[us...@httpd] Apache modules question
Hello everyone,

I have a project where I want to add a new phase between the content generation and the logging phase of a request. In other words, after the response is generated and ready to be sent to the client, I want to manipulate the produced HTML code (do my stuff) and then send it to the browser. I have already read stuff on how to write Apache2 modules, but I understood that modules can only substitute other modules that are enabled in the standard phases of request processing and cannot somehow involve a new phase. My friend who works on the same project has done this with filters (I think), but we are looking for a faster way (maybe a new module enabled after the content generation). Please tell me how to do that. Sorry for bad English.

Regards,
Tony

-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
" from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
[us...@httpd] Apache2 add module help !
Hello,

Consider that I have an HTML, JavaScript, PHP site. My goal is to somehow modify the HTML and JavaScript code before the PHP module does its stuff. It is part of a JavaScript injection defense system. So I want to mark benign JavaScript before the PHP module adds bad JavaScript code. I first thought that an output filter is the solution, but I suppose that in the phase of the output filter the chunks of data will be already produced after PHP code generation (is that right?). So the attack is done and I will mark that bad JavaScript injection code as benign. Is there a way to cope with this by adding a module-filter to Apache and not modifying the PHP module code?

Thanks.
Re: [us...@httpd] Apache2 add module help !
André Warnier wrote:
> antoine wrote:
>> Hello,
>>
>> Consider that I have an HTML, JavaScript, PHP site. My goal is to somehow modify the HTML and JavaScript code before the PHP module does its stuff. It is part of a JavaScript injection defense system. So I want to mark benign JavaScript before the PHP module adds bad JavaScript code. I first thought that an output filter is the solution, but I suppose that in the phase of the output filter the chunks of data will be already produced after PHP code generation (is that right?).
>
> Yes
>
>> So the attack is done and I will mark that bad JavaScript injection code as benign. Is there a way to cope with this by adding a module-filter to Apache and not modifying the PHP module code?
>
> Apart from the yes above, I cannot add much, because it is not very clear to me what you are trying to achieve, or what you are trying to protect against.
> You seem to say that it is the php which inserts the "bad" javascript code. But the php runs on your server, so that seems to be the right point to protect, and not later try to undo what it might have done.
> Or do you let any user load its own php stuff onto your server, and then just run it?

OK, I will explain. Consider that we have an HTML form and a PHP script that handles the posted data. The scenario is that the bad guy writes in the form, for example, " ... bad javascript code " and posts this, so when the client gets the page we have an attack. So I want to separate the static JavaScript code from the dynamic one. I want a filter to process the page before any dynamic content is inserted, for example by the PHP module.
Re: [us...@httpd] Apache2 add module help !
Nick Kew wrote:
> Morten K. Poulsen wrote:
>> On Wed, 2009-10-28 at 19:06 +0200, antoine wrote:
>>> Consider that we have an HTML form and a PHP script that handles the posted data. The scenario is that the bad guy writes in the form, for example, " ... bad javascript code " and posts this, so when the client gets the page we have an attack.
>>
>> Apache is not the right point to protect against things like that. It would be an ugly hack, which would easily be circumvented by the attacker.
>>
>> Use PHP's htmlentities() or strip_tags() on the untrusted data, before echoing it back to the clients. The manual pages explain how to do this.
>
> Nevertheless, mod_security offers some protection, where applications are problematic and can't be fixed. I don't know if it would help the OP, because I don't know the root cause of his problem.

Thank you guys for your propositions, but don't focus on the security model. In general, if I use an input filter, can I modify the page's static HTML code before any dynamic code is inserted?
Re: [us...@httpd] Apache2 content generators
Andre, thank you very much for your response. I think that putting mod_php (if it is possible) as an output filter is the only solution to my project.

Regards

André Warnier wrote:
> antoine wrote:
>> Eric Covener wrote:
>>> On Thu, Nov 5, 2009 at 10:25 AM, antoine wrote:
>>>> The first one (mine) adds some stuff to the html body and the second one is the mod_php that takes the first's results and gives the client the final page.
>>>
>>> Is running PHP as a filter deprecated? That'd be an option.
>>
>> Sorry, can you explain better. Thanks
>
> Let me roll back a little bit, and then get back to Eric's question above.
>
> Basically, there can only be one Apache "response generator" module.
> There can be "input" filters before: they filter the HTTP request and can do something to the request, but not to the result yet, because it is not yet created.
> Then there is one "response generator". That is the one which (usually) gets the basic document from disk (or creates it from scratch), modifies it or not, and produces the HTTP response.
> Then there can be more "output" filters, which act on the response already produced by the response generator above, and can modify it some more.
>
> I am unfamiliar with mod_php, but I imagine that it usually functions itself like the "response generator" above. Thus, it picks up a document from disk, examines it to see if it contains any php to process, and if yes it processes this php and modifies the original document accordingly. Then it sends out the result as an HTTP response.
>
> If that is how it works, then it is going to be difficult for you to insert something else before it. Because then, your module would have to pick up the page from disk, do something to it, and then figure out a way to pass that modified document to mod_php to process. But mod_php wants to pick up the original from disk also, so you have a problem.
>
> On the other hand, if mod_php, like Eric mentions above, can also be configured to work as an output filter (instead of as the content generator), then this may be the solution. Your module could then be "content generator": pick up the original document from disk, produce a HTTP response, and that response would then be processed by mod_php acting as an output filter.
> Got it?
>
> Now you have to check yourself if mod_php /can/ be configured to work as an output filter, like Eric seems to hint that it can, or could.
[us...@httpd] Add header question
Hello!

How can I add an optional header (X-Foo) in each response processed by my module (it acts as a content generator)?

Regards,
[us...@httpd] Spider Monkey
Hello,

I have a question on the SpiderMonkey API for parsing JavaScript. Is this the right list to apply to? If not, please tell me where to ask.

Regards
Re: [EMAIL PROTECTED] A lil Mod Rewrite help please...
You could also use the Reverse-Proxy function of Apache, with or without mod_rewrite. With Reverse-Proxy, your Apache is a gateway to a backend server, so you can pass requests to a different host/port, without doing external redirects. See directive (without mod_rewrite) or the [P] flag of the RewriteRule directive.

Antoine.

2006/4/8, John Hicks <[EMAIL PROTECTED]>:
> m i l e s wrote:
>> If I have the following series of urls:
>>
>> webmail.theusersdomain.com
>> webmail.somedomain.com
>> webmail.myuserdomain.com
>> webmail.etc.com
>>
>> Instead of adding host directions in the apache conf file, I was thinking a mod_rewrite rule would do the trick rather nicely. What I thought of was this:
>>
>> RewriteEngine on
>> RewriteRule ^webmail\.[a-z]+\.com$ webmail\.[a-z]+\.com\:7080/scripts/webmail.exe
>
> Part of the reason mod_rewrite is such a bear is that it performs (at least) two completely different functions:
>
> --internal redirects - where the URL in the user's browser stays the same but the http response comes from someplace other than the directory/file portion of the url BUT still comes from the same domain (and server).
>
> --external redirects - where the http response is a redirect telling the browser to go to another URL completely. (Thus the URL changes in the user's browser.)
>
> What you are proposing above is an external redirect. You are changing the domain name portion of the URL (by changing the port). You'll have to show that port number in the user's browser. I have a hunch you were trying to avoid that.
>
> (Your RewriteRule is also in error:
>
> First of all: The left hand side can't refer to a domain name but only to the file portion of the URL. The right hand side can include a domain name, and doing so makes it a redirect. (To indicate a domain name, you use either the 'http://' prefix or use a [R] redirect directive at the end.)
>
> Secondly, even if you could include domain names, your regex is way off: I think you meant to use regular parentheses () around the second level domain portion of the URL so you could reuse it in the right hand side. And the right hand side should not be a regular expression at all but should use a $1 symbol to show where the parenthesized portion from the left hand side should go.)
>
>> And lastly, would this rule live in the httpd.conf file or would this rule live somewhere else
>
> It can live in either the httpd.conf or the .htaccess files.
>
>> Or if I miss my guess would this rule have to live in a .htaccess file in EVERY domain_directory that I host ?
>
> And remember that you are defining new third level domains for each of your second level domains. That may require some DNS work.
>
> Within Apache, you could have a single virtual server for all your webmail third level domains:
>
> ServerName webmail.domain1.com
> ServerAlias webmail.domain2.com
> etc.
>
> Then a single rewrite directive could apply to all those domains.
>
> But it sounds like you are running your webmail on a different instance of Apache, so you will have to do external redirects.
>
> If you are using the different port to address a second host server where your mail server lives, bear in mind that webmail (or at least Squirrelmail) doesn't have to run on the same machine as the mail server.
>
> Sorry to be so long winded. Hope that helps.
>
> John
Re: [EMAIL PROTECTED] W3C Extended Log Format
I use the combined log format, with the elapsed request time as the last element.

My LogFormat directive is:

    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined

The %D stands for "Time taken to serve the request, in microseconds".

The resulting log entry is, for example:

    192.168.1.100 - - [01/Mar/2006:17:31:00 +0100] "GET /jsp-examples/ HTTP/1.1" 200 16576 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1" 6560

The custom log format is described in http://httpd.apache.org/docs/2.2/mod/mod_log_config.html#formats

Rgds
Antoine.

2006/4/6, Bernie Durfee <[EMAIL PROTECTED]>:
> Is there a way to have Apache 2.2 output access logs in W3C "Extended Log Format"? I'm specifically trying to get elapsed request time into the log, in a standard way, so that I can pick the value up in WebTrends 7. It seems like the W3C format is the only way that it can get into the log and be picked up by WebTrends. Any ideas?
>
> Thanks,
> Bernie
Re: [EMAIL PROTECTED] Dynamic config parameters
Maybe you could also share common configuration files between your load-balanced servers, and "Include" configuration files with directives specific to each one. That is the way I work with my servers, so maintenance is kept easy (no preprocessor, no envvar).

Brgds
Antoine.

2006/4/6, Bgs <[EMAIL PROTECTED]>:
> Just for the records: I had to choose the preprocessor version.
>
> Bgs wrote:
>>>> ServerName domain.com
>>>> ServerAlias www.domain.com web%NUM.domain.com
>>>> ...
>>>>
>>>> I hope this clarifies. I will skim through the addon link you sent me though.
>>>
>>> If I were to do this, I would use a simple config pre-processor to substitute out the variables. That is a robust, simple, and easy-to-implement solution.
>>>
>>> I believe that you can actually use env-variables in httpd.conf using something like ${env-variable}; but this is undocumented and perhaps fragile.
>>
>> That would make sense. Or using some apache internal variable would suit as well. In my case there are only two distinct variables for each site, that should be used in VirtualHost, ServerAlias and sometimes in the logs definitions.
>>
>> I'd like to keep config preprocessors as a last resort solution...
>>
>> Bye
>> Bgs
Re: [EMAIL PROTECTED] weird caching problem
Hi,

I guess that if the app (or anything else) doesn't send a no-cache header, or a max-age header, or a session cookie, the .jsp page will be served by the client browser cache, and will not even be received by the HTTP Server.

Rgds
Antoine.

2006/3/28, Sean Carey <[EMAIL PROTECTED]>:
> Here We Go:
>
> I am using apache 2.2, mod_jk 1.2.15, Tomcat 5.5. The application that I am working on basically has 1 filename, s.jsp, but there are tons of parameters that are used on the file to make it dynamic. The problem I am having is that the apache server or mod_jk thinks it's the same request, so I get a major cache problem that causes the page to be skewed.
>
> If I add response header no-cache and restart the app it works fine. The company that I am consulting does not want to use a no-cache response header. So I am wondering if there is a way in apache to make sure I am properly getting s.jsp through mod_jk. Any help would be appreciated.
>
> Sean
Re: [users@httpd] httxt2dbm - DB file not completely rewritten
Hi Rainer,

I have the same issue ... 5 years later ;) with Apache 2.2.22, and even with Apache 2.4.10.

Did you get an explanation (or I will raise an issue)?

Thanks
Antoine.

2010-04-01 13:32 GMT+02:00 Rainer Frey :
> I use DBM rewrite maps (apache 2.2.9 - package 2.2.9-10+lenny6) on debian 5 with BerkeleyDB 4.6 (package 4.6.21-11). I generate the DB files with makefiles that call httxt2dbm on potentially already existing DB files.
>
> When entries are added to the source files, it works fine. But when entries are deleted from the source files, the DB files still contain the entries and lookup succeeds (and yes, I verified that the DB file is indeed updated). I also grepped the db file for the key to verify that it is indeed in the file (and not a cached result in apache).
>
> Is this a bug in httxt2dbm, or is my expectation wrong? Thanks for any comments!
>
> Rainer
Re: [users@httpd] httxt2dbm - DB file not completely rewritten
Finally, I found that an issue was raised:

Bug 51372 httxt2dbm does not remove map entries <https://bz.apache.org/bugzilla/show_bug.cgi?id=51372>

It was solved by a documentation update in Apache trunk. As a matter of fact, the Apache 2.4 documentation says:

> If the output file already exists, it will not be truncated. New keys will be added and existing keys will be updated.

Apache 2.2 documentation was not updated yet.

2015-06-23 15:10 GMT+02:00 Antoine Prevosto :
> Hi Rainer,
>
> I have the same issue ... 5 years later ;) with Apache 2.2.22, and even with Apache 2.4.10.
>
> Did you get an explanation (or I will raise an issue).
>
> Thanks
> Antoine.
>
> 2010-04-01 13:32 GMT+02:00 Rainer Frey :
>> I use DBM rewrite maps (apache 2.2.9 - package 2.2.9-10+lenny6) on debian 5 with BerkeleyDB 4.6 (package 4.6.21-11). I generate the DB files with makefiles that call httxt2dbm on potentially already existing DB files.
>>
>> When entries are added to the source files, it works fine. But when entries are deleted from the source files, the DB files still contain the entries and lookup succeeds (and yes, I verified that the DB file is indeed updated). I also grepped the db file for the key to verify that it is indeed in the file (and not a cached result in apache).
>>
>> Is this a bug in httxt2dbm, or is my expectation wrong? Thanks for any comments!
>>
>> Rainer
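
Because httxt2dbm does not truncate an existing output file, a map regenerated in place keeps every key that was deleted from the source, so a retired rewrite target stays live. One way to rebuild from scratch, as an added example that is not part of the thread: `rebuild_map` and the `HTTXT2DBM` variable are hypothetical names, and the script assumes the `db` type, which keeps the map in a single file.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread.
# Assumptions: map type "db" (one output file); the caller passes its own paths.

# Path of the converter; overridable so the script can be pointed at a
# specific installation.
HTTXT2DBM="${HTTXT2DBM:-httxt2dbm}"

# rebuild_map SOURCE_TXT TARGET_DB
# Builds the DBM map into a path that does not exist yet, so no stale key can
# survive, then renames it over the live map. The rename is atomic on one
# filesystem, so lookups never see a missing or half-written file.
rebuild_map() {
    src=$1 dst=$2
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }

    # Scratch directory beside the target keeps the final mv on one filesystem.
    tmpdir=$(mktemp -d "$(dirname "$dst")/.mapbuild.XXXXXX") || return 1

    if "$HTTXT2DBM" -f db -i "$src" -o "$tmpdir/map.db" &&
       chmod 644 "$tmpdir/map.db" &&      # assumed mode: readable by httpd
       mv -f "$tmpdir/map.db" "$dst"      # new mtime invalidates cached lookups
    then
        rmdir "$tmpdir"
    else
        # Conversion or install failed: discard the partial build and keep
        # serving the previous map.
        rm -rf "$tmpdir"
        echo "rebuild failed; $dst left unchanged" >&2
        return 1
    fi
}
```

Called from a makefile rule as `rebuild_map rewrite.txt rewrite.db` (placeholder file names), it replaces a direct httxt2dbm call on the existing output file.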