quintin
Joined: 01 Apr 2009 Posts: 7
|
Posted: Wed 01 Apr '09 14:15 Post subject: Upgrading Apache 2.0 to Apache 2.2 - Invalid URI |
|
|
Hi,
We have the following environment:
Windows 2003 32bit Std
PHP 5.2.4
Apache 2.0.63
We have several scripts running on PHP and we would like to upgrade to Apache 2.2.11 as we believe it will give us better performance.
When upgrading to Apache 2.2.11 from 2.0.63 I am seeing the following events being logged in the Apache error log file - Invalid URI method and the strange thing is that when information is passed via POST to a PHP script all the information is displayed rather than POST /connect/abx.php such as the following entry:
[Mon Mar 23 12:03:33 2009] [error] [client 172.16.130.6] Invalid URI in request license=bcdefg&email=taylorabc@abcz.comPOST /connect/abx.php HTTP/1.1
This issue is happening intermittently and is also being logged in the access log file.
The same modules that were enabled in Apache 2.0 are enabled in 2.2.
The issue does not manifest itself in Apache 2.0 and I did run Wireshark to capture the traffic and did not see anything wrong. The modules that I am running in Apache 2.2 are:
LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
LoadModule asis_module modules/mod_asis.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authz_default_module modules/mod_authz_default.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule dir_module modules/mod_dir.so
LoadModule include_module modules/mod_include.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule mime_module modules/mod_mime.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule setenvif_module modules/mod_setenvif.so
Any ideas? |
|
James Blond Moderator

Joined: 19 Jan 2006 Posts: 7407 Location: EU, Germany, Next to Hamburg
|
Posted: Tue 07 Apr '09 9:40 Post subject: |
|
|
Do you use .htaccess or a rewrite rule?
Do you also put GET parameters to the POST action? |
|
quintin
Joined: 01 Apr 2009 Posts: 7
|
Posted: Tue 07 Apr '09 9:59 Post subject: |
|
|
Hi James,
Yes we make use of .htaccess but we do not make use of rewrite rules.
No, we do not place GET params to the POST action, although using Wireshark to sniff the packets I was seeing GET and POST params from different clients within the same frame. According to my knowledge this is occurring because of the MTU size, but these packets are being processed ok by both Apache 2.0 and Apache 2.2, as when I check the logs I can see them being processed ok.
The problem is happening intermittently but very frequently, therefore at the moment I am stuck and cannot use Apache 2.2 because of this issue.
Thanks. |
|
James Blond Moderator

Joined: 19 Jan 2006 Posts: 7407 Location: EU, Germany, Next to Hamburg
|
Posted: Tue 07 Apr '09 10:05 Post subject: |
|
|
For testing you should disable using .htaccess if you can on a dev server.
Does that maybe depend on some specific URLs or is it elsewhere? |
|
quintin
Joined: 01 Apr 2009 Posts: 7
|
Posted: Tue 07 Apr '09 10:15 Post subject: |
|
|
The post requests are sending authentication params. Can I disable .htaccess when clients are trying to authenticate?
Thanks. |
|
James Blond Moderator

Joined: 19 Jan 2006 Posts: 7407 Location: EU, Germany, Next to Hamburg
|
Posted: Tue 07 Apr '09 10:24 Post subject: |
|
|
You use the .htaccess only for auth? Yes, you can disable it. The client can handle that.
Is there anything else in the .htaccess than auth?
Which auth do you use? |
|
quintin
Joined: 01 Apr 2009 Posts: 7
|
Posted: Tue 07 Apr '09 13:28 Post subject: |
|
|
We use basic auth. I have disabled .htaccess config from the VD's and during the 15 min test I have not experienced the issue, whereas before I can see it immediately. Requests were being served correctly.
Does this mean that the problem is related with the authentication module in Apache or .htaccess file? I cannot leave the area without authentication.
How can it be fixed?
Thanks! |
|
James Blond Moderator

Joined: 19 Jan 2006 Posts: 7407 Location: EU, Germany, Next to Hamburg
|
Posted: Tue 07 Apr '09 14:02 Post subject: |
|
|
Maybe the .htaccess or the password file does not have a 2.2 compatible syntax.
With which encryption did you make the password file? |
|
quintin
Joined: 01 Apr 2009 Posts: 7
|
Posted: Wed 08 Apr '09 17:59 Post subject: |
|
|
I have recreated the htaccess file and it did not work. I have also recreated it using MD5 encryption, as before I was not specifying encryption to it (using the default encryption on Windows). I am using group authentication as I have two users accessing the same directory and this is specified as
AuthType Basic
AuthName "GroupName"
AuthUserFile "D:/apache/htaccess"
AuthGroupFile "D:/apache/group.txt"
Require group GroupName
AllowOverride None
options Indexes
Order allow,deny
I have tried to change the AllowOverride from None to AuthConfig, but without success.
When I disable authentication by disabling require group GroupName everything works fine, so definitely something within the authentication module is not right.
Thanks. |
|
James Blond Moderator

Joined: 19 Jan 2006 Posts: 7407 Location: EU, Germany, Next to Hamburg
|
Posted: Wed 08 Apr '09 18:26 Post subject: |
|
|
I've never worked with groups, but this is how I create my passwords.
Under Windows you can use only md5 or plain text. I use mostly md5.
.htaccess
Code: |
AuthName Intern
AuthType Basic
AuthUserFile C:/apache/.passwd
require valid-user
|
The names in the .passwd I create with htpasswd.exe in the apache\bin folder
Code: |
htpasswd -nbm myName myPassword >> C:\apache\.passwd
|
.passwd
Code: |
myName:$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/
|
MD5 passwords: "$apr1$" + the result of an Apache-specific algorithm using an iterated (1,000 times) MD5 digest of various combinations of a random 32-bit salt and the password.
Maybe you can try that out. Hope it helps.
.......................
edit:
Note: C:\apache is not the document root
Do not place the .passwd file inside the document root, or protect it like the .htaccess file
In httpd.conf find
<FilesMatch "^\.ht">
Order allow,deny
Deny from all
Satisfy All
</FilesMatch>
and change it to
<FilesMatch "^\.(ht|pass)">
Order allow,deny
Deny from all
Satisfy All
</FilesMatch>
Thanks Gregg for the hint |
|
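The `$apr1$` format described in the post above, as an added example that is not part of the original post and not Apache's own code: a Python re-implementation of the salted, 1,000-round MD5 scheme that re-derives the `.passwd` entry shown from `myPassword` and flags entries stored in any other format, such as the plain-text passwords tried later in the thread. The function names are hypothetical.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(value, length):
    # APR's own 6-bit alphabet, least significant bits first (not base64).
    out = ""
    for _ in range(length):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out

def apr1_hash(password, salt):
    """Return '$apr1$<salt>$<digest>' for a password and salt (max 8 chars)."""
    pw, sp = password.encode(), salt[:8].encode()
    ctx = hashlib.md5(pw + b"$apr1$" + sp)
    alt = hashlib.md5(pw + sp + pw).digest()
    remaining = len(pw)
    while remaining > 0:                      # mix in alt, one byte per pw byte
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    n = len(pw)
    while n:                                  # one byte per bit of len(pw)
        ctx.update(b"\x00" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):                     # the 1,000 MD5 iterations
        rnd = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            rnd.update(sp)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    order = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    digest = "".join(_to64(final[a] << 16 | final[b] << 8 | final[c], 4)
                     for a, b, c in order)
    return "$apr1$" + salt[:8] + "$" + digest + _to64(final[11], 2)

def check_htpasswd_line(line, password):
    """Return (user, scheme, verified) for one 'user:hash' password-file line."""
    user, _, stored = line.strip().partition(":")
    if not stored.startswith("$apr1$"):
        return user, "not-apr1", False        # plain text, crypt or {SHA}: flag it
    salt = stored.split("$")[2]
    ok = hmac.compare_digest(apr1_hash(password, salt).encode(), stored.encode())
    return user, "apr1", ok

# Entry and password as they appear in the post above.
PAGE_ENTRY = "myName:$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/"
```

Running `check_htpasswd_line` over each line of a password file shows which accounts are not stored as `$apr1$` hashes before the file is put behind `AuthUserFile`.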
quintin
Joined: 01 Apr 2009 Posts: 7
|
Posted: Mon 13 Apr '09 12:19 Post subject: |
|
|
This is the way how I am actually creating the htaccess file. I have also created the passwords in plaintext rather than MD5 but the problem still persists.
Changed the 'require group' to 'require valid-user' but still no effect. Disabling the require field i.e. authentication will then work fine, but cannot leave the directory unauthenticated.
Any further recommendations pls?
Thanks. |
|
James Blond Moderator

Joined: 19 Jan 2006 Posts: 7407 Location: EU, Germany, Next to Hamburg
|
Posted: Mon 13 Apr '09 13:48 Post subject: |
|
|
*argh!*
I didn't see an important thing!
That is in your .htaccess file? If yes I think that causes the problem.
Or am I wrong and that is in the httpd.conf ? |
|
quintin
Joined: 01 Apr 2009 Posts: 7
|
Posted: Mon 13 Apr '09 14:42 Post subject: |
|
|
AllowOverride None is specified in the directory in httpd.conf as follows:
AuthType Basic
AuthName "GroupName"
AuthUserFile "D:/apache/htaccess"
AuthGroupFile "D:/apache/group.txt"
Require group GroupName
AllowOverride None
options Indexes
Order allow,deny
I have tried AllowOverride AuthConfig but this did not change the scenario.
Could this problem be related with an Apache specific module?
Thanks. |
|