Re: Why is 1.3 still on the download page?
Issac Goldstand wrote: Am I getting senile, or didn't we vote on making 1.3 End-Of-Life already? If so, why is 1.3.42 still featured on our download page as a current recommended release a year later? Isn't it time to change that to a note saying something to the extent of If you absolutely MUST continue using 1.3, you can download it from the archive? Big +1. cheers -- Lars Eilebrecht l...@eilebrecht.net
Re: Merging Via Header
Hi Raj, I have a requirement to merge multiple response Via headers, if any. Can this be achieved using the 'Header merge Via' option? Apparently, it needs a value to merge with, since I get this error: Header requires three arguments. Is there any way to achieve this through configuration? Please post configuration questions to the httpd user mailing list only. Thanks -- Lars Eilebrecht l...@apache.org
Re: Removing Limit and LimitExcept (was: svn commit: r1023227 - in /httpd/httpd/trunk: CHANGES server/core.c)
Jim Jagielski wrote: ++1. On Oct 19, 2010, at 3:28 PM, Roy T. Fielding wrote: IMO, removing Limit and LimitExcept would require a bump to httpd 3.x, since it would break almost all existing configs and introduce security holes if the installer is not prepared to rewrite them. Deprecating Limit and LimitExcept can be done in 2.4.x, which means keeping their functionality intact and warning at startup that the feature is less good than the new directives. Roy Big +1 cheers -- Lars Eilebrecht l...@eilebrecht.net
Re: [Vote] Retire 2.0.x branch?
William A. Rowe Jr. wrote: With a release on the way with a host of good bits, almost 2 years after its previous release, it seems time that the group might consider the following options... [ ] Leave 2.0.x open to maintenance [ ] Leave 2.0.x open to security/critical bug fixes only [X] Retire 2.0.x (but accumulate patches/apply_to_2.0.64) We should announce end of life of 2.0 similar to what we did with 1.3, and retire it in a few month. cheers -- Lars Eilebrecht l...@eilebrecht.net
Re: cookie to apache 2.2
Hi Adi,
you should raise questions like this on the httpd user mailing list.
Thanks
Lars
sanoadi wrote:
Hi I am sending the cookie back to web server (appache 2.2) ; it is not
getting recognized.
Cookie is prepared in the below method, where variable cookie used contains
all the cookies received in the header from the response.
protected String prepareCookie()
{
String cookieValue = ;
for(int z=0; zcookie.size(); z++)
{
KeyValueInfo keyValueInfo = (KeyValueInfo)cookie.get(z);
String key = (String)keyValueInfo.getKey();
String value = (String)keyValueInfo.getValue();
if(key.equalsIgnoreCase(Set-Cookie))
{
if(cookieValue.equals())
{
cookieValue = cookieValue + value;
}
else
{
cookieValue = cookieValue + , + value;
}
}
}
return cookieValue;
}
Now when I send this cookie it is not recognized , however if I replace
comma with semi-colon while adding cookies in the above method it works
fine. Let me knoe if there is any to do solve this. I chant change the code
of the client to prepare cookie to replace comma to semi colon.
Regards,
Adi
--
View this message in context:
http://old.nabble.com/cookie-to-apache-2.2-tp29709332p29709332.html
Sent from the Apache HTTP Server - Dev mailing list archive at Nabble.com.
Re: Stop accepting PRs for 1.3?
My concern is that people will submit 1.3 bug reports, and get frustrated when there's no official response. Is there a way we can keep 1.3 submissions open but make the level of support for 1.3 clear to bug submitters? In my opinion we should really close the bug db for 1.3 with a note that support questions can be sent to the user list, and potential security issues to our security list. We should encourage people to upgrade to 2.x and not to create or share bug fixes. ciao... Lars
Re: OpenBSD the Apache license problem. Why?
Rich Bowen wrote: Having seen this referenced several times in the last few weeks (was there a news story that resurrected this?) I've wondered about this claim, too. Can someone who remembers this incident please speak up and set the record straight about what actually happened? It seems improbable to me that there's just one side of this story, and that nobody remembers it from our perspective. What was refused, and why? Or is that not actually how it happened? Well, I wasted some time on the openbsd-misc list at that time ... Apart from the OpenBSD team claiming that we rejected some of their security patches the main issue was about them liking the Apache license 2.0. They more or less literally said, we don't like the new license because it has more stuff in it. I've given up talking to them after that... If they don't want to use anything with an Apache License 2.0, then it's really the problem of the OpenBSD team, and nothing for us to fix. cheers... -- Lars Eilebrecht l...@eilebrecht.net
Re: [VOTE] Formal deprecation of 1.3.x branch
Jeff Trawick wrote: I'd stay away from the word deprecate. In software, it means that at some point in the future the user must migrate to a new interface/feature; formal deprecation is usually announced at the beginning of the ability to transition. We're years past that for 1.3. Anybody really paying attention already knows the scoop. IMHO the correct term would be end of life. See http://en.wikipedia.org/wiki/End-of-life_(product) +1 on stopping to support 1.3.x and to issue a formal end-of-life notification as part of a final 1.3 release. Further, I'd suggest to issue an end-of-live notification for httpd 2.0.x with a date 6-12 month in the future. cheers... -- Lars Eilebrecht l...@eilebrecht.net
Re: Does Apache has similar module like Lighttpd's mod_compress ?
Dong Wang wrote: but mod_compress can cache the compressed file, not only the original file. the mod_cache can only cache the original file, isn't it? If you combine mod_deflate with mod_cache/mod_cache_disk the compressed files will be cached. ciao... -- Lars Eilebrecht l...@eilebrecht.net
Re: Obsolete modules in 2.3
Greg Stein wrote on 2009-11-11 23:33:35: Bah. If they want them, then they should not upgrade their server. Simple as that. Or just use the 2.2 modules with 2.4. There may still be some legacy sites using mod_imagemap or mod_cern_meta, but in my opinion there is absolutely no reason to continue including the modules in the httpd package. +1 on removing mod_imagemap and mod_cern_meta. ciao... -- Lars Eilebrecht l...@apache.org
Re: intend to roll 2.3 alpha on Wednesday
Paul Querna wrote: I intend to roll a 2.3 alpha release on Wednesday November 11th. +1 ciao... -- Lars Eilebrecht l...@eilebrecht.net
Re: vote on concept of ServerTokens Off
William A. Rowe, Jr. wrote: Except that in this case, between Lars offer to ignore his vote/veto, and the fact that he hasn't responded in 21 months (I also emailed him directly last week to ensure he made note of this thread), he apparently does not feel strongly enough to either confirm his veto, or confirm his willingness to be talked out of this veto. Jeff asked for explicit confirmation or retraction of this veto on Dec 6th 2006, and Lars had not responded, so it appears we can move ahead as this statement above appeared to be half-way retracted veto, and he's unwilling to comment further to either agree with Jim, or explicitly vote -0/distasteful. My apologies for not responding earlier, but I was busy moving from Munich to London last week ... As far as I remember, Mads Toftum also voted with a -1. My -1 hasn't changed as I still feel very strongly about this for reasons already discussed back in 2006 (and once in 2004 or 2005 when the same discussion came up). Given two -1s and many people voting -0 I'm wondering why we are still discussing this topic? P.S.: I'm not sure what you mean with hasn't responded in 21 months? I voted in 2006 on this topic and then you picked up this thread last week? cheers... -- Lars Eilebrecht l...@apache.org
Re: Main httpd web site page: update needed for 2.2.13
Rainer Jung wrote: I noticed there was still a 2.2.12 in a section heading of the httpd landing page. I updated in svn: BTW, the download page actually talks about the release of 2.2.18. ciao... -- Lars Eilebrecht l...@eilebrecht.net
Re: Intent to TR 2.2.12
Nick Kew wrote on 2009-07-19 00:04:59: Just been reviewing it with the testcase Bob found. I'm not able to reproduce the problem on this platform because Sun CC sets the non-matches to 0, so it all works. But the problem is clear. This throws up a non-serious problem with the patch: testing for 0. Wouldn't a better test be rm_eo == rm_so, meaning null match? I think you are right. The tests for 0 are part of the original code so I was just keeping them but testing for re-have_match first. Patching trunk based on the above. Will propose for backport if noone disputes my amendment to the patch. I've seen you added both tests in your patch so we are good anyway. +1 (and thanks for getting this fixed in trunk, I didn't had the time to look at this over the weekend). cheers... -- Lars Eilebrecht l...@eilebrecht.net
Re: Intent to TR 2.2.12
Jim Jagielski wrote:
Over the weekend I'll be doing some final things with the intent
to tag and roll 2.2.12 on Monday...
I just realized that I still have one patch for 2.2.12 which fixes an
SSI-related bug causing a segfault when handling regex back-references
(see attachment).
I didn't propose it yet for inclusion in 2.2.12 as I didn't had the
chance to fix this in trunk yet. The code/api in trunk changed
and I don't know if this bug actually exists in trunk.
I don't know if I will have the time to do this over the weekend.
ciao...
--
Lars Eilebrecht
l...@eilebrecht.net
--- mod_include.c.orig 2008-12-17 14:27:41.0 +
+++ mod_include.c 2009-02-27 15:39:22.0 +
@@ -158,6 +158,7 @@
const char *rexp;
apr_size_t nsub;
ap_regmatch_t match[AP_MAX_REG_MATCH];
+int have_match;
} backref_t;
typedef struct {
@@ -664,6 +665,11 @@
return NULL;
}
else {
+if (!re-have_match ||
+ re-match[idx].rm_so 0 || re-match[idx].rm_eo 0) {
+return NULL;
+}
+
if (re-nsub idx || idx = AP_MAX_REG_MATCH) {
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
regex capture $% APR_SIZE_T_FMT
@@ -672,10 +678,6 @@
return NULL;
}
-if (re-match[idx].rm_so 0 || re-match[idx].rm_eo 0) {
-return NULL;
-}
-
val = apr_pstrmemdup(ctx-dpool, re-source + re-match[idx].rm_so,
re-match[idx].rm_eo - re-match[idx].rm_so);
}
@@ -923,7 +925,6 @@
{
ap_regex_t *compiled;
backref_t *re = ctx-intern-re;
-int rc;
compiled = ap_pregcomp(ctx-dpool, rexp, AP_REG_EXTENDED);
if (!compiled) {
@@ -939,10 +940,11 @@
re-source = apr_pstrdup(ctx-pool, string);
re-rexp = apr_pstrdup(ctx-pool, rexp);
re-nsub = compiled-re_nsub;
-rc = !ap_regexec(compiled, string, AP_MAX_REG_MATCH, re-match, 0);
+re-have_match = !ap_regexec(compiled, string, AP_MAX_REG_MATCH,
+ re-match, 0);
ap_pregfree(ctx-dpool, compiled);
-return rc;
+return re-have_match;
}
static int get_ptoken(include_ctx_t *ctx, const char **parse, token_t *token, token_t *previous)
Re: load balancing with Apache for Tomcat workers
h iroshan wrote on 2009-04-09 23:59:42: I want to configure mod_proxy_balancer to distribute load among two back end Tomcat workers. How can I find more information relevant to this. You should ask this question on the user mailing list for Tomcat or httpd, and on the developer list. However, the following pages should have all information you need for doing this: http://httpd.apache.org/docs/2.2/mod/mod_proxy.html http://httpd.apache.org/docs/2.2/mod/mod_proxy_balancer.html ciao... -- Lars Eilebrecht l...@eilebrecht.net
Re: 2.2.11 mod_include
Torsten Foertsch wrote: [mod_include DATE_LOCAL bug] Is this a known bug? It's probably this one: https://issues.apache.org/bugzilla/show_bug.cgi?id=39369 ciao... -- Lars Eilebrecht l...@eilebrecht.net
Re: Modularity of Apache 2.2.11
Haroon Taheri wrote on 2009-03-14 17:19:11: To validate the Apache software architecture with the DSM which LDM created, I need someone who can explain me the structure and design of Apache in respect of modules. Can someone help me? Or has someone resources which I could consult? Take a look at this http://www.fmc-modeling.org/projects/apache ciao... -- Lars Eilebrecht l...@apache.org
Re: regex-related segfault in mod_include
Ruediger Pluem wrote: What are the values of idx re-match[idx].rm_so re-match[idx].rm_eo re-source and what is the string re-source is pointing to when the crash happens? idx is 1 and re-source points to an empty string which is fine. However, re-match[idx].rm_so and re-match[idx].rm_eo are random numbers, i.e., a garbage value (I guess they should be 0 if there was no match?). Thus the argument re-source + re-match[idx].rm_so ends up pointing to an out of band location (and a memcpy() for that location results in the segfault). I just don't really get why this happens in some cases (like 1 out of 10 requests). BTW, I can reproduce this on Solaris and Linux (worker and prefork) with 2.2.11. With 2.0 this works fine. ciao... -- Lars Eilebrecht l...@eilebrecht.net
Re: regex-related segfault in mod_include
Plüm, Rüdiger, VF-Group wrote: However, re-match[idx].rm_so and re-match[idx].rm_eo are random numbers, i.e., a garbage value (I guess they should be 0 if there was no match?). IMHO they should be -1. Right, that actually makes more sense ... We use different PCRE versions in both (and maybe mod_include changed too). I suspect that if ap_regexec in re_check does not detect a match re-match[idx].rm_so is not setup correctly (maybe this changed between the different PCRE versions) and as we do not check in get_include_var if we had a match at all we fall over. So we should either memorize in the re struct if we matched or not by an additional flag, so something like (untested) OK, nice ... I was trying to figure out if such a flag/value exists in ap_regmatch_t, but that didn't got me very far as re-match is basically pointing to garbage data. So initializing that actually prevents the segfault as it hits the if statement for re-match[idx].rm_so 0 (I did a quick test with your second patch). However, for performance reasons I think fixing this with an additional flag would be the best. I'll do some more testing and will come up with a final patch for this. Thanks Ruediger, that was very helpful. :) cheers... -- Lars Eilebrecht l...@eilebrecht.net
regex-related segfault in mod_include
Hi,
the following SSI statements triggers a segfault when QUERY_STRING
is empty (tested with 2.2.11):
!--#if expr=$QUERY_STRING = /foobar=([0-9]+)$/ --
!--#set var=foobar value=$1 --
!--#else --
!--#set var=foobar value=$1 --
!--#endif --
I tracked this down to get_include_var() in mod_include.c:
--snip--
static const char *get_include_var(const char *var, include_ctx_t *ctx)
{
const char *val;
request_rec *r = ctx-intern-r;
if (apr_isdigit(*var) !var[1]) {
apr_size_t idx = *var - '0';
backref_t *re = ctx-intern-re;
/* Handle $0 .. $9 from the last regex evaluated.
* The choice of returning NULL strings on not-found,
* v.s. empty strings on an empty match is deliberate.
*/
if (!re) {
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
regex capture $% APR_SIZE_T_FMT refers to no regex in %s,
idx, r-filename);
return NULL;
}
else {
if (re-nsub idx || idx = AP_MAX_REG_MATCH) {
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
regex capture $% APR_SIZE_T_FMT
is out of range (last regex was: '%s') in
%s,
idx, re-rexp, r-filename);
return NULL;
}
if (re-match[idx].rm_so 0 || re-match[idx].rm_eo 0) {
return NULL;
}
val = apr_pstrmemdup(ctx-dpool, re-source + re-match[idx].rm_so,
re-match[idx].rm_eo - re-match[idx].rm_so);
}
}
else {
val = apr_table_get(r-subprocess_env, var);
if (val == LAZY_VALUE) {
val = add_include_vars_lazy(r, var);
}
}
return val;
}
--snip--
The segfault happens with apr_pstrmemdup(), because
re-source + re-match[idx].rm_so ends up being out of bounds.
So despite the regex not matching, ctx-intern-re is actually
not NULL, but I can't seem to figure out why this is the case.
Anyone any idea?
ciao...
--
Lars Eilebrecht
l...@eilebrecht.net
Re: use of APR_SENDFILE_ENABLED in mod_disk_cache
Issac Goldstand wrote: We could just add a note to the mod_disk_cache configuration that EnableSendfile will only be taken into account when configured globally for the server or vhost. IMHO that's good enough for such a special case. I would like to avoid a dedicated sendfile directive just for mod_disk_cache. ciao... +1 Oh, looks like you reported the same bug like 2 years ago, but it wasn't fixed in trunk as you mentioned in the PR. ciao... -- Lars Eilebrecht l...@eilebrecht.net
Re: CacheIgnoreHeaders not working correctly
Ruediger Pluem wrote:
http://svn.apache.org/viewvc?view=revrevision=649162
http://svn.apache.org/viewvc?view=revrevision=649791
Hmm ... I'm not sure I understand the logic in this one:
CACHE_DECLARE(apr_table_t *)ap_cache_cacheable_headers_out(request_rec * r)
{
apr_table_t *headers_out;
headers_out = apr_table_overlay(r-pool, r-headers_out,
r-err_headers_out);
apr_table_clear(r-err_headers_out);
headers_out = ap_cache_cacheable_headers(r-pool, r-headers_out,
r-server);
if (!apr_table_get(headers_out, Content-Type)
r-content_type) {
apr_table_setn(headers_out, Content-Type,
ap_make_content_type(r, r-content_type));
}
return headers_out;
}
It merges r-headers_out and r-err_headers_out into headers_out,
then clears r-err_headers_out (?), and then ap_cache_cacheable_headers()
gets called with r-headers_out instead of headers_out?
ciao...
--
Lars Eilebrecht
l...@eilebrecht.net
Re: CacheIgnoreHeaders not working correctly
Lars Eilebrecht wrote:
[...]
So it copies r-headers_out to the local headers_out variable, and
removes all unwanted headers. However, then r-err_headers_out
gets merged into headers_out which is then stored in the cache.
Is there a reason why this is done? This could lead to quite a
number of headers being stored in the cache such as Set-Cookie.
Which happens in my case as the custom module operates on
r-err_headers_out.
So a potential fix would be to merge r-headers_out and
r-err_headers_out into the local headers_out variable, then
filter the unwanted headers, and store the result.
This seems to work, but maybe I'm missing something.
Anyone any comments about this patch?
It fixes the issue, but I'm not 100% if I may be missing something
regarding the handling of err_headers_out in mod_disk_cache.
--snip--
--- mod_disk_cache.c.orig 2009-02-10 11:08:41.0 +
+++ mod_disk_cache.c2009-02-10 10:47:48.0 +
@@ -912,7 +912,9 @@
if (r-headers_out) {
apr_table_t *headers_out;
-headers_out = ap_cache_cacheable_hdrs_out(r-pool, r-headers_out,
+headers_out = apr_table_overlay(r-pool, r-headers_out,
+r-err_headers_out);
+headers_out = ap_cache_cacheable_hdrs_out(r-pool, headers_out,
r-server);
if (!apr_table_get(headers_out, Content-Type)
@@ -921,8 +923,6 @@
ap_make_content_type(r, r-content_type));
}
-headers_out = apr_table_overlay(r-pool, headers_out,
-r-err_headers_out);
rv = store_table(dobj-hfd, headers_out);
if (rv != APR_SUCCESS) {
return rv;
--snip--
ciao...
--
Lars Eilebrecht
l...@eilebrecht.net
CacheIgnoreHeaders not working correctly
Hi, I have a question about the header handling logic of mod_cache/mod_disk_cache. With an installation running mod_disk_cache and a custom module which fiddles with Cookie and Set-Cookie headers I am running into the problem that mod_disk_cache was storing Set-Cookie headers in the cache. It is ignoring the CacheIgnoreHeaders Set-Cookie. In mod_disk_cache's store_header() function we have this code: apr_table_t *headers_out; headers_out = ap_cache_cacheable_hdrs_out(r-pool, r-headers_out, r-server); [...] headers_out = apr_table_overlay(r-pool, headers_out, r-err_headers_out); rv = store_table(dobj-hfd, headers_out); So it copies r-headers_out to the local headers_out variable, and removes all unwanted headers. However, then r-err_headers_out gets merged into headers_out which is then stored in the cache. Is there a reason why this is done? This could lead to quite a number of headers being stored in the cache such as Set-Cookie. Which happens in my case as the custom module operates on r-err_headers_out. So a potential fix would be to merge r-headers_out and r-err_headers_out into the local headers_out variable, then filter the unwanted headers, and store the result. This seems to work, but maybe I'm missing something. ciao... -- Lars Eilebrecht l...@eilebrecht.net
Re: Documentation request for review
Vincent Deffontaines wrote on 2009-02-08 13:20:23: While reviewing Lucien's french translation for the trunk performance tuning guide (misc/perf-tuning.xml), it has come to my understanding that this document contains extremely old, and probably outdated, information. Yes, this page is really *really* outdated. IMHO we should consider removing it or at least adding a note that the stuff is outdated. ciao... -- Lars Eilebrecht l...@eilebrecht.net
Re: use of APR_SENDFILE_ENABLED in mod_disk_cache
Ruediger Pluem wrote on 2009-02-07 22:03:38: IMHO this is correct. The problem is that we do not know at this point of time how EnableSendFile is set. We are in the quick handler and have not done any directory walks (and in fact if the cached entry is good we never will). So the only option I see here is to add another directive for mod_disk_cache to determine what should be done. Well, but if EnableSendfile is configured in the main config or vhost we get the setting by looking at the core_module config. Of course you are right that this doesn't work when it is defined inside a Location or Directory section. We could just add a note to the mod_disk_cache configuration that EnableSendfile will only be taken into account when configured globally for the server or vhost. IMHO that's good enough for such a special case. I would like to avoid a dedicated sendfile directive just for mod_disk_cache. ciao... -- Lars Eilebrecht l...@eilebrecht.net
Re: use of APR_SENDFILE_ENABLED in mod_disk_cache
Ruediger Pluem wrote on 2009-02-08 22:36:47:
Well, but if EnableSendfile is configured in the main config
or vhost we get the setting by looking at the core_module config.
Of course you are right that this doesn't work when it is defined
inside a Location or Directory section.
Well I am not sure if the core_dir_config structure is already setup
during the quick handler phase (even for settings done on VHOST
level).
Yes, it is. The following seems to work fine:
Index: mod_disk_cache.c
===
--- mod_disk_cache.c(revision 742187)
+++ mod_disk_cache.c(working copy)
@@ -471,7 +471,10 @@
/* Open the data file */
flags = APR_READ|APR_BINARY;
#ifdef APR_SENDFILE_ENABLED
-flags |= APR_SENDFILE_ENABLED;
+core_dir_config *coreconf = ap_get_module_config(r-per_dir_config,
+ core_module);
+flags |= ((coreconf-enable_sendfile == ENABLE_SENDFILE_OFF)
+ ? 0 : APR_SENDFILE_ENABLED);
#endif
rc = apr_file_open(dobj-fd, dobj-datafile, flags, 0, r-pool);
if (rc != APR_SUCCESS) {
Unless this gets a -1 from anyone I'll commit this to trunk
together with an appropriate note in the documentation.
ciao...
--
Lars Eilebrecht
l...@eilebrecht.net
use of APR_SENDFILE_ENABLED in mod_disk_cache
Hi, mod_disk_cache uses the following in open_entity(): #ifdef APR_SENDFILE_ENABLED flags |= APR_SENDFILE_ENABLED; #endif rc = apr_file_open(dobj-fd, dobj-datafile, flags, 0, r-pool); Maybe I'm getting confused with the various APR_SENDFILE defines, but shouldn't we be checking for the setting of the EnableSendFile directive as well? If httpd was build on a platform providing sendfile support then I guess APR_SENDFILE_ENABLED is set and we would always be using sendfile when serving files from the cache, regardless of the setting of the EnableSendFile directive. ciao... -- Lars Eilebrecht l...@eilebrecht.net
FYI: updated security report page
Hi, FYI: I've updated the security_reports.html page to refer to the central http://www.apache.org/security/ page instead of pointing people to the security email address directly. ciao... -- Lars Eilebrecht l...@apache.org
Re: accept mod_fcgid codebase into httpd project
William A. Rowe, Jr. wrote: Based on the enthusiasm of the module authors to adopt the AL and offer the mod_fcgid code to the httpd community, please vote +/-1 [ ] Accept mod_fcgid into httpd +1 ciao... -- Lars Eilebrecht l...@eilebrecht.net
Unexpected behavior of FilesMatch
Hi, I came across a strange/unexpected behavior of FilesMatch. Example config to reproduce the issue: Directory /usr/local/apache2/htdocs/test Order Deny,Allow Deny from all FilesMatch bar$ Allow from all /FilesMatch /Directory - requesting /test/blah returns a forbidden error, which is OK - requesting /test/foo.bar returns the file if it exists, which is OK - requesting /test/is/here/foo.bar returns the file if it exists, which is OK - requesting /test/not/here/foo.bar (with the directory not not existing) returns a forbidden error instead of a 404 error. In this case Apache walks up to /usr/local/apache2/htdocs/test and then uses not as the basename and matches the regex from FilesMatch against this. So using 'FilesMatch not$' would actually match and a 404 error is returned. FilesMatch is more about matching against actual files and not virtual URL paths, but I find it strange that not instead of foo.bar is used as the basename for the regex match. In most cases it probably doesn't matter if you get a 404 or a forbidden error, but once you start doing RewriteRule stuff the above can lead to unexpected results. Add the following RewriteRules to the directory section: RewriteRule ^/test/is/here/foo.bar$ /foo.bar [L] RewriteRule ^/test/not/here/foo.bar$ /foo.bar [L] - requesting /test/is/here/foo.bar redirects and returns the file /foo.bar - requesting /test/not/here/foo.bar redirects internally, but then returns a forbidden error. In this case Apache first matches the basename not *and* the basename foo.bar again the FilesMatch regex which fails ... Using 'FilesMatch (not|bar)$' would actually work in this case, but is not really something I would have expected. Tested with 2.0.63 and 2.2.11. ciao... -- Lars Eilebrecht l...@eilebrecht.net
Re: [VOTE] Release Apache HTTP server 2.2.11
Ruediger Pluem wrote: Test tarballs for Apache httpd 2.2.11 are available at: http://httpd.apache.org/dev/dist/ Your votes please; +/-1 [ ] Release httpd-2.2.11 as GA +1, tested on Ubuntu 8 (kernel 2.6.24). ciao... -- Lars Eilebrecht l...@apache.org
Re: mod_cern_meta, mod_imagemap
Paul Querna wrote: delete them. +1 you could say, let it die. but i prefer, help it die. I'm really happy to help in this case. :) ciao... -- Lars Eilebrecht [EMAIL PROTECTED]
Re: strange usage pattern for child processes
Ruediger Pluem wrote: This is a pity, because then it will become much harder to debug this issue. Any chance you get shell access or that you can instruct the administrators in the service company to get the needed information for you? Getting shell access is very unlikely ... However, initial tests using mod_disk_cache have been very good. The performance of mod_mem_cache compared to mod_disk_cache is just very bad ... It seems the main issue is/was that under high load the child process(es) of Apache just starve while trying to read something from the mem cache or to write something to it. But well, without access to the box I couldn't really dig into what exactly is happening in such a case. Ok. MaxSpareThreads is set to 75 with ThreadsPerChild 256. This means that StartServers 3 is pointless because after starting *one* process we already have way too much spare threads *overall*. So the other 2 processes will get killed immediately :-). Yes you are right, I missed that MaxSpareThreads applies to all child processes. But I didn't wrote the config. ;-) However, I still find it a bit odd that we actually use only a single process and only start using threads of another child process once all threads of the other process are busy. Wouldn't it make more sense to keep spare threads in all child processes instead of just one? Especially if the config has low MaxRequestsPerChild limit. Or am I missing something? ciao... -- Lars Eilebrecht [EMAIL PROTECTED]
Re: strange usage pattern for child processes
Ruediger Pluem wrote: Is it really a good idea to use mod_mem_cache? Keep in mind that mod_mem_cache uses local caches per process and cannot use sendfile to send cached data. It seems that mod_disk_cache with a cache root on a ram disk could be more efficient here. No, it really isn't a good idea, and it wasn't my idea. ;-) I just started working at that company, and the frontend servers are even managed by another service company so I don't even have shell access to the servers. But I'm pushing for a switch to mod_disk_cache. The first odd thing is that I would have expected that Apache uses all child processes about equally. Especially I would have expected that there are at least 25 threads for the second process in state _ (waiting for connection), because the MinSpareThread directive is set to 25. This is indeed strange. Mind to 1. Attach an ASCII-output of the whole status page to see the exact process / thread slot usage. 2. Your MPM configuration and your reverse proxy configuration. Here's the mpm config: MaxMemFree 1024 ThreadLimit 256 ServerLimit 3 StartServers3 MaxClients 768 MinSpareThreads 25 MaxSpareThreads 75 ThreadsPerChild 256 MaxRequestsPerChild 200 ciao... -- Lars Eilebrecht [EMAIL PROTECTED]
Re: [PROPOSAL] Time Based Releases
According to Paul: My proposal is for every 2 months, we do a release of the main stable branch, which at this time is 2.2.x. +1 on the concept, but in my opinion 2 month is too short. 3-4 month would be better. ciao... -- Lars Eilebrecht [EMAIL PROTECTED]
Re: Huge httpd-process
Marten Lehmann wrote: We are currently using httpd-2.2.4. Hoe comes, that httpd processes can get that huge? Martin, may I recommend that you send such support questions to one of the our user mailing lists instead of the developer list. http://httpd.apache.org/userslist.html (English) http://httpd.apache.org/usersdelist.html (German) Best Regards -- Lars Eilebrecht [EMAIL PROTECTED]
FYI: Best of Open Source in Platforms Award by Infoworld
FYI: this info came in via the press mailing list ... http://www.infoworld.com/slideshow/2007/09/114-best_of_open_so-5.html ciao... -- Lars Eilebrecht [EMAIL PROTECTED]
Re: default content type
According to Roy: For standards conformance, I am going to start removing the default content type settings from trunk tomorrow. http://issues.apache.org/bugzilla/show_bug.cgi?id=13986 If you have any problems with that, let them be known here. +1 ciao... -- Lars Eilebrecht [EMAIL PROTECTED]
Re: vote on concept of ServerTokens Off
According to Jeff: A lot of opinions were offered back in August. Some were negative but I don't see anything that looks like a veto. I voted -1 at that time which is a veto. My opinion hasn't changed and I still think that it is a very stupid idea to add a feature that allows our users to do something which is stupid and absurd. *shrug* but as everyone seems to think that this is a good idea, feel free to ignore my veto. ciao... -- Lars Eilebrecht [EMAIL PROTECTED]
Re: vote on concept of ServerTokens Off
According to Mads: On Wed, Dec 06, 2006 at 01:30:26PM +0100, Lars Eilebrecht wrote: I voted -1 at that time which is a veto. My opinion hasn't changed and I still think that it is a very stupid idea to add a feature that allows our users to do something which is stupid and absurd. I agree. So, is that a -1 or -0? ciao... -- Lars Eilebrecht [EMAIL PROTECTED]
Re: [PATCH 40026] ServerTokens Off
According to Sebastian Nohn: I personally think, ego is a bad reason for constricting people. This has nothing to do with ego. In my opinion it is more than appropriate to put a label in the form of the Server header onto the Apache HTTP Server. For example, if I buy a car I can usually order it without the exact type information/logos added to the car, but I just cannot order it without any logo of the manufacturer itself. For offering such an option with Apache I've only seen two arguments: 1. Making the server more secure by not revealing any (or fake) server information. 2. Saving bandwidth. Well, when we've had similar discussions in the past they were usually about argument No. 1, but the consensus was always that a security-by-obscurity feature in Apache does not make sense. Saving bandwidth is a valid point, but as I already pointed out in my previous email, it is only relevant to a very very tiny fraction of Apache users. Those users who run a high-traffic web site usually use self-compiled, or customized versions of Apache anyway, and for them it's easy to modify the code themselves to get rid of the Server header. Apart from that, it's also possible to customize the Server header by using mod_security which has a configuration directive for this. ciao... -- Lars Eilebrecht [EMAIL PROTECTED]
Re: [PATCH 40026] ServerTokens Off
According to William: My 2c, let's adopt the patch for three reasons... 1. it's an FAQ that would -go away-, less stress for our peer apache user supporters Is it really an FAQ? Hmm ... the last time it was discussed on the dev list was more than 2.5 years ago. Apart from that, I don't think that it would go away entirely, because I assume (based on the questions I've seen) that many people actually ask about how to change the Server header (and not just about disabling it). ciao... -- Lars Eilebrecht- Reality corrupts. [EMAIL PROTECTED] - Absolute reality corrupts absolutely.
Re: Handing off the O'Reilly copublishing thread.
According to Ben: Jim and I have been tag teaming the idea of doing something jointly with O'Reilly, for example copublishing the HTTP doc set, BTW, as you may remember, a German translation of the HTTP Server documentation got published last year by MITP. http://www.mitp.de/vmi/mitp/detail/pWert/1393 ciao... -- Lars Eilebrecht - Out of coffee--error. Programmer halted. [EMAIL PROTECTED]
Re: Discontinue current-testers v.s. stable-testers?
According to William: Would like to consolidate the two lists into [EMAIL PROTECTED] Votes please? I'm calling this issue 12 hours from now. +1 ciao... -- Lars Eilebrecht - Great spirits have always encountered violent [EMAIL PROTECTED] - opposition from mediocre. (Albert Einstein)
Re: Reverse Proxies, REMOTE_ADDR spoofing patch
According to Andy: I've patched 1.3.33 to provide a new boolean directive ProxyFakeRemoteAddr which, when enabled, plucks the value of any X-Forwarded-For header and populates REMOTE_ADDR with it. It also supresses any attempt to set REMOTE_HOST. -1 for adding this to 1.3 (IIRC, we once decided to not add any new features to 1.3). -0 for adding this to 2.x ciao... -- Lars Eilebrecht - Reality does not exist ... yet. [EMAIL PROTECTED]
Re: buffer overflow in mod_proxy in 1.3.31?
According to David: It was reported in cnet news a month or two ago, and my SOX security guys at work have been bugging me about it... I need to tell them either it's a false alarm or it will be fixed soon. A patch is available since June at http://www.apache.org/dist/httpd/patches/apply_to_1.3.31/ ciao... -- Lars Eilebrecht - Ever notice how fast Windows runs? [EMAIL PROTECTED] - Neither did I.
Re: I'd like to make some contributions
According to Jeffrey: What is the correct way to start to move forward with this? Details how code patches should be submitted are described at http://httpd.apache.org/dev/patches.html ciao... -- Lars Eilebrecht - I don't know, I don't care, [EMAIL PROTECTED]- and it doesn't make any difference.
Re: ReplaceModule directive!?
According to Gerardo Reynaga: Is there a way to pass directives to httpd once the server is running? How about using a graceful restart? Would that be feasible in your case? ciao... -- Lars Eilebrecht - Too clever is dumb. (Ogden Nash) [EMAIL PROTECTED]
Re: Proposal: Allow ServerTokens to specify Server header completely
According to Jim Jagielski: I'd like to get some sort of feedback concerning the idea of having ServerTokens not only adjust what Apache sends in the Server header, but also allow the directive to fully set that info. I tend to be -1 on this for the following reasons: - It's only security by obscurity and providing such a security feature may be misleading for our users. - We don't want people to obfuscate the server name, do we? If people really want to change it they can always do that at compile time, but we should not encourage it by providing a configuration directive for it. ciao... -- Lars Eilebrecht- Don't use no double negatives, not never. [EMAIL PROTECTED]
Re: Proposal: Allow ServerTokens to specify Server header completely
According to Ivan Ristic: I recently changed the signature of the Apache running on modsecurity.org (to pretend to be IIS5). As a result, I've started getting more IIS-related attacks than before. So, the signature does matter. I'm getting IIS-related attacks on my servers even without confguring an ISS server header. If everyone starts changing the server header to some funny name or to remove it completely, newer exploit tools won't bother to check it at all, but just try to exploit the server. ciao... -- Lars Eilebrecht - Quoting one is plagiarism. [EMAIL PROTECTED] - Quoting many is research.
Re: Proposal: Allow ServerTokens to specify Server header completely
According to Jim Jagielski: I didn't propose this to create (yet another) heated discussion, too late ;) simply to suggest that we take ServerTokens to its logical conclusion based on some requests I've seen. :) Sorry, but I don't see this as the logical conclusion of the ServerTokens directive. Being able to manage what third-party modules put in the server header is one thing, but changing the header to an arbitrary think does not seem logical to me, nor is it a security feature. This reminds me of an admin complaining about a PHP-based application that produced wrong output ... after some debugging I found out that this was caused, because the admin tried to be smart and changed Apache's version number to 0.9.7. This resulted in some of the appplication's version dependant functions to fail. ciao... -- Lars Eilebrecht - Today is the last day [EMAIL PROTECTED] - of the past of your life.
Re: SPAM and CHANGES [was: the wheel of httpd-dev]
According to William A. Rowe, Jr.:
Here is a simple suggestion; does anyone mind if I run CHANGES in 1.3,
2.0 and 2.1 through the following filter?
perl -e while(stdin){s#([^ @]*)@([^ @]*)#$1 $2#g;print $_;}
+1
ciao...
--
Lars Eilebrecht- Never put off until tomorrow what you can
[EMAIL PROTECTED] - do the day after tomorrow. (Mark Twain)
Re: Proposal: Remove mod_imap from default list
According to Rich Bowen: [Remove mod_imap and mod_asis from the default list] +1 ciao... -- Lars Eilebrecht- All the simple programs have been [EMAIL PROTECTED] - written, and all the good names taken.
Re: cvs commit: httpd-site/docs/info apache_books.html
According to André Malo: * [EMAIL PROTECTED] wrote: replacing with amp; in an URL is not a good idea. sorry, but it is. Not using amp; is wrong. See: http://www.w3.org/TR/html401/appendix/notes.html#h-B.2.2 Err ... but the links don't work then. (?) ciao.. -- Lars Eilebrecht - The steady state of disks is full. [EMAIL PROTECTED] (Ken Thompson)
Re: cvs commit: httpd-site/docs/info apache_books.html
According to André Malo: Conclusion: in URLs (in HTML, i.e. within the href attribute) should always be encoded as amp;, otherwise the browsers may fail Ok, you're right ... I tested the URLs by pasting them directly into the browser which failed, so I thought it is wrong. I've reverted my patch. ciao... -- Lars Eilebrecht - Quoting one is plagiarism. [EMAIL PROTECTED] - Quoting many is research.
Re: what language is .tw?
According to André Malo: from the current httpd-std.conf.in: AddLanguage tw .tw AddLanguage zh-tw .tw what is here intended? Uhm, well, about 5-6 month ago we had a discussion about the index.html.tw.big5 and .tw files. The result was that we removed the big5 variant and changed .tw to .zh. Looks like we forgot to make appropriate changes to the default config. Well, actually I made those changes, but forgot about httpd.conf. ciao... -- Lars Eilebrecht [EMAIL PROTECTED]
RE: book about apache 2?
According to Werner Schalk: for the german speaking people: According to the website addison-wesley.de there will be a german (sorry!) book at the end of this month. Other books are listed at http://httpd.apache.org/info/apache_books.html ciao... -- Lars Eilebrecht - No maintenance: Impossible to fix. [EMAIL PROTECTED]
Re: Port 80 vs 8080 when not SU.
According to Ravindra Jaju: How about an extra echo: if [ x`$aux/getuid.sh` != x0 -a x$port = x ]; then conf_port=8080 echo Non-root process. Server will run on port $conf_port fi +1 ciao... -- Lars Eilebrecht [EMAIL PROTECTED]
Re: Email addresses in changes file
According to [EMAIL PROTECTED]: Anyone think it is a good idea if I did a s/@/_at_/g on the email addresses in the Changes file ? Won't help that much ... -0. ciao... -- Lars Eilebrecht- All the simple programs have been [EMAIL PROTECTED] - written, and all the good names taken.
Re: problems
According to Murali K. Vemuri: i wanna add a perl script handler for the apache and i could not understand from the help files. This is a developer mailing list. Please ask your questions on the users mailing list. http://httpd.apache.org/userslist.html ciao... -- Lars Eilebrecht - Some Windows were made to be broken. [EMAIL PROTECTED]
Re: the it worked page
According to Cliff Woolley: Can we get rid of the It worked! page? Please? I'm getting sick of confused people sending us email saying their server has been hijacked. I'd like to keep it, because it is IMHO very useful for most people. And we've put a lot of effort into the translations. ciao... -- Lars Eilebrecht - Home is where the computer is plugged in. [EMAIL PROTECTED]
Re: CGI configuration
According to Dwayne Miller: BTW, if this is the wrong list, please direct me to the proper one. http://httpd.apache.org/userslist.html ciao... -- Lars Eilebrecht- Disc space... the final frontier! [EMAIL PROTECTED]
Re: Modules.apache.org development mailing list!
According to Sander van Zoest: It used to be at http://archive.covalent.net/ and was also reachable via http://mail-archives.apache.org/ but this got lost in the downtime and office move. We should probably update the IP so mail-archives.apache.org works again. Although most people use MARC now these days anyways. I'd prefer to having an 'official' apache.org location for all our mail archives. ciao... -- Lars Eilebrecht - RFC 527: Beware the ARPANET, my son; [EMAIL PROTECTED] - The bits that byte, the heads that scratch;
Re: domain.com in htdocs?
According to Martin Kraemer:
I just noticed that domain.com and mydomain.com should not
appear in the docs: they have been registered:
We've just discussed similar cases on the docs list.
The correct solutions would be use example.{com|net|org}.
These domains are registered by IANA and are intended for use
in documentation and other examples.
ciao...
--
Lars Eilebrecht - I may not be totally perfect,
[EMAIL PROTECTED] - but parts of me are excellent.
Re: PROPOSAL: new directive for mod_proxy
According to Chuck Murcko: So what do you think? Hmm... I'm not sure. Can you give some examples where this directive will be useful? ciao... -- Lars Eilebrecht - The best way to predict the future is to invent it. [EMAIL PROTECTED] - Alan Kay
RE: UseCanonicalName considered harmful
According to Ryan Bloom: All we are saying, is if you don't specify a port (i.e. you don't want to use a special port), use the same port that the original request used. +1 ciao... -- Lars Eilebrecht - You might have mail. [EMAIL PROTECTED]
Re: versioning process
According to Roy T. Fielding: And, personally, I have always hated the stupid alpha/beta/GA distinction. Our release process became constipated on the day that was added. I tend to agree. And our users get (or area already) confused by this release process. ciao... -- Lars Eilebrecht- vuja de: The feeling that you've *never*, [EMAIL PROTECTED] - *ever* been in this situation before.
RE: [PATCH] SSL_* in suexec safe env list
According to Joshua Slive: I'm not sure why Ralf did it that way. It seems that HTTPS should simply be added to the safe list near the top of the file. The revised patch is below. +1 ciao... -- Lars Eilebrecht- Cyberspace: ...the most potent technology [EMAIL PROTECTED] for mind control... (Mark Pesce)
Re: mod_ldap for Apache 2.0
According to Ryan Bloom: Mod_ldap was in 2.0, but the group decided to remove it. The docs should be removed as well. Instead of losing the code and docs, a new httpd sub-project was created, and the docs should be moved there, the code has been there for a while already. The sub-project is cool, but are we going to include mod_auth_ldap and/or mod_ldap as a standard module in future 2.0 distributions (e.g. in modules/experimental)? ciao... -- Lars Eilebrecht - Real programmers don't need comments [EMAIL PROTECTED] - ...the code is obvious.
Re: lose the underscores! (was: Apache 2_0_31 is now rolled (take 2)
According to Greg Stein: Why can't we name our damned tarballs and resulting directories like all other packages out there? For example: httpd-2.0.31-alpha.tar.gz unpacks into: ./httpd-2.0.31-alpha/ +1! ciao... -- Lars Eilebrecht - Don't hate yourself in the morning [EMAIL PROTECTED]- ...sleep till noon.
Re: Simple (hopefully) new user question
According to Grayson Walker: I'm running the Apache under Windoze and have one domain I'm hosting. I've read the documentation on multiple dsns and wonder how many other Windoze users are hosting multiple dsns -- and with what results? and what's the easiest way to get the multiple dsns running? Thanks. [EMAIL PROTECTED] is a _developer_ mailing list and _not_ a support forum. Please see http://httpd.apache.org/userslist.html for information about our user discussion list. Regards... -- Lars Eilebrecht- To err is human, [EMAIL PROTECTED]- but I can *really* foul things up.
Re: cvs commit: httpd-2.0/docs/manual/mod mod_log_config.html
According to Ian Holsman: the other issue is the SetEnvIf can't match on mime-types (;)) and the way it is hooked in would require a seperate directive to do it as But is matching on mime-types really a required feature? IMHO most people are happy with the current conditional logging feature, e.g., matching on REQUEST_URI. I tend to be -1 on your patch Ian, because the directive is too specific. We either need a more generic one or just stick with the current (or an enhanced) conditional logging functionality. ciao... -- Lars Eilebrecht- ...just a roadkill on the [EMAIL PROTECTED] - information superhighway.
beos: RequestsPerThread vs. MaxRequestsPerThread
Hi, the RequestsPerThread logs the warning MaxRequestsPerThread was set below 0 if it is set to a negativ value (note the Max). The name MaxRequestsPerThread makes IMHO more sense for this directive, because it specifies the max value, like the MaxRequestsPerChild directive. If there are no objections I'll change the Name of the directive to MaxRequestsPerThread and update the docs and httpd.conf. ciao... -- Lars Eilebrecht - Unix is like Sex: If you don't know it, [EMAIL PROTECTED] - you don't miss is. But if you know it, - you'll need it.
RE: Logs and logs and logs [oh my!]
According to William A. Rowe, Jr.: Isn't it time to drop TransferLog and CookieLog? +1 ciao... -- Lars Eilebrecht - Just give me the coffee... [EMAIL PROTECTED] - and no one will get hurt.
Linux New Media Award for httpd
Hi guys, I almost forgot to send this email... About 10 days ago the Apache httpd server has won the Linux New Media Award in the category Best Server Software. We got 54% of all votes. Other nomiees included Samba (23%), OpenSSH (17%), phpGroupware (4%) and OpenLDAP (2%). The award ceremony took place at the Linuxpark at the Systems Expo in Munich. Martin Kraemer and I (who where running the ASF booth at the expo) where there to take the award on behalf of the ASF. More details (in german) at http://www.linux-community.de/Neues/story?storyid=2245 The award money (IIRC 3000,- DM) will be transfered to the ASF account. ciao... -- Lars Eilebrecht - Money is the root of all evil! [EMAIL PROTECTED] - Send 15$ for more info!
RE: Port of Apache 1.3.20 to AtheOS
According to Rodrigo Parra Novo: I'm sending the (rather simple) patch attached. It would be nice if someone from the Apache team could take a look at the patch, and tell me if anything is still missing. It would be also nice if (hopefully) this patch could be added to the current Apache 1.3 branch, on CVS. +1 ciao... -- Lars Eilebrecht - Facts are the enemy of truth. [EMAIL PROTECTED] (Don Quixote)
