)Operation not permitted: [client 192.168.1.14:47426] Failed to change_hat to 'HANDLING_UNTRUSTED_INPUT'
    [Sun Dec 29 13:41:42.791215 2019] [apparmor:warn] [pid 22370] (1)Operation not permitted: [client 192.168.1.14:47428] aa_change_hatv call failed
    [Sun Dec 29 13:41:42.791905 2019] [apparmor:error] [pid 22370] (1)Operation not permitted: [client 192.168.1.14:47428] Failed to change_hat to 'HANDLING_UNTRUSTED_INPUT'
    [Sun Dec 29 13:41:42.793221 2019] [apparmor:warn] [pid 22369] (1)Operation not permitted: [client 192.168.1.14:47430] aa_change_hatv call failed
    [Sun Dec 29 13:41:42.793810 2019] [apparmor:error] [pid 22369] (1)Operation not permitted: [client 192.168.1.14:47430] Failed to change_hat to 'HANDLING_UNTRUSTED_INPUT'

The apparmor error I think means it tries to associate to an IP that the machine doesn't have. But I'm not doing that, I use "*":

    <VirtualHost *:80>

I have done a test:

I copied /etc/apache2/vhosts.d/isengard.valinor.conf to isengard.valinor.bis.conf, listening on port 81. Works instantly.

So the error is not in that file!

--
Cheers
       Carlos E. R.
       (from 15.1 x86_64 at Telcontar)

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
Carlos E. R. wrote:
I have done a test:
I copied /etc/apache2/vhosts.d/isengard.valinor.conf to isengard.valinor.bis.conf, listening on port 81. Works instantly.
So the error is not in that file!
For starters you could just put the apache2 apparmor profile in complain mode.

    aa-complain /etc/apparmor.d/usr.sbin.apache2

You can continue working on your apache setup and investigate the apparmor issue later.

--
Per Jessen, Zürich (2.6°C)
http://www.dns24.ch/ - your free DNS host, made in Switzerland.
On 29/12/2019 14.57, Per Jessen wrote:
Carlos E. R. wrote:
I have done a test:
I copied /etc/apache2/vhosts.d/isengard.valinor.conf to isengard.valinor.bis.conf, listening on port 81. Works instantly.
So the error is not in that file!
For starters you could just put the apache2 apparmor profile in complain mode.
I tried stopping it, no difference.

    systemctl stop apparmor

I get:

    Error loading http://isengard.valinor:80/:
    Connection refused

/var/log/apache2/isengard.valinor-access_log:

    192.168.1.16 - - [29/Dec/2019:14:11:14 +0100] "GET / HTTP/1.1" 200 710 "-" "Links (2.20.1; Linux 4.12.14-lp151.28.36-default x86_64; GNU C 7.4.1; text)"

/var/log/apache2/isengard.valinor-error_log:

    [Sun Dec 29 14:11:14.779263 2019] [apparmor:warn] [pid 23178] (1)Operation not permitted: [client 192.168.1.16:56692] aa_change_hatv call failed
    [Sun Dec 29 14:11:14.779990 2019] [apparmor:error] [pid 23178] (1)Operation not permitted: [client 192.168.1.16:56692] Failed to change_hat to 'HANDLING_UNTRUSTED_INPUT'

And this using links browser on the apache machine, thus no firewall or routing involved.

http://isengard.valinor:81/: works fine.
aa-complain /etc/apparmor.d/usr.sbin.apache2
You can continue working on your apache setup and investigate the apparmor issue later.
Same result.

    Isengard:~ # aa-complain /etc/apparmor.d/usr.sbin.apache2
    Setting /etc/apparmor.d/usr.sbin.apache2 to complain mode.
    Isengard:~ # aa-logprof
    Reading log entries from /var/log/audit/audit.log.
    Updating AppArmor profiles in /etc/apparmor.d.
    Enforce-mode changes:

    Isengard:~ #

--
Cheers / Saludos,
       Carlos E. R.
       (from 15.1 x86_64 at Telcontar)
On 29/12/2019 15.18, Carlos E. R. wrote:
On 29/12/2019 14.57, Per Jessen wrote:
Carlos E. R. wrote:
I have done a test:
I copied /etc/apache2/vhosts.d/isengard.valinor.conf to isengard.valinor.bis.conf, listening on port 81. Works instantly.
So the error is not in that file!
For starters you could just put the apache2 apparmor profile in complain mode.
I tried stopping it, no difference.
systemctl stop apparmor
I get:
Error loading http://isengard.valinor:80/: Connection refused
/var/log/apache2/isengard.valinor-access_log:
192.168.1.16 - - [29/Dec/2019:14:11:14 +0100] "GET / HTTP/1.1" 200 710 "-" "Links (2.20.1; Linux 4.12.14-lp151.28.36-default x86_64; GNU C 7.4.1; text)"
/var/log/apache2/isengard.valinor-error_log:
[Sun Dec 29 14:11:14.779263 2019] [apparmor:warn] [pid 23178] (1)Operation not permitted: [client 192.168.1.16:56692] aa_change_hatv call failed [Sun Dec 29 14:11:14.779990 2019] [apparmor:error] [pid 23178] (1)Operation not permitted: [client 192.168.1.16:56692] Failed to change_hat to 'HANDLING_UNTRUSTED_INPUT'
Google has some hits of those aa errors, nothing conclusive. Example:

<https://lists.rosenauer.org/pipermail/evergreen/2016-August/001937.html>

It appears to be an old *SUSE bug, probably unrelated to my problem. Noise.

Hum! Got it working on localhost. Fails on the LAN. I had replaced the "Listen 80" with "Listen 81".

Current status:

Browsing on localhost now works on both ports 80 and 81.

Browsing from the LAN I get "Error reading from socket", both on ports 80 and 81. It is not the firewall, no entries in log.

I have a guess what it might be (some "allow from"), but I need sustenance first. I'm getting a headache.

--
Cheers / Saludos,
       Carlos E. R.
       (from 15.1 x86_64 at Telcontar)
Carlos E. R. wrote:
Current status:
Browsing on localhost now works on both ports 80 and 81.
Browsing from the LAN I get "Error reading from socket", both on ports 80 and 81. It is not the firewall, no entries in log.
I have a guess what it might be (some "allow from"),
No it isn't, that would give you a 403.

what does "ss -ltn" say?

I suspect your apache is only listening on localhost.

--
Per Jessen, Zürich (0.5°C)
http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
On Sunday, 2019-12-29 at 16:45 +0100, Per Jessen wrote:
Carlos E. R. wrote:
Current status:
Browsing on localhost now works on both ports 80 and 81.
Browsing from the LAN I get "Error reading from socket", both on ports 80 and 81. It is not the firewall, no entries in log.
I have a guess what it might be (some "allow from"),
No it isn't, that would give you a 403.
Ok...
what does "ss -ltn" say?
I suspect your apache is only listening on localhost.
    State    Recv-Q   Send-Q   Local Address:Port    Peer Address:Port
    LISTEN   0        20       0.0.0.0:5000          0.0.0.0:*
    LISTEN   0        5        0.0.0.0:4713          0.0.0.0:*
    LISTEN   0        5        0.0.0.0:873           0.0.0.0:*
    LISTEN   0        50       0.0.0.0:139           0.0.0.0:*
    LISTEN   0        128      0.0.0.0:40399         0.0.0.0:*
    LISTEN   0        128      0.0.0.0:111           0.0.0.0:*
    LISTEN   0        128      0.0.0.0:8081          0.0.0.0:*
    LISTEN   0        20       0.0.0.0:4242          0.0.0.0:*
    LISTEN   0        20       0.0.0.0:4243          0.0.0.0:*
    LISTEN   0        20       0.0.0.0:4244          0.0.0.0:*
    LISTEN   0        32       0.0.0.0:53            0.0.0.0:*
    LISTEN   0        128      0.0.0.0:22            0.0.0.0:*
    LISTEN   0        5        127.0.0.1:631         0.0.0.0:*
    LISTEN   0        100      192.168.1.16:25       0.0.0.0:*
    LISTEN   0        100      127.0.0.1:25          0.0.0.0:*
    LISTEN   0        128      127.0.0.1:6010        0.0.0.0:*
    LISTEN   0        128      127.0.0.1:6011        0.0.0.0:*
    LISTEN   0        128      127.0.0.1:6012        0.0.0.0:*
    LISTEN   0        128      127.0.0.1:6013        0.0.0.0:*
    LISTEN   0        50       0.0.0.0:445           0.0.0.0:*
    LISTEN   0        5        0.0.0.0:16001         0.0.0.0:*
    LISTEN   0        10       0.0.0.0:9090          0.0.0.0:*
    LISTEN   0        5        [::]:4713             [::]:*
    LISTEN   0        5        [::]:873              [::]:*
    LISTEN   0        50       [::]:139              [::]:*
    LISTEN   0        128      [::]:111              [::]:*
    LISTEN   0        128      *:50000               *:*        <===
    LISTEN   0        128      *:80                  *:*        <===
    LISTEN   0        128      *:81                  *:*        <===
    LISTEN   0        128      [::]:8081             [::]:*
    LISTEN   0        50       *:1716                *:*
    LISTEN   0        32       [::]:53               [::]:*
    LISTEN   0        128      [::]:22               [::]:*
    LISTEN   0        5        [::1]:631             [::]:*
    LISTEN   0        100      [::1]:25              [::]:*
    LISTEN   0        128      [::1]:6010            [::]:*
    LISTEN   0        128      [::1]:6011            [::]:*
    LISTEN   0        128      [::]:52603            [::]:*
    LISTEN   0        128      [::1]:6012            [::]:*
    LISTEN   0        128      [::1]:6013            [::]:*
    LISTEN   0        50       [::]:445              [::]:*
    LISTEN   0        5        [::]:16001            [::]:*
    LISTEN   0        10       [::]:9090             [::]:*

--
Cheers,
       Carlos E. R.
       (from openSUSE 15.1 x86_64 at Telcontar)
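Added example (not part of any message in the thread): a Python helper that performs the check Per Jessen asks for, classifying every listening port in `ss -ltn` output as bound to any address, to one specific address, or to loopback only. The function names and the shortened sample listing are constructed for illustration; the rows follow the format of the output above.

```python
import ipaddress

# Constructed sample in the format printed by `ss -ltn` (a shortened listing,
# not the full output quoted in the thread).
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       5       127.0.0.1:631        0.0.0.0:*
LISTEN  0       100     192.168.1.16:25      0.0.0.0:*
LISTEN  0       128     *:50000              *:*
LISTEN  0       128     *:80                 *:*
LISTEN  0       5       [::1]:631            [::]:*
LISTEN  0       128     [::]:22              [::]:*
"""

# Addresses ss prints for "all interfaces" (dual-stack, IPv4, IPv6).
WILDCARDS = {"*", "0.0.0.0", "::"}


def split_endpoint(endpoint):
    """Split ss's 'addr:port' column; handles '*', IPv4, '[v6]' and '%iface'."""
    addr, _, port = endpoint.rpartition(":")
    # Drop an interface suffix first, then the IPv6 brackets.
    return addr.split("%")[0].strip("[]"), int(port)


def bind_scope(addr):
    """Return 'any', 'loopback' or 'specific' for one bind address."""
    if addr in WILDCARDS:
        return "any"
    return "loopback" if ipaddress.ip_address(addr).is_loopback else "specific"


def listeners(ss_output):
    """Map each listening TCP port to the set of bind scopes seen for it."""
    by_port = {}
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or anything that is not a listener row
        addr, port = split_endpoint(fields[3])
        by_port.setdefault(port, set()).add(bind_scope(addr))
    return by_port


def exposure(ss_output, port):
    """Describe what the bind address alone allows for one port."""
    scopes = listeners(ss_output).get(port)
    if not scopes:
        return "not listening"
    if scopes == {"loopback"}:
        return "loopback only"
    # Only the socket binding is judged here; firewall rules and the
    # web server's own configuration are separate checks.
    return "accepts non-loopback connections"


if __name__ == "__main__":
    for p in (80, 81, 631, 50000):
        print(p, exposure(SAMPLE_SS, p))
```

A port reported as "accepts non-loopback connections" only rules out the bind address as the cause, which is the situation in this thread.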
Carlos E. R. wrote:
what does "ss -ltn" say?
I suspect your apache is only listening on localhost.
    State    Recv-Q   Send-Q   Local Address:Port    Peer Address:Port
    [snip]
    LISTEN   0        128      *:50000               *:*        <===
    LISTEN   0        128      *:80                  *:*        <===
    LISTEN   0        128      *:81                  *:*        <===
Okay, that's good - can you connect to those using telnet, from another internal machine?

--
Per Jessen, Zürich (-1.7°C)
http://www.cloudsuisse.com/ - your owncloud, hosted in Switzerland.
On Sunday, 2019-12-29 at 21:20 +0100, Per Jessen wrote:

--
Cheers,
       Carlos E. R.
       (from openSUSE 15.1 x86_64 at Telcontar)

On 2019-12-29 at 21:20 +0100, Per Jessen wrote:
Date: Sun, 29 Dec 2019 21:20:22 +0100 From: Per Jessen <per@computer.org> To: opensuse@opensuse.org Subject: Re: [opensuse] Using apache with two virtual hosts
Carlos E. R. wrote:
what does "ss -ltn" say?
I suspect your apache is only listening on localhost.
    State    Recv-Q   Send-Q   Local Address:Port    Peer Address:Port
    [snip]
    LISTEN   0        128      *:50000               *:*        <===
    LISTEN   0        128      *:80                  *:*        <===
    LISTEN   0        128      *:81                  *:*        <===
Okay, that's good - can you connect to those using telnet, from another internal machine?
    cer@Telcontar:~> telnet isengard.valinor 80
    Trying 192.168.1.16...
    Connected to isengard.valinor.
    Escape character is '^]'.
    hi?
    HTTP/1.1 400 Bad Request
    Date: Sun, 29 Dec 2019 20:41:35 GMT
    Server: Apache
    Vary: accept-language,accept-charset

Apache does talk, but I do not know the language.

    cer@Telcontar:~> telnet isengard.valinor 50000
    Trying 192.168.1.16...
    ^C
    cer@Telcontar:~>

This one fails, is intentionally closed in the firewall. Only incoming from the router are accepted.
Carlos --

...and then Carlos E. R. said...
% ...
% cer@Telcontar:~> telnet isengard.valinor 80
% Trying 192.168.1.16...
% Connected to isengard.valinor.
% Escape character is '^]'.
% hi?
...
%
% Apache does talk, but I do not know the language.
[snip]

Try

    GET /

when you connect.

    davidtg@gezebel:~> telnet justpickone.org 80
    Trying 74.208.250.170...
    Connected to justpickone.org.
    Escape character is '^]'.
    GET /
    <html>
    <head>
    </head>
    <title>secure</title>
    <body bgcolor=#FFFFFF text=#001C66>
    secure
    </body>
    </html>
    Connection closed by foreign host.
    davidtg@gezebel:~>

You need to send standard HTTP commands; a GET is the easiest.

HTH & HNY

:-D
--
David T-G
See http://justpickone.org/davidtg/email/
See http://justpickone.org/davidtg/tofu.txt
On Sunday, 2019-12-29 at 18:21 -0500, David T-G wrote:
...and then Carlos E. R. said... % ... % cer@Telcontar:~> telnet isengard.valinor 80 % Trying 192.168.1.16... % Connected to isengard.valinor. % Escape character is '^]'. % hi? ... % % Apache does talk, but I do not know the language. [snip]
Try
GET /
    cer@Telcontar:~> telnet isengard.valinor 80
    Trying 192.168.1.16...
    Connected to isengard.valinor.
    Escape character is '^]'.
    GET /
    Connection closed by foreign host.
    cer@Telcontar:~>

Well, that is the problem.

When doing it in the same host, it responds correctly:

    cer@Isengard:~> telnet isengard.valinor 80
    Trying 192.168.1.16...
    Connected to isengard.valinor.
    Escape character is '^]'.
    GET /
    <html><body>
    <h1>Welcome to Isengard</a></h1>
    <h3>Letras: \ | @ # € </h3>
    <h2>
    <a href="/ficheros" title="Ficheros">[ficheros]</a>
    <br>
    <a href="/ficheros/mirrors" title="Mirrors">[Mirrors]</a>
    <br>
    ...

which is correct.

In "/etc/apache2/global.conf" I changed:

    #LogLevel warn
    LogLevel debug

Still I get the same useless log output - doesn't seem to be any more verbose:

error_log:

    [Mon Dec 30 01:45:41.393474 2019] [mpm_prefork:notice] [pid 3535] AH00170: caught SIGWINCH, shutting down gracefully
    [Mon Dec 30 01:45:41.508018 2019] [apparmor:error] [pid 14984] (1)Operation not permitted: Failed to change_hat to 'HANDLING_UNTRUSTED_INPUT'
    [Mon Dec 30 01:45:41.509358 2019] [mpm_prefork:notice] [pid 14978] AH00163: Apache/2.4.33 (Linux/SUSE) configured -- resuming normal operations
    [Mon Dec 30 01:45:41.509349 2019] [apparmor:error] [pid 14985] (1)Operation not permitted: Failed to change_hat to 'HANDLING_UNTRUSTED_INPUT'
    [Mon Dec 30 01:45:41.509595 2019] [core:notice] [pid 14978] AH00094: Command line: '/usr/sbin/httpd-prefork -D SYSCONFIG -C PidFile /var/run/httpd.pid -C Include /etc/apache2/sysconfig.d//loadmodule.conf -C Include /etc/apache2/sysconfig.d//global.conf -f /etc/apache2/httpd.conf -c Include /etc/apache2/sysconfig.d//include.conf -D SYSTEMD -D FOREGROUND'
    [Mon Dec 30 01:45:41.510742 2019] [apparmor:error] [pid 14987] (1)Operation not permitted: Failed to change_hat to 'HANDLING_UNTRUSTED_INPUT'
    [Mon Dec 30 01:45:41.511513 2019] [apparmor:error] [pid 14983] (1)Operation not permitted: Failed to change_hat to 'HANDLING_UNTRUSTED_INPUT'
    [Mon Dec 30 01:45:41.511674 2019] [apparmor:error] [pid 14986] (1)Operation not permitted: Failed to change_hat to 'HANDLING_UNTRUSTED_INPUT'

isengard.valinor-access_log:

    192.168.1.14 - - [30/Dec/2019:01:45:15 +0100] "GET / HTTP/1.0" 200 710 "-" "w3m/0.5.3+git20180125"
    192.168.1.14 - - [30/Dec/2019:01:45:45 +0100] "GET / HTTP/1.0" 200 710 "-" "w3m/0.5.3+git20180125"

/var/log/apache2/isengard.valinor-error_log:

    [Mon Dec 30 01:45:15.575394 2019] [apparmor:warn] [pid 14948] (1)Operation not permitted: [client 192.168.1.14:39928] aa_change_hatv call failed
    [Mon Dec 30 01:45:15.576162 2019] [apparmor:error] [pid 14948] (1)Operation not permitted: [client 192.168.1.14:39928] Failed to change_hat to 'HANDLING_UNTRUSTED_INPUT'
    [Mon Dec 30 01:45:45.321874 2019] [apparmor:warn] [pid 14984] (1)Operation not permitted: [client 192.168.1.14:39940] aa_change_hatv call failed
    [Mon Dec 30 01:45:45.322739 2019] [apparmor:error] [pid 14984] (1)Operation not permitted: [client 192.168.1.14:39940] Failed to change_hat to 'HANDLING_UNTRUSTED_INPUT'

This apparmor thing seems to be a bug. A decade old bug.

<https://www.drupal.org/forum/support/installing-drupal/2008-01-19/server-error-500-apparmor>
<https://lists.rosenauer.org/pipermail/evergreen/2016-August/001937.html>

No clue why it appears, but seems unrelated to my problem.

Also no clue what may cause my problem.

--
Cheers,
       Carlos E. R.
       (from openSUSE 15.1 x86_64 at Telcontar)
Carlos E. R. wrote:
On 29/12/2019 14.57, Per Jessen wrote:
Carlos E. R. wrote:
I have done a test:
I copied /etc/apache2/vhosts.d/isengard.valinor.conf to isengard.valinor.bis.conf, listening on port 81. Works instantly.
So the error is not in that file!
For starters you could just put the apache2 apparmor profile in complain mode.
I tried stopping it, no difference.
systemctl stop apparmor
I get:
Error loading http://isengard.valinor:80/: Connection refused
Much better result - so clearly nothing is listening on that port.
/var/log/apache2/isengard.valinor-error_log:
[Sun Dec 29 14:11:14.779263 2019] [apparmor:warn] [pid 23178]
I thought you wrote you had disabled apparmor?
http://isengard.valinor:81/: works fine.
I think there is something interfering with your config, but I can't think of what. Except for one, all of our customer webservers are running 15.1, I don't recall any such issues.
aa-complain /etc/apparmor.d/usr.sbin.apache2
You can continue working on your apache setup and investigate the apparmor issue later.
Same result.
But now we know it is probably not a problem in apparmor.

--
Per Jessen, Zürich (0.4°C)
http://www.dns24.ch/ - your free DNS host, made in Switzerland.
On Sunday, 2019-12-29 at 16:43 +0100, Per Jessen wrote:
Carlos E. R. wrote:
On 29/12/2019 14.57, Per Jessen wrote:
Carlos E. R. wrote:
I have done a test:
I copied /etc/apache2/vhosts.d/isengard.valinor.conf to isengard.valinor.bis.conf, listening on port 81. Works instantly.
So the error is not in that file!
For starters you could just put the apache2 apparmor profile in complain mode.
I tried stopping it, no difference.
systemctl stop apparmor
I get:
Error loading http://isengard.valinor:80/: Connection refused
Much better result - so clearly nothing is listening on that port.
/var/log/apache2/isengard.valinor-error_log:
[Sun Dec 29 14:11:14.779263 2019] [apparmor:warn] [pid 23178]
I thought you wrote you had disabled apparmor?
I did. But there is a mod_apparmor apache module who refuses to give up and it is who produces this error. There is no corresponding audit entry when aa is off.
http://isengard.valinor:81/: works fine.
I think there is something interfering with your config, but I can't think of what. Except for one, all of our customer webservers are running 15.1, I don't recall any such issues.
Yeah. The situation is: 01) I had a working webserver, for the local LAN and localhost only. 02) I create a vhost for outside, which finally is working (just says "hey guys" in Spanish) 02b) The LAN view of the webserver stops working as soon as I create a vhost. I don't remember testing on localhost. I'll do (on 4) 03) I create another vhost for the port 80 and yet another on 81. It apparently works from localhost, but not from LAN.
aa-complain /etc/apparmor.d/usr.sbin.apache2
You can continue working on your apache setup and investigate the apparmor issue later.
Same result.
But now we know it is probably not a problem in apparmor.
There is that.

4) I now move /etc/apache2/vhosts.d/isengard.valinor to /etc/apache2.quitado/isengard.valinor. Same for isengard.valinor.bis, which holds the port 81 vhost.

This should remove the LAN vhosts, and reestablish the "default" view.

I restart apache, and yet, localhost views with "links" continue working on ports 80 and 81!

[...] (trimming the long thinking)

How can it display the page? There is no configuration for port 81...

Oh, ok, the default configuration is indeed working on localhost.

/etc/apache2/listen.conf:

    Listen 80
    Listen 81
    Listen 50000

That's it. I comment out the 81, and now:

    cer@Isengard:~> w3m http://localhost:81
    w3m: Can't load http://localhost:81.
    cer@Isengard:~>

So, this is working as it should - with two exceptions.

11) I have a vhost, or view from internet, separate. It works.

12) I have the previous configuration, that works on localhost, but not from the LAN:

    links: Error reading from socket
    w3m: blank page.

13) Idea: while I created the LAN vhost, I renamed httpd.conf.local to httpd.conf.local.no - let's undo.

[...]

Nope, issue remains.

14) Second issue: The localhost view produces the correct web page, but none of the links work:

+++....
Welcome to Isengard

Letras: \ | @ # €

[ficheros]
[Mirrors]
....++-

The links produce:

+++....
Access forbidden!

You don't have permission to access the requested object. It is either read-protected or not readable by the server.

If you think this is a server error, please contact the webmaster.

Error 403

localhost
Apache
....++-

The "default" configuration I have not touched, and it worked days ago.

What to do?

I don't know if I should try to restore the "default" configuration to listen on localhost and LAN (how?), or disable it (how?) and instead create another vhost that listens on both LAN and localhost.

I think I should go for the second option, but how to disable the default view?

--
Cheers,
       Carlos E. R.
       (from openSUSE 15.1 x86_64 at Telcontar)
Carlos E. R. wrote:
/var/log/apache2/isengard.valinor-error_log:
[Sun Dec 29 14:11:14.779263 2019] [apparmor:warn] [pid 23178]
I thought you wrote you had disabled apparmor?
I did. But there is a mod_apparmor apache module who refuses to give up and it is who produces this error. There is no corresponding audit entry when aa is off.
Afaik, apache's mod_apparmor does not work without apparmor.
The situation is:
01) I had a working webserver, for the local LAN and localhost only.
02) I create a vhost for outside, which finally is working (just says "hey guys" in Spanish)
02b) The LAN view of the webserver stops working as soon as I create a vhost. I don't remember testing on localhost. I'll do (on 4)
What is "the LAN view of the webserver" ?
4) I now move /etc/apache2/vhosts.d/isengard.valinor to
Not isengard.valinor.conf ? if it isn't called .conf, the default config will not include it.

--
Per Jessen, Zürich (-1.7°C)
On Sunday, 2019-12-29 at 21:29 +0100, Per Jessen wrote:
Carlos E. R. wrote:
/var/log/apache2/isengard.valinor-error_log:
[Sun Dec 29 14:11:14.779263 2019] [apparmor:warn] [pid 23178]
I thought you wrote you had disabled apparmor?
I did. But there is a mod_apparmor apache module who refuses to give up and it is who produces this error. There is no corresponding audit entry when aa is off.
Afaik, apache's mod_apparmor does not work without apparmor.
Well, it prints messages. BUG.
The situation is:
01) I had a working webserver, for the local LAN and localhost only.
02) I create a vhost for outside, which finally is working (just says "hey guys" in Spanish)
02b) The LAN view of the webserver stops working as soon as I create a vhost. I don't remember testing on localhost. I'll do (on 4)
What is "the LAN view of the webserver" ?
Ok, I mean browsing with w3m or links from my desktop machine to my server machine, Isengard.
4) I now move /etc/apache2/vhosts.d/isengard.valinor to
Not isengard.valinor.conf ? if it isn't called .conf, the default config will not include it.
Paranoia. I know. But I was getting strange unexpected (by me) results, so I moved them out to another directory.

I have changed things again, I explain in another post.

--
Cheers,
       Carlos E. R.
       (from openSUSE 15.1 x86_64 at Telcontar)
Carlos E. R. wrote:
On Sunday, 2019-12-29 at 21:29 +0100, Per Jessen wrote:
Carlos E. R. wrote:
/var/log/apache2/isengard.valinor-error_log:
[Sun Dec 29 14:11:14.779263 2019] [apparmor:warn] [pid 23178]
I thought you wrote you had disabled apparmor?
I did. But there is a mod_apparmor apache module who refuses to give up and it is who produces this error. There is no corresponding audit entry when aa is off.
Afaik, apache's mod_apparmor does not work without apparmor.
Well, it prints messages. BUG.
I doubt it, the module itself probably does not log anything, it is done by apparmor. I don't know how that setup works though, I've never used mod_apparmor. (we use mod_itk to run every request with user privileges only.)

--
Per Jessen, Zürich (0.0°C)
http://www.dns24.ch/ - your free DNS host, made in Switzerland.
On Monday, 2019-12-30 at 09:14 +0100, Per Jessen wrote:
Carlos E. R. wrote:
On Sunday, 2019-12-29 at 21:29 +0100, Per Jessen wrote:
Carlos E. R. wrote:
/var/log/apache2/isengard.valinor-error_log:
[Sun Dec 29 14:11:14.779263 2019] [apparmor:warn] [pid 23178]
I thought you wrote you had disabled apparmor?
I did. But there is a mod_apparmor apache module who refuses to give up and it is who produces this error. There is no corresponding audit entry when aa is off.
Afaik, apache's mod_apparmor does not work without apparmor.
Well, it prints messages. BUG.
I doubt it, the module itself probably does not log anything, it is done by apparmor. I don't know how that setup works though, I've never used mod_apparmor. (we use mod_itk to run every request with user privileges only.)
The apache logs are written by apache itself.

I don't know why mod_apparmor is installed. Either it was by default, or I thought it is a good idea months or years ago. But I have done no configuration of it. In the configuration files the word "apparmor" does not appear.

A test:

terminal 1:
    Isengard:~ # systemctl stop apparmor

terminal 2:
    Isengard:~ # tail -f /var/log/audit/audit.log

terminal 1:
    Isengard:~ # systemctl restart apache2

terminal 2:
    type=AVC msg=audit(1577710738.035:2546): apparmor="DENIED" operation="change_hat" info="unconfined can not change_hat" error=-1 profile="unconfined" pid=415 comm="httpd-prefork"
    type=AVC msg=audit(1577710738.035:2547): apparmor="DENIED" operation="change_hat" info="unconfined can not change_hat" error=-1 profile="unconfined" pid=416 comm="httpd-prefork"
    type=AVC msg=audit(1577710738.035:2548): apparmor="DENIED" operation="change_hat" info="unconfined can not change_hat" error=-1 profile="unconfined" pid=419 comm="httpd-prefork"
    type=AVC msg=audit(1577710738.035:2549): apparmor="DENIED" operation="change_hat" info="unconfined can not change_hat" error=-1 profile="unconfined" pid=417 comm="httpd-prefork"
    type=AVC msg=audit(1577710738.035:2550): apparmor="DENIED" operation="change_hat" info="unconfined can not change_hat" error=-1 profile="unconfined" pid=418 comm="httpd-prefork"

As you can see, apparmor is stopped, yet it prints messages in audit log.
(this command done later)

terminal 1:
    Isengard:~ # systemctl status apparmor
    ● apparmor.service - Load AppArmor profiles
       Loaded: loaded (/usr/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
       Active: *inactive* (dead) since Mon 2019-12-30 13:58:17 CET; 16min ago
      Process: 326 ExecStop=/bin/true (code=exited, status=0/SUCCESS)
      Process: 24924 ExecStart=/lib/apparmor/apparmor.systemd reload (code=exited, status=0/SUCCESS)
     Main PID: 24924 (code=exited, status=0/SUCCESS)
          CPU: 4ms

(emphasis added by me)

and:

terminal 1:
    Isengard:~ # aa-status | less
    apparmor module is loaded.
    52 profiles are loaded.
    52 profiles are in enforce mode.
    ...
       apache2
    ...
    0 profiles are in complain mode.
    11 processes have profiles defined.
    11 processes are in enforce mode.
       /usr/sbin/dnsmasq (3423)
       /usr/sbin/nmbd (3418)
       /usr/sbin/nmbd (3506)
       /usr/sbin/smbd (3563)
       /usr/sbin/smbd (3699)
       /usr/sbin/smbd (3701)
       /usr/sbin/smbd (3746)
       /usr/sbin/avahi-daemon (1382) avahi-daemon
       /usr/sbin/nscd (1466) nscd
       /usr/sbin/ntpd (4175) ntpd
       /usr/sbin/ntpd (4181) ntpd
    0 processes are in complain mode.
    0 processes are unconfined but have a profile defined.

terminal 3:
    cer@Telcontar:~> w3m http://isengard.valinor
    (fails)

terminal 2:
    type=AVC msg=audit(1577710976.617:2551): apparmor="DENIED" operation="change_hat" info="unconfined can not change_hat" error=-1 profile="unconfined" pid=415 comm="httpd-prefork"
    type=AVC msg=audit(1577710976.617:2552): apparmor="DENIED" operation="change_hat" info="unconfined can not change_hat" error=-1 profile="unconfined" pid=415 comm="httpd-prefork"
    type=AVC msg=audit(1577710976.617:2553): apparmor="DENIED" operation="change_hat" info="unconfined can not change_hat" error=-1 profile="unconfined" pid=415 comm="httpd-prefork"

/var/log/apache2/error_log:
    [Mon Dec 30 13:58:57.925094 2019] [mpm_prefork:notice] [pid 14978] AH00170: caught SIGWINCH, shutting down gracefully
    [Mon Dec 30 13:58:58.039971 2019] [mpm_prefork:notice] [pid 410] AH00163: Apache/2.4.33 (Linux/SUSE) configured -- resuming normal operations
    [Mon Dec 30 13:58:58.040292 2019] [core:notice] [pid 410] AH00094: Command line: '/usr/sbin/httpd-prefork -D SYSCONFIG -C PidFile /var/run/httpd.pid -C Include /etc/apache2/sysconfig.d//loadmodule.conf -C Include /etc/apache2/sysconfig.d//global.conf -f /etc/apache2/httpd.conf -c Include /etc/apache2/sysconfig.d//include.conf -D SYSTEMD -D FOREGROUND'
    [Mon Dec 30 13:58:58.040685 2019] [apparmor:error] [pid 415] (1)Operation not permitted: Failed to change_hat to 'HANDLING_UNTRUSTED_INPUT'
    [Mon Dec 30 13:58:58.041056 2019] [apparmor:error] [pid 416] (1)Operation not permitted: Failed to change_hat to 'HANDLING_UNTRUSTED_INPUT'
    [Mon Dec 30 13:58:58.041251 2019] [apparmor:error] [pid 419] (1)Operation not permitted: Failed to change_hat to 'HANDLING_UNTRUSTED_INPUT'
    [Mon Dec 30 13:58:58.041838 2019] [apparmor:error] [pid 417] (1)Operation not permitted: Failed to change_hat to 'HANDLING_UNTRUSTED_INPUT'
    [Mon Dec 30 13:58:58.041885 2019] [apparmor:error] [pid 418] (1)Operation not permitted: Failed to change_hat to 'HANDLING_UNTRUSTED_INPUT'

/var/log/apache2/isengard.valinor-access_log:
    192.168.1.14 - - [30/Dec/2019:14:02:56 +0100] "GET / HTTP/1.0" 200 710 "-" "w3m/0.5.3+git20180125"

/var/log/apache2/isengard.valinor-error_log:
    [Mon Dec 30 14:02:56.618591 2019] [apparmor:warn] [pid 415] (1)Operation not permitted: [client 192.168.1.14:46472] aa_change_hatv call failed
    [Mon Dec 30 14:02:56.619391 2019] [apparmor:error] [pid 415] (1)Operation not permitted: [client 192.168.1.14:46472] Failed to change_hat to 'HANDLING_UNTRUSTED_INPUT'

However, all that is unrelated to apache not serving. If I try to open the page in localhost, it works:

terminal 5:
    cer@Isengard:~> w3m http://localhost
    Welcome to Isengard Letras: \ | @ # € [ficheros]
    (success)

terminal 2:
    type=AVC msg=audit(1577711903.555:2645): apparmor="DENIED" operation="change_hat" info="unconfined can not change_hat" error=-1 profile="unconfined" pid=416 comm="httpd-prefork"
    type=AVC msg=audit(1577711903.555:2646): apparmor="DENIED" operation="change_hat" info="unconfined can not change_hat" error=-1 profile="unconfined" pid=416 comm="httpd-prefork"
    type=AVC msg=audit(1577711903.555:2647): apparmor="DENIED" operation="change_hat" info="unconfined can not change_hat" error=-1 profile="unconfined" pid=416 comm="httpd-prefork"

You see? The same apparmor errors when apache serves.

/var/log/apache2/isengard.valinor-access_log:
    ::1 - - [30/Dec/2019:14:18:23 +0100] "GET / HTTP/1.0" 200 710 "-" "w3m/0.5.3+git20180125"

/var/log/apache2/isengard.valinor-error_log:
    [Mon Dec 30 14:18:23.561741 2019] [apparmor:warn] [pid 416] (1)Operation not permitted: [client ::1:38492] aa_change_hatv call failed
    [Mon Dec 30 14:18:23.562458 2019] [apparmor:error] [pid 416] (1)Operation not permitted: [client ::1:38492] Failed to change_hat to 'HANDLING_UNTRUSTED_INPUT'

So I think we should forget about apparmor, and try to find out why apache does not serve the page to the LAN when using vhosts. I can try to remove the mod_apparmor module to make sure.

[...]

Well, I uninstalled it and apache does not work; same symptoms.

/var/log/apache2/isengard.valinor-access_log:
    192.168.1.14 - - [30/Dec/2019:14:27:56 +0100] "GET / HTTP/1.0" 200 710 "-" "w3m/0.5.3+git20180125"

isengard.valinor-error_log: nothing.

/var/log/apache2/error_log: nothing.

Activating debug log. Still no error shown:

/var/log/apache2/isengard.valinor-access_log:
    192.168.1.14 - - [30/Dec/2019:14:32:19 +0100] "GET / HTTP/1.0" 200 710 "-" "w3m/0.5.3+git20180125"

/var/log/apache2/isengard.valinor-error_log:
    [Mon Dec 30 14:32:19.705043 2019] [authz_core:debug] [pid 2430] mod_authz_core.c(809): [client 192.168.1.14:47308] AH01626: authorization result of Require all granted: granted
    [Mon Dec 30 14:32:19.705254 2019] [authz_core:debug] [pid 2430] mod_authz_core.c(809): [client 192.168.1.14:47308] AH01626: authorization result of <RequireAny>: granted

Mail "Using apache with two virtual hosts - restarting" explains the current configuration of apache. The issue must be in /etc/apache2/vhosts.d/lan.conf:

<VirtualHost *:80>
    ServerAdmin webmaster@isengard.valinor
    ServerName isengard.valinor

    # DocumentRoot: The directory out of which you will serve your
    # documents. By default, all requests are taken from this directory, but
    # symbolic links and aliases may be used to point to other locations.
    DocumentRoot /srv/www.vh/htdocs/

    # if not specified, the global error log is used
    ErrorLog /var/log/apache2/isengard.valinor-error_log
    CustomLog /var/log/apache2/isengard.valinor-access_log combined

    # don't lose time with IP address lookups
    HostnameLookups Off

    # needed for named virtual hosts
    UseCanonicalName Off

    # configures the footer on server-generated documents
    ServerSignature On

    LogLevel debug

    # Optionally, include *.conf files from /etc/apache2/conf.d/
    #
    # For example, to allow execution of PHP scripts:
    #
    # Include /etc/apache2/conf.d/php5.conf
    #
    # or, to include all configuration snippets added by packages:
    Include /etc/apache2/conf.d/*.conf

    # ScriptAlias: This controls which directories contain server scripts.
    # ScriptAliases are essentially the same as Aliases, except that
    # documents in the realname directory are treated as applications and
    # run by the server when requested rather than as documents sent to the client.
    # The same rules about trailing "/" apply to ScriptAlias directives as to
    # Alias.
    #
    ScriptAlias /cgi-bin/ "/srv/www.vh/cgi-bin/"

    # "/srv/www.vh/cgi-bin" should be changed to whatever your ScriptAliased
    # CGI directory exists, if you have one, and where ScriptAlias points to.
    #
    <Directory "/srv/www.vh/cgi-bin/">
        AllowOverride None
        Options +ExecCGI -Includes
        <IfModule !mod_access_compat.c>
            Require all granted
        </IfModule>
        <IfModule mod_access_compat.c>
            Order allow,deny
            Allow from all
        </IfModule>
    </Directory>

    # UserDir: The name of the directory that is appended onto a user's home
    # directory if a ~user request is received.
    #
    # To disable it, simply remove userdir from the list of modules in APACHE_MODULES
    # in /etc/sysconfig/apache2.
    #
    <IfModule mod_userdir.c>
        # Note that the name of the user directory ("public_html") cannot simply be
        # changed here, since it is a compile time setting. The apache package
        # would have to be rebuilt.
        # You could work around by deleting
        # /usr/sbin/suexec, but then all scripts from the directories would be
        # executed with the UID of the webserver.
        UserDir public_html
        # The actual configuration of the directory is in
        # /etc/apache2/mod_userdir.conf.
        Include /etc/apache2/mod_userdir.conf
        # You can, however, change the ~ if you find it awkward, by mapping e.g.
        # http://www.example.com/users/karl-heinz/ --> /home/karl-heinz/public_html/
        #AliasMatch ^/users/([a-zA-Z0-9-_.]*)/?(.*) /home/$1/public_html/$2
    </IfModule>

    #
    # This should be changed to whatever you set DocumentRoot to.
    #
    <Directory "/srv/www.vh/htdocs/">
        #
        # Possible values for the Options directive are "None", "All",
        # or any combination of:
        # Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
        #
        # Note that "MultiViews" must be named *explicitly* --- "Options All"
        # doesn't give it to you.
        #
        # The Options directive is both complicated and important. Please see
        # http://httpd.apache.org/docs/2.4/mod/core.html#options
        # for more information.
        #
        Options Indexes FollowSymLinks

        #
        # AllowOverride controls what directives may be placed in .htaccess files.
        # It can be "All", "None", or any combination of the keywords:
        # Options FileInfo AuthConfig Limit
        #
        AllowOverride None

        #
        # Controls who can get stuff from this server.
        #
        <IfModule !mod_access_compat.c>
            Require all granted
        </IfModule>
        <IfModule mod_access_compat.c>
            Order allow,deny
            Allow from all
        </IfModule>
    </Directory>
</VirtualHost>

terminal 3:
    cer@Telcontar:~> telnet isengard.valinor 80
    Trying 192.168.1.16...
    Connected to isengard.valinor.
    Escape character is '^]'.
    GET /
    Connection closed by foreign host.
    cer@Telcontar:~>

--
Cheers, Carlos E. R. (from openSUSE 15.1 x86_64 at Telcontar)

Carlos E. R. wrote:
I don't know why mod_apparmor is installed. Either it was by default, or I thought it is a good idea months or years ago.
It is not installed by default - afaik, it needs to be configured to match your requirements.
As you can see, apparmor is stopped, yet it prints messages in audit log.
Fyi, apparmor is not stopped by 'systemctl stop apparmor' .... you need to run "aa-teardown" (or something like that, I don't remember the command).

--
Per Jessen, Zürich (1.2°C)
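
The audit records quoted in the exchange above can be grouped mechanically. This added example (not code from any poster in the thread) parses AppArmor AVC lines and reports which programs requested change_hat while running under the profile "unconfined", which is what the info field of those records states. The sample records are constructed in the thread's format; the /usr/sbin/example and SERVICE_STOP lines are invented to show filtering.

```python
import re
from collections import defaultdict

# Constructed sample, in the format of the audit.log records quoted in the thread.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1577710738.035:2546): apparmor="DENIED" operation="change_hat" info="unconfined can not change_hat" error=-1 profile="unconfined" pid=415 comm="httpd-prefork"
type=AVC msg=audit(1577710738.035:2547): apparmor="DENIED" operation="change_hat" info="unconfined can not change_hat" error=-1 profile="unconfined" pid=416 comm="httpd-prefork"
type=AVC msg=audit(1577710976.617:2551): apparmor="DENIED" operation="change_hat" info="unconfined can not change_hat" error=-1 profile="unconfined" pid=415 comm="httpd-prefork"
type=AVC msg=audit(1577711000.100:2560): apparmor="DENIED" operation="open" profile="/usr/sbin/example" name="/etc/example.conf" pid=900 comm="example" requested_mask="r" denied_mask="r"
type=SERVICE_STOP msg=audit(1577710737.900:2545): pid=1 uid=0 msg='unit=apparmor comm="systemd" res=success'
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line):
    """Return the fields of one AppArmor AVC record, or None for anything else."""
    m = HEADER.match(line.strip())
    if not m or m.group(1) != "AVC":
        return None
    # Each field is key="quoted value" or key=bare_value.
    rec = {k: (q if u == "" else u) for k, q, u in FIELD.findall(m.group(4))}
    if "apparmor" not in rec:
        return None
    rec["time"], rec["serial"] = float(m.group(2)), int(m.group(3))
    return rec


def change_hat_denials(text):
    """Group denied change_hat calls by (comm, profile the caller ran under)."""
    groups = defaultdict(lambda: {"count": 0, "pids": set(), "info": set()})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec["apparmor"] == "DENIED" and rec.get("operation") == "change_hat":
            g = groups[(rec.get("comm"), rec.get("profile"))]
            g["count"] += 1
            g["pids"].add(int(rec.get("pid", 0)))
            g["info"].add(rec.get("info", ""))
    return dict(groups)


def unconfined_callers(groups):
    """Programs that asked for a hat while no profile was attached to them."""
    return sorted({comm for (comm, profile) in groups if profile == "unconfined"})


if __name__ == "__main__":
    groups = change_hat_denials(SAMPLE_AUDIT)
    for (comm, profile), g in groups.items():
        print(f"{comm}: {g['count']} denied change_hat, profile={profile}, pids={sorted(g['pids'])}")
    print("unconfined callers:", unconfined_callers(groups))
```

A program listed by unconfined_callers is a web server worker that has mod_apparmor loaded but no AppArmor profile attached, so the hat switch cannot take effect.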
On Sunday, 2019-12-29 at 20:44 +0100, Carlos E. R. wrote:

I have copied /srv/www/ to /srv/www.vh/. Then reduced /srv/www/ to the minimal expression, with a plain "/srv/www/htdocs/index.html" that simply displays "It works!". This one, surprise, does work from the LAN.

/srv/www.vh/ contains the old index.html with links and such.

Now I will create a new vhost for the LAN view. I will call it /etc/apache2/vhosts.d/lan.conf

<VirtualHost *:80>
    DocumentRoot /srv/www.vh/htdocs/
    ...

On browsing to "localhost" I get the vhost view, not the default view. Good. Even the links work.

But, on browsing from the LAN I get the "Error reading from socket" message. Why?

At least, now I know that port 80 is serving the correct page (when it serves one) via vhost config, not default config (because default has a different page ("it works")).

--
Cheers, Carlos E. R. (from openSUSE 15.1 x86_64 at Telcontar)

On Sunday, 2019-12-29 at 14:13 +0100, Carlos E. R. wrote:

I found that the router was acting up as well. I had this for the ssh:

Server name   External port   Protocol   Internal port   Server IP Address
ssh           30000           tcp        22              192.168.1.16

and I found on the log that incoming was always from 192.168.1.1, the external address was not logged. So for the web server I added:

Server name   External port   Protocol   Internal port   Server IP Address
web           500000          tcp        500000          192.168.1.16

And then I opened in the server firewall port 50000 to the router address, 192.168.1.1. And it worked, when I did this:

    cer@Telcontar:~> links http://DYN.DNS:50000

the connection came from the router. Then I noticed entries in the firewall log:

    <0.4> 2019-12-29T22:31:58.114698+01:00 Isengard kernel - - - [1413795.209090] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=4c:cc:6a:61:50:a1:f8:8e:85:64:78:f2:08:00 SRC=176.*.*.* DST=192.168.1.16 LEN=60 TOS=0x00 PREC=0x00 TTL=46 ID=25397 DF PROTO=TCP SPT=30838 DPT=50000 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (0204055A0402080A05D6BC650000000001030309)

which were obviously outsiders. Maybe some of you guys testing? Or some unrelated people scanning and finding the port open?

I don't know why the router is working differently now.

Anyway, I had to open 50000 to the world. I may change to another port eventually ;-)

--
Cheers, Carlos E. R. (from openSUSE 15.1 x86_64 at Telcontar)

participants (3)
- Carlos E. R.
- David T-G
- Per Jessen