Magento keep alive response: connection close - .htaccess

I am trying to add a KeepAlive statement to my htaccess. I've set it like this:
<IfModule mod_headers.c>
Header set Connection keep-alive
</IfModule>
When I tested this, I got the response close on the connection!
Does someone know how to resolve this?
I am on Magento 1.7.

For those who search for an answer:
KeepAlive has to be activated by your hoster. Then you can enable it in your htaccess.

Related

Payment gateway blocked by mod_security when trying to request Woocommerce endpoint

My payment gateway is blocked by mod_security when trying to access a Woocommerce endpoint.
I am receiving 403 permission denied when trying to access the "/wc-api/my_gateway_payment_callback" endpoint.
I'm on a Litespeed shared host.
When disabling mod_security from .htaccess
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>
It solves the issue but exposes Wordpress admin to attacks, so I want to be more specific.
I tried to add a LocationMatch
<LocationMatch "/wc-api/my_gateway_payment_callback">
<IfModule mod_security.c>
SecRule REQUEST_URI "#beginsWith /wc-api/my_gateway_payment_callback/" \
"phase:2,id:1000,nolog,pass, allow, msg:'Update URI accessed'"
</IfModule>
</LocationMatch>
or
<IfModule mod_security.c>
SecRule REQUEST_URI "#beginsWith /my_gateway_payment_callback" \
"phase:2,id:1000,nolog,pass, allow, msg:'Update URI accessed'"
</IfModule>
but they don't work and I'm still getting the 403 error.
I can spot multiple problems here:
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>
Are you really using ModSecurity v1? That is VERY old and suggests you are using Apache 1 as ModSecurity v1 is not compatible with ModSecurity v1. If not this should be:
<IfModule mod_security2.c>
SecRuleEngine Off
</IfModule>
Next you say:
it solves the issue but exposes Wordpress admin to attacks
I don't see how it can solve the issue unless you are on REALLY old software, so suspect this is a red herring.
so i want to be more specific. i tried to add a LocationMatch
Good idea to be more specific. However LocationMatch runs quite late in Apache process - after ModSecurity rules will have run so this will not work. However you don’t really need LocationMatch since your rule already scopes it to that location. So let’s look at the next two pieces:
SecRule REQUEST_URI "#beginsWith /wc-api/my_gateway_payment_callback/" \
"phase:2,id:1000,nolog,pass, allow, msg:'Update URI accessed'"
SecRuleRemoveById 3000
You shouldn't need to remove the rule if you allow it on the previous lines. Typically you would only do one or the other.
or
<IfModule mod_security.c>
SecRule REQUEST_URI "#beginsWith /my_gateway_payment_callback" \
"phase:2,id:1000,nolog,pass, allow, msg:'Update URI accessed'"
</IfModule>
but they don't work and I'm still getting the 403 error.
You have pass (which means continue on to the next rule) and allow (which means skip all future rules). It seems to me you only want the latter and not the former. As these are conflicting, I suspect ModSecurity will action the former first hence why it is not working.
However the better way is to look at the Apache error logs to see what rule it's failing on (is it rule 3000 as per your other LocationMatch workaround?) and just disable that one rule rather than disable all rules for that route.
So all in all I'm pretty confused by your question, as there seem to be a lot of inconsistencies and things that are just wrong in there...
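One way to apply the advice above of disabling a single rule for the callback route rather than all rules, as an added example (not code from the question or the answer). It assumes ModSecurity v2 directives are permitted where you place it, and uses rule id 3000 from the question's SecRuleRemoveById line as a stand-in for whichever id your error log reports.

```apache
# Added example, not from the original posts.
<IfModule mod_security2.c>
    # Weak setting, shown for contrast: switches the WAF off for every
    # request, including the WordPress admin.
    # SecRuleEngine Off

    # Targeted setting: keep the engine on everywhere and drop one rule,
    # only for requests whose URI starts with the gateway callback path.
    # - phase:1 so the exclusion is in place before later-phase rules run
    # - pass (no allow): the remaining rules still inspect the request
    # - 3000 is the id from the question's SecRuleRemoveById line; replace
    #   it with the id shown in the [id "..."] field of the 403 log entry
    # - id:1000 is this rule's own id and must be unique on the server
    SecRule REQUEST_URI "@beginsWith /wc-api/my_gateway_payment_callback" \
        "id:1000,phase:1,pass,nolog,ctl:ruleRemoveById=3000"
</IfModule>
```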

"Connection: Keep-Alive, close" as Response Headers

The question that I have might be pretty basic, but I can't find any solution. I'm trying to make keep-alive work, but it seems as if it was impossible as long as I get "Connection: keep-alive, close" as Response Headers.
I have the following code in my .htaccess, but it doesn't make any change:
<ifModule mod_headers.c>
Header set Connection keep-alive
</ifModule>
What can I do?
You are getting both keep-alive and close because you need to edit this at the server conf level (ie: your vhost or httpd.conf)
If you simply do this through .htaccess it'll append the keep-alive to the close coming from your .conf. If you have access to the confs, try to update it to the following:
KeepAlive On
KeepAliveTimeout 15
MaxKeepAliveRequests 100

Apache, NodeJs, Server Sent Events

First of all, I know (Putting Node under Apache) this is not the approach to go but due to time constraint I cannot experiment.
I am trying to use Server Sent events for a mobile application. After reading all over Net, I figured out that Nodejs is the server to go for. My 80/443 port is occupied by Apache Web server, so I want Node To run behind Apache.
The problems which I am facing are:
1. I am not able to get the close/end events on refreshing the browser or closing the browser; rather I get them after a fixed amount of delay, so I am not able to maintain when the client shuts down the connection in Nodejs.
req.on("close", function() {
    removeConnection(res);
    console.log('Connection closed');
});
2. Apache is sending Keep-Alive:timeout=5, max=100 which I don't want, as I want the client to be connected forever till anyone closes the connection. Due to this the browser automatically closes the connection and I start getting net::ERR_INCOMPLETE_CHUNKED_ENCODING. How can I modify this value only for Node proxy requests? I have added
ProxyPass /events http://localhost:5000/events
ProxyPassReverse /events http://localhost:5000/events
Response Headers
Access-Control-Allow-Headers:key,origin, x-requested-with, content- type,Accept,Content-Type
Access-Control-Allow-Methods:PUT, GET, POST, DELETE, OPTIONS
Access-Control-Allow-Origin:*
Connection:Keep-Alive
Content-Type:text/event-stream; charset=utf-8
custom:header
Date:Wed, 13 Jan 2016 18:12:48 GMT
Keep-Alive:timeout=5, max=100
Server:Apache/2.4.7 (Ubuntu)
Transfer-Encoding:chunked
X-Powered-By:Express
Note:- All this is happening when I am using Apache to proxy to Node, else if I directly hit Node (which I cannot in prod due to blocked port) everything works fine.
The KeepAlive settings are by default allowed only in server or virtual host configuration.
But during request processing, apache2 uses environment variables (based on the apache configuration) to determine the current settings.
Fortunately with mod_rewrite, you can alter apache environment variables on a per-request basis, so you can disable keepalive on a specific request.
For example:
#Load rewrite module
LoadModule rewrite_module modules/mod_rewrite.so
#Enable mod_rewrite functionality
RewriteEngine On
#rewrite rule inside locationmatch
<LocationMatch ".*\/sse\/.*">
#This is not required, used only for debug purposes
Header set X-Intelligence "KEEPALIVEOFF"
#Here goes the mod rewrite environment variable trick
RewriteRule .* - [E=nokeepalive:1]
</LocationMatch>

I have enabled keep-alive but it isn't working

I have enabled the keep-alive option in my WHM
but I still get "close" when I check with tools like these:
http://www.giftofspeed.com/check-keep-alive/
http://gtmetrix.com/
And I have added the code in .htaccess file but the option is still not working
<ifModule mod_headers.c>
Header set Connection keep-alive
</ifModule>
And when I create a PHP file to print "HTTP_CONNECTION"
I get "close"
Thanks a lot
You have to reconfigure apache to have it handle keepalive.
The most relevant settings are:
KeepAlive On
Keepalivetimeout 5
MaxKeepaliveRequests 100
See the documentation here:
http://httpd.apache.org/docs/current/en/mod/core.html#keepalive
And a discussion which points to some caveats here:
https://abdussamad.com/archives/169-Apache-optimization:-KeepAlive-On-or-Off.html

Security issue with .htaccess

Firstly I tried adding multiple ifmodule but it does not work.
<ifModule mod_headers.c>
Header set Access-Control-Allow-Origin: http://domainurl1.com
</ifModule>
<ifModule mod_headers.c>
Header set Access-Control-Allow-Origin: http://domainurl2.com
</ifModule>
When I try to add multiple ifmodule blocks, only the last one (http://domainurl2.com) works; the others do not.
Then I tried the following code. It works, but I think it is not secure to allow everyone
<ifModule mod_headers.c>
Header set Access-Control-Allow-Origin: "*"
</ifModule>
I have 5 domains that I have to allow.
Are there any solutions for adding multiple domains that i want to allow?
Try this if you want a quick fix:
<ifModule mod_headers.c>
Header add Access-Control-Allow-Origin "http://domainurl1.com"
Header add Access-Control-Allow-Origin "http://domainurl2.com"
</ifModule>
However, this is not the recommended solution by W3C, instead you should make the server read the Origin header from the client, then compare it to a list of allowed domains and finally send the value of the Origin header back to the client as the Access-Control-Allow-Origin header. Check http://www.w3.org/TR/cors/#access-control-allow-origin-response-hea for more details.
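The allowlist approach described in the answer above, done in Apache configuration, as an added example (not code from the original answer). It assumes mod_setenvif is available and reuses the two placeholder domains from the question; ORIGIN_OK is a variable name chosen here.

```apache
# Added example, not from the original posts.
<IfModule mod_setenvif.c>
<IfModule mod_headers.c>
    # Allowlist check: ORIGIN_OK is set to the request's Origin value only
    # when the whole header matches one of the listed origins. The ^ and $
    # anchors and the escaped dots keep look-alike origins such as
    # http://domainurl1.com.example.net from matching.
    SetEnvIf Origin "^http://(domainurl1\.com|domainurl2\.com)$" ORIGIN_OK=$0

    # Echo the matched origin back as one header with one value. Requests
    # from any other origin get no Access-Control-Allow-Origin header, so
    # the browser blocks the cross-origin read.
    Header set Access-Control-Allow-Origin "%{ORIGIN_OK}e" env=ORIGIN_OK

    # The response now depends on the Origin request header, so shared
    # caches must not serve one origin's response to another.
    Header merge Vary "Origin"
</IfModule>
</IfModule>
```

Extend the alternation in the SetEnvIf pattern to cover the remaining domains; each entry must include the exact scheme and host the browser sends.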
