Re: [users@httpd] RE: URGENT help required

2012-03-22 Thread Daniel Gruno

On 22-03-2012 05:56, karthiek.maralla wrote:


Hi,

I am getting following error when running a report through java in 
oc4j server.


...bla bla bla...

Any help would be greatly appreciated

Sending the letter again does still not make this the right place to ask 
for help.

Have you tried the OC4J forums, for example?
https://forums.oracle.com/forums/forum.jspa?forumID=46&start=0

With regards,
Daniel.


Re: [users@httpd] Uploading a file using HTTp to apache web server.

2012-03-22 Thread Daniel Gruno

On 22-03-2012 09:48, Sharmistha Chatterjee wrote:

Hi,
I am new to apache web server. My objective is to upload a file from a 
C program.

I am facing an issue in uploading a file to APACHE web server on
Linux. I am not able to find the uploaded file at the server.
My post request has the following data and the HTTP response is also
OK if I don't specify /x.txt in the URI.
But if I specify /x.txt then it is HTTP 404

POST /x.txt  HTTP/1.1 \r\n

User Agent : My server  \r\n

Host: x.x.x.x:80 \r\n

Accept:  */* \r\n

Content-Length:  5 \r\n

Content-Type : text\plain \r\n\r\n

Hello \r\n\r\n

The error log on Apache shows.

[error][client x.x.x.x] File does not exist /home/users/priya/public_html/x.txt

where  /home/users/priya/public_html has been set to
document_directory in httpd.conf

Please help me , I am not able to fix this issue.

Regards,
Sharmistha

The POST request type is not an upload method per se, but rather one of 
several methods of delivering data in a request. If you wish to upload a 
file, you should either use POST to send data to a script on your 
server, which reads the data and saves it, or use the PUT method with a 
DAV service.


For example: You have upload.php on your server which reads the POST 
contents and saves it as a file;


POST /upload.php?save-as=t.txt HTTP/1.1
Host: somehost
Content-Length: 5
Content-Type: text/plain

Hello


The script will then read your contents and save it using some 
php/whatever-language method you define.


With regards,
Daniel.
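
The save step of a server-side upload script like the one described above, as an added example in Python (not part of the original post, and not Apache project code): it treats the `save-as` value as untrusted, keeps the file inside one upload directory and refuses to overwrite. The function names, the size cap and the file-name rule are assumptions made for this sketch.

```python
import os
import re
import tempfile

MAX_UPLOAD_BYTES = 1024 * 1024   # assumed cap; choose one that fits the application
# Assumed naming rule: starts with a letter or digit, no path separators,
# so "..", "/etc/passwd" and dot-files such as ".htaccess" are all refused.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


class UploadRejected(Exception):
    """Raised when the request must not be written to disk."""


def resolve_target(upload_dir, save_as):
    """Map the client-supplied save-as value to a path inside upload_dir."""
    if not SAFE_NAME.fullmatch(save_as or ""):
        raise UploadRejected("file name not allowed")
    base = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(base, save_as))
    # Defence in depth: a symlink inside upload_dir could still point elsewhere.
    if os.path.dirname(target) != base:
        raise UploadRejected("path escapes upload directory")
    return target


def store_upload(upload_dir, save_as, body):
    """Write the request body to disk and return the path that was created."""
    if len(body) > MAX_UPLOAD_BYTES:
        raise UploadRejected("body too large")
    target = resolve_target(upload_dir, save_as)
    # O_EXCL refuses to replace an existing file; 0o640 keeps it non-executable.
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(body)
    return target


def demo():
    """Run constructed save-as values through store_upload and record the outcome."""
    names = ["t.txt", "../outside.txt", "/etc/passwd", ".htaccess", "t.txt"]
    results = {}
    with tempfile.TemporaryDirectory() as upload_dir:
        for name in names:
            try:
                store_upload(upload_dir, name, b"Hello")
                results.setdefault(name, []).append("saved")
            except (UploadRejected, FileExistsError) as exc:
                results.setdefault(name, []).append(type(exc).__name__)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```
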

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org



Re: [users@httpd] allow from based on database query (2.4)

2012-03-24 Thread Daniel Gruno

On 24-03-2012 02:38, John Karr wrote:

I have an application that uses both ip and credentials authentication,
currently to update the "allow from" I have to edit a file and restart the
server. My next release will be using Apache 2.4 with dbd authentication, I
was wondering if there were a way to either have apache get its ip address
list for "allow from" from the database or to dynamically update the list
apache was using without needing to restart the server.



I have a way, but it's not necessarily pretty, and someone should 
probably shoot me for mentioning this.
What you can do, since the dawn of Man (or, since mod_rewrite), is use 
RewriteMap creatively and run it through a program, that checks if the 
IP is on a white-list, and if not, rewrite the URI to serve a static 
"forbidden!" file. The idea is that, as you can pass on any httpd 
argument, header etc in a rewrite, you can pass on both the IP and the 
request URI to a program, that then splits it up, checks the IP, and if 
it checks out, passes back the URI.


First off, you would need to apply something like this to your 
configuration:


RewriteMap checkip prg:/path/to/checkip.pl
RewriteRule - ${checkip:%{REMOTE_ADDR}:%{REQUEST_URI}}


You would then have a corresponding program (checkip.pl) running (httpd 
takes care of running this in the background for you):

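#!/usr/bin/perl
use strict;
use warnings;

$| = 1; # Turn off I/O buffering

sub DatabaseLookup {
    my ($ip) = @_;
    #doStuffHere(); # Should return 1 if the IP is on the list
    return 0; # Placeholder: nothing is allowed until a real lookup is written
}

while (<STDIN>) { # For each incoming IP request, look it up in the db.
    chomp;
    # Separate the IP and the URI in the string httpd gave us
    # (limit of 2, so a ':' inside the URI does not truncate it)
    my ($ip, $uri) = split(/:/, $_, 2);

    # Run some checks here to see if the IP matches one on our list
    if (defined $uri && DatabaseLookup($ip) == 1) {
        print("$uri\n"); # Allow the request through, unaltered
    }
    else { # If the IP isn't on our list, then...
        print("/forbidden.html\n"); # Redirect to some static error file
    }
}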

As mentioned, this is probably but one of the methods you could use, and 
it's prone to be a bottleneck if you have a lot of requests going on at 
once - but I've tested it and it works, so that's at least something.


I'm done - send in the firing squad.

With regards,
Daniel.
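
The same prg: map program written in Python, as an added example that is not part of the original post: it goes beyond the Perl sketch by parsing IPv6 client addresses (which contain colons themselves), matching against networks rather than single addresses, and answering /forbidden.html for any key it cannot parse. The allow-list networks are constructed sample values standing in for the database lookup, and the function names are hypothetical.

```python
import io
import ipaddress
import sys

FORBIDDEN_URI = "/forbidden.html"   # same static page as in the post

# Stand-in for the database lookup in the post (constructed sample data).
ALLOWED = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8:10::/48")]


def split_key(line):
    """Split 'REMOTE_ADDR:REQUEST_URI' without breaking IPv6 addresses.

    An IP address never contains '/', and the URI path starts with '/',
    so the separator is the first ':' that is directly followed by '/'.
    """
    ip_text, sep, rest = line.rstrip("\r\n").partition(":/")
    if not sep:
        raise ValueError("no ':/' separator in lookup key")
    return ip_text, "/" + rest


def decide(line, allowed=ALLOWED):
    """Return the URI httpd should serve for one lookup key (fails closed)."""
    try:
        ip_text, uri = split_key(line)
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return FORBIDDEN_URI
    # Treat ::ffff:a.b.c.d (dual-stack listeners) as the IPv4 address it carries.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if any(ip.version == net.version and ip in net for net in allowed):
        return uri
    return FORBIDDEN_URI


def serve(stdin=sys.stdin, stdout=sys.stdout, allowed=ALLOWED):
    """prg: map loop: one key per line in, exactly one answer line out."""
    for line in stdin:
        try:
            answer = decide(line, allowed)
        except Exception:            # never leave httpd waiting for a reply
            answer = FORBIDDEN_URI
        stdout.write(answer + "\n")
        stdout.flush()               # same purpose as $| = 1 in the Perl version


def demo():
    """Run constructed lookup keys through serve() and return the answers."""
    keys = [
        "192.0.2.17:/reports/index.html",    # listed IPv4 client
        "198.51.100.9:/reports/index.html",  # unlisted IPv4 client
        "2001:db8:10::5:/wiki/Talk:Main",    # listed IPv6 client, ':' in the URI
        "::ffff:192.0.2.17:/x",              # IPv4-mapped IPv6 form of a listed client
        "2001:db8:ffff::1:/x",               # unlisted IPv6 client
        "not-a-key",                         # malformed input
        "192.0.2.17:relative",               # URI without leading '/'
    ]
    out = io.StringIO()
    serve(io.StringIO("".join(k + "\n" for k in keys)), out)
    return out.getvalue().splitlines()


if __name__ == "__main__":
    serve()
```
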


Re: [users@httpd] allow from based on database query (2.4)

2012-03-26 Thread Daniel Gruno

On 25-03-2012 00:12, John Karr wrote:


I hadn't wanted to mention what I was thinking of doing as an 
alternative, because I really hoped that there was a better answer 
that I had failed to read/find the documentation on!


My two solutions in mind were (a) the application that maintains the 
ip list writes out a fresh copy of the ip allow from config file and a 
cron job periodically restarts apache (b) my stored procedure that 
apache uses for checking passwords takes the ip address as an added 
parameter and have the database check the ip address. I don't like (a) 
because it will require me to restart the server frequently or accept 
a long potential delay in updates to the ip table. I don't like (b) 
because I would rather a user from an unauthorized address be 
completely blocked and not even redirected to login and when working 
on the config I would prefer separate queries/stored_procedures for ip 
and credentials.



It's still only early Monday morning - perhaps some wiz kid will wake up 
and give the right answer soon.
In the meantime; httpd comes with a set of modules and directives that 
will satisfy 99% of the population, but there will always be things that 
have either not been thought of, or are better suited as third party 
modules. There is, after all, a very useful API built into httpd that 
you can make use of rather easy and fast if you have special needs for 
your web server. So, when in doubt, make a module!


And so I did; I made an example module that takes a text file (with a 
caching mechanism for only reading it if/when it updates), rifles 
through it, and checks if an IP is on the list or not. The example 
module source code can be found at 
http://www.humbedooh.com/mod_gatekeeper.zip and works with 2.4. The 
simple directives that you can put into place are:



GKEngine on
GKAllow ip /foo/bar/allowed_ips.txt
GKDeny ip /foo/bar/denied_ips.txt

This is somewhat like writing a new .htaccess with updated rules 
whenever the IP list changes, but it has the advantage of being 
significantly faster in its execution since it only reads changes to 
your list when they occur.


One could (and I probably will) continue to work on this module, 
eventually allowing one to make more complex requirements using mod_dbd 
as a database gateway, such as:


GKAllow REMOTE_HOST in mod_dbd using "SELECT `ip` FROM `grantedlist` WHERE `ip` = ?"
GKAllow REMOTE_USER,REMOTE_PASSWORD in mod_dbd using "SELECT `user` FROM `grantedusers` WHERE `user` = ? AND `password` = MD5(?)"

GKDeny from file /foo/bar/deny.txt


I'm guessing this is more along the lines you had in mind? If so, I'll 
likely continue to work on this module over the course of the summer, 
and if it wasn't exactly what you had in mind, any input or opinions you 
may have are of course very welcome either on users@, or private to 
humbed...@apache.org.


With regards,
Daniel.


Re: [users@httpd] allow from based on database query (2.4)

2012-03-26 Thread Daniel Gruno

On 26-03-2012 16:41, brainbuz wrote:


mod_gatekeeper sounds like it does exactly what I was looking for I 
will try it.


I took the liberty of taking this example one step further, implementing 
it into the mod_auth group so you can use it within a Require block. The 
module in its current form can be found at 
http://people.apache.org/~humbedooh/authz_dynamic.html and the 
directives would look something like this:


# Require a line from /foo/bar/allowed_ips.txt to match the IP:
Require fromfile REMOTE_ADDR /foo/bar/allowed_ips.txt

# Or require an SQL statement to return a result. (all values are escaped, don't worry)

DBDriver mysql
DBDParams host=localhost,dbname=mydatabase,user=root
Require fromdb REMOTE_ADDR "SELECT `ip` FROM `ips` WHERE `ip` = '%s' LIMIT 1"


This new example requires mod_dbd loaded in order to work, but also 
offers the option of being able to check against a database of your 
choice for the list of IPs to allow/deny.


*Note:* This is a (personal) work in progress (or rather, it's a 
proposed solution), so there will be places that need more work in order 
to become effective, but if you just need something basic to compare IPs 
against a list or a database, it'll work better than the previous 
gatekeeper example.


With regards,
Daniel.


Re: [users@httpd] Read HTTP header and body

2012-04-05 Thread Daniel Gruno

On 05-04-2012 12:01, Evgeny Shvidky wrote:


Hello,

I am implementing on "C" a new module in Apache HTTP server.

I succeeded to receive an appropriate HTTP request by my module handler.

How can I read a full HTTP header (not only the first line) and a body 
(if exists) of received HTTP request?


Thanks,

Evgeny

Assuming you just want to flip through the various headers and read the 
request body, and not literally save the exact image of a request, you 
can do so with a few "simple" functions. If you, however, want an exact 
duplicate of the request, you're better off looking at modules like 
mod_logio (or dumpio), that use filters to get the exact request and body.


Now, as I was saying, I have some snippets of code for an ongoing 
project (an introduction to developing modules for Apache 2.4), that you 
may find useful. The direct link is 
http://www.humbedooh.com/apache/modguide.html.en#snippets and you should 
just forget everything else in that document, as it's purely a work in 
progress (you should probably burn this email after reading as well..!)


With regards,
Daniel.


Re: [users@httpd] test against env variable previously defined by SetEnvIf

2012-04-10 Thread Daniel Gruno
On 10-04-2012 17:15, Pierre-Rudolf Gerlach wrote:
> Hello,
>
> I have a website hosted in a shared environment, so I only have access
> to a .htaccess file to configure stuff. I'm running on Apache 2.4.1.
>
> I would like to do something like
>  - test the user-agent against a regexp and set a variable according to this
>  - test if this variable is set and do something if it is
>
> My problem is : although the variable is set, I can't figure out how
> to test it in the  directive. I tried with %{ENV:myvar} and
> env('myvar') (and other stuff that threw me errors)
>
> Here's a sample .htaccess to demonstrate my problem :
>
>
> # Set a value to a variable named "myvar"
> SetEnvIf dummy .* myvar=value
>
> 
> SetEnvIf dummy .* myres=WIN
> 
> 
> SetEnvIf dummy .* myres2=WIN
> 
> 
> SetEnvIf dummy .* myres3=myvarIsEmpty
> 
> 
> SetEnvIf dummy .* myres4=myvarIsEmpty
> 
>
> Header set test_safari "%{myvar}e"
> Header set test_myvar "%{myres}e"
> Header set test_myvar2 "%{myres2}e"
> Header set test_myvar3 "%{myres3}e"
> Header set test_myvar4 "%{myres4}e"
>
>
> The response headers are :
>
> Server:Apache/2.4.1 (Unix)
> test_myvar:value
> test_myres:(null)
> test_myres2:(null)
> test_myres3:myvarIsEmpty
> test_myres4:myvarIsEmpty
>
>
> How would I have a "WIN" printed ?
>
>
> Thanks
>
You seem to have an error in your second If-statement (a missing quote).
I tested an If-clause on my 2.4 using the following example:

SetEnvIf dummy .* myvar=value

 Require all denied


And lo and behold, I got access denied, so it should be working as
intended, provided you fix your typo :)

With regards,
Daniel.




Re: [users@httpd] test against env variable previously defined by SetEnvIf

2012-04-10 Thread Daniel Gruno
On 10-04-2012 17:36, Pierre-Rudolf Gerlach wrote:
>
> My bad for the missing quote, I changed the values in the example
> without re-testing it, sorry.
>
> Your example works for a deny. However, if I slightly modify it,
> replacing "Require all denied" by a variable setting, like this
>
> SetEnvIf dummy .* myvar=value
> 
>  SetEnvIf dummy .* myothervar=othervalue
> 
> Header set myvar %{myvar}e
> Header set myothervar %{myothervar}e
>
> I get the problem : "myothervar" is not set. (null in the response
> headers). I don't really get what difference it would make ?
>
> Thanks, regards
>
I have tried inputting exactly what you wrote into my configuration, and
the output I got was:

  HTTP/1.1 200 OK
  ...
  myvar: value
  myothervar: othervalue
  Content-Type: text/html

So it _should_ work, unless you have some other directives interfering
with it.
The only other explanation I can think of is that I'm using 2.4.2-dev
instead of 2.4.1, perhaps something changed since 2.4.1?

With regards,
Daniel.




Re: [users@httpd] test against env variable previously defined by SetEnvIf

2012-04-10 Thread Daniel Gruno
On 10-04-2012 18:59, Pierre-Rudolf Gerlach wrote:
> I just tried from a fresh checkout of branch 2.4.x (Apache 2.4.3-dev),
> using the shipped default config, and still myothervar is null.
> Same result with tags/2.4.2 ...
>
> Do you confirm you did just create a .htaccess with the content of my
> previous email ? If so, I guess I don't have any ideas left.
>
I must admit, I did not create a .htaccess, but put it in my httpd.conf
instead, which is what makes it work. It would seem that somehow, in a
.htaccess context, the SetEnvIf inside the  clause gets either ignored
or...something else. I'll have to get back to you on that :)

With regards,
Daniel.




Re: [users@httpd] test against env variable previously defined by SetEnvIf

2012-04-10 Thread Daniel Gruno
On 10-04-2012 17:49, Daniel Gruno wrote:
> On 10-04-2012 17:36, Pierre-Rudolf Gerlach wrote:
>> My bad for the missing quote, I changed the values in the example
>> without re-testing it, sorry.
>>
>> Your example works for a deny. However, if I slightly modify it,
>> replacing "Require all denied" by a variable setting, like this
>>
>> SetEnvIf dummy .* myvar=value
>> 
>>  SetEnvIf dummy .* myothervar=othervalue
>> 
>> Header set myvar %{myvar}e
>> Header set myothervar %{myothervar}e
>>
>> I get the problem : "myothervar" is not set. (null in the response
>> headers). I don't really get what difference it would make ?
>>
>> Thanks, regards
>>
I obviously needed to think outside the box for a bit before it hit me:
This is 2.4, we can use SetEnv!

SetEnvIf dummy .* myvar=value

 SetEnv myothervar othervalue

Header set myvar %{myvar}e
Header set myothervar %{myothervar}e

This should work very well within a .htaccess context.
What's probably best, for future reference, is if you try to solve
things using  to match a criteria,
followed by SetEnv to set the variables, so you don't have to rely on
SetEnvIf.

With regards,
Daniel.





Re: [users@httpd] 302 http status code after setting the redirects

2012-04-12 Thread Daniel Gruno
On 12-04-2012 10:19, aparna Puram wrote:
> Hello All,
>
> We have implemented the redirects from http to https
>
> RewriteEngine On
> RewriteCond %{HTTPS} off
> RewriteRule (.*) https://dnsname.com%{REQUEST_URI}
>
> this server can be accessing using 3 different names.
>
> localhostname
> and there are 2dns names for accessing the server.
>
> After implementing this we are seeing the following 302 status codes
> in the access logs
>
> Ipadrress - - [12/Apr/2012:12:04:55 +0200] "GET
> //readData.pl?IPBName=IPB_64 HTTP/1.1" 302 279 "-"
> "Java/1.5.0_17" 0
>
>
> Can any one please let me know what could be causing the issue?
>
>
A 302 status code is simply the redirect status code given due to your
rewrite rule.
See http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html (section
10.3) for an explanation on 3xx status codes.
If your site works as expected, I wouldn't pay any attention to it :)

With regards,
Daniel.




Re: [users@httpd] httpd-2.2.22 LogLevel arguments, in documentation, not accepted

2012-04-18 Thread Daniel Gruno
On 18-04-2012 19:23, Josh Narins wrote:
>
> The documentation for LogLevel[0] and references to LogLevel in the
> documentation for mod_rewrite[1] say that LogLevel takes arguments like
>
>
> LogLevel [module:]level [module:level] ...
>
>
> I am setting the LogLevel at server scope. If I try anything other than
> LogLevel (emerg|alert|crit|error|warn|notice|info|debug) I get one of
> these two errors:
>
>  
>
> LogLevel takes one argument, Level of verbosity in
> error logging
>
> or
>
> LogLevel requires level keyword: one of
> emerg/alert/crit/error/warn/notice/info/debug
>
>  
>
> What I think I need is something like "LogLevel debug rewrite:trace3"
> or even "LogLevel trace3," but neither works.
>
>  
>
> I know my mod_rewrite directives aren't working, and I am having a
> difficult time figuring out why. This is part of an effort to port
> from apache-1.3, where the same rewrite directives worked.
>
>  
>
> Thanks in advance.
>
>  
>
> httpd-2.2.22
>
> RHEL5 2.6.18-194.3.1.0.1.el5 SMP x86_64
>
>  
>
> [0] - http://httpd.apache.org/docs/current/mod/core.html#loglevel
>
> [1] - http://httpd.apache.org/docs/current/mod/mod_rewrite.html#logging
>
>
>
> *Josh Narins*
>
Those arguments only work with 2.4, you are looking at the wrong
documentation.
http://httpd.apache.org/docs/2.2/mod/core.html#loglevel will show you
the docs for 2.2

With regards,
Daniel.


[users@httpd] Syntax highlighting of httpd configurations

2012-04-30 Thread Daniel Gruno
Hi everybody on users@,
As you may or may not know, there's been some work in the trunk branch
of the httpd documentation, allowing for syntax highlighting of both the
various C/Perl/Lua code as well as the configuration examples shown in
the docs. The thought being, that it will make it easier to sift through
all the data that is being presented and easily identify the things you
need for your own work, as well as getting a better view of the
code/example as a whole.

On a strictly personal level, I'm curious as to what people think about
this new feature, so I have set up a small survey at
http://surveys.humbedooh.com/highlighting.plua where you can give this
new idea a thumbs up or down, as well as see an example of the new
highlighting as it looks on the docs page.

As said, this is a strictly personal interest in the matter, and thus
non-binding and not affiliated with ASF or the HTTPd project in any way
in this context - it is a personal interest in seeing whether others
feel like I do about adding some user friendliness to the documentation.

With regards,
Daniel.





Re: [users@httpd] Confusing apache configuration

2012-06-27 Thread Daniel Gruno
On 06/27/2012 03:29 PM, Robert Decker wrote:
> Hello. I'm having trouble figuring out how to configure apache for the
> following:
> 
> www.server.com/mstar should go through mod_passenger
> 
> but anything else, such as:
> www.server.com/
> www.server.com/index.html
> etc
> should go through mod_proxy.
> 
> So, I would need something to check if it has /mstar as the first
> component of the path and if so, have it served through passenger. But
> anything else should go through mod_proxy.
> 
> something like:
> 
> 
> ServerName beta.server.com
> 
> DocumentRoot /home/ruby/webapps/m-star/current/public
> 
> 
> PassengerEnabled on
> RailsBaseURI /mstar
> # This relaxes Apache security settings.
> AllowOverride all
> # MultiViews must be turned off.
> Options -MultiViews FollowSymLinks
> Order allow,deny
> Allow from all
> 
> 
> ProxyPass / http://beta.server.com:8890
> ProxyPassReverse / http://beta.server.com:8890
> 
> PassengerEnabled off
> Order allow,deny
> Allow from all
> 
> 
> 
> However, this of course is not working.
> 
> Can you give me some pointers on what to look at in the apache
> configurations to accomplish this?
> 
What you might find useful is to use ProxyPassMatch with a negative
lookahead. Try replacing your ProxyPass directive with:

ProxyPassMatch ^/(?!mstar)(.*) http://beta.server.com:8890/$1

This will effectively proxy only URIs that do not start with /mstar.

With regards,
Daniel.




Re: [users@httpd] Load-balancing with Mod_Proxy and SSL problem

2012-07-12 Thread Daniel Gruno
On 07/12/2012 02:42 PM, Jehan Badshah wrote:
> HI
> 
> *for loadbalancing I added following lines in httpd-ssl.conf file *
> 
> 
> //certificates etc
> 
> //loadbalancing lines
> ProxyPass / balancer://sakaiCluster/ stickysession=JSESSIONID
> nofailover=On timeout=60
> 
> BalancerMember ajp://192.168.1.101:8009
>  route=tom121
> BalancerMember ajp://192.168.1.102:8009
>  route=tom122
>
> 
> 
> 
> *when I am running apache then getting following syntax error*
> 
> AH00526: Syntax error on line 247 of httpd-ssl.conf:
> ProxyPass Can't find 'byrequests' lb method
> 
> 
> *Following are Loaded Modules:*
>  core_module (static)
>  so_module (static)
>  http_module (static)
>  mpm_event_module (static)
>  authn_file_module (shared)
>  authn_core_module (shared)
>  authz_host_module (shared)
>  authz_groupfile_module (shared)
>  authz_user_module (shared)
>  authz_core_module (shared)
>  access_compat_module (shared)
>  auth_basic_module (shared)
>  socache_shmcb_module (shared)
>  reqtimeout_module (shared)
>  filter_module (shared)
>  mime_module (shared)
>  log_config_module (shared)
>  env_module (shared)
>  headers_module (shared)
>  setenvif_module (shared)
>  version_module (shared)
>  slotmem_shm_module (shared)
>  ssl_module (shared)
>  unixd_module (shared)
>  status_module (shared)
>  autoindex_module (shared)
>  dir_module (shared)
>  alias_module (shared)
>  proxy_module (shared)
>  proxy_balancer_module (shared)
>  proxy_ajp_module (shared)
>  proxy_http_module (shared)
> 
> Any help ?
> 
> 
> Regards
> 
> Jehan
> 
> 
You need to load mod_lbmethod_byrequests :)

LoadModule lbmethod_byrequests_module /path/mod_lbmethod_byrequests.so

With regards,
Daniel.





Re: [users@httpd] unsubscribe

2012-07-12 Thread Daniel Gruno
On 07/12/2012 02:55 PM, Jim Osborne wrote:
> unsubscribe
Please unsubscribe by writing to users-unsubscr...@httpd.apache.org instead.

With regards,
Daniel.





Re: [users@httpd] Deny access to all directory files BUT a certain suffix?

2012-08-05 Thread Daniel Gruno
On 08/05/2012 11:31 PM, Tom Browder wrote:
> I see lots of examples of denying access to files in a directory with
> a certain suffix, but I want to deny access to ALL files EXCEPT those
> with one suffix (.html).
> 
> I have tried this (Apache 2.2.14):
> 
>   
> 
> SSLOptions +StdEnvVars +StrictRequire +OptRenegotiate
> 
> SSLVerifyClient require
> SSLVerifyDepth 1
> 
> # do NOT allow dir listings
> Options -Indexes
> 
> # do not allow access to any but .html files
> 
>   Order allow,deny
>   Deny from all
> 
> 
>   
> 
> But I still can see the README.txt file I have in that directory (I
> know most recommend not putting any files there that are not to be
> seen).
> 
> I must have something messed up (probably the regex, but it does work
> for me in a Perl script) but I don't know the correct way.
> 
> Thanks for any help.
> 
> Best regards,
> 
> -Tom
> 
> 
Try 
It might need some work, as it will only block files that follow the
prefix.suffix standard, but it's a working start :)

With regards,
Daniel.




Re: [users@httpd] VirtualHost Redirect with an exception

2012-12-18 Thread Daniel Gruno
On 12/18/2012 12:18 PM, Coert Waagmeester wrote:
> 
> 
> On 2012/12/18 11:53 AM, Coert Waagmeester wrote:
>> Hello all,
>>
>> We run a webserver with multiple domains pointing to it.
>>
>> Only one DNS name is used to serve our website.
>> All the other DNS names (which exist for purposes other than www) I
>> redirect to our main DNS name.
>>
>> 
>>  ServerName mysvcname.net
>>  ServerAlias www.mysvcname.net
>>  Redirect / http://www.mywwwname.net
>> 
>>
>> This works perfectly, but on one of the machines where I have this
>> Redirect, I am running mailman which used to listen on
>> mysvcname.net/mailman which also gets Redirected now wrongly.
>>
>> Can I add an exception in someway that mysvcname.net gets redirected,
>> but mysvcname.net/mailman stays as it should?
>>
>>
>> Thank you in advance,
>> Coert Waagmeester
>>
>>
>>
>>
> I have googled some, and everything points to RewriteCond
> Going to try that.
> 
> 
> Thanks,
> 
> 

Use RedirectMatch with a negative lookahead instead, for better
performance and clarity:

RedirectMatch ^/(?!mailman)(.*) /$1

With regards,
Daniel.
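
A check of what the negative lookahead in this reply, and in the earlier ProxyPassMatch reply (`^/(?!mstar)(.*)`), actually excludes, as an added Python example that is not part of the original posts: the lookahead compares characters, not path segments, so sibling paths that merely begin with the same letters are excluded as well. The request paths are constructed, the segment-anchored variant `(?!prefix(?:/|$))` is a suggestion added here, and the function names are hypothetical.

```python
import re

# Constructed request paths; "mstar" and "mailman" are the prefixes used in
# the two replies.
SAMPLE_PATHS = {
    "mstar": ["/", "/index.html", "/mstar", "/mstar/", "/mstar/login",
              "/mstarfish/admin", "/mstar.bak"],
    "mailman": ["/", "/mail", "/mailman", "/mailman/listinfo", "/mailman-old/"],
}


def posted_pattern(prefix):
    """The pattern shape used in the replies: ^/(?!prefix)(.*)"""
    return re.compile(r"^/(?!%s)(.*)" % re.escape(prefix))


def anchored_pattern(prefix):
    """Variant that only excludes /prefix itself and paths below /prefix/."""
    return re.compile(r"^/(?!%s(?:/|$))(.*)" % re.escape(prefix))


def rule_should_apply(path, prefix):
    """Intended policy: the proxy/redirect rule handles everything except
    /prefix and anything under /prefix/."""
    own = "/" + prefix
    return not (path == own or path.startswith(own + "/"))


def mismatches(pattern, prefix, paths):
    """Paths where the regex decision differs from the intended policy."""
    return [p for p in paths
            if (pattern.match(p) is not None) != rule_should_apply(p, prefix)]


def report():
    """Mismatching paths per prefix for both pattern shapes."""
    return {
        prefix: {
            "posted": mismatches(posted_pattern(prefix), prefix, paths),
            "anchored": mismatches(anchored_pattern(prefix), prefix, paths),
        }
        for prefix, paths in SAMPLE_PATHS.items()
    }


if __name__ == "__main__":
    for prefix, result in report().items():
        print(prefix, result)
```

With the posted shape, /mstarfish/admin and /mstar.bak skip the proxy and /mailman-old/ skips the redirect; the anchored shape leaves no mismatches on these sample paths.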




Re: [users@httpd] OutputFilter redirecting reply for modification

2012-12-21 Thread Daniel Gruno
On 12/21/2012 05:21 PM, n.weidm...@lombardodier.com wrote:
> Hi,
> 
> Is there an existing module that can be used as an output filter to send
> the response to another web server to get the final response to send
> back to the client.
...
> Here comes what I want to achieve.
> 
> 4. The output filter intercepts the response and if the type of the
> document is PDF for example, it sends it to another server for filtering.
> 5. It gets back the response from this other server
> 6. It sends back to the client the response of this second server
> instead of the original response returned by mod_proxy.
> 
> If the file does not need to be filtered (not PDF in my example), then
> the output filter does not send it to the other server for filtering,
> but sends
> it back directly with no modification to the client.
> 
> Is there such a module?
> 

Yes, two options spring to mind; mod_lua from trunk or mod_ext_filter.
If you're not comfortable using trunk builds, mod_ext_filter is the best
way to go. For more info on this module, please visit
http://httpd.apache.org/docs/2.4/mod/mod_ext_filter.html

With regards,
Daniel.




Re: [users@httpd] Setting Directory Listings Only To One Subnet

2013-01-09 Thread Daniel Gruno
On 01/09/2013 01:36 PM, Steve Penner wrote:
> A friend of mine posted the message below the '' for me recently.  He 
> told me that it went unanswered, although he told me it might have gone 
> unanswered because it was a holiday time.
> 
> I would like to confirm that what I want to do is not possible:
> 
> 
> 
> I have directory "abc" from the document root whose content is available to 
> all,
> including subnet 192.168.1.
> 
> But ONLY subnet 192.168.1 can do a directory listing.
> 
> What's my set up in httpd.conf?
> 
>
>   Options +Indexes
>   AllowOverride None
>   Order allow,deny 
>   Allow from all
> 
>
> 
> 
> 
> Server: Apache2.4.3  for Windows
> OS: Win7(64-bit)
> server running on  ASUS G74SX
> using dynamic DNS
> connection to Internet:  aDSL line rate: up 1022 Kbps, down 4904 Kbps
> server interfaced to PHP 5.4.8, MySQL 5.0.10
> 
> 
> --
> SP
> 
>  
> 
> 
> 

If you want only 192.168.1.* to do directory listings, but you want the
content to be available to everybody, you need to use an If clause:


Options -Indexes

Options +Indexes




With regards,
Daniel.




Re: [users@httpd] writing modules - missing sources?

2013-01-13 Thread Daniel Gruno
On 01/13/2013 12:44 PM, Piotr Suwala wrote:
> Hello.
> 
> I've got question for you concerned with writing modules for apache:
> How can I start doing it? Where can I find any helpful info for this, 
> tutorials about configuring enviroment?
> 
We have a brief guide on writing modules for httpd 2.4 at
http://httpd.apache.org/docs/trunk/developer/modguide.html

As said in another post, you might want to check out Nick's book also.

With regards,
Daniel.





Re: [users@httpd] Conflict between Alias, , and RewriteRule hides local directory from Apache httpd?

2013-01-28 Thread Daniel Gruno
Top posting, as this is a long email.
Please see:
http://httpd.apache.org/docs/current/rewrite/flags.html#flag_pt

With regards,
Daniel.

On 01/28/2013 09:17 AM, Hedley Finger wrote:
> I am trying to run the web app LedgerSMB on a standalone computer with
> localhost as the server. Apache httpd, and LedgerSMB Perl scripts, are
> installed as follows:
> 
> C:\Program_Files\Apache\
> C:\Program_Files\LedgerSMB\
> 
> 
> There are two configuration files in conf/, 
> 
> httpd.conf
> ledgersmb-httpd.conf
> 
> 
> When localhost is entered into the browser, httpd correctly returns the
> "It Works!" confirmation page.
> 
> When localhost/ledgersmb is entered, an Alias directive and Rewrite Rule
> are supposed to return C:\Program_Files\LedgerSMB\login.pl:
> 
> Alias  /ledgersmb  C:/Program_Files/LedgerSMB/
> 
> RewriteEngine On
> RewriteRule ^/ledgersmb/?$ /ledgersmb/login.pl  [R]
> ...
> 
> 
> 
> 
> Instead a 404 Not Found, "The requested URL /ledgersmb was not found on
> this server." message returns.  As one would expect,
> localhost/ledgersmb/login.conf also returns a 404.  In either case, the
> logs/error.log reports:
> 
> [Mon Jan 28 18:00:12 2013] [error] [client 127.0.0.1] File does not
> exist: C:/Program_Files/Apache/htdocs/ledgersmb
> 
> 
> It looks as though
> 
> DocumentRoot "C:/Program_Files/Apache/htdocs"
> 
> 
> is overriding 
> 
> Alias  /ledgersmb  C:/Program_Files/LedgerSMB/
> 
> RewriteRule ^/ledgersmb/?$ /ledgersmb/login.pl  [R]
> 
> 
> I am going nuts trying to solve this problem.  A search of the httpd
> user archives did not return a similar problem -- or I could not think
> of the right search keywords. Nor were the FAQs and documentation of any
> help.
> 
> Can anyone point out the obvious detail that is eluding me?  The
> directives in the two *.conf files are appended below, minus comment lines.
> 
> Regards,
> Hedley
> 
> 
> CONTENTS OF ledgersmb-httpd.conf
> 
> Alias  /ledgersmb  C:/Program_Files/LedgerSMB/
> 
> 
> 
>   RewriteEngine On
> 
>   RewriteRule ^/ledgersmb/?$ /ledgersmb/login.pl  [R]
> 
>   RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
> 
>   AllowOverride All
>   AddHandler cgi-script .pl
>   Options ExecCGI Includes FollowSymlinks
> 
>   Order Deny,Allow
>   Allow from 127.0.0.1
>   Allow from localhost
>   Deny from All
> 
>   
> Order Deny,Allow
> Deny from All
>   
> 
> 
> 
>   Order Deny,Allow
>   Deny from All
> 
> 
> 
>   ...
> 
> 
> CONTENTS OF httpd.conf
> 
> 
> ServerRoot "C:/Program_Files/Apache"
> 
> Listen 80
> 
> LoadModule actions_module modules/mod_actions.so
> LoadModule alias_module modules/mod_alias.so
> LoadModule asis_module modules/mod_asis.so
> LoadModule auth_basic_module modules/mod_auth_basic.so
> #LoadModule auth_digest_module modules/mod_auth_digest.so
> #LoadModule authn_alias_module modules/mod_authn_alias.so
> #LoadModule authn_anon_module modules/mod_authn_anon.so
> #LoadModule authn_dbd_module modules/mod_authn_dbd.so
> #LoadModule authn_dbm_module modules/mod_authn_dbm.so
> LoadModule authn_default_module modules/mod_authn_default.so
> LoadModule authn_file_module modules/mod_authn_file.so
> #LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
> #LoadModule authz_dbm_module modules/mod_authz_dbm.so
> LoadModule authz_default_module modules/mod_authz_default.so
> LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
> LoadModule authz_host_module modules/mod_authz_host.so
> #LoadModule authz_owner_module modules/mod_authz_owner.so
> LoadModule authz_user_module modules/mod_authz_user.so
> LoadModule autoindex_module modules/mod_autoindex.so
> #LoadModule cache_module modules/mod_cache.so
> #LoadModule cern_meta_module modules/mod_cern_meta.so
> LoadModule cgi_module modules/mod_cgi.so
> #LoadModule charset_lite_module modules/mod_charset_lite.so
> #LoadModule dav_module modules/mod_dav.so
> #LoadModule dav_fs_module modules/mod_dav_fs.so
> #LoadModule dav_lock_module modules/mod_dav_lock.so
> #LoadModule dbd_module modules/mod_dbd.so
> #LoadModule deflate_module modules/mod_deflate.so
> LoadModule dir_module modules/mod_dir.so
> #LoadModule disk_cache_module modules/mod_disk_cache.so
> #LoadModule dumpio_module modules/mod_dumpio.so
> LoadModule env_module modules/mod_env.so
> #LoadModule expires_module modules/mod_expires.so
> #LoadModule ext_filter_module modules/mod_ext_filter.so
> #LoadModule file_cache_module modules/mod_file_cache.so
> #LoadModule filter_module modules/mod_filter.so
> #LoadModule headers_module modules/mod_headers.so
> #LoadModule ident_module modules/mod_ident.so
> #LoadModule imagemap_module modules/mod_imagemap.so
> LoadModule include_module modules/mod_include.so
> #LoadModule info_module modules/mod_info.so
> LoadModule isapi_module modules/mod_isapi.so
> #LoadModule ldap_module modules/mod_ldap.so
> #LoadModule logio_module modules/mod_lo

Re: [users@httpd] Get parameters at the end of URL on Apache Web Server

2015-11-09 Thread Daniel Gruno
On 11/09/2015 11:24 AM, Marcel Florian wrote:
> Hello guys,
> 
> I have a URL with the following syntax:
> 
> |https://www.domain.com/pay/a1b2c |
> 
> In the |/pay| directory I have a simple payment form. I am using
> JavaScript to get the URL appendix |a1b2c| and process it in order to
> get further data to display in the payment form:
> 
> |var url = window.location.href; var appendix = url.split("/").pop(); ...|
> 
> But if I open the URL in the browser, Apache says (of course):
> 
> |Not Found The requested URL /pay/a1b2c was not found on this server.|
> 
> How can I solve this problem? Which Apache config do I need? 
> 
> Thank you! 
> 
> Best, Marcel
> 

Either use "AcceptPathInfo On" or use a rewrite rule to redirect to your
payment form. Or possibly redirect to /pay/?a1b2c and use
document.location.search.substr(1) to fetch the arguments in javascript.

with regards,
Daniel.




Re: [users@httpd] Get parameters at the end of URL on Apache Web Server

2015-11-09 Thread Daniel Gruno
On 11/10/2015 08:40 AM, Marcel Florian wrote:
> Thank you Daniel, "AcceptPathInfo On" seems to be the right approach.
> Where can I set this on Apache?

Anywhere, really. You can set it in the virtual host stanza, in a
.htaccess file, or globally.

With regards,
Daniel.

> 
> Best,
> 
> Marcel
> 
>> On 09 Nov 2015, at 11:27, Daniel Gruno wrote:
>>
>> On 11/09/2015 11:24 AM, Marcel Florian wrote:
>>> Hello guys,
>>>
>>> I have a URL with the following syntax:
>>>
>>> |https://www.domain.com/pay/a1b2c|
>>>
>>> In the |/pay| directory I have a simple payment form. I am using
>>> JavaScript to get the URL appendix |a1b2c| and process it in order to
>>> get further data to display in the payment form:
>>>
>>> |var url = window.location.href; var appendix = url.split("/").pop(); ...|
>>>
>>> But if I open the URL in the browser, Apache says (of course):
>>>
>>> |Not Found The requested URL /pay/a1b2c was not found on this server.|
>>>
>>> How can I solve this problem? Which Apache config do I need? 
>>>
>>> Thank you! 
>>>
>>> Best, Marcel
>>>
>>
>> Either use "AcceptPathInfo On" or use a rewrite rule to redirect to your
>> payment form. Or possibly redirect to /pay/?a1b2c and use
>> document.location.search.substr(1) to fetch the arguments in javascript.
>>
>> with regards,
>> Daniel.
>>
> 





Re: [users@httpd] TimeOut

2015-11-16 Thread Daniel Gruno
On 11/16/2015 05:50 PM, Rose, John B wrote:
> Looking in the Security Tips document for Apache this is said …
> 
>   * The |TimeOut| directive should be lowered on sites that are subject
>     to DoS attacks. Setting this to as low as a few seconds may be
>     appropriate. As |TimeOut| is currently used for several different
>     operations, setting it to a low value introduces problems with long
>     running CGI scripts.
> 
> The default is 60 seconds, I have had a discussion where I was told
> maybe 2-5 seconds is a good setting. 
> 
> What is commonly used nowadays in 2.4 on robust networks and architectures?
> 
> thanks

For guarding against slow loris and the likes, please see
https://httpd.apache.org/docs/2.4/mod/mod_reqtimeout.html instead.

With regards,
Daniel.




Re: [users@httpd] Refiring requests to proxy backend

2015-12-18 Thread Daniel Gruno
I think you need two phases here, as mod_lua doesn't itself do the
proxying, but delegates it to mod_proxy.

First, http://modlua.org/recipes/loadbalancing will show you how to proxy.

Secondly, you could then set up a handler for the specific HTTP code
using ErrorDocument or an output filter.

I haven't tried this myself (the 'act on return code'), but it should work.

With regards,
Daniel.

On 12/18/2015 04:23 PM, Jim Jagielski wrote:
> I'm not a mod_lua expert, esp as it relates to exposing the
> full Apache httpd API... it is possible that using r.handler
> and specifying the proxy may work.
> 
>> On Dec 18, 2015, at 8:05 AM, Jose Thomas  wrote:
>>
>> Jim,
>>
>> Sorry, I could not find the documentation on how to do this using mod_lua. 
>> Can you please point me there ? 
>>
>> In my current setup which is on httpd 2.2 - we use modpython. For routing 
>> requests (based on a header) we use a simple python script. For refiring the 
>> request (when a custom response code is received), another python script is 
>> configured in a "PythonOutputFilter". That script internally uses the python 
>> requests library. 
>>
>> We are upgrading to httpd 2.4 and wanted to see if this code can be ported 
>> to mod_lua. I have already ported the first script (routing) to lua. Where i 
>> am clueless, is how to resend the request to backend for the 2nd script in a 
>> "LuaOutputFilter".
>>
>> Thanks & regards,
>> Jose
>>
>> On Fri, Dec 18, 2015 at 5:08 PM, Jim Jagielski  wrote:
>> In general, if you prepend the URL w/ 'proxy:' and then
>> use it in a subrequest, it will be processed as a proxy
>> request.
>>> On Dec 17, 2015, at 9:21 AM, Jose Thomas  wrote:
>>>
>>> All,
>>>
>>> I am using httpd 2.4 with mod_proxy (http) routing requests to multiple 
>>> backends.
>>>
>>> I have a strange requirement. If a backend responds with a custom response 
>>> code - i need to re-execute the request to a different backend.
>>>
>>> What would be the right way to implement this functionality ?
>>>
>>> I was looking at mod_lua for a solution. The idea is to use a 
>>> "LuaOutputFilter" to check the response code, and then re-execute the 
>>> request with a different backend. How can i refire the request ? Should i 
>>> use a lua httpclient library for this ? Is there a easier way to do this ?
>>>
>>> Any other suggestions/comments are welcome.
>>>
>>> Version of stack
>>> * Apache 2.4.6
>>> * Lua 5.1.4
>>>
>>> Regards,
>>> Jose
>>> 
>>>
>>>
>>>
>>
>>
>>
>>
> 
> 
> 





Re: [users@httpd] Refiring requests to proxy backend

2015-12-18 Thread Daniel Gruno
I'm interested in knowing how you did it in mod_python. Do you use an
external http lib and process the result yourself? That's certainly also
possible with mod_lua.

With regards,
Daniel.

On 12/18/2015 05:12 PM, Daniel Gruno wrote:
> I think you need two phases here, as mod_lua doesn't itself do the
> proxying, but delegates it to mod_proxy.
> 
> First, http://modlua.org/recipes/loadbalancing will show you how to proxy.
> 
> Secondly, you could then set up a handler for the specific HTTP code
> using ErrorDocument or an output filter.
> 
> I haven't tried this myself (the 'act on return code'), but it should work.
> 
> With regards,
> Daniel.
> 
> On 12/18/2015 04:23 PM, Jim Jagielski wrote:
>> I'm not a mod_lua expert, esp as it relates to exposing the
>> full Apache httpd API... it is possible that using r.handler
>> and specifying the proxy may work.
>>
>>> On Dec 18, 2015, at 8:05 AM, Jose Thomas  wrote:
>>>
>>> Jim,
>>>
>>> Sorry, I could not find the documentation on how to do this using mod_lua. 
>>> Can you please point me there ? 
>>>
>>> In my current setup which is on httpd 2.2 - we use modpython. For routing 
>>> requests (based on a header) we use a simple python script. For refiring 
>>> the request (when a custom response code is received), another python 
>>> script is configured in a "PythonOutputFilter". That script internally uses 
>>> the python requests library. 
>>>
>>> We are upgrading to httpd 2.4 and wanted to see if this code can be ported 
>>> to mod_lua. I have already ported the first script (routing) to lua. Where 
>>> i am clueless, is how to resend the request to backend for the 2nd script 
>>> in a "LuaOutputFilter".
>>>
>>> Thanks & regards,
>>> Jose
>>>
>>> On Fri, Dec 18, 2015 at 5:08 PM, Jim Jagielski  wrote:
>>> In general, if you prepend the URL w/ 'proxy:' and then
>>> use it in a subrequest, it will be processed as a proxy
>>> request.
>>>> On Dec 17, 2015, at 9:21 AM, Jose Thomas  wrote:
>>>>
>>>> All,
>>>>
>>>> I am using httpd 2.4 with mod_proxy (http) routing requests to multiple 
>>>> backends.
>>>>
>>>> I have a strange requirement. If a backend responds with a custom response 
>>>> code - i need to re-execute the request to a different backend.
>>>>
>>>> What would be the right way to implement this functionality ?
>>>>
>>>> I was looking at mod_lua for a solution. The idea is to use a 
>>>> "LuaOutputFilter" to check the response code, and then re-execute the 
>>>> request with a different backend. How can i refire the request ? Should i 
>>>> use a lua httpclient library for this ? Is there a easier way to do this ?
>>>>
>>>> Any other suggestions/comments are welcome.
>>>>
>>>> Version of stack
>>>> * Apache 2.4.6
>>>> * Lua 5.1.4
>>>>
>>>> Regards,
>>>> Jose
>>>> 
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>>
>>
>>
>>
> 
> 
> 





Re: [users@httpd] Refiring requests to proxy backend

2015-12-18 Thread Daniel Gruno
On 12/18/2015 05:30 PM, Jose Thomas wrote:
> Daniel,
> 
> I have successfully implemented the router in lua using a lua script
> called from a "LuaHookFixups" directive.
> 
> LuaHookFixups /var/www/lua/myscript.lua router
> 
> -- /var/www/lua/myscript.lua
> function router(r)
>     local route = get_route(r)
>     if route then
>         r.filename = "proxy:balancer://" .. route .. r.uri
>     end
>     return apache2.DECLINED
> end
> 
> 
> For the second requirement- i wired up a LuaOutputFilter which can catch
> the custom response code. What i was not able to figure out was how to
> send the request back to the backend.
> 
> LuaOutputFilter myfilter /var/www/lua/myscript.lua output_filter
> 
> function output_filter(r)
>     if r.status ~= 399 then
>         return
>     end
>
>     coroutine.yield()
>     while bucket ~= nil do
>         coroutine.yield(bucket)
>     end
>     coroutine.yield()
> end
> 
> Is it possible to retry the request again from the output filter ?

Not via httpd itself currently (I'm looking into hacking that), but you
can use an external http lib to fire off another request to the backend.

I'll keep you posted if I find a smart way to re-fire mod_proxy on demand.

With regards,
Daniel.

> 
> Regards,
> Jose
> 
> On Fri, Dec 18, 2015 at 9:42 PM, Daniel Gruno wrote:
> 
> I think you need two phases here, as mod_lua doesn't itself do the
> proxying, but delegates it to mod_proxy.
> 
> First, http://modlua.org/recipes/loadbalancing will show you how to
> proxy.
> 
> Secondly, you could then set up a handler for the specific HTTP code
> using ErrorDocument or an output filter.
> 
> I haven't tried this myself (the 'act on return code'), but it
> should work.
> 
> With regards,
> Daniel.
> 
> On 12/18/2015 04:23 PM, Jim Jagielski wrote:
> > I'm not a mod_lua expert, esp as it relates to exposing the
> > full Apache httpd API... it is possible that using r.handler
> > and specifying the proxy may work.
> >
> >> On Dec 18, 2015, at 8:05 AM, Jose Thomas wrote:
> >>
> >> Jim,
> >>
> >> Sorry, I could not find the documentation on how to do this using
> mod_lua. Can you please point me there ?
> >>
> >> In my current setup which is on httpd 2.2 - we use modpython. For
> routing requests (based on a header) we use a simple python script.
> For refiring the request (when a custom response code is received),
> another python script is configured in a "PythonOutputFilter". That
> script internally uses the python requests library.
> >>
> >> We are upgrading to httpd 2.4 and wanted to see if this code can
> be ported to mod_lua. I have already ported the first script
> (routing) to lua. Where i am clueless, is how to resend the request
> to backend for the 2nd script in a "LuaOutputFilter".
> >>
> >> Thanks & regards,
> >> Jose
> >>
> >> On Fri, Dec 18, 2015 at 5:08 PM, Jim Jagielski wrote:
> >> In general, if you prepend the URL w/ 'proxy:' and then
> >> use it in a subrequest, it will be processed as a proxy
> >> request.
> >>> On Dec 17, 2015, at 9:21 AM, Jose Thomas wrote:
> >>>
> >>> All,
> >>>
> >>> I am using httpd 2.4 with mod_proxy (http) routing requests to
> multiple backends.
> >>>
> >>> I have a strange requirement. If a backend responds with a
> custom response code - i need to re-execute the request to a
> different backend.
> >>>
> >>> What would be the right way to implement this functionality ?
> >>>
> >>> I was looking at mod_lua for a solution. The idea is to use a
> "LuaOutputFilter" to check the response code, and then re-execute
> the request with a different backend. How can i refire the request ?
> Should i use a lua httpclient library for this ? Is there a easier
> way to do this ?
> >>>
> >>> Any other suggestions/comments are welcome.
> >>>
> >>> Version of stack
> >>> * Apache 2.4.6
> >>> * Lua 5.1.4
> >>>
>   

Re: [users@httpd] Re: Dual private access: allow use of either client cert. or one-time password?

2016-01-11 Thread Daniel Gruno
My actual reply is stuck in moderation, as I sent it from the wrong address.

Have patience, it'll be there soon enough :)

On 01/11/2016 01:21 PM, Tom Browder wrote:
> Anyone?
> 
> On Tuesday, January 5, 2016, Tom Browder wrote:
> 
> First, Happy New Year, all!
> 
> My site currently successfully uses client TLS certs. for access to
> its private area. I would like to add the capability of a one-time
> password sent to the user's e-mail to authenticate the user and then
> allow that user access to the private area for a limited time.
> 
> I believe I know how to control the password and session handling, but
> how should the directory block in my httpd conf file look?
> 
> My current directory configuration block for TLS only looks like this
> (Apache 2.4.16):
> 
>   
>SSLOptions +StrictRequire
>SSLVerifyClient require
>SSLVerifyDepth 1
># do NOT allow dir listings
>Options -Indexes
>   
> 
> Is it possible to allow another authentication method to the above?
> 
> If so, can anyone give me a secure example?
> 
> Thanks so much.
> 
> Best regards,
> 
> -Tom
> 





Re: [users@httpd] Re: Dual private access: allow use of either client cert. or one-time password?

2016-01-11 Thread Daniel Gruno
In short, see 
https://serverfault.com/questions/577835/apache-ssl-certificate-and-basic-auth-combination-password-if-no-certificate
 (longer email is pending moderation, I believe)

With belated regards,
Daniel

On 2016-01-11 13:21, Tom Browder  wrote: 
> Anyone?
> 
> On Tuesday, January 5, 2016, Tom Browder  wrote:
> 
> > First, Happy New Year, all!
> >
> > My site currently successfully uses client TLS certs. for access to
> > its private area. I would like to add the capability of a one-time
> > password sent to the user's e-mail to authenticate the user and then
> > allow that user access to the private area for a limited time.
> >
> > I believe I know how to control the password and session handling, but
> > how should the directory block in my httpd conf file look?
> >
> > My current directory configuration block for TLS only looks like this
> > (Apache 2.4.16):
> >
> >   
> >SSLOptions +StrictRequire
> >SSLVerifyClient require
> >SSLVerifyDepth 1
> ># do NOT allow dir listings
> >Options -Indexes
> >   
> >
> > Is it possible to allow another authentication method to the above?
> >
> > If so, can anyone give me a secure example?
> >
> > Thanks so much.
> >
> > Best regards,
> >
> > -Tom
> >
> 
--
Sent via Pony Mail for users@httpd.apache.org. 
View this email online at:
https://pony-poc.apache.org/list.html?users@httpd.apache.org




Re: [users@httpd] Re: Dual private access: allow use of either client cert. or one-time password?

2016-01-11 Thread Daniel Gruno
User is un-subbed from this list now...*sigh*

On 01/11/2016 02:39 PM, IdealGourmet wrote:
> DON'T SEND MORE EMAIL HERE!!
> 
> -Original message-
> From: Tom Browder [mailto:tom.brow...@gmail.com]
> Sent: Monday, 11 January 2016 14:34
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Re: Dual private access: allow use of either client
> cert. or one-time password?
> 
> On Mon, Jan 11, 2016 at 6:37 AM, Daniel Gruno  wrote:
>> In short, see
>> https://serverfault.com/questions/577835/apache-ssl-certificate-and-basic-auth-combination-password-if-no-certificate
>> (longer email is pending moderation, I believe)
> 
> Thanks, Daniel.  My bad, I forgot to check there.  It seems to answer most of 
> my questions.  I'll work on another strawman directory entry for critique.
> 
> Best regards,
> 
> -Tom
> 
> 
> 
> 
> 





Re: [users@httpd] mod_lua and subprocess_env

2017-02-14 Thread Daniel Gruno
On 02/14/2017 12:38 PM, Andrei Ivanov wrote:
> Hi,
> I'm trying to create a lua authorization script but I can't seem to
> access the request environment:
> 
> require 'apache2'
> 
> function authz_check_remote_ip_in_client_san(r)
> r:err("remote_ip_in_client_san running...");
> r:alert("uri: " .. r.uri);
> r:alert("useragent_ip: " .. r.useragent_ip);
> local ip = r.subprocess_env["REMOTE_ADDRESS"];
> r:crit("REMOTE_ADDRESS: " .. (ip or "N/A"));
> r:emerg("SSL_CLIENT_SAN_IPaddr: " ..
> (r.subprocess_env["SSL_CLIENT_SAN_IPaddr"] or "N/A"));


use r:ssl_var_lookup("SSL_CLIENT_SAN_IPaddr") instead.
r:ssl_var_lookup does the special SSL vars.

With regards,
Daniel.

> 
> return apache2.AUTHZ_GRANTED
> end
> 
> The logs show entries like this for the values accessed from
> r.subprocess_env:
> REMOTE_ADDRESS: N/A
> SSL_CLIENT_SAN_IPaddr: N/A
> 
> 
> LuaScope thread
> LuaAuthzProvider remote_ip_in_client_san
> /etc/httpd/authz/authz_check_remote_ip_in_client_san.lua
> authz_check_remote_ip_in_client_san
> 
> Require remote_ip_in_client_san
> 
> # these don't seem to work so I'm trying to implement them in a LUA
> script
> #NSSRequire %{REMOTE_ADDR} in %{SSL_CLIENT_SAN_IPaddr}
> #Require expr "%{REMOTE_ADDR} in %{SSL_CLIENT_SAN_IPaddr}"
> 
> 
> What am I doing wrong?
> 
> Thank you in advance.





Re: [users@httpd] mod_lua and subprocess_env

2017-02-14 Thread Daniel Gruno
On 02/14/2017 01:16 PM, Andrei Ivanov wrote:
> On Tue, Feb 14, 2017 at 1:59 PM, Daniel Gruno wrote:
> 
> On 02/14/2017 12:38 PM, Andrei Ivanov wrote:
> > Hi,
> > I'm trying to create a lua authorization script but I can't seem to
> > access the request environment:
> >
> > require 'apache2'
> >
> > function authz_check_remote_ip_in_client_san(r)
> > r:err("remote_ip_in_client_san running...");
> > r:alert("uri: " .. r.uri);
> > r:alert("useragent_ip: " .. r.useragent_ip);
> > local ip = r.subprocess_env["REMOTE_ADDRESS"];
> > r:crit("REMOTE_ADDRESS: " .. (ip or "N/A"));
> > r:emerg("SSL_CLIENT_SAN_IPaddr: " ..
> > (r.subprocess_env["SSL_CLIENT_SAN_IPaddr"] or "N/A"));
> 
> 
> What about r.subprocess_env["REMOTE_ADDRESS"]? Shouldn't that work at least?

Not exactly, this isn't CGI - the remote IP is exposed through
r.useragent_ip. Getting environment variables is tricky since the Lua VM
is sort of detached from the actual thread handling the request.

>  
> 
> use r:ssl_var_lookup("SSL_CLIENT_SAN_IPaddr") instead.
> r:ssl_var_lookup does the special SSL vars.
> 
> 
> I don't get a nil now anymore, but I seem to get back an empty string :-(
> SSL_CLIENT_SAN_IPaddr should be exposed by mod_nss, activated in this
> virtual host.

If it's not exposed by mod_ssl, then it may not be available through
that call. You should try finding the corresponding mod_ssl variable if
possible.

>  
> 
> 
> With regards,
> Daniel.
> 
> >
> > return apache2.AUTHZ_GRANTED
> > end
> >
> > The logs show entries like this for the values accessed from
> > r.subprocess_env:
> > REMOTE_ADDRESS: N/A
> > SSL_CLIENT_SAN_IPaddr: N/A
> >
> >
> > LuaScope thread
> > LuaAuthzProvider remote_ip_in_client_san
> > /etc/httpd/authz/authz_check_remote_ip_in_client_san.lua
> > authz_check_remote_ip_in_client_san
> > 
> > Require remote_ip_in_client_san
> >
> > # these don't seem to work so I'm trying to implement them in a LUA
> > script
> > #NSSRequire %{REMOTE_ADDR} in %{SSL_CLIENT_SAN_IPaddr}
> > #Require expr "%{REMOTE_ADDR} in %{SSL_CLIENT_SAN_IPaddr}"
> > 
> >
> > What am I doing wrong?
> >
> > Thank you in advance.
> 
> 
> 
> 





Re: [users@httpd] mod_lua and subprocess_env

2017-02-14 Thread Daniel Gruno
On 02/14/2017 01:24 PM, Andrei Ivanov wrote:
> On Tue, Feb 14, 2017 at 2:19 PM, Daniel Gruno wrote:
> 
> On 02/14/2017 01:16 PM, Andrei Ivanov wrote:
> > On Tue, Feb 14, 2017 at 1:59 PM, Daniel Gruno wrote:
> >
> > On 02/14/2017 12:38 PM, Andrei Ivanov wrote:
> > > Hi,
> > > I'm trying to create a lua authorization script but I can't seem 
> to
> > > access the request environment:
> > >
> > > require 'apache2'
> > >
> > > function authz_check_remote_ip_in_client_san(r)
> > > r:err("remote_ip_in_client_san running...");
> > > r:alert("uri: " .. r.uri);
> > > r:alert("useragent_ip: " .. r.useragent_ip);
> > > local ip = r.subprocess_env["REMOTE_ADDRESS"];
> > > r:crit("REMOTE_ADDRESS: " .. (ip or "N/A"));
> > > r:emerg("SSL_CLIENT_SAN_IPaddr: " ..
> > > (r.subprocess_env["SSL_CLIENT_SAN_IPaddr"] or "N/A"));
> >
> >
> > What about r.subprocess_env["REMOTE_ADDRESS"]? Shouldn't that work at 
> least?
> 
> Not exactly, this isn't CGI - the remote IP is exposed through
> r.useragent_ip. Getting environment variables is tricky since the Lua VM
> is sort of detached from the actual thread handling the request.
> 
> 
> I was using the REMOTE_ADDRESS since it was used as an example in a post :-)
> http://lua-users.org/lists/lua-l/2010-07/msg00671.html
> Is subprocess_env working at all?

Shortest answer I can think of is: Yes, but it doesn't do what you think
it does. It's not equivalent to os.getenv().

Perhaps later I'll elaborate on that...when I have my brain with me.

> 
> 
> >
> >
> > use r:ssl_var_lookup("SSL_CLIENT_SAN_IPaddr") instead.
> > r:ssl_var_lookup does the special SSL vars.
> >
> >
> > I don't get a nil now anymore, but I seem to get back an empty string 
> :-(
> > SSL_CLIENT_SAN_IPaddr should be exposed by mod_nss, activated in this
> > virtual host.
> 
> If it's not exposed by mod_ssl, then it may not be available through
> that call. You should try finding the corresponding mod_ssl variable if
> possible.
> 
> I'm using mod_nss exactly because mod_ssl doesn't expose that variable
> and my issue that requests that is sitting ignored for 2 months now :-(
> I was hoping this would help:
> 
> NSSOptions +StdEnvVars
> 
> 
>  
> 
> >
> >
> >
> > With regards,
> > Daniel.
> >
> > >
> > > return apache2.AUTHZ_GRANTED
> > > end
> > >
> > > The logs show entries like this for the values accessed from
> > > r.subprocess_env:
> > > REMOTE_ADDRESS: N/A
> > > SSL_CLIENT_SAN_IPaddr: N/A
> > >
> > >
> > > LuaScope thread
> > > LuaAuthzProvider remote_ip_in_client_san
> > > /etc/httpd/authz/authz_check_remote_ip_in_client_san.lua
> > > authz_check_remote_ip_in_client_san
> > > 
> > > Require remote_ip_in_client_san
> > >
> > > # these don't seem to work so I'm trying to implement them in 
> a LUA
> > > script
> > > #NSSRequire %{REMOTE_ADDR} in %{SSL_CLIENT_SAN_IPaddr}
> > > #Require expr "%{REMOTE_ADDR} in %{SSL_CLIENT_SAN_IPaddr}"
> > > 
> > >
> > > What am I doing wrong?
> > >
> > > Thank you in advance.
> >
> >
> > 
> >
> >
> 
> 
> 
> 





Re: [users@httpd] filtering by IP SAN entries in the client certificate

2017-02-15 Thread Daniel Gruno
On 02/15/2017 11:31 AM, Andrei Ivanov wrote:
> Hi,
> I have a requirement to check incoming requests, something that would be
> succinctly expressed this way:
> 
> 
> Require expr "%{REMOTE_ADDR} in %{SSL_CLIENT_SAN_IPaddr}"
> 
> 
> This would check that the request IP address is among the IP addresses
> in the client certificate.
> 
> Unfortunately, this doesn't work:
> 1. SSL_CLIENT_SAN_IPaddr is not exposed by mod_ssl, but I've switched to
> mod_nss, which exports it
> 2. The expression evaluation engine doesn't know how to evaluate this
> kind of expression
> 3. I've tried using mod_lua for the expression, but it can't access this
> kind of environment variables (and the SSL specific only if exposed by
> mod_ssl, not other modules, like mod_nss)

Have you tried using a rewriterule hack to pass the var?
RewriteRule .* - [E=sanip:%{SSL:SSL_CLIENT_SAN_IPaddr}]

that would expose it in mod_lua as r.subprocess_env['sanip'], provided
mod_nss actually exposes it.

> 
> I have run out of ideas on what to try.
> 
> Please help.
> 
> Thank you.


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
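
An added example, not part of the thread and not code from either poster: a mod_lua authorization provider for the check discussed above, taking the client address from `r.useragent_ip` and the SAN value from the `sanip` variable set by the RewriteRule workaround, and denying when the value is missing or does not match exactly. The helper names `parse_san_ips` and `ip_in_san` are hypothetical, and the format of the SAN value (one string of addresses separated by commas, semicolons or whitespace) is an assumption to check against what mod_nss actually exports.

```lua
-- Added example, not from the thread. Loaded by mod_lua via LuaAuthzProvider.
-- Assumption: "sanip" was filled in by the RewriteRule [E=sanip:...] workaround
-- and holds one or more addresses separated by commas, semicolons or whitespace.
pcall(require, 'apache2')   -- present under mod_lua, absent in a plain interpreter

-- Turn the SAN string into a set of address tokens (hypothetical helper).
local function parse_san_ips(san)
    local set = {}
    if type(san) ~= "string" then
        return set
    end
    for token in san:gmatch("[^,;%s]+") do
        -- Lower-case so IPv6 hex digits compare equal; differently
        -- abbreviated IPv6 forms will still not match and are denied.
        set[token:lower()] = true
    end
    return set
end

-- Pure decision (hypothetical helper): exact token match only, never a
-- substring search, so 10.0.0.1 is not accepted because the certificate
-- lists 10.0.0.10.
local function ip_in_san(remote_ip, san)
    if type(remote_ip) ~= "string" or remote_ip == "" then
        return false
    end
    return parse_san_ips(san)[remote_ip:lower()] == true
end

function authz_check_remote_ip_in_client_san(r)
    local remote_ip = r.useragent_ip          -- client address as httpd sees it
    local san = r.subprocess_env["sanip"]     -- nil or "" if nothing exported it
    if ip_in_san(remote_ip, san) then
        return apache2.AUTHZ_GRANTED
    end
    -- Fail closed: a missing or empty SAN value is a denial, not a grant.
    r:warn("client " .. tostring(remote_ip) .. " not listed in certificate IP SANs")
    return apache2.AUTHZ_DENIED
end

-- Offline self-check on constructed values; skipped when running inside httpd.
if not apache2 then
    assert(ip_in_san("192.0.2.7", "10.0.0.10, 192.0.2.7"))
    assert(not ip_in_san("10.0.0.1", "10.0.0.10, 192.0.2.7"))   -- prefix only
    assert(not ip_in_san("192.0.2.7", ""))                      -- empty SAN
    assert(not ip_in_san("192.0.2.7", nil))                     -- variable unset
    assert(ip_in_san("2001:DB8::1", "2001:db8::1"))             -- case-insensitive
end
```

The empty-string case is the one reported earlier in the thread for `r:ssl_var_lookup`; with this provider it results in a denial and a warning in the error log.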



Re: [users@httpd] Apache httpd 2.4.27 SSL

2017-08-20 Thread Daniel Gruno
On 08/20/2017 04:36 PM, Fady Haikal wrote:
> Dear Team,
> I have installed httpd 2.4.27 with SSL and while trying to verify the
> httpd-ssl.com  file the below error appear but the
> server can be started normally and accessible through https:
> 
> AH00526: Syntax error on line 52 of
> /Apache/httpd-2.4.27/conf/extra/httpd-ssl.conf:
> Invalid command 'SSLCipherSuite', perhaps misspelled or defined by a
> module not included in the server configuration
> 
> After deep troubleshooting, the httpd-ssl file will be verified correctly
> 'Syntax Ok' if we moved all the configuration of loading the modules
> from httpd.conf to httpd-ssl.conf (eg. LoadModule ssl_module
> modules/mod_ssl.so)

This is likely a simple lexicographic ordering issue.
httpd-ssl.conf may be loaded before httpd.conf, in which case the
modules haven't been loaded before you use their directives. In order to
further debug the issue, you would have to share your layout of the
config dir as well as the distro you use for the system (debian, arch,
ubuntu, fedora etc).

With regards,
Daniel.

> 
> Please let me know if this is the correct configuration on the new
> versions or it's a bug on this version
> 
> Regards,
> Fady
> 





Re: [users@httpd] CSP nonces in apache

2017-09-07 Thread Daniel Gruno
On 09/07/2017 07:46 PM, Luis Speciale wrote:
> Hello;
> 
> I wanted to have CSP nonces in apache. Something like this in NGINX
> https://scotthelme.co.uk/csp-nonce-support-in-nginx/
> The idea is to generate a number, put this number in the CSP nonce (the
> header) and then replicate this number in every inline script.
> 
> So in my httpd-vhosts.conf I did this
> 
> Define numbnonce %{UNIQUE_ID}e
>
> SubstituteInheritBefore on
> AddOutputFilterByType SUBSTITUTE text/html
> Substitute "s|()|$1 nonce-$numbnonce$2|i"
> Substitute "s|()|$1 nonce-$numbnonce$2|i"

Quick spot-check says you should probably change '.)*)' to ').*)'
Also, the env vars need to be ${}'ed.
Assuming you want to inject nonce-foo into all non-external scripts, I
would shorten it to something like:

s|<(style|script)\s*((?!src=).*)>|<$1 nonce-${numbnonce} $2>|

> 
> Header set Content-Security-Policy "default-src 'self'; connect-src
> 'self' ; script-src 'self' 'nonce-${numbnonce}'; style-src 'self'
> 'nonce-${numbnonce}';"
> 
> The variable appears in the headers  ('nonce-WbGA@8CoABAAADceEfUP')
> but it doesn't in the substitution (

Re: [users@httpd] CSP nonces in apache

2017-09-07 Thread Daniel Gruno
On 09/07/2017 08:30 PM, Luis Speciale wrote:
> Le 07/09/2017 à 19:53, Daniel Gruno a écrit :
> 
> Thank you for your answer.
> 
>> Quick spot-check says you should probably change '.)*)' to ').*)'
> 
> I tried this but it doesn't seem to work.
> 
>> Also, the env vars need to be ${}'ed.
> 
> Ok,  I got it.
> 
>> Assuming you want to inject nonce-foo into all non-external scripts, I
>> would shorten it to something like:
>>
>> s|<(style|script)\s*((?!src=).*)>|<$1 nonce-${numbnonce} $2>|
> 
> When i do like you said, I have an error
> Bad Substitute flag, only s///[infq] are supported
> I imagine it's because the extra pipe.
> But even without it
> Substitute "s|<(style)\s*((?!src=).*)>|<$1 nonce-${numbnonce} $2>|i"
> I have no substitution at all.

Try:

Substitute "s/<(style|script)((?!\s*src=).*)>/<$1 nonce-${numbnonce} $2>/i"

> 
> Luis
> 
> 





Re: [users@httpd] CSP nonces in apache

2017-09-07 Thread Daniel Gruno
On 09/07/2017 08:54 PM, Luis Speciale wrote:
> Le 07/09/2017 à 20:36, Daniel Gruno a écrit :
>> On 09/07/2017 08:30 PM, Luis Speciale wrote:
>>> Le 07/09/2017 à 19:53, Daniel Gruno a écrit :
>>>
>>> Thank you for your answer.
>>>
>>>> Quick spot-check says you should probably change '.)*)' to ').*)'
>>>
>>> I tried this but it doesn't seem to work.
>>>
>>>> Also, the env vars need to be ${}'ed.
>>>
>>> Ok,  I got it.
>>>
>>>> Assuming you want to inject nonce-foo into all non-external scripts, I
>>>> would shorten it to something like:
>>>>
>>>> s|<(style|script)\s*((?!src=).*)>|<$1 nonce-${numbnonce} $2>|
>>>
>>> When i do like you said, I have an error
>>> Bad Substitute flag, only s///[infq] are supported
>>> I imagine it's because the extra pipe.
>>> But even without it
>>> Substitute "s|<(style)\s*((?!src=).*)>|<$1 nonce-${numbnonce} $2>|i"
>>> I have no substitution at all.
>>
>> Try:
>>
>> Substitute "s/<(style|script)((?!\s*src=).*)>/<$1 nonce-${numbnonce}
>> $2>/i"
> 
> Now it substitutes 

Re: [users@httpd] CSP nonces in apache

2017-09-11 Thread Daniel Gruno
On 09/11/2017 10:48 AM, Luis Speciale wrote:
> Le 07/09/2017 à 20:57, Daniel Gruno a écrit :
> 
>>
>> might be that you need to uppercase it to NUMBNONCE.
> 
> After a week trying I'm beginning to think that it can't be done the way
> I thought. Is there a way (another, of course) to achieve this?

It SHOULD work.
I tested the following:

SubstituteInheritBefore on
# Forcing substitute on everything
SetOutputFilter SUBSTITUTE
Define NUMBNONCE "1234"
Substitute "s/<(script|style)((?!\s*src=)?.*)>/<$1  nonce-${NUMBNONCE}$2>/i"

My HTML then showed "

Re: [users@httpd] CSP nonces in apache

2017-09-11 Thread Daniel Gruno
On 09/11/2017 11:51 AM, Luis Speciale wrote:
> Le 11/09/2017 à 11:38, Mitchell Krog Photography a écrit :
>> As per the original article from Scott Helme that you initially
>> referred to, you will need to generate a random string yourself.
>> Something like this might help you in the right direction -
>> https://gist.github.com/earthgecko/3089509
> 
> 
> I was trying to do this with %{UNIQUE_ID} and %{TIME}, but these
> variables work in the httpd config but they appear literally in the
> content. I need an idea or a suggestion about how to achieve this
> otherwise, and that's what I can't figure out.
> 
> Thanks for the answer.

You could alternately use mod_lua as an output filter.

LuaOutputFilter fixupNonce /path/to/nonce.lua nonce
# or AddOutputFilterByType
SetOutputFilter fixupNonce


and then in nonce.lua, you'd have:

function fixNonce(stype, str)
   -- tags that load an external resource (src=) are left untouched
   if str:match("src=") then
      return ("<%s%s>"):format(stype, str)
   else
      return ("<%s nonce-%s %s>"):format(stype, nid, str)
   end
end

function nonce(r)
   coroutine.yield()
   -- make a random nonce ID for this session
   nid = r:sha1(math.random() .. r.useragent_ip)
   -- for each bucket, substitute script/style if internal
   while bucket do
      bucket = bucket:gsub("<(script)(%s*.-)>", fixNonce)
      bucket = bucket:gsub("<(style)(%s*.-)>", fixNonce)
      coroutine.yield(bucket)
   end
end



> 
> Luis
> 
> 
> 





Re: [users@httpd] How to update the Windows ”platform page”?

2013-03-13 Thread Daniel Gruno
On 03/13/2013 02:00 AM, Ben Johnson wrote:
> 
> 
> On 3/11/2013 4:20 PM, Peter Lorenzen wrote:
>> Hi,
>>
>> I just realized that the reason there is no Windows binaries for 2.2.23
>> and 2.2.24 is that the Apache Foundation does not provide the binaries
>> and whoever provided them before does not anymore.
>>
> 
> The first part is true. It's good to see that you have done your
> homework. :) As for the second part, that may not be true, necessarily.
> 
>>  
>>
>> I have assumed that the reason they were not available was because the
>> bugs fixed with the two releases were not a problem for Windows.
>>
> 
> That may very well be, but only the individual(s) creating the binaries
> can say with certainty. If said individual has retired, we may never know.
> 
>>  
>>
>> It might be naïve, but how should I know? I can find no mention of this
>> on http://httpd.apache.org.
>>
>>  
>>
>> http://httpd.apache.org/docs/2.2/platform/windows.html just states that
>> the latest downloads can be found at http://httpd.apache.org/download.cgi.
>>
>>  
>>
>> I think it would be very prudent to update the Windows platform page so
>> it reflects the reality for nobs like me.
>>
> 
> I agree.
> 
>>  
>>
>> I would not in a million years have downloaded binaries from
>> http://www.apachelounge.com so I
>> would also be nice with a link to them if this is considered a safe way
>> of getting the binaries.
>>
> 
> Again, I agree. If ASF will not or cannot provide binaries (I don't
> blame it for not providing them, given the overhead associated with
> doing so), it should provide recommendations (not to be confused with
> endorsements).
> 
>>  
>>
>> How do I go about getting the page updated? Can I somehow do it myself?
>> If not who can I contact?
>>
> 
> Paging Dr. Kew... I'm sure that others can answer this question
> (unfortunately, I cannot), but Nick Kew (a frequent poster to this list,
> and ASF developer, if I'm not mistaken) seems to be plugged into the
> development pipeline. Presumably, you would need commit access to modify
> the documentation yourself. Perhaps someone else on this list can
> provide more information if you wish to gain commit access.
> 
>>  
>>
>> Thanks
>>
>> Peter
>>
> 
> Be well!
> 
> -Ben
> 
> 
If you want the documentation or home page to be changed, it is often
better to ping d...@httpd.apache.org than this mailing list. I've CC'ed
them this letter, in case you want to continue the discussion in the forum.

With regards,
Daniel.




Re: [users@httpd] Set response header based on another response header?

2013-04-05 Thread Daniel Gruno
On 04/05/2013 01:23 PM, Esmond Pitt wrote:
> Can't be done. You can only set an environment variable based on a
> *request* header.
>  
> EJP
Not entirely true, you can do this quite easily with filters, and I use
it often for that exact purpose (except I don't use the Pragma thing, I
do other transformations). You can either write a filter module
yourself, or you can use mod_lua from trunk (we need to backport this ;(
) and use the guide in the documentation to create an output filter that
just sets a header based on another header and then returns (thus
skipping the actual filtering, but still setting the header).

This might be a bit more than a configuration directive, but
nonetheless, it _is_ possible to modify/set one response header based on
another.

With regards,
Daniel




Re: [users@httpd] Query regarding "mod_rewrite" module when handling URLs, containing "POST" data

2013-09-03 Thread Daniel Gruno
On 09/03/2013 09:06 PM, Ajay Garg wrote:
> Hi all.
> 
> In our setup, we need to do conditional-redirects.
> Till now, we were able to accomplish them, by using a smart combination
> of "RewriteCond", "RewriteRule" and "QSA".
> 
> However, we now face a situation, wherein we need to do re-directs, only
> if the original-URL does not contain POST-variables/parameters (although
> they may contain any number of GET-variables). Going through the
> "mod_rewrite" documentation, I could not find any way to do
> conditional-redirect, for URLs containing POST-variables/parameters.
> 
> 
> Is it even possible to accomplish via HTTPD?
> If yes, I will be grateful for pointers :)
> 
> 
> 
> Thanks and Regards,
> Ajay
Here's a hint:

RewriteCond %{REQUEST_METHOD} ^POST$
RewriteRule ..

With regards,
Daniel.




Re: [users@httpd] Re: !!! Urgently need apache 2.4.3 source code Urgent due to heartbleed bug]

2014-04-10 Thread Daniel Gruno
On 04/10/2014 09:42 AM, Sachin Goyal wrote:
> Where can I find apache 2.4.3 source code to download?
> I have apache 2.4.3 binaries running in production server but i
> don't that source code.
> 
> Now I need to rebuild apache 2.4.3 with latest version of openssl
> 1.0.1 g so I am urgent need of apache2.4.3 source code.
> 
> Can someone guide me ?
> 
> Thanks
> Sachin
> 
> 
Just run:
svn co https://svn.apache.org/repos/asf/httpd/httpd/tags/2.4.3/

and build :)

With regards,
Daniel.




Re: [users@httpd] Preserve protocol in httpd proxy

2014-05-31 Thread Daniel Gruno
...Or with mod_lua at a 1/10th of the price of mod_rewrite if configured
properly :-)

# httpd.conf:
LuaMapToStorage /path/to/script.lua proxyhandler

-- script.lua:
function proxyhandler(r)
  r.handler  = "proxy-server"
  r.proxyreq = apache2.PROXYREQ_REVERSE -- or whatever you like.
  -- compare case-insensitively: clients commonly send "websocket"
  local upgrade = (r.headers_in['Upgrade'] or ""):lower()
  if upgrade == "websocket" then
    r.filename = "proxy:ws://backend:8080" .. r.uri
  else
    r.filename = "proxy:http://backend:8080" .. r.uri
  end
  return apache2.OK
end

With regards,
Daniel.

On 05/31/2014 05:53 PM, Jim Jagielski wrote:
> I'm sure we can do w/ mod_rewrite... it's just that
> it's soo expensive :)
> 
> On May 30, 2014, at 3:40 PM, Ruediger Pluem  wrote:
> 
>>
>>
>> Jim Jagielski wrote:
>>> Off the top of my head, I think we would need to
>>> add another proxypass option.
>>
>> Have you tried the following?
>>
>> RewriteEngine On
>> RewriteCond %{HTTP:Upgrade} =WebSocket [NC,NV]
>> RewriteRule ^/(.*) ws://my.backend:8080/$1 [P]
>> RewriteRule ^/(.*) http://my.backend:8080/$1 [P]
>>
>>
>>
>> Regards
>>
>> Rüdiger
>>
> 
> 
> 





Re: [users@httpd] Re: Apache 2.4 - non adoption reasons??

2014-07-18 Thread Daniel Gruno
On 07/18/2014 07:31 PM, Good Guy wrote:
> On 18/07/2014 15:35, Eric Covener wrote:
>> On Fri, Jul 18, 2014 at 10:21  AM, David Favor 
>> wrote:
>>> Biggest problem is with Apache changing format of conf entries.
>>
>> What do you mean by the format?
>>
> 
> I think what he is talking about is that for each upgrades, apache
> becomes non-compliance with the previous version.  So if you plan to use
> the same conf file to speed up the implementation then you are likely to
> be stuck because some entries in the conf file won't work and throw out
> errors.
> 
> Upgrades should be about new features and new codes/syntax but the old
> one should still work.
> 
> 

What on earth are you all on about?

Order x,y still works
Allow from ... still works
Deny from ... still works

There is no earth shattering change in the configuration, merely a new
and better way of setting access and an old way - both are supported.

The old way has now moved to mod_access_compat because it's not the
preferred way of handling access, but it is nonetheless still supported.

The .conf issue is purely Debian's making (and is described in their
changes doc, if people would bother reading it), take it up with the
Debian folks.


With regards,
Daniel.




Re: [users@httpd] CSP nonces in apache

2017-09-11 Thread Daniel Gruno
I'll top-post.
You can't modify the headers with a filter, but you can change them
before the filtering starts...I think

The filter script starts with coroutine.yield().
before that, you can establish the nonce and set the header using either
r.headers_out or the more robust r.err_headers_out table.

so, you could ditch the Header directive in your httpd conf and change
the filter func as such:

function nonce(r)
  r.err_headers_out['Content-Security-Policy'] = "something here"
  coroutine.yield()
  while bucket do
...
   end
end


On 09/11/2017 05:00 PM, Luis Speciale wrote:
> Le 11/09/2017 à 12:02, Daniel Gruno a écrit :
> 
>>
>> You could alternately use mod_lua as an output filter.
>>
>> LuaOutputFilter fixupNonce /path/to/nonce.lua nonce
>> # or AddOutputFilterByType
>> SetOutputFilter fixupNonce
>>
>>
>> and then in nonce.lua, you'd have:
>>
>> function fixNonce(stype, str)
>>    if str:match("src=") then
>>       return ("<%s%s>"):format(stype, str)
>>    else
>>       return ("<%s nonce-%s %s>"):format(stype, nid, str)
>>    end
>> end
>>
>> function nonce(r)
>>    coroutine.yield()
>>    -- make a random nonce ID for this session
>>    nid = r:sha1(math.random() .. r.useragent_ip)
>>    -- for each bucket, substitute script/style if internal
>>    while bucket do
>>       bucket = bucket:gsub("<(script)(%s*.-)>", fixNonce)
>>       bucket = bucket:gsub("<(style)(%s*.-)>", fixNonce)
>>       coroutine.yield(bucket)
>>    end
>> end
> 
> 
> Well, I reinstalled apache with mod_lua and your code works. I mean it
> finds the scripts tags and adds the nonce. But I'm still unable to
> replicate the nonce in the header to make it work.
> 
> So if my header contains
> 
> Header set Content-Security-Policy "default-src 'self'; connect-src
> 'self' ; script-src 'self' 'nonce-123456789'"
> 
> I named it nonce-123456789 to easily change it.
> 
> 
> I have tried with this
> bucket = bucket:gsub("nonce-123456789%s", fixNonce)
> 
> But it doesn't works there.
> 
> After some Googling (I did researches with apache modify headers, apache
> set headers with lua), I tried this too
> 
> r.headers_out['Content-Security-Policy'] = "script-src 'self'
> 'nonce-123456789'"
> 
> Then I did this
> 
> function goNonce(stype, str)
> if str:match("nonce-123456789") then
> return ("%s nonce-%s %s"):format(stype, nid, str)
> end
> end
> 
> while bucket do
> bucket = bucket:gsub("<(123456789)(%s*.-)>", goNonce)
> 
> And a dozen of similar tries, but same results, makes nothing in the
> headers. Sorry to bother you again, but I can't see the way to do it.
> 
> Thanks again
> 
> Luis
> 
> 
> 


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
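
The two suggestions in this thread (rewrite the tags in a mod_lua output filter, and set the header before the first `coroutine.yield()`) combined into one filter, as an added example that is not code from the thread. It emits the `nonce="..."` attribute form that browsers compare against the `'nonce-...'` source in the policy, takes the value from `/dev/urandom` (assumes a Unix-like host), and holds back a tag that is split across two buckets; the helper names `new_nonce` and `add_nonce` are hypothetical.

```lua
-- nonce.lua: added example, not code from the thread.
-- httpd.conf:
--   LuaOutputFilter fixupNonce /path/to/nonce.lua nonce
--   AddOutputFilterByType fixupNonce text/html

local TAGS = { script = true, style = true }

-- 16 bytes from the kernel CSPRNG, hex-encoded.
-- ASSUMPTION: a Unix-like host that provides /dev/urandom.
local function new_nonce()
  local f = assert(io.open("/dev/urandom", "rb"))
  local bytes = f:read(16)
  f:close()
  assert(bytes and #bytes == 16, "short read from /dev/urandom")
  local hex = {}
  for i = 1, #bytes do
    hex[i] = ("%02x"):format(bytes:byte(i))
  end
  return table.concat(hex)
end

-- Add nonce="..." to inline <script>/<style> opening tags. Tags that carry
-- a src= or an existing nonce= attribute, and all other tags, are returned
-- unchanged (gsub keeps the original text when the callback returns nil).
local function add_nonce(html, value)
  return (html:gsub("<(%a+)([^>]*)>", function(tag, attrs)
    if not TAGS[tag:lower()] then return nil end
    local lower = attrs:lower()
    if lower:find("%ssrc%s*=") or lower:find("%snonce%s*=") then return nil end
    return ('<%s nonce="%s"%s>'):format(tag, value, attrs)
  end))
end

function nonce(r)
  local value = new_nonce()
  -- Set the header before the first yield, as suggested in the thread;
  -- the policy is the one from the Header directive quoted there.
  r.err_headers_out['Content-Security-Policy'] = table.concat({
    "default-src 'self'",
    "connect-src 'self'",
    ("script-src 'self' 'nonce-%s'"):format(value),
    ("style-src 'self' 'nonce-%s'"):format(value),
  }, "; ")
  coroutine.yield()

  local pending = ""
  while bucket do
    local data = pending .. bucket
    -- Hold back an unfinished tag at the end of this bucket so that it is
    -- rewritten together with its remainder from the next bucket.
    local cut = data:find("<[^>]*$")
    if cut then
      pending, data = data:sub(cut), data:sub(1, cut - 1)
    else
      pending = ""
    end
    coroutine.yield(add_nonce(data, value))
  end
  -- Flush whatever is still held back once the last bucket has been seen.
  if pending ~= "" then coroutine.yield(pending) end
end
```

With this filter in place the `Header set Content-Security-Policy` directive is dropped from the configuration, as the message above suggests. The filter stamps every inline tag that reaches it, including markup injected upstream, so the nonce only adds protection when the HTML arriving at the filter is trusted.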



Re: [users@httpd] CSP nonces in apache

2017-09-12 Thread Daniel Gruno
On 09/12/2017 09:32 AM, Luis Speciale wrote:
> Oh, my. It's NOT working. I fooled myself yesterday
> 
> :(

Which part in particular isn't working?

> 
> Luis
> 
> 





Re: [users@httpd] Where does ap_rprintf actually print out?

2017-10-13 Thread Daniel Gruno
On 10/13/2017 11:53 AM, eeadev dev wrote:
> Writing an apache C module I tried this function:
> 
> https://ci.apache.org/projects/httpd/trunk/doxygen/group__APACHE__CORE__PROTO.html#ga5e91eb6ca777c9a427b2e82bf1eeb81d
> 
> but I dont know where it does print out. Does it in any specific file?
> 
> I called it this way:
> 
>  ap_rprintf(r, "print out!");
> and checked in the error.log nor in the access.log

it prints a formatted string to the client (browser).

See http://httpd.apache.org/docs/2.4/developer/modguide.html for a good
primer on getting started.





Re: [users@httpd] Where does ap_rprintf actually print out?

2017-10-13 Thread Daniel Gruno
On 10/13/2017 12:10 PM, eeadev dev wrote:
> thanks, in the console browser?

your web browser, curl or whatever you use to communicate with httpd.
It prints in the _response body of the request_.

If you do ap_rprintf(r, "Hello, world!") then you will see "Hello,
world!" in your browser (chrome, firefox etc) when you visit a page run
by the module.

> 
> 2017-10-13 3:03 GMT-07:00 Daniel Gruno <humbed...@apache.org>:
> 
> On 10/13/2017 11:53 AM, eeadev dev wrote:
> > Writing an apache C module I tried this function:
> >
> > https://ci.apache.org/projects/httpd/trunk/doxygen/group__APACHE__CORE__PROTO.html#ga5e91eb6ca777c9a427b2e82bf1eeb81d
> >
> > but I dont know where it does print out. Does it in any specific file?
> >
> > I called it this way:
> >
> >  ap_rprintf(r, "print out!");
> > and checked in the error.log nor in the access.log
> 
> it prints a formatted string to the client (browser).
> 
> See http://httpd.apache.org/docs/2.4/developer/modguide.html for a good
> primer on getting started.
> 
> 





Re: [users@httpd] Re: [mod_lua] Successful arbitrary authentication with denied access on the resource results in a core:error AH00571 message in the logs about a missing AuthType

2018-03-15 Thread Daniel Gruno
On 03/15/2018 02:43 PM, Torsten Krah wrote:
> Opinions, anyone? Should i ask that on the dev list?
> 

It would help if you elaborated more. A one-liner won't help us much in
figuring out this issue.

What are you trying, what happens, and what did you expect?

With regards,
Daniel




Re: [users@httpd] Running Lua Script using mod_lua

2018-05-16 Thread Daniel Gruno

On 05/17/2018 08:21 AM, Luca Toscano wrote:

Hi,

2018-05-16 12:22 GMT+02:00 Hemant Chaudhary <hemantdude.chaudh...@gmail.com>:


Hi,

While running lua_script using mod_lua, I am getting this error in
error_log. What does it mean
"PANIC: unprotected error in call to Lua API (core and library have
incompatible numeric types)"


What version of Lua are you using? You can quickly check with something 
like ldd /usr/local/apache2/modules/mod_lua.so. It might be a mismatch 
between what you are trying to execute (the script) and what you are 
using as interpreter (mod_lua), but I haven't investigated it very well 
so I might be wrong :)


Almost! :)
It's an incompatibility between mod_lua's lua lib (typically 5.1 or 5.2) 
and a library that is being used (likely made for 5.3?). There were 
fundamental changes to how numbers work in 5.3, if I remember correctly, 
so you would either have to use a library that works with 5.1/5.2, OR 
recompile mod_lua with the 5.3 library and headers.




Hope that helps,

Luca






Re: [users@httpd] Oddity using FallbackResource in PHP development

2018-06-08 Thread Daniel Gruno
Do you have a handler configured for .php that might interfere here? If 
you have something like mod_php or fpm handling .php extensions, that 
may take over from the generic file handler (which is what 
FallbackResource works for) and try to serve it instead.


A solution, if this is the case, would be to only assign that handler to 
route.php, and not .php in general.


On 06/08/2018 06:47 PM, Benjamin Smith wrote:
Apache is returning 404 when an invalid PHP script is called, even 
though  FallbackResource is configured and working fine for invalid 
scripts without the .php extension.


Said another way, when I use FallbackResource, with a PHP file as the 
target, it works fine only when I don't reference an invalid PHP file. 
When I do, it doesn't work. I've spent hours poring over documentation 
and pounding on Google to no avail.



### Configuration ###
CentOS 6/64, stock install, all updates applied.
Apache 2.4.6
php 5.4.16

Document root has a single PHP file "route.php" in it, with one line:
http://site.com/route.php
I see "I was found".

When I go to
http://site.com/invalid
I see "I was found"

When I go to
http://site.com/invalid.php
I see 404 "Not Found The requested URL /invalid.php was not found on 
this server."



What do I need to do to get FallbackResource to work for URLs that look 
like a PHP script?


Thanks






Re: [users@httpd] matches when ServerName directive is omitted

2018-06-23 Thread Daniel Gruno

On 06/23/2018 10:34 AM, billy noah wrote:
Thanks Eric, the rdns almost certainly /did/ change so that could be the 
culprit.  Do you have a definitive answer or a way to determine how 
apache decides what "ServerName" should be when the directive is 
absent?  


From the documentation:

If no ServerName is specified, the server attempts to deduce the
client visible hostname by first asking the operating system for the
system hostname, and if that fails, performing a reverse lookup on
an IP address present on the system.

so basically it will do a gethostname() call first, falling back to a 
reverse lookup.


With regards,
Daniel.

I'll stick with the policy of using something (even nonsense as
you suggested) in the future, but I'm curious to understand the precise 
mechanics of what is happening here.  Is there some way to get a log of 
apache's decision making factors when determining which vhost to serve?


On Sat, Jun 23, 2018 at 11:28 AM, Eric Covener wrote:


On Sat, Jun 23, 2018 at 11:22 AM billy noah <billyn...@gmail.com> wrote:
>
> I am in the process of migrating some sites from a server running Apache
> 2.4.7 to a new installation (Ubuntu 18) running Apache 2.4.29 and running into
> some issues with VirtualHost matching.
>
> On my old server I have a config like this:
>
> <VirtualHost 12.34.56.78:80>
>     ServerAlias *.dev.example.com
>     VirtualDocumentRoot /var/www/dev/%1
> </VirtualHost>
>
> <VirtualHost 12.34.56.78:80>
>     ServerName example.com
>     ServerAlias www.example.com
>     DocumentRoot /var/www/example/
> </VirtualHost>
>
> As you can see, the ServerName directive is intentionally absent from the
> first host which uses a VirtualDocumentRoot to serve directories based on the
> subdomain. This has been working fine on the old server.

It's unwise. You should at least pick some nonsense name.

>
> In my new environment everything worked fine at first, but today (no updates,
> nothing changed), oddly things changed. For some reason apache started matching
> example.com to the first vhost and after some
> amount of debugging I have determined that this is due to the lack
> of ServerName directive. When I add one - anything really - the
> problem goes away. So to be clear, a working config now looks like this:
>
> <VirtualHost 12.34.56.78:80>
>     ServerName anything.dev.example.com
>     ServerAlias *.dev.example.com
>     VirtualDocumentRoot /var/www/dev/%1
> </VirtualHost>
>
> <VirtualHost 12.34.56.78:80>
>     ServerName example.com
>     ServerAlias www.example.com
>     DocumentRoot /var/www/example/
> </VirtualHost>

Perhaps the reverse DNS of your IP address changed?  I don't think
it's directly the "system hostname".










Re: [users@httpd] Is HTTP Server affected by CVE-2018-11776 ?

2018-08-28 Thread Daniel Gruno

On 08/28/2018 11:34 AM, Satish Chhatpar 02 wrote:
Hi HTTP users, can anyone confirm if HTTP server any version is affected 
by CVE-2018-11776 ?


It is not. CVE-2018-11776 refers to Apache Struts, not the Apache HTTP 
Server. Struts is a Java framework, and has no programmatic relation to 
the HTTP Server other than being developed within the Apache Software 
Foundation.




 







[users@httpd] Countdown to 25 years - has httpd changed your life?

2020-01-17 Thread Daniel Gruno

Hi wonderful apache people!

As we count down to the 25th anniversary of the Apache Group, founded 
February 27th 1995 (first release of the apache webserver was in April 
1995), I'd like to put some extra effort into the quarterly board report 
I, as chair of the project, have to present to the board of directors at 
the Apache Software Foundation in February.


So I thought to myself, it would be fun to get some testimonials to 
showcase how this project has survived, grown, and remained in the top 
for 25 years, helping people achieve their goals and in the process 
helping people grow. Personally, I would not be where I am today without 
this project - I owe so much to it, and it has helped me reach many a goal.


If you too have been affected by httpd, or if you just think this is a 
really nifty piece of software because it helps you do X, Y or Z, please 
let us know on this thread. I'll later collate the responses, shorten 
them a tad, and compile a shortened list of testimonials for the board 
report.


You can tell us about your experience with the product (httpd), the 
project (the apache http server project), or just your interactions with 
the people involved. Please keep it concise, as we wouldn't want to 
force the board to go through 150 pages :)


With very warm regards,
Daniel.




Re: [users@httpd] mod_compat_access format forward

2020-04-05 Thread Daniel Gruno

On 05/04/2020 17.49, David Mehler wrote:

Hello,

I've got this stanza in one of my virtual host configurations on
apache 2.4.x. It's requiring me to load the access compatibility
module, it is the only block requiring this module and i'd like to get
it converted to apache 2.4. I've not been able to get the access
correct, and would appreciate any suggestions.

 
 Order Deny,Allow
 Deny from all
 Allow from 192.168.1.1
 

Thanks.
Dave.





Require ip 192.168.1.1






Re: [users@httpd] Browsers appear to be ignoring 401 responses with WWW-Authenticate

2021-10-03 Thread Daniel Gruno
Slightly off-topic, but you might wanna check out 
https://developer.mozilla.org/en-US/docs/Web/API/fetch#parameters
Standard modern behavior, AIUI, is to not do Basic Auth via JavaScript 
fetches unless it's the same site, but this can be modified.


But I could be wrong :)

On 04/10/2021 03.04, ohaya wrote:

Hi,

We are hosting a page on one of our Apache (2.4.29).  We use Oracle OAM webgate in this 
Apache to "protect" that page.  When the webgate is installed into the Apache, 
they include a configuration file that has:


AuthType Oblix
require valid-user


We have this page configured for BASIC authentication, i.e., a popup login page 
appears when an unauthenticated user attempts to access that URL.

If we access that page directly from a browser, we get a popup login page and 
then we enter username and password, and if that authenticates, the target page 
is sent to the browser.

However, we also have some users that access this page, "indirectly", i.e., 
they (for example) load a page into their browser that has some Javascript/XHR code, and 
then that code does a GET to retrieve the page.

The problem we are having is that in this latter scenario, the request just 
fails with a 401 not authorized, and the popup login page doesn't appear, so 
the user doesn't have an opportunity to enter their credentials.

I have been using various tools like Fiddler, Live headers, and also Wireshark 
to try to see what is going on...  and I DO see what is happening, esp. with 
Wireshark, but I don't understand why the popups are not occurring.

Here is an example of a 401 response that I see in Wireshark:

Frame 157: 1322 bytes on wire (10576 bits), 1322 bytes captured (10576 bits) on 
interface \Device\NPF_{A65DD5E0-F324-4BF0-8115-255A8EC064BD}, id 0
Ethernet II, Src: PcsCompu_4d:6c:d9 (08:00:27:4d:6c:d9), Dst: PcsCompu_a8:ad:d1 
(08:00:27:a8:ad:d1)
Internet Protocol Version 4, Src: 192.168.0.103, Dst: 192.168.0.10
Transmission Control Protocol, Src Port: 8080, Dst Port: 49786, Seq: 1, Ack: 
444, Len: 1268
Hypertext Transfer Protocol
 HTTP/1.1 401 Unauthorized\r\n
 x-request-url: 
http://centos-apache3.whatever.com:/oamprotectedtarget/index.html\r\n
 date: Mon, 04 Oct 2021 00:24:26 GMT\r\n
 server: Apache/2.4.29 (Unix) OpenSSL/1.0.2k-fips\r\n
 access-control-allow-origin: *\r\n
 access-control-allow-credentials: true\r\n
 access-control-allow-methods: GET, POST, OPTIONS\r\n
 access-control-allow-headers: Origin, Content-Type, Accept\r\n
 keep-alive: timeout=7, max=100\r\n
 www-authenticate: Basic realm="ATNSCHEME-BasicSessionless"\r\n
 content-length: 381\r\n
 connection: close\r\n
 content-type: text/html; charset=iso-8859-1\r\n
 x-final-url: 
http://centos-apache3.whatever.com:/oamprotectedtarget/index.html\r\n
  [truncated]access-control-expose-headers: 
date,server,access-control-allow-origin,access-control-allow-credentials,access-control-allow-methods,access-control-allow-headers,keep-alive,www-authenticate,content-length,connection,content-ty
 \r\n
 [HTTP response 1/1]
 [Time since request: 0.009877000 seconds]
 [Request in frame: 141]
 [Request URI: 
http://192.168.0.103:8080/http://centos-apache3.whatever.com:/oamprotectedtarget/index.html]
 File Data: 381 bytes

In this case, the Javascript page is loaded from a different machine than the 
one that is hosting the page, centos-apache1.whatever.com, and you can see, the 
401/response has the CORS-response headers that should allow the browser to 
process the response?

In this type of scenario, is there some other restriction that would prevent or 
cause the browser to not popup the login window, even though the requests and 
responses appear to be all right?

Sorry about my description of this problem, but this scenario is complicated to 
explain :(...

Thanks in advance!!

Jim




Re: [users@httpd] How Do I Prevent Repetitive Hits

2022-08-25 Thread Daniel Gruno

On 25/08/2022 18.16, John Iliffe wrote:


While it doesn't appear to be causing us any harm I am wondering why someone
would spend the time/money to do so and if there is any way to lock out this one
source.

Does anyone have any suggestions?


If you want it completely gone from your logs, firewall it:
iptables -A INPUT -s 193.29.60.97 -j DROP

If you just want it to return a 403, you can use Require in your vhost:
Require not ip 193.29.60.97




Thanks in advance,

John
==
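
One caveat for the `Require not ip` route: a negated `Require` is only accepted inside a `<RequireAll>` block that also holds a positive rule. The block below is an added example, not part of the original reply; the directory path, the log file names, the `blocked` variable and the existence of a `combined` log format are assumptions.

```apache
# Added example (not from the thread). Paths, log names and the
# "blocked" environment variable are placeholders; "combined" is assumed
# to be defined by a LogFormat line elsewhere in the configuration.

# Tag requests from the address so they can be logged separately.
SetEnvIf Remote_Addr "^193\.29\.60\.97$" blocked

<Directory "/var/www/html">
    # A negated Require on its own is a configuration error: it has to sit
    # in <RequireAll> next to at least one positive rule.
    <RequireAll>
        Require all granted
        Require not ip 193.29.60.97
    </RequireAll>
</Directory>

# Keep the 403s out of the main access log but retain them for review.
CustomLog "logs/access_log"  combined env=!blocked
CustomLog "logs/blocked_log" combined env=blocked
```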





Re: [users@httpd] specification of .htaccess [EXT]

2022-11-01 Thread Daniel Gruno

On 2022-11-01 20:14, Yuji_myst wrote:

Thank you.

I will try the method you replied.

Just to make sure, do you know if there is a limit on the number of 
redirect settings or .htaccess file size?


Essentially, the limit is the file size limit in your file system, or 
however much memory your server has. There are no set limits, that I can 
recall. You can have 250,000 rules in there if you like, or a million...







2022/10/26 20:54, James Smith


If you have that many look at RewriteMap

https://httpd.apache.org/docs/current/rewrite/rewritemap.html

*From:*Frank Gingras 
*Sent:* 26 October 2022 02:42
*To:* users@httpd.apache.org
*Subject:* Re: [users@httpd] specification of .htaccess [EXT]

This is an extremely bad idea. Do you have access to your config files 
/ the root user? If so, edit your vhost, and place your redirects in 
there instead.


Such a large .htaccess file will perform very poorly.

Further, avoid using mod_rewrite to redirect unless you have no choice.

On Tue, 25 Oct 2022 at 20:07, Yuji_myst wrote:


hello

Please tell me the specification of .htaccess.

Place .htaccess in the root directory of the website and set the
redirect.

We are considering setting more than 2000 redirects.

Is there a limit on the number of redirect settings or .htaccess
file size?

I read the .htaccess documentation, but couldn't find any mention
of restrictions.

Best Regards,

Yuji
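
A sketch of the RewriteMap approach James Smith points to, placed in the virtual host as Frank Gingras advises (RewriteMap can only be declared in server or virtual-host context, not in .htaccess). This is an added example, not from the thread; the host name, the map path and the sample entries are assumptions.

```apache
# Added example (not from the thread). Host name, map path and the
# sample entries are placeholders.
#
# /etc/httpd/conf/redirects.txt holds one "old-path new-target" pair per line:
#   /old/page-1.html   /new/page-1
#   /old/page-2.html   https://www.example.com/page-2
#
# For a large map, convert it once to DBM so lookups are indexed:
#   httxt2dbm -i redirects.txt -o redirects.map
# and declare it as "dbm:/etc/httpd/conf/redirects.map" instead.

<VirtualHost *:80>
    ServerName www.example.com

    RewriteEngine On
    RewriteMap redirects "txt:/etc/httpd/conf/redirects.txt"

    # Look the request path up in the map. The condition matches only when
    # the lookup returns a non-empty value, which is captured as %1.
    RewriteCond "${redirects:%{REQUEST_URI}}" "^(.+)$"
    # Paths that are not in the map fail the condition and are served normally.
    RewriteRule "^" "%1" [R=301,L]
</VirtualHost>
```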




Re: [users@httpd] Apache configuration for guacamole

2022-12-19 Thread Daniel Gruno

On 12/20/22 01:47, Dan Nessett wrote:

I am attempting to get guacamole working with apache. I have been working with 
the guacamole users, but they now tell me that I have an apache2 configuration 
problem. So, I am trying to get some help from apache2 users.

The set up I have is a small network behind a firewall/NAT router (running pfsense). HTTPS 
requests go to an external address and non-standard port that the router converts using NAT 
to an internal address and standard port for HTTPS (443). The local machine servicing 
requests to this internal address/port pair runs SSLH, which is a SSH/HTTPS protocol 
multiplexor. The SSLH daemon parses the first part of each protocol packet and decides to 
forward it to either the sshd daemon or the installed apache web server. In the latter case 
it sends to port 4443, on which apache is listening. I know this works, since I can login 
to the machine via ssh from an external address and HTTPS requests to the configured 
virtual machine display properly, e.g., https://:/phpinfo.php

The problem occurs when I attempt to access guacamole with an HTTPS request of: 
https://:/guacamole. This does not work. The file 000-default.conf in 
/etc/apache/sites-enabled is:


Your virtualhost configuration says it's expecting port 4443, yet your 
explanation above says the NAT translates this to 443. This suggests you 
have a typo either in your virtualhost config or your explanation. The 
port number in the virtualhost directive should, as far as I am aware, 
correspond to the port you are listening on, not the original port 
before NAT happens.




# Comment out the port 80 virtual host block



# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com

ServerAdmin webmaster@localhost
DocumentRoot /var/www/html

# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf




 ServerName 
 DocumentRoot /mnt/raid5/webserver/sites/MOserver
Header always unset X-Frame-Options

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined


 Order allow,deny
 Allow from all
 ProxyPass http://127.0.0.1:8080/guacamole/ flushpackets=on
 ProxyPassReverse http://127.0.0.1:8080/guacamole/


 
   Order allow,deny
   Allow from all
   #Require all granted
   ProxyPass ws://127.0.0.1:8080/guacamole/websocket-tunnel
   ProxyPassReverse ws://127.0.0.1:8080/guacamole/websocket-tunnel
 

SSLEngine on
SSLCertificateFile /root/.acme.sh/*.mountolive.com/fullchain.cer
SSLCertificateKeyFile /root/.acme.sh/*.mountolive.com/*.mountolive.com.key


# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

Since web page URLs work properly, the only thing I can imagine is causing a problem 
are the two  blocks that contain ProxyPass and ProxyPassReverse 
entries. I am completely unfamiliar with these and would appreciate some help with the 
apache2 configuration that is supposed to enable guacamole communication.



Re: [users@httpd] RewriteCond - is this fast fail?

2023-01-11 Thread Daniel Gruno

On 2023-01-11 12:58, sebb wrote:

On Tue, 10 Jan 2023 at 23:33, Frank Gingras  wrote:


Do a quick test, and enable the rewrite log. Make sure you use a log level of 5 
to see those details.


Whilst the test might be quick, setting it up is not.

Does no-one here know the answer?


RewriteRule is evaluated first. If that matches, the RewriteCond 
directives are evaluated one at a time. If a condition fails, and there 
is no [OR] flag, then the evaluation stops and does not continue to the 
next RewriteCond.


This is defined in 
https://github.com/apache/httpd/blob/trunk/modules/mappers/mod_rewrite.c#L4230 
and onwards.





On Tue, Jan 10, 2023 at 6:28 PM sebb  wrote:


On Tue, 10 Jan 2023 at 23:21, Frank Gingras  wrote:


The implicit behaviour for multiple RewriteCond directives is AND, unless you 
use [OR].


Yes, that is documented.


So without [OR], all the conditions have to match to apply the rewrite rule.


Yes, but are any subsequent conditions evaluated?


On Tue, Jan 10, 2023 at 6:06 PM sebb  wrote:


Does the first RewriteCond that fails cause any following RewriteCond
entries to be skipped?
(up to the RewriteRule)

I would hope that is the case, but AFAICT it is not explicitly stated.

If it is the case, perhaps it would be worth making explicit?
(and suggesting that the cheapest checks are done first).

Sebb




Re: [users@httpd] RewriteCond - is this fast fail?

2023-01-11 Thread Daniel Gruno

On 2023-01-11 13:16, Daniel Gruno wrote:

On 2023-01-11 12:58, sebb wrote:

On Tue, 10 Jan 2023 at 23:33, Frank Gingras  wrote:


Do a quick test, and enable the rewrite log. Make sure you use a log 
level of 5 to see those details.


Whilst the test might be quick, setting it up is not.

Does no-one here know the answer?


RewriteRule is evaluated first. If that matches, the RewriteCond 
directives are evaluated one at a time. If a condition fails, and there 
is no [OR] flag, then the evaluation stops and does not continue to the 
next RewriteCond.


This is defined in 
https://github.com/apache/httpd/blob/trunk/modules/mappers/mod_rewrite.c#L4230 and onwards.


FWIW, this is also why %N is only available in the substitution 
argument, and not in the pattern argument of a RewriteRule, as %N hasn't 
been defined at the pattern matching point of a RewriteRule.







On Tue, Jan 10, 2023 at 6:28 PM sebb  wrote:


On Tue, 10 Jan 2023 at 23:21, Frank Gingras  wrote:


The implicit behaviour for multiple RewriteCond directives is AND, 
unless you use [OR].


Yes, that is documented.

So without [OR], all the conditions have to match to apply the 
rewrite rule.


Yes, but are any subsequent conditions evaluated?


On Tue, Jan 10, 2023 at 6:06 PM sebb  wrote:


Does the first RewriteCond that fails cause any following RewriteCond
entries to be skipped?
(up to the RewriteRule)

I would hope that is the case, but AFAICT it is not explicitly 
stated.


If it is the case, perhaps it would be worth making explicit?
(and suggesting that the cheapest checks are done first).

Sebb
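
The evaluation order described in the two replies above, laid out as an annotated rule set. This is an added example, not from the thread or from the httpd documentation; the host names and paths are assumptions, and the rule is written for virtual-host context.

```apache
# Added example (not from the thread), virtual-host context.
# Host names and paths are placeholders.
RewriteEngine On

# Evaluation order for the rule set below:
#   1. The RewriteRule pattern is tested first.
#   2. Only if it matches are the RewriteCond lines run, top to bottom.
#   3. A failing condition without [OR] ends the evaluation; the conditions
#      after it are never run. In an [OR] chain, the first condition that
#      succeeds causes the remaining members of the chain to be skipped.

# Cheap string comparisons first. If the method is GET, the HEAD test
# is skipped.
RewriteCond "%{REQUEST_METHOD}" "=GET" [OR]
RewriteCond "%{REQUEST_METHOD}" "=HEAD"
# Regex on the Host header; its capture becomes %1.
RewriteCond "%{HTTP_HOST}" "^([a-z0-9-]+)\.example\.com$" [NC]
# File-system lookup last: it only runs when everything above passed.
# -f is not a regex test, so %1 still holds the host label afterwards.
RewriteCond "%{DOCUMENT_ROOT}/archive/%1/$1" -f
# $1 is set by this rule's own pattern; %1 exists only once the conditions
# have run, so it can appear in the substitution but not in the pattern.
RewriteRule "^/download/([^/]+)$" "/archive/%1/$1" [PT]

# Trace the evaluation in the error log (httpd 2.4 syntax).
LogLevel rewrite:trace5
```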




Re: [users@httpd] Unclear RewriteCond docs

2023-05-08 Thread Daniel Gruno

On 2023-05-08 08:44, Eric Covener wrote:

On Mon, May 8, 2023 at 9:41 AM Frank Gingras  wrote:


Sebb,

Are you sure about that? I would verify before we venture to clarify the docs.


I think sebb is right, I've occasionally had to try to weirdly
propagate it or delay/combine it.

In a rule or condition, the captures of the preceding condition are available


Only if the next condition is a regex condition. A literal string 
comparison condition will not reset the previous captures. And yeah, you 
can use the teststring value to add back your captures from the previous 
condition:


# Get key value into %1
RewriteCond %{QUERY_STRING} "key=(.+)"
# Append query string with %1, get key value back into %1, bar value into %2
RewriteCond %1::%{QUERY_STRING} "^(.+)::.*bar=(.+)"
# Literal comparison, doesn't change backrefs:
RewriteCond %2 "=foo"
RewriteRule .* http://foo.bar/%1/%2







Re: [users@httpd] Unclear RewriteCond docs

2023-05-08 Thread Daniel Gruno

On 2023-05-08 09:33, Eric Covener wrote:

On Mon, May 8, 2023 at 10:29 AM Daniel Gruno  wrote:


On 2023-05-08 08:44, Eric Covener wrote:

On Mon, May 8, 2023 at 9:41 AM Frank Gingras  wrote:


Sebb,

Are you sure about that? I would verify before we venture to clarify the docs.


I think sebb is right, I've occasionally had to try to weirdly
propagate it or delay/combine it.

In a rule or condition, the captures of the preceding condition are available


Only if the next condition is a regex condition. A literal string
comparison condition will not reset the previous captures. And yeah, you
can use the teststring value to add back your captures from the previous
condition:

# Get key value into %1
RewriteCond %{QUERY_STRING} "key=(.+)"
# Append query string with %1, get key value back into %1, bar value into %2
RewriteCond %1::%{QUERY_STRING} "^(.+)::.*bar=(.+)"
# Literal comparison, doesn't change backrefs:
RewriteCond %2 "=foo"
RewriteRule .* http://foo.bar/%1/%2


Ah, cool and tricky to document in an "intro".  Maybe we can make sure
the gory details are right elsewhere, and caution that it's more
complicated with multiple conditions in the intro example.


Yeah, you can actually use this to accept and parse query string 
key/value pairs given in an arbitrary order, but as you say, it gets 
complex real fast - I am having to resort to making RewriteCond macros 
to accomplish this without having to write 200 lines of config :)


We do have a page dedicated to advanced usage examples, maybe I can add 
something to that page.







Re: [users@httpd] node.js application listening on port 8000 enabled with SSL certificate returns ERR_SSL_PROTOCOL_ERROR on browser.

2023-06-21 Thread Daniel Gruno

On 2023-06-21 18:57, Kaushal Shriyan wrote:

Hi,

I am running node.js application on port 8000 and Apache HTTP server on 
CentOS Linux release 7.9.2009 (Core)


# node --version
*v16.20.0*
# httpd -v
Server version: *Apache/2.4.57 (IUS)*
Server built:   Apr  7 2023 14:49:47
#

_httpd.conf file configuration_
#cat /etc/httpd/conf.d/nodejsnodejsssl.conf

     SSLEngine On
     SSLProxyEngine On
     ServerName nodejs.mydomain.com 
     SSLCertificateFile /etc/letsencrypt/live/nodejs.mydomain.com/cert.pem
     SSLCertificateKeyFile /etc/letsencrypt/live/nodejs.mydomain.com/privkey.pem
     SSLCertificateChainFile /etc/letsencrypt/live/nodejs.mydomain.com/chain.pem


     
         ProxyPass http://localhost:8000/ 
     


When I am trying to access the URL 
https://nodejs.mydomain.com:8000/demo/index.html, I am encountering 
the below error on the browser.


This site can’t provide a secure connection
nodejs.mydomain.com sent an invalid response.
ERR_SSL_PROTOCOL_ERROR

Please comment if the above httpd conf file is incorrect or if I am 
missing anything. Thanks in advance.


Best Regards,

Kaushal



There are inconsistencies in your configuration.
On one hand, you have "SSLProxyEngine On" which would imply that the 
backend node.js application is running over TLS.
On the other hand, you are proxying to HTTP://, not HTTPS://, which is 
what you would use for plain-text (not TLS) connections.


The options are mutually exclusive. Either you have TLS on node.js, and 
should proxy to https://localhost:8000 or you do not, and you shouldn't 
have "SSLProxyEngine On" defined.
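
The two consistent combinations from the reply, written out side by side. This is an added example, not part of the original message; the host name and certificate paths are those given in the question, while the `*:443` listener and the backend CA path are assumptions.

```apache
# Added example (not from the thread). Host name and certificate paths are
# those given in the question; the *:443 listener and the backend CA path
# are assumptions. Use one variant, not both.

# Variant A: node.js serves plain HTTP on localhost:8000.
# httpd terminates TLS for the browser; SSLProxyEngine stays off.
<VirtualHost *:443>
    ServerName nodejs.mydomain.com
    SSLEngine On
    SSLCertificateFile      /etc/letsencrypt/live/nodejs.mydomain.com/cert.pem
    SSLCertificateKeyFile   /etc/letsencrypt/live/nodejs.mydomain.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/nodejs.mydomain.com/chain.pem

    ProxyPass        "/" "http://localhost:8000/"
    ProxyPassReverse "/" "http://localhost:8000/"
</VirtualHost>

# Variant B: node.js itself serves TLS on localhost:8000.
# SSLProxyEngine turns on TLS for the httpd-to-backend leg, so the
# target scheme must be https://.
<VirtualHost *:443>
    ServerName nodejs.mydomain.com
    SSLEngine On
    SSLCertificateFile      /etc/letsencrypt/live/nodejs.mydomain.com/cert.pem
    SSLCertificateKeyFile   /etc/letsencrypt/live/nodejs.mydomain.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/nodejs.mydomain.com/chain.pem

    SSLProxyEngine On
    # Verify the backend certificate against the CA that issued it. The
    # certificate must also be valid for the name used in the ProxyPass
    # target ("localhost" here).
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/pki/tls/certs/backend-ca.pem

    ProxyPass        "/" "https://localhost:8000/"
    ProxyPassReverse "/" "https://localhost:8000/"
</VirtualHost>
```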







[users@httpd] Re: Can supply multiple group names within a single Require ldap-group directive

2023-08-26 Thread Daniel Gruno

On 2023-08-24 10:39, Prabhu Kondarangi wrote:

Dear Team,

I am looking for the possibility of supplying multiple group names within a
single Require ldap-group directive.
Is it possible even?

Module: mod_authnz_ldap

Directive: Require ldap-group


Example:

Require ldap-group group1 group2 group3

Thanks,
Prabhu

This should really be posted to users@httpd.apache.org, so I will 
cross-post it there:



No, each ldap-group line should only have one group. But what you can do 
is make a group that are AND or OR'ed together:


Require user be a part of two groups:
<RequireAll>
  Require ldap-group cn=foo, ...
  Require ldap-group cn=bar, ...
</RequireAll>

Require user be part of at least one group:
<RequireAny>
  Require ldap-group cn=foo, ...
  Require ldap-group cn=bar, ...
</RequireAny>






Re: [users@httpd] Is it true that Nginx is faster, more secure and better than Apache?

2023-10-04 Thread Daniel Gruno

On 2023-10-04 14:01, Antony Stone wrote:

On Wednesday 04 October 2023 at 20:48:19, Jason Long wrote:


Hello, Thanks again. Why has Apache Foundation never tested Apache
performance with Nginx?


I am not affiliated with the Apache Foundation in any way, but I would guess
that the primary reason is that one can make statistics say almost whatever
one wants them to, simply by selecting the data or analysis which supports the
desired outcome.  Therefore nobody is going to trust numbers put out either by
the Apache Foundation, or by Nginx, showing how they compare against the
competition.  I'm not saying that either of these organisations would be
lying, but they'd be expected to choose the tests and scenarios which show
them up in the most favourable comparative light possible.

A secondary reason is that one person's use of a web server is not the same as
another's, so any benchmarks showing Apache vs. Nginx would be idealistic and
almost certainly not what any specific real-world implementation would achieve.

Suppose you wanted to compare two makes of cars to find out which is "faster,
more secure and better" (to quote from the subject line of your email).  Would
you want such a comparison to be done by manufacturer A, manufacturer B, or an
independent third party?  No matter who it's done by, does their definition of
"better" match with yours (assuming you're a potential purchaser of one of the
cars)?


The more official, canonical reason is that NGINX is a commercial 
company making an "open core" product, while the ASF is a non-profit.


The ASF cannot and does not want to compete with other products or 
companies. It is not our mission, and we frankly do not care about 
market shares or the likes. We are volunteers working on making a free 
piece of software that can be used by whomever wants to use it.





Antony.







Re: [users@httpd] RE: pipe logs to somethings that resembles a curl post

2024-04-10 Thread Daniel Gruno

On 4/10/24 07:22, Marc wrote:


Oops I was misled by some old posts. GlobalLog[1] does this for everything. 
However I have not found what value[2] has the requested virtual host name.

[1]
https://httpd.apache.org/docs/current/mod/mod_log_config.html

[2]
https://httpd.apache.org/docs/current/mod/mod_log_config.html#formats


You could also use 
https://httpd.apache.org/docs/current/mod/mod_lua.html#luahooklog to 
split up your logs or discard/silence certain entries.






Currently I have modified some rust application that does this to
satisfaction. But piping to a 60MB binary for quite a few virtual hosts
does not really seem efficient to me.
Is there not some apache module that can offer a "global" access to
logging and 'clones' all logging to some tcp socket? (I prefer not to
route first to syslog)




I was wondering how I could use piped logs to redirect some logs,
comparable to curl post requests.

[1]
https://httpd.apache.org/docs/current/logs.html





Re: [users@httpd] Require paramater

2024-05-19 Thread Daniel Gruno

On 5/13/24 15:42, Chris me wrote:
The Apache docs recommend doing this to set up a default deny to file 
locations:




     Require all denied



Do I do that in httpd.conf or do I add that to each  entry?



If you do it in httpd.conf (which I assume would be a server-wide scope 
for you), it will be applied globally and thus within every virtualhost 
scope as well. You should then, within each virtualhost scope, 
explicitly allow access to the documentroot and other directories you 
wish to have open for reading.
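
The layout described in the reply, as an added example that is not part of the original message: a server-wide default deny in httpd.conf, then explicit grants inside each virtual host. All paths and the host name are assumptions.

```apache
# Added example (not from the thread). Paths and host name are placeholders.

# httpd.conf, server-wide scope: nothing on the file system is served
# unless a more specific section grants access to it.
<Directory "/">
    AllowOverride None
    Require all denied
</Directory>

# Per virtual host: open only what this site needs.
<VirtualHost *:80>
    ServerName site1.example.com
    DocumentRoot "/var/www/site1/htdocs"

    <Directory "/var/www/site1/htdocs">
        Require all granted
    </Directory>

    # A directory mapped in from outside the DocumentRoot needs its own
    # grant; without it the global "Require all denied" still applies.
    Alias "/downloads" "/srv/site1/downloads"
    <Directory "/srv/site1/downloads">
        Require all granted
    </Directory>

    # Anything else under /var/www/site1 (for example a sibling "private"
    # directory) keeps inheriting the server-wide deny.
</VirtualHost>
```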






Re: [users@httpd] Authentication in Location blocks for reverse proxy seems to take precedence in routes

2024-06-14 Thread Daniel Gruno

On 6/14/24 12:41, M Foster wrote:

Hello,

I'm struggling a bit with an issue when using Apache as a reverse proxy 
when needing to use differing Authentication. I've searched for a couple 
of days now, but nothing matching what I'm seeing has come up.


The scenario is that I am using Apache as a reverse proxy, but sending a 
sub-path to different backend like so (extremely simplified):



   ProxyPass http://host2:8080/foo/bar 


   ProxyPass http://host1.example.com/foo 



One is overriding the other, so you get an arbitrary result. You can 
exclude /foo/bar from your second pass by using something like 
LocationMatch instead:



  .. things here for /foo/bar


.. things here for /foo/baz but not /foo/bar
ProxyPass "http://host1.example.com/$1"


Do note that if the Auth realm is the same, you can get the wrong 
credentials showing up if they differ. These should be unique if the 
credentials are.




This works without issue. However, as soon as I try to put 
authentication on the second location (or more accurately different 
authentication directives), any request to "/foo/bar" triggers auth:


Example:

   ProxyPass http://host2:8080/foo/bar 


   AuthType basic
   AuthName "Restricted"
   AuthUserFile /usr/local/apache2/.htpasswd
   Require valid-user
   ProxyPass http://host1.example.com/foo 


In the logs, set to trace8, I see that now apache is matching the 
REQUEST_URI to the wrong proxy handler:


"attempting to match URI path '/foo/bar' against prefix '/foo' for proxying
"URI path /foo/bar' matches proxy handler 'proxy:http:// 
host1.example.com/foo/bar '"
"authorization result of Require valid-user : denied (no authenticated 
user)"


Without any auth, the logs correctly show the request to `/foo/bar` 
being routed to the correct proxy handler 'proxy:http://host2:8080/foo/bar'.


If anyone has any ideas on why adding auth completely blows up the proxy 
routing, I'd appreciate it. Otherwise, I'll have to create two proxy 
servers, just to handle each case.








Re: [users@httpd] efficient abuse page

2025-01-22 Thread Daniel Gruno

On 1/16/25 11:27, Marc wrote:

I have currently some abuse page that notifies the ip is blocked. I am 
generating this page with php because I want to display the ip address on this 
page. Is there a more efficient way to generate a page with one line of text 
and the blocked ip address?
Maybe directly in apache without using php-fpm?


You can do just about anything you like with mod_lua, including rate 
limiting, custom block messages, and more.


If you already know that an IP is supposed to be blocked, you can use 
the LuaQuickHandler[1] to serve up a message before any other processing 
happens in httpd (a quick handler fires as soon as a request is mapped 
to a virtual host, but before any file-system/rewrite/auth/whatever runs).


If you'd rather do it as a filter on responses, you can use the 
LuaOutputFilter[2] directive and set up a filter.


We make use of both of those at the ASF itself for rate- and 
bandwidth-limiting on select services, and it works well.


[1] https://httpd.apache.org/docs/trunk/mod/mod_lua.html#luaquickhandler
[2] https://httpd.apache.org/docs/trunk/mod/mod_lua.html#luaoutputfilter


