Re: svn commit: r280884 - /httpd/mod_aspdotnet/trunk/mod/mod_aspdotnet.cpp

[Adrian Wilkins]

W. Rowe wrote

Ping(!)  Would appreciate if anyone would try testing this release and
replying on-list if virtual, files in fact really are working.  If not
I'll pull down the snapshot, if so I'll move forward on 'AspNet error'
to bypass Apache ErrorDocument handling.


Adrian says

This fixed the problem I had with error pages, which was that the
default ASP.NET generated page for customErrors mode=On / was
being served up just fine, but the more detailed page with stack trace
for customErrors mode=Off / was being replaced with the default
Apache ErrorDocument.

I don't have any ErrorDocument values explicitly defined. The ASP.NET
page with stack trace is now served properly, given juicy stacktrace
goodness to those people debugging.

With  customErrors mode=On defaultRedirect=BadThings.htm /,
BadThings.htm is also served correctly.

Don't know about virtual files though (are the error pages examples of
these?), but you fixed something real good...

NTLM authentication using mod_auth_sspi fails

[Adrian Wilkins]

Using mod_auth_sspi results in an exception in the WindowsIdentity class.

The user token is being sourced from the
System.Web.Hosting.SimpleWorkerRequest class which returns a null
pointer from the GetUserToken() method.

The ISAPIWorkerRequestInProc and ISAPIWorkerRequestOutOfProc classes
(same namespace) may or may not be appropriate replacements. Or
perhaps use the aspnet_isapi.dll methods EcbGetImpersonationToken or
PMGetImpersonationToken (in and out of process calls, repectively),
which are exposed also by the System.Web.UnsafeNativeMethods class.

Would just like to be able to avoid having to school my users in yet
another user/password combo, and just stick with NTLM as it's what
they are used to for their Subversion repo and Trac.


# Exception stack trace

[ArgumentException: Token cannot be zero.]
   System.Security.Principal.WindowsIdentity.CreateFromToken(IntPtr
userToken, String type, Boolean bClose) +145
   System.Security.Principal.WindowsIdentity..ctor(IntPtr userToken,
String type, WindowsAccountType acctType, Boolean isAuthenticated) +38
   System.Web.Security.WindowsAuthenticationModule.OnEnter(Object
source, EventArgs eventArgs) +372
   
System.Web.SyncEventExecutionStep.System.Web.HttpApplication+IExecutionStep.Execute()
+51
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step,
Boolean completedSynchronously) +87


## httpd.conf

#asp.net
#AspNetVersion v1.1.4322

LoadModule aspdotnet_module modules/mod_aspdotnet.so

AddHandler asp.net asax ascx ashx asmx aspx axd config cs csproj licx
rem resources resx soap vb vbproj vsdisco webinfo

IfModule mod_aspdotnet.cpp
  # Mount the ASP.NET /asp application
  AspNetMount /arty d:/www/localhost/htdocs/arty
  #/SampleASP is the alias name for asp.net to execute
  #c:/SampleASP is the actual execution of files/folders  in that location

  # Map all requests for /asp to the application files
  Alias /arty d:/www/localhost/htdocs/arty
  #maps /SampleASP request to c:/SampleASP
  #now to get to the /SampleASP type http://localhost/SampleASP
  #It'll redirect http://localhost/SampleASP to c:/SampleASP

  # Allow asp.net scripts to be executed in the /SampleASP example
  Directory d:/www/localhost/htdocs/arty
Options FollowSymlinks ExecCGI
Order allow,deny

AuthType SSPI
AuthName aspx
SSPIAuth On
SSPIAuthoritative On
SSPIOfferBasic On
require valid-user

Allow from all
DirectoryIndex index.htm index.aspx
   #default the index page to .htm and .aspx
  /Directory

  # For all virtual ASP.NET webs, we need the aspnet_client files
# to serve the client-side helper scripts.
AliasMatch /aspnet_client/system_web/(\d+)_(\d+)_(\d+)_(\d+)/(.*) \
  C:/Windows/Microsoft.NET/Framework/v$1.$2.$3/ASP.NETClientFiles/$4
Directory \
  C:/Windows/Microsoft.NET/Framework/v*/ASP.NETClientFiles
Options FollowSymlinks
Order allow,deny
Allow from all
/Directory
/IfModule
#asp.net

[jira] Commented: (MODPYTHON-77) The multiple interpreter concept of mod_python is broken for Python extension modules since Python 2.3

[Graham Dumpleton (JIRA)]

[ 
http://issues.apache.org/jira/browse/MODPYTHON-77?page=comments#action_12356765 
] 

Graham Dumpleton commented on MODPYTHON-77:
---

Just to make this problem even more complicated, due to how Mac OS X handles 
unloading of dynamically loaded modules, parts of the solution presented here 
so far may not actually work on that platform.

On Mac OS X, if one takes the initial basic solution of storing the first 
interpreter as the main_interpreter and nothing else, the original problem 
goes away, however, Apache will crash when apachectl restart is run.

The problem is that when a restart occurs, Apache doesn't actually kill the 
parent process. What it does is to unload any loaded Apache modules, such as 
mod_python.so and then it will be reload them again. This results in all 
global data within mod_python.so being thrown away. The python_init() 
function of the mod_python.so will be called again to reinitialise all the lost 
global data and start over, but it fails in doing this.

The reason it fails is that although mod_python.so is unloaded, the dynamically 
loaded Python framework isn't. The first consequence of this is that when 
calling python_init() the subsequent time, the Python framework is already 
initialised. Due to a previous workaround incorporated into python_init() 
specifically because of Mac OS X, this luckily doesn't stop us from at least 
trying to initialise mod_python again.

In initialising mod_python though, because the previous global data is lost, we 
need to store the initial interpreter state against main_interpreter again. To 
do this, PyThreadState_Get()-interp is used. For this to work though, it is 
necessary that the call to PyEval_InitThreads() just prior to that point in 
the code has acquired the global lock and set up a current thread state. This 
will only occur though for the very first call to PyEval_InitThreads(). Because 
the Python framework isn't unloaded and Python thus is already in an 
initialised state, the PyEval_InitThreads() call doesn't do anything. Because 
there is no valid active thread state, the call to PyThreadState_Get() fails.

One can see this when some extra debugging is added to mod_python. For Mac OS X 
we get:

# apachectl start

[Fri Nov 04 20:50:17 2005] [notice] mod_python: Creating 8 session mutexes 
based on 6 max processes and 25 max threads.
[Fri Nov 04 20:50:17 2005] [error] mp_initialized=0
[Fri Nov 04 20:50:17 2005] [error] Py_IsInitialized()=0
[Fri Nov 04 20:50:17 2005] [error] interpreters=0
[Fri Nov 04 20:50:18 2005] [error] save interpreter
[Fri Nov 04 20:50:18 2005] [error] pid=805
[Fri Nov 04 20:50:18 2005] [error] ppid=1
[Fri Nov 04 20:50:18 2005] [error] done save interpreter
[Fri Nov 04 20:50:18 2005] [error] get thread state
[Fri Nov 04 20:50:18 2005] [error] okay got thread state
[Fri Nov 04 20:50:18 2005] [error] released interpreter
[Fri Nov 04 20:50:18 2005] [notice] Apache/2.0.51 (Unix) mod_python/3.2.4b 
Python/2.3 configured -- resuming normal operations

# apachectl restart

[Fri Nov 04 20:50:26 2005] [warn] child process 807 still did not exit, sending 
a SIGTERM
[Fri Nov 04 20:50:27 2005] [notice] SIGHUP received.  Attempting to restart
[Fri Nov 04 20:50:27 2005] [notice] mod_python: Creating 8 session mutexes 
based on 2 max processes and 25 max threads.
[Fri Nov 04 20:50:27 2005] [error] mp_initialized=0
[Fri Nov 04 20:50:27 2005] [error] Py_IsInitialized()=1
[Fri Nov 04 20:50:27 2005] [error] interpreters=0
[Fri Nov 04 20:50:27 2005] [error] save interpreter
[Fri Nov 04 20:50:27 2005] [error] pid=805
[Fri Nov 04 20:50:27 2005] [error] ppid=1
Fatal Python error: PyThreadState_Get: no current thread
[Fri Nov 04 20:50:27 2005] [notice] seg fault or similar nasty error detected 
in the parent process

You can see how it is the same process ID, that Python is already marked as 
initailised, yet interpreters and the initialized flag which were global 
data in mod_python.so have gone back to being 0. Finally, the 
PyThreadState_Get() function dies.

If one looks at Linux, one instead sees:

# apachectl start

[Fri Nov 04 05:22:46 2005] [notice] mod_python: Creating 8 session mutexes 
based on 150 max processes and 0 max threads.
[Fri Nov 04 05:22:46 2005] [error] mp_initialized=0
[Fri Nov 04 05:22:46 2005] [error] Py_IsInitialized()=0
[Fri Nov 04 05:22:46 2005] [error] interpreters=0
[Fri Nov 04 05:22:46 2005] [error] save interpreter
[Fri Nov 04 05:22:46 2005] [error] pid=8757
[Fri Nov 04 05:22:46 2005] [error] ppid=1
[Fri Nov 04 05:22:46 2005] [error] done save interpreter
[Fri Nov 04 05:22:46 2005] [error] get thread state
[Fri Nov 04 05:22:46 2005] [error] okay got thread state
[Fri Nov 04 05:22:46 2005] [error] released interpreter
[Fri Nov 04 05:22:46 2005] [notice] Apache/2.0.55 (Unix) mod_python/3.2.4b 
Python/2.3.5 configured -- resuming normal operations

# apachectl restart

[Fri Nov 04 05:22:55 2005] [notice] SIGHUP received.  Attempting to restart
[Fri 

[jira] Updated: (MODPYTHON-77) The multiple interpreter concept of mod_python is broken for Python extension modules since Python 2.3

[Graham Dumpleton (JIRA)]

 [ http://issues.apache.org/jira/browse/MODPYTHON-77?page=all ]

Graham Dumpleton updated MODPYTHON-77:
--

Attachment: grahamd_20051105.tar.gz

Here is my first go at an alternate patch for this problem. Patch was made 
against SVN head, believed to be 3.2.4b.

All the change in effect does is save the first interpreter as 
main_interpreter, but most importantly it does this in Apache child process and 
not in the parent process before the fork occurs as was the case before. This 
avoids problems on Mac OS X where Apache would crash on restart and on Linux 
where Apache would crash after the request had been handled.

Note that this change doesn't use any of the PEP GIL specific calls nor does it 
do anything specific to make anything work on Python 2.3.5. Except for moving 
one thread state swap call from the parent process context to the child process 
context, all thread management code is the same.

The changes work fine on:

  Mac OS X (10.3.9) / Apache 2.0.51 (worker) / Python 2.3 (Apple OS Installed)
  Linux Fedora Code 2 / Apache 2.0.55 (prefork) / Python 2.3.5

Test example was gilstate.tar.gz attached to MODPYTHON-77.

Also passed on mod_python/test suite on Mac OS X. There were failures of test 
suite on Linux, but those failures occurred before patches were applied as well.

The changes need to be tested on Win32 Apache as well as system where no thread 
support compiled into Python.

For those of you following this issue, if you can test this change, indicate if 
it works or fails and if it fails indicate specifically how it is failing. From 
any failures can then start to understand the other changes Boyan has made and 
what is required and what isn't.


 The multiple interpreter concept of mod_python is broken for Python extension 
 modules since Python 2.3
 --

  Key: MODPYTHON-77
  URL: http://issues.apache.org/jira/browse/MODPYTHON-77
  Project: mod_python
 Type: Bug
   Components: core
 Versions: 3.1.4
  Environment: Python = 2.3
 Reporter: Boyan Boyadjiev
  Attachments: diff.txt, diff2.txt, diff3.txt, gil_test.c, gilstate.tar.gz, 
 grahamd_20051105.tar.gz, mod_python.c, mod_python.c.diff, mod_python.h.diff, 
 src.zip

 The multiple interpreter concept of mod_python is broken for Python extension 
 modules since Python 2.3 because of the PEP 311 (Simplified Global 
 Interpreter Lock Acquisition for Extensions):
 ...
 Limitations and Exclusions
 This proposal identifies a solution for extension authors with
 complex multi-threaded requirements, but that only require a
 single PyInterpreterState.  There is no attempt to cater for
 extensions that require multiple interpreter states.  At the time
 of writing, no extension has been identified that requires
 multiple PyInterpreterStates, and indeed it is not clear if that
 facility works correctly in Python itself.
 ...
 For mod_python this means, that complex Python extensions won't work any more 
 with Python = 2.3, because they are supposed to work only with the first 
 interpreter state initialized for the current process (a problem we 
 experienced). The first interpreter state is not used by mod_python after the 
 python_init is called. 
 One solution, which works fine for me, is to save the first interpreter state 
 into the interpreters dictionary in the function python_init 
 (MAIN_INTERPRETER is used as a key):
 static int python_init(apr_pool_t *p, apr_pool_t *ptemp,
apr_pool_t *plog, server_rec *s)
 {
 ...
 /* initialize global Python interpreter if necessary */
 if (! Py_IsInitialized())
 {
 /* initialze the interpreter */
 Py_Initialize();
 #ifdef WITH_THREAD
 /* create and acquire the interpreter lock */
 PyEval_InitThreads();
 #endif
 /* create the obCallBack dictionary */
 interpreters = PyDict_New();
 if (! interpreters) {
 ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, s,
  python_init: PyDict_New() failed! No more memory?);
 exit(1);
 }
 {   
 /*
 Workaround PEP 311 - Simplified Global Interpreter Lock 
 Acquisition for Extensions
 BEGIN
 */
 PyObject *p = 0;
 interpreterdata * idata = (interpreterdata 
 *)malloc(sizeof(interpreterdata));
 PyThreadState* currentThreadState = PyThreadState_Get();
 PyInterpreterState *istate = currentThreadState-interp;
 idata-istate = istate;
 /* obcallback will be created on first use */
 idata-obcallback = NULL;
 p = PyCObject_FromVoidPtr((void ) idata, NULL); /*p-refcout = 1*/
 PyDict_SetItemString(interpreters, MAIN_INTERPRETER, p); 
 /*p-refcout = 2*/
 

Re: Potential memory leak in /modules/cache/mod_mem_cache.c

[Xuekun Hu]

So, same reason. Also in file mod_mem_cache.c around line 786, there
is a malloc(mobj-m_len), and a few lines later, another
malloc(obj-count) is performed.

If the second malloc fails, I think also should add something like
  free(mobj-m);
  mobj-m = NULL;

reasonable?

Thx, Xuekun

On 11/3/05, Bill Stoddard [EMAIL PROTECTED] wrote:
 Christophe Jaillet wrote:
  Comments agains httpd-2.1.8-beta
  =
 
  In file mod_mem_cache.c (/modules/cache) around line 558, there is a malloc
  (*obj).
  A few lines later, another malloc (buf) is performed.
 
  If the second malloc fails, then we have (*obj = NULL) but I don't see
  anyway to free the memory allocated.
  I would have imagined something like
  free (*obj);
  *obj = NULL;
 
  Unless, as a newbie in apache, there is something I don't know about memory
  management in apache...
 
  Christophe JAILLET
 

 Agreed, looks like a bug and your fix looks right.

 Bill

Re: SSL enabled - nokeepalive in MSIE for non-SSL connections

[Joe Orton]

On Thu, Nov 03, 2005 at 03:37:10PM +0100, Olaf van der Spek wrote:
 Joe Orton wrote:
  All versions need unclean shutdown at least, not sure about keepalive.  If 
  you
  have new data to provide on this front that's great and very welcome, please
  send it to [EMAIL PROTECTED]  bugzilla is not a discussion or support 
  forum, however.
 
 I've been running without
 SetEnvIf User-Agent .*MSIE.* \
  nokeepalive ssl-unclean-shutdown \
  downgrade-1.0 force-response-1.0
 for a few months now and I haven't encountered any issues with IE.
 So I think it's safe to drop this work around.

Intesting to hear, thanks.  What range of MSIE versions are hitting your 
SSL site?

joe

Re: authn, authz and access. oh my.

[Graham Leggett]

Brandon Fosdick wrote:


Noobie question...what's the difference between authentication,

 authorization and access?

Authentication asks is this user who they say they are, this stage 
usually involves a username and password of some sort, or a certificate, 
etc.


Authorisation asks is this user allowed to access this resource. Here 
the require directive specifies whether just being known to the system 
is enough, or whether further group membership is required.


From a module perspective these two tasks are handled in two separate 
steps. Usually the second step relies on the first step, but it is still 
possible to be authenticated by one module (for example, an SSL 
certificate) and authorised by another module (for example, checking if 
the certificate DN is a member of an LDAP group).


Regards,
Graham
--


smime.p7s
Description: S/MIME Cryptographic Signature

Re: Problem with mod_proxy and ProxyPassReverse

[Graham Leggett]

Eric B. wrote:


# Production Server
Location /ASPTest/
ProxyPassReverse /
/Location
ProxyPass   /ASPTest/ http://192.168.100.1/

# Development  Test Server
Location /dev/ASPTest/
ProxyPassReverse /
/Location
ProxyPass   /dev/ASPTest/ http://192.168.100.1:8080/


Unless you are trying to do something special, the ProxyPassReverse 
lines should look like this:


ProxyPassReverse /ASPTest/ http://192.168.100.1/
ProxyPass/ASPTest/ http://192.168.100.1/

# Development  Test Server
ProxyPassReverse /dev/ASPTest/ http://192.168.100.1:8080/
ProxyPass/dev/ASPTest/ http://192.168.100.1:8080/

Make sure that your backend webservers agree that they are called 
http://192.168.100.1:8080;, otherwise ProxyPassReverse won't do anything.


The ProxyPassReverse is a simple find and replace string match on the 
prefix of the URL returned by the backend server during redirects. You 
had this prefix set to /, which won't match http://...;.


Another problem you may have is if hard coded references to the full 
site name are hard coded into your backend application. Proxy does not 
parse HTML, and so doesn't try any of the same find and replace magic 
inside the HTML itself.


If this is the case, either remove the references to the full site name 
from the backend, or introduce a mechanism to make sure the backend 
embeds the frontend world visible URL into the pages instead of your 
private http://192.168.0.1 URL.


Regards,
Graham
--


smime.p7s
Description: S/MIME Cryptographic Signature

Re: SSL enabled - nokeepalive in MSIE for non-SSL connections

[Olaf van der Spek]

On 11/4/05, Joe Orton [EMAIL PROTECTED] wrote:
 On Thu, Nov 03, 2005 at 03:37:10PM +0100, Olaf van der Spek wrote:
  Joe Orton wrote:
   All versions need unclean shutdown at least, not sure about keepalive.  
   If you
   have new data to provide on this front that's great and very welcome, 
   please
   send it to [EMAIL PROTECTED]  bugzilla is not a discussion or support 
   forum, however.
 
  I've been running without
  SetEnvIf User-Agent .*MSIE.* \
   nokeepalive ssl-unclean-shutdown \
   downgrade-1.0 force-response-1.0
  for a few months now and I haven't encountered any issues with IE.
  So I think it's safe to drop this work around.

 Intesting to hear, thanks.  What range of MSIE versions are hitting your
 SSL site?

It's only a small SSL site, used for administration tasks by a few people.
I've been using the latest versions of IE6 so based on that I know the
issue doesn't affect all IE versions (while the SetEnvIf matches all
versions).

[jira] Commented: (MODPYTHON-77) The multiple interpreter concept of mod_python is broken for Python extension modules since Python 2.3

[Boyan Boyadjiev (JIRA)]

[ 
http://issues.apache.org/jira/browse/MODPYTHON-77?page=comments#action_12356757 
] 

Boyan Boyadjiev commented on MODPYTHON-77:
--

Sorry - I didn't saw the change done for MODPYTHON-83. PyThreadState_Swap must 
be added in the non thread case of  release_interpreter.

With  smallest required change I just wanted to say, that if the GIL stuff is 
not going to be used in mod_python, there is still somehing to do in order to 
handle the Python thread state in a proper way since Python 2.3.5.

I think, that the most proper fix will be mod_python.?.diff + 
PyThreadState_Swap.

Now a different point regarding internal_redirect. What will hapen if 
interpreter1 call internal_redirect  into interpreter2? Could it be, that the 
block 
Py_BEGIN_ALLOW_THREADS
ap_internal_redirect(new_uri, self-request_rec);
Py_END_ALLOW_THREADS
is not sofficient any more and should be changed in something like this
   release_interpreter
   ap_internal_redirect(new_uri, self-request_rec);
   get_interpreter



 The multiple interpreter concept of mod_python is broken for Python extension 
 modules since Python 2.3
 --

  Key: MODPYTHON-77
  URL: http://issues.apache.org/jira/browse/MODPYTHON-77
  Project: mod_python
 Type: Bug
   Components: core
 Versions: 3.1.4
  Environment: Python = 2.3
 Reporter: Boyan Boyadjiev
  Attachments: diff.txt, diff2.txt, diff3.txt, gil_test.c, gilstate.tar.gz, 
 mod_python.c, mod_python.c.diff, mod_python.h.diff, src.zip

 The multiple interpreter concept of mod_python is broken for Python extension 
 modules since Python 2.3 because of the PEP 311 (Simplified Global 
 Interpreter Lock Acquisition for Extensions):
 ...
 Limitations and Exclusions
 This proposal identifies a solution for extension authors with
 complex multi-threaded requirements, but that only require a
 single PyInterpreterState.  There is no attempt to cater for
 extensions that require multiple interpreter states.  At the time
 of writing, no extension has been identified that requires
 multiple PyInterpreterStates, and indeed it is not clear if that
 facility works correctly in Python itself.
 ...
 For mod_python this means, that complex Python extensions won't work any more 
 with Python = 2.3, because they are supposed to work only with the first 
 interpreter state initialized for the current process (a problem we 
 experienced). The first interpreter state is not used by mod_python after the 
 python_init is called. 
 One solution, which works fine for me, is to save the first interpreter state 
 into the interpreters dictionary in the function python_init 
 (MAIN_INTERPRETER is used as a key):
 static int python_init(apr_pool_t *p, apr_pool_t *ptemp,
apr_pool_t *plog, server_rec *s)
 {
 ...
 /* initialize global Python interpreter if necessary */
 if (! Py_IsInitialized())
 {
 /* initialze the interpreter */
 Py_Initialize();
 #ifdef WITH_THREAD
 /* create and acquire the interpreter lock */
 PyEval_InitThreads();
 #endif
 /* create the obCallBack dictionary */
 interpreters = PyDict_New();
 if (! interpreters) {
 ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, s,
  python_init: PyDict_New() failed! No more memory?);
 exit(1);
 }
 {   
 /*
 Workaround PEP 311 - Simplified Global Interpreter Lock 
 Acquisition for Extensions
 BEGIN
 */
 PyObject *p = 0;
 interpreterdata * idata = (interpreterdata 
 *)malloc(sizeof(interpreterdata));
 PyThreadState* currentThreadState = PyThreadState_Get();
 PyInterpreterState *istate = currentThreadState-interp;
 idata-istate = istate;
 /* obcallback will be created on first use */
 idata-obcallback = NULL;
 p = PyCObject_FromVoidPtr((void ) idata, NULL); /*p-refcout = 1*/
 PyDict_SetItemString(interpreters, MAIN_INTERPRETER, p); 
 /*p-refcout = 2*/
 Py_DECREF(p); /*p-refcout = 1*/
 /*
 END
 Workaround PEP 311 - Simplified Global Interpreter Lock 
 Acquisition for Extensions
 */
 }
 /* Release the thread state because we will never use
  * the main interpreter, only sub interpreters created later. */
 PyThreadState_Swap(NULL);
 #ifdef WITH_THREAD
 /* release the lock; now other threads can run */
 PyEval_ReleaseLock();
 #endif
 }
 return OK;
 }
 Another change I've made in the attached file is to Py_DECREF(p) in 
 get_interpreter, which will remove leaky reference to the PyCObject with the 
 interpreter data. This was not a real problem, but now 

Re: svn commit: r227435 - in /httpd/httpd/branches/2.0.x: CHANGES STATUS modules/proxy/proxy_util.c

[André Malo]

Anyone?

* Andr__ Malo [EMAIL PROTECTED] wrote:

 * [EMAIL PROTECTED] wrote:
 
  Author: jim
  Date: Thu Aug  4 10:07:57 2005
  New Revision: 227435
 
  URL: http://svn.apache.org/viewcvs?rev=227435view=rev
  Log:
  mod_proxy: Fix over-eager handling of '%' for reverse proxies.  PR 29554.
 
 Note that this patch broke certain RewriteRules out there, which proxy URLs 
 with path parameters (http://foo/bar;param?query). It might be questionable 
 if the Rules were written wrong in the first place, but they are broken by 
 the update to 2.0.55 now.
 
 For example, I have something like this (shortened):
 RewriteMap e int:escape
 RewriteRule ^/+(.*) \
 http://backend/${e:$1}?i=${e:%{REMOTE_ADDR}}%{ENV:NEW_QUERY} [P,NE]
 
 If $1 contains a ';', it is escaped by the map to %3B but no longer 
 unescaped by mod_proxy.
 
 A possible solution would be, of course to be more careful with the rule 
 (splitting at the ;). A more general solution would be to add ; to the safe 
 T_OS_ESCAPE_PATH characters in gen_test_char.c. I'd prefer to do the latter 
 but dunno if there may be problems on non-unices.
 
 What do you think?
 
 nd
 -- 
 Das Verhalten von Gates hatte mir bewiesen, dass ich auf ihn und seine
 beiden Gefährten nicht zu zählen brauchte -- Karl May, Winnetou III
 
 Im Westen was neues: http://pub.perlig.de/books.html#apache2
 

Re: cache trouble (Re: [vote] 2.1.9 as beta)

[Graham Leggett]

Nick Kew wrote:


I'm not convinced by that either.  In fact, I dislike the whole run it in a
quick handler principle - it runs a supertanker through the KISS principle,
and has consequently left us with a cache that never really worked.
Even if we fix this, it's sure to have a high bugrate for the forseeable
future precisely because it violates KISS.


The principle behind running it in a quick handler in the original 
design was so that the cache could work as a 100% standards compliant 
HTTP/1.1 caching proxy, as described in section 13 of RFC2616.


RFC2616 is well understood, and already nails down all security issues 
to do with proxy caching. Making the cache follow a widely accepted and 
known to work standard follows the KISS principle.


Over time, the cache has slowly moved backwards from being as far 
forward on the frontend of the filter stack as possible, to further and 
further back into the webserver itself.


In the process, the cache becomes less and less compliant with RFC2616, 
which has made it more difficult to understand and more complex to 
implement.


The httpd cache is simply yet another cache in the chain of HTTP/1.1 
caches that are typically present when a browser accepts a page from a 
website. The authentication issue is handled by RFC2616 already, and as 
long as httpd mod_cache conforms to the correct headers handling, and 
works like the other proxies in the chain, then authentication is not a 
problem.


Regards,
Graham
--


smime.p7s
Description: S/MIME Cryptographic Signature

Re: Potential memory leak in /modules/cache/mod_mem_cache.c

[Bill Stoddard]

Xuekun Hu wrote:

So, same reason. Also in file mod_mem_cache.c around line 786, there
is a malloc(mobj-m_len), and a few lines later, another
malloc(obj-count) is performed.

If the second malloc fails, I think also should add something like
  free(mobj-m);
  mobj-m = NULL;

reasonable?


No.  Once a cache object is allocated, it will be cleaned up by cleanup_cache_object when the reference count 
drops to 0. To understand how this works, find this line of code.


   apr_pool_cleanup_register(r-pool, obj, decrement_refcount,
  apr_pool_cleanup_null);

When r-pool is cleaned up, decrement_refcount is called. decrement_refcount will call cleanup_cache_onject 
when the refcount goes to 0.


Bill

Re: authn, authz and access. oh my.

[Brad Nicholes]

 On 11/3/2005 at 10:38 pm, in message [EMAIL PROTECTED],
[EMAIL PROTECTED] 
wrote:
 As if the old system wasn't hard enough to wrap one's head around.
Just when 
 I had it figured out enough to go and write mod_auth_userdir you guys
go and 
 change things on me.
 
 BTW, when did this change? I've been lurking on this list since July
and 
 have only recently heard about this. Was it a secret or did I miss
it?

   The authentication module refactoring actually took place about two
years ago.  The problem is that it is new functionality that is not
necessarily backward compatible so it had to wait for Apache 2.2.  But
it has been available for testing and evaluating for quite a while.


 
 Also...I was originally toying with the idea of folding auth[n|z|?]
stuff 
 into mod_dav_userdir, just to have it all taken care of in one place.
Any 
 thoughts on that idea? Feasible? Bad news?

   I actually did this with mod_authnz_ldap mainly because there was
too much information and resources that would have had to be shared or
reconstructed between the two modules.  The upside is that unless you
have a need to implement some special type of authorization, you can rip
all of the authorization stage from your module and rely on the existing
authz modules.  Then all you really need to worry about is what your
module needs to do for authentication (authn).  The other good news is
that there is plenty of example code.

Brad

Re: cache trouble (Re: [vote] 2.1.9 as beta)

[Joshua Slive]

Graham Leggett wrote:
The httpd cache is simply yet another cache in the chain of HTTP/1.1 
caches that are typically present when a browser accepts a page from a 
website. The authentication issue is handled by RFC2616 already, and as 
long as httpd mod_cache conforms to the correct headers handling, and 
works like the other proxies in the chain, then authentication is not a 
problem.


I agree with you about 90%.  The problem is that there are a very few 
things that aren't accounted for in standard HTTP caching rules.  One 
example is Varying access by client IP address.  Another example is 
changing protocol behavior when communicating with the client. 
Reasonable proxy administrators may want to do these things.


Joshua.

Re: Omission in the documentation

[Joe Schaefer]

Bengt-Arne Fjellner [EMAIL PROTECTED] writes:

 The documentation for APR::Request ought to mention that atleast jar
 and params returns undef if there is no cookie/param

done.
-- 
Joe Schaefer

Re: cache trouble (Re: [vote] 2.1.9 as beta)

[Brian Akins]

Joshua Slive wrote:

I haven't looked carefully at the code, but I don't believe 
protocol-level things like the force-response-1.0 variable are stored in 
the cache.


If it's a global setenvif variable (runs is post-read, before 
quick-handler), then these adjustments work, because 
force-response-1.0 and others are at the protocol level, mod_cache 
doesn't cache whether it was a 1.0 or 1.1 response.


--
Brian Akins
Lead Systems Engineer
CNN Internet Technologies

Re: cache trouble (Re: [vote] 2.1.9 as beta)

[Graham Leggett]

Joshua Slive said:

 I agree with you about 90%.  The problem is that there are a very few
 things that aren't accounted for in standard HTTP caching rules.  One
 example is Varying access by client IP address.

I can't see how you could have any meaningful caching at all if the
content is varied by IP address, unless you had the IP address in a header
and did some clever caching of variants.

In this case you'd probably not use the cache at all for this part of the
URL space.

 Another example is
 changing protocol behavior when communicating with the client.

What protocol behaviour would change, can you give an example?

Regards,
Graham
--

Re: cache trouble (Re: [vote] 2.1.9 as beta)

[William A. Rowe, Jr.]

I almost tried to snip the comments below in my reply, and there was nothing
I could clip out - thank you Graham for explaining so clearly the entire design
principals of how and why mod_proxy does exactly what it does.

It leaves us wondering; how can allow from/deny from n.n.n.n be mapped to
RFC 2616 semantics, or at least, without running the many server hooks on
later requests?  The only way I can see, is that we should have any more
explicit allow from/deny from leave a marker in the request record from that
authorization phase, and mark it nocache if the request doesn't otherwise
set the authentication required headers.

Thoughts?

Graham Leggett wrote:

Nick Kew wrote:

I'm not convinced by that either.  In fact, I dislike the whole run 
it in a
quick handler principle - it runs a supertanker through the KISS 
principle,

and has consequently left us with a cache that never really worked.
Even if we fix this, it's sure to have a high bugrate for the forseeable
future precisely because it violates KISS.



The principle behind running it in a quick handler in the original 
design was so that the cache could work as a 100% standards compliant 
HTTP/1.1 caching proxy, as described in section 13 of RFC2616.


RFC2616 is well understood, and already nails down all security issues 
to do with proxy caching. Making the cache follow a widely accepted and 
known to work standard follows the KISS principle.


Over time, the cache has slowly moved backwards from being as far 
forward on the frontend of the filter stack as possible, to further and 
further back into the webserver itself.


In the process, the cache becomes less and less compliant with RFC2616, 
which has made it more difficult to understand and more complex to 
implement.


The httpd cache is simply yet another cache in the chain of HTTP/1.1 
caches that are typically present when a browser accepts a page from a 
website. The authentication issue is handled by RFC2616 already, and as 
long as httpd mod_cache conforms to the correct headers handling, and 
works like the other proxies in the chain, then authentication is not a 
problem.


Regards,
Graham
--

Re: cache trouble (Re: [vote] 2.1.9 as beta)

[Joshua Slive]

Graham Leggett wrote:

Joshua Slive said:


I agree with you about 90%.  The problem is that there are a very few
things that aren't accounted for in standard HTTP caching rules.  One
example is Varying access by client IP address.


I can't see how you could have any meaningful caching at all if the
content is varied by IP address, unless you had the IP address in a header
and did some clever caching of variants.

In this case you'd probably not use the cache at all for this part of the
URL space.


This is the case we've been discussing where someone wishes to, for 
example, restrict a reverse proxy to a particular network.  I agree that 
it can't be done with standard caching rules, which is the problem.  I 
don't think it is a huge problem, but I'm sure there are people who wish 
to run a host-restricted proxy.





Another example is
changing protocol behavior when communicating with the client.


What protocol behaviour would change, can you give an example?


force-response-1.0, for example.  Brian points out that this could still 
work if it was global.  But you couldn't apply particular protocol 
adjustments to particular areas of the URL-space.  This probably isn't a 
big problem.



Joshua.

Re: cache trouble (Re: [vote] 2.1.9 as beta)

[Ruediger Pluem]

On 11/04/2005 08:20 PM, Joshua Slive wrote:
 
 
 Graham Leggett wrote:

[..cut..]


 In this case you'd probably not use the cache at all for this part of the
 URL space.
 
 
 This is the case we've been discussing where someone wishes to, for
 example, restrict a reverse proxy to a particular network.  I agree that
 it can't be done with standard caching rules, which is the problem.  I
 don't think it is a huge problem, but I'm sure there are people who wish
 to run a host-restricted proxy.

What about forward proxies that should only be usable from certain client IP's?
I admit I haven't tested so far, but these should fail also.

Regards

Rüdiger

Re: mod_deflate Vary header

[Ruediger Pluem]

On 11/04/2005 07:36 AM, Florian Zumbiehl wrote:


[..cut..]

 
Maybe I'm pessimistic, but I think, omitting the Vary header for
uncompressed ressources will lead to poisoned caches, which statistically
nearly always will request the uncompressed variant and so actually
*add* load to your server's bandwidth.
 
 
 Hu? Erm, could it be that you are thinking of load-reducing caches put
 directly in front of the web server? In that case, I wonder how the web
 server's bandwidth could be the bottleneck?!
 
 To put this straight: I was thinking about web servers behind
 V.90/ISDN/ADSL lines where _that_ line  usually will be the bottleneck
 on any connections to the outside world and about caching proxies
 in that outside world ...

Yes, but if you do compression because some of your clients have low bandwith
connections (but are capable of receiving compressed pages) and access your
server via a proxy then not sending the Vary header can poison the cache in a 
way
you do not want. Because if the client which causes the proxy to cache the 
response
is not capable to receive compressed pages will cause the proxy to cache *only* 
the
uncompressed version of the page.

Regards

Rüdiger

Re: mod_deflate Vary header

[TOKILEY]

This has been discussed many times before and no one
seems to understand what the fundamental problem is.

It is not with the servers at all, it is with the CLIENTS.

What both of you are saying is true... whether you "Vary:"
on "Content-encoding" and/or "User-agent" or not... there
is a risk of getting the wrong content ( compressed versus
uncompressed ) "stuck" in a downstream cache.

It is less and less likely these days that the cache will receive
a request from a client that CANNOT "decompress", but still
possible. Handling requests from clients that cannot decompress
have become ( at long last ) the "fringe" cases but are
no less important than ever.

Microsoft Internet Explorer ( all versions ) will REFUSE to cache
anything locally if it shows up with any "Vary:" headers on it.
Period. End of sentence.

So you might think you are doing your downstream clients a
favor by tacking on a "Vary:" header to the compressed data
so it gets 'stored' somewhere close to them... but you would
be wrong.

If you don't put a "Vary:" header on it... MSIE will, in fact, 
cache the compressed response locally and life is good.
The user won't even come back for it until it's expired on
their own hard drive or they clear their browser cache.

However... if you simply add a "Vary:" header to the same
compressed response... MSIE now refuses to cache that
response at all and now you create a "thundering herd"
scenario whereby the page is never local to the user for
any length of time and each "forward" or "back" button
hit causes the client to go upstream for the page each
and every time. Even if there is a cache nearby you would
discover that the clients are nailing it each and every time
for the same page just because it has a "Vary:" header on it.

I believe Netscape has the same problem(s).
I don't use Netscape anymore.
Anyone know for sure if Netscape actually stores "variants"
correctly in local browser cache?

Yours...
Kevin Kiley



In a message dated 11/4/2005 4:55:02 PM Central Standard Time, [EMAIL PROTECTED] writes:


On 11/04/2005 07:36 AM, Florian Zumbiehl wrote:


[..cut..]

 
Maybe I'm pessimistic, but I think, omitting the Vary header for
uncompressed ressources will lead to "poisoned" caches, which statistically
nearly always will request the uncompressed variant and so actually
*add* load to your server's bandwidth.
 
 
 Hu? Erm, could it be that you are thinking of load-reducing caches put
 directly in front of the web server? In that case, I wonder how the web
 server's bandwidth could be the bottleneck?!
 
 To put this straight: I was thinking about web servers behind
 V.90/ISDN/ADSL lines where _that_ line usually will be the bottleneck
 on any connections to the outside world and about caching proxies
 in that outside world ...

Yes, but if you do compression because some of your clients have low bandwith
connections (but are capable of receiving compressed pages) and access your
server via a proxy then not sending the Vary header can "poison" the cache in a way
you do not want. Because if the client which causes the proxy to cache the response
is not capable to receive compressed pages will cause the proxy to cache *only* the
uncompressed version of the page.

Regards

Rüdiger

Re: Documentation TODOs for 2.2

[Sander Temme]

On Oct 30, 2005, at 2:05 PM, Nick Kew wrote:


I'm just looking at docs/2.1 and noting some existing pages that  
definitely
need updating.  No reference to pages that need writing, or to non- 
English
versions of anything.  I might tackle some of these myself, but no  
promises.


*** = really important, ** = should do, * = would be nice



I just upgraded www.apache.org to 2.1.9, and the main holdup was the  
authn/authz modules... I'd put three stars *** next to some  
documentation on upgrading a given 2.0 AAA configuration to its 2.2  
equivalent.


S.

--
[EMAIL PROTECTED]  http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF




smime.p7s
Description: S/MIME cryptographic signature

Edge connection filter cannot be removed?

[Paul Querna]

This is currently listed as a show stopper in the 2.2.x/STATUS file:


The edge connection filter cannot be removed:

http://marc.theaimsgroup.com/?l=apache-httpd-devm=105366252619530w=2

jerenkrantz asks: Why should this block a release?

stas replies: because it requires a rewrite of the filters stack
implementation (you have suggested that) and once 2.2 is released you
can't do that anymore.


I believe that this is really a feature enhancement.  It is not a
regression from the 2.0.xx branch.  I don't believe it should be a show
stopper for 2.2.x.

If there is support to change the edge connection filters, get it into
trunk first.  Once it is in trunk, we can have a better handle on back
port it to any branches.

What does everyone think?  I would like to remove this as a show stopper
in a week if there are no objections.

Thanks,

-Paul