[LP8.6/Win] bloated apache error logs

[LP8.6/Win] bloated apache error logs

Jon Harris
Hi List

I noticed that my Apache error.log is getting pretty huge. It's generating errors like this:

[Tue Mar 03 07:55:01 2015] [error] [client 192.168.100.102] client denied by server configuration: C:/inetpub/wwwroot/site1/SiteSettings.inc

This error is caused by simple includes and library commands:

library('/sitesettings.inc') ;

For security, I don't want Apache to directly serve include files, but clearly we need them to make the sites work.

The odd thing is that the include (and library) commands are actually working fine, the only issue is the error.log.

In my httpd.conf file I have this block:

<Files *.inc>
   Order allow,deny
   Deny from all
</Files>

Should I remove this block and add .inc to the list of lasso extensions?

This is the block for Lasso:

<Location ~ "^.*\.[Ll][Aa][Ss][Ss][Oo]$">
        SetHandler lasso8-handler
</Location>

What is best practice on this?

Any pointers appreciated.

Jon Harris



#############################################################

This message is sent to you because you are subscribed to
  the mailing list Lasso [hidden email]
Official list archives available at http://www.lassotalk.com
To unsubscribe, E-mail to: <[hidden email]>
Send administrative queries to  <[hidden email]>

Re: [LP8.6/Win] bloated apache error logs

stevepiercy
First, are you using logrotate?  If not, do.  Although this has
nothing to do with your question, this is the standard practice
to avoid massive log files in the first place.
https://httpd.apache.org/docs/2.4/programs/rotatelogs.html

I would also recommend everyone get Ivan Ristic's recently made
free book, "Apache Security".  Ten years later, even though
specific configuration directives may have changed, the concepts
have not.
https://www.feistyduck.com/books/apache-security/

Moving on to your problem, if you want Lasso to process a file
that has a specific extension, then it must be allowed in Lasso
SiteAdmin > Setup > Site > File Extensions > Lasso Page
Settings.  From the Lasso 8.6 Setup Guide:

     ...to specify what Lasso pages extensions are allowed for use with Lasso.
     By default, the list will include .htm, .html, .inc. .incl, .las, .lasso
     and .LassoApp. This applies to all Lasso pages which are served via
     Lasso or referenced within an Lasso tag (e.g. [Include]). Files with
     extensions not listed here cannot be processed or included by Lasso.

So you don't need to add ".inc", unless you previously removed it.

Your Apache configuration directive is correct, but I would use
quotes around the argument.

     <Files "*.inc">
         Order allow,deny
         Deny from all
     </Files>

So I don't see anything wrong.  However, as I understand your
problem, you think that the presence of the above directive
causes excessive error log entries, like this one:

     [Tue Mar 03 07:55:01 2015] [error] [client 192.168.100.102] client denied by server configuration: C:/inetpub/wwwroot/site1/SiteSettings.inc

Let's prove it!  Comment out the directive, restart Apache, load
the page that includes the file 'SiteSettings.inc', and see if
the error still appears in the Apache error log file.

You should be aware of how <Directory>, <Location> and <Files>
sections work together when a request is received, which can
vary between major versions of Apache.
http://httpd.apache.org/docs/current/sections.html

It's also possible that rewrite rules are causing subrequests
(like [library] and [include] tags) to be processed by Apache in
a way you did not intend or want.

Also make sure that you are not authenticated as a Lasso
administrative user.  As an Administrator, you can do more than
a normal unauthenticated user.

Ultimately without looking at the entire Apache configuration,
troubleshooting these kinds of issues could be extremely
difficult, if not impossible.

--steve


-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
Steve Piercy              Website Builder              Soquel, CA
<[hidden email]>               <http://www.StevePiercy.com/>
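
Added example, not part of the original thread: one way to measure how much of an error log consists of the "client denied by server configuration" entries discussed above, and which files and clients trigger them, so the numbers can be compared before and after changing a directive. The sample lines are constructed in the log format quoted in the thread; the function and field names are this example's own, and paths are lower-cased on the assumption of a case-insensitive Windows file system.

```python
import re
from collections import Counter
from datetime import datetime

# Apache 2.2-style error log line, as quoted in the thread:
# [timestamp] [level] [client ip] message   (the client part is optional)
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>[a-z]+)\] "
    r"(?:\[client (?P<client>[^\]]+)\] )?(?P<msg>.*)$"
)
DENIED = "client denied by server configuration: "
TS_FORMAT = "%a %b %d %H:%M:%S %Y"

# Constructed sample input (not taken from a real server).
SAMPLE_LOG = """\
[Tue Mar 03 07:55:01 2015] [error] [client 192.168.100.102] client denied by server configuration: C:/inetpub/wwwroot/site1/SiteSettings.inc
[Tue Mar 03 07:55:01 2015] [error] [client 192.168.100.102] client denied by server configuration: C:/inetpub/wwwroot/site1/sitesettings.inc
[Tue Mar 03 07:55:02 2015] [error] [client 192.168.100.102] client denied by server configuration: C:/inetpub/wwwroot/site1/footer.inc
[Tue Mar 03 07:56:10 2015] [error] [client 203.0.113.7] File does not exist: C:/inetpub/wwwroot/site1/favicon.ico
[Tue Mar 03 07:57:30 2015] [error] [client 203.0.113.7] client denied by server configuration: C:/inetpub/wwwroot/site1/SiteSettings.inc
[Tue Mar 03 08:00:00 2015] [notice] Child 1234: Starting 64 worker threads.
this line is truncated and does not parse
"""


def summarize(log_text):
    """Group access-denied entries by file and client and report their share of the log."""
    total_bytes = denied_bytes = unparsed = 0
    by_path, by_client, other = Counter(), Counter(), Counter()
    first = last = None

    for line in log_text.splitlines():
        if not line.strip():
            continue
        size = len(line.encode("utf-8")) + 1  # +1 for the newline
        total_bytes += size

        match = LINE_RE.match(line)
        if match is None:
            unparsed += 1
            continue
        try:
            ts = datetime.strptime(match.group("ts"), TS_FORMAT)
        except ValueError:
            unparsed += 1
            continue

        msg = match.group("msg")
        if not msg.startswith(DENIED):
            # Keep a coarse tally of everything else: (level, text before the first colon).
            other[(match.group("level"), msg.split(":", 1)[0])] += 1
            continue

        denied_bytes += size
        # Normalise separators and case so SiteSettings.inc and sitesettings.inc
        # are counted as the same file.
        path = msg[len(DENIED):].strip().replace("\\", "/").lower()
        by_path[path] += 1
        by_client[match.group("client") or "-"] += 1
        first = ts if first is None else min(first, ts)
        last = ts if last is None else max(last, ts)

    return {
        "denied": sum(by_path.values()),
        "denied_share": denied_bytes / total_bytes if total_bytes else 0.0,
        "by_path": by_path,
        "by_client": by_client,
        "other": other,
        "unparsed": unparsed,
        "first": first,
        "last": last,
    }


def format_report(summary, top=10):
    """Render the summary as plain text for a written note."""
    lines = [
        "denied entries: %d (%.0f%% of log bytes)"
        % (summary["denied"], summary["denied_share"] * 100),
        "first seen: %s   last seen: %s" % (summary["first"], summary["last"]),
        "by file:",
    ]
    lines += ["  %6d  %s" % (n, p) for p, n in summary["by_path"].most_common(top)]
    lines.append("by client:")
    lines += ["  %6d  %s" % (n, c) for c, n in summary["by_client"].most_common(top)]
    lines.append("unparsed lines: %d" % summary["unparsed"])
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(summarize(SAMPLE_LOG)))
```

For a real log, read the file's contents and pass them to summarize(); a multi-gigabyte file is better processed after it has been split by rotation.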


RE: [LP8.6/Win] bloated apache error logs

Jon Harris
Hi Steve

Thanks for the reply. No, I am not using logrotate - I will look at this. The log file was 1.7Gb, so I do need to do something.

To be honest, I am not that great on Apache on Windows. On Centos, I use "cronolog" which works really nicely.

I removed the <files> code block and found Apache did serve .inc files, basically as .txt files, so the visitor would see the entire file contents in the browser.

www.thesite.com/sitesettings.inc

I did find a more specific version, so my files block is now:

<Files  ~ "\.inc$">
  Order allow,deny
  Deny from all
</Files>

I didn't actually check the log file, but I will now and see what it does, but I would predict that no errors will appear.

I do have a few rewrite rules, which gave me lots of problems, mainly because they are case-sensitive, even though Windows itself isn't. I am also using modsecurity - I don't think this is relevant, as when I disabled modsecurity the errors still appeared.

Incidentally, the reason we moved from IIS to Apache, is that we do find Apache is more stable. We were getting a lot of "Lasso Connector could not communicate with Lasso Service" under IIS.

Regards
Jon


RE: [LP8.6/Win] bloated apache error logs

stevepiercy
Your new <Files> directive looks OK.

IMO, mod_security is more trouble than it's worth, especially if
you are not well-versed in Apache configuration.  I prefer a
more simple Apache configuration together with fail2ban and
iptables on Linux, so my server blocks attacks in real time at
the firewall before they hit the web server and Lasso.  You
could look for their counterparts on Windows, or dive in with
learning some Linux stuff (recommended).

To deal with case-sensitivity in rewrite rules, use the proper
flag [NC].
http://httpd.apache.org/docs/2.4/rewrite/flags.html#flag_nc

Anyway, you're on the right path.  Observe, make a written note,
flip a switch.  Repeat cycle, until all switches have been
flipped off and the system still runs.  Or go the reverse
direction: turn off everything, observe, note, turn on one
thing, etc.  Put your high school chemistry scientific methods
into practice.

--steve



-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
Steve Piercy              Website Builder              Soquel, CA
<[hidden email]>               <http://www.StevePiercy.com/>


RE: [LP8.6/Win] bloated apache error logs

Jon Harris
Hi Steve

Thanks for the advice. I am currently reading Chris Hadfield's book (a good read), so I am "working the problem". Unfortunately, this is a "live" server, so I will set up a test one so I can play with this (our dev server is IIS, so that's no use). I actually think this might be a bug in either the connector or Apache itself. It's a frustrating issue as on the face of it everything is working.

I put mod_security on with a bunch of rules designed to stop form injections etc, etc after a PCI scan reported a couple of issues. I use Fail2Ban/iptables on Centos. But on Windows there doesn't seem to be an equivalent. We do use the "Windows Firewall with Advanced Security" but that doesn't help with dynamic threats.

Regards
Jon


Re: [LP8.6/Win] bloated apache error logs

Mark Palmer
In reply to this post by Jon Harris
You can just turn off logging, may not be a great idea but it's an
option.

In httpd.conf comment out

#CustomLog logs/access_log common
#ErrorLog logs/error_log

Regards

Mark Palmer
E: [hidden email]
T: 01902 620500 and 01285 610035
W: www.pageworks.co.uk

RE: [LP8.6/Win] bloated apache error logs

Jon Harris
Hi Mark

Thanks. If I can't fix it - I was actually considering just turning off the error logging.

I was going to investigate associating the .inc files with Lasso, at least Apache won't serve them as .txt files, although I'm not sure what referencing footer.inc, etc will do.

It's an odd problem. I have checked using the FF "tamper data" plug-in and there are no 404 errors for undelivered files, so why does Apache think an error has occurred?

If I find anything out, I'll post something back.

Regards
Jon




-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Mark Palmer
Sent: 03 March 2015 10:10
To: [hidden email]
Subject: Re: [LP8.6/Win] bloated apache error logs

You can just turn off logging, may not be a great idea but it's an option.

In httpd.conf comment out

#CustomLog logs/access_log common
#ErrorLog logs/error_log

Regards

Mark Palmer
E: [hidden email]
T: 01902 620500 and 01285 610035
W: www.pageworks.co.uk
On 3 Mar 2015, at 8:08, Jon Harris wrote:

> Hi List
>
> I noticed that my Apache error.log is getting pretty huge. It's
> generating errors like this:
>
> [Tue Mar 03 07:55:01 2015] [error] [client 192.168.100.102] client
> denied by server configuration:
> C:/inetpub/wwwroot/site1/SiteSettings.inc
>
> This error is caused by simple includes and library commands:
>
> library('/sitesettings.inc') ;
>
> For security, I don't want apache to directly serve include files, but
> clearly we need them to make the sites work.
>
> The odd thing is that the include (and library) commands are actually
> working fine, the only issue is the error.log.
>
> In my httpd.conf file I have this block:
>
> <Files *.inc>
> Order allow,deny
> Deny from all
> </Files>
>
> Should I remove this block and add .inc to the list of lasso
> extensions?
>
> This is the block for Lasso:
>
> <Location ~ "^.*\.[Ll][Aa][Ss][Ss][Oo]$">
> SetHandler lasso8-handler
> </Location>
>
> What is best practice on this?
>
> Any pointers appreciated.
>
> Jon Harris

RE: [LP8.6/Win] bloated apache error logs

stevepiercy
I would recommend against turning off Apache logging.  How else
would you know there is a problem?  The better option is
logrotate, which is a single line configuration in Apache per
log file.

This is not a 404 error.  The file exists.

This is a "client denied by server configuration" error, which
is usually something to do with authentication or
authorization.  mod_security is a usual suspect, but there are
others, including denying a range of IP addresses, or an
overriding <Directory> with incorrect Allow or Deny blocks.

--steve


On 3/3/15 at 10:46 AM, [hidden email] (Jon Harris) pronounced:

>Hi Mark
>
>Thanks. If I can't fix it -  I was actually considering just
>turning off the error logging.
>
>I was going to investigate associating the .inc files with
>Lasso, at least Apache won't serve them as .txt files, although
>I'm not sure what referencing footer.inc, etc will do.
>
>It's an odd problem. I have checked using the FF "tamper data"
>plug-in and there are no 404 errors for undelivered files, so
>why does apache think an error has occurred?
>
>If I find anything out, I'll post something back.
>
>Regards
>Jon
>
>
>
>
>-----Original Message-----
>From: [hidden email]
>[mailto:[hidden email]] On Behalf Of Mark Palmer
>Sent: 03 March 2015 10:10
>To: [hidden email]
>Subject: Re: [LP8.6/Win] bloated apache error logs
>
>You can just turn off logging, may not be a great idea but it's an option.
>
>In httpd.conf comment out
>
>#CustomLog logs/access_log common
>#ErrorLog logs/error_log
>
>Regards
>
>Mark Palmer
>E: [hidden email]
>T: 01902 620500 and 01285 610035
>W: www.pageworks.co.uk
>On 3 Mar 2015, at 8:08, Jon Harris wrote:
>
>>Hi List
>>
>>I noticed that my Apache error.log is getting pretty huge.
>>It's generating errors like this:
>>
>>[Tue Mar 03 07:55:01 2015] [error] [client 192.168.100.102]
>>client denied by server configuration:
>>C:/inetpub/wwwroot/site1/SiteSettings.inc
>>
>>This error is caused by simple includes and library commands:
>>
>>library('/sitesettings.inc') ;
>>
>>For security, I don't want apache to directly serve include
>>files, but clearly we need them to make the sites work.
>>
>>The odd thing is that the include (and library) commands are
>>actually working fine, the only issue is the error.log.
>>
>>In my httpd.conf file I have this block:
>>
>><Files *.inc>
>>Order allow,deny
>>Deny from all
>></Files>
>>
>>Should I remove this block and add .inc to the list of lasso extensions?
>>
>>This is the block for Lasso:
>>
>><Location ~ "^.*\.[Ll][Aa][Ss][Ss][Oo]$">
>>SetHandler lasso8-handler
>></Location>
>>
>>What is best practice on this?
>>
>>Any pointers appreciated.
>>
>>Jon Harris

-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
Steve Piercy              Website Builder              Soquel, CA
<[hidden email]>               <http://www.StevePiercy.com/>



Re: [LP8.6/Win] bloated apache error logs

jasonhuck
In reply to this post by Jon Harris
I don't recall who sorted this out originally, but we've had this in our
vhost configurations for years. Seems to do the trick.

# disallow direct serving of .inc files
# this method should avoid cluttering up apache's
# error logs with subrequests.
# -------------------------------------------------------------------
RewriteCond %{REQUEST_URI}  ^.*\.inc$  [NC]
RewriteRule (.*)  - [L,NS,F]


(Of course, for this to work, you need to have mod_rewrite loaded and
enabled with "RewriteEngine On".)

- jason



On Tue, Mar 3, 2015 at 5:46 AM, Jon Harris <[hidden email]>
wrote:

> Hi Mark
>
> Thanks. If I can't fix it -  I was actually considering just turning off
> the error logging.
>
> I was going to investigate associating the .inc files with Lasso, at least
> Apache won't serve them as .txt files, although I'm not sure what
> referencing footer.inc, etc will do.
>
> It's an odd problem. I have checked using the FF "tamper data" plug-in and
> there are no 404 errors for undelivered files, so why does apache think an
> error has occurred?
>
> If I find anything out, I'll post something back.
>
> Regards
> Jon
>
>
>
>
> -----Original Message-----
> From: [hidden email] [mailto:
> [hidden email]] On Behalf Of Mark Palmer
> Sent: 03 March 2015 10:10
> To: [hidden email]
> Subject: Re: [LP8.6/Win] bloated apache error logs
>
> You can just turn off logging, may not be a great idea but it's an option.
>
> In httpd.conf comment out
>
> #CustomLog logs/access_log common
> #ErrorLog logs/error_log
>
> Regards
>
> Mark Palmer
> E: [hidden email]
> T: 01902 620500 and 01285 610035
> W: www.pageworks.co.uk
> On 3 Mar 2015, at 8:08, Jon Harris wrote:
>
> > Hi List
> >
> > I noticed that my Apache error.log is getting pretty huge. It's
> > generating errors like this:
> >
> > [Tue Mar 03 07:55:01 2015] [error] [client 192.168.100.102] client
> > denied by server configuration:
> > C:/inetpub/wwwroot/site1/SiteSettings.inc
> >
> > This error is caused by simple includes and library commands:
> >
> > library('/sitesettings.inc') ;
> >
> > For security, I don't want apache to directly serve include files, but
> > clearly we need them to make the sites work.
> >
> > The odd thing is that the include (and library) commands are actually
> > working fine, the only issue is the error.log.
> >
> > In my httpd.conf file I have this block:
> >
> > <Files *.inc>
> > Order allow,deny
> > Deny from all
> > </Files>
> >
> > Should I remove this block and add .inc to the list of lasso
> > extensions?
> >
> > This is the block for Lasso:
> >
> > <Location ~ "^.*\.[Ll][Aa][Ss][Ss][Oo]$">
> >       SetHandler lasso8-handler
> > </Location>
> >
> > What is best practice on this?
> >
> > Any pointers appreciated.
> >
> > Jon Harris

Re: [LP8.6/Win] bloated apache error logs

Johan Solve
In reply to this post by Mark Palmer
loglevel crit is less of a sledgehammer and works for this

2015-03-03 11:09 GMT+01:00 Mark Palmer <[hidden email]>:

> You can just turn off logging, may not be a great idea but it's an option.
>
> In httpd.conf comment out
>
> #CustomLog logs/access_log common
> #ErrorLog logs/error_log
>
> Regards
>
> Mark Palmer
> E: [hidden email]
> T: 01902 620500 and 01285 610035
> W: www.pageworks.co.uk
>
> On 3 Mar 2015, at 8:08, Jon Harris wrote:
>
>> Hi List
>>
>> I noticed that my Apache error.log is getting pretty huge. It's
>> generating errors like this:
>>
>> [Tue Mar 03 07:55:01 2015] [error] [client 192.168.100.102] client denied
>> by server configuration: C:/inetpub/wwwroot/site1/SiteSettings.inc
>>
>> This error is caused by simple includes and library commands:
>>
>> library('/sitesettings.inc') ;
>>
>> For security, I don't want apache to directly serve include files, but
>> clearly we need them to make the sites work.
>>
>> The odd thing is that the include (and library) commands are actually
>> working fine, the only issue is the error.log.
>>
>> In my httpd.conf file I have this block:
>>
>> <Files *.inc>
>> Order allow,deny
>> Deny from all
>> </Files>
>>
>> Should I remove this block and add .inc to the list of lasso extensions?
>>
>> This is the block for Lasso:
>>
>> <Location ~ "^.*\.[Ll][Aa][Ss][Ss][Oo]$">
>>         SetHandler lasso8-handler
>> </Location>
>>
>> What is best practice on this?
>>
>> Any pointers appreciated.
>>
>> Jon Harris



--
Mvh
Johan Sölve
____________________________________
Montania System AB
Halmstad   Stockholm
http://www.montania.se

Johan Sölve
Mobil +46 709-51 55 70
[hidden email]

Kristinebergsvägen 17, S-302 41 Halmstad, Sweden
Telefon +46 35-136800 |  Fax +46 35-136801
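
Added example (not code from any poster in this thread): a Python triage of an Apache 2.2 error_log that counts "client denied by server configuration" entries per client and path, and lists which entries stop being recorded at LogLevel crit, which bears on both the advice to keep logging and the LogLevel suggestion. The sample log is constructed apart from its first line, and the function names are hypothetical.

```python
import re
from collections import Counter

# Apache 2.2 layout: [timestamp] [level] [client ip] message (client optional)
LINE_RE = re.compile(r"^\[([^\]]+)\] \[(\w+)\] (?:\[client ([^\]]+)\] )?(.*)$")
DENIED = "client denied by server configuration: "
LEVELS = ["emerg", "alert", "crit", "error", "warn", "notice", "info", "debug"]

# Constructed sample; only the first line is taken from the thread.
SAMPLE_LOG = """\
[Tue Mar 03 07:55:01 2015] [error] [client 192.168.100.102] client denied by server configuration: C:/inetpub/wwwroot/site1/SiteSettings.inc
[Tue Mar 03 07:55:01 2015] [error] [client 192.168.100.102] client denied by server configuration: C:/inetpub/wwwroot/site1/footer.inc
[Tue Mar 03 07:55:09 2015] [error] [client 192.168.100.102] client denied by server configuration: C:/inetpub/wwwroot/site1/SiteSettings.inc
[Tue Mar 03 07:56:12 2015] [error] [client 203.0.113.7] client denied by server configuration: C:/inetpub/wwwroot/site1/admin/
[Tue Mar 03 07:56:40 2015] [error] [client 203.0.113.7] File does not exist: C:/inetpub/wwwroot/site1/backup.zip
[Tue Mar 03 08:00:00 2015] [crit] (constructed) listener failed to bind
[Tue Mar 03 08:01:00 2015] [notice] Child 1234: Starting 64 worker threads.
"""

def parse(text):
    """Return (level, client, message) for each well-formed line."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(2) in LEVELS:
            rows.append((m.group(2), m.group(3), m.group(4)))
    return rows

def denied_summary(rows, ext=".inc"):
    """Count access denials per (client, path), split by file extension."""
    inc, other = Counter(), Counter()
    for _level, client, msg in rows:
        if msg.startswith(DENIED):
            path = msg[len(DENIED):]
            (inc if path.lower().endswith(ext) else other)[(client, path)] += 1
    return inc, other

def hidden_by_loglevel(rows, loglevel):
    """Rows that stop being written once LogLevel is raised to `loglevel`."""
    cutoff = LEVELS.index(loglevel)
    # When logging to a regular file, notice-level messages are always written.
    return [r for r in rows
            if LEVELS.index(r[0]) > cutoff and r[0] != "notice"]

if __name__ == "__main__":
    rows = parse(SAMPLE_LOG)
    print(denied_summary(rows))
    print(hidden_by_loglevel(rows, "crit"))
```

A direct request for a .inc file is denied with the same error line as an include-triggered subrequest, so the .inc bucket is not guaranteed to be only noise.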
