Re: mod_fcgid POST broken if FcgiAuthorizer is run
Jeff Trawick wrote:

> Variation number three: As with your patch, it remembers to add the eos bucket to the brigade of data sent to the app. As with my earlier patch, it doesn't send the trailing FCGI_STDIN record.
>
> In the spec (http://www.fastcgi.com/devkit/doc/fcgi-spec.html#S6.3), there's no mention of FCGI_STDIN for an FCGI_AUTHORIZER. I double-checked that mod_fcgid.c strips any CONTENT_LENGTH when calling the authorizer, which the spec does call for.
>
> I won't be shocked if it still fails for you; in that case I think we need to try to understand exactly why the trailing FCGI_STDIN record is needed.

Our fastcgi code was expecting FCGI_STDIN. As you point out the spec does not need or allow FCGI_STDIN for an authorizer. I have fixed this bug in our fastcgi code. Now your original patch works for me now.

Barry
Re: mod_fcgid POST broken if FcgiAuthorizer is run
Jeff Trawick wrote:

> On Fri, Oct 9, 2009 at 3:30 PM, Jeff Trawick traw...@gmail.com wrote:
> ...
>
> Silly me. Chris's patch at http://people.apache.org/~chrisd/patches/mod_fcgid_auth/mod_fcgid-1auth-trunk.patch handles this, and it does send a trailing FCGI_STDIN record to an authorizer.
>
> Chris, AYT

I wonder if other fastcgi implementations made the same bad assumption about FCGI_STDIN always being sent as ours did.

FYI: The other change I made to our fastcgi was to parse out multiple values from FCGI_PARAMS records. mod_fastcgi sends one name-value pair in a FCGI_PARAMS record and sends as many FCGI_PARAMS records as it needs to send the environment, whereas mod_fcgid sends multiple name-value pairs in a single FCGI_PARAMS record.

Barry
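The two interoperability points raised in this message and in the earlier one about the spec, as an added example (not code from the thread, from mod_fcgid or from Barry's FastCGI library): an application-side reader that treats FCGI_PARAMS as one stream, so one pair per record and many pairs per record parse identically, and that treats an authorizer request as complete without any FCGI_STDIN. Record types, role numbers and the length encoding follow the FastCGI spec; the function names and sample values are invented for illustration, and a single request per connection is assumed.

```python
import struct

FCGI_BEGIN_REQUEST, FCGI_PARAMS, FCGI_STDIN = 1, 4, 5  # record types (FastCGI spec)
FCGI_RESPONDER, FCGI_AUTHORIZER = 1, 2                  # roles (FastCGI spec)

def read_length(buf, pos):  # 1 byte, or 4 bytes when the first byte's high bit is set
    width = 4 if buf[pos:pos + 1] >= b"\x80" else 1
    if pos + width > len(buf):
        raise ValueError("truncated length field")
    return int.from_bytes(buf[pos:pos + width], "big") & 0x7FFFFFFF, pos + width

def parse_params(stream):  # every name-value pair in the concatenated FCGI_PARAMS content
    env, pos = {}, 0
    while pos < len(stream):
        nlen, pos = read_length(stream, pos)
        vlen, pos = read_length(stream, pos)
        if pos + nlen + vlen > len(stream):  # lengths are peer-controlled
            raise ValueError("name-value pair overruns the stream")
        env[stream[pos:pos + nlen]] = stream[pos + nlen:pos + nlen + vlen]
        pos += nlen + vlen
    return env

def read_request(wire):  # returns (role, env) once the request is complete for its role
    role, params, params_done, stdin_done, pos = None, b"", False, False, 0
    while pos + 8 <= len(wire):
        _, rtype, _, clen, plen = struct.unpack_from("!BBHHBx", wire, pos)
        content, pos = wire[pos + 8:pos + 8 + clen], pos + 8 + clen + plen
        if rtype == FCGI_BEGIN_REQUEST:
            role = struct.unpack_from("!H", content)[0]
        elif rtype == FCGI_PARAMS:  # append: pairs may share or span records
            params, params_done = params + content, clen == 0
        elif rtype == FCGI_STDIN:
            stdin_done = clen == 0
        # Authorizer: done when FCGI_PARAMS ends. Responder: also needs empty FCGI_STDIN.
        if params_done and (role == FCGI_AUTHORIZER or stdin_done):
            return role, parse_params(params)
    raise ValueError("incomplete request")

# Constructed sample input (not captured traffic) and the helpers that build it.
def record(rtype, content):
    return struct.pack("!BBHHBx", 1, rtype, 1, len(content), 0) + content

def pair(name, value):
    enc = lambda n: bytes([n]) if n < 128 else (n | 1 << 31).to_bytes(4, "big")
    return enc(len(name)) + enc(len(value)) + name + value

BEGIN_AUTH = record(FCGI_BEGIN_REQUEST, struct.pack("!HB5x", FCGI_AUTHORIZER, 0))
PAIRS = [pair(b"REQUEST_METHOD", b"POST"), pair(b"REQUEST_URI", b"/player/" + b"a" * 200)]
ONE_PER_RECORD = BEGIN_AUTH + b"".join(record(FCGI_PARAMS, p) for p in PAIRS + [b""])
ALL_IN_ONE = BEGIN_AUTH + record(FCGI_PARAMS, b"".join(PAIRS)) + record(FCGI_PARAMS, b"")
```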
Re: mod_fcgid POST broken if FcgiAuthorizer is run
Jeff Trawick wrote:

> On Fri, Oct 9, 2009 at 1:26 PM, Barry Scott barry.sc...@onelan.co.uk wrote:
>
>> One test that needs doing is to have a Responder and an Authorizer running for the same request. I'll see if I can do that test for you next week with the pieces I have.
>
> Chris Darroch has a patch for that, which is a small part of http://people.apache.org/~chrisd/patches/mod_fcgid_auth/mod_fcgid-1auth-trunk.patch which applies to the old mod_fcgid 2.2 but which he has submitted here for inclusion. If you get stuck, look in there at some of the checks for role == responder, one or more of which are for the responder+authorizer-on-same-request issue.

I'll hold off on testing this until Chris' patches are available in trunk. (I don't need this to work today, but I will need it later in the year, I expect.)

Barry
Re: mod_fcgid POST broken if FcgiAuthorizer is run
On Mon, Oct 12, 2009 at 5:51 AM, Barry Scott barry.sc...@onelan.co.uk wrote:

> Jeff Trawick wrote:
>
>> On Fri, Oct 9, 2009 at 3:30 PM, Jeff Trawick traw...@gmail.com wrote:
>> ...
>>
>> Silly me. Chris's patch at http://people.apache.org/~chrisd/patches/mod_fcgid_auth/mod_fcgid-1auth-trunk.patch handles this, and it does send a trailing FCGI_STDIN record to an authorizer.
>>
>> Chris, AYT
>
> I wonder if other fastcgi implementations made the same bad assumption about FCGI_STDIN always being sent as ours did.
>
> FYI: The other change I made to our fastcgi was to parse out multiple values from FCGI_PARAMS records. mod_fastcgi sends one name-value pair in a FCGI_PARAMS record and sends as many FCGI_PARAMS records as it needs to send the environment, whereas mod_fcgid sends multiple name-value pairs in a single FCGI_PARAMS record.

Thanks for all the info. I'm inclined to commit what we think is proper for FCGI_STDIN on FCGI_AUTHORIZER and then see if it absolutely has to be adjusted later once other issues with FCGI_AUTHORIZER are cleared up and we see a variety of implementations being tested with it. (I'll go with patch 3, which adds the eos bucket to the brigade.)
mod_fcgid POST broken if FcgiAuthorizer is run
This has been filed as issue https://issues.apache.org/bugzilla/show_bug.cgi?id=47973

Further testing of our application has shown up a problem using mod_fcgid 2.3.4.

With the following configuration we are seeing the request body of POST messages get stripped out if FcgidAuthorizer is used for Location /player. If we comment out the Require onelan magic the POSTs work.

Looking at bridge_request we see the code is reading the input buckets and feeding them to the Authorizer.

It seems to us that: Either this must not happen if the fcgid is an authorizer or the buckets must be put back for whatever handles the POST to process.

Barry

...
LoadModule fcgid_module modules/mod_fcgid.so

FcgidCmdOptions /usr/local/onelan/html/dsmauthorizer.fcgi MaxProcesses 1
FcgidCmdOptions /usr/local/onelan/html/dsm.fcgi MaxProcesses 1
FcgidCmdOptions /usr/local/onelan/html/dsmxml.fcgi MaxProcesses 1

<VirtualHost *:80>
    #+ Rewrite Web API Rules
    RewriteEngine on
    # security - deny TRACE and TRACK requests
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]
    #- Rewrite Web API Rules

    #+ Rewrite Web API Rules
    # make the URLs hide the use of dsm.fcgi
    RewriteRule ^/$ /dsm.fcgi [L]
    RewriteRule ^/(status|options|organisation|tools|setup|help)($|.*$) /dsm.fcgi/$1$2 [L]
    #- Rewrite Web API Rules

    #+ Rewrite XML API Rules
    # make the URLs hide the use of dsmxml.fcgi
    RewriteRule ^/(XML)($|.*$) /dsmxml.fcgi/$1$2 [L]
    #- Rewrite XML API Rules

    #+ Rewrite VPN
    ReWriteMap ntb_ip_address prg:/usr/local/onelan/dsm/bin/vpn_lookup_ip_address
    RewriteRule ^/player/(\d+)\.(.*) http://${ntb_ip_address:$1}:8080/player/$1.$2 [P]
    #- Rewrite VPN

    #+ Locations Web VPN API
    <Location /player>
        #+ HTTP auth file
        Order allow,deny
        Allow from all
        AuthType Digest
        AuthName Manager System
        AuthGroupFile /etc/onelan/common/http.group
        AuthUserFile /etc/onelan/common/http.passwd
        Require onelan magic
        #- HTTP auth file
        FcgidAuthorizer /usr/local/onelan/html/dsmauthorizer.fcgi
    </Location>
</VirtualHost>
Re: mod_fcgid POST broken if FcgiAuthorizer is run
On Fri, Oct 9, 2009 at 12:04 PM, Barry Scott barry.sc...@onelan.co.uk wrote:

> This has been filed as issue https://issues.apache.org/bugzilla/show_bug.cgi?id=47973
>
> Further testing of our application has shown up a problem using mod_fcgid 2.3.4.
>
> With the following configuration we are seeing the request body of POST messages get stripped out if FcgidAuthorizer is used for Location /player. If we comment out the Require onelan magic the POSTs work.
>
> Looking at bridge_request we see the code is reading the input buckets and feeding them to the Authorizer.
>
> It seems to us that: Either this must not happen if the fcgid is an authorizer

right

> or the buckets must be put back for whatever handles the POST to process.
>
> Barry

See patch attached to the PR. Thanks!
Re: mod_fcgid POST broken if FcgiAuthorizer is run
Jeff Trawick wrote: On Fri, Oct 9, 2009 at 12:04 PM, Barry Scott barry.sc...@onelan.co.uk wrote: This has been filed as issue https://issues.apache.org/bugzilla/show_bug.cgi?id=47973 Further testing of our application has shown up a problem using mod_fcgid 2.3.4. With the following configuration we are seeing the request body of POST messages get stripped out if FcgidAuthorizer is used for Location /player. If we comment out the Require onelan magic the POSTs work. Looking at bridge_request we see the code is reading the input buckets and feeding then to the Authorizer. It seems to us that: Either this must not happen if the fcgid is an authorizer right or the buckets must be put back for whatever handles the POST to process. Barry See patch attached to the PR. Thanks! No joy I get internal server error. But the patch below works for my case. Note: I don't understand the details of HTTPD to know if this patch is going to cause problems in other use cases, or indeed is only working by luck. One test that needs doing is to have a Responder and an Authorizer running for the same request. I'll see if I can do that test for you next week with the pieces I have. Index: modules/fcgid/fcgid_bridge.c === --- modules/fcgid/fcgid_bridge.c(revision 823573) +++ modules/fcgid/fcgid_bridge.c(working copy) @@ -470,6 +470,8 @@ return HTTP_INTERNAL_SERVER_ERROR; } +if (role == FCGI_RESPONDER) { + /* Stdin header and body */ /* XXX HACK: I have to read all the request into memory before sending it to fastcgi application server, this prevents slow clients from @@ -624,6 +626,7 @@ apr_brigade_destroy(input_brigade); } while (!seen_eos); +} /* end handling request body for responders */ /* Append an empty body stdin header */ stdin_request_header = apr_bucket_alloc(sizeof(FCGI_Header),
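Review bot: In the second hunk the closing brace lands before the "Append an empty body stdin header" code, so an authorizer is spared the request body but is still sent the empty FCGI_STDIN record. The spec section cited elsewhere in this thread has no FCGI_STDIN for an FCGI_AUTHORIZER, so either move the brace below the terminator code or add a comment saying the terminator is kept on purpose for applications that wait for it. The hunks add only the `if` and `}` lines, so the guarded block is not re-indented and the new scope is easy to miss; re-indent it or mark both ends clearly.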
Re: mod_fcgid POST broken if FcgiAuthorizer is run
On Fri, Oct 9, 2009 at 1:26 PM, Barry Scott barry.sc...@onelan.co.uk wrote:

> Jeff Trawick wrote:
>
>> On Fri, Oct 9, 2009 at 12:04 PM, Barry Scott barry.sc...@onelan.co.uk wrote:
>>
>>> This has been filed as issue https://issues.apache.org/bugzilla/show_bug.cgi?id=47973
>>>
>>> Further testing of our application has shown up a problem using mod_fcgid 2.3.4.
>>>
>>> With the following configuration we are seeing the request body of POST messages get stripped out if FcgidAuthorizer is used for Location /player. If we comment out the Require onelan magic the POSTs work.
>>>
>>> Looking at bridge_request we see the code is reading the input buckets and feeding them to the Authorizer.
>>>
>>> It seems to us that: Either this must not happen if the fcgid is an authorizer
>>
>> right
>>
>>> or the buckets must be put back for whatever handles the POST to process.
>>>
>>> Barry
>>
>> See patch attached to the PR. Thanks!
>
> No joy I get internal server error. But the patch below works for my case.
>
> Note: I don't understand the details of HTTPD to know if this patch is going to cause problems in other use cases, or indeed is only working by luck.

I'll have a look; thanks!

> One test that needs doing is to have a Responder and an Authorizer running for the same request. I'll see if I can do that test for you next week with the pieces I have.

Chris Darroch has a patch for that, which is a small part of http://people.apache.org/~chrisd/patches/mod_fcgid_auth/mod_fcgid-1auth-trunk.patch which applies to the old mod_fcgid 2.2 but which he has submitted here for inclusion. If you get stuck, look in there at some of the checks for role == responder, one or more of which are for the responder+authorizer-on-same-request issue.
Re: mod_fcgid POST broken if FcgiAuthorizer is run
On Fri, Oct 9, 2009 at 1:26 PM, Barry Scott barry.sc...@onelan.co.uk wrote: Jeff Trawick wrote: On Fri, Oct 9, 2009 at 12:04 PM, Barry Scott barry.sc...@onelan.co.uk wrote: This has been filed as issue https://issues.apache.org/bugzilla/show_bug.cgi?id=47973 See patch attached to the PR. Thanks! No joy I get internal server error. But the patch below works for my case. ... Index: modules/fcgid/fcgid_bridge.c === --- modules/fcgid/fcgid_bridge.c (revision 823573) +++ modules/fcgid/fcgid_bridge.c (working copy) @@ -470,6 +470,8 @@ return HTTP_INTERNAL_SERVER_ERROR; } + if (role == FCGI_RESPONDER) { + /* Stdin header and body */ /* XXX HACK: I have to read all the request into memory before sending it to fastcgi application server, this prevents slow clients from @@ -624,6 +626,7 @@ apr_brigade_destroy(input_brigade); } while (!seen_eos); + } /* end handling request body for responders */ /* Append an empty body stdin header */ stdin_request_header = apr_bucket_alloc(sizeof(FCGI_Header), Variation number three: As with your patch, it remembers to add the eos bucket to the brigade of data sent to the app. As with my earlier patch, it doesn't send the trailing FCGI_STDIN record. In the spec (http://www.fastcgi.com/devkit/doc/fcgi-spec.html#S6.3), there's no mention of FCGI_STDIN for an FCGI_AUTHORIZER. I double-checked that mod_fcgid.c strips any CONTENT_LENGTH when calling the authorizer, which the spec does call for. I won't be shocked if it still fails for you; in that case I think we need to try to understand exactly why the trailing FCGI_STDIN record is needed. (FWIW, my authorizer is Perl using the FCGI module. The protocol implementation on the app side could explain the difference in our observations.) --- modules/fcgid/fcgid_bridge.c.orig 2009-10-09 12:09:12.032405619 -0400 +++ modules/fcgid/fcgid_bridge.c2009-10-09 15:12:25.838920760 -0400 
@@ -470,6 +470,8 @@ return HTTP_INTERNAL_SERVER_ERROR; } +if (role == FCGI_RESPONDER) { + /* Stdin header and body */ /* XXX HACK: I have to read all the request into memory before sending it to fastcgi application server, this prevents slow clients from @@ -640,6 +642,8 @@ } APR_BRIGADE_INSERT_TAIL(output_brigade, bucket_header); +} /* end handling request body for responders */ + /* The eos bucket now */ bucket_eos = apr_bucket_eos_create(r-connection-bucket_alloc); APR_BRIGADE_INSERT_TAIL(output_brigade, bucket_eos); -- Born in Roswell... married an alien...
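Review bot: The closing comment in the second hunk, "end handling request body for responders", understates what the guard covers: the brace sits after APR_BRIGADE_INSERT_TAIL(output_brigade, bucket_header), so the trailing empty FCGI_STDIN record is skipped along with the body. Say that in the comment, and note next to the `if` that the test is role == FCGI_RESPONDER, so every non-responder role loses both. An authorizer application that waits for the terminator will not see one, which is worth a line in the module documentation or the changelog.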
Re: mod_fcgid POST broken if FcgiAuthorizer is run
On Fri, Oct 9, 2009 at 3:30 PM, Jeff Trawick traw...@gmail.com wrote: On Fri, Oct 9, 2009 at 1:26 PM, Barry Scott barry.sc...@onelan.co.uk wrote: Jeff Trawick wrote: On Fri, Oct 9, 2009 at 12:04 PM, Barry Scott barry.sc...@onelan.co.uk wrote: This has been filed as issue https://issues.apache.org/bugzilla/show_bug.cgi?id=47973 See patch attached to the PR. Thanks! No joy I get internal server error. But the patch below works for my case. ... Index: modules/fcgid/fcgid_bridge.c === --- modules/fcgid/fcgid_bridge.c (revision 823573) +++ modules/fcgid/fcgid_bridge.c (working copy) @@ -470,6 +470,8 @@ return HTTP_INTERNAL_SERVER_ERROR; } + if (role == FCGI_RESPONDER) { + /* Stdin header and body */ /* XXX HACK: I have to read all the request into memory before sending it to fastcgi application server, this prevents slow clients from 
@@ -624,6 +626,7 @@ apr_brigade_destroy(input_brigade); } while (!seen_eos); + } /* end handling request body for responders */ /* Append an empty body stdin header */ stdin_request_header = apr_bucket_alloc(sizeof(FCGI_Header), Variation number three: As with your patch, it remembers to add the eos bucket to the brigade of data sent to the app. As with my earlier patch, it doesn't send the trailing FCGI_STDIN record. In the spec (http://www.fastcgi.com/devkit/doc/fcgi-spec.html#S6.3), there's no mention of FCGI_STDIN for an FCGI_AUTHORIZER. I double-checked that mod_fcgid.c strips any CONTENT_LENGTH when calling the authorizer, which the spec does call for. I won't be shocked if it still fails for you; in that case I think we need to try to understand exactly why the trailing FCGI_STDIN record is needed. (FWIW, my authorizer is Perl using the FCGI module. The protocol implementation on the app side could explain the difference in our observations.) Silly me. Chris's patch at http://people.apache.org/~chrisd/patches/mod_fcgid_auth/mod_fcgid-1auth-trunk.patch handles this, and it does send a trailing FCGI_STDIN record to an authorizer. Chris, AYT?
Re: mod_fcgid POST broken if FcgiAuthorizer is run
Jeff Trawick wrote:

> Chris Darroch has a patch for that, which is a small part of http://people.apache.org/~chrisd/patches/mod_fcgid_auth/mod_fcgid-1auth-trunk.patch which applies to the old mod_fcgid 2.2 but which he has submitted here for inclusion. If you get stuck, look in there at some of the checks for role == responder, one or more of which are for the responder+authorizer-on-same-request issue.

Yes -- and I'm really, really going to prioritize breaking this patchset up (I know I'm a moron for having run everything together) next week and trying to commit portions one at a time to mod_fcgid trunk.

I know, because we do it in production, that I have a single script running as both authorizer and responder, and it does work OK ... I just have to go back in line by line and figure out what each change was for. Please do hassle me next week if I don't show some signs of progress on this front.

Chris.

--
GPG Key ID: 366A375B
GPG Key Fingerprint: 485E 5041 17E1 E2BB C263 E4DE C8E3 FA36 366A 375B