a coder's questions

Working on fixing the "certificate is not from a trusted authority" error when logging on to RDP against a Server 2022 instance. It's thinking I am using a self-signed certificate, however I have a valid certificate from InCommon.

As mentioned, I have the correct PEM encoded security certificate from a valid provider.

I added this certificate to Console - Remote Desktop - Certificates:

Rebooted for good measure, but am still getting the same "certificate is not from a trusted certifying authority" error.

What steps am I missing?

I'm attempting to set up my first guest set up under KVM and am having trouble getting the network working.

The host machine "vm_host_box" has a static IP of 4.4.4.185.
The guest I am setting up needs to have a static IP of 4.4.4.200.

I currently have zero connectivity to anything (including gateway) from the guest VM. Note that the guest VM is a minimal install and I'm not able to install any additional packages due to not having network for yum.

Here's what I can see from the host:

[root@vm_host_box ~]# cat /etc/sysconfig/network-scripts/ifcfg-em1 
TYPE=Ethernet
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
NAME=em1
UUID=some-string-here
DEVICE=em1
ONBOOT=yes
DNS1=4.4.10.1
DOMAIN=vmhostbox.my.domain
IPV6INIT=no
IPADDR=4.4.4.185
PREFIX=23
GATEWAY=4.4.4.2

list of other ifcfg-* files:

[root@vm_host_box network-scripts]# ls ifcfg-*
ifcfg-em1  ifcfg-em2  ifcfg-em3  ifcfg-em4  ifcfg-lo

ip addr details:

[root@vm_host_box ~]# ip addr show em1
2: em1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN qlen 1000
    link/ether 14:18:77:69:b6:9a brd ff:ff:ff:ff:ff:ff
    inet 4.4.4.185/23 brd 170.140.203.255 scope global em1
       valid_lft forever preferred_lft forever

[root@vm_host_box ~]# ip addr show virbr0
6: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN qlen 1000
    link/ether 52:54:00:11:3f:7e brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
       valid_lft forever preferred_lft forever

brctl shows a bridge, but there is an interface listed and I'm not sure how it was added.

[root@vm_host_box ~]# brctl show
bridge name bridge id       STP enabled interfaces
virbr0      8000.525400113f7e   yes     virbr0-nic

Here's the virsh details for the default network. I'm unclear about the range of IPs. Will virsh be creating a new subnet, or am I telling it what IP's to look out for?

[root@vm_host_box ~]# virsh net-list --all
 Name                 State      Autostart     Persistent
----------------------------------------------------------
 default              active     yes           yes



[root@vm_host_box ~]# virsh net-edit default

<network>
  <name>default</name>
  <uuid>0b06b7c0-708f-4925-a8f6-84587bf96575</uuid>
  <forward mode='nat'/>
  <bridge name='virbr0' stp='on' delay='0'/>
  <mac address='52:54:00:11:3f:7e'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.122.2' end='192.168.122.254'/>
    </dhcp>
  </ip>
</network>

Here's what I am showing under KVM's Connection Details screens:

and

Here is the config after starting the Guest (labeled "rhel7")

Any pointers would be greatly appreciated.

Long story short, I discovered expire_log_days = 3 a little too late. My /var/log directory is completely filled with old mysql-bin files, and per google/SE search, it is strongly recommended not to manually delete them.

The trouble is, I can't get into a MySQL shell to PURGE them, nor am I able to start the service with the new config setting expire_log_days.

I removed some older non-MySQL logs (about 500mb worth), but am still unable to get mysql to start.

Is there a less painful way out of this?

[root@box mariadb]# systemctl restart mariadb.service
Job for mariadb.service failed because the control process exited with error code. See "systemctl status mariadb.service" and "journalctl -xe" for details.
[root@box mariadb]# journalctl -xe
-- Subject: Unit session-203.scope has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit session-203.scope has begun starting up.
Dec 07 14:01:35 my.sql.box systemd[1]: Starting MariaDB database server...
-- Subject: Unit mariadb.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit mariadb.service has begun starting up.
Dec 07 14:01:36 my.sql.box mysqld_safe[23884]: 161207 14:01:36 mysqld_safe Logging to '/var/log/mariadb/mariadb.log'.
Dec 07 14:01:36 my.sql.box mysqld_safe[23884]: 161207 14:01:36 mysqld_safe Starting mysqld daemon with databases from /data/db/mysql
Dec 07 14:01:36 my.sql.box mysqld_safe[23884]: 161207 14:01:36 mysqld_safe mysqld from pid file /var/run/mariadb/mariadb.pid ended
Dec 07 14:01:37 my.sql.box systemd[1]: mariadb.service: control process exited, code=exited status=1
Dec 07 14:01:37 my.sql.box systemd[1]: Failed to start MariaDB database server.
-- Subject: Unit mariadb.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit mariadb.service has failed.
-- 
-- The result is failed.
Dec 07 14:01:37 my.sql.box systemd[1]: Unit mariadb.service entered failed state.
Dec 07 14:01:37 my.sql.box systemd[1]: mariadb.service failed.
Dec 07 14:01:37 my.sql.box audispd[4973]: node=my.sql.box type=SERVICE_START msg=audit(1481137297.301:1657): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=
Dec 07 14:01:37 my.sql.box polkitd[4981]: Unregistered Authentication Agent for unix-process:23850:300226 (system bus name :1.460, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_U

[root@box log]# systemctl status mariadb.service
● mariadb.service - MariaDB database server
   Loaded: loaded (/usr/lib/systemd/system/mariadb.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Wed 2016-12-07 14:09:17 EST; 7s ago
  Process: 24840 ExecStartPost=/usr/libexec/mariadb-wait-ready $MAINPID (code=exited, status=1/FAILURE)
  Process: 24838 ExecStart=/usr/bin/mysqld_safe --basedir=/usr (code=exited, status=0/SUCCESS)
  Process: 24810 ExecStartPre=/usr/libexec/mariadb-prepare-db-dir %n (code=exited, status=0/SUCCESS)
 Main PID: 24838 (code=exited, status=0/SUCCESS)

Dec 07 14:09:12 my.sql.box systemd[1]: Starting MariaDB database server...
Dec 07 14:09:13 my.sql.box mysqld_safe[24838]: 161207 14:09:13 mysqld_safe Logging to '/var/log/mariadb/mariadb.log'.
Dec 07 14:09:13 my.sql.box mysqld_safe[24838]: 161207 14:09:13 mysqld_safe Starting mysqld daemon with databases from /data/db/mysql
Dec 07 14:09:16 my.sql.box mysqld_safe[24838]: 161207 14:09:16 mysqld_safe mysqld from pid file /var/run/mariadb/mariadb.pid ended
Dec 07 14:09:17 my.sql.box systemd[1]: mariadb.service: control process exited, code=exited status=1
Dec 07 14:09:17 my.sql.box systemd[1]: Failed to start MariaDB database server.
Dec 07 14:09:17 my.sql.box systemd[1]: Unit mariadb.service entered failed state.
Dec 07 14:09:17 my.sql.box systemd[1]: mariadb.service failed.
[root@box log]# 

I'm looking at upgrading hard drives in a PowerEdge R720 and need a little guidance.

Current configuration:

OS: CentOS 6.5
Drives: 
2 x 300gb drives (RAID 1)
4 x 600gb drives (RAID 5)

I have 6 new 1.2TB SAS drives that need to be swapped in.

1. Can I add a 1.2TB drive where a 600GB drive used to live?

2. Since #1 would take a while, would it be possible to swap all the drives out at once while retaining the RAID config? All data will already be backed up elsewhere, just wondering if swapping them out all at once will kill the existing RAID config or if that is saved on the Perc H710 card.

Recently installed RHEL7 on a PowerEdge R320 with the following drives:

2 x 300GB sas 15k
2 x 1TB sas 7.2k

When setting up LVM during installation I purposefully left over several hundred GB free in case I needed to expand later.

I'm now seeing that I need to expand one of the volumes created during install.

The problem is pvs is only showing what I created, and is not showing any usable free space.

[user@box ~] pvdisplay
  --- Physical volume ---
  PV Name               /dev/sda2
  VG Name               rhel_os
  PV Size               165.79 GiB / not usable 0   
  Allocatable           yes (but full)
  PE Size               4.00 MiB
  Total PE              42443
  Free PE               0
  Allocated PE          42443
  PV UUID               sDdEfu-qagM-qq35-OGfF-HpPw-Bizd-LcXazt

  --- Physical volume ---
  PV Name               /dev/sdb1
  VG Name               rhel_data
  PV Size               139.71 GiB / not usable 4.00 MiB
  Allocatable           yes 
  PE Size               4.00 MiB
  Total PE              35766
  Free PE               1
  Allocated PE          35765
  PV UUID               Jgjcad-idBE-wxXc-tGGf-SY8m-qb8T-nBi9ar

parted shows the free space:

[user@box ~]# parted
GNU Parted 3.1
Using /dev/sda
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted) print free                                                       
Model: DELL PERC H710 (scsi)
Disk /dev/sda: 299GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos
Disk Flags: 

Number  Start   End     Size    Type     File system  Flags
        18.4kB  1049kB  1030kB           Free Space
 1      1049kB  301MB   300MB   primary  xfs          boot
 2      301MB   178GB   178GB   primary               lvm
        178GB   299GB   121GB            Free Space

and /dev/sdb:

[user@box ~]# parted /dev/sdb
(parted) print free
Model: DELL PERC H710 (scsi)
Disk /dev/sdb: 1000GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos
Disk Flags: 

Number  Start   End     Size    Type     File system  Flags
        32.3kB  1049kB  1016kB           Free Space
 1      1049kB  150GB   150GB   primary               lvm
        150GB   1000GB  850GB            Free Space

1) What do I need to do to make use of the free 850GB?

2) In the future, how could I have placed all of the Free Space into the physical volume (thus making it easier to use with LVM)?

I need to mount a directory on a Windows Server 2012 system with rw access for local user apache. If I mount with defaults:

server2012:/sharedir            /appfolder            nfs     defaults

The resulting permissions are:

drwx------.   2 4294967294 4294967294   64 Mar  7 13:40 appfolder

Apache is not able to read or write to this folder.

Setting uid/gid in fstab results in:

[~]# mount /appfolder
mount.nfs: an incorrect mount option was specified

If I try to change permissions on /appfolder as root, I get

[~]# chown -R apache:apache /appfolder/
chown: changing ownership of ‘/appfolder’: Permission denied

What do I need to do to either mount the Windows NFS share as apache, or change permissions to apache after the fact?

I created the Windows Server 2012 share using:

PS C:\Windows\system32> nfsshare testshare2=C:\testshare2 -o anon=yes anonuid=0 anongid=0 rw=uuu.uuu.uuu.uuu
testshare2 was shared successfully

Where uuu.uuu.uuu.uuu is the IP of my Ubuntu system.

Next, from the Ubuntu machine I mounted the Windows NFS share as follows:

sudo mount -t nfs xxx.xxx.xxx.xxx:/testshare2 /mnt/testshare2

Where xxx.xxx.xxx.xxx is the IP of the Windows Server 2012 machine.

No errors are shown when mounting, but when I ls the mounted directory, the following appears:

ls: cannot open directory /mnt/testshare2/: Input/output error

I'm not showing any errors in Ubuntu's syslog.

Here are properties of the share in Server 2012:

Edit 1: I get the same input/output error when attempting to mount the Server 2012 NFS share from a RHEL7 machine. Mount works fine I just can't ls directory or touch files.

Edit 2: In Server 2012, the NFS log shows a successful mount to both Ubuntu and RHEL machines.

Migrating a system from CentOS6 to RHEL7 with SELinux running Enforced. A php script makes a call to /usr/bin/processdata.sh to generate some data behind the scenes. This worked fine with the old system but the php exec call chokes with SELinux set to enabled.

Here is the sh permission

-rwxrwx--x. root root unconfined_u:object_r:bin_t:s0   /usr/bin/process_data.sh

This audit error is seen at the same time the php page is called:

ausearch -l -i | grep httpd

type=SYSCALL msg=audit(02/27/2016 14:07:52.662:23480) : arch=x86_64 syscall=socket success=no exit=-97(Address family not supported by protocol) a0=inet6 a1=SOCK_DGRAM a2=ip a3=0x672e76656473626e items=0 ppid=15686 pid=3852 auid=unset uid=apache gid=apache euid=apache suid=apache fsuid=apache egid=apache sgid=apache fsgid=apache tty=(none) ses=unset comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null) type=AVC msg=audit(02/27/2016 14:07:52.662:23480) : avc: denied { module_request } for pid=3852 comm=httpd kmod="net-pf-10" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system

Here are my current httpd bools:

httpd_can_network_relay        (off  ,  off)  Allow httpd to can network relay
httpd_can_connect_mythtv       (off  ,  off)  Allow httpd to can connect mythtv
httpd_can_network_connect_db   (off  ,  off)  Allow httpd to can network connect db
httpd_use_gpg                  (off  ,  off)  Allow httpd to use gpg
httpd_dbus_sssd                (off  ,  off)  Allow httpd to dbus sssd
httpd_enable_cgi               (on   ,   on)  Allow httpd to enable cgi
httpd_verify_dns               (off  ,  off)  Allow httpd to verify dns
httpd_dontaudit_search_dirs    (off  ,  off)  Allow httpd to dontaudit search dirs
httpd_anon_write               (off  ,  off)  Allow httpd to anon write
httpd_use_cifs                 (off  ,  off)  Allow httpd to use cifs
httpd_enable_homedirs          (off  ,  off)  Allow httpd to enable homedirs
httpd_unified                  (off  ,  off)  Allow httpd to unified
httpd_mod_auth_pam             (off  ,  off)  Allow httpd to mod auth pam
httpd_run_stickshift           (off  ,  off)  Allow httpd to run stickshift
httpd_use_fusefs               (off  ,  off)  Allow httpd to use fusefs
httpd_can_connect_ldap         (off  ,  off)  Allow httpd to can connect ldap
httpd_can_network_connect      (on   ,   on)  Allow httpd to can network connect
httpd_mod_auth_ntlm_winbind    (off  ,  off)  Allow httpd to mod auth ntlm winbind
httpd_tty_comm                 (off  ,  off)  Allow httpd to tty comm
httpd_sys_script_anon_write    (off  ,  off)  Allow httpd to sys script anon write
httpd_graceful_shutdown        (on   ,   on)  Allow httpd to graceful shutdown
httpd_can_connect_ftp          (off  ,  off)  Allow httpd to can connect ftp
httpd_run_ipa                  (off  ,  off)  Allow httpd to run ipa
httpd_read_user_content        (off  ,  off)  Allow httpd to read user content
httpd_use_nfs                  (off  ,  off)  Allow httpd to use nfs
httpd_can_connect_zabbix       (off  ,  off)  Allow httpd to can connect zabbix
httpd_tmp_exec                 (off  ,  off)  Allow httpd to tmp exec
httpd_run_preupgrade           (off  ,  off)  Allow httpd to run preupgrade
httpd_manage_ipa               (off  ,  off)  Allow httpd to manage ipa
httpd_can_sendmail             (on   ,   on)  Allow httpd to can sendmail
httpd_builtin_scripting        (on   ,   on)  Allow httpd to builtin scripting
httpd_dbus_avahi               (off  ,  off)  Allow httpd to dbus avahi
httpd_can_check_spam           (off  ,  off)  Allow httpd to can check spam
httpd_can_network_memcache     (off  ,  off)  Allow httpd to can network memcache
httpd_can_network_connect_cobbler (off  ,  off)  Allow httpd to can network connect cobbler
httpd_use_sasl                 (off  ,  off)  Allow httpd to use sasl
httpd_serve_cobbler_files      (off  ,  off)  Allow httpd to serve cobbler files
httpd_execmem                  (off  ,  off)  Allow httpd to execmem
httpd_ssi_exec                 (off  ,  off)  Allow httpd to ssi exec
httpd_use_openstack            (off  ,  off)  Allow httpd to use openstack
httpd_enable_ftp_server        (off  ,  off)  Allow httpd to enable ftp server
httpd_setrlimit                (off  ,  off)  Allow httpd to setrlimit

Is something off in my selinux config that I'm not seeing?

I need to set a bootloader password and am apprehensive about changing the existing config (per warning about potentially making a system unbootable).

RH documentation says to add the following lines:

cat <<EOF
set superusers="john"
password john johnspassword
EOF

The current /etc/grub.d/01_users file already has this at the top:

#!/bin/sh -e
cat << EOF
if [ -f \${prefix}/user.cfg ]; then
  source \${prefix}/user.cfg
  if [ -n "\${GRUB2_PASSWORD}" ]; then
    set superusers="root"
    export superusers
    password_pbkdf2 root \${GRUB2_PASSWORD}
  fi
fi
EOF

Should I append the first part below the existing EOF, replace the existing content altogether, or something else?

Using this guide I am attempting to add a bootloader password to a CentOS7 install.

When prompted, enter the password that was selected and insert the returned password hash into the appropriate grub2 configuration file(s) under /etc/grub.d immediately after the superuser account. (Use the output from grub2-mkpasswd-pbkdf2 as the value of password-hash):

I've created the "superusers-accountpassword-hash" using grub2-mkpasswd-pbkdf2, but am not seeing where to add this line:

password_pbkdf2 superusers-accountpassword-hash

The only files in /etc/grub.d/ are binaries. The guide says not to use /etc/grub.cfg since this is overwritten by grub2-mkconfig -o /boot/grub2/grub.cfg

Where does the password_pbkdf2 directive go?

I'm rolling out a test installation of EL7 with Apache 2.4. I copied my existing /etc/httpd/conf.d/ssl.conf to the new system, set up selinux, verified all the cert paths were kosher and systemctl httpd start started the service. Apache is running error free.

The problem is that my ssl.conf file is ignored. I'm being shown the default Apache page using

I tried moving /etc/httpd/conf.d/ssl.conf to /etc/httpd/conf.modules.d/ (first removing the existing 00-ssl.conf file), with the same result.

Where am I getting it wrong?

Edit 1 The error log shows this:

AH01630: client denied by server configuration: /www/virtualhosts/example.com

Where my ssl config has this:

DocumentRoot /www/virtualhosts/example.com

and

ll /www/virtualhosts/example.com
total 4
-rw-r--r--. 1 apache apache 21 Dec 18 14:32 index.php

index.php consists of:

<p>Hello World

I'm at a loss.

I need to set selinux permissions on a non-default httpd directory: /www/virtualhosts/site01, ect.

So I issue:

[mybox]# semanage fcontext -a -t http_sys_content_t "/www(/.*)?"

And get:

ValueError: Type http_sys_content_t is invalid, must be a file or device type

What needs to happen to configure selinux to work with my non-default httpd directory?

I have DRAC5 installed on a PowerEdge server running CentOS. I'm able to SSH into the DRAC and issue racadm commands.

When I issue

connect com2

I briefly see a prompt:

A second later the screen goes blank and my quit key sequence does not work (neither does anything else - screen is unresponsive to all keys).

After closing out of the terminal and logging back into racadm for a second try with connect com2, it shows:

connect: com2 port is currently in use

After resetting racadm I can again try to connect com2, but get the same thing as above (blank/unresponsive screen).

Here is my config:

# racadm getconfig -g cfgSerial
cfgSerialBaudRate=57600
cfgSerialConsoleEnable=1
cfgSerialConsoleQuitKey=^q
cfgSerialConsoleIdleTimeout=300
cfgSerialConsoleNoAuth=0
cfgSerialConsoleCommand=
cfgSerialHistorySize=8192
cfgSerialCom2RedirEnable=1
cfgSerialTelnetEnable=0
cfgSerialSshEnable=1

I'd like to be able to view the console to remotely enter a password on an encrypted system.

Just installed OpenManage 8 on a CentOS 6.5 system. I access the login page with https://1.2.3.4/1311 and that loads up without a problem.

I enter the system hostname (my.domain.tld), username and password, then click Submit. OpenManage returns

Login failed.  
Hostname / IP address is Blank. 
Please enter a valid Hostname/IP address.

I've tried using the system's IP address, and verified that I am entering a valid username and password.

Coincidentally, I can click on Manage Web Server, and am able to log in using the same credentials (I'm not asked to enter a hostname on that login page).

Why is OpenManage complaining about a missing hostname when I am absolutely submitting a valid hostname on the login form? I've restarted openmanage, and tried restarting the server also. Same problem happens across multiple browsers and clients (hostname blank).

edit: I just yum removed/installed srvadmin-all, still getting the same problem.

Both firefox and chrome are showing that javascript files from my server are served as MIME type text/html. The javascript files have a .js extension.

First, mime_module is installed and active:

apachectl -M | grep mime
 mime_magic_module (shared)
 mime_module (shared)
Syntax OK

Second, I have this in my conf file:

AddType text/css .css
AddType text/javascript .js

I tried adding this:

<Files "*.js">
    ForceType text/javascript
</Files>

and restarted apache, but the javascript files still show as "text/html" in Chrome and Firefox. Nothing shows in error.log and access.log isn't returning anything useful:

1.2.3.4 - - [03/Mar/2015:10:42:00 -0500] "GET /some/dir/js/app-min.js HTTP/1.1" 200 14642

Here are headers on one of the .js files (as seen in Firefox)

Connection: close
Content-Type: text/html; charset=UTF-8
Server: Apache
Strict-Transport-Security: max-age=63072000; includeSubDomains
Transfer-Encoding: chunked
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Permitted-Cross-Domain-Policies: master-only
X-WebKit-CSP: default-src 'self'
X-XSS-Protection: 1; mode=block

This file shows as type html in Firefox inspector.

Here's the header of the same file as served by my laptop's apache instance:

Connection: Keep-Alive
Date: Tue, 03 Mar 2015 15:43:52 GMT
Keep-Alive: timeout=5, max=95
Server: Apache/2.4.7 (Ubuntu)

This file shows as type js in Firefox inspector. Note that the local instance of Apache (2.4) is not responding with Content-Type.

Why is the main server defying AddType? I've added this to both the httpd.conf and ssl.conf (though my site forces 443). I've restarted apache (no syntax errors).

I'm trying to add a user via puppet (v 3.2.4), and get this notice on --noop:

Notice: /Stage[main]/Usergroup/Group[user_one]/ensure: current_value absent, should be present (noop)

Here's my manifest:

# usersgroups
class usergroup {

  group { "user_one":
      ensure => present,
      gid => 500,
  }
  group { "dev_website_1":
      ensure => present,
      gid => 501,
  }
  group { "dev_website_2":
      ensure => present,
      gid => 502,
  }

  user { "user_one":
      ensure => present,
      uid => 500,
      gid => 500,
      groups => ["dev_website_1", "dev_website_2"]
  }

}
include usergroup

Should I replace "ensure => present" with "current_value => present"

I have a problem with CSS files being incorrectly marked text/html by Apache. The file type is mismatched in the browser, and is ignored causing display failures.

I'm using Apache 2.2.3 on a RHEL 5 server.

I've tried adding this to httpd.conf and reloading config with service httpd reload:

AddType text/css .css

No change as seen by the browser. My css file is still showing text/html (even when I use php curl to probe the mime type.. it makes no difference, the server is sending out a text/html file)

I then commented out the following lines from httpd.conf, to make sure something screwy wasn't going on with magic:

LoadModule mime_magic_module modules/mod_mime_magic.so

<IfModule mod_mime_magic.c>
  MIMEMagicFile /usr/share/magic.mime
  MIMEMagicFile conf/magic
</IfModule>

Once those were set aside, I saved & reloaded the config. No change. The .css files are still coming across as text/html.

Virtualhost standard config:

<VirtualHost 1.2.3.4:80>
    ServerName my.site.com
    ServerAdmin [email protected]
    DocumentRoot /var/www/mysite/
    # Log info redacted #
</VirtualHost>

Virtualhost SSL config:

<VirtualHost 1.2.3.4:443>

        ServerName my.site.com
        ServerAdmin [email protected]
        DocumentRoot /var/www/mysite/

        # Log info redacted #
        # SSL Certificate config redacted #

        <Files ~ "\.(cgi|shtml|phtml|php3?)$">
            SSLOptions +StdEnvVars
        </Files>

        SetEnvIf User-Agent ".*MSIE.*" \
                 nokeepalive ssl-unclean-shutdown \
                 downgrade-1.0 force-response-1.0

        CustomLog logs/ssl_request_log \
                  "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

Here's what I'm getting from shell:

[boxor]# file --mime install.css
install.css: text/x-c; charset=us-ascii

Here's what I'm getting from php:

$file = 'https://my.site.com/traq/install/install.css';
echo mime_content_type($file);

$file = $_SERVER['DOCUMENT_ROOT] . '/traq/install/install.css';
echo mime_content_type($file);

returns:

text/html; charset=UTF-8

text/plain

Wrong on all three counts.

Here is a line from my apache access log (with Content-type added):

1.2.3.4 - - [10/Oct/2012:08:32:38 -0400] "GET /traq/install//install.css HTTP/1.1" 200 2600 "http://my.site.com/traq/install/" "text/html" "Mozilla/5.0 blahblah Firefox/15.0.1"

A non-existent css file included on the same page is also returned as "text/html":

1.2.3.4 - - [10/Oct/2012:09:11:11 -0400] "GET /traq/install/idontexist.css HTTP/1.1" 200 2600 "http://my.site.com/traq/install/" "text/html" "Mozilla/5.0 blahblah Firefox/15.0.1"

So... What am I overlooking here?

I'm working on setting up Trac to use wsgi, and am running into trouble getting mod_wsgi working. I downloaded and installed mod_sgi.

[box]# apachectl configtest

httpd: Syntax error on line 214 of /etc/httpd/conf/httpd.conf: Can't locate API module structure `mod_wsgi' in file /etc/httpd/modules/mod_wsgi.so: /etc/httpd/modules/mod_wsgi.so: undefined symbol: mod_wsgi

Line 214 of httpd.conf:

LoadModule mod_wsgi modules/mod_wsgi.so

Here is mod_wsgi.so as found on the filesystem:

[box]# locate mod_wsgi.so
/usr/lib64/httpd/modules/mod_wsgi.so

What might I be overlooking?

I'm trying to get a simple www. to non www. redirect set up. Here's the .htaccess

DirectoryIndex index.php
RewriteEngine On
RewriteCond %{HTTP_HOST} ^www.domain.org [NC]
RewriteRule ^(.*)$ http://domain.org/$1 [L,R=301]

RewriteBase /

########## Begin - Rewrite rules to block out some common exploits
## If you experience problems on your site block out the operations listed below

## This attempts to block the most common type of exploit `attempts` to Joomla!
#

## Deny access to extension xml files (uncomment out to activate)
#<Files ~ "\.xml$">
#Order allow,deny
#Deny from all
#Satisfy all
#</Files>


## End of deny access to extension xml files
# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Send all blocked request to homepage with 403 Forbidden error!
RewriteRule ^(.*)$ index.php [F,L]

#
########## End - Rewrite rules to block out some common exploits


RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !^/index.php
RewriteCond %{REQUEST_URI} (/|\.php|\.html|\.htm|\.feed|\.pdf|\.raw|/[^.]*)$  [NC]
RewriteRule (.*) index.php
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]

Accessing the www.domain.org page results in page not found. If I modify the top lines like this:

RewriteCond %{HTTP_HOST} ^domain.org [NC]
RewriteRule ^(.*)$ http://domain123.org/$1 [L,R=301]

The redirect works great (it goes to http://domain123.org)

There are no RewriteCond's for domain.org in the apache httpd.conf file (where the virtualhosts are configured, specifically domain.org).

apachectl -S:

VirtualHost configuration:
xxx.xxx.xxx.xxx:443    domain.org (/etc/httpd/conf.d/ssl.conf:173)
xxx.xxx.xxx.xxx:80     domain.org (/etc/httpd/conf/httpd.conf:1011)
Syntax OK

Relevant sections of each config: ssl.conf:

<VirtualHost xxx.xxx.xxx.xxx:443>

DocumentRoot /blah/blah/
ServerName domain.org

ErrorLog /blah/blah/
CustomLog /blah/blah/
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /blah/blah/
SSLCertificateKeyFile /blah/blah/
SSLCACertificateFile /blah/blah/

<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

http.conf:

<VirtualHost xxx.xxx.xxx.xxx:80>

    ServerName domain.org
    ServerAdmin [email protected]
    DocumentRoot /blah/blah/
    ErrorLog /blah/blah/
    CustomLog /blah/blah/

</VirtualHost>

Help greatly appreciated!

I'm working on a solution to a problem where users could potentially access images (in this case PDF files) stored in a folder off the server root. Normally, my application validates users through PHP scripts and sessions. What isn't happening right now is preventing non-logged in users from potentially accessing the PDFs.

The solution I'm looking for would (I think) need to be tied in with Apache. I saw an interesting solution using RewriteMap & RewriteRule, however the example involved putting this in an .htaccess file in the PDF directory. Can't do that with Apache (error: RewriteMap not allowed here). I believe the rewrite directives need to go in my httpd.conf, which I have access to.

So the example I found (that resulted in 'rewritemap not allowed here') is here:

RewriteEngine On
RewriteMap auth prg:auth.php
RewriteRule (.*) ${auth:$1}

auth.php just checks PHP session and redirects to a login script if needed.

I'm reading that I have to place this in my httpd.conf. How would I specify that the RewriteMap should only occur on a specific directory (including subdirectories)?