TR of 2.4.8

2014-03-11 Thread Jim Jagielski
Looks like we are Good2Go for a TR today at noonish (eastern)


[PATCH 56152 3/4] mod_proxy: Split the NoProxy parameter parsing away

2014-03-11 Thread Lubomir Rintel
From: Lubomir Rintel lubo.rin...@gooddata.com

It is nice and could be reused by ProxyBlock.
---
 modules/proxy/mod_proxy.c | 98 +--
 1 file changed, 53 insertions(+), 45 deletions(-)

diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c
index e7c78ee..bd3bf82 100644
--- a/modules/proxy/mod_proxy.c
+++ b/modules/proxy/mod_proxy.c
@@ -1723,56 +1723,17 @@ static const char* cookie_domain(cmd_parms *cmd, void 
*dconf, const char *f,
 return NULL;
 }
 
-static const char *
-set_proxy_exclude(cmd_parms *parms, void *dummy, const char *arg)
-{
-server_rec *s = parms-server;
-proxy_server_conf *conf =
-ap_get_module_config(s-module_config, proxy_module);
-struct noproxy_entry *new;
-struct noproxy_entry *list = (struct noproxy_entry *) 
conf-noproxies-elts;
-struct apr_sockaddr_t *addr;
-int found = 0;
-int i;
-
-/* Don't duplicate entries */
-for (i = 0; i  conf-noproxies-nelts; i++) {
-if (strcasecmp(arg, list[i].name) == 0) { /* ignore case for host 
names */
-found = 1;
-break;
-}
-}
-
-if (!found) {
-new = apr_array_push(conf-noproxies);
-new-name = arg;
-if (APR_SUCCESS == apr_sockaddr_info_get(addr, new-name, APR_UNSPEC, 
0, 0, parms-pool)) {
-new-addr = addr;
-}
-else {
-new-addr = NULL;
-}
-}
-return NULL;
-}
-
-
-/* Similar to set_proxy_exclude(), but defining directly connected hosts,
- * which should never be accessed via the configured ProxyRemote servers
- */
-static const char *
-set_proxy_dirconn(cmd_parms *parms, void *dummy, const char *arg)
+/* Add an entry to a NoProxy or ProxyBlock list */
+const char *
+add_exclude_list(cmd_parms *parms, const char *arg, apr_array_header_t 
*array)
 {
-server_rec *s = parms-server;
-proxy_server_conf *conf =
-ap_get_module_config(s-module_config, proxy_module);
 struct exclude_entry *New;
-struct exclude_entry *list = (struct exclude_entry *) conf-dirconn-elts;
+struct exclude_entry *list = (struct exclude_entry *) array-elts;
 int found = 0;
 int i;
 
 /* Don't duplicate entries */
-for (i = 0; i  conf-dirconn-nelts; i++) {
+for (i = 0; i  array-nelts; i++) {
 if (strcasecmp(arg, list[i].name) == 0) {
 found = 1;
 break;
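Review bot: The new definition of `add_exclude_list` drops the `static` that `set_proxy_dirconn` had (the bare `const char *` line before `add_exclude_list(cmd_parms *parms, const char *arg, apr_array_header_t *array)`), so the module now exports an un-prefixed global symbol with no prototype in any header touched by this series; `-Wmissing-prototypes` will warn and the name can collide with another loaded module. Both callers the series adds live in mod_proxy.c, so `static const char *` keeps the original linkage; if it is meant to be shared, declare it in mod_proxy.h under the module's `PROXY_DECLARE`/`ap_proxy_` convention instead. The header comment could also say what this hunk shows: `/* Add an entry to a NoProxy or ProxyBlock list; duplicates are matched case-insensitively and arg is copied into parms->pool */`. The body of add_exclude_list continues past the end of this hunk.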
@@ -1780,7 +1741,7 @@ static const char *
 }
 
 if (!found) {
-New = apr_array_push(conf-dirconn);
+New = apr_array_push(array);
 New-name = apr_pstrdup(parms-pool, arg);
 New-hostaddr = NULL;
 
@@ -1817,6 +1778,53 @@ static const char *
 }
 
 static const char *
+set_proxy_exclude(cmd_parms *parms, void *dummy, const char *arg)
+{
+server_rec *s = parms-server;
+proxy_server_conf *conf =
+ap_get_module_config(s-module_config, proxy_module);
+struct noproxy_entry *new;
+struct noproxy_entry *list = (struct noproxy_entry *) 
conf-noproxies-elts;
+struct apr_sockaddr_t *addr;
+int found = 0;
+int i;
+
+/* Don't duplicate entries */
+for (i = 0; i  conf-noproxies-nelts; i++) {
+if (strcasecmp(arg, list[i].name) == 0) { /* ignore case for host 
names */
+found = 1;
+break;
+}
+}
+
+if (!found) {
+new = apr_array_push(conf-noproxies);
+new-name = arg;
+if (APR_SUCCESS == apr_sockaddr_info_get(addr, new-name, APR_UNSPEC, 
0, 0, parms-pool)) {
+new-addr = addr;
+}
+else {
+new-addr = NULL;
+}
+}
+return NULL;
+}
+
+
+/* Similar to set_proxy_exclude(), but defining directly connected hosts,
+ * which should never be accessed via the configured ProxyRemote servers
+ */
+static const char *
+set_proxy_dirconn(cmd_parms *parms, void *dummy, const char *arg)
+{
+server_rec *s = parms-server;
+proxy_server_conf *conf =
+ap_get_module_config(s-module_config, proxy_module);
+
+return add_exclude_list(parms, arg, conf-dirconn);
+}
+
+static const char *
 set_proxy_domain(cmd_parms *parms, void *dummy, const char *arg)
 {
 proxy_server_conf *psf =
-- 
1.8.3.1



[PATCH 56152 2/4] mod_proxy: Match resolved addresses for NoProxy too

2014-03-11 Thread Lubomir Rintel
We resolve the names during configuration parsing, so we already have the
addresses. It may be redundant for NoProxy, but the same code could be used
with ProxyBlock if it did this.
---
 modules/proxy/proxy_util.c | 8 
 1 file changed, 8 insertions(+)

diff --git a/modules/proxy/proxy_util.c b/modules/proxy/proxy_util.c
index 0081940..22b6ea1 100644
--- a/modules/proxy/proxy_util.c
+++ b/modules/proxy/proxy_util.c
@@ -699,6 +699,7 @@ static int proxy_match_domainname(struct exclude_entry 
*This, request_rec *r)
 PROXY_DECLARE(int) ap_proxy_is_hostname(struct exclude_entry *This, apr_pool_t 
*p)
 {
 struct apr_sockaddr_t *addr;
+struct in_addr *ip;
 char *host = This-name;
 int i;
 
@@ -714,6 +715,9 @@ PROXY_DECLARE(int) ap_proxy_is_hostname(struct 
exclude_entry *This, apr_pool_t *
 }
 
 This-hostaddr = addr;
+ip = (struct in_addr *) addr-ipaddr_ptr;
+This-addr.s_addr = ip-s_addr;
+This-mask.s_addr = htonl(APR_INADDR_NONE);
 
 /* Strip trailing dots */
 for (i = strlen(host) - 1; i  0  host[i] == '.'; --i) {
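Review bot: The cast `ip = (struct in_addr *) addr->ipaddr_ptr;` assumes the resolved `addr` is IPv4, but nothing in the hunk checks the family; the resolution call is outside the hunk, and if it uses APR_UNSPEC (as `set_proxy_exclude` in the companion patch does) an AAAA-only name yields a sockaddr whose `ipaddr_ptr` points at a 16-byte IPv6 address, and its first four bytes are then stored in `This->addr` as a bogus IPv4 entry with an all-ones mask. For a list that decides whether the proxy may be used for a host, a silently wrong address is a rule that never fires or fires on the wrong peer. Guard the copy with `if (addr->family == APR_INET) { ... }` and leave `This->addr`/`This->mask` untouched otherwise; it is also worth stating in a comment that only the first address returned for the name is recorded, if that is intended. The `proxy_match_ipaddr(This, r)` call added in the next hunk of this file reads these fields, so it inherits the same issue.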
@@ -736,6 +740,10 @@ static int proxy_match_hostname(struct exclude_entry 
*This, request_rec *r)
 return 0; /* oops! */
 }
 
+/* Maybe the ip address matches. */
+if (proxy_match_ipaddr(This, r))
+return 1;
+
 h2_len = strlen(host2);
 h1_len = strlen(host);
 
-- 
1.8.3.1



[PATCH 56152 1/4] mod_proxy: Rename dirconn_entry to exclude_entry

2014-03-11 Thread Lubomir Rintel
From: Lubomir Rintel lubo.rin...@gooddata.com

Currently they are used for NoProxy, but could be reused for ProxyBlock.
Rename them to something more generic.
---
 modules/proxy/mod_proxy.c  |  8 
 modules/proxy/mod_proxy.h  |  4 ++--
 modules/proxy/proxy_util.c | 24 
 modules/proxy/proxy_util.h |  8 
 4 files changed, 22 insertions(+), 22 deletions(-)

diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c
index 329e805..e7c78ee 100644
--- a/modules/proxy/mod_proxy.c
+++ b/modules/proxy/mod_proxy.c
@@ -924,7 +924,7 @@ static int proxy_handler(request_rec *r)
 proxy_balancer *balancer = NULL;
 proxy_worker *worker = NULL;
 int attempts = 0, max_attempts = 0;
-struct dirconn_entry *list = (struct dirconn_entry *)conf-dirconn-elts;
+struct exclude_entry *list = (struct exclude_entry *)conf-dirconn-elts;
 
 /* is this for us? */
 if (!r-proxyreq || !r-filename || strncmp(r-filename, proxy:, 6) != 0)
@@ -1203,7 +1203,7 @@ static void * create_proxy_config(apr_pool_t *p, 
server_rec *s)
 ps-proxies = apr_array_make(p, 10, sizeof(struct proxy_remote));
 ps-aliases = apr_array_make(p, 10, sizeof(struct proxy_alias));
 ps-noproxies = apr_array_make(p, 10, sizeof(struct noproxy_entry));
-ps-dirconn = apr_array_make(p, 10, sizeof(struct dirconn_entry));
+ps-dirconn = apr_array_make(p, 10, sizeof(struct exclude_entry));
 ps-workers = apr_array_make(p, 10, sizeof(proxy_worker));
 ps-balancers = apr_array_make(p, 10, sizeof(proxy_balancer));
 ps-forward = NULL;
@@ -1766,8 +1766,8 @@ static const char *
 server_rec *s = parms-server;
 proxy_server_conf *conf =
 ap_get_module_config(s-module_config, proxy_module);
-struct dirconn_entry *New;
-struct dirconn_entry *list = (struct dirconn_entry *) conf-dirconn-elts;
+struct exclude_entry *New;
+struct exclude_entry *list = (struct exclude_entry *) conf-dirconn-elts;
 int found = 0;
 int i;
 
diff --git a/modules/proxy/mod_proxy.h b/modules/proxy/mod_proxy.h
index b99ee17..392c4d0 100644
--- a/modules/proxy/mod_proxy.h
+++ b/modules/proxy/mod_proxy.h
@@ -115,11 +115,11 @@ struct proxy_alias {
 proxy_balancer *balancer; /* only valid for reverse-proxys */
 };
 
-struct dirconn_entry {
+struct exclude_entry {
 char *name;
 struct in_addr addr, mask;
 struct apr_sockaddr_t *hostaddr;
-int (*matcher) (struct dirconn_entry * This, request_rec *r);
+int (*matcher) (struct exclude_entry * This, request_rec *r);
 };
 
 struct noproxy_entry {
diff --git a/modules/proxy/proxy_util.c b/modules/proxy/proxy_util.c
index 6017b82..0081940 100644
--- a/modules/proxy/proxy_util.c
+++ b/modules/proxy/proxy_util.c
@@ -79,10 +79,10 @@ const apr_strmatch_pattern PROXY_DECLARE_DATA 
*ap_proxy_strmatch_domain;
 
 extern apr_global_mutex_t *proxy_mutex;
 
-static int proxy_match_ipaddr(struct dirconn_entry *This, request_rec *r);
-static int proxy_match_domainname(struct dirconn_entry *This, request_rec *r);
-static int proxy_match_hostname(struct dirconn_entry *This, request_rec *r);
-static int proxy_match_word(struct dirconn_entry *This, request_rec *r);
+static int proxy_match_ipaddr(struct exclude_entry *This, request_rec *r);
+static int proxy_match_domainname(struct exclude_entry *This, request_rec *r);
+static int proxy_match_hostname(struct exclude_entry *This, request_rec *r);
+static int proxy_match_word(struct exclude_entry *This, request_rec *r);
 
 APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(proxy, PROXY, int, create_req,
(request_rec *r, request_rec *pr), (r, pr),
@@ -426,7 +426,7 @@ static const char *
 }
 
 /* Return TRUE if addr represents an IP address (or an IP network address) */
-PROXY_DECLARE(int) ap_proxy_is_ipaddr(struct dirconn_entry *This, apr_pool_t 
*p)
+PROXY_DECLARE(int) ap_proxy_is_ipaddr(struct exclude_entry *This, apr_pool_t 
*p)
 {
 const char *addr = This-name;
 long ip_addr[4];
@@ -547,7 +547,7 @@ PROXY_DECLARE(int) ap_proxy_is_ipaddr(struct dirconn_entry 
*This, apr_pool_t *p)
 }
 
 /* Return TRUE if addr represents an IP address (or an IP network address) */
-static int proxy_match_ipaddr(struct dirconn_entry *This, request_rec *r)
+static int proxy_match_ipaddr(struct exclude_entry *This, request_rec *r)
 {
 int i, ip_addr[4];
 struct in_addr addr, *ip;
@@ -635,7 +635,7 @@ static int proxy_match_ipaddr(struct dirconn_entry *This, 
request_rec *r)
 }
 
 /* Return TRUE if addr represents a domain name */
-PROXY_DECLARE(int) ap_proxy_is_domainname(struct dirconn_entry *This, 
apr_pool_t *p)
+PROXY_DECLARE(int) ap_proxy_is_domainname(struct exclude_entry *This, 
apr_pool_t *p)
 {
 char *addr = This-name;
 int i;
@@ -672,7 +672,7 @@ PROXY_DECLARE(int) ap_proxy_is_domainname(struct 
dirconn_entry *This, apr_pool_t
 }
 
 /* Return TRUE if host host is in domain domain */
-static int proxy_match_domainname(struct dirconn_entry *This, 

[PATCH 56152 4/4] mod_proxy: Share NoProxy parameter parsing and evaluation with ProxyBlock

2014-03-11 Thread Lubomir Rintel
From: Lubomir Rintel lubo.rin...@gooddata.com

They do the same task now, so we can remove some duplicate code. They do the
same thing except that ProxyBlock does certain things better -- they support
masked network addresses, thus we can now block subnets.
---
 docs/manual/mod/mod_proxy.xml | 14 +++---
 modules/proxy/mod_proxy.c | 27 ++-
 modules/proxy/mod_proxy.h |  5 -
 modules/proxy/proxy_util.c| 35 ++-
 4 files changed, 11 insertions(+), 70 deletions(-)

diff --git a/docs/manual/mod/mod_proxy.xml b/docs/manual/mod/mod_proxy.xml
index d0adb3a..38bedee 100644
--- a/docs/manual/mod/mod_proxy.xml
+++ b/docs/manual/mod/mod_proxy.xml
@@ -1509,8 +1509,8 @@ will rewrite a cookie with backend path code//code (or
 usage
 pThe directiveProxyBlock/directive directive can be used to
 block FTP or HTTP access to certain hosts via the proxy, based on
-a full or partial hostname match, or, if applicable, an IP address
-comparison./p
+a host name or a domain name match, or, if applicable, an IP host or
+network address comparison./p
 
 pEach of the arguments to the directiveProxyBlock/directive
 directive can be either code*/code or a alphanumeric string.
@@ -1522,11 +1522,11 @@ will rewrite a cookie with backend path code//code 
(or
 modulemod_proxy/module will deny access to all FTP or HTTP
 sites./p
 
-pOtherwise, for any request for an HTTP or FTP resource via the
-proxy, modulemod_proxy/module will check the hostname of the
-request URI against each specified string.  If a partial string
-match is found, access is denied.  If no matches against hostnames
-are found, and a remote (forward) proxy is configured using
+pOtherwise, the matching same as one used with
+directiveNoProxy/directive is conducted to check the hostname of
+the request URI against each specified string.  If a match is found,
+access is denied.  If no matches against hostnames are found, and a
+remote (forward) proxy is configured using
 directiveProxyRemote/directive or
 directiveProxyRemoteMatch/directive, access is allowed.  If no
 remote (forward) proxy is configured, the IP address of the
diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c
index bd3bf82..707067c 100644
--- a/modules/proxy/mod_proxy.c
+++ b/modules/proxy/mod_proxy.c
@@ -1202,7 +1202,7 @@ static void * create_proxy_config(apr_pool_t *p, 
server_rec *s)
 ps-sec_proxy = apr_array_make(p, 10, sizeof(ap_conf_vector_t *));
 ps-proxies = apr_array_make(p, 10, sizeof(struct proxy_remote));
 ps-aliases = apr_array_make(p, 10, sizeof(struct proxy_alias));
-ps-noproxies = apr_array_make(p, 10, sizeof(struct noproxy_entry));
+ps-noproxies = apr_array_make(p, 10, sizeof(struct exclude_entry));
 ps-dirconn = apr_array_make(p, 10, sizeof(struct exclude_entry));
 ps-workers = apr_array_make(p, 10, sizeof(proxy_worker));
 ps-balancers = apr_array_make(p, 10, sizeof(proxy_balancer));
@@ -1783,31 +1783,8 @@ static const char *
 server_rec *s = parms-server;
 proxy_server_conf *conf =
 ap_get_module_config(s-module_config, proxy_module);
-struct noproxy_entry *new;
-struct noproxy_entry *list = (struct noproxy_entry *) 
conf-noproxies-elts;
-struct apr_sockaddr_t *addr;
-int found = 0;
-int i;
 
-/* Don't duplicate entries */
-for (i = 0; i  conf-noproxies-nelts; i++) {
-if (strcasecmp(arg, list[i].name) == 0) { /* ignore case for host 
names */
-found = 1;
-break;
-}
-}
-
-if (!found) {
-new = apr_array_push(conf-noproxies);
-new-name = arg;
-if (APR_SUCCESS == apr_sockaddr_info_get(addr, new-name, APR_UNSPEC, 
0, 0, parms-pool)) {
-new-addr = addr;
-}
-else {
-new-addr = NULL;
-}
-}
-return NULL;
+return add_exclude_list(parms, arg, conf-noproxies);
 }
 
 
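Review bot: Routing ProxyBlock through `add_exclude_list` changes how an existing deny rule matches, and the code that evaluates `conf->noproxies` is not in this hunk. The removed docs text above described a partial-string comparison, while add_exclude_list (from 3/4) presumably classifies each entry with the NoProxy matchers, so an argument that parses as a host name would move from substring to exact host/domain/address matching and a configured `ProxyBlock example.com` may stop covering `www.example.com` after an upgrade. Because ProxyBlock is a deny list, a narrower match is a fail-open change; please say so in the docs or changelog, or keep the substring fallback for entries that previously matched that way. The enclosing `set_proxy_exclude` starts outside this hunk.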
diff --git a/modules/proxy/mod_proxy.h b/modules/proxy/mod_proxy.h
index 392c4d0..1ffb9ce 100644
--- a/modules/proxy/mod_proxy.h
+++ b/modules/proxy/mod_proxy.h
@@ -122,11 +122,6 @@ struct exclude_entry {
 int (*matcher) (struct exclude_entry * This, request_rec *r);
 };
 
-struct noproxy_entry {
-const char *name;
-struct apr_sockaddr_t *addr;
-};
-
 typedef struct {
 apr_array_header_t *proxies;
 apr_array_header_t *sec_proxy;
diff --git a/modules/proxy/proxy_util.c b/modules/proxy/proxy_util.c
index 22b6ea1..bdb01ca 100644
--- a/modules/proxy/proxy_util.c
+++ b/modules/proxy/proxy_util.c
@@ -783,8 +783,6 @@ static int proxy_match_word(struct exclude_entry *This, 
request_rec *r)
 return host != NULL  ap_strstr_c(host, This-name) != NULL;
 }
 
-#define MAX_IP_STR_LEN (46)
-
 PROXY_DECLARE(int) ap_proxy_checkproxyblock(request_rec *r, proxy_server_conf 
*conf,
 const char *hostname, 

[PATCH 56152 0/4] mod_proxy: Add support for network addresses to NoProxy

2014-03-11 Thread Lubomir Rintel
Hi,

I opened a ticket [1] with the patches (chained to this message), but got virtually
no response, so I assume it might be a better idea to discuss them on the list.

[1] https://issues.apache.org/bugzilla/show_bug.cgi?id=56152

I'd be very thankful for a review and eventual merge.

Thank you!
Lubo



[PATCH 55178 2/2] mod_authn_ldap: Allow specifying SASL interaction

2014-03-11 Thread Lubomir Rintel
From: Lubomir Rintel lubo.rin...@gooddata.com

---
 docs/manual/mod/mod_authnz_ldap.xml   | 28 +++
 docs/manual/style/scripts/prettify.js |  2 +-
 include/util_ldap.h   |  4 ++-
 modules/aaa/mod_authnz_ldap.c | 16 +++--
 modules/ldap/util_ldap.c  | 67 +--
 5 files changed, 102 insertions(+), 15 deletions(-)

diff --git a/docs/manual/mod/mod_authnz_ldap.xml 
b/docs/manual/mod/mod_authnz_ldap.xml
index 1a99079..264b447 100644
--- a/docs/manual/mod/mod_authnz_ldap.xml
+++ b/docs/manual/mod/mod_authnz_ldap.xml
@@ -191,6 +191,14 @@ for HTTP Basic authentication./description
 tdAn optional SASL mechanism to use for bind
 with during the search phase./td
   /tr
+
+  tr
+tddirective
+module=mod_authnz_ldapAuthLDAPBindSASLInteract/directive/td
+
+tdAn optional command to run when SASL
+requests interaction to obtain credentials./td
+  /tr
 /table
 /section
 
@@ -973,6 +981,26 @@ AuthLDAPBindSASLMech GSSAPI
 /directivesynopsis
 
 directivesynopsis
+nameAuthLDAPBindSASLInteract/name
+descriptionOptional command to run when SASL requests interaction to obtain 
credentials/description
+syntaxAuthLDAPBindSASLInteract emcommand/em/syntax
+contextlistcontextdirectory/contextcontext.htaccess/context
+/contextlist
+overrideAuthConfig/override
+
+usage
+pAn optional command to run when SASL
+requests interaction to obtain credentials./p
+
+examplepre
+#Initialize Kerberos Credentials Cache using a key from a keytab for given 
principal
+AuthLDAPBindSASLInteract /usr/bin/kinit -k -t /etc/httpd/conf/krb5.keytab 
host/example.com
+/pre/example
+
+/usage
+/directivesynopsis
+
+directivesynopsis
 nameAuthLDAPCharsetConfig/name
 descriptionLanguage to charset conversion configuration file/description
 syntaxAuthLDAPCharsetConfig emfile-path/em/syntax
diff --git a/docs/manual/style/scripts/prettify.js 
b/docs/manual/style/scripts/prettify.js
index f1ab2e6..5777258 100644
--- a/docs/manual/style/scripts/prettify.js
+++ b/docs/manual/style/scripts/prettify.js
@@ -132,7 +132,7 @@ var prettyPrint;
   var SH_KEYWORDS = [FLOW_CONTROL_KEYWORDS, case,done,elif,esac,eval,fi, +
   function,in,local,set,then,until,echo];
   var CONFIG_ENVS = 
[User-Agent,HTTP_USER_AGENT,HTTP_REFERER,HTTP_COOKIE,HTTP_FORWARDED,HTTP_HOST,HTTP_PROXY_CONNECTION,HTTP_ACCEPT,REMOTE_ADDR,REMOTE_HOST,REMOTE_PORT,REMOTE_USER,REMOTE_IDENT,REQUEST_METHOD,SCRIPT_FILENAME,PATH_INFO,QUERY_STRING,AUTH_TYPE,DOCUMENT_ROOT,SERVER_ADMIN,SERVER_NAME,SERVER_ADDR,SERVER_PORT,SERVER_PROTOCOL,SERVER_SOFTWARE,TIME_YEAR,TIME_MON,TIME_DAY,TIME_HOUR,TIME_MIN,TIME_SEC,TIME_WDAY,TIME,API_VERSION,THE_REQUEST,REQUEST_URI,REQUEST_FILENAME,IS_SUBREQ,HTTPS,REQUEST_SCHEME];
-  var CONFIG_KEYWORDS = 
[Macro,UndefMacro,Use,AuthLDAPURL,AcceptFilter,AcceptPathInfo,AccessFileName,Action,AddAlt,AddAltByEncoding,AddAltByType,AddCharset,AddDefaultCharset,AddDescription,AddEncoding,AddHandler,AddIcon,AddIconByEncoding,AddIconByType,AddInputFilter,AddLanguage,AddModuleInfo,AddOutputFilter,AddOutputFilterByType,AddType,Alias,AliasMatch,Allow,AllowCONNECT,AllowEncodedSlashes,AllowMethods,AllowOverride,AllowOverrideList,Anonymous,Anonymous_LogEmail,Anonymous_MustGiveEmail,Anonymous_NoUserID,Anonymous_VerifyEmail,AsyncRequestWorkerFactor,AuthBasicAuthoritative,AuthBasicProvider,AuthDBDUserPWQuery,AuthDBDUserRealmQuery,AuthDBMGroupFile,AuthDBMType,AuthDBMUserFile,AuthDigestAlgorithm,AuthDigestDomain,AuthDigestNcCheck,AuthDigestNonceFormat,AuthDigestNonceLifetime,AuthDigestProvider,AuthDigestQop,AuthDigestShmemSize,AuthFormAuthoritative,AuthFormBody,AuthFormDisableNoStore,AuthFormFakeBasicAuth,AuthFormLocation,AuthFormLoginRequiredLocation,AuthFormLoginSuccessLocation,
 
AuthFormLogoutLocation,AuthFormMethod,AuthFormMimetype,AuthFormPassword,AuthFormProvider,AuthFormSitePassphrase,AuthFormSize,AuthFormUsername,AuthGroupFile,AuthLDAPAuthorizePrefix,AuthLDAPBindAuthoritative,AuthLDAPBindDN,AuthLDAPBindPassword,AuthLDAPBindSASLMech,AuthLDAPCharsetConfig,AuthLDAPCompareAsUser,AuthLDAPCompareDNOnServer,AuthLDAPDereferenceAliases,AuthLDAPGroupAttribute,AuthLDAPGroupAttributeIsDN,AuthLDAPInitialBindAsUser,AuthLDAPInitialBindPattern,AuthLDAPMaxSubGroupDepth,AuthLDAPRemoteUserAttribute,AuthLDAPRemoteUserIsDN,AuthLDAPSearchAsUser,AuthLDAPSubGroupAttribute,AuthLDAPSubGroupClass,AuthLDAPUrl,AuthMerging,AuthName,AuthnCacheContext,AuthnCacheEnable,AuthnCacheProvideFor,AuthnCacheSOCache,AuthnCacheTimeout,AuthnProviderAlias,AuthType,AuthUserFile,AuthzDBDLoginToReferer,AuthzDBDQuery,AuthzDBDRedirectQuery,AuthzDBMType,AuthzProviderAlias,AuthzSendForbiddenOnFailure,BalancerGrowth,BalancerMember,BrowserMatch,BrowserMatchNoCase,BufferedLogs,BufferSize,CacheDefaultEx
 

[PATCH 55178 1/2] mod_authn_ldap: Allow authentication with SASL

2014-03-11 Thread Lubomir Rintel
From: Lubomir Rintel lubo.rin...@gooddata.com

---
 docs/manual/mod/mod_authnz_ldap.xml   | 34 -
 docs/manual/style/scripts/prettify.js |  2 +-
 include/util_ldap.h   |  5 +-
 modules/aaa/mod_authnz_ldap.c | 14 +-
 modules/ldap/util_ldap.c  | 94 +++
 5 files changed, 111 insertions(+), 38 deletions(-)

diff --git a/docs/manual/mod/mod_authnz_ldap.xml 
b/docs/manual/mod/mod_authnz_ldap.xml
index de59a0b..1a99079 100644
--- a/docs/manual/mod/mod_authnz_ldap.xml
+++ b/docs/manual/mod/mod_authnz_ldap.xml
@@ -183,6 +183,14 @@ for HTTP Basic authentication./description
 tdAn optional password to bind
 with during the search phase./td
   /tr
+
+  tr
+tddirective
+module=mod_authnz_ldapAuthLDAPBindSASLMech/directive/td
+
+tdAn optional SASL mechanism to use for bind
+with during the search phase./td
+  /tr
 /table
 /section
 
@@ -903,8 +911,8 @@ to perform a DN lookup/description
 
 usage
 pAn optional DN used to bind to the server when searching for
-entries. If not provided, modulemod_authnz_ldap/module will use
-an anonymous bind./p
+entries. If not provided, and simple bind (not SASL) is used,
+modulemod_authnz_ldap/module will use an anonymous bind./p
 /usage
 /directivesynopsis
 
@@ -943,6 +951,28 @@ AuthLDAPBindPassword exec:/path/to/otherProgram argument1
 /directivesynopsis
 
 directivesynopsis
+nameAuthLDAPBindSASLMech/name
+descriptionOptional SASL mechanism to use in binding to the LDAP 
server/description
+syntaxAuthLDAPBindSASLMech emsasl-mech/em/syntax
+contextlistcontextdirectory/contextcontext.htaccess/context
+/contextlist
+overrideAuthConfig/override
+
+usage
+pAn optional SASL mechanism used to bind to the server when
+searching for entries. Multiple mechanisms can be used,
+separated with commas. If not provided,
+modulemod_authnz_ldap/module will use simple bind./p
+
+examplepre
+#Authenticate with Kerberos GSSAPI
+AuthLDAPBindSASLMech GSSAPI
+/pre/example
+
+/usage
+/directivesynopsis
+
+directivesynopsis
 nameAuthLDAPCharsetConfig/name
 descriptionLanguage to charset conversion configuration file/description
 syntaxAuthLDAPCharsetConfig emfile-path/em/syntax
diff --git a/docs/manual/style/scripts/prettify.js 
b/docs/manual/style/scripts/prettify.js
index 2fa959a..f1ab2e6 100644
--- a/docs/manual/style/scripts/prettify.js
+++ b/docs/manual/style/scripts/prettify.js
@@ -132,7 +132,7 @@ var prettyPrint;
   var SH_KEYWORDS = [FLOW_CONTROL_KEYWORDS, case,done,elif,esac,eval,fi, +
   function,in,local,set,then,until,echo];
   var CONFIG_ENVS = 
[User-Agent,HTTP_USER_AGENT,HTTP_REFERER,HTTP_COOKIE,HTTP_FORWARDED,HTTP_HOST,HTTP_PROXY_CONNECTION,HTTP_ACCEPT,REMOTE_ADDR,REMOTE_HOST,REMOTE_PORT,REMOTE_USER,REMOTE_IDENT,REQUEST_METHOD,SCRIPT_FILENAME,PATH_INFO,QUERY_STRING,AUTH_TYPE,DOCUMENT_ROOT,SERVER_ADMIN,SERVER_NAME,SERVER_ADDR,SERVER_PORT,SERVER_PROTOCOL,SERVER_SOFTWARE,TIME_YEAR,TIME_MON,TIME_DAY,TIME_HOUR,TIME_MIN,TIME_SEC,TIME_WDAY,TIME,API_VERSION,THE_REQUEST,REQUEST_URI,REQUEST_FILENAME,IS_SUBREQ,HTTPS,REQUEST_SCHEME];
-  var CONFIG_KEYWORDS = 
[Macro,UndefMacro,Use,AuthLDAPURL,AcceptFilter,AcceptPathInfo,AccessFileName,Action,AddAlt,AddAltByEncoding,AddAltByType,AddCharset,AddDefaultCharset,AddDescription,AddEncoding,AddHandler,AddIcon,AddIconByEncoding,AddIconByType,AddInputFilter,AddLanguage,AddModuleInfo,AddOutputFilter,AddOutputFilterByType,AddType,Alias,AliasMatch,Allow,AllowCONNECT,AllowEncodedSlashes,AllowMethods,AllowOverride,AllowOverrideList,Anonymous,Anonymous_LogEmail,Anonymous_MustGiveEmail,Anonymous_NoUserID,Anonymous_VerifyEmail,AsyncRequestWorkerFactor,AuthBasicAuthoritative,AuthBasicProvider,AuthDBDUserPWQuery,AuthDBDUserRealmQuery,AuthDBMGroupFile,AuthDBMType,AuthDBMUserFile,AuthDigestAlgorithm,AuthDigestDomain,AuthDigestNcCheck,AuthDigestNonceFormat,AuthDigestNonceLifetime,AuthDigestProvider,AuthDigestQop,AuthDigestShmemSize,AuthFormAuthoritative,AuthFormBody,AuthFormDisableNoStore,AuthFormFakeBasicAuth,AuthFormLocation,AuthFormLoginRequiredLocation,AuthFormLoginSuccessLocation,
 

[PATCH 55178 0/2] mod_authn_ldap: SASL support

2014-03-11 Thread Lubomir Rintel
Hi,

I've submitted a patch set [1] adding SASL support to mod_authn_ldap a while 
ago, but the ticket got no feedback. I'd be very thankful for a review and 
merge.

[1] https://issues.apache.org/bugzilla/show_bug.cgi?id=55178

Thank you!
Lubo



[PATCH 51648 apreq2] Remove redundant Apache2::Cookie::httpcookie documentation

2014-03-11 Thread Lubomir Rintel
---
Hi,

please review and merge this. It seems to be an easy fix, but the ticket [1]
seemingly generated no useful attention.

[1] https://issues.apache.org/bugzilla/show_bug.cgi?id=51648

Thank you,
Lubo


 glue/perl/lib/Apache2/Cookie.pm | 14 --
 1 file changed, 14 deletions(-)

diff --git a/glue/perl/lib/Apache2/Cookie.pm b/glue/perl/lib/Apache2/Cookie.pm
index 715ab14..d6a5b31 100644
--- a/glue/perl/lib/Apache2/Cookie.pm
+++ b/glue/perl/lib/Apache2/Cookie.pm
@@ -450,20 +450,6 @@ Get or set the HttpOnly flag for the cookie:
 
 
 
-=head2 httponly
-
-$cookie-httponly()
-$cookie-httponly($set)
-
-Get or set the HttpOnly flag for the cookie:
-
-$cookie-httponly(1);
-$is_HttpOnly = $cookie-httponly;
-$cookie-httponly(0);
-
-
-
-
 =head2 comment
 
 $cookie-comment()
-- 
1.8.3.1



[VOTE] Release Apache httpd 2.4.8 as GA

2014-03-11 Thread Jim Jagielski
The pre-release test tarballs for Apache httpd 2.4.8 can be found
at the usual place:

http://httpd.apache.org/dev/dist/

I'm calling a VOTE on releasing these as Apache httpd 2.4.8 GA.

[ ] +1: Good to go
[ ] +0: meh
[ ] -1: Danger Will Robinson. And why.

Vote will last the normal 72 hrs.

NOTE: The *-deps are only there for convenience.


Re: Tagging 2.2.27 tag Friday Feb 28th.

2014-03-11 Thread William A. Rowe Jr.
On Thu, 20 Feb 2014 02:42:46 -0600
William A. Rowe Jr. wr...@rowe-clan.net wrote:

 With no objection, I will tag and roll 2.2 branch for release a week
 from Friday, with the intent to announce both the proper 2.4 'current'
 and the 2.2 'legacy' at the same time in tandem with Jim's efforts.

To celebrate 2.4.8's tag I'll be tagging today, at last.  There is one
patch in STATUS that corresponds to a 2.4.8 fix in mod_log_config, if
that can get one more vote.  Flurry of backport commits starts shortly.

I'm considering Yann's additional proxy SNI fail-reuse patch as well,
but as it didn't make 2.4.8 I would prefer to keep 2.2.27 in sync, and
apply to both trees if appropriate, once both are tagged.


Re: [VOTE] Release Apache httpd 2.4.8 as GA

2014-03-11 Thread Rainer Jung
On 11.03.2014 17:34, Jim Jagielski wrote:
 The pre-release test tarballs for Apache httpd 2.4.8 can be found
 at the usual place:
 
   http://httpd.apache.org/dev/dist/
 
 I'm calling a VOTE on releasing these as Apache httpd 2.4.8 GA.
 
 [ ] +1: Good to go
 [ ] +0: meh
 [ ] -1: Danger Will Robinson. And why.
 
 Vote will last the normal 72 hrs.
 
 NOTE: The *-deps are only there for convenience.

I get a segfault during startup init on www.apache.org when using SSL.
This didn't happen for r1570851. Candidate is r1573360.

That server currently uses OpenSSL 1.0.1e.

GDB:

Program terminated with signal 11, Segmentation fault.
#0  0x00010287a19a in ssl_set_cert_masks () from
/usr/local/lib/libssl.so.8
(gdb) bt full
#0  0x00010287a19a in ssl_set_cert_masks () from
/usr/local/lib/libssl.so.8
No symbol table info available.
#1  0x00010287a6f6 in ssl_get_server_send_pkey () from
/usr/local/lib/libssl.so.8
No symbol table info available.
#2  0x00010287a7a9 in ssl_get_server_send_cert () from
/usr/local/lib/libssl.so.8
No symbol table info available.
#3  0x000102616d2a in ssl_init_server_certs (pphrases=0x10226ab58,
mctx=0x10227d938, ptemp=optimized out, p=optimized out, s=optimized
out) at ssl_engine_init.c:959
No locals.
#4  ssl_init_server_ctx (pphrases=optimized out, sc=optimized out,
ptemp=optimized out, p=optimized out, s=optimized out) at
ssl_engine_init.c:1287
No locals.
#5  ssl_init_ConfigureServer (s=0x102277350, p=0x102023028,
ptemp=0x102051028, sc=0x10227d7d8, pphrases=optimized out) at
ssl_engine_init.c:1378
rv = optimized out
#6  0x000102617cfc in ssl_init_Module (p=0x102023028,
plog=optimized out, ptemp=0x102051028, base_server=0x10204dbe8) at
ssl_engine_init.c:228
mc = optimized out
sc = optimized out
s = 0x102277350
rv = 0
pphrases = 0x10226ab58
#7  0x0044965c in ap_run_post_config (pconf=0x102023028,
plog=0x10204f028, ptemp=0x102051028, s=0x10204dbe8) at config.c:103
n = 4
rv = optimized out
#8  0x0042afd7 in main (argc=9, argv=0x7fffd8c0) at main.c:696
c = 68 'D'
showcompile = 0
showdirectives = 0
confname = 0x7fffdbb7 /.../conf/httpd.conf
def_server_root = 0x4655c0 /...
temp_error_log = 0x0
error = optimized out
process = 0x102021118
pconf = 0x102023028
plog = 0x10204f028
ptemp = 0x102051028
pcommands = 0x102045028
opt = 0x102045118
rv = optimized out
opt_arg = 0x7fffdbfa SSL

...

#3  0x000102616d2a in ssl_init_server_certs (pphrases=0x10226ab58,
mctx=0x10227d938, ptemp=optimized out, p=optimized out, s=optimized
out) at ssl_engine_init.c:959
959 if (!(ssl = SSL_new(mctx->ssl_ctx)) ||

(gdb) print *pphrases
$1 = {pool = 0x102051028, elt_size = 8, nelts = 0, nalloc = 2, elts =
0x10226ab78 }

(gdb) print *mctx
$2 = {sc = 0x10227d7d8, ssl_ctx = 0x102185600, pks = 0x10227da20, pkp =
0x0, ticket_key = 0x10227dab0, protocol = 6, pphrase_dialog_type =
SSL_PPTYPE_BUILTIN,
  pphrase_dialog_path = 0x0, cert_chain = 0x1022784c0 /crt,
crl_path = 0x0, crl_file = 0x0,
  crl_check_mode = SSL_CRLCHECK_UNSET, stapling_enabled = 0,
stapling_resptime_skew = -1, stapling_resp_maxage = -1,
stapling_cache_timeout = -1,
  stapling_return_errors = 4294967295, stapling_fake_trylater =
4294967295, stapling_errcache_timeout = -1, stapling_responder_timeout =
-1, stapling_force_url = 0x0,
  srp_vfile = 0x0, srp_unknown_user_seed = 0x0, srp_vbase = 0x0, auth =
{ca_cert_path = 0x0, ca_cert_file = 0x0,
cipher_suite = 0x102108d18 ..., verify_depth = 1, verify_mode =
SSL_CVERIFY_NONE},
  ocsp_enabled = 0, ocsp_force_default = 0, ocsp_responder = 0x0,
ocsp_resptime_skew = -1, ocsp_resp_maxage = -1, ocsp_responder_timeout = -1}

Config structure is roughly:

VirtualHost _default_:443
ServerName ...
DocumentRoot ...
SSLEngine on
SSLCACertificateFile pem
SSLCertificateFile crt
SSLCertificateKeyFile key
SSLCertificateChainFile pem
/VirtualHost

VirtualHost *:443
   SSLEngine on
   SSLCertificateFile crt
   SSLCertificateKeyFile key
   SSLCertificateChainFile crt

   DocumentRoot ...
   ServerName ...
   ServerAlias ...
   UseCanonicalName On

   non-ssl config items
/VirtualHost

VirtualHost *:443
   ServerName ...
   UseCanonicalName Off
   VirtualDocumentRoot ...
   VirtualScriptAlias ...
   ServerAlias ...

   SSLEngine on
   SSLCertificateFile crt
   SSLCertificateKeyFile key
   SSLCertificateChainFile crt

   non-ssl config items
/VirtualHost

The certificates etc. in the three blocks are three different ones.

I'll have a look what I can find out, just an early heads-up.

Regards,

Rainer


Re: [VOTE] Release Apache httpd 2.4.8 as GA

2014-03-11 Thread Dr Stephen Henson
On 11/03/2014 20:29, Rainer Jung wrote:
 On 11.03.2014 17:34, Jim Jagielski wrote:
 The pre-release test tarballs for Apache httpd 2.4.8 can be found
 at the usual place:

  http://httpd.apache.org/dev/dist/

 I'm calling a VOTE on releasing these as Apache httpd 2.4.8 GA.

 [ ] +1: Good to go
 [ ] +0: meh
 [ ] -1: Danger Will Robinson. And why.

 Vote will last the normal 72 hrs.

 NOTE: The *-deps are only there for convenience.
 
 I get a segfault during startup init on www.apache.org when using SSL.
 This didn't happen for r1570851. Candidate is r1573360.
 
 That server currently uses OpenSSL 1.0.1e.
 
 GDB:
 
 Program terminated with signal 11, Segmentation fault.
 #0  0x00010287a19a in ssl_set_cert_masks () from
 /usr/local/lib/libssl.so.8
 (gdb) bt full
 #0  0x00010287a19a in ssl_set_cert_masks () from
 /usr/local/lib/libssl.so.8
 No symbol table info available.
 #1  0x00010287a6f6 in ssl_get_server_send_pkey () from
 /usr/local/lib/libssl.so.8

Could be a known issue in OpenSSL 1.0.1e which is fixed in 1.0.1f.

Steve.
-- 
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
shen...@opensslfoundation.com


Re: [VOTE] Release Apache httpd 2.4.8 as GA

2014-03-11 Thread Rainer Jung
On 11.03.2014 21:41, Dr Stephen Henson wrote:
 On 11/03/2014 20:29, Rainer Jung wrote:
 On 11.03.2014 17:34, Jim Jagielski wrote:
 The pre-release test tarballs for Apache httpd 2.4.8 can be found
 at the usual place:

 http://httpd.apache.org/dev/dist/

 I'm calling a VOTE on releasing these as Apache httpd 2.4.8 GA.

 [ ] +1: Good to go
 [ ] +0: meh
 [ ] -1: Danger Will Robinson. And why.

 Vote will last the normal 72 hrs.

 NOTE: The *-deps are only there for convenience.

 I get a segfault during startup init on www.apache.org when using SSL.
 This didn't happen for r1570851. Candidate is r1573360.

 That server currently uses OpenSSL 1.0.1e.

 GDB:

 Program terminated with signal 11, Segmentation fault.
 #0  0x00010287a19a in ssl_set_cert_masks () from
 /usr/local/lib/libssl.so.8
 (gdb) bt full
 #0  0x00010287a19a in ssl_set_cert_masks () from
 /usr/local/lib/libssl.so.8
 No symbol table info available.
 #1  0x00010287a6f6 in ssl_get_server_send_pkey () from
 /usr/local/lib/libssl.so.8
 
 Could be a known issue in OpenSSL 1.0.1e which is fixed in 1.0.1f.

Thanks Steve. Will try, actually was on my way to update when I noticed
there was not yet a BSD port for 1.0.1f. Will try nevertheless.

Regards,

Rainer



Re: svn commit: r1576504 - /httpd/httpd/branches/2.4.x/STATUS

2014-03-11 Thread Yann Ylavic
Probably 2.4.8/STATUS should be fixed too.

On Tue, Mar 11, 2014 at 10:10 PM,  yla...@apache.org wrote:
 Author: ylavic
 Date: Tue Mar 11 21:10:01 2014
 New Revision: 1576504

 URL: http://svn.apache.org/r1576504
 Log:
 Fix 2.4.8 release year.

 Modified:
 httpd/httpd/branches/2.4.x/STATUS

 Modified: httpd/httpd/branches/2.4.x/STATUS
 URL: 
 http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?rev=1576504r1=1576503r2=1576504view=diff
 ==
 --- httpd/httpd/branches/2.4.x/STATUS (original)
 +++ httpd/httpd/branches/2.4.x/STATUS Tue Mar 11 21:10:01 2014
 @@ -33,7 +33,7 @@ Release history:
while x.{even}.z versions are Stable/GA releases.]

  2.4.9   : In development.
 -2.4.8   : Tagged on March 11, 2013.
 +2.4.8   : Tagged on March 11, 2014.
  2.4.7   : Tagged on November 19, 2013. Released on Nov 25, 2013
  2.4.6   : Tagged on July 15, 2013. Released July, 22, 2013
  2.4.5   : Tagged on July 11, 2013, not released.




Re: [VOTE] Release Apache httpd 2.4.8 as GA

2014-03-11 Thread Steffen

Builds  fine on  VC11 Win32, other flavors I try tomorrow

Till now it runs fine, but get the following (run OpenSSL 1.0.1f):

AH02559: The SSLCertificateChainFile directive 
(D:/servers/apacheS/conf/extra/httpd-ssl.conf:55) is deprecated, 
SSLCertificateFile should be used instead


It is mentioned in the change log. Following the instructions of my certificate's 
Certification Authority, I had this in conf:


SSLCertificateChainFile conf/sub.class2.server.ca.cer
SSLCACertificateFile conf/ca.cer

Changed to:
SSLCACertificateFile conf/sub.class2.server.ca.cer

and as expected the warning is gone.

Not sure if it has any consequences ?


Steffen



-Original Message- 
From: Jim Jagielski

Sent: Tuesday, March 11, 2014 5:34 PM Newsgroups: gmane.comp.apache.devel
To: httpd
Subject: [VOTE] Release Apache httpd 2.4.8 as GA

The pre-release test tarballs for Apache httpd 2.4.8 can be found
at the usual place:

http://httpd.apache.org/dev/dist/

I'm calling a VOTE on releasing these as Apache httpd 2.4.8 GA.

[ ] +1: Good to go
[ ] +0: meh
[ ] -1: Danger Will Robinson. And why.

Vote will last the normal 72 hrs.

NOTE: The *-deps are only there for convenience. 



Re: [VOTE] Release Apache httpd 2.4.8 as GA

2014-03-11 Thread Gregg Smith

On 3/11/2014 1:29 PM, Rainer Jung wrote:

On 11.03.2014 17:34, Jim Jagielski wrote:

The pre-release test tarballs for Apache httpd 2.4.8 can be found
at the usual place:

http://httpd.apache.org/dev/dist/

I'm calling a VOTE on releasing these as Apache httpd 2.4.8 GA.

[ ] +1: Good to go
[ ] +0: meh
[ ] -1: Danger Will Robinson. And why.

Vote will last the normal 72 hrs.

NOTE: The *-deps are only there for convenience.

I get a segfault during startup init on www.apache.org when using SSL.
This didn't happen for r1570851. Candidate is r1573360.


I'm seeing this with OpenSSL 0.9.8y on Windows.


That server currently uses OpenSSL 1.0.1e.

GDB:

Program terminated with signal 11, Segmentation fault.
#0  0x00010287a19a in ssl_set_cert_masks () from
/usr/local/lib/libssl.so.8
(gdb) bt full
#0  0x00010287a19a in ssl_set_cert_masks () from
/usr/local/lib/libssl.so.8
No symbol table info available.
#1  0x00010287a6f6 in ssl_get_server_send_pkey () from
/usr/local/lib/libssl.so.8
No symbol table info available.
#2  0x00010287a7a9 in ssl_get_server_send_cert () from
/usr/local/lib/libssl.so.8
No symbol table info available.
#3  0x000102616d2a in ssl_init_server_certs (pphrases=0x10226ab58,
mctx=0x10227d938, ptemp=optimized out, p=optimized out, s=optimized
out) at ssl_engine_init.c:959
No locals.
#4  ssl_init_server_ctx (pphrases=optimized out, sc=optimized out,
ptemp=optimized out, p=optimized out, s=optimized out) at
ssl_engine_init.c:1287
No locals.
#5  ssl_init_ConfigureServer (s=0x102277350, p=0x102023028,
ptemp=0x102051028, sc=0x10227d7d8, pphrases=optimized out) at
ssl_engine_init.c:1378
 rv =optimized out
#6  0x000102617cfc in ssl_init_Module (p=0x102023028,
plog=optimized out, ptemp=0x102051028, base_server=0x10204dbe8) at
ssl_engine_init.c:228
 mc =optimized out
 sc =optimized out
 s = 0x102277350
 rv = 0
 pphrases = 0x10226ab58
#7  0x0044965c in ap_run_post_config (pconf=0x102023028,
plog=0x10204f028, ptemp=0x102051028, s=0x10204dbe8) at config.c:103
 n = 4
 rv =optimized out
#8  0x0042afd7 in main (argc=9, argv=0x7fffd8c0) at main.c:696
 c = 68 'D'
 showcompile = 0
 showdirectives = 0
 confname = 0x7fffdbb7 /.../conf/httpd.conf
 def_server_root = 0x4655c0 /...
 temp_error_log = 0x0
 error =optimized out
 process = 0x102021118
 pconf = 0x102023028
 plog = 0x10204f028
 ptemp = 0x102051028
 pcommands = 0x102045028
 opt = 0x102045118
 rv =optimized out
 opt_arg = 0x7fffdbfa SSL

...

#3  0x000102616d2a in ssl_init_server_certs (pphrases=0x10226ab58,
mctx=0x10227d938, ptemp=optimized out, p=optimized out, s=optimized
out) at ssl_engine_init.c:959
959 if (!(ssl = SSL_new(mctx->ssl_ctx)) ||

(gdb) print *pphrases
$1 = {pool = 0x102051028, elt_size = 8, nelts = 0, nalloc = 2, elts =
0x10226ab78 }

(gdb) print *mctx
$2 = {sc = 0x10227d7d8, ssl_ctx = 0x102185600, pks = 0x10227da20, pkp =
0x0, ticket_key = 0x10227dab0, protocol = 6, pphrase_dialog_type =
SSL_PPTYPE_BUILTIN,
   pphrase_dialog_path = 0x0, cert_chain = 0x1022784c0 /crt,
crl_path = 0x0, crl_file = 0x0,
   crl_check_mode = SSL_CRLCHECK_UNSET, stapling_enabled = 0,
stapling_resptime_skew = -1, stapling_resp_maxage = -1,
stapling_cache_timeout = -1,
   stapling_return_errors = 4294967295, stapling_fake_trylater =
4294967295, stapling_errcache_timeout = -1, stapling_responder_timeout =
-1, stapling_force_url = 0x0,
   srp_vfile = 0x0, srp_unknown_user_seed = 0x0, srp_vbase = 0x0, auth =
{ca_cert_path = 0x0, ca_cert_file = 0x0,
 cipher_suite = 0x102108d18 ..., verify_depth = 1, verify_mode =
SSL_CVERIFY_NONE},
   ocsp_enabled = 0, ocsp_force_default = 0, ocsp_responder = 0x0,
ocsp_resptime_skew = -1, ocsp_resp_maxage = -1, ocsp_responder_timeout = -1}

Config structure is roughly:

VirtualHost _default_:443
 ServerName ...
 DocumentRoot ...
 SSLEngine on
 SSLCACertificateFile pem
 SSLCertificateFile crt
 SSLCertificateKeyFile key
 SSLCertificateChainFile pem
/VirtualHost

VirtualHost *:443
SSLEngine on
SSLCertificateFile crt
SSLCertificateKeyFile key
SSLCertificateChainFile crt

DocumentRoot ...
ServerName ...
ServerAlias ...
UseCanonicalName On

non-ssl config items
/VirtualHost

VirtualHost *:443
ServerName ...
UseCanonicalName Off
VirtualDocumentRoot ...
VirtualScriptAlias ...
ServerAlias ...

SSLEngine on
SSLCertificateFile crt
SSLCertificateKeyFile key
SSLCertificateChainFile crt

non-ssl config items
/VirtualHost

The certificates etc. in the three blocks are three different ones.

I'll have a look what I can find out, just an early heads-up.

Regards,

Rainer




Re: [VOTE] Release Apache httpd 2.4.8 as GA

2014-03-11 Thread Falco Schwarz

 On 11 Mar 2014, at 22:43, Steffen i...@apachelounge.com wrote:
 
 Builds  fine on  VC11 Win32, other flavors I try tomorrow
 
 Till now it runs fine, but get the following (run OpenSSL 1.0.1f):
 
 AH02559: The SSLCertificateChainFile directive 
 (D:/servers/apacheS/conf/extra/httpd-ssl.conf:55) is deprecated, 
 SSLCertificateFile should be used instead
 
 In the change log it is mentioned.  By instruction of my certificate 
 Certification Authority in conf:
 
 SSLCertificateChainFile conf/sub.class2.server.ca.cer
 SSLCACertificateFile conf/ca.cer
 
 Changed to:
 SSLCACertificateFile conf/sub.class2.server.ca.cer
 
 and as expected the warning is gone.
 
 Not sure if it has any consequences ?

Instead of using SSLCACertificateFile, try using only
SSLCertificateFile, as described here:
http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatefile


Re: [VOTE] Release Apache httpd 2.4.8 as GA

2014-03-11 Thread Rainer Jung
On 11.03.2014 21:53, Rainer Jung wrote:
 On 11.03.2014 21:41, Dr Stephen Henson wrote:
 On 11/03/2014 20:29, Rainer Jung wrote:
 On 11.03.2014 17:34, Jim Jagielski wrote:
 The pre-release test tarballs for Apache httpd 2.4.8 can be found
 at the usual place:

http://httpd.apache.org/dev/dist/

 I'm calling a VOTE on releasing these as Apache httpd 2.4.8 GA.

 [ ] +1: Good to go
 [ ] +0: meh
 [ ] -1: Danger Will Robinson. And why.

 Vote will last the normal 72 hrs.

 NOTE: The *-deps are only there for convenience.

 I get a segfault during startup init on www.apache.org when using SSL.
 This didn't happen for r1570851. Candidate is r1573360.

 That server currently uses OpenSSL 1.0.1e.

 GDB:

 Program terminated with signal 11, Segmentation fault.
 #0  0x00010287a19a in ssl_set_cert_masks () from
 /usr/local/lib/libssl.so.8
 (gdb) bt full
 #0  0x00010287a19a in ssl_set_cert_masks () from
 /usr/local/lib/libssl.so.8
 No symbol table info available.
 #1  0x00010287a6f6 in ssl_get_server_send_pkey () from
 /usr/local/lib/libssl.so.8

 Could be a known issue in OpenSSL 1.0.1e which is fixed in 1.0.1f.
 
 Thanks Steve. Will try, actually was on my way to update when I noticed
 there was not yet a BSD port for 1.0.1f. Will try nevertheless.

Updating to OpenSSL 1.0.1f fixed it.

Regards,

Rainer



Re: [VOTE] Release Apache httpd 2.4.8 as GA

2014-03-11 Thread Reindl Harald


Am 11.03.2014 22:52, schrieb Falco Schwarz:
 On 11 Mar 2014, at 22:43, Steffen i...@apachelounge.com 
 mailto:i...@apachelounge.com wrote:
 Builds  fine on  VC11 Win32, other flavors I try tomorrow

 Till now it runs fine, but get the following (run OpenSSL 1.0.1f):

 AH02559: The SSLCertificateChainFile directive 
 (D:/servers/apacheS/conf/extra/httpd-ssl.conf:55) is deprecated,
 SSLCertificateFile should be used instead

 In the change log it is mentioned.  By instruction of my certificate 
 Certification Authority in conf:

 SSLCertificateChainFile conf/sub.class2.server.ca.cer
 SSLCACertificateFile conf/ca.cer

 Changed to:
 SSLCACertificateFile conf/sub.class2.server.ca.cer

 and as expected the warning is gone.

 Not sure if it has any consequences ?
 
 Instead of using SSLCACertificateFile, try using only
 SSLCertificateFile, as described here:
 http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatefile

Caution in the context of SSLUseStapling On:

maybe that works with 2.4.8 too, but with 2.4.7 it does not when
cert/key/CA chain are combined in SSLCertificateFile

however, I'll build http://httpd.apache.org/dev/dist/httpd-2.4.8.tar.bz2
shortly on Fedora 20 x86_64 with openssl-1.0.1e and will likely give
a vote tomorrow





Re: [VOTE] Release Apache httpd 2.4.8 as GA

2014-03-11 Thread Steffen


SSLCertificateFile already points to the certificate:

SSLCertificateFile conf/ssl.crt
SSLCertificateKeyFile conf/ssl.key

The doc says the directive can be used multiple times.
So I added :  SSLCertificateFile conf/sub.class2.server.ca.cer

But then Apache does not start:

[Tue Mar 11 23:03:56.812199 2014] [ssl:emerg] [pid 4356:tid 468] 
AH02577: Init: SSLPassPhraseDialog builtin is not supported on Win32 
(key file D:/servers/apacheS/conf/sub.class2.server.ca.cer)
[Tue Mar 11 23:03:56.812199 2014] [ssl:emerg] [pid 4356:tid 468] 
AH02312: Fatal error initialising mod_ssl, exiting.
[Tue Mar 11 23:03:56.812199 2014] [ssl:emerg] [pid 4356:tid 468] 
AH02564: Failed to configure encrypted (?) private key 
www.land10web.com:443:1, check 
D:/servers/apacheS/conf/sub.class2.server.ca.cer
[Tue Mar 11 23:03:56.813199 2014] [ssl:emerg] [pid 4356:tid 468] SSL 
Library Error: error:0D0680A8:asn1 encoding 
routines:ASN1_CHECK_TLEN:wrong tag
[Tue Mar 11 23:03:56.813199 2014] [ssl:emerg] [pid 4356:tid 468] SSL 
Library Error: error:0D08303A:asn1 encoding 
routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
[Tue Mar 11 23:03:56.813199 2014] [ssl:emerg] [pid 4356:tid 468] SSL 
Library Error: error:0D0680A8:asn1 encoding 
routines:ASN1_CHECK_TLEN:wrong tag
[Tue Mar 11 23:03:56.813199 2014] [ssl:emerg] [pid 4356:tid 468] SSL 
Library Error: error:0D07803A:asn1 encoding 
routines:ASN1_ITEM_EX_D2I:nested asn1 error (Type=RSA)
[Tue Mar 11 23:03:56.813199 2014] [ssl:emerg] [pid 4356:tid 468] SSL 
Library Error: error:04093004:rsa routines:OLD_RSA_PRIV_DECODE:RSA lib

...

So for now I leave it with SSLCACertificateFile 
conf/sub.class2.server.ca.cer, which looks to be working fine.




On Tuesday 11/03/2014 at 22:53, Falco Schwarz  wrote:




On 11 Mar 2014, at 22:43, Steffen i...@apachelounge.com wrote:




Builds  fine on  VC11 Win32, other flavors I try tomorrow

Till now it runs fine, but get the following (run OpenSSL 1.0.1f):

AH02559: The SSLCertificateChainFile directive 
(D:/servers/apacheS/conf/extra/httpd-ssl.conf:55) is deprecated, 
SSLCertificateFile should be used instead


In the change log it is mentioned.  By instruction of my certificate 
Certification Authority in conf:


SSLCertificateChainFile conf/sub.class2.server.ca.cer
SSLCACertificateFile conf/ca.cer

Changed to:
SSLCACertificateFile conf/sub.class2.server.ca.cer

and as expected the warning is gone.

Not sure if it has any consequences ?


Instead of using SSLCACertificateFile, try using only
SSLCertificateFile, as described here:
http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatefile








Re: Re: Adding AddHandler support for mod_proxy

2014-03-11 Thread Andreas Bosch

Am 27.02.2014 18:19, schrieb ryo takatsuki:

Thx for the patch! Let me take a look... I'm assuming that there's
no real work-around other than the patch itself, right?

If there is, we could not find it :) We have been searching for months
and trying different approaches. This is required to work with out of
the box installation of many apps without requiring them to modify
their htaccess files.

Thanks for looking into it!



Hi,
You can put the patch in its own module; it is not required to be part 
of mod_proxy if you can accept using the internals of one module in 
another. That is what I am currently doing with Apache 2.4, since I like 
to use the binary package of my distribution without needing to 
recompile the whole server.


https://gist.github.com/progandy/6ed4eeea60f6277c3e39/


2014-02-27 14:24 GMT+01:00 Jim Jagielski j...@jagunet.com:

Thx for the patch! Let me take a look... I'm assuming that there's
no real work-around other than the patch itself, right?

On Feb 26, 2014, at 1:47 PM, ryo takatsuki ryotakats...@gmail.com wrote:


Hi all,

Any other comments about the patch? I believe it is simple enough and
could ease the migration from mod_php to PHP-FPM (and make use of the
new event mode) with minimal changes to the default configurations.
Could you consider adding it? Pretty please :)

To give more background, at Bitnami we have 800.000+ monthly *new*
installs just for Apache + PHP environments, a growing number of them
in the cloud. We have daily requests for switching to nginx as the
default, but we believe Apache 2.4 event MPM + PHP-FPM to be
equivalent in terms of performance and you get all the other goodness
of Apache. This is a small change that would make the transition to
the event MPM on our side significantly easier (long story)

Best regards,

Juanjo.

2014-02-18 15:46 GMT+01:00 ryo takatsuki ryotakats...@gmail.com:

AddHandler might be tricky from a security point of view: e.g. most CMS software
only checks the last extension before writing uploaded files,
but this AddHandler would also
pass test.php.jpeg to PHP, which might execute it

Yes, It would be probably safer to use something like:

FilesMatch \.php$
SetHandler  proxy:unix:/path/to/app.sock|fcgi://localhost/
/FilesMatch

2014-02-17 0:11 GMT+01:00 Lazy lazy...@gmail.com:

2014-02-06 ryo takatsuki ryotakats...@gmail.com:

Hi,

I have an improvement request to suggest but I would like to first provide
some background to justify it, I apologise for the long email :).

I'm actively using mod_proxy to forward PHP files requests to PHP-FPM. My
current approach is to use a RewriteRule with the 'P' flag because (in most
of the cases) it plays nicely with other rules configured by the
applications I'm configuring, as well as allowing per-Directory
configurations.

To make it work properly I must ensure the proxy RewriteRule is the
last one to be evaluated. The problem is that from time to time I
encounter corner cases in which the rules executed previously include an [L]
option that aborts evaluation of the following rules, skipping the proxy one and making
Apache serve the PHP file as plain text. This can be solved by tweaking the
rules, but it is a tedious process and it is hard to determine all the scenarios
in which the rewrites could go wrong.

IMHO this is a good idea; a handler is more compatible with .htaccess
files created for
mod_php, and it fits a shared hosting environment


Thinking about what my goal with all of this was at the beginning, I realised I
only wanted a way of configuring a handler for all my PHP files, which in
this case is PHP-FPM, without having to worry about what happens before the
resource is served. This made me think about the possibility of
adding this functionality to mod_proxy itself, allowing a proxy
worker to be defined as the handler for certain types of files. Something like:

AddHandler proxy:unix:/path/to/app.sock|fcgi://localhost/ .php

AddHandler might be tricky from a security point of view: e.g. most CMS software
only checks the last extension before writing uploaded files,
but this AddHandler would also
pass test.php.jpeg to PHP, which might execute it


I made a quick POC, it is a really small change and for those in my
situation it could really simplify the configuration of their apps. Of
course, I'm open to criticisms and alternative solutions :).


The code that adds the new functionality is inserted at the beginning of
mod_proxy's proxy_handler. The conditions are a little awkward because I only
wanted to check the handler if it is not already a proxy request.

diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c
index 9d7c92f..49f3bdc 100644
--- a/modules/proxy/mod_proxy.c
+++ b/modules/proxy/mod_proxy.c
@@ -927,8 +927,20 @@ static int proxy_handler(request_rec *r)
struct dirconn_entry *list = (struct dirconn_entry
*)conf-dirconn-elts;

/* is this for us? */
-if (!r-proxyreq || !r-filename || strncmp(r-filename, proxy:, 6)
!= 0)
+if (!r-filename)
+  

Re: [VOTE] Release Apache httpd 2.4.8 as GA

2014-03-11 Thread Dr Stephen Henson
On 12/03/2014 00:30, Dr Stephen Henson wrote:
 
 The fix was applied on Feb 11 2013. That would mean that official releases
 affected would be 0.9.8y, 1.0.0j and 1.0.1c. Any later official release should
 include the fix but we weren't planning to make any more 0.9.8 official 
 releases
 though a 0.9.8 snapshot should include the fix.
 
 OS specific versions of OpenSSL might not have included the fix. This is the
 actual diff:
 
 http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=147dbb2fe3bead7a10
 

It looks like the only case this can happen is ssl_init_server_certs where an
SSL structure is created, SSL_get_certificate called and then it is freed.

If so then calling SSL_set_connect_state before the SSL_get_certificate
call is a potential workaround. This works because the faulty code isn't used by
SSL structures where ssl->server == 0, and SSL_set_connect_state does that,
among other things.

This is a bit of a hack because it's called on a server SSL structure. This
would probably fail horribly if an attempt was made to use the SSL structure but
in this case we're freeing it up immediately so this should hopefully not 
matter.

Steve.
-- 
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
shen...@opensslfoundation.com


Re: [VOTE] Release Apache httpd 2.4.8 as GA

2014-03-11 Thread Dr Stephen Henson
On 11/03/2014 21:46, Gregg Smith wrote:
 On 3/11/2014 1:29 PM, Rainer Jung wrote:
 On 11.03.2014 17:34, Jim Jagielski wrote:
 The pre-release test tarballs for Apache httpd 2.4.8 can be found
 at the usual place:

 http://httpd.apache.org/dev/dist/

 I'm calling a VOTE on releasing these as Apache httpd 2.4.8 GA.

 [ ] +1: Good to go
 [ ] +0: meh
 [ ] -1: Danger Will Robinson. And why.

 Vote will last the normal 72 hrs.

 NOTE: The *-deps are only there for convenience.
 I get a segfault during startup init on www.apache.org when using SSL.
 This didn't happen for r1570851. Candidate is r1573360.
 
 I'm seeing this with OpenSSL 0.9.8y on Windows.
 

Here are some more details of the bug in OpenSSL I *think* triggers this.

The function SSL_get_certificate was modified in some versions of OpenSSL to
return the certificate the server used instead of the current certificate it had
done previously. This was to make OCSP stapling work with multiple configured
certificates. Unfortunately a bug in the change meant it would crash if it was
called before the server sent the certificate. Later versions of OpenSSL
restored the original behaviour unless SSL_get_certificate was called inside the
OCSP callback when it would return the certificate actually sent.

The fix was applied on Feb 11 2013. That would mean that official releases
affected would be 0.9.8y, 1.0.0j and 1.0.1c. Any later official release should
include the fix but we weren't planning to make any more 0.9.8 official releases
though a 0.9.8 snapshot should include the fix.

OS specific versions of OpenSSL might not have included the fix. This is the
actual diff:

http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=147dbb2fe3bead7a10

Steve.
-- 
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
shen...@opensslfoundation.com


Re: [VOTE] Release Apache httpd 2.4.8 as GA

2014-03-11 Thread Noel Butler
 

On 12/03/2014 09:17, Noel Butler wrote: 

 On 12/03/2014 02:34, Jim Jagielski wrote: 
 
 The pre-release test tarballs for Apache httpd 2.4.8 can be found
 at the usual place:
 
 http://httpd.apache.org/dev/dist/ [1]
 
 I'm calling a VOTE on releasing these as Apache httpd 2.4.8 GA.
 
 [ ] +1: Good to go
 [ ] +0: meh
 [ ] -1: Danger Will Robinson. And why.
 
 Vote will last the normal 72 hrs.
 
 NOTE: The *-deps are only there for convenience.
 
 -1 
 
 slackware 13.1 w/apr-1.50, apr-util-1.5.3, SSL 0.9.8y - segfaults 
 
 a third party on IRC reports likewise on RHEL 5.5 
 
 So it seems more than just openssl 1.0.1e is affected

Too early in the morning; I forgot to add that on slackware 14.0 and 14.1 the build and
execution succeed, but both use openssl 1.0.1f 

 

Links:
--
[1] http://httpd.apache.org/dev/dist/


Re: [VOTE] Release Apache httpd 2.4.8 as GA

2014-03-11 Thread Noel Butler
 

On 12/03/2014 02:34, Jim Jagielski wrote: 

 The pre-release test tarballs for Apache httpd 2.4.8 can be found
 at the usual place:
 
 http://httpd.apache.org/dev/dist/ [1]
 
 I'm calling a VOTE on releasing these as Apache httpd 2.4.8 GA.
 
 [ ] +1: Good to go
 [ ] +0: meh
 [ ] -1: Danger Will Robinson. And why.
 
 Vote will last the normal 72 hrs.
 
 NOTE: The *-deps are only there for convenience.

-1 

slackware 13.1 w/apr-1.50, apr-util-1.5.3, SSL 0.9.8y - segfaults 

a third party on IRC reports likewise on RHEL 5.5 

So it seems more than just openssl 1.0.1e is affected 

 

Links:
--
[1] http://httpd.apache.org/dev/dist/