[EMAIL PROTECTED] mod_rewrite on 2.0.50

[Sai Jai Ganesh Gurubaran]

Hi,
I am a newbie.
We have set up Apache 2.0.50 as a forward proxy.
Want to redirect a particular (external) page to our internal page.
i.e. for  http://www.abc.com/suggestions.htm to
http://myanotherserver/suggestion.htm

For this I tried mod_rewrite.
The following code in the httpd.conf


#Apache as a Proxy
ProxyRequests On

RewriteEngine On
RewriteLogLevel 9
RewriteLog rewrite.log
RewriteCond %{HTTP_HOST} ^www.abc.com [NC]
RewriteCond %{REQUEST_URI} ^/suggestions.htm
RewriteRule ^(.+) http://myanotherserver/suggestion.htm [L,R]


The problem here is:
1. if Proxy is not present then mod_rewrite rules are applied
(seen through the log). Since Proxy is not there we don't get the
content :(
2. If proxy is on, rewrite rules are not applied but
http://www.abc.com/suggestions.htm content is fetched

Am I missing out some thing? (it has to be)

I tried the same with 2.2.3 and it works smooth (with ProxyRequests On).
But we need to make this work on 2.0.50

Any help will be highly appreciated 

Regards,
Sai

***
The information in this message is confidential and may be legally
privileged. It is intended solely for the addressee. Access to this 
message by anyone else is unauthorized. If you are not the 
intended recipient, any disclosure, copying, or distribution of the 
message, or any action or omission taken by you in reliance on 
it is prohibited and may be unlawful. Please immediately contact 
the sender if you have received this message in error. This email 
does not constitute any commitment from Cordys Holding BV or 
any of its subsidiaries except when expressly agreed in a written 
agreement between the intended recipient and 
Cordys Holding BV or its subsidiaries.
***



-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
   "   from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: [EMAIL PROTECTED] mod_rewrite on 2.0.50

[Nick Kew]

On Tuesday 03 October 2006 08:43, Sai Jai Ganesh Gurubaran wrote:
> Hi,
> I am a newbie.
> We have set up Apache 2.0.50 as a forward proxy.

Why such an old version?

> Want to redirect a particular (external) page to our internal page.
> i.e. for  http://www.abc.com/suggestions.htm to
> http://myanotherserver/suggestion.htm

That's a reverse proxy.

> #Apache as a Proxy
> ProxyRequests On

If that's open to the outside, it's a serious security hole.

See http://www.apacheweek.org/tutorials/reverseproxies

-- 
Nick Kew

Application Development with Apache - the Apache Modules Book
http://www.prenhallprofessional.com/title/0132409674

-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
   "   from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

RE: [EMAIL PROTECTED] mod_rewrite on 2.0.50

[Sai Jai Ganesh Gurubaran]

Hi Nick,

Answering your questions:
1. why 2.0.50??
 That is the  recommended version of the current application we
are using is running on :(.


Thanks for pointing out the security aspect of it.


Ok, I got the definition of reverse and forward wrong :)

But still my original problem remains.



-Original Message-
From: Nick Kew [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, October 03, 2006 1:50 PM
To: users@httpd.apache.org
Subject: Re: [EMAIL PROTECTED] mod_rewrite on 2.0.50

On Tuesday 03 October 2006 08:43, Sai Jai Ganesh Gurubaran wrote:
> Hi,
> I am a newbie.
> We have set up Apache 2.0.50 as a forward proxy.

Why such an old version?

> Want to redirect a particular (external) page to our internal page.
> i.e. for  http://www.abc.com/suggestions.htm to
> http://myanotherserver/suggestion.htm

That's a reverse proxy.

> #Apache as a Proxy
> ProxyRequests On

If that's open to the outside, it's a serious security hole.

See http://www.apacheweek.org/tutorials/reverseproxies

-- 
Nick Kew

Application Development with Apache - the Apache Modules Book
http://www.prenhallprofessional.com/title/0132409674

-
The official User-To-User support forum of the Apache HTTP Server
Project.
See http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
   "   from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


***
The information in this message is confidential and may be legally
privileged. It is intended solely for the addressee. Access to this 
message by anyone else is unauthorized. If you are not the 
intended recipient, any disclosure, copying, or distribution of the 
message, or any action or omission taken by you in reliance on 
it is prohibited and may be unlawful. Please immediately contact 
the sender if you have received this message in error. This email 
does not constitute any commitment from Cordys Holding BV or 
any of its subsidiaries except when expressly agreed in a written 
agreement between the intended recipient and 
Cordys Holding BV or its subsidiaries.
***



-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
   "   from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: [EMAIL PROTECTED] Re: sending .jpg on another box

[Josiane BERNILLON]

Mike - EMAIL IGNORED a écrit :

On Mon, 02 Oct 2006 18:35:03 +0200, Josiane BERNILLON wrote:

  

Mike - EMAIL IGNORED a écrit :


I have two boxes on my intranet each running
Apache 2.0 under FC4.  My Linksys firewall directs
port 80 to BoxA.  Both boxes are also running
iptables, including libipq.

BoxA has my html tree. I have a number of .jpg
files, some as large as 10 meg.  The various
directories containing the .html files contain
soft links to the directories, in another tree
containing, the .jpg files.

All this is operated by a complex CGI, written in
C++.  Most of the .html files the client sees are
generated by this CGI.

I would like to move the .jpg tree to BoxB,
transparent to the client. In broad terms, how
should I do this?  What should I read to get the
particulars?

Thanks for your help.

Mike.



-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
   "   from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

  
  

Maybe one way to this :

- let's say jour .jpg files are in /../.../imgs/ on BoxA
on BoxB:
- create a /../.../imgs2/ on BoxB
- copy your .jpg into .../img2/
- start an NFS server on BoxB (I don't work on FC4, but if you don't 
know anytaing about NFS, you can  look here 


- share .../img2/ for BoxA

on BoxA
- create a .../.../imgs3
- mount .../img2/ on /img3/
- change your soft links in the html tree to .../img3/

No problem for users.

If they could wait some minutes, and if you have some BACKUP of your .jpg
on BoxA
- remove all .jpg from .../imgs/...
- mount .../img2/ on /imgs/
then you don't need to change soft links.

jobern



[...]

This looks like a good possibility.  It also appears
from Apache documentation that ProxyPassReverse under
virtual host might be able to accomplish what I need.
Is this true?  If so, how do the two methods compare
with regard to efficiency and security?

Thanks,
Mike.
  

I think it's true, but I never use it and could't help you on this topic.
I just give you a quick way to free space on your BoxA disk without 
reconfiguring your Apaches servers

--
Josiane

-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
  "   from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

[EMAIL PROTECTED] suEXEC verbosity

[Fabio Corazza]

Hi everyone,
 we are using a CGI under Apache that is spawned under a different user
through mod_suexec.

Everything is fine except the verbosity of the suEXEC mechanism, which
writes a notice for every request that is passed to the CGI:

[2006-10-03 11:52:11]: uid: (501/tmctaux) gid: (501/501) cmd:
imagescaler.cgi
[2006-10-03 11:52:11]: notice: AP_SUEXEC_UMASK of 002 allows write
permission to group and/or other
[2006-10-03 11:52:11]: uid: (501/tmctaux) gid: (501/501) cmd:
imagescaler.cgi
[2006-10-03 11:52:11]: notice: AP_SUEXEC_UMASK of 002 allows write
permission to group and/or other

I'd like to get rid of those notices since in production this logfile
will become HUGE (we receive a LOT of requests to that CGI).

I couldn't find any directive that can adjust the verbosity of the
suexec_log file, so if you have a solution for this issue or either a
workaround I would greatly appreciate your help.




Regards,

-- 
Fabio Corazza - Engineering
NewBay Software, Ltd.
Wilson House, Fenian Street, Dublin 2, Ireland
Phone: +353 1 634 5490 - e-mail: [EMAIL PROTECTED]

-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
   "   from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: [EMAIL PROTECTED] suEXEC verbosity

[Joshua Slive]

On 10/3/06, Fabio Corazza <[EMAIL PROTECTED]> wrote:

Hi everyone,
 we are using a CGI under Apache that is spawned under a different user
through mod_suexec.

Everything is fine except the verbosity of the suEXEC mechanism, which
writes a notice for every request that is passed to the CGI:

[2006-10-03 11:52:11]: uid: (501/tmctaux) gid: (501/501) cmd:
imagescaler.cgi
[2006-10-03 11:52:11]: notice: AP_SUEXEC_UMASK of 002 allows write
permission to group and/or other
[2006-10-03 11:52:11]: uid: (501/tmctaux) gid: (501/501) cmd:
imagescaler.cgi
[2006-10-03 11:52:11]: notice: AP_SUEXEC_UMASK of 002 allows write
permission to group and/or other

I'd like to get rid of those notices since in production this logfile
will become HUGE (we receive a LOT of requests to that CGI).

I couldn't find any directive that can adjust the verbosity of the
suexec_log file, so if you have a solution for this issue or either a
workaround I would greatly appreciate your help.


Those messages are generated within suexec and since suexec is not
run-time configurable (for security reasons) they are not
configurable.  You would need to edit the source code and recompile
(being careful to heed the warnings about not messing with suexec
unless you know what you are doing).

Joshua.

-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
  "   from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: [EMAIL PROTECTED] Force authentication

[António Mota]

Hi Nick, nive to ear from you...

I took your sugestion and look at the access.log (i wouldn't think of
that...) and i think the problem wath's not what i thought.

As you know, my Apache server is used as a proxy reverse server, and
it seems the problem is with that. Im my server i have a few pages
that are indeed atuthenticated each time i visit them.

127.0.0.1 - abcd [03/Oct/2006:13:38:07 +0100] "GET /rproxy.html HTTP/1.1" 304 -

(abc is the user)

and if i dinamically delete that user from the file next time he/she
will be asked from authentication again. That is the beahaviour i
expected.

However when i proxy-reverse to other pages the authentication is never checked

127.0.0.1 - - [03/Oct/2006:13:55:52 +0100] "GET
/url=http://www.gtinformatica.pt HTTP/1.1" 302 132

In this case, http://www.gtinformatica.pt is outside my server and
needs no authentication, but since it passes thru my server i was
expecting that it also be authenticated...

Any help on this?

Thanks a lot.





2006/10/2, Nick Kew <[EMAIL PROTECTED]>:

On Monday 02 October 2006 21:40, António Mota wrote:
> Hello:
>
> I'm trying to do some basic authentication that checks for user
> existence on every request, something like this:
>
> 1) User asks page
> 2) Server answer with a 401
> 3) Browser ask for User id/pwd
> 4) Browser sends User id/pwd
> 5) Server looks into user file if user id/pwd exists

Yep.

> so far so good, but i was expecting that steps 4) and 5) will repeat
> for every request from the Browser from now on.

Yep.  Browser remembers credentials.

> But it seems that does
> not happen.

Hmm?

> I have my user file updated by a external application (at the moment
> it's me updating manually between requests) so i expected that if i
> deleted the user id/pwd from the file between subsquent 4) - 5) the
> server will detect that the user id was not on the file anymore and
> ask again for a user id/pwd or signal the browser of invalid
> credencials.

What's in your access log?  Either your authentication module is
cacheing something, or (very likely) the browser is.

> But that doesen´t happen, it seems step 5) isn't executed anymore
> (unless i clear the TTP Authentication ofcourse).

what do you mean by that?

--
Nick Kew

Application Development with Apache - the Apache Modules Book
http://www.prenhallprofessional.com/title/0132409674

-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
  "   from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]





--
Melhores cumprimentos / Kind regards
António Santos Mota

-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
  "   from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

[EMAIL PROTECTED] A mod_gunzip for Apache 2.x ?

[saf]

Hello,

I need a module which unzip gzipped files so that I can then use filters 
to filter out some data in this gzipped html files.

Because when I have a test.html.gz file, the module should only gunzip 
*.html.gz files as OutputFilter to save performance. Then I can parse 
and change some contents of this files and re-compress them with the 
module DEFLATE.

Does there exists a gunzip module in apache 2.x?
Currently I use mod_ext_filter to run manually the command /bin/gunzip 
but this mean one fork per HTTP request! So the performance is currently 
very bad!

-- 
Best regards,
Stephan FERRARO
Root of TrashMail.net - http://www.trashmail.net/
GnuPG public key: gpg --keyserver www.keyserver.net --recv-key 94B2664F


signature.asc
Description: Digital signature

[EMAIL PROTECTED] Block wget attempts from my site

[Norman Khine]

Hello,

What is the best way to block someone from ripping/mirroring stuff from my site
with wget? Is there an Apache way to do this, have seen it done with
.htaccess but perhaps there is a way to do this from Apache.

mod-security, snort perhaps? How does this fit with VirtualHosts and can these 
be specific per host?

Any comments and advise much appreciated.

Cheers

Norma



-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
   "   from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: [EMAIL PROTECTED] A mod_gunzip for Apache 2.x ?

[Nick Kew]

On Tuesday 03 October 2006 14:23, saf wrote:
> Hello,
>
> I need a module which unzip gzipped files so that I can then use filters
> to filter out some data in this gzipped html files.
>
> Because when I have a test.html.gz file, the module should only gunzip
> *.html.gz files as OutputFilter to save performance. Then I can parse
> and change some contents of this files and re-compress them with the
> module DEFLATE.

It's called mod_deflate, and has both inflate and deflate filters.

-- 
Nick Kew

Application Development with Apache - the Apache Modules Book
http://www.prenhallprofessional.com/title/0132409674

-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
   "   from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: [EMAIL PROTECTED] Block wget attempts from my site

[Nick Kew]

On Tuesday 03 October 2006 14:17, Norman Khine wrote:
> Hello,
>
> What is the best way to block someone from ripping/mirroring stuff from my
> site with wget?

Make your contents available in a convenient form, so users have
no need of things like wget.  Remember there are a lot of people
on expensive dialup lines, and they don't want to spend a time
"live" looking for what they need on your site when they can browse 
it more easily and cheaply, as well as faster, offline.

> Is there an Apache way to do this, have seen it done with  
> .htaccess but perhaps there is a way to do this from Apache.

That's confused.  WTF is .htaccess if not an Apache way to do this?
Anything you can do with .htaccess can also be done in httpd.conf.

> mod-security, snort perhaps? How does this fit with VirtualHosts and can
> these be specific per host?

Well, you could use a rewritecond based on user-agent.  But that would
be BAD.

-- 
Nick Kew

Application Development with Apache - the Apache Modules Book
http://www.prenhallprofessional.com/title/0132409674

-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
   "   from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: [EMAIL PROTECTED] A mod_gunzip for Apache 2.x ?

[saf]

On Tue, Oct 03, 2006 at 03:16:03PM +0100, Nick Kew wrote:
> On Tuesday 03 October 2006 14:23, saf wrote:
> > Hello,
> >
> > I need a module which unzip gzipped files so that I can then use filters
> > to filter out some data in this gzipped html files.
> >
> > Because when I have a test.html.gz file, the module should only gunzip
> > *.html.gz files as OutputFilter to save performance. Then I can parse
> > and change some contents of this files and re-compress them with the
> > module DEFLATE.
> 
> It's called mod_deflate, and has both inflate and deflate filters.

Thanks, I did not know that it can also do inflate.
I will try it out. Thanks very much for your help.

-- 
Best regards,
Stephan FERRARO
Root of TrashMail.net - http://www.trashmail.net/
GnuPG public key: gpg --keyserver www.keyserver.net --recv-key 94B2664F


signature.asc
Description: Digital signature

RE: [EMAIL PROTECTED] Block wget attempts from my site

[Boyle Owen]

> -Original Message-
> From: Norman Khine [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, October 03, 2006 3:17 PM
> To: users@httpd.apache.org
> Subject: [EMAIL PROTECTED] Block wget attempts from my site
> 
> Hello,
> 
> What is the best way to block someone from ripping/mirroring 
> stuff from my site
> with wget? Is there an Apache way to do this, have seen it done with
> .htaccess but perhaps there is a way to do this from Apache.
> 
> mod-security, snort perhaps? How does this fit with 
> VirtualHosts and can these be specific per host?
> 
> Any comments and advise much appreciated.

As Nick points out, it would be nice if people didn't need these things,
but sometimes you get some idiot who downloads a 10MB page of reference
data every minute in order to screen-scrape one number that he thinks
might change some time in the future. So you need to protect yourself...


Start with the User-agent header (see
http://httpd.apache.org/docs/2.2/mod/mod_setenvif.html#browsermatch
etc.)

eg,

BrowserMatchNoCase ^wget restrictRobot
Deny from env=restrictRobot

(You can do pretty much the same thing in mod_rewrite)

Of course, this can be easily spoofed so then you're in to trapping
client IPs and blocking based on that. But then their on dial-up or ADSL
and keep changing the IP, so you need to use heuristics...

A good trap is a hidden URL (nothing visible to click on, but the href
is in the HTML) that only a robot sees and hits. It calls a server-sided
program that writes the client-IP to a file. Then, for each request, you
check this file (RewriteCond and RewriteMap) and drop the request if
from bad IP (RewriteRule ^/(.*) - [F]).

This can become quite a sport...

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 
> 
> Cheers
> 
> Norma
> 
> 
> 
> -
> The official User-To-User support forum of the Apache HTTP 
> Server Project.
> See http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: [EMAIL PROTECTED]
>"   from the digest: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
 
 
This message is for the named person's use only. It may contain confidential, 
proprietary or legally privileged information. No confidentiality or privilege 
is waived or lost by any mistransmission. If you receive this message in error, 
please notify the sender urgently and then immediately delete the message and 
any copies of it from your system. Please also immediately destroy any 
hardcopies of the message. You must not, directly or indirectly, use, disclose, 
distribute, print, or copy any part of this message if you are not the intended 
recipient. The sender's company reserves the right to monitor all e-mail 
communications through their networks. Any views expressed in this message are 
those of the individual sender, except where the message states otherwise and 
the sender is authorised to state them to be the views of the sender's company.

-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
   "   from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: [EMAIL PROTECTED] A mod_gunzip for Apache 2.x ?

[Neil A. Hillard]

Hi,

Nick Kew wrote:
> On Tuesday 03 October 2006 14:23, saf wrote:
>> I need a module which unzip gzipped files so that I can then use filters
>> to filter out some data in this gzipped html files.
>>
>> Because when I have a test.html.gz file, the module should only gunzip
>> *.html.gz files as OutputFilter to save performance. Then I can parse
>> and change some contents of this files and re-compress them with the
>> module DEFLATE.
> 
> It's called mod_deflate, and has both inflate and deflate filters.

Isn't that only true for 2.2?  Although (as Nick and I know) you can use
2.2's mod_deflate on 2.0 if you really need must.

HTH,


Neil.

-- 
Neil Hillard[EMAIL PROTECTED]
AgustaWestland  http://www.whl.co.uk/

Disclaimer: This message does not necessarily reflect the
views of Westland Helicopters Ltd.

-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
   "   from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: [EMAIL PROTECTED] suEXEC verbosity

[Fabio Corazza]

Joshua Slive wrote:
> Those messages are generated within suexec and since suexec is not
> run-time configurable (for security reasons) they are not
> configurable.  You would need to edit the source code and recompile
> (being careful to heed the warnings about not messing with suexec
> unless you know what you are doing).
> 
> Joshua.

Ok, that's what I did. Inside suexec.c, I just commented the following code:

log_no_err("uid: (%s/%s) gid: (%s/%s) cmd: %s\n",
   target_uname, actual_uname,
   target_gname, actual_gname,
   cmd);

and:

if ((~AP_SUEXEC_UMASK) & 0022) {
log_err("notice: AP_SUEXEC_UMASK of %03o allows "
 "write permission to group and/or other\n", AP_SUEXEC_UMASK);
   }

While the second one can be safe to delete (it's just a notice about the
umask, since I use the umask setting I don't want to be noticed in
regard of that), the first one may possibly cause some problems, since
the comment above it states:

/*
 * Log the transaction here to be sure we have an open log
 * before we setuid().
 */

What it concerns me is: if I delete the logging of the transactions,
will suEXEC be able to open the log file if any other error happens?



Regards,

-- 
Fabio Corazza - Engineering
NewBay Software, Ltd.
Wilson House, Fenian Street, Dublin 2, Ireland
Phone: +353 1 634 5490 - e-mail: [EMAIL PROTECTED]

-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
   "   from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: [EMAIL PROTECTED] redirect and rewriting puzzle

[Dan Buettner]

Thanks Joshua.  Worked out great.

Dan

Joshua Slive wrote:

On 10/2/06, Dan Buettner <[EMAIL PROTECTED]> wrote:

Launched a new site last week, built on Rails, Apache and mongrel.
Now have collected a number of 404 errors from the logs, and wish to
redirect them to the appropriate page in Rails.

My situatrion is, we're using URL rewriting to direct anything that is
not a file to the mongrel Rail balancer.  But I wish to incorporate some
404 URLs which of course do not exist into the config.

Is there a way to write a RewriteCond such that if a URL is not
mapped/redirected in a file, THEN do the rewrite?

My config:

   RewriteEngine On

   RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
   RewriteRule ^/(.*)$ balancer://prod_app%{REQUEST_URI} [P,QSA,L]

(which leaves Apache serving static content and mongrel doing Rails)

and later:
Include /opt/csw/apache2/etc/general_url_redirect.txt

Sample from the general_url_redirect.txt file:
RedirectPermanent   /about/eventscalendar.htm   
http://www.site.com/calendar


What I'd like is to be able to do something aking to this:

   RewriteCond ^(.*)$ $1!mapped:general_url_redirect.txt

Suggestions welcomed.


You're looking at the problem from the wrong angle.

All you need to do is replace the RedirectPermanent in Include with
RewriteRule ^/about/evenscalendar.htm http://www.site.com/claendar
[R=permanent,L]
and be sure to put the Include BEFORE the existing RewriteRules.  The
"L" flag stops rewriting at this point so it will never get to your
rails stuff.

Joshua.


-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
  "   from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: [EMAIL PROTECTED] suEXEC verbosity

[Joshua Slive]

On 10/3/06, Fabio Corazza <[EMAIL PROTECTED]> wrote:


What it concerns me is: if I delete the logging of the transactions,
will suEXEC be able to open the log file if any other error happens?


Sorry, but I'm not going to give you advice on hacking suexec.  The
consequences if I made a mistake or if you misinterpreted by advice
would be too nasty.

So my advice would be, if you don't understand the suexec source code
well enough to answer these questions yourself, you probably shouldn't
be touching it.

Joshua.

-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
  "   from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: [EMAIL PROTECTED] suEXEC verbosity

[Fabio Corazza]

Joshua Slive wrote:
> On 10/3/06, Fabio Corazza <[EMAIL PROTECTED]> wrote:
> 
>> What it concerns me is: if I delete the logging of the transactions,
>> will suEXEC be able to open the log file if any other error happens?
> 
> Sorry, but I'm not going to give you advice on hacking suexec.  The
> consequences if I made a mistake or if you misinterpreted by advice
> would be too nasty.

I'm testing the "silenced" suexec on a test environment, so even if it
would be nasty, it wouldn't bother too much.

> So my advice would be, if you don't understand the suexec source code
> well enough to answer these questions yourself, you probably shouldn't
> be touching it.

I'll find some information around. Thanks anyway.



Regards,

-- 
Fabio Corazza - Engineering
NewBay Software, Ltd.
Wilson House, Fenian Street, Dublin 2, Ireland
Phone: +353 1 634 5490 - e-mail: [EMAIL PROTECTED]

-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
   "   from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

[EMAIL PROTECTED] combining AllowEncodedSlashes, reverse proxy, and apache 1.x

[Matt Liggett]

Introduction

 At Socialtext[1], we use, in many installations, Apache 2 (hereafter
 "front end") as a server for static content and a reverse proxy for
 Apache 1 with mod_perl (hereafter "back end").  It recently came up,
 in the course of developing a REST API[2], that we need to be able
 to handle URIs with encoded '/' (%2F) characters in them[3].

 In addition to needing this all to work with Apache 2 acting as a
 front end, it also needs to work in an alternate configuration where
 Apache 1 runs alone.

AllowEncodedSlashes bug

 According to the docs[4],

   Allowing encoded slashes does not imply decoding. Occurrences of
   %2F or %5C (only on according systems) will be left as such in the
   otherwise decoded URL string.

 but it is our experience that if a URL like in [3] is passed to
 Apache 2, it gets passed to the reverse proxy as

   /data/workspaces/ambivalent/pages/either/or

 which seems to be a bug.[5]

 In addition to this, I believe it's important not to decode '%25' if
 one has AllowEncodedSlashes turned on, otherwise the URLs
 '/foo/%252F' and '/foo/%2F' become indistinguishable.[6]

 The assorted backports of AllowEncodedSlashes to Apache 1 have these
 bugs as well.

Changed URL decoding behaviour in 2.0.55.

 Prior to 2.0.55, the rewrite rule for our reverse proxy looked like

   RewriteMap escape int:escape
   RewriteRule (.*) http://BACK_END${escape:$1}

 where BACK_END is the back end hostname and port.  This was because
 the URL was getting decoded prior to this rule, and an encoded '%43'
 would become a '?', which would parse incorrectly on the back end.

 As of 2.0.55, this extra decoding seems cleaned up, _except_ for
 '%2F' if AllowEncodedSlashes is on.  That is, the bug described
 above is still present.

 As a result, it seems that if we want standard decode/escape
 sementics on the front-end, we must insist on 2.0.55+.

Do we need all this?

 It would seem that we need patched versions of Apache 2.0.55+ and Apache 1
 as described above to solve the problem in both configurations (with
 and without Apache 2 acting as reverse proxy).  Have we
 overcomplicated the problem?  If so is there a simpler combination
 of configuration, versions, or patches that accomplishes the same
 result?

 Have I misunderstood anything above?  Requiring specially patched
 versions of both Apaches is a bit of a hardship, so we want to make
 sure we aren't being super dumb here.

Thanks.


[1] http://www.socialtext.com/
[2] https://www.socialtext.net/st-rest-docs/index.cgi
[3] An example would be the canonical URI of a page named 'either/or'
   in the workspace 'ambivalent':
 /data/workspaces/ambivalent/pages/either%2For
[4] http://httpd.apache.org/docs/2.0/mod/core.html#allowencodedslashes
[5] I have a patch that fixes ap_unescape_url_keep2f() and can submit
   it.
[6] I have a patch for this behaviour too, but the docs would need to
   be modified if it were to be accepted.
--
Matt Liggett
Senior Software Engineer
Socialtext, Inc.

-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
  "   from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: [EMAIL PROTECTED] suEXEC verbosity

[Fabio Corazza]

Fabio Corazza wrote:
[snip]
> Everything is fine except the verbosity of the suEXEC mechanism, which
> writes a notice for every request that is passed to the CGI:
[snip]

With the help of a colleague we wrote a patch to get rid of excessive
verbosity of suEXEC, for whom they intend to run it on high-load web
servers with a lot of requests going through the invoked script (it may
be desirable not to have 4 lines printed to the log for every request).

Basically we suppress the output that is generated every time that the
script is invoked (we just open the file), and we suppress the umask
notice as well.

It didn't produce any nasty effect in our environment.

Any comment is appreciated.



Regards,

-- 
Fabio Corazza - Engineering
NewBay Software, Ltd.
Wilson House, Fenian Street, Dublin 2, Ireland
Phone: +353 1 634 5490 - e-mail: [EMAIL PROTECTED]
--- httpd-2.2.3/support/suexec.c	2006-07-12 04:38:44.0 +0100
+++ httpd-2.2.3.suexecmod/support/suexec.c	2006-10-03 18:05:49.0 +0100
@@ -143,13 +143,9 @@ static const char *const safe_env_lst[] 
 NULL
 };
 
-
-static void err_output(int is_error, const char *fmt, va_list ap)
+static void suexec_open_logs()
 {
 #ifdef AP_LOG_EXEC
-time_t timevar;
-struct tm *lt;
-
 if (!log) {
 if ((log = fopen(AP_LOG_EXEC, "a")) == NULL) {
 fprintf(stderr, "suexec failure: could not open log file\n");
@@ -157,6 +153,17 @@ static void err_output(int is_error, con
 exit(1);
 }
 }
+#endif /* AP_LOG_EXEC */
+return;
+}
+
+static void err_output(int is_error, const char *fmt, va_list ap)
+{
+#ifdef AP_LOG_EXEC
+time_t timevar;
+struct tm *lt;
+
+suexec_open_logs();
 
 if (is_error) {
 fprintf(stderr, "suexec policy violation: see suexec log for more "
@@ -441,10 +448,7 @@ int main(int argc, char *argv[])
  * Log the transaction here to be sure we have an open log
  * before we setuid().
  */
-log_no_err("uid: (%s/%s) gid: (%s/%s) cmd: %s\n",
-   target_uname, actual_uname,
-   target_gname, actual_gname,
-   cmd);
+suexec_open_logs();
 
 /*
  * Error out if attempt is made to execute as root or as
@@ -588,11 +592,7 @@ int main(int argc, char *argv[])
 /*
  * umask() uses inverse logic; bits are CLEAR for allowed access.
  */
-if ((~AP_SUEXEC_UMASK) & 0022) {
-log_err("notice: AP_SUEXEC_UMASK of %03o allows "
-"write permission to group and/or other\n", AP_SUEXEC_UMASK);
-}
-umask(AP_SUEXEC_UMASK);
+ umask(AP_SUEXEC_UMASK);
 #endif /* AP_SUEXEC_UMASK */
 
 /*

-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
   "   from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

[EMAIL PROTECTED] Re: Re: sending .jpg on another box

[Mike - EMAIL IGNORED]

On Tue, 03 Oct 2006 11:25:34 +0200, Josiane BERNILLON wrote:

[...]
> I think it's true, but I never use it and could't help you on this topic.
> I just give you a quick way to free space on your BoxA disk without 
> reconfiguring your Apaches servers
> --
> Josiane
> 

This is good, but in my case, reconfiguration is not
a problem.  After more reading, I found that a single
line added to the configuration:

   RewriteRule (/.*jpg) http://BoxB.net$1 [P]

worked with no apparent problem.

Mike.



-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
   "   from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

[EMAIL PROTECTED] Multiple search bases with mod_auth_ldap / Apache 2.0

[James Gotner]

Hello,

  I am wondering if there is a way to specify multiple AuthLDAPUrls
using mod_auth_ldap.  I have two AD domains that I need to authenticate
against, but there are schema differences between where the users are
stored on each domain.  Thanks.

Apache 2.0.55 on Ubuntu 6.06

Entries needed:
ldaps://domain.edu/OU=Domain Users,dc=domain,dc=edu?sAMAccountName
ldaps://other.domain.edu/OU=Users,dc=other,dc=domain,dc=edu?sAMAccountNa
me

-- James


-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
   "   from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: [EMAIL PROTECTED] combining AllowEncodedSlashes, reverse proxy, and apache 1.x

[Joshua Slive]

I'm not really an expert in this stuff, but a couple comments anyway...

On 10/3/06, Matt Liggett <[EMAIL PROTECTED]> wrote:


AllowEncodedSlashes bug

  According to the docs[4],

Allowing encoded slashes does not imply decoding. Occurrences of
%2F or %5C (only on according systems) will be left as such in the
otherwise decoded URL string.

  but it is our experience that if a URL like in [3] is passed to
  Apache 2, it gets passed to the reverse proxy as

/data/workspaces/ambivalent/pages/either/or

  which seems to be a bug.[5]


I don't believe that is really a bug.  The docs mean that activating
AllowEncodedSlashes does not in itself do any decoding.  But if you
have other stuff in the works that does decoding, all bets are off.

And in general, I don't think the unescaping algorithm has a bug
either.  RFC2396 section 2.4.2 says " If the
  given URI scheme defines a canonicalization algorithm, then
  unreserved characters may be unescaped according to that algorithm."

The slash is not a reserved character and hence can be unescaped,
according to my reading.  And there are good reasons for doing just
that.

If I were you, the first thing I would try is to make your back-end
application deal with this, either by accepting a raw slash, or by
generating URLs that use some other character in place of slash.

But I have to admit that the escaping unescaping in mod_proxy and
mod_rewrite has always mystified me, and I wish it was better
documented and more configurable.

Joshua.

-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
  "   from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

[EMAIL PROTECTED] how to comment out a large section in httpd.conf?

[Bing Du]

Hi,

The document http://httpd.apache.org/docs/2.0/configuring.html says:

==
Directives in the configuration files are case-insensitive, but arguments
to directives are often case sensitive. Lines that begin with the hash
character "#" are considered comments, and are ignored. Comments may not
be included on a line after a configuration directive. Blank lines and
white space occurring before a directive are ignored, so you may indent
directives for clarity.
==

Any way to do block comments, such as using /* and */ rather than add '#'
for each line?

Thanks in advance,

Bing

-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
   "   from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: [EMAIL PROTECTED] how to comment out a large section in httpd.conf?

[Joshua Slive]

On 10/3/06, Bing Du <[EMAIL PROTECTED]> wrote:

Hi,

The document http://httpd.apache.org/docs/2.0/configuring.html says:

==
Directives in the configuration files are case-insensitive, but arguments
to directives are often case sensitive. Lines that begin with the hash
character "#" are considered comments, and are ignored. Comments may not
be included on a line after a configuration directive. Blank lines and
white space occurring before a directive are ignored, so you may indent
directives for clarity.
==

Any way to do block comments, such as using /* and */ rather than add '#'
for each line?


No.  You can use  ... , but the stuff
inside probably still needs to be syntactically correct, so use it
with care.

Joshua.

-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
  "   from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: [EMAIL PROTECTED] how to comment out a large section in httpd.conf?

[Nick Kew]

On Tuesday 03 October 2006 19:57, Bing Du wrote:
> Hi,
>
> The document http://httpd.apache.org/docs/2.0/configuring.html says:
>
> ==
> Directives in the configuration files are case-insensitive, but arguments
> to directives are often case sensitive. Lines that begin with the hash
> character "#" are considered comments, and are ignored. Comments may not
> be included on a line after a configuration directive. Blank lines and
> white space occurring before a directive are ignored, so you may indent
> directives for clarity.
> ==
>
> Any way to do block comments, such as using /* and */ rather than add '#'
> for each line?

Solution 1; google for mod_comment.

Solution 2:  Hack it with 

-- 
Nick Kew

Application Development with Apache - the Apache Modules Book
http://www.prenhallprofessional.com/title/0132409674

-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
   "   from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

[EMAIL PROTECTED] preserving internal links on a rewrite

[Michele Romano]

Hello,
I am having trouble with a RewriteRule and I was hoping someone can lead 
me in the right direction, as I haven't been able to track down an 
answer on my own.


I am setting up a rewrite that includes a target (eg. 
http://www.somedomain.com/filename.cfm#locationOnPage to relocate to 
http://www.somedomain.com/directory/filename.cfm#locationOnPage) and I 
can't seem to get the target information to work (ie. locationOnPage)


This is the code I currently have:

RewriteRule ^([a-zA-Z0-9_]+\.cfm)(.+) /directory/$1$2

there never seems to be any information on $2... Is it possible to 
preserve the target?


Thanks,
Michele Romano


-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
  "   from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: [EMAIL PROTECTED] preserving internal links on a rewrite

[Joshua Slive]

On 10/3/06, Michele Romano <[EMAIL PROTECTED]> wrote:

Hello,
I am having trouble with a RewriteRule and I was hoping someone can lead
me in the right direction, as I haven't been able to track down an
answer on my own.

I am setting up a rewrite that includes a target (eg.
http://www.somedomain.com/filename.cfm#locationOnPage to relocate to
http://www.somedomain.com/directory/filename.cfm#locationOnPage) and I
can't seem to get the target information to work (ie. locationOnPage)

This is the code I currently have:

RewriteRule ^([a-zA-Z0-9_]+\.cfm)(.+) /directory/$1$2

there never seems to be any information on $2... Is it possible to
preserve the target?


I don't believe so.  Check your access log, and you'll find that the
browser isn't even sending the fragment (the part with the #) to the
server.  It resolves it internally.

An old discussion of this issue is at
http://www.w3.org/Protocols/HTTP/Fragment/draft-bos-http-redirect-00.txt

Joshua.

-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
  "   from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: [EMAIL PROTECTED] preserving internal links on a rewrite

[Michele Romano]

thanks Joshua, you are correct, I don't see the fragment in the logs. 
that is really unfortunate that I can't do a redirect for a URL that has 
a fragment.


Thanks,
Michele


-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
  "   from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

[EMAIL PROTECTED] Would like to use SSI for one particular file name instead of all types. IS that possible

[Randy Paries]

HelloI am running apache2i am trying to figure a way to use SSI based on the file name and not the file extension.I can make it work fine if i do 
	AddOutputFilter INCLUDES .shtml or 
	AddOutputFilter INCLUDES .htmlbut i do not want to rename all my files to .shtml and i do not want to parse all my html files.XBitHack will not work for me either.so is there a way i can have apache just parse something like 
main.html?ThanksRandy

Re: [EMAIL PROTECTED] Would like to use SSI for one particular file name instead of all types. IS that possible

[Joshua Slive]

On 10/3/06, Randy Paries <[EMAIL PROTECTED]> wrote:

Hello

I am running apache2

i am trying to figure a way to use SSI based on the file name and not the
file extension.




so is there a way i can have apache just parse something like main.html?



SetOutputFilter INCLUDES


(But be aware this will apply to any file named main.html in the
 section where you place this or in any subdirectories.)

Joshua.

-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
  "   from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

[EMAIL PROTECTED] Modifying environment variables passed to CGI's.

[Jason Lingel]

Is there a way to modify an environment variable that gets passed to a CGI?  For example, I'm doing Kerberos authentication and the realm gets appended to the REMOTE_USER variable, e.g., REMOTE_USER=
[EMAIL PROTECTED].  I just want username and not the realm.  I would prefer not to do this in the CGI because the CGIs are already written (legacy in house application).TIA.

Re: [EMAIL PROTECTED] Modifying environment variables passed to CGI's.

[Rob Wilkerson]

On Oct 3, 2006, at 7:08 PM, Jason Lingel wrote:

Is there a way to modify an environment variable that gets passed  
to a CGI?  For example, I'm doing Kerberos authentication and the  
realm gets appended to the REMOTE_USER variable, e.g., REMOTE_USER=  
[EMAIL PROTECTED]  I just want username and not the realm.  I  
would prefer not to do this in the CGI because the CGIs are already  
written (legacy in house application).


TIA.


I just did this using mod_rewrite by setting the E flag.

RewriteRule /.* - [E=varname:value]

In my case, I needed to pass the request uri to ColdFusion (which  
doesn't appear to pass it along as it should).  I did so using this  
capability (I was already using mod_rewrite).


RewriteRule /.* /my/redirect.cfm [E=MY_REQUEST_URI:%{REQUEST_URI},PT]

Worked like a charm.

Hope this helps.

-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
  "   from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

[EMAIL PROTECTED] can i have my own login screen using apache authentication/ mod_auth_mysql

[Randy Paries]

i am using apache Apache/2.0.54I am also using mod_auth_mysql for my authenticationIs there a way that i can go to my own html screen instead of the popup for user authentication?Thanks for anyhellp in just pointing me in the right direction
Thanks

[EMAIL PROTECTED] Apache 2.0.59 Reverse Proxy - Set Content Length ( for HTTPS POSTS) to prevent proxy erros

[ABAPGUY]

Hi all ,
running our Apache 2.0 Reverse Proxy over https we noticed that HTTP 1.1 connections to the backend server are causing Proxy errors for POSTs only (all GETs are fine) .
We want to set Content-Length or Content-Chunking for POSTs as this is a known problem for web servers
(especially with KeepAlives ) .
 
In the Apache 2.2 documentation
http://httpd.apache.org/docs/2.2/env.html
 it talks about proxy-sendchunked, proxy-sendcl (these are defined in mod_proxy_http.c in 2.0)
 
I set (1 at a time) with 
SetEnv proxy-sendchunked
or
SetEnv proxy-sendcl 
 
in the httpd.conf . 
Is that all it takes ? Do they work with 2.0 ?
 
Regards
Daniel