[rt-users] Trouble/Error with Web deployment httpd/apache/mod_fcgid
Bill Cole
rtusers-20090205 at billmail.scconsult.com
Thu Dec 3 20:56:53 EST 2015
On 2 Dec 2015, at 12:45, dwdixon wrote:
> Got it, so I removed the ServerName from httpd.conf and set it back to
> the
> default of nothing set for ServerName in httpd.conf. The error you
> said was
> not serious was what triggered me to start messing with ServerName in
> httpd.conf so I think that was my problem there. I left ServerName
> set to
> rt-ir-sandbox.snip.snip.snip.edu and restarted httpd (no worries on
> the
> question about restarting httpd after each config change, but, yes- I
> have
> been restarting httpd after every config change).
>
> Once I removed the ServerName from httpd.conf and left it only in
> rt.conf
> I'm starting to see some strange(r) behavior, first when I restart
> httpd I'm
> getting:
>
> **********************************************************
> # service httpd restart
> Stopping httpd: [ OK ]
> Starting httpd: httpd: Could not reliably determine the server's fully
> qualified domain name, using 127.0.0.1 for ServerName
> [ OK ]
> **********************************************************
That mostly-harmless (because you don't want to use the default "main
server" of Apache for anything) error message probably is the result of
the primary non-loopback network interface having an IP address without
proper reverse resolution and/or a system hostname that doesn't resolve
to any IP address on any interface on the host. Or crap DNS servers or
garbage in /etc/hosts or the obnoxious NetworkMangler "tool" (it's a
tool alright...) deciding you didn't mean what you put in a config file.
> On the same (local) server from a private/incognito browser window I'm
> now
> getting the RT login page when I type in the fqdn
> (rt-ir-sandbox.snip.snip.snip.edu) in the address bar!! WHOO HOO
> PROGRESS!
>
> */****The problem was that even after running "make fixperms" (which
> apparently sets everything it touches to be owned by root:nobody) the
> apache
> user was not in the nobody group so the apache user couldn't access
> anything
> it needed to!!...so after manually making the apache user a member of
> the
> nobody group I magically got the RT login screen as I described
> above!...****/*
That's.... odd. The RT configure script should have figured out a better
ownership/permissions model and generated a Makefile that did the right
thing for you. There is some stuff in RT that's 640 or 750, but if
fixperms did the wrong thing it was because configure couldn't determine
the right owner and/or group, not because the apache user wasn't in the
right group.
> However...there is still some major strangeness/problems going on.
> When I
> type localhost in a new incognito browser I get nothing....
That's slightly odd: I'd expect that to get you the default (httpd.conf)
document root.
I STRONGLY recommend a long read of the Apache docs. Particularly:
https://httpd.apache.org/docs/2.4/dns-caveats.html
https://httpd.apache.org/docs/2.4/vhosts/details.html
https://httpd.apache.org/docs/2.4/vhosts/name-based.html
> also when trying
> to access the RT login page from a external resource to the server
> hosting
> RT I'm also getting nothing ("No data
> received...ERR_EMPTY_RESPONSE)...which
> is obviously a big problem.
That sounds like it could be an iptables issue, except that I'd expect
an error complaining about the connection.
Apache's logs should be helpful if you're getting a connection and
making a request but then not getting anything back.
> So PROGRESS is good, at least I'm now getting the RT login page
> locally on
> the server while using the fqdn in the local browser on the
> server...but
> something is still very much off...also here is my redacted
> RT_SiteConfig.pm
> ... I've had the WebDomain set to rt-ir-sandbox.snip.snip.snip.edu
> throughout this troubleshooting duration:
>
>
> *************************************************************************
> Set( $CommentAddress, 'RT-IR-Test-Comment at snip.edu' );
> Set( $CorrespondAddress, 'RT-IR-Test-Correspond at snip.edu' );
> Set( $DatabaseHost, 'localhost' );
> Set( $DatabaseName, 'rt4' );
> Set( $DatabasePassword, 'REDACTED' );
> Set( $DatabasePort, '' );
> Set( $DatabaseType, 'mysql' );
> Set( $DatabaseUser, 'rt_user' );
> Set( $Organization, 'rt-ir-sandbox.snip.snip.snip.edu' );
> Set( $OwnerEmail, 'RT-IR-Bounce at snip.edu' );
> Set( $SendmailPath, '/usr/sbin/sendmail' );
> Set( $WebDomain, 'rt-ir-sandbox.snip.snip.snip.edu' );
> Set( $WebPort, '80' );
> # Set( $WebBaseURL, 'hxxp://rt-ir-sandbox.snip.snip.snip.edu' ); #
> Presently commented out
> Set( $rtname, 'rt-ir-sandbox.snip.snip.snip.edu' );
> 1;
> ******************************************************************************
Seems reasonable, but I'd suggest 3 things:
1. Set( $DatabaseHost, '' );
This causes RT to connect over the mysql local socket rather than
TCP to localhost:3306, which means slightly better performance and one
more network listener you can kill (unless you need that mysqld for
other things that aren't local or are too dumb to use sockets)
2. Remove any mention of WebBaseURL. Unless you have RT behind a proxy
or have Apache doing HTTPS on a port other than 443, the code in
RT_Config.pm will build the correct value for you.
3. Set( $WebPort, '443' );
Yes, that also means you will need to set up HTTPS in Apache.
However, if your RT is serving anything other than you on the same host
(don't laugh, I've seen that) you're going to want it only every using
TLS. Even more true if you have it on a campus network of a major public
university known to operate intensive network sniffing and scanning
projects as research.
More information about the rt-users
mailing list