Re: [users@httpd] FcgidAccessChecker hangs.

[Jeff Trawick]

On Sun, Nov 11, 2012 at 8:41 PM, Peter Danenberg  wrote:

> Thanks for looking into this, Jeff; I've attached an strace with
> mod_fcgid (strace-fcgid), one with mod_fastcgi (strace-fastcgi) and
> one with mod_fcgid and relative time stamps so you can see where it
> hangs (strace-fcgid-with-relative-time).
>

Ouch.  Is your script running in there somewhere?  I just saw httpd
activity but no activity of your script.  (s/script/application/)

Perhaps the most straightforward way to get a trace is to start httpd,
identify the mod_fastcgi or mod_fcgid daemon process, start strace -fp
DAEMON-PID, and then make the request.

How to identify the mod_fcgid daemon: At startup, it logs a message at
LogLevel info which says "mod_fcgid: Process manager  started", where
 is the pid.

mod_fastcgi?  I don't know.  But you may be very used to gdb and strace
before this is over, so maybe you can pick the child that doesn't look like
the others ;)

--/--

OTOH, how much effort is required to get your chicken-scheme script running
on Linux?



>
> It looks like the immediate call is:
>
>   rt_sigtimedwait(~[ILL TRAP ABRT BUS FPE KILL SEGV USR2 PIPE CONT
>   STOP SYS RTMIN RT_1], NULL, NULL, 8) = 1
>



>
> > On Sunday, November 11, 2012, Peter Danenberg wrote:
> >
> > > Digging a little deeper, mod_fcgid hangs on line 318 of
> > > fcgid_bridge.c:
> > >
> > >   ap_scan_script_header_err_core(r, sbuf, getsfunc_fcgid_BRIGADE,
> > >  brigade_stdout)
> > >
> > > I don't know enough about ap_scan_script_header_err_core yet to figure
> > > out why this might be the case.
> >
> >
> > Can You compare an strace/truss/dtruss of your script running with the
> > alternative modules?
> >
> > >
> > > > The following trivial script,[1] which simply returns a 200 header,
> > > > hangs under FcgidAccessChecker:
> > > >
> > > >   (call-with-dynamic-fastcgi-query
> > > >(λ (query)
> > > >  (display-status-&c.)))
> > > >
> > > > The same script works fine under mod_fastcgi with
> > > > FastCgiAccessChecker; or handled as an fcgid-script or
> fastcgi-script.
> > > >
> > > > The output from error_log is as follows:
> > > >
> > > >   [Sun Nov 11 01:39:44 2012] [info] mod_fcgid: server
> > > >   localhost:/usr/local/var/html/scm/api/access.scm(15965)
> > > >   started
> > > >
> > > >   [Sun Nov 11 01:40:24 2012] [warn] [client 127.0.0.1] mod_fcgid:
> read
> > > >   data timeout in 40 seconds
> > > >
> > > >   [Sun Nov 11 01:40:24 2012] [error] [client 127.0.0.1] Premature
> end of
> > > >   script headers: access.scm
> > > >
> > > >   [Sun Nov 11 01:40:24 2012] [warn] [client 127.0.0.1] mod_fcgid:
> user
> > > >   (null) access check failed, respond 500, URI /scm/api/access.scm
> > > >
> > > >   [Sun Nov 11 01:40:26 2012] [debug] fcgid_pm_main.c(357): mod_fcgid:
> > > >   gracefully terminated 1 processes
> > > >
> > > > How can I diagnose the problem? I find it interesting that it works
> > > > under mod_fastcgi but not mod_fcgid; I'm not sure whether that
> implies
> > > > the problem is in mod_fcgid, however.
> > > >
> > > >
> > > > Footnotes:
> > > > [1]  The script is written in Chicken Scheme, by the way.
> > > >
> > > >
> > > > -
> > > > To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> 
> > > > For additional commands, e-mail: users-h...@httpd.apache.org
> 
> > > >
> > >
> > >
> > > -
> > > To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> > > For additional commands, e-mail: users-h...@httpd.apache.org
> 
> > >
> > >
> >
> > --
> > Born in Roswell... married an alien...
> > http://emptyhammock.com/
>
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>



-- 
Born in Roswell... married an alien...
http://emptyhammock.com/

Re: [users@httpd] Using mod_ext_filter mode=input

[Jon Belanger]

Does anyone still maintain this?  Any ideas?

Thank you,
Jon

From: Jon Belanger 
mailto:jon.belan...@fidelissecurity.com>>
Reply-To: "users@httpd.apache.org" 
mailto:users@httpd.apache.org>>
Date: Thursday, November 8, 2012 5:23 PM
To: "users@httpd.apache.org" 
mailto:users@httpd.apache.org>>
Subject: [users@httpd] Using mod_ext_filter mode=input

I'm trying to intercept file upload requests using the mod_ext_filter module in 
input mode.

I've tried a few test commands to write the STDIN to a file, for example:

/usr/bin/tee /tmp/ext_filter_debug

And also tried a test script that does basically the same thing:

#!/bin/sh
cat -  > /tmp/ext_filter_debug

If I send a large file I can see the request append /tmp/ext_filter_debug file, 
but as soon as the request completes, the file goes down to 0 bytes in both 
instances.  I don't understand how this is even possible given that the module 
should have no idea what file I'm writing to.

Interestingly if I try this:

 #!/bin/sh
cat -  > /tmp/ext_filter_debug
cat /tmp/ext_filter_debug

The /tmp/ext_filter_debug file hangs out a while longer, duration depending on 
size, but then eventually goes to zero.

Eventually, I want to parse the request and encrypt the uploading file using 
openssl smime, but I don't understand how to work with the incoming request.  
The only error I see logged is:

(9) Bad file descriptor: apr_file_close(child input)

To /var/log/apach2/error.log.  I tried LogLevel=debug and DebugLevel=9. 
LogStderr helps to see if I have a problem in the cmd script itself, but 
otherwise isn't much help.

Can any provide any examples for this use case?

Thank you,
Jon Belanger

Re: [users@httpd] ProxyPass and authentication

[Radosław Smogura]

Hello,

I checked logs for Apache version change
5th April 2012  Apache/2.2.21 (Linux/SUSE) mod_ssl/2.2.21 
OpenSSL/1.0.0e PHP/5.3.8 DAV/2 SVN/1.6.17 mod_perl/2.0.5 Perl/v5.14.2
3th September 2012  Apache/2.2.21 (Linux/SUSE) mod_ssl/2.2.21 
OpenSSL/1.0.0e PHP/5.3.8 DAV/2 SVN/1.6.18 mod_perl/2.0.5 Perl/v5.14.2


It's looks like SVN only reports version change. Is this module managed 
by Apache or by SVN team? Can module be written such a way that failed 
authentication may result in passing requests to PrxyPass? I don't know 
about HTTPD API, but maybe some change in function result (e. g. backed 
thinks not found) can cause it?


When I comment ProxyPass / balancer:// line I can login to SVN, via web 
browswer, then if I uncomment this and restart server I can still browse 
SVN, but when I clear active logins from Firefox I get Glassfish 404.


Regards

On 03.11.2012 23:27, Igor Cicimov wrote:

On 04/11/2012 4:39 AM, "Radosław Smogura"  wrote:
 >
 > Hello,
 >
 > I have problem with access to /svn-rs path - I get 404 not found
page from Glassfish server instead of authentication request from
Apache.
 > Checking with FireBug I see headers WWW-Authenticate Basic
realm="My realm", and in addition Powered-By Servlet/3.0 JSP/2.2
 > for Glassfish's 404.
 >
 > In addition I don't see my requests are logged as well in Apache
logs, and Glassfish ones.
 >

First increase apace LogLevel to debug


Here are snips of my config

 >
 >  ServerName X
 > ServerAlias X Y Z
 > UseCanonicalName off
 > SetOutputFilter deflate
 >
 > #Snips logging and SSL
 >
 > ProxyPass /svn-rs !
 > ProxyPass / balancer://cluster-1-ajp-s/
 > ProxyPassReverse / balancer://cluster-1-ajp-s/
 >
 >
 > SetOutputFilter DEFLATE
 > DAV svn
 > SVNParentPath /srv/svn-rs
 >
 > AuthType Basic
 > Require ldap-dn DN
 > #Snips
 >
 >
 >
 > When I comment ProxyPass / ajp:// or I will down Glassfish
everything works as expected.
 >
 > I haven't used this path for some time, but I'm sure it was 
working

on 1th April 2012 (I checked in logs), today this stopped to work.
 >

Hard to believe that, things work or not ... except if something has
changed and they suddenly stop. So what has changed since April???


Can someone explain me what I do wrong?

 >
 > Kind regards,
 > Radosław Smogura
 >
 >
 >
-
 > To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org [3]
 > For additional commands, e-mail: users-h...@httpd.apache.org [4]
 >


Links:
--
[1] mailto:m...@smogura.eu
[2] http://217.118.26.142
[3] mailto:users-unsubscr...@httpd.apache.org
[4] mailto:users-h...@httpd.apache.org



-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Using mod_ext_filter mode=input

[Jeff Trawick]

On Mon, Nov 12, 2012 at 9:06 AM, Jon Belanger <
jon.belan...@fidelissecurity.com> wrote:

> Does anyone still maintain this?  Any ideas?
>

Hi Jon,

The issue of the unexpected error (and message) matches this recent fix to
trunk and 2.4.x:

http://svn.apache.org/viewvc?view=revision&revision=1364606

 The patch looks quite simple to try with 2.2.x.  Can you how much that
helps?  (I don't know what else would happen besides the message.)

With the patch in place, I successfully ran the first example you gave,
like so:

extfilterdefine tee \
  cmd="/usr/bin/tee /tmp/ext_filter_debug" \
  mode=input

setinputfilter tee

Is it possible that your testing showed the file going to zero because of
some other request hitting the server (with no body)?



> Thank you,
> Jon
>
> From: Jon Belanger 
> Reply-To: "users@httpd.apache.org" 
> Date: Thursday, November 8, 2012 5:23 PM
> To: "users@httpd.apache.org" 
> Subject: [users@httpd] Using mod_ext_filter mode=input
>
> I'm trying to intercept file upload requests using the mod_ext_filter
> module in input mode.
>
> I've tried a few test commands to write the STDIN to a file, for example:
>
> /usr/bin/tee /tmp/ext_filter_debug
>
> And also tried a test script that does basically the same thing:
>
> #!/bin/sh
> cat -  > /tmp/ext_filter_debug
>
> If I send a large file I can see the request append /tmp/ext_filter_debug
> file, but as soon as the request completes, the file goes down to 0 bytes
> in both instances.  I don't understand how this is even possible given that
> the module should have no idea what file I'm writing to.
>
> Interestingly if I try this:
>
>  #!/bin/sh
> cat -  > /tmp/ext_filter_debug
> cat /tmp/ext_filter_debug
>
> The /tmp/ext_filter_debug file hangs out a while longer, duration
> depending on size, but then eventually goes to zero.
>
> Eventually, I want to parse the request and encrypt the uploading file
> using openssl smime, but I don't understand how to work with the incoming
> request.  The only error I see logged is:
>
> *(9) Bad* file *descriptor*: apr_file_close(*child* input)
>
> To /var/log/apach2/error.log.  I tried LogLevel=debug and DebugLevel=9.
> LogStderr helps to see if I have a problem in the cmd script itself, but
> otherwise isn't much help.
>
> Can any provide any examples for this use case?
>
> Thank you,
> Jon Belanger
>



-- 
Born in Roswell... married an alien...
http://emptyhammock.com/