Re: mod-cache-requestor plan

[Parin Shah]

On 7/15/05, Colm MacCarthaigh <[EMAIL PROTECTED]> wrote:
> On Fri, Jul 15, 2005 at 01:23:29AM -0500, Parin Shah wrote:
> > - we need to maintain a counter for url in this case which would
> > decide the priority of the url. But mainting this counter should be a
> > low overhead operation, I believe.
> 
> Is a counter strictly speaking the right approach? Why not a time of
> last access?
> 
> I havn't run a statistical analysis but based on my logs the likelyhood
> of a url being accessed is very highly correlated to how recently it has
> been accessed before. A truly popular page will always have been
> accessed recently, a page that is becoming popular (and therefore very
> likely to get future hits) will have been accessed recently and a page
> who's popularity is rapidly diminishing will not have been accessed
> recently.
> 

Last Access Time is definetaly better solution when compared to
counter mechanism. Would like to know other ppl's opinion too.

Thanks,
Parin.

Re: 2.0.55 Release

[Nick Kew]

On Fri, 15 Jul 2005, Sascha Kersken wrote:

> Hi Nick,
>
> > Are you aware that 2.1.x has builtin SQL support, through the apr_dbd
> > framework?  There's a MySQL driver for it, although it's not bundled
> > with Apache because it's GPL (for MySQL compatibility), and that's
> > not compatible with distribution from the ASF.
>
> I read about it on this list and find it very interesting, but
> unfortunately, I did not have the chance to try it out yet - my publisher
> would kill me for exceeding the deadline any longer ;-).
> Although I think it will not alter the way PHP/MySQL applications (the
> book's main topic) work dramatically right now, I still think it's a
> fascinating new feature and that some day soon, I should write a feature
> article about it for the book's companion web site. So thank you for your
> hint.

Another week could be interesting.  If any sufficiently senior
and/or listened-to MySQL people are seen at ApacheCon, we might
make some progress on the licensing issue:-)

-- 
Nick Kew

Re: [patch 1.3] The http_protocol.c C-L + T-E patch

[William A. Rowe, Jr.]

Ok, I'm a dork - those apr_'s are ap_'s in 1.3.  My bad - sorry.

Still a wise choice, grab it unmauled by email from
http://people.apache.org/~wrowe/httpd-1.3-proto-cl-te.patch

At 03:26 PM 7/15/2005, William A. Rowe, Jr. wrote:
>folks, the same patch Paul/Joe worked out for 2.1, then 2.0,
>should still probably fall on 1.3 even though proxy is not
>affected.  Other modules surely could be hit.
>
>Votes/Comments?  I think this is it for getting 1.3.34 out.
>
>Index: src/main/http_protocol.c
>===
>--- src/main/http_protocol.c(revision 209835)
>+++ src/main/http_protocol.c(working copy)
>@@ -1214,6 +1214,14 @@
> ap_log_transaction(r);
> return r;
> }
>+if (ap_table_get(r->headers_in, "Transfer-Encoding")
>+&& ap_table_get(r->headers_in, "Content-Length")) {
>+/* 2616 section 4.4, point 3: "if both Transfer-Encoding
>+ * and Content-Length are received, the latter MUST be
>+ * ignored"; so unset it here to prevent any confusion
>+ * later. */
>+ap_table_unset(r->headers_in, "Content-Length");
>+}
> }
> else {
> ap_kill_timeout(r);

[patch 1.3] The http_protocol.c C-L + T-E patch

[William A. Rowe, Jr.]

folks, the same patch Paul/Joe worked out for 2.1, then 2.0,
should still probably fall on 1.3 even though proxy is not
affected.  Other modules surely could be hit.

Votes/Comments?  I think this is it for getting 1.3.34 out.

Index: src/main/http_protocol.c
===
--- src/main/http_protocol.c(revision 209835)
+++ src/main/http_protocol.c(working copy)
@@ -1214,6 +1214,14 @@
 ap_log_transaction(r);
 return r;
 }
+if (apr_table_get(r->headers_in, "Transfer-Encoding")
+&& apr_table_get(r->headers_in, "Content-Length")) {
+/* 2616 section 4.4, point 3: "if both Transfer-Encoding
+ * and Content-Length are received, the latter MUST be
+ * ignored"; so unset it here to prevent any confusion
+ * later. */
+apr_table_unset(r->headers_in, "Content-Length");
+}
 }
 else {
 ap_kill_timeout(r);

Re: [patch 2.0] http body request/response/trace conformance

[William A. Rowe, Jr.]

At 03:03 PM 7/14/2005, William A. Rowe, Jr. wrote:
>To simplify - Jeff Joe and I reviewed two of the patches, and they
>are committed.  Two patches are available for comment;

changelog;

  *) Added TraceEnable [on|off|extended] per-server directive to alter
 the behavior of the TRACE method.  This addresses a flaw in proxy
 conformance to RFC 2616 - previously the proxy server would accept
 a TRACE request body although the RFC prohibited it.  The default
 remains 'TraceEnable on'.  [William Rowe]


>http://people.apache.org/~wrowe/httpd-2.0-trace.patch

and changelog;


  *) SECURITY: CAN-2005-2088
 proxy: Correctly handle the Transfer-Encoding and Content-Length
 headers.  Discard the request Content-Length whenever T-E: chunked
 is used, always passing one of either C-L or T-E: chunked whenever 
 the request includes a request body.  Resolves an entire class of
 proxy HTTP Request Splitting/Spoofing attacks.  [William Rowe]


The newest flavor based on my most recent commits from Roy and Jeff's
feedback is available at;

http://people.apache.org/~wrowe/httpd-2.0-proxy-request-2.patch

and 2.0 STATUS is updated accordingly.  Votes/Comments please?

>Although proxy-request.patch will evolve as this discussion
>continues; Jeff caused me to look, again, at the code and
>recognize another edge case already committed to trunk 
>(and also in the patch.)  proxy-request.patch will ultimately
>mirror what we agree to on trunk.
>
>And FYI, revert r219061 (below) from 2.1 or 2.0 to see the
>continued misbehavior of proxy without the proxy-request.patch.
>
>Bill
>
>--- httpd/httpd/branches/2.0.x/server/protocol.c (original)
>+++ httpd/httpd/branches/2.0.x/server/protocol.c Thu Jul 14 09:51:55 2005
>@@ -885,6 +885,15 @@
> apr_brigade_destroy(tmp_bb);
> return r;
> }
>+
>+if (apr_table_get(r->headers_in, "Transfer-Encoding")
>+&& apr_table_get(r->headers_in, "Content-Length")) {
>+/* 2616 section 4.4, point 3: "if both Transfer-Encoding
>+ * and Content-Length are received, the latter MUST be
>+ * ignored"; so unset it here to prevent any confusion
>+ * later. */
>+apr_table_unset(r->headers_in, "Content-Length");
>+}
> }
> else {
> if (r->header_only) {

Re: 2.0.55 Release

[Sascha Kersken]

Hi Bill,

> As Nick implies, stay tuned to this channel.  It's closing in.

I'm watching "httpd_tv" all day anyway, so I'm sure I won't miss it ;-).
Thanks.

Sascha

Re: 2.0.55 Release

[Sascha Kersken]

Hi Nick,

> Are you aware that 2.1.x has builtin SQL support, through the apr_dbd
> framework?  There's a MySQL driver for it, although it's not bundled
> with Apache because it's GPL (for MySQL compatibility), and that's
> not compatible with distribution from the ASF.

I read about it on this list and find it very interesting, but
unfortunately, I did not have the chance to try it out yet - my publisher
would kill me for exceeding the deadline any longer ;-).
Although I think it will not alter the way PHP/MySQL applications (the
book's main topic) work dramatically right now, I still think it's a
fascinating new feature and that some day soon, I should write a feature
article about it for the book's companion web site. So thank you for your
hint.

Regards
Sascha

Re: [patch 2.0] http body request/response/trace conformance

[William A. Rowe, Jr.]

At 06:14 AM 7/15/2005, Roy T. Fielding wrote:
>-1  This is a violation of HTTP:
>
>+if (apr_table_get(r->subprocess_env, "force-proxy-request-1.0")
>+ || ((r->proto_num < HTTP_VERSION(1,1))
>+ && !apr_table_get(r->subprocess_env, 
>"force-proxy-request-1.1"))) {
>
>In all cases except when specifically configured otherwise,
>the proxy must send HTTP/1.1 if it supports responses in HTTP/1.1.

Thanks for the clarification, Roy!

Bill

Re: svn commit: r218978 - in /httpd/httpd/trunk: CHANGES modules/proxy/mod_proxy_http.c

[William A. Rowe, Jr.]

At 06:34 AM 7/15/2005, Roy T. Fielding wrote:

>>All of it, except for the preference to RB_STREAM_CHUNKED when,
>>perhaps, we could be more sub-optimal, falling back on RB_SPOOL_CL.
>>
>>Many RB_STREAM_CL choices, before, were equally dangerous, and that
>>C-L == length_read test in the stream_reqbody_chunked() was meant
>>to exclude future abuse.
>
>We should be sending C-L if the brigade includes the entire message.
>CL is always preferred for requests.  The only time we should send
>T-E on a proxied request is if we cannot buffer enough of the
>received request to know how large it will be.

++1 and committed!  The solution was blindingly obvious, try to
fetch MAX_MEM_SPOOL bytes, and determine if we hit EOS before 
proceeding to elect -any- C-L or T-E method :)

The logic works out like this once it exceeds MAX_MEM_SPOOL;

  was it T-E?

Unless the user overrides by setting proxy-sendcl or by
setting force-proxy-downgrade-1.0, keep using T-E.
proxy-sendchunks causes proxy-sendcl to be ignored for this case.

  was it C-L?

Only stream (for unfiltered requests) or spool as C-L, unless
the user overrides with proxy-sendchunks (probably to specific
applications or servers that they are certain will handle 
chunked request bodies effectively.)
proxy-sendcl causes proxy-sendchunks to be ignored for this case.

Question for folks familiar with the input stack; should we loop
until MAX_MEM_SPOOL is hit, or is one call to the filter (as my
patch has done) enough to get about MAX_MEM_SPOOL bytes?

>>  * No longer upgrade HTTP/1.0 requests to the origin server as
>>HTTP/1.1 unless the force-proxy-request-1.1 envvar is set.
>>[William Rowe]
>
>-1 (veto), since it is a clear violation of
>   http://www.ietf.org/rfc/rfc2145.txt
>and the intent of HTTP versions.

Thanks!  Reverted.

Bill  

Re: 2.0.55 Release

[William A. Rowe, Jr.]

At 12:09 PM 7/15/2005, Nick Kew wrote:
>On Fri, 15 Jul 2005, Sascha Kersken wrote:
>
>> I am currently finishing the companion CD-ROM for my Beginners' Guide To
>> MySQL (for O'Reilly Germany). So I am wondering whether the announced
>> release 2.0.55 will be available within the next few days or whether I
>> should just use 2.0.54. Does anybody know an approximate release date
>yet?
>
>(as for your question, this list is where it gets decided, so the
>archives are your best answer)

As Nick implies, stay tuned to this channel.  It's closing in.

Bill

rc3 for testing (was Re: Apache Request problems with tildes)

[Joe Schaefer]

Joe Schaefer <[EMAIL PROTECTED]> writes:

> Marc Gràcia <[EMAIL PROTECTED]> writes:
>
>> The call to:
>>
>> my @values = $ar->param($parname);
>>
>> Only returns the params previous to the tilde ended param value (not
>> included).
>
> Thanks; see if this patch helps

Better yet: please test rc3 at

   http://people.apache.org/~joes/libapreq2-2.06-dev-rc3.tar.gz

-- 
Joe Schaefer

Re: 2.0.55 Release

[Nick Kew]

Subject: Re: 2.0.55 Release

On Fri, 15 Jul 2005, Sascha Kersken wrote:

> Hi,
>
> I am currently finishing the companion CD-ROM for my Beginners' Guide To
> MySQL (for O'Reilly Germany). So I am wondering whether the announced
> release 2.0.55 will be available within the next few days or whether I
> should just use 2.0.54. Does anybody know an approximate release date
yet?

Are you aware that 2.1.x has builtin SQL support, through the apr_dbd
framework?  There's a MySQL driver for it, although it's not bundled
with Apache because it's GPL (for MySQL compatibility), and that's
not compatible with distribution from the ASF.

(as for your question, this list is where it gets decided, so the
archives are your best answer)

-- 
Nick Kew

Re: Apache Request problems with tildes

[Joe Schaefer]

Marc Gràcia <[EMAIL PROTECTED]> writes:

> The call to:
>
> my @values = $ar->param($parname);
>
> Only returns the params previous to the tilde ended param value (not
> included).

Thanks; see if this patch helps

Index: library/util.c
===
--- library/util.c  (revision 216190)
+++ library/util.c  (working copy)
@@ -351,6 +351,11 @@
 *d = c;
 }
 
+else if (s + 1 >= end) {
+*d = c;
+*charset = APREQ_CHARSET_LATIN1;
+}
+
 /* utf8 cases */
 
 else if (c < 0xE0) {

-- 
Joe Schaefer

2.0.55 Release

[Sascha Kersken]

Hi,

I am currently finishing the companion CD-ROM for my Beginners' Guide To
MySQL (for O'Reilly Germany). So I am wondering whether the announced
release 2.0.55 will be available within the next few days or whether I
should just use 2.0.54. Does anybody know an approximate release date yet?

Regards
Sascha

P.S.: Of course, I would test-drive release candidates when available and
report building problems.

Re: svn commit: r218978 - in /httpd/httpd/trunk: CHANGES modules/proxy/mod_proxy_http.c

[Roy T. Fielding]

  * RFC 2616 says

"All HTTP/1.1 applications MUST be able to receive and decode the
 "chunked" transfer-coding, and MUST ignore chunk-extension 
extensions

 they do not understand."

I read this as "an HTTP/1.1 server must accept "chunked" or quit
reporting it complies with the HTTP/1.1 specification".


No, you should read it as an HTTP/1.1 server MUST be able to receive
and decode the "chunked" transfer-coding, because that's what I wrote.
In other words, it must be able to parse the message.


All of it, except for the preference to RB_STREAM_CHUNKED when,
perhaps, we could be more sub-optimal, falling back on RB_SPOOL_CL.

Many RB_STREAM_CL choices, before, were equally dangerous, and that
C-L == length_read test in the stream_reqbody_chunked() was meant
to exclude future abuse.


We should be sending C-L if the brigade includes the entire message.
CL is always preferred for requests.  The only time we should send
T-E on a proxied request is if we cannot buffer enough of the
received request to know how large it will be.


  * No longer upgrade HTTP/1.0 requests to the origin server as
HTTP/1.1 unless the force-proxy-request-1.1 envvar is set.
[William Rowe]


-1 (veto), since it is a clear violation of

   http://www.ietf.org/rfc/rfc2145.txt

and the intent of HTTP versions.

Roy

Re: [patch 2.0] http body request/response/trace conformance

[Roy T. Fielding]

-1  This is a violation of HTTP:

+if (apr_table_get(r->subprocess_env, "force-proxy-request-1.0")
+ || ((r->proto_num < HTTP_VERSION(1,1))
+ && !apr_table_get(r->subprocess_env, 
"force-proxy-request-1.1"))) {


In all cases except when specifically configured otherwise,
the proxy must send HTTP/1.1 if it supports responses in HTTP/1.1.

Roy

Re: mod-cache-requestor plan

[Colm MacCarthaigh]

On Fri, Jul 15, 2005 at 01:23:29AM -0500, Parin Shah wrote:
> - we need to maintain a counter for url in this case which would
> decide the priority of the url. But mainting this counter should be a
> low overhead operation, I believe.

Is a counter strictly speaking the right approach? Why not a time of
last access? 

They give slightly different results, but each is more useful than the
other in certain situations. Before htcacheclean existed, I used find
and simply deleted files in order of oldest atime attribute until I had
enough free space. 

That kind of behaviour was very useful in my situation (although it
involved mounting without the noatime mount option, which I dislike for
other reasons).

I havn't run a statistical analysis but based on my logs the likelyhood
of a url being accessed is very highly correlated to how recently it has
been accessed before. A truly popular page will always have been
accessed recently, a page that is becoming popular (and therefore very
likely to get future hits) will have been accessed recently and a page
who's popularity is rapidly diminishing will not have been accessed
recently.

-- 
Colm MacCárthaighPublic Key: [EMAIL PROTECTED]