[rt-users] Trouble/Error with Web deployment httpd/apache/mod_fcgid

Bill Cole rtusers-20090205 at billmail.scconsult.com
Thu Dec 3 20:56:53 EST 2015 

On 2 Dec 2015, at 12:45, dwdixon wrote:

> Got it, so I removed the ServerName from httpd.conf and set it back to 
> the
> default of nothing set for ServerName in httpd.conf.  The error you 
> said was
> not serious was what triggered me to start messing with ServerName in
> httpd.conf so I think that was my problem there.  I left ServerName 
> set to
> rt-ir-sandbox.snip.snip.snip.edu and restarted httpd (no worries on 
> the
> question about restarting httpd after each config change, but, yes- I 
> have
> been restarting httpd after every config change).
>
> Once I removed the ServerName from httpd.conf and left it only in 
> rt.conf
> I'm starting to see some strange(r) behavior, first when I restart 
> httpd I'm
> getting:
>
> **********************************************************
> # service httpd restart
> Stopping httpd:                                            [  OK  ]
> Starting httpd: httpd: Could not reliably determine the server's fully
> qualified domain name, using 127.0.0.1 for ServerName
>                                                         [  OK  ]
> **********************************************************

That mostly-harmless (because you don't want to use the default "main 
server" of Apache for anything) error message probably is the result of 
the primary non-loopback network interface having an IP address without 
proper reverse resolution and/or a system hostname that doesn't resolve 
to any IP address on any interface on the host. Or crap DNS servers or 
garbage in /etc/hosts or the obnoxious NetworkMangler "tool" (it's a 
tool alright...) deciding you didn't mean what you put in a config file.

> On the same (local) server from a private/incognito browser window I'm 
> now
> getting the RT login page when I type in the fqdn
> (rt-ir-sandbox.snip.snip.snip.edu) in the address bar!!  WHOO HOO 
> PROGRESS!
>
> */****The problem was that even after running "make fixperms" (which
> apparently sets everything it touches to be owned by root:nobody) the 
> apache
> user was not in the nobody group so the apache user couldn't access 
> anything
> it needed to!!...so after manually making the apache user a member of 
> the
> nobody group I magically got the RT login screen as I described
> above!...****/*

That's.... odd. The RT configure script should have figured out a better 
ownership/permissions model and generated a Makefile that did the right 
thing for you. There is some stuff in RT that's 640 or 750, but if 
fixperms did the wrong thing it was because configure couldn't determine 
the right owner and/or group, not because the apache user wasn't in the 
right group.

> However...there is still some major strangeness/problems going on.  
> When I
> type localhost in a new incognito browser I get nothing....

That's slightly odd: I'd expect that to get you the default (httpd.conf) 
document root.

I STRONGLY recommend a long read of the Apache docs. Particularly:

https://httpd.apache.org/docs/2.4/dns-caveats.html
https://httpd.apache.org/docs/2.4/vhosts/details.html
https://httpd.apache.org/docs/2.4/vhosts/name-based.html


> also when trying
> to access the RT login page from a external resource to the server 
> hosting
> RT I'm also getting nothing ("No data 
> received...ERR_EMPTY_RESPONSE)...which
> is obviously a big problem.

That sounds like it could be an iptables issue, except that I'd expect 
an error complaining about the connection.

Apache's logs should be helpful if you're getting a connection and 
making a request but then not getting anything back.

> So PROGRESS is good, at least I'm now getting the RT login page 
> locally on
> the server while using the fqdn in the local browser on the 
> server...but
> something is still very much off...also here is my redacted 
> RT_SiteConfig.pm
> ... I've had the WebDomain set to rt-ir-sandbox.snip.snip.snip.edu
> throughout this troubleshooting duration:
>
>
> *************************************************************************
> Set( $CommentAddress, 'RT-IR-Test-Comment at snip.edu' );
> Set( $CorrespondAddress, 'RT-IR-Test-Correspond at snip.edu' );
> Set( $DatabaseHost, 'localhost' );
> Set( $DatabaseName, 'rt4' );
> Set( $DatabasePassword, 'REDACTED' );
> Set( $DatabasePort, '' );
> Set( $DatabaseType, 'mysql' );
> Set( $DatabaseUser, 'rt_user' );
> Set( $Organization, 'rt-ir-sandbox.snip.snip.snip.edu' );
> Set( $OwnerEmail, 'RT-IR-Bounce at snip.edu' );
> Set( $SendmailPath, '/usr/sbin/sendmail' );
> Set( $WebDomain, 'rt-ir-sandbox.snip.snip.snip.edu' );
> Set( $WebPort, '80' );
> # Set( $WebBaseURL, 'hxxp://rt-ir-sandbox.snip.snip.snip.edu' );  #
> Presently commented out
> Set( $rtname, 'rt-ir-sandbox.snip.snip.snip.edu' );
> 1;
> ******************************************************************************

Seems reasonable, but I'd suggest 3 things:

1. Set( $DatabaseHost, '' );
    This causes RT to connect over the mysql local socket rather than 
TCP to localhost:3306, which means slightly better performance and one 
more network listener you can kill (unless you need that mysqld for 
other things that aren't local or are too dumb to use sockets)

2. Remove any mention of WebBaseURL. Unless you have RT behind a proxy 
or have Apache doing HTTPS on a port other than 443, the code in 
RT_Config.pm will build the correct value for you.

3. Set( $WebPort, '443' );
    Yes, that also means you will need to set up HTTPS in Apache. 
However, if your RT is serving anything other than you on the same host 
(don't laugh, I've seen that) you're going to want it only every using 
TLS. Even more true if you have it on a campus network of a major public 
university known to operate intensive network sniffing and scanning 
projects as research.

More information about the rt-users mailing list