Re: AcceptPathInfo configured, finding out the real URL that is used
Hello list,

Answering my own request ..

> I have not found a way yet to determine the really delivered URL instead of the user given one.

I found out that the filename field in the request_rec contains the actually used PHP script. So with the use of the document root of the request I will be able to construct a virtual URL as if the user directly requested the real file.

Probably this is the only way to find out what PHP will be doing later with the request.

Greetings
--
Christoph Gröver
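The approach from the message above as an added example (not code from the original post or from httpd): strip the document root from the mapped filename to get the URL of the script that will really run, and check that URL as well as the requested one. `struct req_view`, the function names and the deny list are hypothetical stand-ins for the `request_rec` fields, `ap_document_root(r)` and the database lookup, so the block compiles without the httpd headers.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical view of the request data the check needs. In a module the
 * values would come from ap_document_root(r), r->filename and r->uri. */
struct req_view {
    const char *document_root;
    const char *filename;   /* file the server mapped the request to */
    const char *uri;        /* URL as typed by the client */
};

/* Constructed sample deny list standing in for the database lookup. */
static const char *const denied_urls[] = { "/index.php", "/intern/report.php", NULL };

static int is_denied(const char *url)
{
    for (size_t i = 0; denied_urls[i] != NULL; i++)
        if (strcmp(url, denied_urls[i]) == 0)
            return 1;
    return 0;
}

/* Rebuild the URL of the file that will really be served by stripping the
 * document root from the mapped filename. Returns 0 on success, -1 if the
 * file is not below the document root or the buffer is too small. */
int effective_url(const struct req_view *r, char *out, size_t outlen)
{
    size_t rootlen = strlen(r->document_root);

    while (rootlen > 0 && r->document_root[rootlen - 1] == '/')
        rootlen--;                          /* tolerate a trailing slash */
    if (strncmp(r->filename, r->document_root, rootlen) != 0)
        return -1;
    /* Require a path boundary so /var/www/html2 never matches /var/www/html. */
    if (r->filename[rootlen] != '/')
        return -1;
    if (strlen(r->filename + rootlen) >= outlen)
        return -1;
    strcpy(out, r->filename + rootlen);
    return 0;
}

/* Returns 1 to allow, 0 to deny. The requested URI and the effective URL must
 * both pass, and a request that cannot be mapped is denied (fail closed). */
int access_allowed(const struct req_view *r)
{
    char url[1024];

    if (is_denied(r->uri))
        return 0;
    if (effective_url(r, url, sizeof url) != 0)
        return 0;
    return !is_denied(url);
}
```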
AcceptPathInfo configured, finding out the real URL that is used
Hello list,

I am developing a module which should be able to allow or deny access to URLs based on a database.

I have now found out that with 'AcceptPathInfo on' there are URLs that the user can access by simply adding a trailing '/' or a trailing '/whatever'.

So the user specifies he wants '/index.php/whatever' and this is not disallowed in the database, but then he will get /index.php with '/whatever' added to the PHP script as a path-info field. This bypasses the security of course.

Is there a way of knowing whether this is in effect or (preferred) is there a way to find out the real URL that the PHP interpreter will be using at last.

My module runs in the auth_checker phase and in the fixup phase. I have not found a way yet to determine the really delivered URL instead of the user given one.

Thank you for your time,

Greetings
--
Christoph Gröver, gro...@sitepark.com
Re: How to determine the right vhost in name based vhosting
Hello list, Hello Sorin,

I tested several different Apaches (2.4.x and 2.2.x) and they never did the wanted or expected.

If I configure more than one VHost only the first one is returned by the server->server_hostname structure. The one of the second vhost that is configured as a ServerName seems to be impossible to determine?

Is there any other way to find the hostname?

Greetings
--
Sitepark Gesellschaft für Informationsmanagement mbH
Rothenburg 14-16, 48143 Münster
Phone: +49 251 482655-0, Fax: +49 251 482655-55
http://www.sitepark.com
http://www.facebook.com/sitepark
Managing Director: Thorsten Liebold
Amtsgericht Münster, HRB 5017
Re: How to determine the right vhost in name based vhosting
Hello Sorin,

> I suppose you use the server field of the request_rec structure and not some stored server_rec that was passed to you in post_config or somewhere else.

Definitely. I have adopted this from some other module and didn't know there was another way to obtain a server_rec structure. So I should be looking for a better way to find the right structure.

Thank you very much. This sounds as if it will be the right way.

> Apache keeps a linked list of server_rec structures. The head of the list is the server_rec of the whole apache server. The rest of the list contains one server_rec structure per vhost. For each request apache picks the right server_rec from the list according to the Host header and sets r->server to point to the picked object.

This information will also help. Thank you.

> Also make sure that your request really arrives in the vhost you intended. Typically I check this by logging to different files (see the CustomLog directive) in each vhost.

This is actually the case. I receive the requests in the right vhost. I have separate logfiles for each vhost.

Thanks for your answers. I guess I will be able to solve the issue with this information.

With kind regards,
Re: How to determine the right vhost in name based vhosting
Hello Sorin,

Thank you very much. I finally found out the cause of the strange results I am getting.

I used the request_rec to get the conn_rec. In this connection record there's a field called base_server, which I used as the source for the server_hostname.

    request_rec *r;
    conn_rec *c;
    server_rec *server;

    c = r->connection;
    server = c->base_server;

My misunderstanding was that this leads to the main vhost I am using. But it actually leads to the default server of the current ip:port combination.

Now I use:

    server = r->server;

This gives the expected result. Everything is fine now ;-).

I can't tell you why I used the more complicated way to retrieve a server_rec. Probably just used some example code from somewhere. In the beginning everything seemed alright since we always had just one vhost under one IP. The problem showed up when we had a second vhost running.

Another misunderstanding solved now.

Thank you for your time (and patience).

With kind regards ..
Re: How to determine the right vhost in name based vhosting
Hello Sorin,

> I've tested this setup in 2.4.6 and r->server->server_hostname contains what you want.

Thanks for your answer.

Well, at least with Apache 2.2.15 I recognize a different behaviour. The server->server_hostname points to the first vhost that is configured for an IP:Port combination, not to the vhost configured in the Apache ServerName option.

In my example the result is always main.domain.tld, and never www.domain.tld.

I will try a few other apache versions to verify this further.

Thank you,

Greetings
How to determine the right vhost in name based vhosting
Hello,

We usually use name based virtualhosts with something like the following configuration:

    NameVirtualHost IP:80

    <VirtualHost IP:80>
        ServerName main.domain.tld
        ServerAlias alias.domain.tld
        ..
    </VirtualHost>

    <VirtualHost IP:80>
        ServerName www.domain.tld
        ServerAlias alt.domain.tld
        ..
    </VirtualHost>

Now I'm looking for a function which reliably returns the host main.domain.tld if the first vhost is used (even if it is used as alias.domain.tld) and returns www.domain.tld if the second one is used (even if under the name alt.domain.tld).

I know of two ways to do this:

1. ap_get_server_name
   This returns the right hostname if UseCanonicalName is set. But returns just the Host:-Header if it is off - which is the default.

2. server_rec structure
   The element server->server_hostname always returns the first vhost available for an ip address. So even if I use www.domain.tld it returns main.domain.tld

So the first option depends on UseCanonicalName, the second does something else - which is not what I want.

Any other ways of doing this? Or is there just the solution to force UseCanonicalName to on and otherwise it won't work.

Can anybody enlighten me as to how this should be done?

Thank you,

Greetings
Re: Is UseCanonicalName in effect? How to find out
Hello list,

> Probably I just have to import this and use the values in this structure?

Well, no answer yet.

I found an example code where someone just uses the core_dir_config structure by including the http_core.h header file and reading the value use_canonical after getting the config of the core_module like this:

    core_dir_config *conf = (core_dir_config *) ap_get_core_module_config(r->per_dir_config);

Works fine. If there's a more elegant way e.g. a function I'd still like to hear it.

Greetings
--
Christoph Gröver
Is UseCanonicalName in effect? How to find out
Dear list,

Is there a preferred way to find out (in a module) whether UseCanonicalName is not off?

I had a look at the structures (server_rec ..) in httpd.h, but only found the core_dir_config structure. It is supposed to be a private configuration structure for the core_dir_module?

Probably I just have to import this and use the values in this structure?

Thank you for your time.

Greetings
Re: Authentication/Authorization module vs. Basic Authentication
Hello Niq, Hello List,

I have been able to solve this issue. Well, I should say, I have found a workaround.

I suspected mod_auth_basic to be doing something wrong, so I had a close look at the sourcecode. It is only run in the check_user_id phase.

I tested whether the problem still exists if my module is hooked in at the beginning of the check_user_id phase and returns with status DONE, thus preventing mod_auth_basic to be run at all.

The problem is immediately gone, so I'm sure this module is the cause. But I haven't found out what exactly goes wrong. Doesn't matter. This way it works.

Thank you for your time.

Greetings
--
Christoph Gröver
Re: Authentication/Authorization module vs. Basic Authentication
Hello Nick,

> You'd want the err_headers_out to set that for an error return.

OK. Good point. Changed that.

> Instead of sending back to the client a 302 or a 301 the next thing that happens the apache sends back a 401.

> Have you traced and/or stepped through execution of your own code?

I have a lot of debugging code in my module. The last thing that my module does in the access checking phase is returning HTTP_MOVED_TEMPORARILY (this is logged to the errorlog).

For debugging purposes I have a short code segment hooked up into the phases check_user_id and auth_checker. Those are not run.

So. This leads to my conclusion that some other module must be doing something in the access checking phase.

> Could it be that your errordocument itself authenticates the client?

The problem arises when the client sends POST data to the webserver. The client sends authentication information and my module does a redirection to either a failed login page or a successful welcome page.

Without any Basic Authentication / require lines in the configuration this works. If I add a require valid-user it doesn't work anymore.

> I tried to find out with LogLevel debug. But this actually leads to nearly no extra lines in the log files.

> My usual tool in that situation is gdb.

I guess the other modules are not logging much if not compiled for verbosity? If I'd use gdb I would have to compile every module with debugging support, I guess?

Thank you for your answer,

Greetings
Authentication/Authorization module vs. Basic Authentication
Dear mailing list,

I have written a rather complex module which deals with authentication and authorization among other things. It checks for example for the existence of a valid kerberos ticket, it checks a mysql database for information which user is allowed to see which URL of a website. Later it filters out unwanted content or removes part of the content delivered to the user based on the id of the user.

I didn't want the module to be dependent on any require ... line and I found out these lines are essential for a module which uses the auth_checker hook. So I use some of the other hooks. The main authentication and authorization parts are done in ap_hook_access_checker.

Below there's the part of the code which registers functions for the hooks.

The module was first created for Apache 1.3, transferred to Apache 2.0 and is now used with Apache 2.2.

But lately there seem to be some compatibility problems with Basic Authentication. In the past it was possible to use Basic Authentication and this module at the same time. Now this gives us some Error 401 although we have a satisfy any and an allowed IP address configured.

After the code in the access_checker phase is run and returns a HTTP_MOVED_TEMPORARILY the user is prompted with a password/login popup. This is not coming from my code. I guess it's coming from the module that implements Basic Authentication.

So while I cannot give you an example snippet of code, because it's a complex module which I cannot boil down to a few lines of code, I hope you still have an idea what might be going wrong or in which direction I should analyse this.

Any help is greatly appreciated. Thank you very much.

==
static void SumpfRegisterHooks(apr_pool_t *pool)
{
    static const char * const Succ[] = { "mod_php.c", NULL };

    // This is the hook that is called initially at the server start
    // after the configuration is read
    ap_hook_post_config(SumpfInit, NULL, NULL, APR_HOOK_MIDDLE); // or APR_HOOK_LAST ?

    // This is the hook that is called after reading each request
    ap_hook_post_read_request(SumpfStartPerRequest, NULL, NULL, APR_HOOK_MIDDLE); // or APR_HOOK_LAST ?

    // We cannot use the auth_checker hook, cause it depends on
    // 'require valid-user' in the configuration
    ap_hook_access_checker(SumpfAuthChecker, NULL, NULL, APR_HOOK_FIRST);
    // ap_hook_check_user_id(SumpfCheckUserID, NULL, NULL, APR_HOOK_MIDDLE);

    // auth_checker hook will only be used if we have a 'require ...' option
    // if we use the require option the basic auth module can't use it !!!
    ap_hook_auth_checker(SumpfCheckAuthorization, NULL, NULL, APR_HOOK_FIRST);

    // For Kerberos we cannot run in auth_checker phase because mod_auth_kerb
    // prevents this by returning OK, which means no other module is run here
    // So we run as first in fixup hook
    ap_hook_fixups(SumpfKerberosChecker, NULL, NULL, APR_HOOK_FIRST);

    // For PHP a normal hook_handler doesn't do anything,
    // presumably because mod_php ends with return(OK)
    // We need the hook_fixups !!
    ap_hook_fixups(SumpfHandleSpecialRequests, NULL, NULL, APR_HOOK_MIDDLE);

    // Not needed anymore 15.12.2006
    // ap_hook_handler(SumpfSpecialURLs, NULL, NULL, APR_HOOK_MIDDLE);

    ap_hook_insert_filter(SumpfInsertFilter, Succ, NULL, APR_HOOK_MIDDLE);
    ap_register_output_filter(SumpfFilterName, sumpf_filter, NULL, AP_FTYPE_RESOURCE);
}
===
Re: Accessing environment variables set by other modules
Hello Jeff,

> Sometimes envvars are set directly into subprocess_env (e.g., handling of SetEnv/SetEnvIf). IOW, subprocess_env is the primary representation. But the REMOTE_USER and HTTP request header variables are a representation of information stored elsewhere (r->user, r->headers_in), and that envvar representation is created just before running an external process. A module should always look at the primary representation, in this case r->user.

Thank you for these statements. Will just use r->user now.

Thankful greetings.
Accessing environment variables set by other modules
Hello list,

I'm trying to access the environment variable REMOTE_USER which is set by the mod_auth_kerb module (at least I think so).

I tried it with two different code snippets, both are not working.

1.  const char *remote = apr_table_get(r->subprocess_env, "REMOTE_USER");

2.  char *remote = get_env("REMOTE_USER");

I also changed the hook that I have my code registered in, so that it runs later than the mod_auth_kerb. But still REMOTE_USER appears to be always empty.

What am I doing wrong? Someone point me in the right direction?

Thank you for your time.

Greetings
--
Christoph Gröver, gro...@sitepark.com
Re: Accessing environment variables set by other modules
Hello Daniel,

> Just a quick suggestion; Have you tried r->user ?

Tak! Really a good suggestion. r->user is set if it's run in the fixup hook.

I still would like to know if it's possible to access variables set by other modules, but for the current development it'll be sufficient.

With kind regards.

Christoph Grøver
Question about malloc / realloc in module
Hello list,

In a module I have to allocate and reallocate a chunk of memory. Because (AFAIK) Apache or its libraries do not support reallocation I use the standard functions malloc/realloc (and free), of course.

But what if there's a problem in another module? Is it possible that due to some errors somewhere else the malloc/realloc of my modules are run (and therefore memory is allocated) but the corresponding free is not called, because the thread/process had a strange ending.

So would this result in a memory leak? (if this happens often!)

Hope you can enlighten me on this topic.

Bye,
--
Christoph Gröver, gro...@sitepark.com
Re: Question about malloc / realloc in module
Thank you, Nick, for your answer,

> So would this result in a memory leak? (if this happens often!)

> Potentially yes, unless you can do an exhaustive analysis of all possible processing paths. The fix for that is to register a free as a pool cleanup immediately after the malloc/realloc. See mod_proxy_html for an example.

Thanks for this suggestion. If I do not find out what is causing the apache children to grow in memory usage, I will try this to be sure it's not my memory allocations.

Greetings.
--
Christoph Gröver, gro...@sitepark.com
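Added example, not part of the original thread and not taken from mod_proxy_html: the cleanup advice above applied to a buffer that grows with realloc(), with the cleanup bound to a holder struct because realloc() may move the block. `mini_pool`, `pool_cleanup_register` and `growbuf` are hypothetical stand-ins for an APR pool and `apr_pool_cleanup_register()`, so the block builds without APR; in a module the holder itself would be allocated from the request pool.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical stand-in for an APR pool: cleanups that run on destroy. */
struct cleanup { void (*fn)(void *); void *data; struct cleanup *next; };
struct mini_pool { struct cleanup *head; };
static int pool_cleanup_register(struct mini_pool *p, void *data, void (*fn)(void *))
{
    struct cleanup *c = malloc(sizeof *c);
    if (c == NULL) return -1;
    c->fn = fn; c->data = data; c->next = p->head;
    p->head = c;
    return 0;
}

void pool_destroy(struct mini_pool *p)      /* runs however the request ended */
{
    while (p->head != NULL) {
        struct cleanup *c = p->head;
        p->head = c->next;
        c->fn(c->data);
        free(c);
    }
}

/* Cleanup is bound to the holder: realloc() may move the block itself. */
struct growbuf { char *data; size_t len, cap; };
int live_buffers = 0;                       /* demo counter of unfreed buffers */

static void growbuf_cleanup(void *v)
{
    struct growbuf *b = v;
    free(b->data);                          /* always the current block */
    free(b);
    live_buffers--;
}

struct growbuf *growbuf_create(struct mini_pool *p)
{
    struct growbuf *b = calloc(1, sizeof *b);
    if (b == NULL) return NULL;
    /* Register the cleanup before the first byte is stored. */
    if (pool_cleanup_register(p, b, growbuf_cleanup) != 0) { free(b); return NULL; }
    live_buffers++;
    return b;
}

int growbuf_append(struct growbuf *b, const char *src, size_t n)
{
    if (n > SIZE_MAX / 2 - b->len) return -1;   /* keeps the doubling overflow-free */
    if (b->len + n > b->cap) {
        size_t cap = b->cap ? b->cap : 16;
        while (cap < b->len + n) cap *= 2;
        char *tmp = realloc(b->data, cap);      /* old block stays valid on failure */
        if (tmp == NULL) return -1;
        b->data = tmp; b->cap = cap;
    }
    memcpy(b->data + b->len, src, n);
    b->len += n;
    return 0;
}
```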
Re: Preventing the use of chunked TF encoding while content-filtering
Hello Anthony,

> I had a mod_buffer module written for me by Konstantin Chuguev (konstan...@chuguev.com) which collects chunks and buffers them for transfer in one shot. You should contact him and see whether he'll give/license it to you.

Thank you for your answer.

Does this mean that collecting the chunks and transferring them in one shot will solve my problem? Do you know for sure that by this I will be able to circumvent the use of chunked transfer encoding?

I will program it myself, but I wanted to be sure that this will help before I start implementing it.

Bye
--
Christoph Gröver, gro...@sitepark.com
Sitepark GmbH, Gesellschaft für Informationsmanagement, AG Münster, HRB 5017
Rothenburg 14-16, D-48143 Münster, Phone (0251) 48265-50
Managing Directors: Dipl.-Phys. Martin Kurze, Dipl.-Des. Thorsten Liebold
Preventing the use of chunked TF encoding while content-filtering
Hello list,

I have written a module which does filtering the content. It gets those buckets and works on them and passes on the brigade of buckets.

OK, works perfect for nearly all conditions. Except when the user runs the infamous Internet Explorer and uses a misconfigured proxy, it doesn't.

With the help of some debugging we have found out what happens: The proxy is not HTTP/1.1-aware, which means it just changes the HTTP-response to be HTTP/1.0, but it keeps the 'chunked transfer encoding' of the original content.

Almost all browsers recognize that it's still chunked although the header claims to be HTTP/1.0 and do the right thing. MSIE doesn't. It gives the user the content and displays it with those hex encoded chunk lengths in it. Of course, this breaks website design and often the functionality.

So, what can we do about it? We cannot change the proxy people are using and we cannot fix their misconfigured proxies (or their broken proxies). We cannot tell them to not use MSIE, either.

So we should tell the Apache Webserver to not use 'chunked transfer encoding'. I thought this might be possible by just saying

    r->chunked = FALSE;

But it didn't help.

So after some talking: Is there a way to get rid of CTFE ? Perhaps if we collect all the chunks, put it in one chunk and set a ContentLength-Header ? Or is there another trick to do this?

Greetings from Münster, looking forward to your ideas.
--
Christoph Gröver, gro...@sitepark.com