Cannot Renew Apache LetsEncrypt Cert

Ok so I forgot to renew my Let’s Encrypt Server Certificate, and well I just can’t start up Apache. Here is the present CentOS is giving me instead:

service httpd status
Redirecting to /bin/systemctl status httpd.service
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Sat 2019-03-23 18:55:50 PDT; 6s ago
     Docs: man:httpd(8)
           man:apachectl(8)
  Process: 3216 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=1/FAILURE)
  Process: 32430 ExecReload=/usr/sbin/httpd $OPTIONS -k graceful (code=exited, status=0/SUCCESS)
  Process: 3213 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
 Main PID: 3213 (code=exited, status=1/FAILURE)

Mar 23 18:55:50 localhost.localdomain systemd[1]: Starting The Apache HTTP Server...
Mar 23 18:55:50 localhost.localdomain httpd[3213]: AH00558: httpd: Could not reliably determine the server's fully qualified domain name...message
Mar 23 18:55:50 localhost.localdomain systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Mar 23 18:55:50 localhost.localdomain kill[3216]: kill: cannot find process ""
Mar 23 18:55:50 localhost.localdomain systemd[1]: httpd.service: control process exited, code=exited status=1
Mar 23 18:55:50 localhost.localdomain systemd[1]: Failed to start The Apache HTTP Server.
Mar 23 18:55:50 localhost.localdomain systemd[1]: Unit httpd.service entered failed state.
Mar 23 18:55:50 localhost.localdomain systemd[1]: httpd.service failed.
Hint: Some lines were ellipsized, use -l to show in full.

So for the life of me I don’t know what is going wrong. I can’t get this to start… and therefore I also cannot renew my certificate. Have I been Hakerd?

Suddenly I think I am in Logan’s Run and everyone else is winning but me……………

I know it’s 2019 and I have my options, but I’m still using Apache cause my distro had it, and it’s worked like this forever you see.

I get lazy I admit it. Sometimes my life is busy, sometimes the client wants so much I’m tired, and I forget to go to meetups, free workshops, or even to wash the dog.

Zimbra behind an Apache Reverse Proxy

I mention my network architecture.

My service provider has not made zone delegations to manage my DNS, and currently I only have one PTR record pointing to one of my servers which has a real IP on the Internet. The PTR registry is www and is accessible from the internet as

The IP that I have assigned to that registry is 200.x.x.x. where I have hosted an Apache Web server.

Within my LAN I have a Zimbra mail server, and I would like to be able to publish it in order to use the webmail from the outside. Example:

How can I configure the Apache web server to do reverse proxy?

Distributing 3-BSD code under the Apache license v2 only

Alice and Bob write a piece of source code (call it Source1) and publish it under the 3-BSD license. Later, Bob and Charlie are working on a software project, licensed under AL2 (Apache License v2). Bob wants to add Source1 to the new project’s source (with/without modifications).

So far, this is possible and easy – Source1 can be introduced and distributed under 3-BSD while the project as a whole and the non-Source1 part of the code in particular are distributed under AL2; no problem.

However, for various reasons which we shall not go into, all code in the new project must be distributed under AL2. Every file, every function, everything.

What can Bob do so as to be able to meet this condition (other than not use Source1)?

Bonus question: Same scenario, except Source1 has not actually been published; it has just been decided and set in writing that it may be published under the terms of the 3-BSD license. Does this change things?

Apache: handle compression for large static XML files

My site (hosted by Apache 2.4 on Ubuntu 14.04) must provide some large XML files (more than 200Mb). I chose to compress them to speed up the download process (.tar.gz) but recently my users need the flat version (no compression). Would it be safe to enable gzip compression for XML files and leave them uncompressed? I mean, for small XML files, Apache effort should be insignificant but with large files?

Apache HTTP access log shows own IP instead of client IP [on hold]

I’m using CPanel and WHM to manage a few sites.

The Apache access logs are located in:


Inside that directory I got two files, ie:

I use these logs to check for brute force attacks on wp-login.php using fail2ban.

When I check the file, from requests originated from HTTPS it has:

CLIENT_IP - - [19/Mar/2019:17:14:15 +0000] "GET /wp-login.php HTTP/1.1" 500 251 "-" "python-requests/2.18.4" 

But when I check the HTTP Access log file instead of the CLIENT_IP it contains my own public ip on it:

MY_PUBLIC_IP - - [19/Mar/2019:17:27:14 +0000] "POST /wp-login.php HTTP/1.1" 500 251 "-" "python-requests/2.18.4" 

I’ve checked “Global Configurations” in WHM >> Home >> Service Configuration >> Apache Configuration.

Both LogFormat combined and common are with default values:

Combined: '%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"'
Common: '%h %l %u %t \"%r\" %>s %b'

How to show the Client IP in the access log (non SSL requests)?
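The situation described in this question can be checked mechanically before a ban rule is pointed at a log. The following is an added example, not part of the original post: it counts wp-login.php requests per logged source (`%h`) and separates sources that are safe to ban from addresses that belong to the server itself. The addresses, the threshold and the assumption that a server-owned `%h` value indicates a proxy hop in front of Apache are all constructed for illustration.

```python
import re
from collections import Counter

# Prefix shared by the 'common' and 'combined' LogFormat strings quoted above.
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def login_attempts(lines, path="/wp-login.php"):
    """Count requests for the login page per logged source address (%h)."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        # Ignore the query string so /wp-login.php?action=... still counts.
        if m and m.group("path").split("?", 1)[0] == path:
            counts[m.group("host")] += 1
    return counts

def audit(lines, own_addresses, threshold=3):
    """Return (bannable, masked) lists of (host, hits) at or over the threshold.

    'masked' holds the server's own addresses: assumed here to mean %h is
    recording a proxy hop, so a ban keyed on it would block the proxy
    rather than the real client.
    """
    bannable, masked = [], []
    for host, hits in login_attempts(lines).most_common():
        if hits < threshold:
            continue
        (masked if host in own_addresses else bannable).append((host, hits))
    return bannable, masked

def sample(host, method, path, n):
    """Build n constructed log lines in the combined format."""
    return [
        f'{host} - - [19/Mar/2019:17:27:{10 + i} +0000] "{method} {path} HTTP/1.1" '
        f'500 251 "-" "python-requests/2.18.4"'
        for i in range(n)
    ]

# Constructed sample data using documentation-range addresses, not real traffic.
OWN = {"203.0.113.10"}  # stands in for MY_PUBLIC_IP
SSL_LOG = sample("198.51.100.7", "GET", "/wp-login.php", 4) + \
          sample("198.51.100.9", "GET", "/index.php", 1)
HTTP_LOG = sample("203.0.113.10", "POST", "/wp-login.php", 4)

if __name__ == "__main__":
    print("ssl :", audit(SSL_LOG, OWN))
    print("http:", audit(HTTP_LOG, OWN))
```
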

Implement versioning of a RESTful API with PHP/Slim and Apache

I want to create a RESTful API with Apache/PHP and the Slim Framework (3.x). The API should support URI-based versioning like <host>/rest/api/v1/<resource> and <host>/rest/api/latest/<resource>.

Overall I found a solution which works, but I’m not really happy with my solution and I want to know what I can make better. I’m a rookie/newbie about Slim. I’m looking for new ideas and how I can improve my knowledge about Slim.

Every new version should be a new project, with its own independent code base. The version dispatching should be done by the Apache server and not in the PHP/Slim code. I found some examples which implement different versions of the API in one project by using the group-method. But I’m not very happy with this solution. I feel better having independent projects for independent versions.

  • General improvements or comments?
  • Do you have a better/simpler solution?
  • Do you see problems in my solution?
  • Improvements for .htaccess / rewrite rules
  • Links to real implementations of a RESTful API with Slim
  • ….

I’m looking forward to your answers and I’ll be curious to see what’s new.

The implementations of all versions of the API are in the Apache htdoc folder with the following structure:

rest
 +--api
     +-v1
        +-.htaccess
        +-index.php
     +-v2
        +-.htaccess
        +-index.php
     +-.htaccess
     +-index.html

The implementation of the API is in the file index.php. To map calls like /rest/api/v1/books to my implementation, I create in every version folder a .htaccess file which includes rules for the Apache rewrite module:

RewriteEngine On
RewriteRule ^ index.php [QSA,L]

In index.php I create some routes

$app->get('/books', function ...
$app->get('/books/{id}', function ...

Everything works fine if I use an explicit version in the URI (<host>/rest/api/v2/books). For convenience I create an alias latest (/rest/api/latest/books), which redirects the alias call to the latest version of the API.

Therefore I create the file rest/api/.htaccess which rewrites the URI to an implementation:

RewriteEngine On
RewriteRule ^latest.*$ ./v2/index.php [QSA,L]

The rewrite rule works fine and the v2 implementation is called. But the routes don’t match anymore. I found out that the original path is now part of the path.

/rest/api/v2/books -> /books
/rest/api/latest/books -> /rest/api/latest/books

If I modify the rules like this, it works – but I don’t like to implement every rule twice.

$app->get('/rest/api/latest/books', function ...
$app->get('/rest/api/latest/books/{id}', function ...

Therefore I wrote a middleware function which trims /rest/api/latest from the path before the routes are matched.

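// PSR-7 interfaces behind the Request/Response type hints (Slim 3)
use Psr\Http\Message\ServerRequestInterface as Request;
use Psr\Http\Message\ResponseInterface as Response;

$app->add(function (Request $request, Response $response, callable $next) {
    $uri = $request->getUri();
    $path = $uri->getPath();
    // "/rest/api/latest" is 16 characters long; strip it so the routes match
    if (substr($path, 0, 16) == "/rest/api/latest") {
        $uri = $uri->withPath(substr($path, 16));
        return $next($request->withUri($uri), $response);
    }
    return $next($request, $response);
});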

Now I can use the same rules for both cases, explicit version call and implicit version call.

Ubuntu 14.04 Apache Backports for CVE-2018-17199 & CVE-2016-4975

A Trustwave scan of our client’s server shows a Fail on 2 Apache vulnerabilities: CVE-2016-4975 and CVE-2018-17199.

Generally, all the vulnerabilities they point out are remediated by keeping up with the standard Trusty Ubuntu repositories and backport patches. But these two show that they have not been patched yet, and I am unsure if they will be.

Can someone explain if this is actually a concern, how I can remediate it, or if it requires going outside of the normal Ubuntu repository and upgrading Apache?


What does Apache return when a GET comes in for a file that’s in the process of being replaced?

I can’t find the answer on Google and this seems pretty difficult to test with certainty. So, I am really hoping that someone out there just knows what actually happens.

What happens if a GET comes in for a file at the exact moment the file is being replaced? (EDIT: The file is being replaced by ant’s <copy> task.)

Is this transparently handled by some filesystem locking, and Apache simply waits for replacement to complete before returning the replacement file? Does it return the pre-replacement file? Or does it return the file in its intermediary state?

This particular instance is Apache/2.4.7 on Ubuntu-14.04.

mod_deflate and other mods aren’t working on apache + centos

I don’t have much experience in server administration. Following tutorials and blogs out there I’m trying to add some lines in my .htaccess file on the site to enable GZIP compression and Leverage browser cache.

The lines are

<IfModule mod_deflate.c>
  # Compress HTML, CSS, JavaScript, Text, XML and fonts
  AddOutputFilterByType DEFLATE application/javascript
  AddOutputFilterByType DEFLATE application/rss+xml
  AddOutputFilterByType DEFLATE application/
  AddOutputFilterByType DEFLATE application/x-font
  AddOutputFilterByType DEFLATE application/x-font-opentype
  AddOutputFilterByType DEFLATE application/x-font-otf
  AddOutputFilterByType DEFLATE application/x-font-truetype
  AddOutputFilterByType DEFLATE application/x-font-ttf
  AddOutputFilterByType DEFLATE application/x-javascript
  AddOutputFilterByType DEFLATE application/xhtml+xml
  AddOutputFilterByType DEFLATE application/xml
  AddOutputFilterByType DEFLATE font/opentype
  AddOutputFilterByType DEFLATE font/otf
  AddOutputFilterByType DEFLATE font/ttf
  AddOutputFilterByType DEFLATE image/svg+xml
  AddOutputFilterByType DEFLATE image/x-icon
  AddOutputFilterByType DEFLATE text/css
  AddOutputFilterByType DEFLATE text/html
  AddOutputFilterByType DEFLATE text/javascript
  AddOutputFilterByType DEFLATE text/plain
  AddOutputFilterByType DEFLATE text/xml

  # Remove browser bugs (only needed for really old browsers)
  BrowserMatch ^Mozilla/4 gzip-only-text/html
  BrowserMatch ^Mozilla/4\.0[678] no-gzip
  BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
  Header append Vary User-Agent
</IfModule>
<IfModule mod_gzip.c>
  mod_gzip_on Yes
  mod_gzip_dechunk Yes
  mod_gzip_item_include file .(html?|txt|css|js|php|pl)$
  mod_gzip_item_include handler ^cgi-script$
  mod_gzip_item_include mime ^text/.*
  mod_gzip_item_include mime ^application/x-javascript.*
  mod_gzip_item_exclude mime ^image/.*
  mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*
</IfModule>

# Leverage Browser Caching
<IfModule mod_expires.c>
  ExpiresActive On
  ExpiresByType image/jpg "access 1 year"
  ExpiresByType image/jpeg "access 1 year"
  ExpiresByType image/gif "access 1 year"
  ExpiresByType image/png "access 1 year"
  ExpiresByType text/css "access 1 month"
  ExpiresByType text/html "access 1 month"
  ExpiresByType application/pdf "access 1 month"
  ExpiresByType text/x-javascript "access 1 month"
  ExpiresByType application/x-shockwave-flash "access 1 month"
  ExpiresByType image/x-icon "access 1 year"
  ExpiresDefault "access 1 month"
</IfModule>
<IfModule mod_headers.c>
  <filesmatch "\.(ico|flv|jpg|jpeg|png|gif|css|swf)$">
  Header set Cache-Control "max-age=2678400, public"
  </filesmatch>
  <filesmatch "\.(html|htm)$">
  Header set Cache-Control "max-age=7200, private, must-revalidate"
  </filesmatch>
  <filesmatch "\.(pdf)$">
  Header set Cache-Control "max-age=86400, public"
  </filesmatch>
  <filesmatch "\.(js)$">
  Header set Cache-Control "max-age=2678400, private"
  </filesmatch>
</IfModule>

# LBROWSERCSTART Browser Caching
<IfModule mod_expires.c>
ExpiresActive On
ExpiresByType image/gif "access 1 year"
ExpiresByType image/jpg "access 1 year"
ExpiresByType image/jpeg "access 1 year"
ExpiresByType image/png "access 1 year"
ExpiresByType image/x-icon "access 1 year"
ExpiresByType text/css "access 1 month"
ExpiresByType text/javascript "access 1 month"
ExpiresByType text/html "access 1 month"
ExpiresByType application/javascript "access 1 month"
ExpiresByType application/x-javascript "access 1 month"
ExpiresByType application/xhtml-xml "access 1 month"
ExpiresByType application/pdf "access 1 month"
ExpiresByType application/x-shockwave-flash "access 1 month"
ExpiresDefault "access 1 month"
</IfModule>
# END Caching LBROWSERCEND

This should work and the content should be compressed, etc., but it is not. I keep getting warnings about it.

When I run the following command to check if mod_deflate is installed, the result is that it is installed.

# apachectl -t -D DUMP_MODULES | grep deflate
  deflate_module (shared)

I can see also the in /etc/httpd/modules/

If it matters, here is the version of Apache:

# httpd -v
Server version: Apache/2.4.6 (CentOS)

Anyone willing to point out why it doesn’t work and how I can get it to work?

Apache slave server

The question is quite simple, so please forgive my ignorance. I am setting up a website with Apache and it will receive thousands of visits. My question is: what should I do when Apache’s access limit is exhausted? Is there some way to run simultaneous servers?