Apache sub-requests

2008-08-29 Thread Roy Wellington
I'm currently trying to port mod_auth_script, an Apache 1.x module that
used the result of a script to allow/deny an authentication. The issue
I'm currently running into is sub requests - it seems that whatever
output and return code my module's sub request returns is what gets
sent to the web browser. What should happen is:
User asks for page.
Module makes a sub request to script.
Script returns a 200 OK, with a certain header set to allow or deny.
Module gives web browser either a 403 or the result of the
original request.

Currently I'm always getting 200 (even on bad credentials), and the
returned document is the output of the script. (Just the body, not the
headers.)
I'm currently doing this as an AuthBasicProvider module. The following
works, perfectly:

static authn_status authn_check_password(request_rec *r, const char *user,
                                         const char *password)
{
    /* Hard-coded test credentials */
    if (0 == strcmp("Joe", user) &&
        0 == strcmp("bob", password))
    {
        return AUTH_GRANTED;
    }
    return AUTH_DENIED;
}

However, if I add these three lines at the top:
    subreq = ap_sub_req_lookup_file("/path/to/script.php", r, NULL);
    ret = ap_run_sub_req(subreq);
    ap_destroy_sub_req(subreq);

I get the odd behavior above. Just adding these three lines alone
should be essentially a no-op, aside from any side effects of having
the php script invoked. But they're not. The ap_sub_req_lookup_file
call returns 200, the ap_run_sub_req returns 0.

Where am I going wrong with sub requests? How exactly do these work?
The original mod_auth_script is here: http://mod-auth-script.sourceforge.net/
-Roy Wellington


Re: APR DBD: Column names from query

2008-08-29 Thread Nick Kew

Dave Ingram wrote:

> First off, if this isn't the correct place to ask this then I apologise,
> but it seemed the most appropriate list. If there's somewhere more
> appropriate, please let me know.
>
> I've had a quick look for some information on accessing a database via
> APR, and after glancing through the header files, I still have a
> question: is it possible to get the column names from the query results?

Yes, with sufficiently up-to-date versions of apr_dbd and mod_dbd.
Hints about how it works can be found in the relevant CHANGES files.

Sorry to be terse, but it would take too long to dig up URLs
from here.

> <SQLRepeat SELECT baz, bar, qux FROM sometable WHERE baz='foo'>
> <VirtualHost *:80>
>   DocumentRoot /www/root/path/$baz
>   ServerName $bar
>   ServerAdmin $qux
> </VirtualHost>
> </SQLRepeat>


Interesting idea.  Are you familiar with mod_vhost_dbd, and even
mod_macro, which do somewhat-related things?

--
Nick Kew


Re: APR DBD: Column names from query

2008-08-29 Thread Dave Ingram
Nick Kew wrote:
> Dave Ingram wrote:
>
>> First off, if this isn't the correct place to ask this then I apologise,
>> but it seemed the most appropriate list. If there's somewhere more
>> appropriate, please let me know.
>>
>> I've had a quick look for some information on accessing a database via
>> APR, and after glancing through the header files, I still have a
>> question: is it possible to get the column names from the query results?
>
> Yes, with sufficiently up-to-date versions of apr_dbd and mod_dbd.
> Hints about how it works can be found in the relevant CHANGES files.
>
> Sorry to be terse, but it would take too long to dig up URLs
> from here.

That's fine - all I really wanted was to know if it's possible, and a
nudge in the right direction -- thanks!

> [snip - moved lower and improved]
>
> Interesting idea.  Are you familiar with mod_vhost_dbd, and even
> mod_macro, which do somewhat-related things?

Yes indeed, although I only used the VirtualHost example as it's the
most often-used. Unless I'm much mistaken, mod_vhost_dbd only allows you
to set the document root, and all other mass virtualhosting solutions
that I've seen are quite limited -- nowhere near this flexible.

Say you wanted to add some redirects to your virtual hosts too, after
the directories have been rearranged, for example... as far as I know,
no module allows you to do anything like this:

<SQLRepeat SELECT baz, bar, qux FROM sometable WHERE baz='foo'>
<VirtualHost *:80>
  DocumentRoot /www/root/path/$baz
  ServerName $bar
  ServerAdmin $qux
  <SQLRepeat SELECT was, now FROM redirects WHERE type='permanent' AND servername = ? $bar>
    RedirectPermanent $was $now
  </SQLRepeat>
</VirtualHost>
</SQLRepeat>

If you're interested, I've posted a bit more about it on my blog while
I'm still fleshing out the idea:
http://www.dmi.me.uk/blog/2008/08/13/modules-for-apache-and-php/

I've been looking at mod_macro for inspiration and to see how it does
the substitution/re-parsing, and I think I may end up borrowing a few
chunks of its code to avoid re-inventing the wheel...


Dave


Re: Apache sub-requests

2008-08-29 Thread Sorin Manolache
On Fri, Aug 29, 2008 at 20:52, Roy Wellington [EMAIL PROTECTED] wrote:
> I'm currently trying to port mod_auth_script, an Apache 1.x module that
> used the result of a script to allow/deny an authentication. The issue
> I'm currently running into is sub requests - it seems that whatever
> output and return code my module's sub request returns is what gets
> sent to the web browser. What should happen is:
> User asks for page.
> Module makes a sub request to script.
> Script returns a 200 OK, with a certain header set to allow or deny.
> Module gives web browser either a 403 or the result of the
> original request.
>
> Currently I'm always getting 200 (even on bad credentials), and the
> returned document is the output of the script. (Just the body, not the
> headers.)
> I'm currently doing this as an AuthBasicProvider module. The following
> works, perfectly:
>
> static authn_status authn_check_password(request_rec *r, const char *user,
>                                          const char *password)
> {
>     if (0 == strcmp("Joe", user) &&
>         0 == strcmp("bob", password))
>     {
>         return AUTH_GRANTED;
>     }
>     return AUTH_DENIED;
> }
>
> However, if I add these three lines at the top:
>     subreq = ap_sub_req_lookup_file("/path/to/script.php", r, NULL);
>     ret = ap_run_sub_req(subreq);
>     ap_destroy_sub_req(subreq);
>
> I get the odd behavior above. Just adding these three lines alone
> should be essentially a no-op, aside from any side effects of having
> the php script invoked. But they're not. The ap_sub_req_lookup_file
> call returns 200, the ap_run_sub_req returns 0.
>
> Where am I going wrong with sub requests? How exactly do these work?
> The original mod_auth_script is here: http://mod-auth-script.sourceforge.net/


The behaviour you're describing is a feature. It is designed to be
like that. The subrequest sends data to the client. By the time you
set the status of the main request to AUTH_DENIED the header line
HTTP 200 OK set by the subrequest is already gone to the client.

In order to avoid this, write a filter and add it after the
ap_sub_req_lookup_file(path, r, NULL) call.

In the filter, you parse the incoming bucket brigades (containing
(parts of) the response of the php script), but you never pass the
brigades down the filter chain. So in the filter, you simply pass the
output and return APR_SUCCESS or a failure, but don't do return
ap_pass_brigade(f->next, bb). Thus, nothing is passed to the client at
the end of the subrequest execution.

S
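
A self-contained model of the behaviour described in this reply, added here as an example (not code from the thread or from httpd). The filter struct and the client_out, swallow, run_script and check_password names are simplified stand-ins, not the real ap_filter_t or bucket-brigade API. It shows the script body reaching the client when the subrequest writes straight into the main chain, and nothing reaching it when a filter that never passes data on sits in front.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for httpd's output filter chain (not the real
 * ap_filter_t / bucket brigade API): each filter sees data and decides
 * whether to hand it to the next filter. */
typedef struct filter filter;
struct filter {
    int (*fn)(filter *f, const char *data);
    filter *next;
    char sent[256];              /* bytes that reached the client */
};

/* End of the chain: anything arriving here goes out on the wire. */
static int client_out(filter *f, const char *data) {
    strncat(f->sent, data, sizeof f->sent - strlen(f->sent) - 1);
    return 0;
}

/* Filter described in the reply: consume the data, report success,
 * and never pass it to f->next. */
static int swallow(filter *f, const char *data) {
    (void)f; (void)data;
    return 0;
}

/* Constructed stand-in for the auth script run as a subrequest: it
 * writes a body downstream and returns its allow/deny header value. */
static const char *run_script(filter *out, const char *user, const char *pw) {
    out->fn(out, "script body\n");
    return (strcmp(user, "Joe") == 0 && strcmp(pw, "bob") == 0) ? "allow" : "deny";
}

/* 1 = granted, 0 = denied. use_filter=0 reproduces the leak from the
 * question; use_filter=1 puts the swallowing filter in front. */
static int check_password(filter *client, const char *user,
                          const char *pw, int use_filter) {
    filter guard = { swallow, client, "" };
    const char *verdict = run_script(use_filter ? &guard : client, user, pw);
    return strcmp(verdict, "allow") == 0;   /* anything else fails closed */
}

int main(void) {
    filter leaky = { client_out, NULL, "" }, fixed = { client_out, NULL, "" };
    int a = check_password(&leaky, "Joe", "wrong", 0);
    int b = check_password(&fixed, "Joe", "wrong", 1);
    printf("no filter:   granted=%d client saw %zu bytes\n", a, strlen(leaky.sent));
    printf("with filter: granted=%d client saw %zu bytes\n", b, strlen(fixed.sent));
    return 0;
}
```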


AW: FWD: Testing modules using Python

2008-08-29 Thread Steven.Mohr
Hi Peter,
I've fixed my problem. Your advice was really helpful, the only thing I had to 
change was to replace server/exports.o with server/protocol.o modules.o 
buildmark.o  server/provider.o server/util_xml.o server/error_bucket.o and 
everything works fine. 

Thanks again for your help

Steven

 
 Steven Mohr
 Bachelor student
 
 DLR (German Aerospace Center), 
 Simulation and Software Technology
 Linder Hoehe, 51147 Cologne, Germany
 voice: +49 2203 601 2956  fax: +49 2203 601 3070
 eMail: steven.mohr at dlr.de  http://www.dlr.de/sc

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 27 August 2008 20:51
To: dev@httpd.apache.org
Subject: AW: FWD: Testing modules using Python

Hi Peter,
I've followed your instruction. The shared object which is created has a size 
of 5 kB. Is this right? It seems to be very small. There are still undefined 
symbols of functions like ap_filter_flush, ap_is_url or ap_count_dirs. I will 
edit server/exports.c file because many of the undefined symbols are defined in 
this file (and as the first lines say, exports.c is an ugly hack which exports 
every function = undefined symbols)
Do you know any options or other files which would improve the shared object?

Thanks for your advice

Steven


Steven Mohr
Bachelor student
 
DLR (German Aerospace Center), 
Simulation and Software Technology
Linder Hoehe, 51147 Cologne, Germany
voice: +49 2203 601 2053
eMail: steven.mohr at dlr.de  http://www.dlr.de/sc

-----Original Message-----
From: Peter Poeml [mailto:[EMAIL PROTECTED]
Sent: Thursday, 7 August 2008 11:41
To: dev@httpd.apache.org
Subject: Re: FWD: Testing modules using Python

Hi Steven,

On Tue, Aug 05, 2008 at 10:21:01 +0200, [EMAIL PROTECTED] wrote:
> Hi,
> on [EMAIL PROTECTED] Peter gave me the advice to build apache with the
> SHARED_CORE rule. Apache 2.x does not have this rule anymore. Is there
> something comparable in Apache 2.x?
> Sorry for cross-posting but I think you are the guys who could help me.
>
> Steven

The build infrastructure doesn't seem to know this anymore - 

but does it work if you do the following?

make clean
CFLAGS='-D SHARED_CORE -fPIC' ./configure
make

and then take the line which links together the httpd binary (the
one with
libtool ... -mode=link gcc ... -o httpd ...
which is probably the last line)
and rerun it manually with a slight change:

libtool ... -mode=link gcc ... -shared -o libhttpd.so ... 
server/exports.o

This should build the shared object anyway.
But it is possible that it doesn't provide what you need. YMMV.

 
 
 
 
> -----Original Message-----
> From: Peter Poeml [mailto:[EMAIL PROTECTED]
> Sent: Monday, 4 August 2008 16:37
> To: [EMAIL PROTECTED]
> Subject: Re: Testing modules using Python
>
> On Mon, Aug 04, 2008 at 04:27:58PM +0200, [EMAIL PROTECTED] wrote:
> > Hi,
> > I want to unit test my module (catacomb.tigris.org) using Python. My
> > idea is to load the module with ctypes (a python module that allows to
> > load functions from shared libraries into python) and test it in this
> > environment. The main advantage is that it's much easier to create
> > mock-up objects in Python than in C. My problem is that ctypes fails if
> > the shared library contains any undefined symbols. Because the module is
> > used normally together with a httpd server,
> > there're a lot of undefined symbols. My solution is to link libapr,
> > libaprutil, libexpat and libmysql statically in my module and to add a
> > file with the definitions of the apache-internal functions (just copy
> > and paste from httpd source). With every function which I copy in this
> > file I get a few new undefined symbols. All in all it's a pain to search
> > all definitions and I probably have to do this again after adding new
> > features which use other functionalities.
> >
> > Is there an easier way to do this? To build a module which includes all
> > needed links to apache functions without linking the needed libraries
> > statically and copy-and-paste functions from apache source? Or do you
> > know a better way to do this?
> >
> > Steven
>
> With httpd 1.3, there used to be a way to build something what was
> called shared core, a shared object that contained the server in a
> form you could link it into an application.
>
> I don't know if this is still possible with httpd 2.x, but what I used
> in an RPM package at the time was
>
> --enable-rule=SHARED_CORE
>
> mkdir shared_core
> cp -p src/libhttpd.ep src/libhttpd.so src/httpd shared_core
 
 
# install shared-core apache

Re: SNI in 2.2.x (Re: Time for 2.2.10?)

2008-08-29 Thread Oden Eriksson
On Thursday 28 August 2008 19:45:10, Kaspar Brand wrote:
> I wrote:
> > When I added the second condition to the first if statement, I was
> > assuming that the default for auth.verify_depth is UNSET as well.
> > However, it's initialized to 1 (i.e. SSL_CVERIFY_OPTIONAL)
>
> Wrong, of course - this macro applies to verify_*mode* (not verify_depth).
>
> > Oden, if you change the line
> >
> >  (sc->server->auth.verify_depth != UNSET)) {
> > to
> >  (sc->server->auth.verify_depth != SSL_CVERIFY_OPTIONAL)) {
>
> Sorry, should consequently be changed to
>
>   (sc->server->auth.verify_depth != 1)) {
>
> Kaspar

Yes, that seems to have fixed it.

-- 
Regards // Oden Eriksson



Re: CRL verification in mod_ssl

2008-08-29 Thread Dirk-Willem van Gulik


On Aug 28, 2008, at 9:41 PM, Nicob wrote:

> Hello,
>
> I'm actually trying to setup a SSL reverse-proxy based on Apache 2.x and
> mod_ssl and it seems there's a bug in the verification of the CRL.
>
> If a CA changes its keys before expiration, the CRL is now signed by the
> new key and includes certificates issued by both the new and old keys.
> However, mod_ssl will refuse to work if the AKID of the revoked
> certificate doesn't match the issuer of the CRL.
>
> Browsing Apache archives, I found that somebody posted a patch covering
> this need (http://marc.info/?l=apache-httpd-dev&m=120350484626015), but
> the code hasn't been merged. I tested it and it works perfectly well.
>
> Does this patch seem OK to you ? If yes, is it possible to include it ?

I just tried that patch - and it also matched two of my edge cases.

But this is a bit too obscure for me to dare to commit it directly.
Could someone else with a good x509 understanding look at it ?

+1 from me - willing to do the legwork if someone else gives this a
good review as well.



Dw



Re: mod_proxy_balancer enhancements

2008-08-29 Thread Akins, Brian
On 8/28/08 8:45 PM, Jess Holle [EMAIL PROTECTED] wrote:

> Possible solutions include:
> Having an option to have a background thread ping the backends rather than
> allowing normal requests to do so.


One way to possibly do this is to have a single health checking that's in
the parent that can notify children of origin server changes.  Could just
be setting some flags in shared memory.  The health-checker could be an
external process managed like a logger as well or just forked from parent.

-- 
Brian Akins
Chief Operations Engineer
Turner Digital Media Technologies