Re: Apache::ASP rules [was: Sorry men]

2000-04-27 Thread Francesc Guasch

Ime Smits wrote:
> 
> Bottomline: Apache::ASP made me really happy because now I don't have to
> develop for IIS anymore and I can stick to my Linux environment. I can

I'm also being told every once in a while by management
about why we aren't using IIS, you know, when they receive
marketing information.

I have a list of lack of features in mind but I'd like
to hear horror stories and so on from someone who really used it.


-- 
 - frankie -



Re: php And Apache::ASP

2000-04-27 Thread Joshua Chamas

Jerrad Pierce wrote:
> 
> Are php3 and ASP mutually exclusive?
> I enabled mod_perl and mod_php3 (the defaults that come in the RH6.1
> distrib)
> and installed Apache::ASP, and while either or work, if I enable both the
> server spontaneously combusts. (It will touch the log files if they do not
> exist, and then disappear).
> 

Sounds like one of those great Linux DSO problems.  Try
compiling your apache static, which usually makes these
problems go away.

-- Joshua



Re: Apache::ASP and Postgres

2000-04-27 Thread Joshua Chamas

FEITO Nazareno wrote:
> 
> Hi buddy... I have a recommendation for you...
> Here where I work, we have a unix and a linux running Oracle databases
> accessed by perl and ASP, perl is embedded, I mean, .phtml, and it really
> sucks, I mean, is really crazy to do that, but the ppl didn't know that...
> in that way we connect with oracle with DBI through modperl but we make
> another things with ASP and Javascript.
> The code is like perl embedded into ASP, the results are good, but when a
> programmer want to analyze that we call to the mental hospital, do you
> understand me?

I think this poor guy was mixing up IIS/ASP with Apache::ASP, which 
is a perl native port of ASP.  PHTML sounds like Apache::SSI.  Anyhow,
he doesn't know much about what he's doing, but if he wanted to learn
from the list, he could.  For starters, all of the embedded perl solutions
allow things to be done quickly and easily w/o much design.  Such
is also perl's strength & weakness, that to program well, you must have
a good programmer, but you have some very powerful tools all the same.

For more information on Apache::ASP, check out 
  http://www.nodeworks.com/asp/

--Joshua



Re: libapreq and select multiple?

2000-04-27 Thread Jim Winstead

On Apr 27, Jim Winstead wrote:
> Is it just me, or does libapreq not handle the response from <select
> multiple> correctly? It appears to only make one of the values
> accessible.
> 
> From what I can tell, this appears to go all the way down to the
> Apache::Table implementation, where the underlying Apache data
> structure does not quite have the perl semantics of no duplicate
> keys.
> 
> My ideal would be for $apr->param("selectmultiplename") to return
> an array ref of the values. But I don't really have much of a clue
> of where to start to implement this.
> 
> Thoughts?

Of course, $apr->param("selectmultiplename") returns an array of
the values in an array context.

Subtle. :)

Jim



libapreq and select multiple?

2000-04-27 Thread Jim Winstead

Is it just me, or does libapreq not handle the response from <select
multiple> correctly? It appears to only make one of the values
accessible.

From what I can tell, this appears to go all the way down to the
Apache::Table implementation, where the underlying Apache data
structure does not quite have the perl semantics of no duplicate
keys.

My ideal would be for $apr->param("selectmultiplename") to return
an array ref of the values. But I don't really have much of a clue
of where to start to implement this.

Thoughts?

Jim



Re: Security in displaying arbitrary HTML

2000-04-27 Thread Jeffrey W. Baker

On Thu, 27 Apr 2000, John M Vinopal wrote:

> I am a bad hacker and watching your line.  I see cookies A and B go to you.
> I set cookies A and B in my web browser.  I am now you.  You can try to 
> permute the cookies with IP# (breaks on proxies) or Browser type, but all
> cookie based approaches believe in the value of something sent cleartext.
> Or use SSL.

Well, uh, duh.  Any authentication sent in plain text (telnet, rsh,
ftp) is insecure.  NO authentication scheme is secure unless it uses
encryption on the line.  SSL is necessary (but not sufficient) for secure
authentication by any means.

Those of us who have implemented secure web sites know that it is hard but
not impossible to do.  There are headaches associated with just about
every aspect of it.  The funny thing is, the major websites almost always
get it wrong!  Many of them do not escape HTML in form input.  They do not
validate form or URI input.  They do all sorts of wanky things with
cookies.

My personal philosophy is to spend a lot of cycles on site security and
get rid of all problems that are legitimately on the server
side.  Anything that triggers bugs in the browsers I leave up to the
browser vendors.  In my current work, we have built in a system for
allowing and disallowing browser revisions as new stuff comes across on
BugTraq. 

-jwb




Re: segfault in DSO mod_perl 1.23 (perl 5.6.0) with apache-1.3.12

2000-04-27 Thread Michael Poole

Doug MacEachern <[EMAIL PROTECTED]> writes:

> can you see if this patch fixes the problem?  make sure you let mod_perl
> build httpd and pass USE_APACI=1 to Makefile.PL
> 
> --- Makefile.PL 2000/04/21 06:24:27 1.158
> +++ Makefile.PL 2000/04/27 22:45:30 1.160
> @@ -186,7 +186,7 @@
>  $PERL_DEBUG = "";
>  $PERL_DESTRUCT_LEVEL = "";
>  $PERL_STATIC_EXTS = "";
> -$PERL_EXTRA_CFLAGS = "";
> +$PERL_EXTRA_CFLAGS = $] >= 5.006 ? $Config{ccflags} : "";
>  $SSLCacheServerPort = 8539;
>  $SSL_BASE = ""; 
>  $Port = $ENV{HTTP_PORT} || 8529;
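Review bot: the `+` line does not say how the new `$Config{ccflags}` default interacts with a PERL_EXTRA_CFLAGS value supplied by the person running Makefile.PL; confirm that such a value is still honoured (appended to or overriding perl's flags) rather than being lost or silently replacing them. The file header also jumps from revision 1.158 to 1.160 while only this one hunk is shown, so check that nothing from 1.159 is required alongside it.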

Yes.  Using the same Makefile.PL invocation that failed before (see my
previous email), this passes "make test."  I haven't tried running it
in my full pseudo-production environment because that also uses mod_ssl,
but the test suite checks out okay.

In hopes that this would fix the APXS build, I tried rebuilding with
that, but whenever the httpd tried to load the php3 or perl module, it
would die in pthread_mutex_lock.  This was slightly odd, since php3
would load fine when httpd was statically linked against mod_perl.
For the time being, I'll just roll back to using static mod_perl and
dynamic mod_ssl and php3.

Michael



Re: segfault in DSO mod_perl 1.23 (perl 5.6.0) with apache-1.3.12

2000-04-27 Thread Michael Poole

Doug MacEachern <[EMAIL PROTECTED]> writes:

> > perl Makefile.PL USE_APXS=1 WITH_APXS=/usr/local/sbin/apxs EVERYTHING=1
> 
> probably a long shot, but any difference if you build with USE_DSO=1
> instead of USE_APXS ?

My apologies for taking so long to reply -- it's been a busy week.
From a clean apache_1.3.12 and mod_perl-1.23 tree, running:
  perl Makefile.PL APACHE_SRC=../apache_1.3.12/src DO_HTTPD=1 \
USE_APACI=1 USE_DSO=1 EVERYTHING=1
  make
  make test

results in almost all of the tests failing.  When I try to start the
server manually (using the same parameters as 'make test' gives it),
it gets SIGSEGV while parsing the httpd config files.  A backtrace
from gdb shows:

(gdb) bt
#0  _dl_debug_state () at dl-debug.c:56
#1  0x4000a3eb in _dl_catch_error (errstring=0xbfffc034, 
operate=0x40148d20 , args=0xbfffc038) at dl-error.c:141
#2  0x401490cd in _dl_open (
file=0x866cc20 
"/usr/local/lib/perl5/5.6.0/i686-linux-thread-multi-64all/auto/IO/IO.so", mode=1, 
caller=0xbfffc034) at dl-open.c:232
#3  0x4006a063 in dlopen_doit (a=0xbfffc148) at dlopen.c:41
#4  0x4000a3eb in _dl_catch_error (errstring=0x4006bd00, 
operate=0x4006a038 , args=0xbfffc148) at dl-error.c:141
#5  0x4006a549 in _dlerror_run (operate=0x4006a038 , 
args=0xbfffc148) at dlerror.c:125
#6  0x4006a023 in __dlopen_check (
file=0x866cc20 
"/usr/local/lib/perl5/5.6.0/i686-linux-thread-multi-64all/auto/IO/IO.so", mode=1) at 
dlopen.c:53
#7  0x401b09e9 in XS_DynaLoader_dl_load_file ()
   from 
/usr/local/stow/apache/1.3.12/src/mod_perl-1.23/t/../../apache_1.3.12/src/modules/perl/libperl.so
[... much Perl internals elided ...]
#54 0x40171257 in perl_cmd_require ()
   from 
/usr/local/stow/apache/1.3.12/src/mod_perl-1.23/t/../../apache_1.3.12/src/modules/perl/libperl.so
#55 0x806b67e in invoke_cmd ()
#56 0x806bb01 in ap_handle_command ()
#57 0x806bb9d in ap_srm_command_loop ()
#58 0x806bff4 in ap_process_resource_config ()
#59 0x806c8f8 in ap_read_config ()
#60 0x8076570 in standalone_main ()
#61 0x8076e9c in main ()
#62 0x400841eb in __libc_start_main (main=0x8076b04 , argc=6, 
argv=0xbc54, init=0x804e3cc <_init>, fini=0x8093b64 <_fini>, 
rtld_fini=0x4000a610 <_dl_fini>, stack_end=0xbc4c)
at ../sysdeps/generic/libc-start.c:90

and t/logs/error_log contains:

[notice] END block called for startup.pl
[notice] Destruction->DESTROY called for $global_object

(I'm not sure if that's an error or just diagnostics; it looks like
the latter.  If the SEGV is unrelated to it, I could continue hunting
down the error given hints on what to look for.  But not all is lost
-- see my reply to your other email.)

Michael



Re: php And Apache::ASP

2000-04-27 Thread Ime Smits

| Are php3 and ASP mutually exclusive?

Nope... I have Apache/1.3.12 (Linux 2.2.12), PHP/3.0.15, mod_perl/1.21_03
and Apache::ASP running perfectly well together. On another system
PHP/4.0RC1 is working in the same environment just as fine. However, as I
don't like the RedHat provided RPMs I built everything from source.

| Before I installed Devel::Symdump I would get this in error.log:
| [Thu Apr 27 06:14:07 2000] [error] [asp] [2726] cannot load Apache::Symbol
| for UndefRoutine: Can't locate Devel/Symdump.pm in @INC (@INC contains:
| /usr/lib/perl5/5.00503/i386-linux /usr/lib/perl5/5.00503
| /usr/lib/perl5/site_perl/5.005/i386-linux /usr/lib/perl5/site_perl/5.005 .
| /etc/httpd/ /etc/httpd/lib/perl) at
| /usr/lib/perl5/site_perl/5.005/i386-linux/Apache/Symbol.pm line 10. <-->
| BEGIN failed--compilation aborted at
| /usr/lib/perl5/site_perl/5.005/i386-linux/Apache/Symbol.pm line 10. <-->
| BEGIN failed--compilation aborted at (eval 11) line 2. <-->

Do you have all the Apache::ASP dependencies in the right place?

Ime




Re: Embperl: browser does not send cookie back to webserver

2000-04-27 Thread Kee Hinckley


At 4:27 PM -0500 4/27/00, Igor Chudov @ home wrote:
>Please disregard my previous email, I have figured out what store
>and locker to use.

What did you use?

>I thought that it was due to EMBPERL_COOKIE_PATH not being set, but
>setting it did not help. Do you have any suggestions?

Here's what I set, and it seems to work for me.

 PerlSetEnv  EMBPERL_COOKIE_NAME 'ONECALLWEB_UID'
 PerlSetEnv  EMBPERL_COOKIE_DOMAIN   '.somewhere.com'
 PerlSetEnv  EMBPERL_COOKIE_PATH '/'
-- 

Kee Hinckley - Somewhere Consulting Group - Cyberspace Architects(rm)

I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to regulate
everyone else's.




Re: segfault in DSO mod_perl 1.23 (perl 5.6.0) with apache-1.3.12

2000-04-27 Thread Doug MacEachern

can you see if this patch fixes the problem?  make sure you let mod_perl
build httpd and pass USE_APACI=1 to Makefile.PL

--- Makefile.PL 2000/04/21 06:24:27 1.158
+++ Makefile.PL 2000/04/27 22:45:30 1.160
@@ -186,7 +186,7 @@
 $PERL_DEBUG = "";
 $PERL_DESTRUCT_LEVEL = "";
 $PERL_STATIC_EXTS = "";
-$PERL_EXTRA_CFLAGS = "";
+$PERL_EXTRA_CFLAGS = $] >= 5.006 ? $Config{ccflags} : "";
 $SSLCacheServerPort = 8539;
 $SSL_BASE = ""; 
 $Port = $ENV{HTTP_PORT} || 8529;
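Review bot: the `+` line reads `$Config{ccflags}`, but the visible context does not show `%Config` being loaded; Makefile.PL needs `use Config;` in scope before line 186, otherwise the expression yields an empty value and the build flags stay as they were. The `$] >= 5.006` test would also benefit from a one-line comment saying why only perl 5.6.0 and later need their ccflags passed through, since the reason is not recoverable from the line itself.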





Re: Security in displaying arbitrary HTML

2000-04-27 Thread John M Vinopal

I am a bad hacker and watching your line.  I see cookies A and B go to you.
I set cookies A and B in my web browser.  I am now you.  You can try to 
permute the cookies with IP# (breaks on proxies) or Browser type, but all
cookie based approaches believe in the value of something sent cleartext.
Or use SSL.

-j

On Thu, Apr 27, 2000 at 12:34:30PM -0700, Nick Tonkin wrote:
> On Thu, 27 Apr 2000, Marc Slemko wrote:
> 
> > Cookies are not secure and will never be secure.  They may be "good
> > enough", and you may not have much choice, but they are still simply not
> > secure when you put everything together.
> 
> Can you be more specific about why you say that? If I set an encrypted,
> short-lived cookie upon validated authentication, why is that any less
> secure than any of the other approaches you mentioned?
> 
> 
> - nick
> 



Re: Authorization questions

2000-04-27 Thread Nick Tonkin



We use a two stage system, Access and a combination
Authentication/Authorization stage.

When the user attempts to access a page a mod_perl Access handler checks
for a cookie (we think it's pretty secure :) showing they have been
previously authenticated. If not, they are sent off to an Authentication
handler which authenticates them, and, if that was successful, looks up
their permissions from a database and stores them on disk using
Apache::Session::File. The data is stored (everywhere) in a
object.attribute=perm_level structure.

When the user *is* authenticated the Access handler slurps up the perms
from disk and stuffs them in the pnotes table in a hashref, which can then
be checked by the modules that display data, allowing them to decide
whether to show data read only, read-write, or not at all.

It's very nifty. To give props where due, it is partially based on the
Ticket Access stuff from the book (for the cookie access stuff) and
contains code by Jeff Baker (the storage stuff).

If there is a fair amount of interest I can genericize it and whack it
into CPAN ...

Nick




On Thu, 27 Apr 2000, Michael Nachbaur wrote:

> I have a question.  I'm working on a project that requires not only
> file-by-file authentication and authorization, but task-by-task
> authorization within a file (for instance...read access, but not write).
> Basically, I'd like to have a database table define permissions (which can
> be associated with groups and users), and what type of permission it is:
> file-level, or task-level (or external/internal).  Then, provide methods
> that a perl program can use to ask "Am I able to do this?".
> 
> Is there something out there that does this?  I'm planning on writing a
> module to handle this, so if there's something that I can start with, that
> would help things out a lot.  Also, if anyone wants anything similar to
> this, let me know what features you'd like, and I'll see if I can integrate
> 'em into my requirements.
> 
> I'm also thinking of doing something similar for authentication (because
> I'd like to have a login screen in HTML, instead of having that HTTP popup
> login window.).  Anything out there that does this?
> 
> If this is a case of RTFM, could someone point me to where I can learn more
> about this?
> 
> Thanks a bunch,
> -MN
> 


- nick
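
The permission lookup described in this message, as an added example that is not Nick Tonkin's code or part of the thread. The level numbers (0 none, 1 read, 2 write), the `object.*` fallback entry and every sub name are assumptions made for illustration; the sample permission lines are constructed.

```perl
#!/usr/bin/perl
# Added example: deny-by-default checks over per-user permissions stored as
# object.attribute=perm_level. Level meanings and sub names are assumptions.
use strict;
use warnings;

my %LEVEL = (none => 0, read => 1, write => 2);   # assumed meaning of perm_level

# Parse stored lines into the hashref an access handler could keep in pnotes.
# A line that does not match the expected shape is fatal rather than skipped,
# so a corrupted store cannot quietly widen or narrow access.
sub load_perms {
    my (@lines) = @_;
    my %perms;
    for my $line (@lines) {
        next if $line =~ /\A\s*(?:#.*)?\z/;        # blank lines and comments
        my ($key, $lvl) = $line =~ /\A([a-z_]+\.(?:[a-z_]+|\*))=([0-2])\z/
            or die "bad permission line: $line\n";
        $perms{$key} = $lvl;
    }
    return \%perms;
}

# Effective level: the exact object.attribute entry, else the object.* entry,
# else none. An explicit 0 on an attribute therefore beats a wider grant.
sub level_for {
    my ($perms, $object, $attr) = @_;
    for my $key ("$object.$attr", "$object.*") {
        return $perms->{$key} if exists $perms->{$key};
    }
    return $LEVEL{none};
}

# "Am I able to do this?" for one access type.
sub allowed {
    my ($perms, $object, $attr, $want) = @_;
    die "unknown access type: $want\n" unless exists $LEVEL{$want};
    return level_for($perms, $object, $attr) >= $LEVEL{$want} ? 1 : 0;
}

# What a display module would decide for one field.
sub display_mode {
    my ($perms, $object, $attr) = @_;
    return allowed($perms, $object, $attr, 'write') ? 'read-write'
         : allowed($perms, $object, $attr, 'read')  ? 'read-only'
         :                                            'not shown';
}

# Constructed sample data for one user.
my $perms = load_perms('order.*=1', 'order.notes=2', 'order.card=0');

for my $field ([order => 'notes'], [order => 'total'],
               [order => 'card'],  [customer => 'email']) {
    my ($object, $attr) = @$field;
    printf "%-16s %s\n", "$object.$attr", display_mode($perms, $object, $attr);
}
```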





Re: speed up/load balancing of session-based sites

2000-04-27 Thread Perrin Harkins

On Thu, 27 Apr 2000, Dan McCormick wrote:
> If you split things between a proxy and a mod_perl server, the first hit
> would have to go through to the mod_perl server to initiate the session,
> but subsequent requests which may not need the session info could be
> sent to the proxy.  Is that possible?

Anything that actually uses the session data to do something specific to
this user will have to go through to the backend mod_perl server.  Generic
pages without user customization could be served from the proxy cache
though.

> Further, what are the standard ways to load balance a session-tracking
> app across multiple servers when the sessions are stored in memory and a
> given user has to be consistently sent back to the same machine?

Most of the commercial load-balancing tools support the concept of
"sticky" load-balancing, which routes people back to the same box each
time.  If you can't do that, you have to share the sessions across all app
servers, probably by putting them into a database.

> Can round-robin DNS be counted on to send people back to the same
> server over the life of a given session?

It should work, but round-robin DNS has its own shortcomings (no failover
support) that usually send people to NAT-based approaches for high-traffic
commercial sites.

- Perrin




Re: OOP, Inheritance, and mod_perl

2000-04-27 Thread Perrin Harkins

On Thu, 27 Apr 2000, bahwi wrote:
> I have a question about OOP, Inheritance, and mod_perl. I have OO
> pre-loaded module A, which clients B, C, and D use. Each one gets
> their own, and the configuration variables are different. My question here
> is how much memory does this take up? Is the module's memory copied
> several times for clients B, C, and D? From what I have read I'm pretty
> sure that it's not that, just the variables are different, but I'd like to
> be sure. 

With the caveat that I've never read the Perl source, I'm pretty sure your
compiled code is kept in memory separately from your variables, so you
will only have one copy of the code.

> On to my second question, client E, F, and G each are using pre-loaded OO
> module A, but they are inheriting the class, make some changes, and then
> creating it with the new method. Each one has a different inheritance, and
> different methods are changed or added. How does this affect memory? Does
> each one get a full copy of the module in memory, and then it is changed?

Again, there is only one copy of the code, but any variables are separate.

- Perrin




RE: Authorization questions

2000-04-27 Thread Michael Nachbaur

Different paradigm.  There aren't going to be any unix users corresponding to the 
users on the site (read: like an amazon.com user, not a unix user).  This is going to 
be used on a website for personalization stuff, and I think the potential of having 
100+ unix users is a bad thing for performance. ;)

So, it needs to be done in a database.

My main concern is not the querying of the database server...that's easy.  My question 
is the *way* the info is requested, and trying to fit that in well with Apache.

-----Original Message-----
From: Jerrad Pierce [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 27, 2000 1:45 PM
To: 'Michael Nachbaur'
Subject: RE: Authorization questions


Why not rely upon the underlying filesystem's ACL's...

Have the REMOTE_USER be in various groups on the system, to gain various
privileges to various files... (and set euid and egid within your module)?

  o _
 /|/ |   Jerrad Pierce \ | __|_ _|
 /||/   http://pthbb.org  .  | _|   |
 \||  _.-~-._.-~-._.-~-._@"  _|\_|___|___|


> -----Original Message-----
> From: Michael Nachbaur [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, April 27, 2000 16:39
> To: mod_perl Maillist
> Subject: Authorization questions
> 
> 
> I have a question.  I'm working on a project that requires 
> not only file-by-file authentication and authorization, but 
> task-by-task authorization within a file (for instance...read 
> access, but not write).  Basically, I'd like to have a 
> database table define permissions (which can be associated 
> with groups and users), and what type of permission it is: 
> file-level, or task-level (or external/internal).  Then, 
> provide methods that a perl program can use to ask "Am I able 
> to do this?".
> 
> Is there something out there that does this?  I'm planning on 
> writing a module to handle this, so if there's something that 
> I can start with, that would help things out a lot.  Also, if 
> anyone wants anything similar to this, let me know what 
> features you'd like, and I'll see if I can integrate 'em into 
> my requirements.
> 
> I'm also thinking of doing something similar for 
> authentication (because I'd like to have a login screen in 
> HTML, instead of having that HTTP popup login window.).  
> Anything out there that does this?
> 
> If this is a case of RTFM, could someone point me to where I 
> can learn more about this?
> 
> Thanks a bunch,
> -MN
> 



Authorization questions

2000-04-27 Thread Michael Nachbaur

I have a question.  I'm working on a project that requires not only file-by-file 
authentication and authorization, but task-by-task authorization within a file (for 
instance...read access, but not write).  Basically, I'd like to have a database table 
define permissions (which can be associated with groups and users), and what type of 
permission it is: file-level, or task-level (or external/internal).  Then, provide 
methods that a perl program can use to ask "Am I able to do this?".

Is there something out there that does this?  I'm planning on writing a module to 
handle this, so if there's something that I can start with, that would help things out 
a lot.  Also, if anyone wants anything similar to this, let me know what features 
you'd like, and I'll see if I can integrate 'em into my requirements.

I'm also thinking of doing something similar for authentication (because I'd like to 
have a login screen in HTML, instead of having that HTTP popup login window.).  
Anything out there that does this?

If this is a case of RTFM, could someone point me to where I can learn more about this?

Thanks a bunch,
-MN



Re: Security in displaying arbitrary HTML

2000-04-27 Thread Matt Sergeant

On Thu, 27 Apr 2000, Vivek Khera wrote:

> > "SC" == Steven Champeon <[EMAIL PROTECTED]> writes:
> 
> SC> developers and designers) for Webmonkey:
> 
> SC>  http://hotwired.lycos.com/webmonkey/00/18/index3a.html
> 
> SC> If you want to see what sort of stuff the XSS problem opens you up for,
> SC> just try appending ?tw=alert("aha!"); to the URL above.
> 
> Why on earth would you take user input and output it verbatim to your
> pages?  Rule number 1 of developing a web site is to never trust the
> user's input values.  *Always* validate it against what you're
> expecting.

Unfortunately there's also a browser bug to contend with. They treat \x8b
(I think that's the right code) as < and there's a similar code for
>. Since most web developers are just doing s/

Fastnet Software Ltd. High Performance Web Specialists
Providing mod_perl, XML, Sybase and Oracle solutions
Email for training and consultancy availability.
http://sergeant.org http://xml.sergeant.org
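
The rule quoted above (validate input against what is expected) together with output encoding that does not depend on listing individual dangerous characters, as an added example that is not code from any poster in this thread. The accepted character set, the sub names and the sample inputs are assumptions and constructed values.

```perl
#!/usr/bin/perl
# Added example: allowlist validation plus output encoding for a value that is
# echoed back into an HTML page. Names and sample inputs are constructed.
use strict;
use warnings;

# Validate against what is expected: here a search term of 1 to 64 characters
# drawn from letters, digits, space and a few punctuation marks (an assumed
# policy; each application has to define its own).
sub valid_query {
    my ($q) = @_;
    return (defined($q) && $q =~ /\A[A-Za-z0-9 .,_-]{1,64}\z/) ? 1 : 0;
}

# Encode for HTML text and quoted attribute values. Everything outside a small
# safe set becomes a numeric character reference, so the markup characters
# < > & " ' and every byte above 0x7E (the \x8b mentioned in the message
# included) are never sent to the browser raw. Encoding by safe set avoids
# the gap left by substitutions that only name the characters known to be bad.
sub escape_html {
    my ($s) = @_;
    return '' unless defined $s;
    $s =~ s/([^A-Za-z0-9 .,_\/:-])/sprintf('&#%d;', ord($1))/ge;
    return $s;
}

# Constructed inputs: a normal query, a script probe of the kind discussed in
# the thread, and a byte string carrying the high-bit characters.
my @samples = (
    'mod_perl cookies',
    '<script>alert("aha!");</script>',
    "price \x8bb\x9b",
);

for my $in (@samples) {
    # A real handler would stop at a rejected value; the escaped form is
    # printed for every sample here to show what redisplay would emit.
    printf "%-7s %s\n", (valid_query($in) ? 'accept' : 'reject'),
        escape_html($in);
}
```

This encoding fits HTML text and quoted attribute values only; a value placed inside a script block or a URL needs the encoding for that context.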




[new module development] Apache::Ping

2000-04-27 Thread Geoffrey Young

hi all...

well, this isn't a new module quite yet...  I've been toying with
the idea of a module that does automatic server monitoring.  I know there
must be programs out there that do this, and the guide has some examples,
but I was interested in creating a module add-in that would take care of
things with minimal intervention (as in PerlModule Apache::Ping and that's
all)...

I'm not really a systems person, so I don't get all the intricacies of
forking, daemons, and the like, but here's a skeleton that seems to work...

Does anyone think this is a worthy endeavor?  Are there some inherent
dangers here that should be mentioned?

--Geoff


package Apache::Ping;

use 5.004;
use mod_perl 1.23;
use LWP::UserAgent;
use strict;

# Let the kernel reap the monitor child so it never lingers as a zombie.
$SIG{CHLD} = 'IGNORE';

my $warmup   = 10;   # seconds to wait before the first check
my $wait     = 10;   # seconds between checks
my $restart  = "/usr/local/apache/apachectl restart";
my $url      = "http://localhost/perl-status";

defined (my $kid = fork) or die "Cannot fork: $!\n";
unless ($kid) {
  # Child: detach from the parent's standard handles.  'or' is used instead
  # of '||' so that die is tied to open() and not to the filename string.
  close STDIN;
  close STDOUT;
  close STDERR;
  open STDIN,  '</dev/null' or die "Can't read /dev/null: $!";
  open STDOUT, '>/dev/null' or die "Can't write to /dev/null: $!";
  open STDERR, '>/dev/null' or die "Can't write to /dev/null: $!";
  sleep($warmup);
  while (1) {
    my $ua  = LWP::UserAgent->new;
    my $req = HTTP::Request->new(GET => $url);
    my $res = $ua->request($req);
    if ($res->is_success) {
      sleep($wait);
    } else {
      # Check failed: restart the server and end this monitor process.
      system($restart);
      CORE::exit(0);
    }
  }
}

1;



php And Apache::ASP

2000-04-27 Thread Jerrad Pierce

Are php3 and ASP mutually exclusive?
I enabled mod_perl and mod_php3 (the defaults that come in the RH6.1
distrib)
and installed Apache::ASP, and while either or work, if I enable both the
server spontaneously combusts. (It will touch the log files if they do not
exist, and then disappear).

Before I installed Devel::Symdump I would get this in error.log:
[Thu Apr 27 06:14:07 2000] [error] [asp] [2726] cannot load Apache::Symbol
for UndefRoutine: Can't locate Devel/Symdump.pm in @INC (@INC contains:
/usr/lib/perl5/5.00503/i386-linux /usr/lib/perl5/5.00503
/usr/lib/perl5/site_perl/5.005/i386-linux /usr/lib/perl5/site_perl/5.005 .
/etc/httpd/ /etc/httpd/lib/perl) at
/usr/lib/perl5/site_perl/5.005/i386-linux/Apache/Symbol.pm line 10. <-->
BEGIN failed--compilation aborted at
/usr/lib/perl5/site_perl/5.005/i386-linux/Apache/Symbol.pm line 10. <-->
BEGIN failed--compilation aborted at (eval 11) line 2. <--> 


thanks!

  o _
 /|/ |   Jerrad Pierce \ | __|_ _|
 /||/   http://pthbb.org  .  | _|   |
 \||  _.-~-._.-~-._.-~-._@"  _|\_|___|___|



Re: Security in displaying arbitrary HTML

2000-04-27 Thread Marc Slemko

On Thu, 27 Apr 2000, Vivek Khera wrote:

> > "SC" == Steven Champeon <[EMAIL PROTECTED]> writes:
> 
> SC> developers and designers) for Webmonkey:
> 
> SC>  http://hotwired.lycos.com/webmonkey/00/18/index3a.html
> 
> SC> If you want to see what sort of stuff the XSS problem opens you up for,
> SC> just try appending ?tw=alert("aha!"); to the URL above.
> 
> Why on earth would you take user input and output it verbatim to your
> pages?  Rule number 1 of developing a web site is to never trust the
> user's input values.  *Always* validate it against what you're
> expecting.

Remember, this isn't just cases where user A writes something that user B
sees.  This includes cases where user A creates something that only user A
sees.  Traditionally, it was often assumed that "hey, who cares?  It is
only the user that will see it, no one else will".

It is really a very hard problem to ensure it is 100% correct everywhere,
and there are a lot of gotchas involved in trying to do it properly in
anything but the simplest situation.

Every major web site has places where they don't do this properly.




Re: Security in displaying arbitrary HTML

2000-04-27 Thread Steven Champeon

On Thu, 27 Apr 2000, Vivek Khera wrote:
> Why on earth would you take user input and output it verbatim to your
> pages?  Rule number 1 of developing a web site is to never trust the
> user's input values.  *Always* validate it against what you're
> expecting.

I guess someone had better tell the folks at Vignette that. Well, and
the folks at all the major search engines. And the portals. And anyone
using a search box that redisplays the query on every results page...

Before I wrote the article, I checked out about fifty major portals
and search engines, and only about a third did any filtering on the
input; some did filtering, but poorly; and a good third of them just
redisplayed the query verbatim. Try searching for 

 alert("aha");

at your favorite search engine. The problem is, well, pretty widespread.

Steve

-- 
tired of being an underappreciated functionary in a soulless machine?
hesketh.com is hiring: 




Re: Security in displaying arbitrary HTML

2000-04-27 Thread Vivek Khera

> "SC" == Steven Champeon <[EMAIL PROTECTED]> writes:

SC> developers and designers) for Webmonkey:

SC>  http://hotwired.lycos.com/webmonkey/00/18/index3a.html

SC> If you want to see what sort of stuff the XSS problem opens you up for,
SC> just try appending ?tw=alert("aha!"); to the URL above.

Why on earth would you take user input and output it verbatim to your
pages?  Rule number 1 of developing a web site is to never trust the
user's input values.  *Always* validate it against what you're
expecting.

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Vivek Khera, Ph.D.                Khera Communications, Inc.
Internet: [EMAIL PROTECTED]       Rockville, MD   +1-301-545-6996
PGP & MIME spoken here            http://www.kciLink.com/home/khera/



Re: Security in displaying arbitrary HTML

2000-04-27 Thread Steven Champeon

On Thu, 27 Apr 2000, Marc Slemko wrote:
> > Can you be more specific about why you say that? If I set an encrypted,
> > short-lived cookie upon validated authentication, why is that any less
> > secure than any of the other approaches you mentioned?
> 
> It isn't necessarily any "less secure", but you just have to understand
> and properly manage what it opens you up to.  I'm not suggesting
> alternatives because they are very limited.

I just wrote an article on XSS (Cross-Site Scripting -- I use "XSS"
instead of "CSS" because CSS means Cascading Style Sheets to most Web
developers and designers) for Webmonkey:

 http://hotwired.lycos.com/webmonkey/00/18/index3a.html

If you want to see what sort of stuff the XSS problem opens you up for,
just try appending ?tw=alert("aha!"); to the URL above.
Both the Apache folks and Microsoft security have detailed several ways
in which this attack can be much, much, worse than a single Javascript
popup. There are links to resources at the end of the article.

Myself, I've been amusing myself with this:

 
http://hotwired.lycos.com/webmonkey/00/18/index3a_page6.html?tw=%3CIMG%20SRC%3Dhttp%3A%2F%2Fbarneyonline.com%2Fimages%2Fbab3.gif%3E

Cheers,
Steve

-- 
tired of being an underappreciated functionary in a soulless machine?
hesketh.com is hiring: 




Re: Security in displaying arbitrary HTML

2000-04-27 Thread Marc Slemko

On Thu, 27 Apr 2000, Nick Tonkin wrote:

> On Thu, 27 Apr 2000, Marc Slemko wrote:
> 
> > Cookies are not secure and will never be secure.  They may be "good
> > enough", and you may not have much choice, but they are still simply not
> > secure when you put everything together.
> 
> Can you be more specific about why you say that? If I set an encrypted,
> short-lived cookie upon validated authentication, why is that any less
> secure than any of the other approaches you mentioned?

It isn't necessarily any "less secure", but you just have to understand
and properly manage what it opens you up to.  I'm not suggesting
alternatives because they are very limited.

What it means is that if anyone can make a normal user (eg. javascript
enabled, etc.) follow an arbitrary link while they have that cookie, then
the cookie can be stolen, either through "cross site scripting" type
attacks (and I can guarantee you that if you have a site with any real
amount of dynamic content, you are almost certain to be vulnerable) or
browser specific bugs that have been or will be made known.

Sure, there is a limited time period during which that risk may be open.  
Compared to a crazy site like barnesandnoble.com, where if you enable
their fast checkout, then a cookie is stored that will give you full
access to your account forever without entering any more information; you
can even change your password, etc. without having to know the current
one.

Sure, you have to get the user to follow an arbitrary link, but that is
downright easy in many cases.  Granted, a lot easier for a site like
amazon.com than joescornergrocerystore.com.

But the risks are very real and very poorly understood.  However, they
will be problems for years to come.  The only way they will stop being a
problem is if people deploy and use a real authentication method designed
for authentication with very controlled access, instead of tacking it onto
cookies that are wide open.
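
A short-lived authentication cookie of the kind this exchange is about, as an added example that is not code from any poster or from the Ticket Access code mentioned elsewhere in the thread. It uses a keyed MAC rather than encryption; the ticket layout, the key, the sub names and the clock values are assumptions and constructed values. It shows what the MAC and expiry do catch and that a verbatim copy of a live ticket still verifies, which is the exposure the messages above describe.

```perl
#!/usr/bin/perl
# Added example: an authentication ticket for a cookie, protected by an HMAC
# and an expiry time. Layout, key and names are assumptions.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Constructed demo key; a real key stays on the server and is never sent out.
my $SECRET = 'constructed-demo-key';

# Assumed ticket layout: user:issued:expires:mac (times in epoch seconds).
sub issue_ticket {
    my ($user, $now, $lifetime) = @_;
    die "bad user name\n" unless $user =~ /\A[A-Za-z0-9_.-]{1,32}\z/;
    my $body = join ':', $user, $now, $now + $lifetime;
    return $body . ':' . hmac_sha256_hex($body, $SECRET);
}

# Compare two MAC strings without stopping at the first differing character.
sub same_mac {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1))
        for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

# Returns (user, undef) when the ticket is good, (undef, reason) otherwise.
sub check_ticket {
    my ($ticket, $now) = @_;
    my @f = split /:/, (defined $ticket ? $ticket : ''), -1;
    return (undef, 'malformed')
        unless @f == 4 && $f[1] =~ /\A\d+\z/ && $f[2] =~ /\A\d+\z/;
    my ($user, $issued, $expires, $mac) = @f;
    my $want = hmac_sha256_hex(join(':', $user, $issued, $expires), $SECRET);
    return (undef, 'bad mac') unless same_mac($mac, $want);
    return (undef, 'expired') if $now >= $expires;
    return ($user, undef);
}

my $t0     = 956_880_000;                      # constructed clock value
my $ticket = issue_ticket('alice', $t0, 600);  # ten-minute lifetime

# Same ticket with the expiry field pushed out a day and the MAC left alone.
(my $edited = $ticket) =~ s/\A([^:]+:\d+:)(\d+)/$1 . ($2 + 86_400)/e;

my @cases = (
    [ 'fresh',              $ticket, $t0 + 60  ],
    [ 'expiry edited',      $edited, $t0 + 60  ],
    [ 'after expiry',       $ticket, $t0 + 601 ],
    # A byte-for-byte copy is indistinguishable from the original, so it
    # verifies until the expiry time: the MAC stops forgery, not theft.
    [ 'copied in transit',  $ticket, $t0 + 120 ],
);

for my $c (@cases) {
    my ($label, $value, $now) = @$c;
    my ($user, $why) = check_ticket($value, $now);
    printf "%-18s %s\n", $label,
        defined($user) ? "ok user=$user" : "rejected ($why)";
}
```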




Re: Security in displaying arbitrary HTML

2000-04-27 Thread Nick Tonkin

On Thu, 27 Apr 2000, Marc Slemko wrote:

> Cookies are not secure and will never be secure.  They may be "good
> enough", and you may not have much choice, but they are still simply not
> secure when you put everything together.

Can you be more specific about why you say that? If I set an encrypted,
short-lived cookie upon validated authentication, why is that any less secure than any
of the other approaches you mentioned?


- nick





Re: [RFC] modproxy:modperl ratios...

2000-04-27 Thread Michael hall

On Thu, Apr 27, 2000 at 02:29:15AM +, [EMAIL PROTECTED] wrote:

> Matt & List, 
> > Is there any benefit of mod_proxy over a real proxy front end like "Oops"?
> > 
> 
> This is a good question..., the only answer I've come up with thus far
> from reading the new-httpd devel list is compelling though.  Here's
> what people there said in response to folks trying to kill mod_proxy
> as a canonical apache module:  (Using the argument you're sort of
> alluding to)
> 1)  Using mod_proxy as opposed to a separate package allows you to
> leverage other apache modules..., mod_ssl, and mod_raven for
> commercial folks comes to mind.
> 2)  Apache logging.  It's the real deal.
> 
> Those are the only two that I saw on the list that held any water with
> me.  However, if there is an async i/o frontend out there, it would
> have distinct advantages over apache.  Namely speed.  But for me the
> most compelling is reason #1.  If I finish my async i/o patch to
> mod_proxy..., to me, there would be no reason to contemplate another
> package.  (Clearly HUGE personal bias here)

I'm with you. Set up Squid at one time and although it worked it did have
some quirks and I didn't see any performance benefits (actually if I recall
it was slower). I like the Apache way as it's fairly straightforward
(unless you get into some of the esoteric mod_rewrite stuff), everything's
set up in one config, plus the benefits you mentioned above.

> BTW:  As Mike Hall brought up, they wanted to kill it because there is
> no maintainer for mod_proxy.  There are a lot of people

Yes, recently people have been 'stepping up to the plate', quite a change
from even a month ago, guess they realized it's either do or die

--
Marijuana is nature's way of saying, "Hi!".

Mike Hall,
Unix Admin   - Rock Island Communications   <[EMAIL PROTECTED]>
System Admin - riverside.org<[EMAIL PROTECTED]>



Re: Security in displaying arbitrary HTML

2000-04-27 Thread Marc Slemko

On Thu, 27 Apr 2000, Jeremy Howard wrote:

> I'm interested in providing 'HTML email' support for my users (like
> HotMail, Outlook Express, Eudora 4.0, etc provide), but I'm very
> nervous about security. Essentially, providing HTML email involves
> letting any arbitrary HTML get displayed by Apache...
> 
> Has anyone done this, or can anyone provide any tips on what the
> minimum amount of HTML laundering I need to do to avoid security
> holes? I say 'minimum', because I would like to maximise the amount of
> working HTML users can receive.
> 
> I assume I don't have to worry about PHP/EmbPerl/etc tags, since by
> the time mod_perl is finished with it, it's too late for other
> handlers to step in (unless I specifically chain them). Is that right?

Assuming you never write out temporary files to disk in a web accessible
location containing user accessible info, then point the user to that temp
file directly.

> The only potential holes I can think of are 'javascript:' URLs, which
> I could just filter out, and cross-site scripting URLs (does anyone
> have any code that recognises hrefs with potential cross-site
> scripting problems?)

Sorry, you are out of luck.  You either won't have the full HTML
functionality you want, or you won't be secure.

The very fact that Microsoft is still running into new issues in Hotmail
(even when considering only IE) should attest to that.

Your efforts need to be focused on risk management.  How do you do your
authentication?  Is it persistent?  Is it completely cookie based,
completely URL based, HTTP basic auth based, or some combination?  How
long is authentication good for?  What do you let users do without
re-entering their password (eg. to change their password, they should have
to enter the existing one even if they have authenticated)?  etc.

You should also really configure only allowing specific things though
instead of trying to filter out bad things.  You still won't catch
everything, but that will catch things like about: URLs in IE (yup, you
can inject javascript using them), "mocha:" URLs in Navigator (guess 
"javascript:" wasn't enough), etc.

Cookies are not secure and will never be secure.  They may be "good
enough", and you may not have much choice, but they are still simply not
secure when you put everything together.
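
The "allow specific things instead of filtering out bad things" advice above, as an added example that is not part of the original thread. The tag, attribute and scheme tables and all function names are constructed for illustration, and the code assumes an HTML tokenizer has already split each start tag into a name and entity-decoded attribute values.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed policy (an assumption, not from the thread): the tags that may
# appear, the attributes each may carry, and which of those hold URLs.
my %ALLOWED_ATTRS = (
    a   => { href => 'url', title => 'text' },
    img => { src  => 'url', alt   => 'text', width => 'text', height => 'text' },
    p   => {},
    b   => {},
    i   => {},
    br  => {},
);

# Schemes a URL attribute may use. Anything not listed is refused, whether
# or not anyone has heard of it yet.
my %ALLOWED_SCHEMES = (
    href => { http => 1, https => 1, mailto => 1 },
    src  => { http => 1, https => 1, cid => 1 },    # cid: names an inline MIME part
);

# Return the lower-cased scheme of a URL, or undef when it has none.
# Whitespace and control characters are removed before matching so the value
# is judged without characters a browser may ignore.
sub url_scheme {
    my ($url) = @_;
    (my $clean = $url) =~ s/[\x00-\x20\x7f]//g;
    return $clean =~ /^([A-Za-z][A-Za-z0-9+.\-]*):/ ? lc $1 : undef;
}

sub url_is_allowed {
    my ($attr, $url) = @_;
    my $schemes = $ALLOWED_SCHEMES{$attr} or return 0;
    my $scheme  = url_scheme($url);
    # No scheme means a relative URL, which would resolve against the
    # webmail host itself; this policy refuses those too.
    return 0 unless defined $scheme;
    return $schemes->{$scheme} ? 1 : 0;
}

# Allowlist filter: returns undef when the tag is not permitted at all,
# otherwise a hashref holding only the attributes that passed.
sub filter_tag {
    my ($tag, $attrs) = @_;
    my $allowed = $ALLOWED_ATTRS{ lc $tag } or return;
    my %kept;
    for my $name (keys %$attrs) {
        my $kind = $allowed->{ lc $name } or next;    # onclick, style, ... are never listed
        my $value = $attrs->{$name};
        next if $kind eq 'url' && !url_is_allowed(lc $name, $value);
        $kept{ lc $name } = $value;
    }
    return \%kept;
}

# Denylist check of the kind the question proposes, for comparison:
# refuse javascript: and let everything else through.
sub denylist_allows {
    my ($url) = @_;
    return $url =~ /^\s*javascript:/i ? 0 : 1;
}

# Constructed sample tags; the URL values are inert.
my @samples = (
    [ a      => { href => 'http://www.example.com/' } ],
    [ a      => { href => 'javascript:void(0)' } ],
    [ a      => { href => 'about:blank' } ],
    [ a      => { href => 'mocha:void(0)' } ],
    [ a      => { href => '/cgi-bin/prefs?x=1' } ],
    [ a      => { href => 'mailto:user@example.com', onclick => 'return false' } ],
    [ img    => { src  => 'cid:part1@example.com', alt => 'logo' } ],
    [ script => { src  => 'http://www.example.com/x.js' } ],
);

for my $sample (@samples) {
    my ($tag, $attrs) = @$sample;
    my ($url)  = grep { defined } @{$attrs}{qw(href src)};
    my $kept   = filter_tag($tag, $attrs);
    my $result = !defined $kept ? 'tag removed'
               : !%$kept        ? 'tag kept, no attributes'
               : join ' ', map { sprintf '%s="%s"', $_, $kept->{$_} } sort keys %$kept;
    printf "<%s> %-28s denylist: %-4s allowlist: %s\n",
        $tag, $url, (denylist_allows($url) ? 'pass' : 'drop'), $result;
}
```

The denylist column passes the about: and mocha: links named in the reply, while the allowlist drops them along with the relative link, the event handler and the script tag.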




Re: [RFC] modproxy:modperl ratios...

2000-04-27 Thread Perrin Harkins

On Thu, 27 Apr 2000, Matt Sergeant wrote:
> Is there any benefit of mod_proxy over a real proxy front end like "Oops"?

There's a big study of proxy servers posted at
http://bakeoff.ircache.net/N02/.  There are some expensive ones with
dedicated hardware that perform well.  Of course, there are tremendous
benefits to having the source when you discover that the way some header
is handled is not quite right for you, etc.  For example, we found we
wanted to disable the feature that gets a fresh page from the backend
server when the user hits reload, since the cached copy in mod_proxy is
the freshest that end users are allowed to see.

Basically, mod_proxy and squid have had more work put into making them
work as reverse proxies than other servers have.  It doesn't look like Oops
supports a reverse proxy mode.  It may not be immediately obvious, but you
often need things like ProxyPassReverse
(http://www.apache.org/docs/mod/mod_proxy.html#proxypassreverse) when you
start using a proxy server in this way.

- Perrin




Trouble compiling mod_perl

2000-04-27 Thread Jean-Sebastien Morisset


I first tried to compile mod_perl-1.22 using APXS, but whenever I would
load the module, the Apache child would die.

Here's the command line I used:

perl Makefile.PL NO_HTTPD=1 EVERYTHING=1
WITH_APXS=/opt/apache-1.3.12/bin/apxs USE_APXS=1

I then tried to compile mod_perl with Apache (not shared). When I do, the
make fails. Here's the mod_perl config I used:

perl Makefile.PL DO_HTTPD=1 EVERYTHING=1

And the configuration for Apache:

SSL_BASE=../openssl-0.9.5a
RSA_BASE=../rsaref-2.0/local
export SSL_BASE RSA_BASE

./configure \
--prefix=/opt/apache-1.3.12 \
--enable-rule=SHARED_CORE \
--activate-module=src/modules/perl/libperl.a \
--enable-module=ssl \
--enable-module=unique_id \
--enable-module=rewrite \
--enable-module=expires \
--enable-module=info \
--enable-module=so \
--enable-module=status \
--enable-module=vhost_alias \
--enable-shared=max \
--disable-shared=perl \
--disable-shared=vhost_alias \
--disable-module=userdir \
--disable-module=autoindex \
--disable-module=imap

And here's the error which is generated by the make:

<=== src/modules
gcc -c  -I./os/unix -I./include   -DLINUX=2 -DMOD_SSL=206102 -DUSE_HSREGEX
-DEAPI -DUSE_EXPAT -I./lib/expat-lite -fpic -DSHARED_CORE `./apaci`
modules.c
gcc -c  -I./os/unix -I./include   -DLINUX=2 -DMOD_SSL=206102 -DUSE_HSREGEX
-DEAPI -DUSE_EXPAT -I./lib/expat-lite -fpic -DSHARED_CORE `./apaci`
buildmark.c
gcc -shared -o libhttpd.so buildmark.o modules.o modules/perl/libperl.a
modules/standard/libstandard.a main/libmain.a ./os/unix/libos.a ap/libap.a
regex/libregex.a lib/expat-lite/libexpat.a  
gcc  -I./os/unix -I./include   -DLINUX=2 -DMOD_SSL=206102 -DUSE_HSREGEX
-DEAPI -DUSE_EXPAT -I./lib/expat-lite -fpic -DSHARED_CORE `./apaci`
-rdynamic \
  -o libhttpd.ep -DSHARED_CORE_TIESTATIC main/http_main.c \
  -L. -lhttpd  -lm -lcrypt -lndbm -ldl
./libhttpd.so: undefined reference to `PL_dowarn'
./libhttpd.so: undefined reference to `Perl_gv_stashpv'
./libhttpd.so: undefined reference to `perl_get_sv'
./libhttpd.so: undefined reference to `Perl_croak'
./libhttpd.so: undefined reference to `Perl_sv_free'
./libhttpd.so: undefined reference to `Perl_markstack_grow'
./libhttpd.so: undefined reference to `PL_gid'
.
.
.


Does anyone have any idea what could be wrong?

Thanks,
js.
-- 
Jean-Sebastien Morisset, Sr. UNIX Admin <[EMAIL PROTECTED]>
Personal Homepage  
UNIX, Internet, Homebrewing, Cigars, PCS, CP2020 and other Fun Stuff...
This is Linux Country. On a quiet night you can hear Windows NT reboot!




RequestNotes and file uploads [was how to rewrite to a POST ]

2000-04-27 Thread Geoffrey Young

I was looking at Apache::Request file uploads again.  IIRC, I decided to
prohibit file uploads early on in RequestNotes because at that time
RequestNotes was parsing the request and storing it in a hash and putting
that in pnotes and some suggested that blindly storing files in memory was a
bad idea.  Now, pnotes just holds the Apache::Table object created by
Apache::Request->parms(), though.

I think that creating a third pnotes entry containing Apache::Upload
arrayref works.  I tested it a bit and it seems ok using the $apr->upload
array.  I tried to pass an upload object back and access multiple files
using next(), but I couldn't get it to work (probably because I wasn't
calling something right).

Anyway, since I don't ever deal with file uploads in real life, could those
of you who can test the following patch?  Sorry it's so lengthy...

TIA

--Geoff

--- RequestNotes.pm.old Thu Apr 27 13:36:02 2000
+++ RequestNotes.pm Thu Apr 27 14:48:36 2000
@@ -16,7 +16,7 @@
 use Apache::Request;
 use strict;
 
-$Apache::RequestNotes::VERSION = '0.03';
+$Apache::RequestNotes::VERSION = '0.04';
 
 # set debug level
 #  0 - messages at info or debug log levels
@@ -28,12 +28,13 @@
 # initialize request object and variables
 #-
   
-  my $r   = shift;
-  my $log = $r->server->log;
+  my $r = shift;
+  my $log   = $r->server->log;
 
-  my $maxsize = $r->dir_config('MaxPostSize') || 1024;
+  my $maxsize   = $r->dir_config('MaxPostSize') || 1024;
+  my $uploads   = $r->dir_config('DisableUploads') =~ m/Off/i ? 0 : 1;
 
-  my %cookies = (); # hash for cookie names and values
+  my %cookies   = ();   # hash for cookie names and values
 
 #-
 # do some preliminary stuff...
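Review bot: `$uploads` in the new `dir_config('DisableUploads')` line holds the value that is later passed as DISABLE_UPLOADS, so it is 1 when uploads are off; the name reads the opposite way and it sits beside the `@uploads` array added further down. Rename it (for example `$disable_uploads`). The match also runs against undef when DisableUploads is not set, which warns under -w, and an unanchored m/Off/i accepts any value that merely contains "off"; testing `defined` first and anchoring the pattern as /^off$/i keeps the disabled-by-default behaviour and is stricter.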
@@ -47,7 +48,7 @@
 
   # this routine works for either a get or post request
   my $apr = Apache::Request->new($r, POST_MAX => $maxsize,
- DISABLE_UPLOADS => 1);
+ DISABLE_UPLOADS => $uploads);
   my $status = $apr->parse;
 
   if ($status) {
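Review bot: with `DISABLE_UPLOADS => $uploads` the only size limit on an enabled upload is POST_MAX, which comes from MaxPostSize and defaults to 1024 bytes per the assignment in the previous hunk. Anyone setting DisableUploads Off will have uploads over 1 KB rejected by the parse unless they also raise MaxPostSize, and raising it raises the limit for every POST this handler sees. Say so in the POD, or read a separate limit for requests that carry uploads.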
@@ -73,6 +74,12 @@
   }
   
 #-
+# create an array of all Apache::Upload objects
+#-
+
+  my @uploads = $apr->upload;
+
+#-
 # grab the cookies
 #-
 
@@ -92,6 +99,7 @@
 #-
 
   $r->pnotes(INPUT => $input);
+  $r->pnotes(UPLOADS => \@uploads);
   $r->pnotes(COOKIES => \%cookies) if %cookies;
 
 #-
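Review bot: `$r->pnotes(UPLOADS => \@uploads)` is set on every request, while the COOKIES line right below it is guarded with `if %cookies`. Either guard it the same way (`if @uploads`) so later handlers can test for the key, or document that UPLOADS is always an array reference and may be empty.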
@@ -118,8 +126,10 @@
 
 PerlInitHandler Apache::RequestNotes
 PerlSetVar MaxPostSize 1024
+PerlSetVar DisableUploads On
 
   MaxUploadSize is in bytes and defaults to 1024, thus is optional.
+  DisableUploads defaults to On, and likewise is optional.
 
 =head1 DESCRIPTION
 
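Review bot: the new "DisableUploads defaults to On" line is added under a sentence that still calls the size setting MaxUploadSize, while the directive shown just above it is MaxPostSize. Fix the name while touching this block, and spell out that On means uploads are refused, since a reader who wants uploads has to set it to Off.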
@@ -134,11 +144,17 @@
   some Perl*Handler or Registry script:
 
 my $input  = $r->pnotes('INPUT');
+my $uploads= $r->pnotes('UPLOADS');
 my $cookies= $r->pnotes('COOKIES');

 # GET and POST data
 my $foo= $input->get('foo');
  
+# uploaded files
+foreach my $upload (@$uploads) {
+  print $upload->name;
+} 
+
 # cookie data
 my $bar= $cookies->{'bar'};  # one way
 
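Review bot: the synopsis loop only does `print $upload->name`, which is the form field name, so it does not show how to reach the file. Show `$upload->filename`, `$upload->size` and `$upload->fh` instead, and add a line saying that filename is supplied by the client and should not be used as a path on the server without cleaning it.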
@@ -154,7 +170,9 @@
   the names and values of all cookies sent back to your domain and
   path.  $input contains a reference to an Apache::Table object and
   can be accessed via Apache::Table methods.  If a form contains
-  both GET and POST data, both are available via $input.
+  both GET and POST data, both are available via $input. $uploads
+  contains a reference to an array containing all the Apache::Upload
+  objects for the request, which can be used to access uploaded files.
 
   Once the request is past the PerlInit phase, all other phases can
   have access to form input and cookie data without parsing it
@@ -162,10 +180,6 @@
   POST data is required by numerous handlers along the way.
 
 =head1 NOTES
-
-  Apache::RequestNotes does not allow for file uploads. If either a 
-  file upload was attempted, or the POST data exceeds MaxPostSize,
-  rather than return SERVER_ERROR it sets $Apache::RequestNotes::err.
 
   Verbose debugging is enabled by setting the variable
   $Apache::RequestNotes::DEBUG=1 to or greater. To turn off all debug
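Review bot: the removed NOTES paragraph also documented that a POST larger than MaxPostSize sets $Apache::RequestNotes::err instead of returning SERVER_ERROR. Nothing visible in this patch changes that, so only the first sentence about file uploads is out of date; keep the rest, and add what a handler sees when an upload arrives while DisableUploads is On.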




> -Original Message-
> From: Kip Cranford [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, April 27, 2000 11:32 AM
> To: Ken Y. Clark
> Cc: [EMAIL PROTECTED]
> Subject: Re: how to rewrite to a POST 
> 
> 
> On: Thu, 27 Apr 2000 09:06:24 EDT "Ken Y. Clark" wrote:
> 
> >On Wed, 

Re: mod_proxy and Name based Virtual Hosts

2000-04-27 Thread Leslie Mikesell

According to Matt Sergeant:
> OK, just to get this onto a different subject line... I can't seem to get
> mod_proxy to work on the front end with name based virtual hosts on the
> backend, I can only get it to work if I have name based virtual hosts on
> both ends.

You should be able to use IP based vhosts going to the same IP
and different port on the back end (the backend just needs
a different global Port: setting) or name based vhosts
on the front end going to port based on the backend, each
with a different port number.

  Les Mikesell
   [EMAIL PROTECTED]



Re: mod_proxy and Name based Virtual Hosts

2000-04-27 Thread Vivek Khera

> "MS" == Matt Sergeant <[EMAIL PROTECTED]> writes:


MS> Still doesn't solve the problem of editing only 1 config file, unless I
MS> generate a config file with perl :(


I don't think it is possible to do it such that you only have one
config file to edit.  Both sides need to know about the virtual hosts.




Security in displaying arbitrary HTML

2000-04-27 Thread Jeremy Howard

I'm interested in providing 'HTML email' support for my users (like HotMail, Outlook 
Express, Eudora 4.0, etc provide), but I'm very nervous about security. Essentially, 
providing HTML email involves letting any arbitrary HTML get displayed by Apache...

Has anyone done this, or can anyone provide any tips on what the minimum amount of 
HTML laundering I need to do to avoid security holes? I say 'minimum', because I would 
like to maximise the amount of working HTML users can receive.

I assume I don't have to worry about PHP/EmbPerl/etc tags, since by the time mod_perl 
is finished with it, it's too late for other handlers to step in (unless I 
specifically chain them). Is that right? The only potential holes I can think of are 
'javascript:' URLs, which I could just filter out, and cross-site scripting URLs (does 
anyone have any code that recognises hrefs with potential cross-site scripting 
problems?)

TIA,
  Jeremy



Re: mod_proxy and Name based Virtual Hosts

2000-04-27 Thread Matt Sergeant

On Thu, 27 Apr 2000, Vivek Khera wrote:

> > "MS" == Matt Sergeant <[EMAIL PROTECTED]> writes:
> 
> MS> OK, just to get this onto a different subject line... I can't seem to get
> MS> mod_proxy to work on the front end with name based virtual hosts on the
> MS> backend, I can only get it to work if I have name based virtual hosts on
> MS> both ends. So I have a front end saying:
> 
> I personally use name-based on the front end and port-based on the
> backend.  You have to do the virtualizing on the front end.

Still doesn't solve the problem of editing only 1 config file, unless I
generate a config file with perl :(

-- 


Fastnet Software Ltd. High Performance Web Specialists
Providing mod_perl, XML, Sybase and Oracle solutions
Email for training and consultancy availability.
http://sergeant.org http://xml.sergeant.org




Apache::ASP rules [was: Sorry men]

2000-04-27 Thread Ime Smits

| Oh, almost forgot it... ASP is a loss of time on developer time... and the
| module is too heavy, sorry but between oracle and ASP our server is down in
| performance, we run unix on a SGI and with 256mb ram...
| If you are trying to put ASP cause you don't want to break the designer
| work, you are losing your time (that was the intention here, but it doesn't
| work), the design is all broke.
| Is more structured and I vote for put HTML into Perl and not Perl into HTML
| or the same with ASP.

I think you have a point if you're writing stuff which is going to get a
million or so pageviews a day. In that case, you'll probably have a pretty
good insight in how things are going to be in advance and you can spend some
valuable time into thinking out every aspect of your application before you
actually start coding.

I think the big bonus of Apache::ASP (or one of the other embedded perl
implementations) is that one can start working on a project with a very
ugly looking functional implementation of what you want and later add (or
let other people add) layout to it with their very nice HTML design tools
out there, like DreamWeaver and other kick-ass Macromedia products even I
like to work with. With Apache::ASP, I can work together with people who
have great skills in using visual HTML editors but think they see line-noise
when they actually see perl - as long as they leave the asp tags alone.
Before this, we had to develop the complete design of a website and then in
the end wrap the HTML in perl scripts. In case of any change in design or
restyle, everything had to be done all over and there I was cut/copy/pasting
everything all over.

In my opinion, using Apache::ASP instead of doing old fashioned scripts,
greatly reduces the time taken to complete a project, especially in those
cases where you have to work on something with a lot of people and you don't
know exactly what the finished project is going to be like until it's
actually finished. This indeed has some drawbacks in performance. But hey,
processor time is getting cheaper each day. If you're really aiming for
speed and performance, there's always the option of rewriting and optimizing
when your product is finished using non-embedded perl, C or, if you're a
real die hard, even ASM. I would prefer buying another Pentium box, though.
Except for some very busy sites, you probably won't care about a few
extra milliseconds. Selects on databases which have grown out of proportion
or have a bad structure were a far bigger slowdown than the use of
Apache::ASP in most things I've seen so far.

Now for the non rational part, consider this: just because Apache::ASP was
out there I was able to convince some of the most nasty M$ IIS-addicted
people I work with that Apache+Perl is a very good alternative for IIS. It
isn't that much of a change if people won't have to change their way of
thinking and can continue using their existing skills and tools to develop a
website. For most website developers switching from VBScript ASP to
PerlScript ASP is just a matter of learning some basic rules and grammar.

Consider this - rather unethical - issue too: The main problem I had with
people who are more into marketing than into technical stuff (say: managers)
is that every time I tried to convince them in using something non-M$ for a
new project, I would have a terribly hard time. Thanks to Apache::ASP, I can
make them dream on while they see *.asp floating around all over the place,
but don't know what's really going on. Until the complete product has
proved to work - and then suddenly they don't care anymore if they find out
there is no M$ box at the other end of the wire ;P

Bottomline: Apache::ASP made me really happy because now I don't have to
develop for IIS anymore and I can stick to my Linux environment. I can
concentrate on real scripting and let other people without any scripting
knowledge focus on creating the HTML and layout.

Ime




Re: mod_proxy and Name based Virtual Hosts

2000-04-27 Thread Matt Sergeant

On Thu, 27 Apr 2000, Drew Taylor wrote:

> I'm not very skilled in this area, but it looks like you are proxying to
> a backend on port 8080, but you never specify port 8080 in the config
> for the backend... Perhaps this is it? Or did you leave out part of the
> backend config?

No - I just left that out - otherwise there would be a port conflict and
one of the httpds wouldn't start.

-- 


Fastnet Software Ltd. High Performance Web Specialists
Providing mod_perl, XML, Sybase and Oracle solutions
Email for training and consultancy availability.
http://sergeant.org http://xml.sergeant.org




Re: mod_proxy and Name based Virtual Hosts

2000-04-27 Thread Vivek Khera

> "MS" == Matt Sergeant <[EMAIL PROTECTED]> writes:

MS> OK, just to get this onto a different subject line... I can't seem to get
MS> mod_proxy to work on the front end with name based virtual hosts on the
MS> backend, I can only get it to work if I have name based virtual hosts on
MS> both ends. So I have a front end saying:

I personally use name-based on the front end and port-based on the
backend.  You have to do the virtualizing on the front end.



Re: Proxy front end behind 64k

2000-04-27 Thread Vivek Khera

> "MS" == Matt Sergeant <[EMAIL PROTECTED]> writes:

MS> OK, I can't figure this out.. help me out here. I want to deal with my
MS> virtual hosts on the heavyweight server. The frontend server should just
MS> be a simple thing that I never have to touch.

Front end must be virtual-host aware as well.  See my posting on the
details of doing this from a couple of weeks ago.




Re: mod_proxy and Name based Virtual Hosts

2000-04-27 Thread Drew Taylor

I'm not very skilled in this area, but it looks like you are proxying to
a backend on port 8080, but you never specify port 8080 in the config
for the backend... Perhaps this is it? Or did you leave out part of the
backend config?

Matt Sergeant wrote:
> 
> OK, just to get this onto a different subject line... I can't seem to get
> mod_proxy to work on the front end with name based virtual hosts on the
> backend, I can only get it to work if I have name based virtual hosts on
> both ends. So I have a front end saying:
> 
> NameVirtualHost 194.70.26.133
> 
> 
> ServerName xml.sergeant.org
> ProxyPass / http://xml.sergeant.org:8080/
> ProxyPassReverse / http://xml.sergeant.org:8080/
> 
> ... etc, for all nbvh's
> 
> and almost the same on the backend:
> 
> NameVirtualHost 194.70.26.133
> 
> 
> ServerName xml.sergeant.org
> DocumentRoot...
> ErrorLog...
> CustomLog...
> 
> ... etc, for all nbvh's.
> 
> It can't be this hard, can it? I just want my vhosts config on 1 server -
> not both! And I don't want to be changing my setup - i.e. no mod_rewrite
> to rewrite to DocRoot/hostname - that's just annoying!

-- 
Drew Taylor
Vialogix Communications, Inc.
501 N. College Street
Charlotte, NC 28202
704 370 0550
http://www.vialogix.com/



mod_proxy and Name based Virtual Hosts

2000-04-27 Thread Matt Sergeant

OK, just to get this onto a different subject line... I can't seem to get
mod_proxy to work on the front end with name based virtual hosts on the
backend, I can only get it to work if I have name based virtual hosts on
both ends. So I have a front end saying:

NameVirtualHost 194.70.26.133


ServerName xml.sergeant.org
ProxyPass / http://xml.sergeant.org:8080/
ProxyPassReverse / http://xml.sergeant.org:8080/

... etc, for all nbvh's

and almost the same on the backend:

NameVirtualHost 194.70.26.133


ServerName xml.sergeant.org
DocumentRoot...
ErrorLog...
CustomLog...

... etc, for all nbvh's.

It can't be this hard, can it? I just want my vhosts config on 1 server -
not both! And I don't want to be changing my setup - i.e. no mod_rewrite
to rewrite to DocRoot/hostname - that's just annoying!

-- 


Fastnet Software Ltd. High Performance Web Specialists
Providing mod_perl, XML, Sybase and Oracle solutions
Email for training and consultancy availability.
http://sergeant.org http://xml.sergeant.org




Re: ANNOUNCE: Apache-TicketAccess 0.10

2000-04-27 Thread James G Smith

"Bruce W. Hoylman" <[EMAIL PROTECTED]> wrote:
>
>> "Michael" == Michael Schout <[EMAIL PROTECTED]> writes:
>
>Michael> Okay.  I guess I am at a loss as to what this module should
>Michael> be named then.  It is heavily based on the TicketAccess
>Michael> system in the modperl book.  It is a ticket based
>Michael> authentication system.
>
>Michael> Maybe Apache::AuthTicket?
>
>Michael> Does anyone have any suggestions?
>
>I was thinking AuthTicket also.  That is my vote.

Btw, you might want to look at Authen::Ticket, JIC there is some code you 
might be able to borrow, or if the two are similar enough -- it should be able 
to emulate the scheme presented in the book.

Sorry this is a week after the announce that started this thread - I've been 
very busy at work, which is finally letting me breathe now.
-- 
James Smith <[EMAIL PROTECTED]>, 979-862-3725
Texas A&M CIS Operating Systems Group, Unix





Re: Proxy front end behind 64k

2000-04-27 Thread shane

You need to take a sledge hammer to your config... get rid of almost
EVERYTHING.  Here is a copy of mine..., oh, and you might want to look
back a few days, I posted a really good link about mod_proxy and
mod_rewrite.  Or search apache's site for mod_proxy, or just proxy...
that's how I came up with that link.  Anyhow... here's the config:

#
##  apache-rproxy.conf -- Apache configuration for Reverse Proxy Usage
##

User nobody
Group nobody

#   server type
ServerType   standalone
Port 1080
MinSpareServers  2
StartServers 2
MaxSpareServers  2
MaxClients   16
MaxRequestsPerChild  100

#   server operation parameters
KeepAlive            on
MaxKeepAliveRequests 100
KeepAliveTimeout     15
Timeout              400
IdentityCheck        off
HostnameLookups      off

#   paths to runtime files
PidFile  /usr/local/apacheproxy/logs/apache-rproxy.pid
LockFile /usr/local/apacheproxy/logs/apache-rproxy.lock
ErrorLog /usr/local/apacheproxy/logs/elog
CustomLog    /usr/local/apacheproxy/logs/dlog "%{%v/%T}t %h -> %{SERVER}e URL: %U"

#   unused paths
ServerRoot   /usr/local/apacheproxy
DocumentRoot /tmp
CacheRoot    /tmp
#RewriteLog   /dev/null
TransferLog  /dev/null
#TypesConfig  /dev/null
AccessConfig /dev/null
ResourceConfig   /dev/null

#   speed up and secure processing

Options -FollowSymLinks -SymLinksIfOwnerMatch
#   AllowOverwrite None


#   the status page for monitoring the reverse proxy
#
#SetHandler server-status
#

#   enable the URL rewriting engine
#RewriteEngine    on
#RewriteLogLevel  0

#   define a rewriting map with value-lists where
#   mod_rewrite randomly chooses a particular value
#RewriteMap server  rnd:/path/to/apache-rproxy.conf-servers

#   make sure the status page is handled locally
#   and make sure no one uses our proxy except ourself
#RewriteRule    ^/apache-rproxy-status.*  -  [L]
#RewriteRule    ^(http|ftp)://.*  -  [F]

#   now choose the possible servers for particular URL types
#RewriteRule    ^/(.*\.(cgi|shtml))$  to://${server:dynamic}/$1  [S=1]
#RewriteRule    ^/(.*)$               to://${server:static}/$1

#   and delegate the generated URL by passing it 
#   through the proxy module
#RewriteRule    ^to://([^/]+)/(.*)    http://$1/$2   [E=SERVER:$1,P,L]

#   and make really sure all other stuff is forbidden 
#   when it should survive the above rules...
#RewriteRule    .* -  [F]

#   enable the Proxy module without caching
ProxyRequests    on
NoCache  *

#   setup URL reverse mapping for redirect responses
ProxyPass / http://www.esdev.net/
ProxyPassReverse  /  http://www.esdev.net/

On Thu, Apr 27, 2000 at 05:41:36PM +0100, Matt Sergeant wrote:
> On Thu, 27 Apr 2000, Matt Sergeant wrote:
> 
> > > 1 mod_perl process could handle all the load
> > > you could possibly generate, and just let the mod_proxies build up and
> > > you'll see a lot lower memory usage on your box... seriously, in low
> > > bandwidth situations if your using the box for more than hosting
> > > (which I'd be willing to put good money on you are) then mod_proxy
> > > stands to give you tremendous benefits in the amount of free resources
> > > for other programs.
> > 
> > I'm going to try it. I'll let people know...
> 
> OK, I can't figure this out.. help me out here. I want to deal with my
> virtual hosts on the heavyweight server. The frontend server should just
> be a simple thing that I never have to touch.
> 
> But when I do:
> 
> ProxyPass / http://127.0.0.1:8080/
> ProxyPassReverse / http://127.0.0.1:8080/
> 
> I get all requests going to the default virtual host, not the virtual host
> I'm requesting...
> 
> -- 
> 
> 
> Fastnet Software Ltd. High Performance Web Specialists
> Providing mod_perl, XML, Sybase and Oracle solutions
> Email for training and consultancy availability.
> http://sergeant.org http://xml.sergeant.org
> 



Re: ANNOUNCE: Apache-TicketAccess 0.10

2000-04-27 Thread Bruce W. Hoylman


> "Michael" == Michael Schout <[EMAIL PROTECTED]> writes:

Michael> Okay.  I guess I am at a loss as to what this module should
Michael> be named then.  It is heavily based on the TicketAccess
Michael> system in the modperl book.  It is a ticket based
Michael> authentication system.

Michael> Maybe Apache::AuthTicket?

Michael> Does anyone have any suggestions?

I was thinking AuthTicket also.  That is my vote.



Re: I guess we all have the same problem...

2000-04-27 Thread shane

Install mod_proxy.  It will help... you see..., with a pipe that small
your httpd children are just sort of hanging around feeding really
really small packets.  With mod_proxy you have two sets of processes.
For your bandwidth, you only need ONE big old fat mod_perl process.
And ten really really tiny (500k, maybe smaller) processes feeding
these clients.  I posted a URL that shows you how to config it with
modrewrite..., check it out, it was a couple days ago.  Or just search
the mod_perl list for mod_proxy.

Later,
Shane.

On Thu, Apr 27, 2000 at 01:09:51PM -0300, FEITO Nazareno wrote:
> Talking about speed... I have a SGI with a line of 64k running two Apache,
> one with mod_perl, mod_ssl and mod_asp with databases Oracle and seems like
> httpd overload, he eat a lot of memory and the site is getting slow, I
> suppose the problem is on the databases
> (we all know about Oracle Databases, we give Oracle more memory and Oracle
> eat more memory than before), the other problem is on mod_asp I think cause
> ASP is too much heavy, but... httpd is getting high cause mod_asp or
> mod_perl?
> When we have 10 connections httpd go to the hell... this is some kind of
> problem that don't let me sleep, what can I do?
> Obviously I'm not going to change my bandwidth, but what can I do with
> mod_asp or mod_perl?
> 
> well... thanks anyway
> I hope somebody help me :(
> 
> Nazareno  [EMAIL PROTECTED]
> Perl Programmer   www.obsequie.com
> 



Re: Proxy front end behind 64k

2000-04-27 Thread Matt Sergeant

On Thu, 27 Apr 2000, Matt Sergeant wrote:

> > 1 mod_perl process could handle all the load
> > you could possibly generate, and just let the mod_proxies build up and
> > you'll see a lot lower memory usage on your box... seriously, in low
> > bandwidth situations if your using the box for more than hosting
> > (which I'd be willing to put good money on you are) then mod_proxy
> > stands to give you tremendous benefits in the amount of free resources
> > for other programs.
> 
> I'm going to try it. I'll let people know...

OK, I can't figure this out.. help me out here. I want to deal with my
virtual hosts on the heavyweight server. The frontend server should just
be a simple thing that I never have to touch.

But when I do:

ProxyPass / http://127.0.0.1:8080/
ProxyPassReverse / http://127.0.0.1:8080/

I get all requests going to the default virtual host, not the virtual host
I'm requesting...

-- 


Fastnet Software Ltd. High Performance Web Specialists
Providing mod_perl, XML, Sybase and Oracle solutions
Email for training and consultancy availability.
http://sergeant.org http://xml.sergeant.org




Re: how to rewrite to a POST

2000-04-27 Thread Jim Winstead

On Apr 27, David Hajoglou wrote:
> I need to use the post, because that is what php3 is expecting.  If
> anybody can think of any better way I would like to hear it.  If not, then
> is it possible to translate a GET uri into a POST uri with a
> PerlTransHandler (or any other handler for that matter)??

Does TWIG really care whether the request comes in via GET or POST?
PHP generally does not make a distinction between the two. They
would have had to have gone out of their way to make this a
requirement.  (And one that is probably easily fixed by a search&replace
of HTTP_POST_VARS with HTTP_GET_VARS.)

But I've never used TWIG, so I may be missing the problem.

You could write your own (very limited) "proxy" on the mod_perl
side that used LWP::UserAgent to actually make the request to the
backend. Not quite as easy as just leveraging mod_proxy, but I
don't think it would be terribly difficult, either.

Jim



Re: how to rewrite to a POST

2000-04-27 Thread David Hajoglou

Ok, looking at all the posts I need to spell all of it out.  I am using
the database through the backend to prevent any passwords from being
transmitted and possibly cached in a browser.  Here is how it works:

Our user, let's call him John, logs into our portal.  This is a Microsoft
environment (www.asksimon.com).  He authenticates on an MS server.  At
that time, the Microsoft server generates a random key with a time stamp,
which is | delineated, adds the user name and base64 encodes it. Then all
links for the user to check his e-mail are written as:

<a href="http://twig.asksimon.org/auth?k=b64_encoded_sequence">email</a>

When I get the request my handler, which is triggered to fly when
/auth is requested, looks at the key, queries the MsSql database and
checks the random key and time stamp.  If all checks out, the request is
rewritten into a post like so:

twig.asksimon.org/index.php3 [log_name => "name" log_passwd => "passwd"].

I get the passwd from the .org server thereby keeping any passwords from
being transmitted between the microsoft environment and the linux
environment.

I need to use the post, because that is what php3 is expecting.  If
anybody can think of any better way I would like to hear it.  If not, then
is it possible to translate a GET uri into a POST uri with a
PerlTransHandler (or any other handler for that matter)??

I would like to use pnotes (that would have been easy) but I am going
from mod_perl to mod_php thereby nullifying all of the mod_perl gadgets.


Thanks
David
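
The key check described in the message above, as an added example that is not David's handler and not part of the original thread. The field order (key|timestamp|user), the 32-hex-digit key format, the 120-second lifetime and the in-memory hash standing in for the MsSql lookup are all assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use MIME::Base64 qw(encode_base64 decode_base64);

my $MAX_AGE = 120;   # assumed token lifetime in seconds (not from the post)

# Constructed stand-in for the database table of issued keys:
# random key => [ user name, issue time as epoch seconds ]
my %issued = (
    '9f2c1ab47d03e6585b1c0a77d4e2f901' => [ 'john', 956851200 ],
    '41d7c0e2a9b35f6684d1e07b3c5a9f20' => [ 'mary', 956851200 ],
    'c8e5a1f09b7d4426a3e0d95f1b6c7e33' => [ 'paul', 956850000 ],
);

# Returns (1, $user) on success or (0, $reason) on failure.
sub check_token {
    my ($b64, $now) = @_;

    # decode_base64 silently skips characters outside the alphabet,
    # so check the shape of the input before decoding it.
    return (0, 'malformed')
        unless defined $b64 && $b64 =~ m{\A[A-Za-z0-9+/]+={0,2}\z};

    my ($key, $stamp, $user, @extra) = split /\|/, decode_base64($b64), -1;
    return (0, 'malformed')
        if @extra
        || !defined $user
        || $key   !~ /\A[0-9a-f]{32}\z/
        || $stamp !~ /\A[0-9]{1,10}\z/
        || $user  !~ /\A[A-Za-z0-9_.-]{1,32}\z/;

    # Base64 is an encoding, not a secret: every field in the link can be
    # read and rewritten by whoever holds it, so only the database row is
    # trusted. delete() makes the key single-use, so a link recovered from
    # browser history, a proxy log or a Referer header no longer works.
    my $row = delete $issued{$key}
        or return (0, 'unknown or already used key');
    my ($db_user, $db_stamp) = @$row;

    return (0, 'user does not match key')      unless $user eq $db_user;
    return (0, 'timestamp does not match key') unless $stamp == $db_stamp;
    return (0, 'expired')
        if $now < $db_stamp || $now - $db_stamp > $MAX_AGE;
    return (1, $db_user);
}

# Constructed "current time", 60 seconds after the first two keys were issued.
my $now  = 956851260;
my $john = encode_base64('9f2c1ab47d03e6585b1c0a77d4e2f901|956851200|john', '');

my @cases = (
    [ 'fresh link'    => $john ],
    [ 'same link x2'  => $john ],
    [ 'edited user'   =>
        encode_base64('41d7c0e2a9b35f6684d1e07b3c5a9f20|956851200|root', '') ],
    [ 'stale link'    =>
        encode_base64('c8e5a1f09b7d4426a3e0d95f1b6c7e33|956850000|paul', '') ],
    [ 'not base64'    => '<not a token>' ],
);

for my $case (@cases) {
    my ($label, $token) = @$case;
    my ($ok, $detail) = check_token($token, $now);
    printf "%-13s %s (%s)\n", $label, $ok ? 'accept' : 'reject', $detail;
}
```

Because standard base64 uses `+`, `/` and `=`, the value has to be URL-escaped when it is written into the link, otherwise the shape check rejects it.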




Re: Proxy front end behind 64k

2000-04-27 Thread Matt Sergeant

On Thu, 27 Apr 2000 [EMAIL PROTECTED] wrote:

> You could however have someone with much more bandwidth than you use
> mod_proxy to proxy and cache your site.  Like someone such as myself
> where bandwidth in the US is so cheap it's ridiculous.  Upgrading to
> T1 size pipe in a couple weeks at $200/mo with DSL... hehe, too
> awesome.  (384k now)  So, lemme get this straight..., not only does UK
> have crazy webhosting laws, but you have to pay a ton for the
> bandwidth?  Is the UK purposely trying to kill off any resemblance of
> the new economy in their country?  Good lord!

Yes. BT have decided they want all the money for themselves ;-)

(it's about $500US/month for a 64k leased line - we're getting DSL in the
cities this summer...)

> Okay... I'm really really off topic here.  But... to answer your
> question, no mod_proxy would be a huge benefit strangely enough.
> Because your bandwidth is really small... your going to have clients
> grabbing data at 1KB/sec off a HUGE mod_perl process... 64 of of them
> to be not so exact :-)

8. This is 64Kb, not 64KB. I only wish it were 64KB - had to download NT4
Option pack yesterday...

> 1 mod_perl process could handle all the load
> you could possibly generate, and just let the mod_proxies build up and
> you'll see a lot lower memory usage on your box... seriously, in low
> bandwidth situations if your using the box for more than hosting
> (which I'd be willing to put good money on you are) then mod_proxy
> stands to give you tremendous benefits in the amount of free resources
> for other programs.

I'm going to try it. I'll let people know...

-- 


Fastnet Software Ltd. High Performance Web Specialists
Providing mod_perl, XML, Sybase and Oracle solutions
Email for training and consultancy availability.
http://sergeant.org http://xml.sergeant.org




I guess we all have the same problem...

2000-04-27 Thread FEITO Nazareno

Talking about speed... I have a SGI with a line of 64k running two Apache,
one with mod_perl, mod_ssl and mod_asp with databases Oracle and seems like
httpd overload, it eats a lot of memory and the site is getting slow, I
suppose the problem is on the databases
(we all know about Oracle Databases, we give Oracle more memory and Oracle
eats more memory than before), the other problem is on mod_asp I think cause
ASP is too heavy, but... httpd is getting high cause mod_asp or
mod_perl?
When we have 10 connections httpd go to the hell... this is some kind of
problem that doesn't let me sleep, what can I do?
Obviously I'm not going to change my bandwidth, but what can I do with
mod_asp or mod_perl?

well... thanks anyway
I hope somebody help me :(

Nazareno  [EMAIL PROTECTED]
Perl Programmer   www.obsequie.com




Re: Proxy front end behind 64k

2000-04-27 Thread shane

You could however have someone with much more bandwidth than you use
mod_proxy to proxy and cache your site.  Like someone such as myself
where bandwidth in the US is so cheap it's ridiculous.  Upgrading to
T1 size pipe in a couple weeks at $200/mo with DSL... hehe, too
awesome.  (384k now)  So, lemme get this straight..., not only does UK
have crazy webhosting laws, but you have to pay a ton for the
bandwidth?  Is the UK purposely trying to kill off any resemblance of
the new economy in their country?  Good lord!

Okay... I'm really really off topic here.  But... to answer your
question, no, mod_proxy would be a huge benefit strangely enough.
Because your bandwidth is really small... you're going to have clients
grabbing data at 1KB/sec off a HUGE mod_perl process... 64 of them
to be not so exact :-).  1 mod_perl process could handle all the load
you could possibly generate, and just let the mod_proxies build up and
you'll see a lot lower memory usage on your box... seriously, in low
bandwidth situations if you're using the box for more than hosting
(which I'd be willing to put good money on you are) then mod_proxy
stands to give you tremendous benefits in the amount of free resources
for other programs.

Thanks,
Shane.

On Thu, Apr 27, 2000 at 04:35:26PM +0100, Matt Sergeant wrote:
> I'm behind a 64k leased line here (net access is *extremely* expensive
> here in the UK) and I was thinking, a proxy front end is probably really
> not necessary for me. Worst case scenario: I get 8 clients connecting to
> my at about 1KB/s - my pipe is maxed out anyway, so pushing them
> onto a proxy is just making more work! Just a thought for anyone
> thinking about a proxy front end - evaluate your pipe too.
> 
> -- 
> 
> 
> Fastnet Software Ltd. High Performance Web Specialists
> Providing mod_perl, XML, Sybase and Oracle solutions
> Email for training and consultancy availability.
> http://sergeant.org http://xml.sergeant.org
> 



Re: Proxy front end behind 64k

2000-04-27 Thread Vivek Khera

> "d" == dreamwvr  <[EMAIL PROTECTED]> writes:

d>   that is the whole point about squid since not all requests need to go all 
d> the way out there and all the way back:-))

The discussion here is using squid as a reverse proxy, to accelerate
your httpd to the outside world.  Not using squid as a regular proxy
where it caches requests from your site out.




RE: Proxy front end behind 64k

2000-04-27 Thread Leon Brocard

Matt Sergeant wrote:

> If I can't serve pages any faster, or to more people because 
> of bandwidth limitations - what good can it do me?

dreamwvr may be trying to get the point across that squid could
be on the ISP side of your 64K line. I don't think this is going
to happen in practice, though.

Leon
--
Leon Brocard   |   perl "programmer"   |   [EMAIL PROTECTED]
 



Re: Proxy front end behind 64k

2000-04-27 Thread dreamwvr

hi,
  that is the whole point about squid since not all requests need to go all 
the way out there and all the way back:-))
On Thu, 27 Apr 2000, Matt Sergeant wrote:
> On Thu, 27 Apr 2000, dreamwvr wrote:
> 
> > hi,
> >   so your saying that say 'squid' would not be productive? seems 
> > to me that if you are caching http and ftp stuff well that is going to 
> > provide you with the pseudo of more bandwidth.. since not all requests 
> > need to go beyond squid .. being delivered from the cache or chain of 
> > caches it is more efficient that's for sure.. and that always is better IMHO
> 
> If I can't serve pages any faster, or to more people because of bandwidth
> limitations - what good can it do me?
> 
> -- 
> 
> 
> Fastnet Software Ltd. High Performance Web Specialists
> Providing mod_perl, XML, Sybase and Oracle solutions
> Email for training and consultancy availability.
> http://sergeant.org http://xml.sergeant.org



Re: Proxy front end behind 64k

2000-04-27 Thread Matt Sergeant

On Thu, 27 Apr 2000, dreamwvr wrote:

> hi,
>   so your saying that say 'squid' would not be productive? seems 
> to me that if you are caching http and ftp stuff well that is going to 
> provide you with the pseudo of more bandwidth.. since not all requests 
> need to go beyond squid .. being delivered from the cache or chain of 
> caches it is more efficient that's for sure.. and that always is better IMHO

If I can't serve pages any faster, or to more people because of bandwidth
limitations - what good can it do me?

-- 


Fastnet Software Ltd. High Performance Web Specialists
Providing mod_perl, XML, Sybase and Oracle solutions
Email for training and consultancy availability.
http://sergeant.org http://xml.sergeant.org




Re: Proxy front end behind 64k

2000-04-27 Thread dreamwvr

hi,
  so you're saying that say 'squid' would not be productive? seems 
to me that if you are caching http and ftp stuff well that is going to 
provide you with the pseudo of more bandwidth.. since not all requests 
need to go beyond squid .. being delivered from the cache or chain of 
caches it is more efficient that's for sure.. and that always is better IMHO
Regards,
[EMAIL PROTECTED]   



Proxy front end behind 64k

2000-04-27 Thread Matt Sergeant

I'm behind a 64k leased line here (net access is *extremely* expensive
here in the UK) and I was thinking, a proxy front end is probably really
not necessary for me. Worst case scenario: I get 8 clients connecting to
my at about 1KB/s - my pipe is maxed out anyway, so pushing them
onto a proxy is just making more work! Just a thought for anyone
thinking about a proxy front end - evaluate your pipe too.

-- 


Fastnet Software Ltd. High Performance Web Specialists
Providing mod_perl, XML, Sybase and Oracle solutions
Email for training and consultancy availability.
http://sergeant.org http://xml.sergeant.org




Re: how to rewrite to a POST

2000-04-27 Thread Kip Cranford

On: Thu, 27 Apr 2000 09:06:24 EDT "Ken Y. Clark" wrote:

>On Wed, 26 Apr 2000, David Hajoglou wrote:
>
>> so, is it possible to take a GET request and rewrite the uri into a POST
>> request and if so how?
>
>i'm not sure if that's really necessary.  you could just put the GET args
>into $r->pnotes, perhaps like so:
>
[ snip ]

This approach works, or you could use something like Apache::RequestNotes.
However, you still need to deal with file uploads potentially, which I don't
believe the RequestNotes does.

In my situation, file uploads are important, as is authentication.  I check
authentication credentials on every request, and redirect to a login page
immediately when the check fails.  In this case, posted information (including
the file upload information) would be lost, which isn't good if the user uploaded
a big file.  I work around this by doing a simple client-side authentication
check (I use cookies to hold a username, so just check to see if it exists),
which launches a sub-window allowing the user to authenticate if their cookie
has expired.  Not the most elegant, but the best I could come up with right now.  

I also store all the request information in pnotes like RequestNotes.  However,
I also store a reference to the file upload information (if any) along with
information on where the file contents are located.

If there are better solutions out there, I'm all ears!


--kip



speed up/load balancing of session-based sites

2000-04-27 Thread Dan McCormick

All this talk of mod_proxy has me wondering:  What's the conventional
wisdom regarding the speed up or load balancing of a server running
something like Apache::ASP, or anything else that tracks sessions?

If you split things between a proxy and a mod_perl server, the first hit
would have to go through to the mod_perl server to initiate the session,
but subsequent requests which may not need the session info could be
sent to the proxy.  Is that possible?

Further, what are the standard ways to load balance a session-tracking
app across multiple servers when the sessions are stored in memory and a
given user has to be consistently sent back to the same machine?  Can
round-robin DNS be counted on to send people back to the same server
over the life of a given session?

Dan



off-topic question

2000-04-27 Thread Ron Beck


Hello all,
I have a perl question which is somewhat related because I'm trying to
write a mod_perl script but I'm stuck with this.

I need to search a flat file for either a specific user name, or for all
users.  what I want to do is something like this...

...
if ($user_name =~ /all/)
{
  $regexp_string = "^[a-zA-Z]+";
}
else
{
  $regexp_string = $user_name;
}
foreach $key (sort keys %tickets)
{
 print "$key\t$ticket{$key}\n" if ($key =~ /$regexp_string/);
}

I thought I've done this before but I can't find an example of it.  What
am I missing here?  This is really a basic perl question but I need a
quick answer and I don't have anywhere else to turn at the moment.

Thanks & regards,
Ron



Re: [RFC] modproxy:modperl ratios...

2000-04-27 Thread Vivek Khera

> "MS" == Matt Sergeant <[EMAIL PROTECTED]> writes:

>> doing - and the TCP listen queue will hold a few more
>> connections if you are slightly short of backends.

MS> Is there any benefit of mod_proxy over a real proxy front end like "Oops"?

Not being familiar with "Oops", I can say that I use mod_proxy as the
front end so that I can do virtual hosting.  Doing this with Squid is
not so straight-forward (meaning it requires me to spend lots of time
learning something else to maintain.)

Another valid reason which does not apply to me directly, is that some
places it is hard to get software approved for use.  Once you've got
Apache approved, you can then use the mod_proxy within it, but getting
"Oops" or Squid approved may be more difficult.



Re: [RFC] modproxy:modperl ratios...

2000-04-27 Thread Leslie Mikesell

According to Matt Sergeant:

> Is there any benefit of mod_proxy over a real proxy front end like "Oops"?

I've run squid as an alternative and did not see any serious
differences except that the caching was defeated about 10% of the
time even on images, apparently because the clients were hitting
the 'reload' button.   Apache gives you (a) the already-familiar
config file, (b) mod_rewrite to short-circuit image requests and
direct others to different backends, (c) all the other modules you
might want - ssl, jserv, custom logging, authentication, etc.
The main improvement I'd like to see would be load balancing and
failover on the client side of mod_proxy and some sort of IP takeover
mechanism on the front end side so a pair of machines would act as
hot spares for each other on the same IP address.  I know some work
has been done on this but nothing seems like a complete solution
yet.



Re: how to rewrite to a POST

2000-04-27 Thread J. J. Horner

On Thu, 27 Apr 2000, Ken Y. Clark wrote:

> On Wed, 26 Apr 2000, David Hajoglou wrote:
> 
> > so, is it possible to take a GET request and rewrite the uri into a POST
> > request and if so how?
> 
> i'm not sure if that's really necessary.  you could just put the GET args
> into $r->pnotes, perhaps like so:
> 
> sub handler {
> my $r = shift;
> return DECLINED unless $r->is_main();
> 
> my $apr= Apache::Request->new($r);
> my @params = $apr->param;
> my %args   = ();
> $args{$_}  = $apr->param($_) for @params;
> $r->pnotes('args', %args);
> return OK;
> }
> 

In my situation, we sometimes have developers who try to send uids and
passwords across using a get.  This puts uids and passwords in the
logfile.  Is there a way to rewrite the GET to a POST before logging so as
to remove the uid/password data pairs?

Jon

-- 
J. J. Horner
Apache, Perl, Unix, Linux
[EMAIL PROTECTED] http://www.knoxlug.org/
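
One mitigation for the logging problem raised in the message above, as an added example that is not from the thread: instead of rewriting the request, redact credential parameters from each access-log line before it is stored (for instance from a program fed through Apache's piped-log support) and report which clients sent them. The parameter names and the sample log lines are constructed assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed parameter names; list whatever your applications actually send.
my @SENSITIVE = qw(uid user username login passwd password pass);
my $NAMES     = join '|', map { quotemeta } @SENSITIVE;

# Redacts name=value pairs wherever a query string appears in the line,
# so the quoted request field and the Referer field are both covered.
# Returns the cleaned line and the number of values that were redacted.
sub scrub_line {
    my ($line) = @_;
    my $hits = ($line =~ s{([?&;])($NAMES)=[^&;\s"]*}{$1$2=[REDACTED]}gi);
    return ($line, $hits || 0);
}

# Constructed sample lines in Apache combined log format.
my @sample = (
    '192.0.2.10 - - [27/Apr/2000:09:06:24 -0400] '
      . '"GET /app/login.pl?uid=jdoe&password=hunter2&next=%2Fhome HTTP/1.0" '
      . '200 512 "-" "Mozilla/4.7"',
    '192.0.2.11 - - [27/Apr/2000:09:06:30 -0400] '
      . '"GET /app/home.pl HTTP/1.0" 200 2048 '
      . '"http://intranet.example/app/login.pl?uid=jdoe&password=hunter2" '
      . '"Mozilla/4.7"',
    '192.0.2.12 - - [27/Apr/2000:09:07:02 -0400] '
      . '"GET /search.pl?q=passwords HTTP/1.0" 200 900 "-" "Mozilla/4.7"',
);

my %offenders;   # client address => number of credential values seen
for my $line (@sample) {
    my ($clean, $hits) = scrub_line($line);
    print "$clean\n";
    next unless $hits;
    my ($client) = $line =~ /\A(\S+)/;
    $offenders{$client} += $hits;
}

# Summary for whoever has to chase the developers: the log is clean, but
# these requests still carried credentials in the URL.
for my $client (sort keys %offenders) {
    print STDERR "credentials in URL from $client: ",
                 "$offenders{$client} value(s) redacted\n";
}
```

Redaction only protects the stored log: the values were still sent in the URL, so they can remain in browser history, intermediate proxies and Referer headers sent to other sites.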




Re: [RFC] modproxy:modperl ratios...

2000-04-27 Thread Vivek Khera

> "s" == shane  <[EMAIL PROTECTED]> writes:


s> Okay, these are my thoughts, what do you think?

I just set upper bounds on the number of mod_perl processes to be
about 3/4 of RAM based on the size of the typical httpd with
everything loaded, and then I set the maximum number of front-ends to
be something like 1/2 of RAM based on their sizes.  Then I watch the
status of both and see how many of each we have typically running and
what the max of each was.  If I top out of mod_perl processes, and
that lasts a while, then I've got to adjust (ie, add RAM.)  I've yet
to get near my max front-end process limit.

This is pretty much the only way you can do it.  No amount of theory is
going to predict how the system will behave.  You have to observe and
adjust.  It just makes no sense to allow mod_perl to use more than the
physical amount of RAM on your system, though.

(When I say physical RAM, I mean the amount your system allows your
group of processes to use.  This may be different than the real
hardware amount of RAM.)

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Vivek Khera, Ph.D.                Khera Communications, Inc.
Internet: [EMAIL PROTECTED]       Rockville, MD   +1-301-545-6996
PGP & MIME spoken here            http://www.kciLink.com/home/khera/



RE: how to rewrite to a POST

2000-04-27 Thread Geoffrey Young



> -Original Message-
> From: Ken Y. Clark [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, April 27, 2000 9:06 AM
> To: [EMAIL PROTECTED]
> Subject: Re: how to rewrite to a POST
> 
> 
> On Wed, 26 Apr 2000, David Hajoglou wrote:
> 
> > so, is it possible to take a GET request and rewrite the 
> uri into a POST
> > request and if so how?
> 
> i'm not sure if that's really necessary.  you could just put 
> the GET args
> into $r->pnotes, perhaps like so:
> 
> sub handler {
> my $r = shift;
> return DECLINED unless $r->is_main();
> 
> my $apr= Apache::Request->new($r);
> my @params = $apr->param;
> my %args   = ();
> $args{$_}  = $apr->param($_) for @params;
> $r->pnotes('args', %args);
> return OK;
> }

or just use Apache::RequestNotes, which does all that for you (and parses
your cookies, if any, while it's at it...)

--Geoff

> 
> ky
> 



[ANNOUNCE] AXDTK 0.01

2000-04-27 Thread Matt Sergeant

The first release of the packaged up Apache XML Delivery Toolkit is now
available for download, at http://xml.sergeant.org/download/

The kit bundles together the following modules:

Apache::MimeXML
Apache::XMLStylesheet
Apache::NotXSLT
Apache::XPathScript

There's not very much documentation available at the moment, after
installing type "perldoc Apache::XMLStylesheet" to get general install
instructions.

Discussion of AXDTK takes place on the mailing list. Send a mail to
[EMAIL PROTECTED] to subscribe, or browse the archive at
http://xml.sergeant.org/cgi-bin/ezmlm-cgi/2

-- 


Fastnet Software Ltd. High Performance Web Specialists
Providing mod_perl, XML, Sybase and Oracle solutions
Email for training and consultancy availability.
http://sergeant.org http://xml.sergeant.org





Re: mod_perl-1.99_01-dev

2000-04-27 Thread Stas Bekman

On Tue, 25 Apr 2000, Doug MacEachern wrote:

> On Fri, 21 Apr 2000, Greg Cope wrote:
>  
> > Does this  mean that we {will|may} be able to use the interpreter pool to
> > set up X Perl interpreters (say 20 to service dynamic handlers) with Z
> > apache (say 60 to handle static + dynamic content - assuming the dynamic
> > content is passed to the Perl interpreters) children, and hence have
> > significant memory savings as we can avoid (in some cases) the light / heavy
> > httpd model ?
> 
> yes, exactly.

But you will not be able to tune the two types of the threads to have
different Apache parameters (MaxRequests and others) so I'm not sure you
will get rid of the dual setup, unless these will be taken care of by
mod_perl.

__
Stas Bekman | JAm_pH--Just Another mod_perl Hacker
http://stason.org/  | mod_perl Guide  http://perl.apache.org/guide 
mailto:[EMAIL PROTECTED]  | http://perl.org    http://stason.org/TULARC/
http://singlesheaven.com| http://perlmonth.com http://sourcegarden.org
--




Sorry men

2000-04-27 Thread FEITO Nazareno

Sorry I'm just trying to make your life more easy...
Oh, almost forgot it... ASP is a loss of time on developer time... and the
module is too heavy, sorry but between oracle and ASP our server is down in
performance, we run unix on a SGI and with 256mb ram...
If you are trying to put ASP cause you don't want to break the designer
work, you are losing your time (that was the intention here, but it doesn't
work), the design is all broke.
Is more structured and I vote for put HTML into Perl and not Perl into HTML
or the same with ASP.

Sorry again men... bye

Nazareno
Perl Programmer www.obsequie.com



Re: how to rewrite to a POST

2000-04-27 Thread Ken Y. Clark

On Wed, 26 Apr 2000, David Hajoglou wrote:

> so, is it possible to take a GET request and rewrite the uri into a POST
> request and if so how?

i'm not sure if that's really necessary.  you could just put the GET args
into $r->pnotes, perhaps like so:

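use Apache::Constants qw(OK DECLINED);
use Apache::Request ();

sub handler {
    my $r = shift;
    return DECLINED unless $r->is_main();

    # Parse the request once and copy every parameter into a hash
    my $apr    = Apache::Request->new($r);
    my @params = $apr->param;
    my %args   = ();
    $args{$_}  = $apr->param($_) for @params;
    # pnotes holds one scalar per key, so store a reference to the hash
    $r->pnotes('args', \%args);
    return OK;
}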

ky




RE: Problem compiling mod_perl 1.23 on Solaris 2.4

2000-04-27 Thread FEITO Nazareno

Good For you buddie:)
We know that you can do that... ;)

bybye

Nazareno
Perl Programmer www.obsequie.com



Re: Problem compiling mod_perl 1.23 on Solaris 2.4

2000-04-27 Thread Steve Hay

Steve Hay wrote:

> I'm having a problem compiling mod_perl 1.23 (with Apache 1.3.12 / Perl
> 5.6.0) as a DSO using APXS on Solaris 2.4.

In case anyone is interested...

I've solved my own problem (just as well, really).  If I re-compile
everything with the -Xa compiler flag then it all works out fine.





Re: Apache::ASP and Postgres

2000-04-27 Thread shane

Hi buddy, I have a recommendation for you.  Keep recommendations like
this off the modperl list.  Some people use Apache::Asp and they're
happy with it, others use Embperl, others use Mason.  Some crazy
people like me occasionally write web apps in c.  If you have a
recommendation... I recommend you back it up with a real reason.  Like
it's too slow, or it sucks up too much memory.  Or development time
is significantly impacted.

Maybe I'm just in a bad mood..., but this isn't the kind of thing that
should be on the list.

Thanks,
Shane.





Sorry mistake...

2000-04-27 Thread FEITO Nazareno

In last message I say this: in that way we connect with oracle with DBI
through modperl
but what I did really want to say was... we connect with oracle through DBI
and we use modperl for connect with the webserver.

Sorry, i hope is all clear...
bybye

Nazareno
Perl Programmer www.obsequie.com



RE: Apache::ASP and Postgres

2000-04-27 Thread FEITO Nazareno

Hi buddy... I have a recommendation for you...
Here where I work, we have a unix and a linux running Oracle databases
accessed by perl and ASP, perl is embedded, I mean, .phtml, and it really
sucks, I mean, is really crazy to do that, but the ppl didn't know that...
in that way we connect with oracle with DBI through modperl but we make
another things with ASP and Javascript.
The code is like perl embedded into ASP, the results are good, but when a
programmer want to analyze that we call to the mental hospital, do you
understand me?
I know, you didn't ask that but is just a recommendation, don't mix perl and
ASP... if you going to do it only with ASP is fine, but I don't think you
can do that... 

Nazareno
Perl Programmer www.obsequie.com



OOP, Inheritance, and mod_perl

2000-04-27 Thread bahwi


Hello,
I have a question about OOP, Inheritance, and mod_perl. I have OO
pre-loaded module A, which clients B, C, and D use. Each one gets
their own, and the configuration variables are different. My question here
is how much memory does this take up? Is the module's memory copied
several times for clients B, C, and D? From what I have read I'm pretty
sure that it's not that, just the variables are different, but I'd like to
be sure. 

On to my second question, client E, F, and G each are using pre-loaded OO
module A, but they are inheriting the class, make some changes, and then
creating it with the new method. Each one has a different inheritance, and
different methods are changed or added. How does this affect memory? Does
each one get a full copy of the module in memory, and then it is changed?

Also, I have a question about this that I have seen in /perl-status:


Apache::ROOT::somedir::scripta_2ecgi 
Apache::ROOTsome_2ewhere_2ecom::somedir::scripta_2ecgi 

Was the same script loaded twice? It seems to have been loaded from both
/somedir/scripta.cgi and
some.where.com/somedir/scripta.cgi

Is this taking up memory twice or not? Thanks for your help, we're doing
this on various versions of FreeBSD from 2.x to 3.x

Thanks in advance, I'm still just learning mod_perl so please put up with
me for now.

- -- 
"I worry about my child and the Internet all the time, even though she's
too young to have logged on yet. Here's what I worry about. I worry that
10 or 15 years from now, she will come to me and say 'Daddy, where were
you when they took freedom of the press away from the Internet?' "
- Mike Godwin
- - [EMAIL PROTECTED]




Re: Apache::Filter problems with HEAD...

2000-04-27 Thread Ken Williams

Aha, this is a new bug with the new version of Apache::Filter.  As of 1.008,
the headers aren't sent until the first body text is output.  That means that
during a HEAD request, they're never sent.

I've got a fix in mind - in the meantime you can downgrade to 1.007.


[EMAIL PROTECTED] (Trevor Phillips) wrote:
>I've discovered some problems that I think are related to Apache::Filter. It
>certainly seems to affect only mod_perl scripts which use Apache::Filter...
>
>Basically, when you do a HEAD request method, you don't get any headers back.
>In fact, you don't get anything! When you do a normal GET method, you get all
>the headers, as well as the page content.
>
>I've tested this with different mod_perl scripts (which all support
>Apache::Filter), and they all seem to do it.
>
>Is this a problem with Apache::Filter's handling of HEAD requests?
>
>-- 
>.. Trevor Phillips -   http://jurai.murdoch.edu.au/ . 
>: CWIS Systems Administrator -   [EMAIL PROTECTED] : 
>| IT Services   -   Murdoch University | 
> >--- Member of the #SAS# & #CFC# <
>| On nights such as this, evil deeds are done. And good deeds, of /
>| course. But mostly evil, on the whole. /
> \  -- (Terry Pratchett, Wyrd Sisters)  /
>

  ------
  Ken Williams Last Bastion of Euclidity
  [EMAIL PROTECTED]The Math Forum





[OT] mod_auth_digest bug; Programming modules information needed...

2000-04-27 Thread BeerBong

Hello all!

Today I tried to install mod_auth_digest (Apache 1.3.12).
Installed without any problems, but when I request scripts with parameters
in protected directory -

Bad Request
requested URI /manager/script.asp not equals /manager/script.asp?param_1=23

Or something like this.

I know that mod_auth_digest is an experimental module, it is just a bug report.

And another question.
I need to place homepages of one user's group on one site, and another group
on another.
mod_userdir does not allow to do this.
I found mod_userpath.c and change it slightly.
Script doesn't work, and I don't know where I can read documentation about
writing modules.
I know that there is www.modperl.com and O'Reilly book (I'm not rich enough to
buy this book here - Russia), but maybe you can tell me about other
resources?

#include "httpd.h"
#include "http_config.h"

module userpath_module;

#define DEFAULT_USER_PATH "/usr/local/etc/httpd/htdocs/"


void *create_userpath_config (pool *dummy, server_rec *s)
{
return (void*)DEFAULT_USER_PATH;
}

char *set_user_path (cmd_parms *cmd, void *dummy, char *arg)
{
void *server_conf = cmd->server->module_config;

ap_set_module_config (server_conf, &userpath_module,
   ap_pstrdup (cmd->pool, arg));
return NULL;
}

command_rec userpath_cmds[] = {
{ "UserPath", set_user_path, NULL, RSRC_CONF, TAKE1,
"the directory which contains all user html directories or 'disabled'" },
{ NULL }
};

int translate_userpath (request_rec *r)
{
void *server_conf = r->server->module_config;
char *userpath = (char *)ap_get_module_config(server_conf,
   &userpath_module);
char *name = r->uri;

if (userpath != NULL && strcasecmp(userpath, "disabled") != 0 &&
name[0] == '/' && name[1] == '~')
{
char *w, *dname;

dname = name + 2;
w = ap_getword(r->pool, &dname, '/');

r->filename = ap_pstrcat (r->pool, userpath, "/", w, "/public_html",
   dname, NULL);

return OK;
}

return DECLINED;
}

module userpath_module = {
   STANDARD_MODULE_STUFF,
   NULL,                    /* initializer */
   NULL,                    /* dir config creater */
   NULL,                    /* dir merger --- default is to override */
   create_userpath_config,  /* server config */
   NULL,                    /* merge server config */
   userpath_cmds,           /* command table */
   NULL,                    /* handlers */
   translate_userpath,      /* filename translation */
   NULL,                    /* check_user_id */
   NULL,                    /* check auth */
   NULL,                    /* check access */
   NULL,                    /* type_checker */
   NULL,                    /* fixups */
   NULL                     /* logger */
};


Sergey Polyakov - Chief of WebZavod.
http://www.webzavod.ru




Re: [RFC] modproxy:modperl ratios...

2000-04-27 Thread shane

> Right, but the difference with Oops is it's a threaded server, and while I
> couldn't get it to work (the author appears to be Russian, and his idea of
> documentation is "oops.cfg is easy to understand. Just edit it"), it looks
> like it should be extremely quick, even if serving static images from the
> mod_perl httpd, and letting Oops cache them.
> 

Okay, so I'm horrible... I'm going to evangelize something I worked on
:-).  But if you want a good static accelerator you should take a look
at phhttpd.  I know... I'm a Bad Person (tm).  But seriously, the most
recent edition is pretty darn stable... once you figure out how to use
it.  It's faster than khttpd BTW.  There is "fairly good"
documentation DocBook style that's on the website, but it's not
exactly accurate I've found.  Anyhow, if you post to the list for it
it's likely that either I or Zach will answer really quickly.

It's at: people.redhat.com/zab/ , or they'll probably pull that down
at some point in the future since he doesn't work there anymore, drop
me an email since Zach no longer works for RH.  It's just a lightning
speed HTTPD static accelerator.

Thanks,
Shane.



RE: schwartzian

2000-04-27 Thread Eric Cholet

> where would an intrepid innocent turn for details on what methods
> and/or fields are available to the PerlLogHandler in the passed
> arglist @_ array (okay, $_[0] or shift) ? 
> 
> apparently
> ->last and
> ->request_time and
> ->status
> ..and $_[0]->last has submethods including
>   get_remote_host,
>   method,
>   the_request,
>   header_in,
>   bytes_sent
> ..what else is available, and what's the documentation called?

$_[0] is the request record, all these methods are Apache methods,
'perldoc Apache' will give you the documentation for them.
->last is a pointer to the last subrequest in the request chain.
Also see http://www.modperl.com/book/chapters/ch9.html but be aware
that the perldoc is more up to date.

--
Eric
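
Added example, not part of the thread and not code from the webtechniques article: a PerlLogHandler built on the request-record methods discussed here that escapes the client-supplied fields (host, request URI, user, Referer, User-agent) before writing them, so a CR/LF in a header cannot split or forge a log record. My::SafeLog, My::FakeReq and the sample request are constructed for illustration; the stand-in object lets the file run from a shell without Apache.

```perl
package My::SafeLog;                 # hypothetical module name
use strict; use warnings;
use POSIX qw(strftime);
use constant OK => 0;                # same value as Apache::Constants::OK
# Escape backslashes and every byte outside printable ASCII, so a CR, LF or
# tab inside a client-supplied value cannot split or forge a log record.
sub clean {
    my ($v) = @_;
    return '-' unless defined $v && length $v;
    $v =~ s/([^\x20-\x7e]|\\)/sprintf '\\x%02x', ord $1/ge;
    return $v;
}

# $orig is the request record passed as $_[0]; ->last is the last subrequest.
sub fields {
    my ($orig) = @_;
    my $r = $orig->last;
    my ($uri) = ($r->the_request || '') =~ /^\S+\s+(\S+)/;
    return (
        strftime('%Y-%m-%d %H:%M:%S', localtime($orig->request_time)),
        (map { clean($_) } $r->get_remote_host, $r->method, $uri,
            $r->connection->user, $r->header_in('Referer'),
            $r->header_in('User-agent')),
        $orig->status, $r->bytes_sent,
    );
}

sub handler {
    my ($orig) = @_;
    print STDERR join("\t", fields($orig)), "\n";  # error log under mod_perl
    return OK;
}
# Constructed stand-in for the request record, used only outside mod_perl.
package My::FakeReq;
our $AUTOLOAD;
sub last       { $_[0] }
sub connection { $_[0] }
sub header_in  { $_[0]{headers}{ $_[1] } }
sub AUTOLOAD   { my $s = shift; (my $n = $AUTOLOAD) =~ s/.*:://; $s->{$n} }
sub DESTROY    { }
package main;
unless ($ENV{MOD_PERL}) {            # run from a shell: log one constructed request
    My::SafeLog::handler(bless {
        request_time => 956793600, get_remote_host => '192.0.2.7',
        method => 'GET', the_request => 'GET /index.html HTTP/1.0',
        status => 200, bytes_sent => 512,
        headers => { Referer => "http://example.test/\r\n2000-04-27 00:00:00\tforged" },
    }, 'My::FakeReq');
}
1;
```

Under mod_perl the module would be enabled with a "PerlLogHandler My::SafeLog" line in httpd.conf. Run from a shell, the constructed Referer comes out on a single line with \x0d\x0a and \x09 in place of the raw control characters.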




schwartzian

2000-04-27 Thread w trillich

from his webtechniques article a while back--(source code
is available at www.webtechniques.com)... here's a slice from
r.schwartz's quickie DBIlogger--

$r->push_handlers (
  PerlLogHandler =>
  sub {
    my $orig = shift;
    my $r = $orig->last;
    my @data =
    (
      ht_time($orig->request_time, '%Y-%m-%d %H:%M:%S', 0),
      $r->get_remote_host,
      $r->method,
      # $orig->uri,
      # $r->header_in('Host') .   # for virtual hosts?
      ($r->the_request =~ /^\S+\s+(\S+)/)[0],
      $r->connection->user,
      $r->header_in('Referer'),
      $r->header_in('User-agent'),
      $orig->status,
      $r->bytes_sent,
    );
    ...
  }
);


where would an intrepid innocent turn for details on what methods
and/or fields are available to the PerlLogHandler in the passed
arglist @_ array (okay, $_[0] or shift) ? 

apparently
->last and
->request_time and
->status
..and $_[0]->last has submethods including
get_remote_host,
method,
the_request,
header_in,
bytes_sent
..what else is available, and what's the documentation called?



Perl 5.6 + mod_perl 1.23 + Apache 1.3.12

2000-04-27 Thread Jim Serio

Is anyone else having problems with Perl 5.6?
I just setup a new development box with fresh
installs of:

Perl 5.6
Apache 1.3.12 (compiled w/mod_perl 1.23 + PHP4 RC1)

Everything compiles and runs fine except any
scripts that use either DBI or Apache::DBI.
My scripts work fine on a Perl 5.004 + mod_perl 1.23
install, but on this new box any script run returns 
nothing, zero nada. And the error log shows nothing
as well. It seems to error out on the "connect"
statement. The same script (using DBI instead
of Apache::DBI) runs flawlessly at the shell, so I
have ruled out DBI.

Any ideas?

Jim



Re: [RFC] modproxy:modperl ratios...

2000-04-27 Thread Matt Sergeant

On Thu, 27 Apr 2000 [EMAIL PROTECTED] wrote:

> Matt & List, 
> > Is there any benefit of mod_proxy over a real proxy front end like "Oops"?
> > 
> 
> This is a good question..., the only answer I've come up with thus far
> from reading the new-httpd devel list is compelling though.  Here's
> what people there said in response to folks trying to kill mod_proxy
> as a canonical apache module:  (Using the argument you're sort of
> alluding to)
> 1)  Using mod_proxy as opposed to a separate package allows you to
> leverage other apache modules..., mod_ssl, and mod_raven for
> commercial folks comes to mind.
> 2)  Apache logging.  It's the real deal.
> 
> Those are the only two that I saw on the list that held any water with
> me.  However, if there is an async i/o frontend out there, it would
> have distinct advantages over apache.  Namely speed.  But for me the
> most compelling is reason #1.  If I finish my async i/o patch to
> mod_proxy..., to me, there would be no reason to contemplate another
> package.  (Clearly HUGE personal bias here)

Right, but the difference with Oops is it's a threaded server, and while I
couldn't get it to work (the author appears to be Russian, and his idea of
documentation is "oops.cfg is easy to understand. Just edit it"), it looks
like it should be extremely quick, even if serving static images from the
mod_perl httpd, and letting Oops cache them.

-- 


Fastnet Software Ltd. High Performance Web Specialists
Providing mod_perl, XML, Sybase and Oracle solutions
Email for training and consultancy availability.
http://sergeant.org http://xml.sergeant.org




Re: [RFC] modproxy:modperl ratios...

2000-04-27 Thread shane

Matt & List, 
> Is there any benefit of mod_proxy over a real proxy front end like "Oops"?
> 

This is a good question..., the only answer I've come up with thus far
from reading the new-httpd devel list is compelling though.  Here's
what people there said in response to folks trying to kill mod_proxy
as a canonical apache module:  (Using the argument you're sort of
alluding to)
1)  Using mod_proxy as opposed to a separate package allows you to
leverage other apache modules..., mod_ssl, and mod_raven for
commercial folks comes to mind.
2)  Apache logging.  It's the real deal.

Those are the only two that I saw on the list that held any water with
me.  However, if there is an async i/o frontend out there, it would
have distinct advantages over apache.  Namely speed.  But for me the
most compelling is reason #1.  If I finish my async i/o patch to
mod_proxy..., to me, there would be no reason to contemplate another
package.  (Clearly HUGE personal bias here)

Thanks,
Shane.

BTW:  As Mike Hall brought up, they wanted to kill it because there is
no maintainer for mod_proxy.  There are a lot of people
working on it right now (Graham and Sam..., Graham's cleaning up the
code and Sam's porting it to Apache2.  I think this module is going to
get a lot better in the very near term.  Oh yea, and Graham is working
on KeepAlives, and submitted a HTTP1.1 patch to it.  I'm adding
features but I haven't posted them to the new-httpd list... waiting
till I have a critical mass of feature addition before posting them.)



Re: [RFC] modproxy:modperl ratios...

2000-04-27 Thread Matt Sergeant

On Wed, 26 Apr 2000, Leslie Mikesell wrote:

> According to [EMAIL PROTECTED]:
> > 
> > So, overall..., I think that you should consider how many modperl
> > processes you want completely separately from how many modproxy
> > processes you want.
> 
> Apache takes care of these details for you.  All you need to
> do is configure MaxClients around the absolute top number of
> mod_perls you can handle before you start pushing memory
> to swap, some small MinSpareServers and a bigger MaxSpareServers
> and the rest takes care of itself.  On the front-end side
> you really don't want any process limits.  If you can't
> run enough, buy more memory or turn keepalives down.  Apache
> will keep the right number running for the work you are
> doing - and the TCP listen queue will hold a few more
> connections if you are slightly short of backends.

Is there any benefit of mod_proxy over a real proxy front end like "Oops"?

-- 


Fastnet Software Ltd. High Performance Web Specialists
Providing mod_perl, XML, Sybase and Oracle solutions
Email for training and consultancy availability.
http://sergeant.org http://xml.sergeant.org




Apache::Filter problems with HEAD...

2000-04-27 Thread Trevor Phillips


I've discovered some problems that I think are related to Apache::Filter. It
certainly seems to affect only mod_perl scripts which use Apache::Filter...

Basically, when you do a HEAD request method, you don't get any headers back.
In fact, you don't get anything! When you do a normal GET method, you get all
the headers, as well as the page content.

I've tested this with different mod_perl scripts (which all support
Apache::Filter), and they all seem to do it.

Is this a problem with Apache::Filter's handling of HEAD requests?

-- 
. Trevor Phillips -   http://jurai.murdoch.edu.au/ . 
: CWIS Systems Administrator -   [EMAIL PROTECTED] : 
| IT Services   -   Murdoch University | 
 >--- Member of the #SAS# & #CFC# <
| On nights such as this, evil deeds are done. And good deeds, of /
| course. But mostly evil, on the whole. /
 \  -- (Terry Pratchett, Wyrd Sisters)  /



modperl-unsubscribe@apache.org

2000-04-27 Thread Sylko Olzscher

unsubscribe

Java is calling