httpd-users mailing list archives

From Christian Völker <C.Voel...@gmx.net>
Subject [users@httpd] Execution of CGIs through https: causes segmentation faults
Date Sat, 24 Jan 2004 13:15:18 GMT
Hello,

I have problems running CGIs through https:.
The CGIs work fine as long as I use http. They
always give segmentation faults in the error_log
as soon as I try to call them through https from
a local or remote browser, Mozilla or IE.

I can reproduce the problem with the test-cgi
provided with Apache. Static pages get delivered
properly by https:, including framesets.


QUESTION
Any hint what I might try next or what might be
the reason behind this behaviour is appreciated.


GOAL
Actually I want to run the Nagios monitoring
software which includes a web interface based on
CGIs which are displayed in a frameset. As the
information displayed might be security sensitive
I want to secure the site by basic authentication.
To prevent clear text passwords from being sent, I want
the whole thing to run under SSL. This is also suggested
by the author of Nagios.


SETUP
I run MacOS X 10.2.8 (Jaguar) with current updates
on an older G3 300MHz Minitower with 256MB RAM and
a disk of 40Gig. The machine is approved for usage
with this software by Apple (though it has an
unusually poor uptime of about three days on average;
it is not a memory issue, but I could not figure out
what it is so far).

Apache as provided by Apple already includes mod_ssl,
so I did not bother to compile it myself. OpenSSL is
available already as well. This is part of the output
of test-cgi:

SERVER_SOFTWARE = Apache/1.3.27 (Darwin) mod_ssl/2.8.13 OpenSSL/0.9.6i
GATEWAY_INTERFACE = CGI/1.1
SERVER_PROTOCOL = HTTP/1.1
SERVER_PORT = 80
REQUEST_METHOD = GET

I have also appended an extract of my httpd.conf at
the end. It contains everything that I changed and
that I feel to be meaningful regarding my issue.


KNOWLEDGE
I use mod_ssl for the first time. I have used basic
authentication in test environments before. I am new
to Nagios but spent about two weeks with it already.
I am not a CGI-Programmer or a programmer of any kind
(I can read code in several languages). I have a
working knowledge of the shell, file permissions, reloading
the .conf file after editing, reading Apache logs, etc.


WHAT I TRIED SO FAR
I couldn't get the whole stuff running as it should,
so I stripped it down to the basics. The problem is
independent of Nagios, it occurs also with the
test-cgi provided with Apache. The problem also
occurs without usage of authentication. It does not
occur with static pages.

I found some similar problem descriptions in the list
archives I searched but there were no useful comments
on them in the threads. Still I don't feel stupid with
my problem. The FAQs don't give me a clue either.

I tried to alter many of the SSL commands as well as
the virtual host Configuration and the position of
the Directory and Blocks and Alias definitions within
the httpd.conf. Actually I tested all that for many
hours so I don't know everything I tried any more,
but here are some of the things I remember:

- IP and port based virtual hosts instead of name based
   virtual hosts.
- ALIAS and SCRIPTALIAS definition either within the
   virtual host section or before.
- SSLSessionCache turned off.
- SSLRandomSeed changed to /dev/urandom
- SSLOptions + and - StdEnvVars
- with or without SSLRequireSSL command per Directory
- removal of BrowserMatch commands
- always at least tested with Mozilla and IE running
   on separate client machine
- calling the CGI as either authenticated user (opening
   the webroot from the Browser first - see httpd.conf)
   or opening the cgi directly in a fresh browser window
   without authentication

In most cases I got the segmentation fault entry for
a child process in the error_log of Apache. For these
requests the sslengine_log showed info entries only,
stating that the request was given to the child process.

A few times there was an exit status entry instead of
the segmentation fault in the error_log but I forgot
to look into the sslengine_log. I could not reproduce
these situations.

Thanks for your response, Christian




httpd.conf # partial

### Section 1: Global Environment

... # Everything as usual

### Section 2: 'Main' server configuration

# name changed, no security risks whatsoever
ServerName full.qualifiedname.com
# spamprevention, sorry
ServerAdmin qualified@address.com
DocumentRoot "/Library/WebServer/Documents"
UseCanonicalName On
HostnameLookups Off
ServerSignature On

User www
Group www
# Port 80

# SSL Support
<IfModule mod_ssl.c>
	Listen 443
	Listen 80
	SSLEngine On
</IfModule>

<IfModule mod_setenvif.c>
     BrowserMatch "Mozilla/2" nokeepalive
     BrowserMatch ".*MSIE.*" nokeepalive force-response-1.0 \
	             downgrade-1.0 ssl-unclean-shutdown
     BrowserMatch "RealPlayer 4\.0" force-response-1.0
     BrowserMatch "Java/1\.0" force-response-1.0
     BrowserMatch "JDK/1\.0" force-response-1.0
</IfModule>

<IfModule mod_ssl.c>
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
</IfModule>

...

<Directory />
     Options FollowSymLinks
     AllowOverride None
</Directory>
<Directory "/Library/WebServer/Documents">
     Options Indexes FollowSymLinks MultiViews
     AuthName Nagios
     AuthType Basic
     AuthUserFile /usr/local/nagios/etc/htpasswd.users
     require valid-user
     AllowOverride None
     Order allow,deny
     Allow from all
</Directory>

<IfModule mod_alias.c>
     # If the fakename is slash-terminated, then the realname must also be
     # slash terminated, and if the fakename omits the trailing slash, the
     # realname must also omit it.
     Alias /icons/ "/usr/share/httpd/icons/"
     <Directory "/usr/share/httpd/icons">
         Options Indexes MultiViews
         AllowOverride None
         Order allow,deny
         Allow from all
     </Directory>
     Alias /manual/ "/Library/WebServer/Documents/manual/"
     <Directory "/Library/WebServer/Documents/manual">
         Options Indexes FollowSymlinks MultiViews
         AllowOverride None
         Order allow,deny
         Allow from all
     </Directory>
     ScriptAlias /cgi-bin/ "/Library/WebServer/CGI-Executables/"
     <Directory "/Library/WebServer/CGI-Executables">
         AllowOverride None
         Options None
         Order allow,deny
         Allow from all
     </Directory>
	ScriptAlias /nagios/cgi-bin /usr/local/nagios/sbin
	<Directory "/usr/local/nagios/sbin">
         AllowOverride AuthConfig
		Options ExecCGI
         Order deny,allow
         Deny from all
         Allow from 134.100.3 134.100.31
#	    AuthName Nagios
#	    AuthType Basic
#	    AuthUserFile /usr/local/nagios/etc/htpasswd.users
#	    require valid-user
	</Directory>
	Alias /nagios /usr/local/nagios/share
	<Directory "/usr/local/nagios/share">
         AllowOverride AuthConfig
		Options None
#	    AuthName Nagios
#	    AuthType Basic
#	    AuthUserFile /usr/local/nagios/etc/htpasswd.users
#	    require valid-user
	</Directory>
</IfModule>

### Section 3: Virtual Hosts

<IfModule mod_ssl.c>
# Initial Directives for SSL from developer.apple.com
   SSLPassPhraseDialog builtin
   SSLCertificateFile /etc/httpd/ssl.key/server.crt
   SSLCertificateKeyFile /etc/httpd/ssl.key/server.key
   SSLProtocol all -SSLv3
   SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
   SSLMutex file:/var/run/ssl_mutex
# SSLSessionCache dbm:/var/run/ssl_scache
# SSLSessionCacheTimeout 300
   SSLRandomSeed startup file:/dev/urandom 512
   SSLRandomSeed connect file:/dev/urandom 512
# SSLRandomSeed startup builtin
# SSLRandomSeed connect builtin
   SSLLog /var/log/httpd/ssl_engine_log 		
   SSLLogLevel info

<VirtualHost 123.234.12.34:80>
# <VirtualHost full.qualifiedname.com:80>
   SSLEngine off
</VirtualHost>

<VirtualHost 123.234.12.34:443>
# <VirtualHost full.qualifiedname.com:443>
   ServerName monitor27.rrz.uni-hamburg.de
   <Directory "/Library/WebServer/CGI-Executables">
     SSLOptions +StdEnvVars
   </Directory>
   <Directory "/usr/local/nagios/sbin">
#    SSLRequireSSL
#    SSLOptions +StdEnvVars
   </Directory>
   <Files ~ "\.(cgi|shtml|phtml|php|php3?)$">
     SSLOptions +StdEnvVars
   </Files>
</VirtualHost>
</IfModule>


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
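
An added example, not part of the original message and not Apache project code: a Python check of a configuration like the one posted against the stated goal of keeping Basic-auth passwords off plain HTTP. It reports <Directory> blocks that set AuthType Basic with no active SSLRequireSSL, and SSLProtocol lines that leave SSLv2 enabled; the name audit, the embedded sample and the merging of directives per directory path are assumptions of this example.

```python
import re
# Constructed sample: reduced copy of the posted httpd.conf, embedded to run offline.
SAMPLE_CONF = r'''
<Directory "/Library/WebServer/Documents">
    AuthType Basic
    require valid-user
</Directory>
SSLProtocol all -SSLv3
<VirtualHost 123.234.12.34:443>
  <Directory "/usr/local/nagios/sbin">
#   SSLRequireSSL
  </Directory>
</VirtualHost>
'''
ALL_PROTOCOLS = {"sslv2", "sslv3", "tlsv1"}  # what "all" expands to in mod_ssl 2.8

def audit(conf_text):
    """Flag Basic-auth directories without SSLRequireSSL and SSLv2 left enabled."""
    dirs, stack, findings = {}, [], []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out directive has no effect
        m = re.match(r"<(/?)(\w+)\s*([^>]*)>", line)
        if m:  # container open/close: remember which <Directory> we are inside
            closing, tag, arg = m.groups()
            if closing and stack:
                stack.pop()
            elif not closing:
                stack.append(arg.strip().strip('"') if tag.lower() == "directory" else None)
            continue
        name, *args = line.split()
        name = name.lower()
        current = next((p for p in reversed(stack) if p), None)
        if current is not None:
            flags = dirs.setdefault(current, set())  # merged per path (assumption)
            if name == "authtype" and args and args[0].lower() == "basic":
                flags.add("basic")
            elif name == "sslrequiressl":
                flags.add("ssl")
        if name == "sslprotocol":
            enabled = set()
            for tok in args:  # apply "all", "+X" and "-X" left to right
                p = tok.lstrip("+-").lower()
                target = ALL_PROTOCOLS if p == "all" else {p}
                enabled = enabled - target if tok.startswith("-") else enabled | target
            if "sslv2" in enabled:
                findings.append("SSLProtocol leaves SSLv2 enabled: " + line)
    findings += [f"Basic auth without SSLRequireSSL: {d}" for d, fl in sorted(dirs.items()) if "basic" in fl and "ssl" not in fl]
    return findings
```

On the sample it returns two findings: the SSLProtocol line, and the document root that asks for Basic credentials while also being served by the port 80 virtual host.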

