From dan.taylor at seegreen.uk Tue Aug 1 00:10:18 2017
From: dan.taylor at seegreen.uk (Dan Taylor)
Date: Mon, 31 Jul 2017 23:10:18 +0100
Subject: [mpm-itk] MPM-ITK / CentOS7 / Apache 2.4.25

Hello,

We've been using MPM-ITK for a while now but only just came to use a site on SSL and are having some problems. We're using the Fedora build for CentOS7:
https://centos.pkgs.org/7/epel-x86_64/httpd-itk-2.4.7.04-1.el7.x86_64.rpm.html

If we disable MPM-ITK SSL works fine, with it enabled all SSL sites hang, then we get an error in log:

    [Mon Jul 31 22:19:22.321438 2017] [unixd:alert] [pid 22302] (1) Operation not permitted: AH02156: setgid: unable to set group id to Group 0

This looks like when we use SSL it maybe tries to run as root, instead of the assigned userid

The VHost looks like this:

    ServerAdmin testsite at example.com
    ServerName testsite.example.com
    DocumentRoot /home/testsite/public/
    ErrorLog /home/testsite/logs/error.log
    CustomLog /home/testsite/logs/access.log combined
    AssignUserID testsite testsite

    ServerAdmin testsite at example.com
    ServerName testsite.example.com
    DocumentRoot /home/testsite/public/
    ErrorLog /home/testsite/logs/error.log
    CustomLog /home/testsite/logs/access.log combined
    AssignUserID testsite testsite
    SSLEngine On
    SSLCertificateFile /etc/pki/tls/certs/example-com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/example-com.key
    SSLCertificateChainFile /etc/pki/tls/certs/rapidsslchain.crt

Any help or guidance would be awesome!

Dan

From pavel.polacek at ujep.cz Tue Aug 1 08:17:01 2017
From: pavel.polacek at ujep.cz (Pavel Polacek)
Date: Tue, 1 Aug 2017 08:17:01 +0200 (CEST)
Subject: [mpm-itk] MPM-ITK / CentOS7 / Apache 2.4.25

Hello,

it could be the security context of the certificate file. If you upload the certificate through the home dir, then the file inherits the security context and apache can't touch these files.

Polish

From dan.taylor at seegreen.uk Tue Aug 1 10:44:22 2017
From: dan.taylor at seegreen.uk (Dan Taylor)
Date: Tue, 1 Aug 2017 09:44:22 +0100
Subject: [mpm-itk] MPM-ITK / CentOS7 / Apache 2.4.25

Thanks for the suggestion, we tried disabling SELinux and setting file permissions on the certificate files to 777 - just for the purpose of testing, but that made no difference.

We tried not setting the AssignUserID in the vhost, but that made no difference either, but when we stop loading the mpm-itk module it immediately starts working.

From alex.hha at gmail.com Thu Aug 3 16:38:22 2017
From: alex.hha at gmail.com (Alex Domoradov)
Date: Thu, 3 Aug 2017 17:38:22 +0300
Subject: [mpm-itk] MPM-ITK / CentOS7 / Apache 2.4.25

I have tested your example and it works fine, at least inside docker container

    # uname -a
    Linux 9d0e647aa13b 4.4.0-83-generic #106-Ubuntu SMP Mon Jun 26 17:54:43 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

    # cat /etc/redhat-release
    CentOS Linux release 7.3.1611 (Core)

    # httpd -v
    Server version: Apache/2.4.6 (CentOS)
    Server built: Apr 12 2017 21:03:28

I have created a simple php script

    # cat uid.php
    <?php
    echo exec('id');

And then test with curl

    # curl -i https://ssltest.example.com/uid.php
    HTTP/1.1 200 OK
    Date: Thu, 03 Aug 2017 14:31:09 GMT
    Server: Apache/2.4.6 (CentOS) mpm-itk/2.4.7-04 OpenSSL/1.0.1e-fips PHP/5.4.16
    X-Powered-By: PHP/5.4.16
    Content-Length: 56
    Content-Type: text/html; charset=UTF-8

    uid=1000(ssltest) gid=1000(ssltest) groups=1000(ssltest)

From jean at phpnet.org Thu Aug 3 16:50:11 2017
From: jean at phpnet.org (Jean Weisbuch)
Date: Thu, 3 Aug 2017 16:50:11 +0200
Subject: [mpm-itk] MPM-ITK / CentOS7 / Apache 2.4.25
Message-ID: <7b8b6ddc-8498-b792-7ab6-8505a5ec8ca7@phpnet.org>

I had such an error while running ITK on a VServer container running without the "SETUID" and "SETGID" BCapabilities.

From dan.taylor at seegreen.uk Fri Aug 4 12:33:17 2017
From: dan.taylor at seegreen.uk (Dan Taylor)
Date: Fri, 4 Aug 2017 11:33:17 +0100
Subject: [mpm-itk] MPM-ITK / CentOS7 / Apache 2.4.25

Thanks for trying, I'm not sure how you managed to get that setup working (we couldn't), according to the MPM-ITK documentation 2.4.7-04 doesn't work with versions of apache before 2.4.7

We're running Apache 2.4.25, and PHP 5.6.28 - so maybe it's something in the different versions that's stopping it from working.

Thanks

From dan.taylor at seegreen.uk Tue Aug 15 23:16:18 2017
From: dan.taylor at seegreen.uk (Dan Taylor)
Date: Tue, 15 Aug 2017 22:16:18 +0100
Subject: [mpm-itk] MPM-ITK / CentOS7 / Apache 2.4.25

I finally figured this out. The HTTP2 module which is enabled by default in Apache 2.4.27 stops MPM-ITK dealing with SSL requests properly. Disabling that module gets SSL working with MPM-ITK on that version of Apache.

It would be nice if they played better together though :)

Thanks

Dan
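
Added example, not part of any message in this thread: a triage sketch for the AH02156 setgid failure that checks the two causes raised above, a capability set missing SETUID/SETGID (Jean Weisbuch's message) and the HTTP2 module loaded alongside mpm-itk (Dan Taylor's last message). It assumes the Linux /proc/<pid>/status "CapBnd" line as the place to read the capability bounding set and the stock LoadModule names mpm_itk_module and http2_module; the sample status and config files are constructed.

```shell
#!/bin/sh
# Added triage example; sample inputs below are constructed, not from the thread.

CAP_SETGID=6   # bit numbers as defined in linux/capability.h
CAP_SETUID=7

# cap_present HEXMASK BIT -> exit 0 if BIT is set in the hex capability mask
cap_present() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# missing_itk_caps STATUS_FILE -> print which of SETUID/SETGID the
# bounding set (CapBnd) lacks; prints an empty line when both are present
missing_itk_caps() {
    mask=$(awk '/^CapBnd:/ {print $2}' "$1")
    [ -n "$mask" ] || { echo "no-CapBnd"; return 0; }
    out=""
    cap_present "$mask" "$CAP_SETUID" || out="$out SETUID"
    cap_present "$mask" "$CAP_SETGID" || out="$out SETGID"
    echo "${out# }"
}

# module_loaded NAME FILE... -> exit 0 if an uncommented LoadModule line names it
module_loaded() {
    name=$1; shift
    grep -Eqs "^[[:space:]]*LoadModule[[:space:]]+${name}[[:space:]]" "$@"
}

# itk_http2_conflict FILE... -> exit 0 when mpm-itk and http2 are both active
itk_http2_conflict() {
    module_loaded mpm_itk_module "$@" && module_loaded http2_module "$@"
}

# --- constructed sample inputs ---
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'Name:\thttpd\nCapBnd:\t0000003fffffffff\n' > "$tmp/status.full"
printf 'Name:\thttpd\nCapBnd:\t0000003fffffff3f\n' > "$tmp/status.nosetid"
cat > "$tmp/modules.conf" <<'EOF'
LoadModule mpm_itk_module modules/mod_mpm_itk.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule http2_module modules/mod_http2.so
EOF
# "Fixed" variant: the http2 LoadModule line is commented out
sed 's/^LoadModule http2_module/#&/' "$tmp/modules.conf" > "$tmp/modules.fixed.conf"

for f in "$tmp/status.full" "$tmp/status.nosetid"; do
    echo "$(basename "$f"): missing caps: [$(missing_itk_caps "$f")]"
done
for f in "$tmp/modules.conf" "$tmp/modules.fixed.conf"; do
    if itk_http2_conflict "$f"; then
        echo "$(basename "$f"): mpm-itk and http2 are both loaded"
    else
        echo "$(basename "$f"): no mpm-itk/http2 overlap"
    fi
done
```

On a live host, point missing_itk_caps at the status file of the httpd parent process and itk_http2_conflict at the files that carry the LoadModule lines.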