RE: throttling

2002-12-04 Thread Christian Gilmore
Looks like you might want to merge the IP-based throttling from mod_throttle
with the location-based throttling from mod_throttle_access. The site that
hosted the source for mod_throttle_access has been lost, but here is the
latest from that site.

Thanks,
Christian

-
Christian Gilmore
Technology Leader
GeT WW Global Applications Development
IBM Software Group



 -Original Message-
 From: Paolo Campanella [mailto:[EMAIL PROTECTED]]
 Sent: Wednesday, December 04, 2002 7:28 AM
 To: [EMAIL PROTECTED]
 Subject: throttling



 Hi all

 I had a look at mod_throttle, but it doesn't seem to be able to do what
 I want. I would like to limit accesses by remote IP address, _per-URL_
 (mod_throttle seems to only be able to do this in the server scope,
 not per-location/per-directory/per-virtualhost).

 Can anyone recommend an alternative which does what I want?


 Thanks




mod_throttle_access-0.2.tar.gz
Description: GNU Zip compressed data


AuthCookie questions

2002-10-22 Thread Christian Gilmore
I'm considering use of Apache::AuthCookie in my environment. Here's the
problem I need to solve. I'm not certain if AuthCookie will, without
modification, support my needs.

  1. Authentication cookies are doled out from a centralized server that is
     out of my control and cannot be modified to suit my local needs (if
     any).

  2. If the cookie is not present when a user hits my site, I redirect to
     the centralized server and leave breadcrumbs in the redirect for the
     cookie server to redirect back to me after giving out the cookie.

  3. I need to parse the cookie to determine validity and populate certain
     environmental variables.

  4. I cannot modify the cookie and should not send additional cookies.

I know that AuthCookie in combination with a locally-written subclass to
implement the authen_ses_key method will handle needs 1-3. I'm uncertain
about 4. Can I use an unmodified AuthCookie to ensure that whatever format
the inbound cookie is in is sufficient and will not need to be modified or
supplemented? I believe the answer is no, and, if it is, should this be
something that AuthCookie be modified to handle?

Thanks,
Christian

-
Christian Gilmore
Technology Leader
GeT WW Global Applications Development
IBM Software Group




RE: AuthCookie questions

2002-10-22 Thread Christian Gilmore
Hi, Michael. Let me try again with more specifics. I'm required to mash my
service into another organization's authentication scheme, ditching my own
secure methods for their cross-domain unencrypted, unsigned cookie.

  1. Foreign server, foreign.foo.com, presents a form to a user requesting
     userid/password. Foreign server accepts credentials and creates simple
     session cookie whose domain is foo.com containing a string of
     unencrypted key/value pairs.
  2. User comes to my local server, local.foo.com, and sends along his
     cookie for domain foo.com. I need to parse out one of the key/value
     pairs and populate an environment variable (aside from REMOTE_USER)
     with the pair's data. If the user comes without the cookie or without
     appropriate data in the cookie, I need to redirect him to foreign.

I am also asked to not create any other cookies. All the data I need is in
the one cookie that comes from foreign. So, my needs boil down to:

  1. Read data from existing cookie.
  1a. Redirect if cookie is non-existent.
  2. Accept or reject cookie.
  2a. If rejected, redirect.
  2b. If accepted, populate environment and return.

On a side note, if anyone finds the proposed design lacking for security or
anything else, please let me know.

Thanks,
Christian

-
Christian Gilmore
Technology Leader
GeT WW Global Applications Development
IBM Software Group


 -Original Message-
 From: Michael Schout [mailto:mschout;gkg.net]
 Sent: Tuesday, October 22, 2002 2:00 PM
 To: Christian Gilmore
 Cc: Modperl Mailing List (E-mail)
 Subject: Re: AuthCookie questions


 Christian Gilmore wrote:

  4. I cannot modify the cookie and should not send additional cookies.

 [snip]

  about 4. Can I use an unmodified AuthCookie to ensure that whatever format
  the inbound cookie is in is sufficient and will not need to be modified or
  supplemented? I believe the answer is no, and, if it is, should this be

 What exactly do you mean by this?  What are you trying to accomplish?
 Do you mean "The user cannot modify the cookie"?  If that's what you
 mean, then yes, there are ways to do that.  Basically you have to
 cryptographically sign the cookie using a secret that is unknown to the
 end user.  There is an example of this in the Eagle book, and
 Apache::AuthTicket uses a scheme similar to this.  Because you can't
 control what the cookie server sends, you'd probably have to do some
 sort of double redirect. For example:

 o user is redirected to auth server
 o auth server returns cookie and redirects to /SIGNHANDLER
 o signhandler gets the cookie, cryptographically signs it, and
   returns the cookie to the client and redirects to real location
 o user is redirected to real location.

 If that's not what you mean, please elaborate.

 Regards,
 Mike
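
The cookie signing suggested in the reply above, as an added example that is not part of the original thread and is not AuthCookie or AuthTicket code. It assumes the foreign cookie is a string of `key=value` pairs joined by `&`; the secret, the `uid` key, the `SSO_UID` variable and the `/login` path on foreign.foo.com are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Constructed demo secret; a real one lives in protected server config and
# is never sent to the client.
my $SECRET = 'constructed-demo-secret';

# Split "k=v&k=v" into a hash ref. The pair syntax is an assumption; the
# thread only says "a string of unencrypted key/value pairs".
sub parse_pairs {
    my ($raw) = @_;
    my %kv;
    for my $pair (split /&/, $raw) {
        my ($k, $v) = split /=/, $pair, 2;
        $kv{$k} = $v if defined $k && length($k) && defined $v;
    }
    return \%kv;
}

# /SIGNHANDLER step: wrap the foreign payload as "payload|expiry|mac".
# The MAC covers payload and expiry together, so neither can be changed
# without knowing the secret.
sub sign_cookie {
    my ($payload, $now, $ttl) = @_;
    my $expires = $now + $ttl;
    return join '|', $payload, $expires,
        hmac_sha256_hex("$payload|$expires", $SECRET);
}

# Compare two strings without stopping at the first differing byte.
sub ct_equal {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1))
        for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

# Returns (1, \%pairs) for a valid cookie, or (0, reason) otherwise.
sub verify_cookie {
    my ($cookie, $now) = @_;
    return (0, 'missing') unless defined $cookie && length($cookie);
    my ($payload, $expires, $mac) =
        $cookie =~ /\A(.*)\|(\d+)\|([0-9a-f]{64})\z/s
        or return (0, 'malformed');
    my $expected = hmac_sha256_hex("$payload|$expires", $SECRET);
    return (0, 'bad signature') unless ct_equal($mac, $expected);
    return (0, 'expired')       unless $expires > $now;
    return (1, parse_pairs($payload));
}

# What an access-phase handler on local.foo.com would do with the cookie:
# redirect to the foreign login, or accept and export one pair.
sub decide {
    my ($cookie, $now) = @_;
    my $login = 'https://foreign.foo.com/login';    # hypothetical path
    my ($ok, $result) = verify_cookie($cookie, $now);
    return "REDIRECT $login ($result)" unless $ok;
    return "REDIRECT $login (no uid)"  unless defined $result->{uid};
    return "OK SSO_UID=$result->{uid}";
}

# Constructed sample data.
my $now     = 1035313200;
my $foreign = 'uid=jdoe&dept=tools';
my $signed  = sign_cookie($foreign, $now, 3600);
(my $tampered = $signed) =~ s/uid=jdoe/uid=root/;

print "valid:    ", decide($signed,   $now + 60),   "\n";
print "tampered: ", decide($tampered, $now + 60),   "\n";
print "expired:  ", decide($signed,   $now + 7200), "\n";
print "unsigned: ", decide($foreign,  $now + 60),   "\n";
print "absent:   ", decide(undef,     $now + 60),   "\n";
```

Only the first call is accepted; an edited payload, an expired cookie and the raw unsigned foreign value all fall through to the redirect.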





RE: Linux + Apache Worm exploiting pre 0.9.6g OpenSSL vulnerabilities on the loose

2002-09-17 Thread Christian Gilmore

Josh,

I believe the virus only affects systems pre-0.9.6e:
http://www.openssl.org/news/secadv_20020730.txt.

Thanks,
Christian

-
Christian Gilmore
Technology Leader
GeT WW Global Applications Development
IBM Software Group


 -Original Message-
 From: Josh Chamas [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, September 17, 2002 2:43 PM
 To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
 Subject: Linux + Apache Worm exploiting pre 0.9.6g OpenSSL
 vulnerabilities on the loose


 Hey,

 There seems to be a worm spreading for Apache + Linux + OpenSSL
 servers that I saw a discussion on at

http://apache.slashdot.org/apache/02/09/13/2315246.shtml?tid=172

 Seems like we need to upgrade our apache servers to OpenSSL 0.9.6g
 if we haven't already.  I didn't see this posted to mod_perl
 yet, forgive me if this has been sent out already.

 Based on discussion at:

http://online.securityfocus.com/bid/5363/discussion/

 it seems that we might need to upgrade modssl as well,
 but I have not seen a release of modssl since June
 ( see http://www.modssl.org/news/ ), so this seems to
 not be necessary, but do not take my word for it, upgrade
 if you think its a good idea ( probably is anyway ).

 Regards,

 Josh
 
 Josh Chamas, Founder       phone: 925-552-0128
 Chamas Enterprises Inc.    http://www.chamas.com
 NodeWorks Link Checking    http://www.nodeworks.com





Carp interaction with mod_perl

2002-05-23 Thread Christian Gilmore

How does the Carp module interact with mod_perl? Is there a built-in catch
for croak or does it actually kill the child process, for instance?

Thanks,
Christian

-
Christian Gilmore
Technology Leader
GeT WW Global Applications Development
IBM Software Group




RE: automatic redirect to https

2002-05-13 Thread Christian Gilmore

Is there a reason you don't just use a Redirect?

  <VirtualHost _default_:80>
  Redirect  /   https://secure.server.com/
  </VirtualHost>

Regards,
Christian

-
Christian Gilmore
Technology Leader
GeT WW Global Applications Development
IBM Software Group


 -Original Message-
 From: Aaron J Mackey [mailto:[EMAIL PROTECTED]]
 Sent: Monday, May 13, 2002 1:12 PM
 To: [EMAIL PROTECTED]
 Subject: automatic redirect to https
 
 
 
 Can anyone see something wrong with this, or suggest a better 
 mechanism:
 
 unless ( $ENV{HTTPS} ) {
     # bounce request to secure port
     my $uri = $r->parsed_uri();
     $uri->scheme('https');
     $r->header_out(Location => $uri->unparse());
     return REDIRECT;
 }

 This doesn't seem to work for me; the browser acts as if it's in an
 eternal redirection loop.  And the server's error log says that a child
 segfaulted in the process.  The $uri->unparse yields a string like
 "https:/mydirectory" when I access "http://myserver.org/mydirectory".  Do
 I need to rebuild the entire URI manually?
 
 Thanks,
 
 -Aaron
 



RE: Throttling, once again

2002-04-22 Thread Christian Gilmore

Hi, Jeremy.

 I looked at the page you mentioned below.  It wasn't really
 clear on the page, but what happens when the requests get above
 the max allowed?  Are the remaining requests queued or are they
 simply given some kind of error message?

The service will respond with an HTTP 503 message when the MaxConcurrentReqs
number is reached. That tells the browser that the service is temporarily
unavailable and to try again later.

 There seem to be a number of different modules for this kind of
 thing, but most of them seem to be fairly old.  We could use a
 more current throttling module that combines what others have
 come up with.

Age shouldn't matter. If something works as designed, it doesn't need to be
updated. :)

 For example, the snert.com mod_throttle is nice because it does
 it based on IP - but it does it site wide in that mode.  This
 mod_throttle seems nice because it can be set for an individual
 URI...But that's a pain for sites like mine that have 50 or
 more intensive scripts (by directory would be nice).  And still
 both of these approaches don't use cookies like some of the
 others to make sure that legit proxies aren't blocked.

Well, the design goals of each are probably different. For instance,
mod_throttle_access was designed to keep a service healthy, not punish a set
of over-zealous users. Blocking by IP doesn't necessarily protect the health
of your service. Also, you shouldn't rely on cookies to ensure the health of
your service. If someone has cookies disabled, they can defeat your scheme.

BTW, mod_throttle_access is a per-directory module (ie, by Directory,
Location, or Files), so you can protect an entire tree at once. It will
just count that entire tree as one unit during its count toward
MaxConcurrentReqs.

Regards,
Christian

-
Christian Gilmore
Technology Leader
GeT WW Global Applications Development
IBM Software Group
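
The behaviour described in this reply (a protected tree counted as one unit toward its concurrent-request cap, with HTTP 503 once the cap is reached), combined with a per-IP cap inside the same tree, as an added example. This is not mod_throttle or mod_throttle_access code; the `LocationThrottle` class, the `max_concurrent` and `max_per_ip` settings and the client addresses are hypothetical or constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

package LocationThrottle;

# %rules maps a location prefix to its caps, for example
#   '/cgi-bin' => { max_concurrent => 4, max_per_ip => 2 }
sub new {
    my ($class, %rules) = @_;
    return bless { rules => \%rules, tree => {}, per_ip => {} }, $class;
}

# Longest configured prefix that covers the URI, or undef if none does.
sub match {
    my ($self, $uri) = @_;
    my @hits = grep { $uri eq $_ || index($uri, "$_/") == 0 }
               keys %{ $self->{rules} };
    my ($best) = sort { length($b) <=> length($a) } @hits;
    return $best;
}

# Called when a request starts. Returns (status, location); the caller
# passes the location back to end_request when the response is finished.
sub begin_request {
    my ($self, $ip, $uri) = @_;
    my $loc = $self->match($uri);
    return (200, undef) unless defined $loc;    # not a throttled tree

    my $rule = $self->{rules}{$loc};
    my $tree = $self->{tree}{$loc}        // 0;
    my $mine = $self->{per_ip}{$loc}{$ip} // 0;

    # The whole tree shares one counter, so the service stays healthy no
    # matter how many distinct clients arrive.
    return (503, $loc) if $tree >= $rule->{max_concurrent};
    # A single address cannot take more than its share of that budget.
    return (503, $loc) if $mine >= $rule->{max_per_ip};

    $self->{tree}{$loc}++;
    $self->{per_ip}{$loc}{$ip}++;
    return (200, $loc);
}

# Called when a request that was admitted has completed.
sub end_request {
    my ($self, $ip, $loc) = @_;
    return unless defined $loc;
    $self->{tree}{$loc}--;
    delete $self->{per_ip}{$loc}{$ip} unless --$self->{per_ip}{$loc}{$ip};
}

package main;

my $throttle = LocationThrottle->new(
    '/cgi-bin' => { max_concurrent => 4, max_per_ip => 2 },
);

# Constructed burst: every request below is still in flight when the
# next one arrives.
my @burst = (
    [ '192.0.2.10',   '/cgi-bin/search.cgi' ],    # spider
    [ '192.0.2.10',   '/cgi-bin/search.cgi' ],
    [ '192.0.2.10',   '/cgi-bin/search.cgi' ],    # over the per-IP cap
    [ '198.51.100.7', '/cgi-bin/report.cgi' ],
    [ '203.0.113.5',  '/cgi-bin/search.cgi' ],
    [ '203.0.113.5',  '/cgi-bin/search.cgi' ],    # tree cap reached
    [ '203.0.113.5',  '/index.html'         ],    # outside the tree
);

my @admitted;
for my $req (@burst) {
    my ($ip, $uri) = @$req;
    my ($status, $loc) = $throttle->begin_request($ip, $uri);
    push @admitted, [ $ip, $loc ] if $status == 200;
    printf "%-13s %-22s %d\n", $ip, $uri, $status;
}

# Once the in-flight requests finish, the same client is served again.
$throttle->end_request(@$_) for @admitted;
my ($status) = $throttle->begin_request('192.0.2.10', '/cgi-bin/search.cgi');
printf "%-13s %-22s %d\n", '192.0.2.10', 'retry after drain', $status;
```

The counters here live in one process; a server with several child processes would need them in shared storage.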





RE: Throttling, once again

2002-04-22 Thread Christian Gilmore

Hi, Drew.

 I came across the very problem you're having. I use mod_bandwidth, it's
 actively maintained, allows via IP, directory or any number of ways to
 monitor bandwidth usage http://www.cohprog.com/mod_bandwidth.html

The size of the data sent through the pipe doesn't reflect the CPU spent to
produce that data. mod_bandwidth probably doesn't apply in the current
scenario being discussed.

Thanks,
Christian

-
Christian Gilmore
Technology Leader
GeT WW Global Applications Development
IBM Software Group





RE: Throttling, once again

2002-04-19 Thread Christian Gilmore

Bill,

If you're looking to throttle access to a particular URI (or set of URIs),
give mod_throttle_access a look. It is available via the Apache Module
Registry and at http://www.fremen.org/apache/mod_throttle_access.html .

Regards,
Christian

-
Christian Gilmore
Technology Leader
GeT WW Global Applications Development
IBM Software Group


-Original Message-
From: Bill Moseley [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 19, 2002 12:56 AM
To: [EMAIL PROTECTED]
Subject: Throttling, once again


Hi,

Wasn't there just a thread on throttling a few weeks ago?

I had a machine hit hard yesterday with a spider that ignored robots.txt.

Load average was over 90 on a dual CPU Enterprise 3500 running Solaris 2.6.
 It's a mod_perl server, but has a few CGI scripts that it handles, and the
spider was hitting one of the CGI scripts over and over.  They were valid
requests, but coming in faster than they were going out.

Under normal usage the CGI scripts are only accessed a few times a day, so
it's not much of a problem to have them served by mod_perl.  And under normal
peak loads RAM is not a problem.

The machine also has bandwidth limitation (packet shaper is used to share
the bandwidth).  That combined with the spider didn't help things.  Luckily
there's 4GB so even at a load average of 90 it wasn't really swapping much.
 (Well not when I caught it, anyway).  This spider was using the same IP
for all requests.

Anyway, I remember Randal's Stonehenge::Throttle discussed not too long
ago.  That seems to address this kind of problem.  Is there anything else
to look into?  Since the front-end is mod_perl, it means I can use a mod_perl
throttling solution, too, which is cool.

I realize there's some fundamental hardware issues to solve, but if I can
just keep the spiders from flooding the machine then the machine is getting
by ok.

Also, does anyone have suggestions for testing once throttling is in place?
 I don't want to start cutting off the good customers, but I do want to get
an idea how it acts under load.  ab to the rescue, I suppose.

Thanks much,


--
Bill Moseley
mailto:[EMAIL PROTECTED]




RE: Multiple Cookie Header Bug with Apache::ProxyRewrite

2002-04-03 Thread Christian Gilmore

Alex,

Thanks for the report! I'll look into it and your provided patch as soon
as I have a chance.

Thanks,
Christian

-
Christian Gilmore
Technology Leader
GeT WW Global Applications Development
IBM Software Group


 -Original Message-
 From: Alex Menendez [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, April 02, 2002 11:45 PM
 To: '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]'
 Cc: '[EMAIL PROTECTED]'; Sean Corfield; Alex Menendez
 Subject: Multiple Cookie Header Bug with Apache::ProxyRewrite


 hello, Christian

 I found a bug with how Apache::ProxyRewrite handles cookies.

 Our proxy server was trying to display a remote application
 that heavily uses cookies but the application was failing miserably.

 I compared the headers of what the proxy server was sending
 to the client vs. what the remote server was displaying. the
 proxy server was only sending one (the last one) of 4
 Set-Cookie headers.

 The problem lies in the way that all headers are set:
 $r->headers_out->{$header} = $value;

 I patched the server by changing some code in: sub respond { }
 to allow for multiple cookie headers.

 Here is what I did:
   # feed response back into our request_record
   $response->scan(sub {
       my ($header, $value) = @_;
       $r->log->debug("respond: OUT $header: $value");
       if ($header =~ /^Set-Cookie/i) {
           $value =~ /path=([^;]+)/i;
           my $cookie_path = $1;
           rewrite_url($r, $remote_site, \$cookie_path, $mapref);
           $value =~ s/(path=)([^;]+)/$1$cookie_path/i;

           # Multiple Cookie Patch added by amen
           # 04/03/2002
           $r->headers_out->add( 'Set-Cookie' => $value );
           $r->log->debug("respond: OUT-MOD $header: $value");
       } else {
           $r->headers_out->{$header} = $value;
       }
   });

 Makes sense :)

 thanx for writing this,
 -amen

 BTW we are using version 0.15





cpan hacked or april fools?

2002-04-01 Thread Christian Gilmore

Anyone looked at CPAN's front page today: www.cpan.org? It is either a
pretty amusing April Fools joke or a hack. Fun either way!

Christian

-
Christian Gilmore
Technology Leader
GeT WW Global Applications Development
IBM Software Group




Authentication redirection

2002-03-07 Thread Christian Gilmore

I am attempting to redirect certain users during the authentication phase
to support password expiration management. I am not having success
building it directly into the authentication module and think it may be
perhaps that the internal REDIRECT constant is ignored if given outside of
a content handling phase. Could someone confirm this thought? I was
attempting this bit of code:

  if ($expired eq 'true') {
      $r->content_type('text/html');
      $r->header_out(Location => $redirect);
      return REDIRECT;
  }

The behavior from this bit of code is just as if I had returned OK.

My other idea is to just write a note on the board and have a downstream
content handler do the redirection, but I was hoping to roll it all into
one package, since the problem, password expiration, is most directly tied
to authentication.

Thanks,
Christian

-
Christian Gilmore
Team Lead
Web Infrastructure  Tools
IBM Software Group




RE: Cache::FileCache issues

2002-01-29 Thread Christian Gilmore

Hrm. I'm running Solaris 8 with a standard install/patch set. I've tried
manipulating the path to have mkdir either be the solaris default
(/usr/bin/mkdir) or the GNU fileutils version (/opt/gnu/bin/mkdir). Both
produce the same error.

[Tue Jan 29 08:28:43 2002] [debug] AuthenCache.pm(197): [client
1.16.67.28] manage_cache: path=/opt/gnu/bin:/sbin:/usr/sbin:/usr/bin
[Tue Jan 29 08:28:43 2002] [debug] AuthenCache.pm(200): [client
1.16.67.28] manage_cache: mkdir=/opt/gnu/bin/mkdir
[Tue Jan 29 08:28:43 2002] [error] mkdir : No such file or directory at
/opt/gnu/depot/perl-5.6.1/lib/site_perl/5.6.1/Cache/FileBackend.pm line
220

[Tue Jan 29 08:32:13 2002] [debug] AuthenCache.pm(197): [client
1.16.67.28] manage_cache: path=/usr/bin:/opt/gnu/bin:/sbin:/usr/sbin
[Tue Jan 29 08:32:13 2002] [debug] AuthenCache.pm(200): [client
1.16.67.28] manage_cache: mkdir=/usr/bin/mkdir
[Tue Jan 29 08:32:13 2002] [error] mkdir : No such file or directory at
/opt/gnu/depot/perl-5.6.1/lib/site_perl/5.6.1/Cache/FileBackend.pm line
220

Regards,
Christian

 -Original Message-
 From: Perrin Harkins [mailto:[EMAIL PROTECTED]]
 Sent: Monday, January 28, 2002 4:38 PM
 To: Christian Gilmore; Modperl Mailing List (E-mail)
 Subject: Re: Cache::FileCache issues


  [Mon Jan 28 14:52:35 2002] [error] mkdir : No such file or
 directory at
  /opt/gnu
  /depot/perl-5.6.1/lib/site_perl/5.6.1/Cache/FileBackend.pm line 220

 Looks to me like your system has no mkdir command, or it
 isn't in the path,
 or it doesn't support an option that's needed (-p maybe?).

 Maybe Cache::FileBackend should use File::Path::mkpath for
 portability.

 - Perrin





Cache::FileCache issues

2002-01-28 Thread Christian Gilmore

Hi. I'm trying to update Apache::AuthenCache and Apache::AuthzCache to use
Cache::Cache instead of IPC::Cache. The cutover should be straightforward
enough, but I am finding a roadblock. I'm hoping someone can point out
something obvious I'm overlooking. Here is the relevant hunk of code and
output from the debug-set apache.

my $cache = Cache::FileCache->new({ namespace          => $auth_name,
                                    default_expires_in => $cache_time_limit,
                                    cache_root         => $cache_dir,
                                    directory_umask    => $cache_umask });


[Mon Jan 28 14:52:35 2002] [debug]
/opt/gnu/depot/perl-5.6.1/lib/site_perl/5.6.1
/Apache/AuthenCache.pm(178): [client 1.16.67.28] manage_cache:
cache_time_limit=
30, cache_dir=/tmp, cache_umask=007, auth_name=Enterprise Server
[Mon Jan 28 14:52:35 2002] [error] mkdir : No such file or directory at
/opt/gnu
/depot/perl-5.6.1/lib/site_perl/5.6.1/Cache/FileBackend.pm line 220

I'm trying to use the default /tmp (I have also tried a non-default), but
I get a burp from within Cache::FileCache's library. Ideas?

Regards,
Christian

-
Christian Gilmore
Team Lead
Web Infrastructure  Tools
IBM Software Group




RE: Request Limiter

2002-01-14 Thread Christian Gilmore

If you're looking for limiting simultaneous requests to a URI resource
(and not the entire server, which can be handled by MaxClients), you may
be looking for mod_throttle_access. It can be found at
http://modules.apache.org/search?id=232.

Regards,
Christian

-
Christian Gilmore
Team Lead
Web Infrastructure  Tools
IBM Software Group


-Original Message-
From: Ken Miller [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 14, 2002 12:14 PM
To: [EMAIL PROTECTED]
Subject: Request Limiter


There was a module floating around a while back that did request limiting
(a DOS preventional tool).  I've searched the archives (unsuccessfully),
and I was wondering if anyone knows what the heck I'm talking about.

I thought it was on Matt Sergeant's web site, but for the life of me I
can't remember what the url is.

Can someone help?

My next question would be, if I can't find the module, is what phase would
I place a request limiter?  Should it just go at the head of the
PerlHandler chain, or earlier in the request phase?

(I do have 'the book', but unfortunately, it's elsewhere right now).

Thanks!

-klm.




RE: DSO Issues

2001-11-27 Thread Christian Gilmore

Ditto. DSO makes my life so much better in terms of portability and
administratability that having my services down for a few seconds during a
log rotation is certainly worth it.

Regards,
Christian

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On
 Behalf Of Vivek Khera
 Sent: Tuesday, November 27, 2001 2:17 PM
 To: [EMAIL PROTECTED]
 Subject: Re: DSO Issues


  DW == David Wheeler [EMAIL PROTECTED] writes:

 DW While it seems to be well-known anecdotally that one
 should never use a
 DW DSO install of mod_perl (particularly among Mason
 developers), is there
 DW yet any place where all the known issues surrounding the
 use of DSO

 The *only* issue I encounter is a massive memory leak upon SIGHUP or
 SIGUSR to apache.  The amount of leakage depends on my particular
 application.  Having a DSO makes it much easier for me to administer
 (having multiple instances of apache running on the same machine, some
 with and some without mod_perl), so I live with it and do a full
 stop/restart instead of SIGHUP to rotate logs.

 --
 =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 Vivek Khera, Ph.D.                Khera Communications, Inc.
 Internet: [EMAIL PROTECTED]       Rockville, MD   +1-240-453-8497
 AIM: vivekkhera Y!: vivek_khera   http://www.khera.org/~vivek/





Module that implements HTTP/1.1 caching?

2001-10-03 Thread Christian Gilmore

Does anyone know if there is a perl module that implements HTTP/1.1
caching? I'd like to use one with Apache::ProxyRewrite and don't want to
reinvent the wheel. :)

Regards,
Christian

-
Christian Gilmore
Team Lead
Web Infrastructure  Tools
IBM Software Group




RE: ANNOUNCE: Starting work on Apache::RedirectUnless

2001-09-18 Thread Christian Gilmore

Putting it into the auth phase would be appropriate, but I have to wonder
why this module is needed other than to refrain from keeping your
configuration file clean. Your unsecure virtual host should have no auth
statements in it if you want all auth to be on your secure virtual host...

You'll need to have your entire session where you want the user to
authenticate on the same virtual host, else the user will be prompted
multiple times or you will have a security gap if you're leaving it all up
to the service layer.

Regards,
Christian

 -Original Message-
 From: J. J. Horner [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, September 18, 2001 8:51 AM
 To: [EMAIL PROTECTED]
 Subject: ANNOUNCE: Starting work on Apache::RedirectUnless


 I have need of a module that will redirect to https anytime
 basic authentication is required.

 I figure the best way to do this is to step in at the authentication
 phase, and should authentication be required and the method be http,
 redirect to https for any and all basic authentication
 traffic.  Perhaps
 after this, redirect to http, if desired.

 Any comments or suggestions?

 Thanks,
 JJ

 --
 J. J. Horner
 H*,6d6174686c696e40326a6e6574776f726b732e636f6d
 ***
 H*,6a6a686f726e65724062656c6c736f7574682e6e6574

 Freedom is an all-or-nothing proposition:  either we
 are completely free, or we are subjects of a
 tyrannical system.  If we lose one freedom in a
 thousand, we become completely subjugated.





RE: ANNOUNCE: Starting work on Apache::RedirectUnless

2001-09-18 Thread Christian Gilmore

A realm is defined by the following three things:

1) AuthName
2) ServerName (well, the server name in the URL actually)
3) Port (well, the port to which the browser is talking)

If these three things are not always the same, the browser will prompt the
user to re-authenticate. So, you cannot authenticate a user on your https
port and magically expect that information to be passed by the browser to
your http port. You'd have to do application-layer session handling with
some kind of shared information across services. There are security
implications to consider here...

Regards,
Christian

 -Original Message-
 From: 'J. J. Horner' [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, September 18, 2001 12:01 PM
 To: [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]
 Subject: Re: ANNOUNCE: Starting work on Apache::RedirectUnless


 The problem with that solution is that we have 2 virtual
 hosts, one http, one https, on one
 machine.  https is the only available transport outside of
 our network, while the http
 server is available internally.

 This is a production webserver, with existing information,
 applications, etc.  We don't
 want to redesign our existing setup just to move content to a
 secure virtualhost when
 someone wants to authenticate.  This approach allows us to
 keep things from the developer
 side very transparent.  Developers can continue to maintain
 and create as usual, with the
 added step of a login being transferred by https method.

 If I were designing a server from scratch, I would plan
 better, but since we are trying
 to implement encrypted basic authentication after the server,
 sites, applications are in place,
 we have to work around them.

 With the AuthName set to one value across the server, we may
 be able to prevent too many logins.

 We need to keep the same content on both virtualhosts as much
 as possible.

 Ideas?  Comments?

 Thanks,
 JJ



 --
 J. J. Horner
 H*,6d6174686c696e40326a6e6574776f726b732e636f6d
 ***
 H*,6a6a686f726e65724062656c6c736f7574682e6e6574

 Freedom is an all-or-nothing proposition:  either we
 are completely free, or we are subjects of a
 tyrannical system.  If we lose one freedom in a
 thousand, we become completely subjugated.





RE: ANNOUNCE: Starting work on Apache::RedirectUnless

2001-09-18 Thread Christian Gilmore

Redirects in the non-secure virtual host to the secure virtual host would
certainly do the trick. The module does have value (better name would be
Apache::AuthRedirect, IMO), but it would be built for people to be lazy
about their configurations.

Regards,
Christian

--
Christian Gilmore
Team Lead
Web Infrastructure  Tools
IBM Software Group

 -Original Message-
 From: Stephen Adkins [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, September 18, 2001 3:09 PM
 To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
 Subject: RE: ANNOUNCE: Starting work on Apache::RedirectUnless


 Hi,

 I have been following this thread with interest because I have been
 struggling with the same problem.  I define it this way.

  * To achieve secure authentication which is widely
 supported, you need
to use Basic authentication over SSL
  * All URLs which can be accessed with HTTPS can be accessed with HTTP
  * I secure certain directories with .htaccess and all of the links
in my site which point to them are via HTTPS, so as long as people
always follow the links, they will never transfer the password
in clear text (essentially) over the network using HTTP.
  * However, if they type the URL directly into the browser and they
*forget* to use https but rather use http, their password
is exposed to network sniffers.

 I think that it was to solve this problem that J.J.Horner suggested
 the module.  Any request to a secured area using HTTP would be
 automatically redirected to the same URL with HTTPS instead.
 Thus, the browser would never, ever be prompted to surrender the
 authentication credentials (password) in the clear over HTTP.

 Thus, I see great value to JJ's suggested module.

 Is there an easier way to safeguard against Apache prompting for
 a password over HTTP?

 Stephen

 At 01:41 PM 9/18/2001 -0500, Christian Gilmore wrote:
 A realm is defined by the following three things:
 
 1) AuthName
 2) ServerName (well, the server name in the URL actually)
 3) Port (well, the port to which the browser is talking)
 
 If these three things are not always the same, the browser
 will prompt the
 user to re-authenticate. So, you cannot authenticate a user
 on your https
 port and magically expect that information to be passed by
 the browser to
 your http port. You'd have to do application-layer session
 handling with
 some kind of shared information across services. There are security
 implications to consider here...
 
 Regards,
 Christian
 
  -Original Message-
  From: 'J. J. Horner' [mailto:[EMAIL PROTECTED]]
  Sent: Tuesday, September 18, 2001 12:01 PM
  To: [EMAIL PROTECTED]
  Cc: [EMAIL PROTECTED]
  Subject: Re: ANNOUNCE: Starting work on Apache::RedirectUnless
 
 
  The problem with that solution is that we have 2 virtual
  hosts, one http, one https, on one
  machine.  https is the only available transport outside of
  our network, while the http
  server is available internally.
 
  This is a production webserver, with existing information,
  applications, etc.  We don't
  want to redesign our existing setup just to move content to a
  secure virtualhost when
  someone wants to authenticate.  This approach allows us to
  keep things from the developer
  side very transparent.  Developers can continue to maintain
  and create as usual, with the
  added step of a login being transferred by https method.
 
  If I were designing a server from scratch, I would plan
  better, but since we are trying
  to implement encrypted basic authentication after the server,
  sites, applications are in place,
  we have to work around them.
 
  With the AuthName set to one value across the server, we may
  be able to prevent too many logins.
 
  We need to keep the same content on both virtualhosts as much
  as possible.
 
  Ideas?  Comments?
 
  Thanks,
  JJ
 
 
  * Christian Gilmore ([EMAIL PROTECTED]) [010918 11:36]:
   Putting it into the auth phase would be appropriate, but I
  have to wonder
   why this module is needed other than to refrain from keeping your
   configuration file clean. Your unsecure virtual host should
  have no auth
   statements in it if you want all auth to be on your secure
  virtual host...
  
   You'll need to have your entire session where you want
 the user to
   authenticate on the same virtual host, else the user will
  be prompted
   multiple times or you will have a security gap if you're
  leaving it all up
   to the service layer.
  
   Regards,
   Christian
  
-Original Message-
From: J. J. Horner [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 8:51 AM
To: [EMAIL PROTECTED]
Subject: ANNOUNCE: Starting work on Apache::RedirectUnless
   
   
I have need of a module that will redirect to https anytime
basic authentication is required.

I figure the best way to do this is to step in at the authentication
phase, and should authentication be required and the method be http,
redirect to https
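
The decision described in this thread (authentication required and the request arrived over http, so redirect to https) can be modelled as below. This is an added example, not code from the thread or from Apache::RedirectUnless; the request fields, host name and credentials are constructed, and it assumes the https virtual host serves the same host name and paths.

```perl
#!/usr/bin/perl
# Added example (not from the thread): model of the "redirect to https when
# Basic auth is required" decision. All request fields are hypothetical.
use strict;
use warnings;
use MIME::Base64 qw(encode_base64 decode_base64);

sub auth_phase_decision {
    my ($req) = @_;

    return { action => 'serve' }        unless $req->{auth_required};
    return { action => 'authenticate' } if $req->{scheme} eq 'https';

    # http and the resource is protected: redirect instead of answering 401,
    # so the cleartext side never issues a Basic challenge.
    # Assumption: the https virtual host uses the same host name and paths.
    my $location = "https://$req->{host}$req->{uri}";
    $location .= "?$req->{args}" if defined $req->{args} && length $req->{args};
    my %decision = (action => 'redirect', status => 302, location => $location);

    # Basic credentials are only base64, so a header that already arrived
    # over http has been readable on the wire; record the user name so the
    # event can be logged and the password changed.
    my $header = defined $req->{authorization} ? $req->{authorization} : '';
    if ($header =~ /^Basic\s+(\S+)\s*$/i) {
        my ($user) = split /:/, decode_base64($1), 2;
        $decision{exposed_user} = $user;
    }
    return \%decision;
}

# Constructed requests, including one that carries credentials over http.
my $constructed_header = 'Basic ' . encode_base64('jdoe:example-password', '');
my @requests = (
    { scheme => 'http',  host => 'www.example.org', uri => '/index.html' },
    { scheme => 'http',  host => 'www.example.org', uri => '/private/report',
      args => 'year=2001', auth_required => 1 },
    { scheme => 'http',  host => 'www.example.org', uri => '/private/',
      auth_required => 1, authorization => $constructed_header },
    { scheme => 'https', host => 'www.example.org', uri => '/private/',
      auth_required => 1, authorization => $constructed_header },
);

for my $req (@requests) {
    my $d = auth_phase_decision($req);
    my $line = sprintf '%-5s %-16s -> %s', $req->{scheme}, $req->{uri}, $d->{action};
    $line .= " $d->{status} $d->{location}" if $d->{action} eq 'redirect';
    $line .= " [credentials for '$d->{exposed_user}' seen in cleartext]"
        if defined $d->{exposed_user};
    print "$line\n";
}
```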

RE: Mod_Perl on AIX

2001-09-06 Thread Christian Gilmore

It greatly depends upon how you built perl. If you're using the
OS-provided perl installation, you'll have to use IBM C for AIX to compile
apache/mod_perl. Also, other problems/pitfalls exist if you wish to use
mod_perl as a DSO. These problems can be overcome, but you'll need
specific versions to do so...

Regards,
Christian

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On
 Behalf Of Jim Cox
 Sent: Sunday, May 06, 2001 2:07 PM
 To: [EMAIL PROTECTED]
 Subject: Mod_Perl on AIX


 Can someone point me to the docs for compiling latest
 mod_perl 1.26 for apache 1.3.20
 on AIX 4.3.3 using gcc.

 Or if docs don't exist, or if I missed something,
 Just slap me.

 The docs I've found result in a broken build environment.
 I suspect that the problem is related to using gcc+ and not the
 distributed AIX cc.

 I just wanted to ask before I tried to modify the distributed
 Makefile.PL.
 Expesially centz I'za perl newbi. :o
 --
 Jim Cox (mailto:[EMAIL PROTECTED])
 (817) 315-8134   (888) 834-7656 Toll Free
 (817) 315-8253 FAX
 (817) 233-8567 Mobile





RE: Mod_Perl on AIX

2001-09-06 Thread Christian Gilmore

You'll need to compile and install your own perl, then, using gcc.

Regards,
Christian

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On
 Behalf Of Jim Cox
 Sent: Sunday, May 06, 2001 5:19 PM
 Cc: [EMAIL PROTECTED]
 Subject: Re: Mod_Perl on AIX
 
 
 
 Therein lies the problem. I currently do not have the IBM supplied cc on
 the system. If the answer is to use only the IBM cc I'm not sure there will
 be an answer.

 Everything else compiles fine, Apache, as well as the other modules.
 
 Thanks.
 
 Christian Gilmore wrote:
  
  It greatly depends upon how you built perl. If you're using the
  OS-provided perl installation, you'll have to use IBM C for AIX to compile
  apache/mod_perl. Also, other problems/pitfalls exist if you wish to use
  mod_perl as a DSO. These problems can be overcome, but you'll need
  specific versions to do so...
  
  Regards,
  Christian
  
 
 -- 
 Jim Cox (mailto:[EMAIL PROTECTED]) 
 (817) 315-8134   (888) 834-7656 Toll Free
 (817) 315-8253 FAX
 (817) 233-8567 Mobile
 



RE: Restricting MP3 files being served

2001-08-14 Thread Christian Gilmore

Actually, you want mod_throttle_access. Standard C apache plugin module.
http://www.fremen.org/apache/.

Regards,
Christian

 -Original Message-
 From: Perrin Harkins [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, August 14, 2001 5:28 PM
 To: Rod Butcher; [EMAIL PROTECTED]
 Subject: Re: Restricting MP3 files being served


  I have a lot of large MP3 files, and want to restrict the number that
  Apache serves concurrently. Is this possible ? I'm posting it here since I
  assume it would require some sort of module to achieve it. ?? (Win 32).

 You want mod_throttle.  I don't know if it works on Windows.
 - Perrin






[ANNOUNCE] Apache::AuthenLDAP 0.61

2001-07-12 Thread Christian Gilmore

The uploaded file

Apache-AuthenLDAP-0.61.tar.gz

has entered CPAN as

  file: $CPAN/authors/id/C/CG/CGILMORE/Apache-AuthenLDAP-0.61.tar.gz
  size: 8287 bytes
   md5: 51603e4084fd448e9f72e6e5e0f26baa

No action is required on your part
Request entered by: CGILMORE (Christian Gilmore)
Request entered on: Thu, 12 Jul 2001 14:30:49 GMT
Request completed:  Thu, 12 Jul 2001 14:31:55 GMT

Virtually Yours,
Id: paused,v 1.74 2001/05/20 14:59:52 k Exp k 


Apache::AuthenLDAP is designed to work with mod_perl and
Net::LDAP. This module authenticates a user against an LDAP
backend. It can be combined with Apache::AuthzLDAP to provide
LDAP authorization as well.

See AuthenLDAP.pm pod for detailed documentation.

$Id: README,v 1.1 2000/09/26 18:27:36 cgilmore Exp $


2001-07-12  Christian Gilmore [EMAIL PROTECTED]

o  Removed test for mod_perl-1.26 or higher.
o  Cleaned up documentation
o  Made release 0.61

2001-05-27  Christian Gilmore [EMAIL PROTECTED]

o  Deprecated generic variable naming in favor of
   module specific to reduce potential conflict with
   other auth modules: 
  LDAPServer  -> AuthenLDAPServer
  LDAPPort    -> AuthenLDAPPort
  UidAttrType -> AuthenUidAttrType
   Original variable names are still accepted but will be removed
   on the next major release.
o  Made release 0.60

2001-01-08  Christian Gilmore [EMAIL PROTECTED]

o  Added handling of blank userid input
o  Better handling of pre-1.26 set_handlers bugs
o  Made release 0.52

2000-09-26  Christian Gilmore [EMAIL PROTECTED]

o  Made first public releases 0.50 and 0.51

$Id: ChangeLog,v 1.6 2001/07/12 14:06:35 cgilmore Exp $


Enjoy,
Christian

-
Christian Gilmore
Infrastructure & Tools Team Lead
Web & Multimedia Development
IBM Software Group 



[ANNOUNCE] Apache::AuthzCache 0.06

2001-07-12 Thread Christian Gilmore

The uploaded file

Apache-AuthzCache-0.06.tar.gz

has entered CPAN as

  file: $CPAN/authors/id/C/CG/CGILMORE/Apache-AuthzCache-0.06.tar.gz
  size: 8800 bytes
   md5: e4b15058f8b67b4906248f27c3f62fbd

No action is required on your part
Request entered by: CGILMORE (Christian Gilmore)
Request entered on: Thu, 12 Jul 2001 14:32:02 GMT
Request completed:  Thu, 12 Jul 2001 14:33:46 GMT

Virtually Yours,
Id: paused,v 1.74 2001/05/20 14:59:52 k Exp k 


Apache::AuthzCache is designed to work with a mod_perl
authorization module to provide caching of group membership for
site users. For a list of mod_perl authorization modules see:
 
http://www.cpan.org/modules/by-module/Apache/apache-modlist.html
 
When a request that requires authorization is received,
Apache::AuthzCache looks up the REMOTE_USER in a shared-memory
cache (using IPC::Cache) and compares the list of groups in the
cache against the groups enumerated within the require
configuration directive. If a match is found, the handler returns
OK and clears the downstream Authz handlers from the
stack. Otherwise, it returns DECLINED and allows the next
PerlAuthzHandler in the chain to be called.
 
After the primary authorization handler completes with an OK,
Apache::AuthzCache::manage_cache adds the new group (listed in
REMOTE_GROUP) to the cache.

See AuthzCache.pm pod for detailed documentation.

$Id: README,v 1.1 2000/09/26 20:11:50 cgilmore Exp $


2001-07-12  Christian Gilmore [EMAIL PROTECTED]

o  Removed test for mod_perl-1.26 or higher.
o  Cleaned up documentation.
o  Made release 0.06.

2001-05-29  Christian Gilmore [EMAIL PROTECTED]
o  Bug fix on strict syntax error.
o  Made release 0.05.

2001-02-28  Christian Gilmore [EMAIL PROTECTED]

o  Added requirement that Apache::Log be imported. Oversight found
   by Rod Bloodgood.
o  Made release 0.04.

2001-01-08  Christian Gilmore [EMAIL PROTECTED]

o  Better handled pre-1.26 set_handlers bugs.
o  Made release 0.03.

2000-09-26  Christian Gilmore [EMAIL PROTECTED]

o  Made first public release 0.02.

$Id: ChangeLog,v 1.6 2001/07/12 14:12:48 cgilmore Exp $


Enjoy,
Christian

-
Christian Gilmore
Infrastructure & Tools Team Lead
Web & Multimedia Development
IBM Software Group
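
The cache-first chain described in the Apache::AuthzCache README above, as a stand-alone model that also shows how long a revoked membership keeps being honoured. This is an added example, not the module's code: the handler names, the directory data and the 300-second lifetime are assumptions made for the illustration.

```perl
#!/usr/bin/perl
# Added example (not the module's code): model of a caching authorization
# handler placed in front of a primary one.
use strict;
use warnings;

# Return codes as defined by Apache::Constants in mod_perl 1.x.
use constant { OK => 0, DECLINED => -1, FORBIDDEN => 403 };

my $TTL = 300;     # assumed cache lifetime in seconds (not a value from the README)
my %cache;         # stands in for the shared-memory cache: user => { group => stored_at }
my %directory = (  # constructed stand-in for the backend the primary handler queries
    alice => { staff  => 1 },
    bob   => { guests => 1 },
);

# Groups named in a "require group ..." line.
sub required_groups {
    my ($require) = @_;
    my ($type, @names) = split ' ', $require;
    return (defined $type && lc $type eq 'group') ? @names : ();
}

# Cache handler: OK on a fresh cached match (and mark the downstream handlers
# as cleared), otherwise DECLINED so the next handler in the chain runs.
sub cache_handler {
    my ($req, $now) = @_;
    my $entry = $cache{ $req->{user} } or return DECLINED;
    for my $group (required_groups($req->{require})) {
        my $stored = $entry->{$group};
        next unless defined $stored;
        if ($now - $stored >= $TTL) {      # expired: forget it and keep looking
            delete $entry->{$group};
            next;
        }
        $req->{downstream_cleared} = 1;
        return OK;
    }
    return DECLINED;
}

# Primary handler: the authoritative check; records the matching group in
# REMOTE_GROUP, which the cache manager reads afterwards.
sub primary_handler {
    my ($req) = @_;
    my $member_of = $directory{ $req->{user} } || {};
    for my $group (required_groups($req->{require})) {
        if ($member_of->{$group}) {
            $req->{remote_group} = $group;
            return OK;
        }
    }
    return FORBIDDEN;
}

# Runs after the primary handler returned OK: add REMOTE_GROUP to the cache.
sub manage_cache {
    my ($req, $now) = @_;
    $cache{ $req->{user} }{ $req->{remote_group} } = $now;
}

# One pass through the authorization phase; returns [status, source].
sub authorize {
    my ($user, $require, $now) = @_;
    my $req = { user => $user, require => $require };
    return [OK, 'cache'] if cache_handler($req, $now) == OK;
    my $status = primary_handler($req);
    manage_cache($req, $now) if $status == OK;
    return [$status, 'directory'];
}

# Constructed timeline: alice is removed from "staff" at t=60.
my @timeline = (
    [   0, 'alice', 'first request, cache empty'],
    [  30, 'alice', 'repeat request'],
    [  60, undef,   'alice removed from staff in the directory'],
    [  90, 'alice', 'request after revocation, entry still fresh'],
    [ 400, 'alice', 'request after the entry expired'],
    [ 400, 'bob',   'user who was never in staff'],
);

for my $step (@timeline) {
    my ($now, $user, $note) = @$step;
    if (!defined $user) {
        delete $directory{alice}{staff};
        printf "t=%-3d  %s\n", $now, $note;
        next;
    }
    my ($status, $source) = @{ authorize($user, 'group staff admins', $now) };
    printf "t=%-3d  %-5s %-9s via %-9s (%s)\n",
        $now, $user, ($status == OK ? 'OK' : 'FORBIDDEN'), $source, $note;
}
```

The request at t=90 is still allowed from the cache although the directory no longer lists the membership, so the cache lifetime is the upper bound on how long a revocation takes to bite.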




[ANNOUNCE] Apache::AuthzLDAP 0.61

2001-07-12 Thread Christian Gilmore

The uploaded file

Apache-AuthzLDAP-0.61.tar.gz

has entered CPAN as

  file: $CPAN/authors/id/C/CG/CGILMORE/Apache-AuthzLDAP-0.61.tar.gz
  size: 9821 bytes
   md5: 0942df504a5569cc8db4aff00a8980e1

No action is required on your part
Request entered by: CGILMORE (Christian Gilmore)
Request entered on: Thu, 12 Jul 2001 14:32:12 GMT
Request completed:  Thu, 12 Jul 2001 14:34:02 GMT

Virtually Yours,
Id: paused,v 1.74 2001/05/20 14:59:52 k Exp k 


Apache::AuthzLDAP is designed to work with mod_perl and
Net::LDAP. This module authorizes a user against an LDAP
backend. It can be combined with Apache::AuthenLDAP to provide
LDAP authentication as well.

See AuthzLDAP.pm pod for detailed documentation.

$Id: README,v 1.1 2000/09/26 18:51:51 cgilmore Exp $


2001-07-12  Christian Gilmore [EMAIL PROTECTED]

o  Removed test for mod_perl-1.26 or higher.
o  Cleaned up documentation.
o  Made release 0.61.

2001-05-27  Christian Gilmore [EMAIL PROTECTED]

o  Deprecated generic variable naming in favor of
   module specific to reduce potential conflict with
   other auth modules: 
  GroupAttrType   -> AuthzGroupAttrType
  GroupAttrValue  -> AuthzGroupAttrValue
  LDAPServer      -> AuthzLDAPServer
  LDAPPort        -> AuthzLDAPPort
  MemberAttrType  -> AuthzMemberAttrType
  MemberAttrValue -> AuthzMemberAttrValue
  NestedGroups    -> AuthzNestedGroups
  UidAttrType     -> AuthzUidAttrType
   Original variable names are still accepted but will be removed
   on the next major release. This change allows for user
   information to be hosted on one LDAP while group information is
   hosted on another.
o  Made release 0.60.

2001-01-08  Christian Gilmore [EMAIL PROTECTED]

o  Fixed bug regarding nested groups whose membership was by dn.
o  Better handling of pre-1.26 set_handlers bugs.
o  Made release 0.51.

2000-09-26  Christian Gilmore [EMAIL PROTECTED]

o  Made first public release 0.50.

$Id: ChangeLog,v 1.5 2001/07/12 14:18:52 cgilmore Exp $


Enjoy,
Christian

-
Christian Gilmore
Infrastructure & Tools Team Lead
Web & Multimedia Development
IBM Software Group




RE: announce: mod_perl-1.25_01

2001-07-10 Thread Christian Gilmore

Hrm. Ok, I'll have to release new versions of my modules that have tests
for mod_perl  1.26. At what release level do you expect this patch to be
committed?

Regards,
Christian

 -Original Message-
 From: Doug MacEachern [mailto:[EMAIL PROTECTED]]
 Sent: Monday, July 09, 2001 10:37 PM
 To: Christian Gilmore
 Cc: 'Modperl Mailing List (E-mail)'
 Subject: Re: announce: mod_perl-1.25_01


 On Mon, 9 Jul 2001, Christian Gilmore wrote:

  Doug,
 
  I didn't see in the announcement that the below fix is included in
  1.25_01. Can you please confirm?

 the patch has not been committed and will probably wait until after
 1.26.  i'm concerned that the current patch might introduce bugs
 elsewhere, it's a thorny problem to solve and i don't want to delay 1.26
 any longer.






Re: announce: mod_perl-1.25_01

2001-07-09 Thread Christian Gilmore

Doug,

I didn't see in the announcement that the below fix is included in
1.25_01. Can you please confirm?

Regards,
Christian

 -Original Message-
 From: Doug MacEachern [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, August 15, 2000 7:59 PM
 To: [EMAIL PROTECTED]
 Cc: 'Modperl Mailing List (E-mail)'
 Subject: Re: Yet more on set_handlers() and new-found problems with
 lookup_uri()



 i think the gist of the problem(s), is that set_handlers() modifies the
 configuration structure (the one created at startup from httpd.conf), so
 any subrequests will end up with the modified structure (which is not
 reset until the end of the request).  this patch implements
 {get,set}_handlers in terms of r->per_request_config, which is
 unique to each (sub-)request.  if this doesn't fix the problem, it would
 really help to have a small test case that i can drop in to see the bug in
 action.

 Index: src/modules/perl/Apache.xs
 ===
 RCS file: /home/cvs/modperl/src/modules/perl/Apache.xs,v
 retrieving revision 1.103
 diff -u -r1.103 Apache.xs
 --- src/modules/perl/Apache.xs 2000/08/15 19:36:32  1.103
 +++ src/modules/perl/Apache.xs 2000/08/16 00:46:44
 @@ -73,12 +73,6 @@
  void (*set_func) (void *, void *, SV *);
  } perl_handler_table;

 -typedef struct {
 -I32 fill;
 -AV *av;
 -AV **ptr;
 -} perl_save_av;
 -
  static void set_handler_dir (perl_handler_table *tab,
 request_rec *r, SV
 *sv);
  static void set_handler_srv (perl_handler_table *tab,
 request_rec *r, SV
 *sv);

 @@ -101,28 +95,17 @@
  {HandlerDirEntry(PerlFixupHandler, PerlFixupHandler)},
  {HandlerDirEntry(PerlHandler, PerlHandler)},
  {HandlerDirEntry(PerlLogHandler, PerlLogHandler)},
 +{HandlerDirEntry(PerlCleanupHandler, PerlCleanupHandler)},
  { FALSE, NULL }
  };

 -static void perl_restore_av(void *data)
 -{
 -perl_save_av *save_av = (perl_save_av *)data;
 -
 -if(save_av-fill != DONE) {
 -AvFILLp(*save_av-ptr) = save_av-fill;
 -}
 -else if(save_av-av != Nullav) {
 -*save_av-ptr = save_av-av;
 -}
 -}
 -
  static void perl_handler_merge_avs(char *hook, AV **dest)
  {
  int i = 0;
  HV *hv = perl_get_hv(Apache::PerlStackedHandlers, FALSE);
  SV **svp = hv_fetch(hv, hook, strlen(hook), FALSE);
  AV *base;
 -
 +
  if(!(svp  SvROK(*svp)))
  return;

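Review bot: The added PerlCleanupHandler row in the handler table is a behaviour change that the description above the patch does not mention; it appears to make that hook reachable through the same table that set_handlers and get_handlers use. Please either say so in the change description or split it into its own change so it can be reviewed and reverted independently. The lone -/+ pair of empty lines inside perl_handler_merge_avs is whitespace-only and can be dropped from the patch.
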
 @@ -133,45 +116,53 @@
  }
  }

 +#define avptr_from_offset(ptr, tab) \
 +(AV **)((char *)ptr + (int)(long)tab-offset)
 +
  static void set_handler_base(void *ptr, perl_handler_table
 *tab, pool *p,
 SV *sv)
  {
 -AV **av = (AV **)((char *)ptr + (int)(long)tab-offset);
 +int do_register_cleanup = 0;
 +AV **av = avptr_from_offset(ptr, tab);

 -perl_save_av *save_av =
 -(perl_save_av *)palloc(p, sizeof(perl_save_av));
 -
 -save_av-fill = DONE;
 -save_av-av = Nullav;
 -
 -if((sv == sv_undef) || (SvIOK(sv)  SvIV(sv) == DONE)) {
 -if(AvTRUE(*av)) {
 -save_av-fill = AvFILL(*av);
 -AvFILLp(*av) = -1;
 -}
 -}
 -else if(SvROK(sv)  SvTYPE(SvRV(sv)) == SVt_PVAV) {
 -if(AvTRUE(*av))
 -save_av-av = av_copy_array(*av);
 -*av = (AV*)SvRV(sv);
 -++SvREFCNT(*av);
 +if ((sv == sv_undef) || (SvIOK(sv)  SvIV(sv) == DONE)) {
 +if (!*av) {
 +do_register_cleanup = 1;
 +}
 +if (*av  SvREFCNT(*av)) {
 +SvREFCNT_dec(*av);
 +}
 +*av = newAV();
 +}
 +else if (SvROK(sv)  SvTYPE(SvRV(sv)) == SVt_PVAV) {
 +*av = (AV*)SvRV(sv);
 +++SvREFCNT(*av);
 +do_register_cleanup = 1;
  }
  else {
 -croak(Can't set_handler with that value);
 +croak(Can't set_handler with that value);
 +}
 +
 +if (do_register_cleanup) {
 +register_cleanup(p, (void*)*av, mod_perl_cleanup_av,
 mod_perl_noop);
  }
 -save_av-ptr = av;
 -register_cleanup(p, save_av, perl_restore_av, mod_perl_noop);
  }

 -static void set_handler_dir(perl_handler_table *tab,
 request_rec *r, SV
 *sv)
 +void set_handler_dir(perl_handler_table *tab, request_rec *r, SV *sv)
  {
 -dPPDIR;
 -set_handler_base((void*)cld, tab, r-pool, sv);
 +dPPREQ;
 +if (!cfg-dir_cfg) {
 +cfg-dir_cfg = perl_create_dir_config(r-pool, r-uri);
 +}
 +set_handler_base((void*)cfg-dir_cfg, tab, r-pool, sv);
  }

  static void set_handler_srv(perl_handler_table *tab,
 request_rec *r, SV
 *sv)
  {
 -dPSRV(r-server);
 -set_handler_base((void*)cls, tab, r-pool, sv);
 +dPPREQ;
 +if (!cfg-srv_cfg) {
 +cfg-srv_cfg = perl_create_server_config(r-pool, NULL);
 +}
 +set_handler_base((void*)cfg-srv_cfg, tab, r-pool, sv);
  }

  static perl_handler_table *perl_handler_lookup(char *name)
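
Review bot: In set_handler_base the cleanup is registered against the current array, (void*)*av, and only when do_register_cleanup is set, yet the undef/DONE branch sets that flag only when *av was NULL. When the slot already holds an array, that branch calls SvREFCNT_dec on it and stores a fresh newAV() with no cleanup registered for the new array, while a cleanup registered by an earlier call in the same request (the array-reference branch always registers one) still refers to the array that was just released. Registering a cleanup for every array that is newly stored, or registering once against the slot (av) rather than its contents, would cover both the unreleased new array and the stale pointer. Separately, set_handler_dir loses its static qualifier in this hunk while the forward declaration shown as context in the first hunk is still static; keep the two consistent.
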
 @@ -185,29 +176,45 @@
  return NULL;
  }

 -
  static SV *get_handlers(request_rec *r, char *hook)
  {
  AV *avcopy;
  AV **av;
 +dPPREQ;
  dPPDIR;
  dPSRV(r-server);

RE: push_handlers and PerlAuthenHandler troubles

2001-07-01 Thread Christian Gilmore

There are known bugs in push_handlers/set_handlers that I believe are
corrected in CVS and should be part of the 1.26 release. Perhaps these
bugs are the problem.

Regards,
Christian

 -Original Message-
 From: Bolt Thrower [mailto:[EMAIL PROTECTED]]
 Sent: Monday, June 25, 2001 10:50 PM
 To: [EMAIL PROTECTED]
 Subject: push_handlers and PerlAuthenHandler troubles


 For a particular Location, I'd like to selectively (i.e., based on
 arbitrary criteria) determine whether a visitor needs authentication.
 So I set up a Location section in httpd.conf as follows:

 <Location />
   AuthType Apache::AuthTicket
   AuthName HomeIntranet
   PerlAuthenHandler Intranet::CheckSiteAuthen
   #PerlAuthenHandler Apache::AuthTicket->authenticate
   PerlAuthzHandler Apache::AuthTicket->authorize
   require valid-user
 </Location>

 Intranet::CheckSiteAuthen looks like:

 ---[start]-
 package Intranet::CheckSiteAuthen;

 use strict;
 use DBI;
 use Apache::Constants qw(:common);
 use Intranet::common;
 use Data::Dumper;


 sub handler {
   my $r = shift;
   $r->warn("starting CheckSiteAuthen");
   $r->push_handlers(PerlAuthenHandler => 'Apache::AuthTicket->authenticate');

   return DECLINED;
 }

 1;
 ---[end]-

 But when I try to access a location under that configuration,
 I see in my error log:
 [Mon Jun 25 18:33:55 2001] [crit] [client 192.168.10.15]
 configuration error:  couldn't check user.  No user file?:
 /u/IntranetLoginForm

 (/u/IntranetLoginForm is the login CGI form that Apache::AuthTicket
 uses).

 All I'm trying to do at this point is set up a PerlAuthenHandler that
 passes control to another one (Apache::AuthTicket->authenticate).

 Of course, everything works with the configuration

 <Location />
   AuthType Apache::AuthTicket
   AuthName HomeIntranet
   #PerlAuthenHandler Intranet::CheckSiteAuthen
   PerlAuthenHandler Apache::AuthTicket->authenticate
   PerlAuthzHandler Apache::AuthTicket->authorize
   require valid-user
 </Location>

 Any suggestions for me?

 Thanks,
 --
 Steve Chadsey [EMAIL PROTECTED]
 So drink to forget and drown all your sorrows
 Bury your dreams and choose catharsis!
 -- Sentenced, Nepenthe





RE: Confusion resolved (was: mod_perl DSO leaking on restart)

2001-06-19 Thread Christian Gilmore

Doug,

Will this patch make it into 1.26? If so, is there a slated release date
for 1.26?

Thanks,
Christian

 -Original Message-
 From: Doug MacEachern [mailto:[EMAIL PROTECTED]]
 Sent: Monday, June 18, 2001 9:04 PM
 To: Paul G. Weiss
 Cc: mod_perl list
 Subject: Re: Confusion resolved (was: mod_perl DSO leaking on restart)


 ah ha, right, since i always have PERL_DEBUG=1, perl_destruct_level is
 always set to 2.  good find!  it should always be 2 for dso, this patch
 seems to fix USE_APXS too.

 --- src/modules/perl/mod_perl.c 2001/06/14 04:49:08 1.137
 +++ src/modules/perl/mod_perl.c 2001/06/19 01:59:18
 @@ -259,8 +259,6 @@

  if((pdl = getenv(PERL_DESTRUCT_LEVEL)))
 perl_destruct_level = atoi(pdl);
 -else
 -   perl_destruct_level = PERL_DESTRUCT_LEVEL;

  if(perl_destruct_level  0) {
 MP_TRACE_g(fprintf(stderr,
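
Review bot: With the else branch removed, perl_destruct_level keeps whatever value it had before this block whenever PERL_DESTRUCT_LEVEL is absent from the environment, and that initial value is not visible in the hunk. Please add a comment stating what the default now is and that the compile-time PERL_DESTRUCT_LEVEL value is intentionally no longer applied here. It would also be worth rejecting a non-numeric environment value instead of letting atoi() silently turn it into 0.
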
 @@ -510,6 +508,7 @@
  array_header *librefs;

  librefs = xs_dl_librefs((pool *)data);
 +perl_destruct_level = 2;
  perl_shutdown(NULL, NULL);
  unload_xs_so(librefs);
  }
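
Review bot: The assignment perl_destruct_level = 2 placed just before perl_shutdown(NULL, NULL) is unconditional, so it overrides any value the administrator supplied through the PERL_DESTRUCT_LEVEL environment variable that the earlier hunk still reads. If the intent is that unloading the DSO always needs full destruction, say so in a comment on that line; otherwise raise the level only when it is below 2.
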








RE: IP based instant throttle?

2001-06-08 Thread Christian Gilmore

You'd want to look at the scoreboard. mod_throttle_access
(http://www.fremen.org/apache/) does this function based upon URI. The
only changes would be to base it upon client IP and change the scope to
allow it to be outside a Directory block. It would be a minor change.

Regards,
Christian

 -Original Message-
 From: Justin [mailto:[EMAIL PROTECTED]]
 Sent: Thursday, June 07, 2001 7:51 PM
 To: [EMAIL PROTECTED]
 Subject: IP based instant throttle?


 Does anyone see the value in a Throttle module that looked at
 the apache parent status block and rejected any request where
 another child was already busy servicing *that same IP* ?
 (note: the real IP is in the header in a backend setup so it
  is not possible to dig it out across children without
  creating another bit of shared memory or using the filesystem?).

 I'm still finding existing throttle modules do not pickup and
 block parallel or fast request streams fast enough .. ok there are
 no massive outages but 10 seconds of delay for everyone because
 all demons are busy servicing the same guy before we can conclude
 we're being flooded is not really great.. modperl driven forums
 (or PHP ones even) can be killed this way since there are so
 many links on one page, all active..

 thanks for any thoughts on this.

 -Justin
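
A stand-alone model of the check discussed in this thread: refuse a request when another child is already busy for the same client, keyed on the real client address in a backend setup. This is an added example, not code from mod_throttle, mod_throttle_access or the posters; the slot table stands in for the scoreboard (or a shared-memory segment holding the derived key), and the addresses, trusted-proxy list and limit are constructed.

```perl
#!/usr/bin/perl
# Added example (not from the thread): per-client concurrency check against a
# scoreboard-like table of child slots.
use strict;
use warnings;

my $MAX_PER_CLIENT = 1;                    # "another child already busy" => reject
my %TRUSTED_PROXY  = ('10.0.0.5' => 1);    # constructed front-end proxy address

# Key to throttle on. Behind a trusted front end the peer address is the
# proxy, so use the last X-Forwarded-For entry (the one the proxy appended);
# from any other peer the header is client-controlled and is ignored.
sub client_key {
    my ($peer_ip, $headers) = @_;
    my $xff = $headers->{'X-Forwarded-For'};
    if ($TRUSTED_PROXY{$peer_ip} && defined $xff) {
        my @hops = grep { length }
                   map  { my $h = $_; $h =~ s/^\s+|\s+$//g; $h }
                   split /,/, $xff;
        return $hops[-1] if @hops;
    }
    return $peer_ip;
}

# Constructed snapshot of the per-child table. Status letters follow
# mod_status: "_" idle, "R" reading request, "W" sending reply. An idle slot
# still shows its last client, so only busy states may be counted.
my @slots = (
    { pid => 101, status => 'W', client => '198.51.100.7' },
    { pid => 102, status => '_', client => '198.51.100.7' },
    { pid => 103, status => 'R', client => '203.0.113.9'  },
    { pid => 104, status => '_', client => ''             },
);

# Number of other children currently busy for this key.
sub busy_for {
    my ($slots, $key, $self_pid) = @_;
    my $count = grep {
        $_->{pid} != $self_pid && $_->{status} =~ /^[RW]$/ && $_->{client} eq $key
    } @$slots;
    return $count;
}

# Decision for the child $self_pid that has just accepted a request.
# Returns (admitted, key).
sub admit {
    my ($slots, $self_pid, $peer_ip, $headers) = @_;
    my $key = client_key($peer_ip, $headers);
    return (0, $key) if busy_for($slots, $key, $self_pid) >= $MAX_PER_CLIENT;
    my ($slot) = grep { $_->{pid} == $self_pid } @$slots;
    @$slot{qw(status client)} = ('W', $key);   # record this child as busy for the key
    return (1, $key);
}

# Constructed arrivals: [child pid, peer address, headers, note].
my @arrivals = (
    [102, '10.0.0.5',   { 'X-Forwarded-For' => '198.51.100.7' },
        'second parallel request from a client already being served'],
    [104, '10.0.0.5',   { 'X-Forwarded-For' => '192.0.2.44' },
        'different client through the proxy'],
    [102, '10.0.0.5',   { 'X-Forwarded-For' => '192.0.2.1, 198.51.100.7' },
        'client-supplied first hop does not change the key'],
    [102, '192.0.2.80', { 'X-Forwarded-For' => '203.0.113.9' },
        'direct peer: header ignored, keyed on the peer itself'],
);

for my $arrival (@arrivals) {
    my ($pid, $peer, $headers, $note) = @$arrival;
    my ($ok, $key) = admit(\@slots, $pid, $peer, $headers);
    printf "child %d  key %-13s %-10s (%s)\n",
        $pid, $key, ($ok ? 'serve' : 'reject 503'), $note;
}
```

In a real multi-process server the count and the update in admit are two separate steps, so they need a lock or an atomic counter around them to stop two children admitting the same client at once.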





[ANNOUNCE] Apache::AuthenLDAP 0.60

2001-05-27 Thread Christian Gilmore

The uploaded file

Apache-AuthenLDAP-0.60.tar.gz

has entered CPAN as

  file: $CPAN/authors/id/C/CG/CGILMORE/Apache-AuthenLDAP-0.60.tar.gz
  size: 8176 bytes
   md5: 07405d95c2e62f5ce20f3dc067317755

No action is required on your part
Request entered by: CGILMORE (Christian Gilmore)
Request entered on: Sun, 27 May 2001 20:57:29 GMT
Request completed:  Sun, 27 May 2001 20:58:49 GMT

Virtually Yours,
Id: paused,v 1.74 2001/05/20 14:59:52 k Exp k 


Apache::AuthenLDAP is designed to work with mod_perl and
Net::LDAP. This module authenticates a user against an LDAP
backend. It can be combined with Apache::AuthzLDAP to provide
LDAP authorization as well.
 
See AuthenLDAP.pm pod for detailed documentation.
 
$Id: README,v 1.1 2000/09/26 18:27:36 cgilmore Exp $


2001-05-27  Christian Gilmore [EMAIL PROTECTED]

o  Deprecated generic variable naming in favor of
   module specific to reduce potential conflict with
   other auth modules: 
  LDAPServer  -> AuthenLDAPServer
  LDAPPort    -> AuthenLDAPPort
  UidAttrType -> AuthenUidAttrType
   Original variable names are still accepted but will be removed
   on the next major release.
o  Made release 0.60

2001-01-08  Christian Gilmore [EMAIL PROTECTED]

o  Added handling of blank userid input
o  Better handling of pre-1.26 set_handlers bugs
o  Made release 0.52

2000-09-26  Christian Gilmore [EMAIL PROTECTED]

o  Made first public releases 0.50 and 0.51

$Id: ChangeLog,v 1.5 2001/05/27 20:52:15 cgilmore Exp $


Enjoy,
Christian

-
Christian Gilmore
Infrastructure & Tools Team Lead
Web & Multimedia Development
Tivoli Systems, Inc.






[ANNOUNCE] Apache::AuthzLDAP 0.60

2001-05-27 Thread Christian Gilmore

The uploaded file

Apache-AuthzLDAP-0.60.tar.gz

has entered CPAN as

  file: $CPAN/authors/id/C/CG/CGILMORE/Apache-AuthzLDAP-0.60.tar.gz
  size: 9718 bytes
   md5: ee2f18984cea35f0c2c139c25a255526

No action is required on your part
Request entered by: CGILMORE (Christian Gilmore)
Request entered on: Sun, 27 May 2001 20:57:43 GMT
Request completed:  Sun, 27 May 2001 20:59:04 GMT

Virtually Yours,
Id: paused,v 1.74 2001/05/20 14:59:52 k Exp k 


Apache::AuthzLDAP is designed to work with mod_perl and
Net::LDAP. This module authorizes a user against an LDAP
backend. It can be combined with Apache::AuthenLDAP to provide
LDAP authentication as well.
 
See AuthzLDAP.pm pod for detailed documentation.
 
$Id: README,v 1.1 2000/09/26 18:51:51 cgilmore Exp $


2001-05-27  Christian Gilmore [EMAIL PROTECTED]

o  Deprecated generic variable naming in favor of
   module specific to reduce potential conflict with
   other auth modules: 
  GroupAttrType   -> AuthzGroupAttrType
  GroupAttrValue  -> AuthzGroupAttrValue
  LDAPServer      -> AuthzLDAPServer
  LDAPPort        -> AuthzLDAPPort
  MemberAttrType  -> AuthzMemberAttrType
  MemberAttrValue -> AuthzMemberAttrValue
  NestedGroups    -> AuthzNestedGroups
  UidAttrType     -> AuthzUidAttrType
   Original variable names are still accepted but will be removed
   on the next major release. This change allows for user
   information to be hosted on one LDAP while group information is
   hosted on another.
o  Made release 0.60

2001-01-08  Christian Gilmore [EMAIL PROTECTED]

o  Fixed bug regarding nested groups whose membership was by dn
o  Better handling of pre-1.26 set_handlers bugs
o  Made release 0.51

2000-09-26  Christian Gilmore [EMAIL PROTECTED]

o  Made first public release 0.50

$Id: ChangeLog,v 1.4 2001/05/27 20:50:07 cgilmore Exp $


Enjoy,
Christian

-
Christian Gilmore
Infrastructure & Tools Team Lead
Web & Multimedia Development
Tivoli Systems, Inc.






[ANNOUNCE] Apache::ProxyRewrite 0.14

2001-03-21 Thread Christian Gilmore

The uploaded file

Apache-ProxyRewrite-0.14.tar.gz

has entered CPAN as

  file: $CPAN/authors/id/C/CG/CGILMORE/Apache-ProxyRewrite-0.14.tar.gz
  size: 11720 bytes
   md5: 5d9f08ffb63b78f279bffef5b3afb8dd

No action is required on your part
Request entered by: CGILMORE (Christian Gilmore)
Request entered on: Wed, 21 Mar 2001 16:34:36 GMT
Request completed:  Wed, 21 Mar 2001 16:35:48 GMT

Virtually Yours,
Id: paused,v 1.72 2000/12/26 15:12:53 k Exp k 


Apache::ProxyRewrite acts as a reverse-proxy that will rewrite
URLs embedded in HTML documents per apache configuration
directives.
 
This module was written to allow multiple backend services with
discrete URLs to be presented as one service and to allow the
proxy to do authentication on the client's behalf.

See ProxyRewrite.pm pod for detailed documentation.

$Id: README,v 1.1 2001/01/02 23:10:47 cgilmore Exp $


2001-03-20  Christian Gilmore [EMAIL PROTECTED]
o  Corrected bug preparing redirect responses. Bug reported by
   Vsevolod Ilyushchenko.
o  Parser now handles tags with single quotes. Bug reported by
   Andrew Carlson.
o  Made release 0.14.

2001-03-02  Christian Gilmore [EMAIL PROTECTED]

o  Corrected bug handling tags with whitespace around
   edges of quotes.
o  Made release 0.13.

2001-03-02  Christian Gilmore [EMAIL PROTECTED]

o  Corrected mishandling of URL-shrinking in rewrite_url.
o  Ensured that parsing loop closes in the case of final
   missing end tag.
o  Now unescape headers for proxy request. Bug reported and
   patched by Eric Kolve.
o  Removed use of deprecated header_in and header_out in favor
   of current headers_in and headers_out.
o  Set-Cookie path is now rewritten. Feature requested by Eric
   Kolve.
o  Made release 0.12.

2001-01-14  Christian Gilmore [EMAIL PROTECTED]

o  Added 'base' as an element of the LINK_ELEMENT hash. Bug
   reported by Eric Kolve.
o  Made release 0.11.

2001-01-02  Christian Gilmore [EMAIL PROTECTED]

o  Made first public release 0.10.

$Id: ChangeLog,v 1.6 2001/03/21 16:25:04 cgilmore Exp $


Enjoy,
Christian

-
Christian Gilmore
Infrastructure & Tools Team Lead
Web & Multimedia Development
Tivoli Systems, Inc.





[ANNOUNCE] Apache::ProxyRewrite 0.13

2001-03-07 Thread Christian Gilmore

The uploaded file

Apache-ProxyRewrite-0.13.tar.gz

has entered CPAN as

  file: $CPAN/authors/id/C/CG/CGILMORE/Apache-ProxyRewrite-0.13.tar.gz
  size: 11473 bytes
   md5: 2d071b8a4f8aed938b349804b7648890

No action is required on your part
Request entered by: CGILMORE (Christian Gilmore)
Request entered on: Wed, 07 Mar 2001 19:50:37 GMT
Request completed:  Wed, 07 Mar 2001 19:51:06 GMT

Virtually Yours,
Id: paused,v 1.72 2000/12/26 15:12:53 k Exp k 


Apache::ProxyRewrite acts as a reverse-proxy that will rewrite
URLs embedded in HTML documents per apache configuration
directives.
 
This module was written to allow multiple backend services with
discrete URLs to be presented as one service and to allow the
proxy to do authentication on the client's behalf.

See ProxyRewrite.pm pod for detailed documentation.

$Id: README,v 1.1 2001/01/02 23:10:47 cgilmore Exp $


2001-03-02  Christian Gilmore [EMAIL PROTECTED]

o  Corrected bug handling tags with whitespace around
   edges of quotes.
o  Made release 0.13.

2001-03-02  Christian Gilmore [EMAIL PROTECTED]

o  Corrected mishandling of URL-shrinking in rewrite_url.
o  Ensured that parsing loop closes in the case of final
   missing end tag.
o  Now unescape headers for proxy request. Bug reported and
   patched by Eric Kolve.
o  Removed use of deprecated header_in and header_out in favor
   of current headers_in and headers_out.
o  Set-Cookie path is now rewritten. Feature requested by Eric
   Kolve.
o  Made release 0.12.

2001-01-14  Christian Gilmore [EMAIL PROTECTED]

o  Added 'base' as an element of the LINK_ELEMENT hash. Bug
   reported by Eric Kolve.
o  Made release 0.11.

2001-01-02  Christian Gilmore [EMAIL PROTECTED]

o  Made first public release 0.10.

$Id: ChangeLog,v 1.4 2001/03/07 19:43:15 cgilmore Exp $


Enjoy,
Christian

-
Christian Gilmore
Infrastructure & Tools Team Lead
Web & Multimedia Development
Tivoli Systems, Inc.




[ANNOUNCE] Apache::AuthzCache 0.04

2001-03-02 Thread Christian Gilmore

The uploaded file

Apache-AuthzCache-0.04.tar.gz

has entered CPAN as

  file: $CPAN/authors/id/C/CG/CGILMORE/Apache-AuthzCache-0.04.tar.gz
  size: 8624 bytes
   md5: 1a7794bc9878041af34f7fc4511b52ef

No action is required on your part
Request entered by: CGILMORE (Christian Gilmore)
Request entered on: Fri, 02 Mar 2001 21:21:18 GMT
Request completed:  Fri, 02 Mar 2001 21:21:28 GMT

Virtually Yours,
Id: paused,v 1.72 2000/12/26 15:12:53 k Exp k 


Apache::AuthzCache is designed to work with a mod_perl
authorization module to provide caching of group membership for
site users. For a list of mod_perl authorization modules see:
 
http://www.cpan.org/modules/by-module/Apache/apache-modlist.html
 
When a request that requires authorization is received,
Apache::AuthzCache looks up the REMOTE_USER in a shared-memory
cache (using IPC::Cache) and compares the list of groups in the
cache against the groups enumerated within the "require"
configuration directive. If a match is found, the handler returns
OK and clears the downstream Authz handlers from the
stack. Otherwise, it returns DECLINED and allows the next
PerlAuthzHandler in the chain to be called.
 
After the primary authorization handler completes with an OK,
Apache::AuthzCache::manage_cache adds the new group (listed in
REMOTE_GROUP) to the cache.

See AuthzCache.pm pod for detailed documentation.

$Id: README,v 1.1 2000/09/26 20:11:50 cgilmore Exp $


2001-02-28  Christian Gilmore [EMAIL PROTECTED]

o  Added requirement that Apache::Log be imported. Oversight found
   by Rod Bloodgood.
o  Made release 0.04

2001-01-08  Christian Gilmore [EMAIL PROTECTED]

o  Better handled pre-1.26 set_handlers bugs
o  Made release 0.03

2000-09-26  Christian Gilmore [EMAIL PROTECTED]

o  Made first public release 0.02

$Id: ChangeLog,v 1.4 2001/02/28 23:52:13 cgilmore Exp $




[ANNOUNCE] Apache::ProxyRewrite 0.12

2001-03-02 Thread Christian Gilmore

The uploaded file

Apache-ProxyRewrite-0.12.tar.gz

has entered CPAN as

  file: $CPAN/authors/id/C/CG/CGILMORE/Apache-ProxyRewrite-0.12.tar.gz
  size: 11412 bytes
   md5: 3155ae03a511171270d88a8ead86677d

No action is required on your part
Request entered by: CGILMORE (Christian Gilmore)
Request entered on: Fri, 02 Mar 2001 21:17:46 GMT
Request completed:  Fri, 02 Mar 2001 21:18:12 GMT

Virtually Yours,
Id: paused,v 1.72 2000/12/26 15:12:53 k Exp k 


Apache::ProxyRewrite acts as a reverse-proxy that will rewrite
URLs embedded in HTML documents per apache configuration
directives.
 
This module was written to allow multiple backend services with
discrete URLs to be presented as one service and to allow the
proxy to do authentication on the client's behalf.

See ProxyRewrite.pm pod for detailed documentation.

$Id: README,v 1.1 2001/01/02 23:10:47 cgilmore Exp $


2001-03-02  Christian Gilmore [EMAIL PROTECTED]

o  Corrected mishandling of URL-shrinking in rewrite_url.
o  Ensured that parsing loop closes in the case of final
   missing end tag.
o  Now unescape headers for proxy request. Bug reported and
   patched by Eric Kolve.
o  Removed use of deprecated header_in and header_out in favor
   of current headers_in and headers_out.
o  Set-Cookie path is now rewritten. Feature requested by Eric
   Kolve.
o  Made release 0.12.

2001-01-14  Christian Gilmore [EMAIL PROTECTED]

o  Added 'base' as an element of the LINK_ELEMENT hash. Bug
   reported by Eric Kolve.
o  Made release 0.11.

2001-01-02  Christian Gilmore [EMAIL PROTECTED]

o  Made first public release 0.10.

$Id: ChangeLog,v 1.3 2001/03/02 21:12:48 cgilmore Exp $


Enjoy,
Christian

-
Christian Gilmore
Infrastructure & Tools Team Lead
Web & Multimedia Development
Tivoli Systems, Inc.



[RESEND] Apache::Status and custom menu_items

2001-02-07 Thread Christian Gilmore

I didn't get any responses on this thread a few weeks ago. Does anyone
have any successful experience with adding a custom menu in
Apache::Status?

Regards,
Christian

-Original Message-
From: Christian Gilmore [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 24, 2001 5:26 PM
To: Modperl Mailing List (E-mail)
Subject: Apache::Status and custom menu_items


I'm attempting to insert a custom menu item as described in the eagle
book, pages 641-3. To my knowledge, I've properly coded, yet I don't see
any change in the /perl-status output. Also, a number of modules I know
are loaded, such as Apache::Resource and Tivoli::Apache::AuthenCache,
don't show up in the "Loaded Modules" section. Here's my httpd
configuration (the kitchen sink approach while attempting to determine the
problem):

  PerlModule Apache::Status
  PerlModule Apache::Resource
  PerlModule HTML::Embperl
  PerlModule B::Terse

  PerlSetEnv PERL_RLIMIT_CPU 120

  PerlModule Tivoli::Apache::AuthenLDAP
  PerlModule Tivoli::Apache::AuthzLDAP
  PerlModule Tivoli::Apache::AuthenCache
  PerlModule Tivoli::Apache::AuthzCache

  SetEnv EMBPERL_OPTIONS 19472
  SetEnv EMBPERL_ESCMODE 0

  <Location /perl-status>
  SetHandler  perl-script
  PerlHandler Apache::Status
  PerlSetVar  StatusDumper               On
  PerlSetVar  StatusPeek                 On
  PerlSetVar  StatusLexInfo              On
  PerlSetVar  StatusDeparse              On
  PerlSetVar  StatusTerse                On
  PerlSetVar  StatusTerseSize            On
  PerlSetVar  StatusTerseSizeMainSummary On
  </Location>

Any ideas where these menu_items are supposed to show up? I understood it
to be the top level. Neither my module's menu_items nor Apache::Resource's
menu_items appear, although if I dig through the symbol table dump, I find
both packages have the routine for menu_items listed and available for
deparsing, dumps, etc.

Also, the "Memory Usage" item that should show up when
StatusTerseSizeMainSummary is on is not showing up.

Regards,
Christian

---------
Christian Gilmore
Infrastructure & Tools Team Lead
Web & Multimedia Development
Tivoli Systems, Inc.





RE: [RESEND] Apache::Status and custom menu_items

2001-02-07 Thread Christian Gilmore

Are you saying that you see an extra menu from Apache::DBI when using
Apache::Status? I'm not seeing any custom menus. For instance,
Apache::Resource custom menu does not display. I'm currently using
apache-1.3.12 with mod_perl-1.24 on solaris-2.6.

Regards,
Christian

 -Original Message-
 From: Vivek Khera [mailto:[EMAIL PROTECTED]]
 Sent: Wednesday, February 07, 2001 1:05 PM
 To: Modperl Mailing List (E-mail)
 Subject: Re: [RESEND] Apache::Status and custom menu_items


  "CG" == Christian Gilmore [EMAIL PROTECTED] writes:

 CG I didn't get any responses on this thread a few weeks
 ago. Does anyone
 CG have any successful experience with adding a custom menu in
 CG Apache::Status?

 Apache::DBI appends its own menu item.  Couldn't you do yours the
 same way?





RE: [RESEND] Apache::Status and custom menu_items

2001-02-07 Thread Christian Gilmore

I believe I'm doing that. I don't have a startup.pl. Here's what's in
httpd.conf (in order):

  PerlModule Apache::Status
  PerlModule Apache::Resource
  PerlModule HTML::Embperl
  PerlModule B::Terse

  PerlSetEnv PERL_RLIMIT_CPU 120

  PerlModule Tivoli::Apache::AuthenLDAP
  PerlModule Tivoli::Apache::AuthzLDAP
  PerlModule Tivoli::Apache::AuthenCache
  PerlModule Tivoli::Apache::AuthzCache

Regards,
Christian

 -Original Message-
 From: Vivek Khera [mailto:[EMAIL PROTECTED]]
 Sent: Wednesday, February 07, 2001 1:21 PM
 To: 'Modperl Mailing List (E-mail)'
 Subject: RE: [RESEND] Apache::Status and custom menu_items


  "CG" == Christian Gilmore [EMAIL PROTECTED] writes:

 CG Are you saying that you see an extra menu from
 Apache::DBI when using
 CG Apache::Status? I'm not seeing any custom menus. For instance,

 Yes, I do.  You need to load Apache::Status before Apache::DBI,
 however, as per the Apache::DBI docs.





RE: mod_perl as DSO on AIX with perl-5.6

2001-02-07 Thread Christian Gilmore

Recompiling with dl_dlopen.xs instead of dl_aix.xs caused 49 of the 180
self-tests to fail. I recompiled with debugging turned on and ran against
GDB. Here's the result followed by the output of './perl -I./lib -V'.
Jens, did you have success running with dl_dlopen.xs without other
modification?

Regards,
Christian

web1-jr% gdb ./perl
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you
are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for
details.
This GDB was configured as "rs6000-ibm-aix4.3.3.0"...
(gdb) set args t/lib/socket.t
(gdb) run
Starting program: /home/cgilmore/src/perl-5.6.0/./perl t/lib/socket.t

Program received signal SIGSEGV, Segmentation fault.
0xd1cc7534 in boot_Socket (cv=0x200851a8) at Socket.c:1221
1221Socket.c: No such file or directory.
(gdb) bt
#0  0xd1cc7534 in boot_Socket (cv=0x200851a8) at Socket.c:1221
#1  0x100b2818 in Perl_pp_entersub () at pp_hot.c:2533
#2  0x10091064 in Perl_runops_debug () at run.c:56
#3  0x100013ac in S_call_body (myop=0x2ff22078, is_eval=0) at perl.c:1761
#4  0x100064cc in Perl_call_sv (sv=0x2003, flags=6) at perl.c:1677
#5  0x100012f4 in S_call_list_body (cv=0x2003) at perl.c:3600
#6  0x10008534 in Perl_call_list (oldscope=1, paramList=0x20038804)
at perl.c:3528
#7  0x100993f4 in Perl_newATTRSUB (floor=78, o=0x2003c338, proto=0x0,
attrs=0x0, block=0x2003c478) at op.c:4641
#8  0x10099f3c in Perl_utilize (aver=1, floor=78, version=0x0,
id=0x2002bb78,
arg=0x0) at op.c:3162
#9  0x10092b70 in Perl_yyparse () at perly.y:403
#10 0x100023dc in S_parse_body (env=0x0,
xsinit=0x20020b18 PL_no_wrongref+5736) at perl.c:1249
#11 0x10008c30 in perl_parse (my_perl=0x2002b338,
xsinit=0x20020b18 PL_no_wrongref+5736, argc=2, argv=0x2ff229c4,
env=0x0)
at perl.c:857
#12 0x10001070 in main (argc=2, argv=0x2ff229c4, env=0x2ff229d0)
at perlmain.c:50
#13 0x11dc in __start ()



web1-jr% ./perl -I./lib -V
Summary of my perl5 (revision 5.0 version 6 subversion 0) configuration:
  Platform:
osname=aix, osvers=4.3.3.0, archname=aix
uname='aix web1-jr 3 4 000528df4c00 '
config_args='-d'
hint=previous, useposix=true, d_sigaction=define
usethreads=undef use5005threads=undef useithreads=undef
usemultiplicity=undef
useperlio=undef d_sfio=undef uselargefiles=undef
use64bitint=undef use64bitall=undef uselongdouble=undef usesocks=undef
  Compiler:
cc='cc', optimize='-g', gccversion=
cppflags=''
ccflags
='-DDEBUGGING -D_ALL_SOURCE -D_ANSI_C_SOURCE -D_POSIX_SOURCE -qmaxmem=1638
4 -I/usr/vac/include -I/opt/gnu/include'
stdchar='unsigned char', d_stdstdio=define, usevfork=false
intsize=4, longsize=4, ptrsize=4, doublesize=8
d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=8
ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t',
lseeksize=4
alignbytes=8, usemymalloc=n, prototype=define
  Linker and Libraries:
ld='ld', ldflags ='-L/usr/vac/lib -L/opt/gnu/lib'
libpth=/opt/gnu/lib /usr/vac/lib /lib /usr/lib /usr/ccs/lib


  libs=-lbind -lnsl -ldbm -ldl -lld -lm -lC -lc -lcrypt -lbsd -lPW -liconv
libc=, so=a, useshrplib=false, libperl=libperl.a
  Dynamic Linking:
dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef,
cdlflags='  -bE:/opt/gnu/depot/perl-5.6.0/lib/5.6.0/aix/CORE/perl.exp -bE:
/opt/gnu/depot/perl-5.6.0/lib/5.6.0/aix/CORE/perl.exp -bE:/opt/gnu/depot/p
erl-5.6.0/lib/5.6.0/aix/CORE/perl.exp -bE:/opt/gnu/depot/perl-5.6.0/lib/5.
6.0/aix/CORE/perl.exp'
cccdlflags=' ',
lddlflags='-bhalt:4 -bM:SRE -bI:$(PERL_INC)/perl.exp -bE:$(BASEEXT).exp -b
noentry -lC -lc -L/opt/gnu/lib -L/usr/vac/lib'


Characteristics of this binary (from libperl):
  Compile-time options: DEBUGGING
  Built under aix
  Compiled at Feb  7 2001 18:22:19
  @INC:
./lib
/opt/gnu/depot/perl-5.6.0/lib/5.6.0/aix
/opt/gnu/depot/perl-5.6.0/lib/5.6.0
/opt/gnu/depot/perl-5.6.0/lib/site_perl/5.6.0/aix
/opt/gnu/depot/perl-5.6.0/lib/site_perl/5.6.0
/opt/gnu/depot/perl-5.6.0/lib/site_perl
.


 -Original Message-
 From: Jens-Uwe Mager [mailto:[EMAIL PROTECTED]]
 Sent: Sunday, January 28, 2001 8:46 AM
 To: Christian Gilmore
 Cc: Modperl Mailing List (E-mail)
 Subject: Re: mod_perl as DSO on AIX with perl-5.6


 On Sat, Jan 27, 2001 at 01:42:44PM -0600, Christian Gilmore wrote:

  Hey. I see in mod_perl's INSTALL document that there's a
 required patch
  for DynaLoader if you intend to run mod_perl as DSO on AIX
 (4.3) with
  perl-5.005_3. Is patching required for 5.6? If so, will the
 same patch in
  the INSTALL doc apply?

 Unfortunately this is a bit complicated and it depends upon
 AIX version.
 For AIX versions before 4.3 yes, and I posted the patch on this list a
 while ago. But as you are using AIX 4.3 this is 

RE: [RFC] Apache::BlockSymLinks 0.1

2001-02-02 Thread Christian Gilmore


Geoff, et al:

I've toyed with ModuleConfig, and it is really cool, but I was under the
impression that people stayed away from using it since it appears to
require a recompile of mod_perl for every module that inserts a new
directive into the list. That's why I assumed the use of PerlSetVar was
much more popular than ModuleConfig.

Regards,
Christian

On Fri, 2 Feb 2001, Geoffrey Young wrote:
 you may want to look into Apache::ModuleConfig to see how you can create
 directives without the need for a separate config file.
 
 for instance:
 SymLinkRule Deny .*
 
 it's pretty easy and probably a bit cleaner in this case (since I suspect
 that you moved to a config file since PerlSetVar just didn't fit the bill
 for the syntax you wanted). just see chapter 8 of the Eagle book




Re: ServerRoot/Block Directive question...

2001-02-02 Thread Christian Gilmore

There is no negation of an entire regex in apache's configuration. You
have to do something like this:

<DirectoryMatch "^(cgi-bin|perl)$">
PerlAccessHandler   Apache::GateKeeper
ErrorDocument 403   /index.html

<Files "login.cgi">
PerlAccessHandler   Apache::OK
</Files>
</DirectoryMatch>

Regards,
Christian

On Fri, 2 Feb 2001, Joseph Crotty wrote:

 Hi all,
 
 I have an Apache::GateKeeper that checks to see if the user has logged in
 and been served a cookie... if not they are redirected to index.html(to
 login).  I want all comers to ServerRoot/cgi-bin or ServerRoot/perl to have
 to go thru the GateKeeper handler, except those trying to get to login.cgi
 which lives in ServerRoot/perl.  I was trying to use the perl.conf Block
 Directives below, but am not getting the negated Files !~ line to work
 right.  I snooped around on the mail archives but can't find anything about
 negated regex matching.
 
 PerlRequire      conf/startup.pl
 PerlFreshRestart On
 PerlSetEnv       MOD_PERL_TRACE all
 
 #Directory Handlers
 #--
 <Directory /perl>
 AllowOverride   None
 Options         +ExecCGI
 SetHandler      perl-script
 PerlHandler     Apache::Registry
 PerlSendHeader  On
 </Directory>
 
 <Directory ~ (cgi-bin|perl)>
 <Files !~ "login.cgi">
 PerlAccessHandler   Apache::GateKeeper
 ErrorDocument   403 /index.html
 </Files>
 </Directory>
 
 Thanks,
 
 Joe Crotty
 




Re: Logging to apache from perl

2001-01-30 Thread Christian Gilmore

Sure, you could do this, but it sounds horribly insecure...

In httpd.conf:

<Location /secure>
PerlAuthenHandler  MyAuthHandler
</Location>

In MyAuthHandler:

use Apache::Constants qw(OK);

sub handler {
  my $r = shift;
  # Sets the user name without checking any credentials
  $r->connection->user('USERNAME');
  return OK;
}

Regards,
Christian

On Tue, 30 Jan 2001, harilaos wrote:

 Hello,
 I was wondering if anyone could help me.
 I want to create a username and password when a user enters my site,
 then pass these values to apache to authenticate. Then I could
 have the REMOTE_USER variable available throughout the user's
 stay at my site. Is there a way to pass these values to apache
 without having to pop up the login window? Is the
 Apache::AuthAny module supposed to do this?
 My aim is to have the variable Remote_User available to my scripts
 without having to put the info in a login box.
 
 Thanks
 




mod_perl as DSO on AIX with perl-5.6

2001-01-27 Thread Christian Gilmore

Hey. I see in mod_perl's INSTALL document that there's a required patch
for DynaLoader if you intend to run mod_perl as DSO on AIX (4.3) with
perl-5.005_3. Is patching required for 5.6? If so, will the same patch in
the INSTALL doc apply?

Regards,
Christian

-
Christian Gilmore
Infrastructure & Tools Team Lead
Web & Multimedia Development
Tivoli Systems, Inc.




Apache::Status and custom menu_items

2001-01-24 Thread Christian Gilmore

I'm attempting to insert a custom menu item as described in the eagle
book, pages 641-3. To my knowledge, I've properly coded, yet I don't see
any change in the /perl-status output. Also, a number of modules I know
are loaded, such as Apache::Resource and Tivoli::Apache::AuthenCache,
don't show up in the "Loaded Modules" section. Here's my httpd
configuration (the kitchen sink approach while attempting to determine the
problem):

  PerlModule Apache::Status
  PerlModule Apache::Resource
  PerlModule HTML::Embperl
  PerlModule B::Terse

  PerlSetEnv PERL_RLIMIT_CPU 120

  PerlModule Tivoli::Apache::AuthenLDAP
  PerlModule Tivoli::Apache::AuthzLDAP
  PerlModule Tivoli::Apache::AuthenCache
  PerlModule Tivoli::Apache::AuthzCache

  SetEnv EMBPERL_OPTIONS 19472
  SetEnv EMBPERL_ESCMODE 0

  <Location /perl-status>
  SetHandler  perl-script
  PerlHandler Apache::Status
  PerlSetVar  StatusDumper               On
  PerlSetVar  StatusPeek                 On
  PerlSetVar  StatusLexInfo              On
  PerlSetVar  StatusDeparse              On
  PerlSetVar  StatusTerse                On
  PerlSetVar  StatusTerseSize            On
  PerlSetVar  StatusTerseSizeMainSummary On
  </Location>

Any ideas where these menu_items are supposed to show up? I understood it
to be the top level. Neither my module's menu_items nor Apache::Resource's
menu_items appear, although if I dig through the symbol table dump, I find
both packages have the routine for menu_items listed and available for
deparsing, dumps, etc.

Also, the "Memory Usage" item that should show up when
StatusTerseSizeMainSummary is on is not showing up.

Regards,
Christian

---------
Christian Gilmore
Infrastructure & Tools Team Lead
Web & Multimedia Development
Tivoli Systems, Inc.




RE: [ANNOUNCE] Apache::ProxyRewrite 0.11

2001-01-15 Thread Christian Gilmore

Stephane,

When you say per-directory realms, do you mean you want to be able to
define a ProxyAuthInfo variable multiple times? You can do that once per
front-end location. Currently, the ProxyAuthInfo variable is not tied to a
particular realm. Rather, it is tied to a particular URI.

As for javascript, if it is properly encased within HTML comments, it
won't be touched by the rewriting engine. If it dynamically generates URLs
on the fly, the likely case is that these URLs will be invalid or will
point directly to the backend, skipping the proxy. Two things about this:

1) If your front-end URI space maps directly onto your backend and the
javascript produces relative URIs, there shouldn't be a problem unless the
code is generating absolute URLs.

2) In order to handle all cases of dynamically rewriting javascript (or
any code, for that matter), one must first solve the halting problem. That
is an impossible task.

Regards,
Christian

-
Christian Gilmore
Infrastructure & Tools Team Lead
Web & Multimedia Development
Tivoli Systems, Inc.

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
 Sent: Monday, January 15, 2001 4:10 AM
 To: Christian Gilmore
 Cc: Modperl Mailing List (E-mail)
 Subject: Re: [ANNOUNCE] Apache::ProxyRewrite 0.11


 On Sunday 14 January 2001, at 13 h 55, the keyboard of
 "Christian Gilmore"
 [EMAIL PROTECTED] wrote:


  Apache::ProxyRewrite acts as a reverse-proxy that will rewrite URLs
  embedded in HTML documents per apache configuration directives.
 
  This module was written to allow multiple backend services
 with discrete
  URLs to be presented as one service

 What about Javascript code? Or per-directory realms?







[ANNOUNCE] Apache::ProxyRewrite 0.11

2001-01-14 Thread Christian Gilmore

The uploaded file

Apache-ProxyRewrite-0.11.tar.gz

has entered CPAN as

  file: $CPAN/authors/id/C/CG/CGILMORE/Apache-ProxyRewrite-0.11.tar.gz
  size: 10843 bytes
   md5: 851e2561d7bcd9ef4fd20dd8cb735ad5


Apache::ProxyRewrite acts as a reverse-proxy that will rewrite URLs embedded in HTML 
documents per apache configuration directives.
 
This module was written to allow multiple backend services with discrete URLs to be 
presented as one service and to allow the proxy to do authentication on the client's 
behalf.

See ProxyRewrite.pm pod for detailed documentation.


2001-01-14  Christian Gilmore [EMAIL PROTECTED]
 
o  Added 'base' as an element of the LINK_ELEMENT hash
o  Made release 0.11
 
2001-01-02  Christian Gilmore [EMAIL PROTECTED]
 
o  Made first public release 0.10
 
$Id: ChangeLog,v 1.2 2001/01/14 19:47:28 cgilmore Exp $


Enjoy,
Christian

-
Christian Gilmore
Infrastructure & Tools Team Lead
Web & Multimedia Development
Tivoli Systems, Inc.





[ANNOUNCE] Apache-AuthenLDAP 0.52

2001-01-08 Thread Christian Gilmore

The uploaded file

Apache-AuthenLDAP-0.52.tar.gz

has entered CPAN as

  file: $CPAN/authors/id/C/CG/CGILMORE/Apache-AuthenLDAP-0.52.tar.gz
  size: 8013 bytes
   md5: 6a14a04f645bbec6506ad1035731e657


Apache::AuthenLDAP is designed to work with mod_perl and
Net::LDAP. This module authenticates a user against an LDAP
backend. It can be combined with Apache::AuthzLDAP to provide
LDAP authorization as well.
 
See AuthenLDAP.pm pod for detailed documentation.
 
$Id: README,v 1.1 2000/09/26 18:27:36 cgilmore Exp $


2001-01-08  Christian Gilmore [EMAIL PROTECTED]
 
o  Added handling of blank userid input
o  Better handling of pre-1.26 set_handlers bugs
 
2000-09-26  Christian Gilmore [EMAIL PROTECTED]
 
o  Made first public release 0.50
 
$Id: ChangeLog,v 1.2 2001/01/08 17:31:22 cgilmore Exp $


Enjoy,
Christian

-
Christian Gilmore
Infrastructure & Tools Team Lead
Web & Multimedia Development
Tivoli Systems, Inc.



[ANNOUNCE] Apache-AuthzLDAP 0.51

2001-01-08 Thread Christian Gilmore

The uploaded file

Apache-AuthzLDAP-0.51.tar.gz

has entered CPAN as

  file: $CPAN/authors/id/C/CG/CGILMORE/Apache-AuthzLDAP-0.51.tar.gz
  size: 9191 bytes
   md5: 86999685dbf96137a739e4431faa6fc9

Apache::AuthzLDAP is designed to work with mod_perl and
Net::LDAP. This module authorizes a user against an LDAP
backend. It can be combined with Apache::AuthenLDAP to provide
LDAP authentication as well.
 
See AuthzLDAP.pm pod for detailed documentation.
 
$Id: README,v 1.1 2000/09/26 18:51:51 cgilmore Exp $


2001-01-08  Christian Gilmore [EMAIL PROTECTED]
 
o  Fixed bug regarding nested groups whose membership was by dn
o  Better handling of pre-1.26 set_handlers bugs
 
2000-09-26  Christian Gilmore [EMAIL PROTECTED]
 
o  Made first public release 0.50
 
$Id: ChangeLog,v 1.2 2001/01/08 17:24:25 cgilmore Exp $


Enjoy,
Christian

-
Christian Gilmore
Infrastructure & Tools Team Lead
Web & Multimedia Development
Tivoli Systems, Inc.



[ANNOUNCE] Apache-AuthzCache 0.03

2001-01-08 Thread Christian Gilmore

The uploaded file

Apache-AuthzCache-0.03.tar.gz

has entered CPAN as

  file: $CPAN/authors/id/C/CG/CGILMORE/Apache-AuthzCache-0.03.tar.gz
  size: 8508 bytes
   md5: 237a62049ca0cabe74fdcd62272624c1


Apache::AuthzCache is designed to work with a mod_perl
authorization module to provide caching of group membership for
site users. For a list of mod_perl authorization modules see:
 
http://www.cpan.org/modules/by-module/Apache/apache-modlist.html
 
When a request that requires authorization is received,
Apache::AuthzCache looks up the REMOTE_USER in a shared-memory
cache (using IPC::Cache) and compares the list of groups in the
cache against the groups enumerated within the "require"
configuration directive. If a match is found, the handler returns
OK and clears the downstream Authz handlers from the
stack. Otherwise, it returns DECLINED and allows the next
PerlAuthzHandler in the chain to be called.
 
After the primary authorization handler completes with an OK,
Apache::AuthzCache::manage_cache adds the new group (listed in
REMOTE_GROUP) to the cache.
 
See AuthzCache.pm pod for detailed documentation.
 
$Id: README,v 1.1 2000/09/26 20:11:50 cgilmore Exp $


2001-01-08  Christian Gilmore [EMAIL PROTECTED]
 
o  Better handled pre-1.26 set_handlers bugs
 
2000-09-26  Christian Gilmore [EMAIL PROTECTED]
 
o  Made first public release 0.02
 
$Id: ChangeLog,v 1.2 2001/01/08 17:41:17 cgilmore Exp $


Enjoy,
Christian

-
Christian Gilmore
Infrastructure & Tools Team Lead
Web & Multimedia Development
Tivoli Systems, Inc.
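
The cache-then-backend flow described in the Apache::AuthzCache README above, modelled outside Apache as an added example (it is not the module's code). A plain hash stands in for IPC::Cache, the group table is constructed sample data, and the 300-second expiry and all sub names are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Handler return codes with the values mod_perl 1 uses.
use constant { OK => 0, DECLINED => -1, FORBIDDEN => 403 };

my $TTL = 300;            # assumed cache lifetime in seconds
my %cache;                # user => { group => expiry time }
my %backend = (           # constructed stand-in for the LDAP directory
    alice => [qw(staff admins)],
    bob   => [qw(staff)],
);

# Turn the argument of "require group a b c" into a list of group names.
sub required_groups {
    my ($require) = @_;
    my ($kind, @groups) = split ' ', $require;
    return lc($kind // '') eq 'group' ? @groups : ();
}

# Cache handler: OK on a fresh hit, DECLINED so the next handler runs otherwise.
sub cache_handler {
    my ($req, $now) = @_;
    my $entry = $cache{ $req->{user} } or return DECLINED;
    for my $group (required_groups($req->{require})) {
        my $expiry = $entry->{$group};
        next unless defined $expiry;
        return OK if $expiry > $now;
        delete $entry->{$group};      # stale entry: force a backend lookup
    }
    return DECLINED;
}

# Primary authorization handler: asks the backend and records REMOTE_GROUP.
sub backend_handler {
    my ($req) = @_;
    my %member = map { $_ => 1 } @{ $backend{ $req->{user} } || [] };
    for my $group (required_groups($req->{require})) {
        next unless $member{$group};
        $req->{remote_group} = $group;
        return OK;
    }
    return FORBIDDEN;
}

# Counterpart of manage_cache: remember the group the backend confirmed.
sub manage_cache {
    my ($req, $now) = @_;
    return unless defined $req->{remote_group};
    $cache{ $req->{user} }{ $req->{remote_group} } = $now + $TTL;
}

# Run the chain. Returning early on a cache hit models clearing the
# downstream authorization handlers from the stack.
sub authorize {
    my ($user, $require, $now) = @_;
    my $req = { user => $user, require => $require };
    return 'OK (cache)' if cache_handler($req, $now) == OK;
    if (backend_handler($req) == OK) {
        manage_cache($req, $now);
        return 'OK (backend)';
    }
    return 'FORBIDDEN';
}

# Constructed timeline: [time, user, require argument, optional backend change]
my @steps = (
    [ 1000, 'alice', 'group admins' ],
    [ 1100, 'alice', 'group admins' ],
    [ 1200, 'alice', 'group admins', sub { $backend{alice} = ['staff'] } ],
    [ 1301, 'alice', 'group admins' ],
    [ 1301, 'bob',   'group admins staff' ],
);
for my $step (@steps) {
    my ($now, $user, $require, $change) = @$step;
    $change->() if $change;           # e.g. alice is removed from admins
    printf "t=%d %-5s require %-18s => %s\n",
        $now, $user, $require, authorize($user, $require, $now);
}
```

The third step shows the trade-off of any authorization cache: a membership removed at the backend keeps being honoured until the cached entry expires.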



RE: [ANNOUNCE] Apache-AuthenLDAP 0.52

2001-01-08 Thread Christian Gilmore

Yup, but according to Doug, the patch committed to fix the set_handlers
problems is not slated to enter production until 1.26 is released. 1.25
will not contain the patch. You'd have to ask Doug why.

Regards,
Christian

 -Original Message-
 From: Geoffrey Young [mailto:[EMAIL PROTECTED]]
 Sent: Monday, January 08, 2001 12:48 PM
 To: 'Christian Gilmore'; Modperl Mailing List (E-mail)
 Subject: RE: [ANNOUNCE] Apache-AuthenLDAP 0.52




  -Original Message-
  From: Christian Gilmore [mailto:[EMAIL PROTECTED]]
  Sent: Monday, January 08, 2001 12:52 PM
  To: Modperl Mailing List (E-mail)
  Subject: [ANNOUNCE] Apache-AuthenLDAP 0.52
 
  o  Better handling of pre-1.26 set_handlers bugs

 did I miss something - this is the second time someone has
 mentioned 1.26...
 is 1.25 not slated to be the next release?

 --Geoff





RE: [ANNOUNCE] Apache-AuthenLDAP 0.52

2001-01-08 Thread Christian Gilmore

Geoff,

Here's the relevant note from Doug last August.

Regards,
Christian

-Original Message-
From: Doug MacEachern [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 30, 2000 10:54 PM
To: Geoffrey Young
Cc: '[EMAIL PROTECTED]'
Subject: RE: $r->get_handlers bug/oversight?


i committed 2 small bits of the last patch, adding PerlCleanupHandler to
the {get,set}_handlers table and the $r->get_handler refcnt fix.  i put a
new version of the patch against cvs here:
http://perl.apache.org/~dougm/set_handlers.pat

similar to the last, but also deals with
$r->set_handlers(Perl*Handler => undef)

and also allows set_handlers() to change the handlers for the current
phase, something which did not work in the past.  one caveat though, the
number of new handlers passed to set_handlers() must be different from the
current number of handlers.  you can work around that by adding an extra
dummy DECLINED handler:

$r->set_handlers($callback => [\&DECLINED,
                               \&one_handler,
                               \&two_handler]);

it would be great to hear test results from the new patch, but in any case
it probably won't go in until after 1.25.





[ANNOUNCE] Apache::ProxyRewrite 0.10

2001-01-02 Thread Christian Gilmore

The uploaded file

Apache-ProxyRewrite-0.10.tar.gz

has entered CPAN as

  file: $CPAN/authors/id/C/CG/CGILMORE/Apache-ProxyRewrite-0.10.tar.gz
  size: 10759 bytes
   md5: eb5a80cb7ded3e41705382b371ae5015

Apache::ProxyRewrite acts as a reverse-proxy that will rewrite URLs embedded in HTML 
documents per apache configuration directives.
 
This module was written to allow multiple backend services with discrete URLs to be 
presented as one service and to allow the proxy to do authentication on the client's 
behalf.

See ProxyRewrite.pm pod for detailed documentation.

Enjoy,
Christian

-
Christian Gilmore
Infrastructure & Tools Team Lead
Web & Multimedia Development
Tivoli Systems, Inc.




RE: Dynamic content that is static

2000-12-28 Thread Christian Gilmore

You might want to take a look at Strudel. It is a project people from my
last job were working on: http://www.research.att.com/~mff/strudel/.

Regards,
Christian

 -Original Message-
 From: Philip Mak [mailto:[EMAIL PROTECTED]]
 Sent: Friday, December 22, 2000 8:09 PM
 To: [EMAIL PROTECTED]
 Subject: Dynamic content that is static


 Hi everyone,

 I have been going over the modperl tuning guide and the
 suggestions that
 people on this list sent me earlier. I've reduced MaxClients
 to 33 (each
 httpd process takes up 3-4% of my memory, so that's how much I can fit
 without swapping) so if the web server overloads again, at
 least it won't
 take the machine down with it.

 Running a non-modperl apache that proxies to a modperl apache
 doesn't seem
 like it would help much because the vast majority of pages
 served require
 modperl.

 I realized something, though: Although the pages on my site are
 dynamically generated, they are really static. Their content doesn't
 change unless I change the files on the website. (For example,
 http://www.animewallpapers.com/wallpapers/ccs.htm depends on
 header.asp,
 footer.asp, series.dat and index.inc. If none of those files
 change, the
 content of ccs.htm remains the same.)

 So, it would probably be more efficient if I had a /src
 directory and a
 /html directory. The /src directory could contain my modperl
 files and a
 Makefile that knows the dependencies; when I type "make", it
 will evaluate
 the modperl files and parse them into plain HTML files in the /html
 directory.

 Does anyone have any suggestions on how to implement this? Is there an
 existing tool for doing this? How can I evaluate
 modperl/Apache::ASP files
 from the command line?

 Thanks,

 -Philip Mak ([EMAIL PROTECTED])








RE: security suggestion

2000-11-16 Thread Christian Gilmore

 The thing is, though, that as a web administrator I don't want those
 same developers (or at least all of them) to be able to create and in-
 stall _arbitrary_ handlers or arbitrary perl code.  Sometimes the de-
 velopers just don't know enough.  And sometimes I just don't trust
 them enough to allow it.

And just putting your configuration for their portion of the site into the
main configuration files would be insufficient?

Christian




[RFC] Apache::ProxyRewrite

2000-11-14 Thread Christian Gilmore

I've completed work on a proxying module we needed here at work. I intend
to release it to the community, but first I want to get comments on its
current name and design. Perhaps there is a direction for it to grow
before initial release?

The Problem I Needed to Solve:

We need to proxy our external web services, both secure and insecure, to
our internal personnel while also doing authentication on the personnel's
behalf behind the scenes. In order to minimize muddying of customer data,
only a single "group" userid exists. This userid is to be used for the
purpose of authenticating and authorizing internal personnel to certain
areas of our external site.

The Solution:

Apache::ProxyRewrite will proxy content, rewriting arbitrary URLs embedded
in the content (if HTML) per run-time configuration. A configuration
example for the host www-internal.tivoli.com:

<Location />
SetHandler         perl-script
PerlHandler        ProxyRewrite

RProxyTo           http://www.tivoli.com
RProxyAuthInfo     "BASIC dG32cvVwcnQ6amF4MzhfYXS="
RProxyAuthRedirect On
RProxyRewrite      https://www.tivoli.com/secure /secure
</Location>

<Location /secure>
SetHandler         perl-script
PerlHandler        ProxyRewrite

RProxyTo           https://www.tivoli.com/secure
RProxyAuthInfo     "BASIC dG32cvVwcnQ6amF4MzhfYXS="
RProxyAuthRedirect On
RProxyRewrite      http://www.tivoli.com/ /
RProxyRewrite      http://foo.bar.com/    /secure/foo
</Location>

Requests for "/" will first be proxied to http://www.tivoli.com. The
content at the URL will be parsed (quickly via a single pass through the
code, not with HTML::Parser and its variants). There will be an implicit
rule that references to relative path of the argument to RProxyTo ("/" in
this case) in the document will be rewritten to the relative URI in the
current Location (also "/" in this case). Further, references to
https://www.tivoli.com/secure on the backend will be rewritten to /secure.

The RProxyAuthInfo directive allows for automatic authentication and
authorization for a predetermined userid. The RProxyAuthRedirect directive
allows the server to receive backend 401 responses and redirect the client
directly to that backend URI. I don't anticipate this directive having
much value to the general community, but it was a requirement of our
installation.

Please send comments, questions, flames (hopefully none of these!) back to
the list. I attempted to contact the owner of the Apache::RewritingProxy
package to no avail. His package, though, seems designed to rewrite
content, not URIs, so I think there's room for both.

Thanks,
Christian

-
Christian Gilmore
Infrastructure & Tools Team Lead
Web & Multimedia Development
Tivoli Systems, Inc.
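
The rewriting rules for the "/" Location in the RFC above, sketched as an added example (not Apache::ProxyRewrite's own code). The element table, the sub names and the sample HTML are constructed for illustration, and the final check lists backend references that survive rewriting, including a URL assembled in JavaScript.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Backend URL prefix => front-end path for the "/" Location. The first
# rule is the implicit one derived from RProxyTo, the second is the
# explicit RProxyRewrite line.
my @rules = (
    [ 'http://www.tivoli.com/'        => '/'       ],
    [ 'https://www.tivoli.com/secure' => '/secure' ],
);
# Longest prefix first so the most specific rule wins.
@rules = sort { length $b->[0] <=> length $a->[0] } @rules;

# Elements and the attribute that carries their URL (constructed subset).
my %LINK_ATTR = (a => 'href', link => 'href', base => 'href',
                 img => 'src', script => 'src', form => 'action');

# Map one backend URL to its front-end form, or return it unchanged.
sub rewrite_url {
    my ($url) = @_;
    for my $rule (@rules) {
        my ($from, $to) = @$rule;
        next unless index($url, $from) == 0;
        my $rest = substr $url, length $from;
        # Match only on a path boundary: /secure must not claim /securex.
        next unless $from =~ m{/$} || $rest eq '' || $rest =~ m{^[/?#]};
        return $to . $rest;
    }
    return $url;
}

# Rewrite the URL attribute of one start tag if the element is a link element.
sub rewrite_tag {
    my ($tag, $attrs) = @_;
    my $attr = $LINK_ATTR{ lc $tag };
    if (defined $attr) {
        $attrs =~ s{(?<![\w-])(\Q$attr\E\s*=\s*)(["'])(.*?)\2}{
            my ($pre, $quote, $url) = ($1, $2, $3);
            $pre . $quote . rewrite_url($url) . $quote;
        }ie;
    }
    return "<$tag$attrs>";
}

# Single pass over the document: comments are copied through untouched,
# start tags go through rewrite_tag, everything else is left alone.
sub rewrite_html {
    my ($html) = @_;
    $html =~ s{(<!--.*?-->)|<(\w+)\b([^>]*)>}{
        defined $1 ? $1 : rewrite_tag($2, $3)
    }gse;
    return $html;
}

# Lines that still name the backend host after rewriting.
sub residual_backend_refs {
    my ($html, $host) = @_;
    return grep { index($_, $host) >= 0 } split /\n/, $html;
}

# Constructed sample page as the backend might return it.
my $html = <<'HTML';
<base href="http://www.tivoli.com/">
<a href="http://www.tivoli.com/products/index.html">Products</a>
<a href="https://www.tivoli.com/secure/login">Login</a>
<a href="https://www.tivoli.com/securex">Other</a>
<!-- <a href="http://www.tivoli.com/old">commented out</a> -->
<script>
var u = "http://" + "www.tivoli.com" + "/support";  // built at run time
</script>
HTML

my $out = rewrite_html($html);
print $out;
print "\nStill pointing at the backend:\n";
print "  $_\n" for residual_backend_refs($out, 'www.tivoli.com');
```

Scanning proxied responses for the backend host name in this way is a cheap check for links that would send a client around the proxy.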




RE: Memory Usage

2000-11-07 Thread Christian Gilmore

 I also never build mod_perl as a DSO.  For the life of me I can't
 understand why so many people do it, and then they act all surprised
 when things go wrong.

I do it out of a desire to not have multiple builds of apache lying around
for the various needs I have of each service I run. For those that run on
a small handful of service types, DSO may not be as handy, but when you
run more than 10 distinct service types, each requiring their own set of
modules added or removed, you become thankful for just needing alternate
configuration files than having multiple builds of apache hanging around.
You become much more thankful when it comes time to upgrade to the next
minor version of apache.

Regards,
Christian




RE: Memory Usage

2000-11-07 Thread Christian Gilmore

 I'm leaning along the lines of just killing the
 process, rotating the logs, and restarting it. It should take
 no more than 5 seconds once a week at 4:00am.

This is exactly what I do, except I have it scripted. The downside is that
your service is unavailable for a few seconds (maybe more depending upon
the length of time it takes for the parent to wipe out all the old
children). I'd be happy to share the script, provided my boss doesn't
mind. :)

Regards,
Christian




RE: Memory Usage

2000-11-07 Thread Christian Gilmore

Find attached the rotatelogs.pl script. My experience is that killing off
children after so much usage is a GoodThing (tm). So long as the parent
remains at a stable size, things should go ok.

Regards,
Christian

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]]On Behalf
 Of Buddy Lee Haystack
 Sent: Tuesday, November 07, 2000 3:27 PM
 To: Christian Gilmore
 Cc: 'G.W. Haywood'; 'mod_perl list'
 Subject: Re: Memory Usage


 Thanks Christian!

 Scripts would be nice.;-)

 I take it you've used DSO much more than I have, so I'm
 interested in any information in addition to that provided by
 the kind "G.W. Haywood" to the following:

 "What concerns me even more is the fact that I have Apache
 restart child processes after they each serve 100 requests
 [MaxRequestsPerChild 100] it's a RedHat default that is
 supposed to reduce memory leaks, but with mod_perl & DSO it
 may actually have the opposite effect. I can easily increase
 the value, or remove it altogether. Any recommendations?"


 Christian Gilmore wrote:
 
   I'm leaning along the lines of just killing the
   process, rotating the logs, and restarting it. It should take
   no more than 5 seconds once a week at 4:00am.
 
  This is exactly what I do, except I have it scripted. The
 downside is that
  your service is unavailable for a few seconds (maybe more
 depending upon
  the length of time it takes for the parent to wipe out all the old
  children). I'd be happy to share the script, provided my
 boss doesn't
  mind. :)
 
  Regards,
  Christian

 --
 BLH
 www.RentZone.org


 rotatelogs.pl


RE: Remote Hosting

2000-09-26 Thread Christian Gilmore

It sounds like you're looking for a proxy. If that's the case, there are a
huge variety of options starting with apache's own built-in mod_proxy.

Regards,
Christian

 -Original Message-
 From: Allen Wilson [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, September 26, 2000 3:54 PM
 To: Modperl
 Subject: Remote Hosting


 Does anyone have an idea of how to set up a remote host
 request. I am attempting
 to set up a web system where the user makes a request and it
 is processed from one
 server to another. The remote server will return a file that
 will be formatted
 in a web page.

 I already have the formatting done...it is the connection and
 requesting from
 the remote server giving me the problem. I tried to run the
 remote shell (remsh
 ) but that failed.

 Any ideas would be appreciated.

 Allen





RE: Why isn't PerlSetEnv working for me?

2000-09-26 Thread Christian Gilmore

If you have a startup.pl, why not just

  use lib qw(/usr/local/MyPerl/lib);

within the startup.pl script?

Regards,
Christian

 -Original Message-
 From: Keith G. Murphy [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, September 26, 2000 5:32 PM
 To: [EMAIL PROTECTED]
 Subject: Why isn't PerlSetEnv working for me?
 
 
 I'm running Apache 1.3.9 with mod_perl embedded, on Debian GNU/Linux.
 
 I have the following lines towards the end of my httpd.conf:
 
 PerlSetEnv PERL5LIB /usr/local/MyPerl/lib
 PerlRequire startup.pl
 Include perllocs.conf
 
 However, upon system startup, my startup.pl fails because it can't find
 a particular module in the @INC list.
 
 If I start Apache from the command line, it works.  This is undoubtedly
 because PERL5LIB is set up in my /etc/profile, to the same path.
 
 I've looked at this until I'm crosseyed.  Seemingly PerlSetEnv just
 doesn't work.
 
 Any ideas?  Yes, I know the workaround: 'use lib' in startup.pl.  But
 why?
 



RE: Why it prompt Multiple time for Authentication ???

2000-09-25 Thread Christian Gilmore

Have you tried wrapping Apache::AuthenCache around Authen::Smb? It may
help you out with the occasional communication issues with the backend
PDC.

Regards,
Christian

 -Original Message-
 From: Jerrad Pierce [mailto:[EMAIL PROTECTED]]
 Sent: Monday, September 25, 2000 10:54 AM
 To: 'Sambit Nanda'; [EMAIL PROTECTED]
 Subject: RE: Why it prompt Multiple time for Authentication ???


 This was covered previously, perhaps it should be covered in a FAQ?

 If your NT PDC is slow, occasionally an authentication attempt will take
 too long, and return a status, which the module mistakenly regards as an
 error and reprompts for authentication information.

 -Original Message-
 From: Sambit Nanda [mailto:[EMAIL PROTECTED]]
 Sent: Monday, September 25, 2000 11:51 AM
 To: [EMAIL PROTECTED]
 Subject: Why it prompt Multiple time for Authentication ???
 
 
 Hi Perl experts,
 
   Here is the problem:
 
   1. I am using Apache 1.3.11 + openssl + mod_ssl + mod_perl + mod_php
      on my web server.
 
   2. I have the module "Authen::Smb" installed for authentication
      with a Win NT PDC from Apache.
 
   Problem: I do not understand why my web server sometimes asks for the
   password repeatedly within a session and sometimes does not. I mean,
   once you log in and go to the next page or location of the same
   application, it asks for the password again, and sometimes it works
   very well.
 
   What can the error be? Why is it behaving so oddly?
 
   3. Has the multiple-PDC authentication module for Apache been
      released or not? I need the kind attention of Joshu Gerth on this
      issue.
 
 Any help would be appreciated.
 
 Thanks
 
 Sambit Nanda
 
 Unix Admin
 
 
 
 
 





RE: mod_perl security on a shared web server

2000-09-06 Thread Christian Gilmore

Felix,

There's not much available that is efficient and does per-resource
throttling based upon CPU, RAM, and time of which I know. I looked around
for such things about 8 months ago.

I instead decided that, for my needs, limiting simultaneous client access
to resource hogs was good enough. I wrote mod_throttle_access to serve
this purpose. It is available through the Apache Module Registry or
directly here:

http://www.fremen.org/apache/

Regards,
Christian

From: Félix C.Courtemanche [mailto:[EMAIL PROTECTED]]
 I had someone mention resource restricting modules, especially for the
 amount of cpu, ram and time of execution used.  Anyone can direct me
 specifically to any of these (or all of them)?  I can't seem to find one
 that is completed and working well.





OT: Help with LocationMatch rule

2000-08-22 Thread Christian Gilmore

This post is off topic. I apologize in advance, but I'm hoping someone out
there can answer this question easily for me. I want to put an
authentication rule on an entire site save for two subdirectories. How can
I do so?

As LocationMatch doesn't have an operator for "all things not matched by
this regular expression" and one apparently can't ignore a parent
directory's authentication rules if the child wants no authentication
whatsoever, I can't come up with the right solution.

The closest I've come is:

<LocationMatch "^/($|[^(cfincludes|includes)])">

But this doesn't work as the brackets remove any sense of string, reducing
my match to the set of words that are not completely within the jumbled
letters inside the brackets.

Regards,
Christian

---------
Christian Gilmore
Infrastructure & Tools Team Lead
Web & Multimedia Development
Tivoli Systems, Inc.
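
Why the bracket expression in this post fails as an exclusion, checked against constructed request paths; this is an added example, not part of the original post. The negative-lookahead pattern assumes a Perl-compatible regex engine (POSIX extended regular expressions have no such operator), and the sample paths and helper names are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Pattern from the post. qr'...' disables interpolation, so "$|" and "$)"
# stay regex syntax. Inside [...] the parentheses and "|" are literal
# characters: the class means "one character that is none of
# ( c f i n l u d e s | )".
my $bracket = qr'^/($|[^(cfincludes|includes)])';

# Assumption: an engine with negative lookahead. Matches every path except
# the two directories themselves and anything beneath them.
my $lookahead = qr'^/(?!(?:cfincludes|includes)(?:/|$))';

# Constructed sample paths: [ path, 1 if authentication is intended ].
my @cases = (
    [ '/',                     1 ],
    [ '/about/team.html',      1 ],
    [ '/index.html',           1 ],    # begins with "i"
    [ '/cgi-bin/report.pl',    1 ],    # begins with "c"
    [ '/docs/private.html',    1 ],    # begins with "d"
    [ '/secure/admin/',        1 ],    # begins with "s"
    [ '/includes-old/x.html',  1 ],    # shares a prefix with an excluded dir
    [ '/includes',             0 ],
    [ '/includes/header.inc',  0 ],
    [ '/cfincludes/nav.cfm',   0 ],
);

# True when the pattern would place the path under the authentication rule.
sub requires_auth {
    my ($re, $path) = @_;
    return $path =~ $re ? 1 : 0;
}

# Compare what a pattern covers with the intended policy.
sub policy_gaps {
    my ($re) = @_;
    my (@unprotected, @overprotected);
    for my $case (@cases) {
        my ($path, $want) = @$case;
        my $got = requires_auth($re, $path);
        push @unprotected,   $path if $want  && !$got;
        push @overprotected, $path if !$want && $got;
    }
    return (\@unprotected, \@overprotected);
}

for my $pair ([ 'bracket expression', $bracket ],
              [ 'negative lookahead', $lookahead ]) {
    my ($name, $re) = @$pair;
    my ($open, $closed) = policy_gaps($re);
    print "$name\n";
    print "  left without authentication:   ",
        (@$open ? join(', ', @$open) : 'none'), "\n";
    print "  excluded dirs still challenged: ",
        (@$closed ? join(', ', @$closed) : 'none'), "\n";
}
```

With the bracket expression, every path whose first character happens to be one of the listed letters falls outside the rule, which is a far larger set than the two directories meant to be exempt.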




lookup_uri() / lookup_file() behavior

2000-07-27 Thread Christian Gilmore

I'm trying to determine what the proper behavior for lookup_uri() /
lookup_file() should be. This call creates a subrequest that appears as if
it is a new one up until the content handler phase. From the eagle book,
pages 452-3:

lookup_file() and lookup_uri() invoke Apache
subrequests. A subrequest is treated exactly
like an ordinary request, except that the post
read request ... [is] not run... lookup_uri()
performs the URI translation on the provided
URI, passing the request to the access control
and authorization handlers, if any...

Should the subrequest have the same stack of handlers and environment with
which the parent request began or should it have the same stack and
environment at the time the parent request launched the subrequest?

From my readings of the Modules eagle book (such as pages 62-3 and 452-3)
and the Apache eagle book (such as page 271) and my own common sense, I'd
say it should be the former (same as the beginning of the parent). What
would you say?

Regards,
Christian

-
Christian Gilmore
Infrastructure & Tools Team Lead
Web & Multimedia Development
Tivoli Systems, Inc.




Yet more on set_handlers() and new-found problems with lookup_uri()

2000-07-11 Thread Christian Gilmore

Hello, again. We're making progress; I think I've decided what the actual
bugs are. :) Please let me know if you disagree. On certain requests, such
as requests which ask for directories and require the aid of
DirectoryIndex, lookup_uri() is called. This call creates a subrequest
that appears as if it is a new one up until the content handler phase.
From the eagle book, pages 452-3:

lookup_file() and lookup_uri() invoke Apache
subrequests. A subrequest is treated exactly
like an ordinary request, except that the post
read request ... [is] not run... lookup_uri()
performs the URI translation on the provided
URI, passing the request to the access control
and authorization handlers, if any...

The bugs, I believe are the following two:

1) set_handlers() doesn't do what it claims except with respect to using
undef. If you add handlers in, it is ignored, at least if the handlers you
are trying to add are in the same phase as the handler from which you are
calling set_handlers(). This bug is evident in the error log snippet
attached. It shows that, even though I call set_handlers twice in a row,
once to clear the stack and once to add the AuthzCache::dummy handler, the
dummy method in fact is not added as shown in the subrequest. I've also
attached the AuthzCache code with the debug statements included.

2) The subrequest's handlers stack is not reset to what it was when the
initial request began. It is whatever is left from the initial request's
processing up to the point that the subrequest launched. Here are the
important steps that occur when I request a directory URL (i.e., /foo/).

1) AuthzCache runs and has a hit. It clears
   all handlers in the phase and returns OK.
2) lookup_uri() is called and the first name in
   DirectoryIndex is examined.
3) While running through the phases for this
   subrequest, the PerlAuthzHandlers is empty.
4) The subrequest completes with what I presume
   is an AUTH_REQUIRED error, since the user
   didn't match the required group.
5) Steps 2 through 4 are called for all
   DirectoryIndex files. The server finally
   returns the directory contents instead.

The second bug may not be a bug, per se, but while it functions like it
does, I don't see any way to do what I want while the first bug with
set_handlers exists. If I could set_handlers(PerlAuthzHandlers =>
[ \&OK ]) and the handler stack would actually be modified, I'd be set.

I'll keep banging away on this problem, but I'd appreciate hearing from
y'all whether you can reproduce my problems and whether you believe I'm
right with respect to the analysis of the problems.

Regards,
Christian


 -Original Message-
 From: Christian Gilmore [mailto:[EMAIL PROTECTED]]
 Sent: Friday, July 07, 2000 3:34 PM
 To: Modperl Mailing List (E-mail)
 Subject: More on the set_handlers() / push_handlers() bug...




 Hello, again.

 Here's a quick summary of the problem: upon clearing the stack of handlers
 (with set_handlers(PerlAuthzHandlers => undef)) the server appears to not
 recognize when it has found a DirectoryIndex file and returns the contents
 of a directory instead of the index file.

 Since last writing on this topic, I upgraded to all of the newest versions
 (apache-1.3.12, perl-5.6, mod_perl-1.24) and configured mod_perl with
 PERL_TRACE=1. Looking at the error_log with the handler tracing on and
 httpd running in single-server mode, I discovered that the server does
 appear to cycle through the directory indexes, but doesn't realize when it
 has found one. I've attached two error logs for the request
 http://dw3.tivoli.com:81/home/passwd/group/: one with the cache enabled,
 one without. I've also attached a copy of the document returned by the
 server for the with-authz-cache request. The document is the auto-generated
 contents of the directory. As you can see, index.phtml does exist in the
 directory and is the first file searched for by the server.

 Does anyone have any ideas here? Can anyone reproduce the problem? I've
 also included the source for the AuthzCache and AuthzLDAP. If anyone could
 use at least the Cache code and see if you could reproduce the problem, I'd
 really appreciate it.

 I noticed that the error log with the cache enabled shows that subsequent
 internal requests (such as those you see when requesting a directory
 instead of a named file) don't reset the handler stack to what is in the
 configuration. See about line 65 of each log file for this difference.

 Regards,
 Christian

 -
 Christian Gilmore
 Infrastructure & Tools Team Lead
 Web & Multimedia Development
 Tivoli Systems, Inc.

  - AuthzCache.pm
  - AuthzLDAP.pm
  - group-dir.html
  - error_log_with_cache
  - error_log_without_cache

 AuthzCache.pm
 error_log_with_cache


More on the set_handlers() / push_handlers() bug...

2000-07-07 Thread Christian Gilmore

Hello, again.

Here's a quick summary of the problem: upon clearing the stack of handlers
(with set_handlers(PerlAuthzHandlers => undef)) the server appears to not
recognize when it has found a DirectoryIndex file and returns the contents
of a directory instead of the index file.

Since last writing on this topic, I upgraded to all of the newest versions
(apache-1.3.12, perl-5.6, mod_perl-1.24) and configured mod_perl with
PERL_TRACE=1. Looking at the error_log with the handler tracing on and httpd
running in single-server mode, I discovered that the server does appear to
cycle through the directory indexes, but doesn't realize when it has found
one. I've attached two error logs for the request
http://dw3.tivoli.com:81/home/passwd/group/: one with the cache enabled, one
without. I've also attached a copy of the document returned by the server
for the with-authz-cache request. The document is the auto-generated
contents of the directory. As you can see, index.phtml does exist in the
directory and is the first file searched for by the server.

Does anyone have any ideas here? Can anyone reproduce the problem? I've also
included the source for the AuthzCache and AuthzLDAP. If anyone could use at
least the Cache code and see if you could reproduce the problem, I'd really
appreciate it.

I noticed that the error log with the cache enabled shows that subsequent
internal requests (such as those you see when requesting a directory instead
of a named file) don't reset the handler stack to what is in the
configuration. See about line 65 of each log file for this difference.

Regards,
Christian

-
Christian Gilmore
Infrastructure & Tools Team Lead
Web & Multimedia Development
Tivoli Systems, Inc.

 AuthzCache.pm
 AuthzLDAP.pm
Title: Index of /home/passwd/group

Index of /home/passwd/group

 Name                    Last modified       Size  Description

 Parent Directory        18-May-2000 11:25      -
 display_group_info.p..  07-Jun-2000 10:45    11k
 group.phtml             08-Jun-2000 17:38    18k
 index.phtml             05-Jun-2000 12:13     7k

Apache/1.3.12 Server at dw3.tivoli.com Port 81

 error_log_with_cache
 error_log_without_cache


RE: More on the set_handlers() / push_handlers() bug...

2000-07-07 Thread Christian Gilmore


 Forgive me for the obvious and probably stupid questions, (especially
 since I didn't see the earlier posts in which you probably answered
 them =o)  but just for the record --

No problem. I appreciate your trying to help!

 Could you be misspelling "PerlAuthzHandler"? I note you said
 "PerlAuthzHandlers" with an 's' below. Is that a feature I should
 kick myself for not being aware of? Or maybe just an email typo? Or a
 code error? (I do see it's a stack of handlerS, but)

Heh. No, that was just a typo in my mail. I have it right in the handler
code, which I had attached.

 Why undefine the handlers? Could you just use
  $r->set_handlers( PerlAuthzHandler => [ \&OK ] );
 or something?  Could that be part of the problem? (Though I don't see
 how. I'm still pretty new to this.)

Well, setting it to undef is what is recommended in the "Apache Modules"
book (page 466), but I have tried setting it to \&OK. Setting it to \&OK
turns out to do nothing at all. The server ignores your attempted change
(even though it shows that it did change when you look at get_handlers) and
continues as if you never even called set_handlers.

Please, if you have the time and opportunity, give the AuthzCache a try. I'd
really like to know that others can reproduce the problem. It can wrap
around any perl Authz handler as follows:

PerlAuthzHandler Tivoli::Apache::AuthzCache <your authz handler here>
Tivoli::Apache::AuthzCache::manage_cache

Regards,
Christian

-
Christian Gilmore
Infrastructure & Tools Team Lead
Web & Multimedia Development
Tivoli Systems, Inc.




IPC::ShareLite 0.07a test problems

2000-06-27 Thread Christian Gilmore

Hey, I realize this problem isn't directly mod-perl related, but I'm trying
to build the most up-to-date version of perl/apache/etc to continue
debugging the problem I'm having with set_handlers() (see other recent
thread). I'm using IPC::Cache (which of course relies on IPC::ShareLite)
within an AuthzCache module.

I'm finding test errors in IPC::ShareLite-0.07a under solaris
2.5.1/perl-5.6.0. Below is the output of a gdb on the test. Has anyone
successfully compiled and tested ShareLite in a similar environment?

Regards,
Christian

cougar% gdb perl-5.60
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you
are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "sparc-sun-solaris2.5.1"...
(gdb) set args test.pl
(gdb) r
Starting program: /opt/gnu/bin/perl-5.60 test.pl
1..8
ok 1
ok 2
ok 3
not ok 4
ok 5
ok 6
not ok 7
Bad realloc() ignored at
/opt/gnu/depot/perl-5.6.0/lib/site_perl/sun4-solaris/IPC/ShareLite.pm line
106.

Program received signal SIGSEGV, Segmentation fault.
0x79568 in Perl_sv_usepvn ()
(gdb) share
Symbols already loaded for /usr/lib/libsocket.so.1
Symbols already loaded for /usr/lib/libnsl.so.1
Symbols already loaded for /usr/lib/libdl.so.1
Symbols already loaded for /usr/lib/libm.so.1
Symbols already loaded for /usr/lib/libc.so.1
Symbols already loaded for /usr/lib/libsec.so.1
Symbols already loaded for /usr/lib/libintl.so.1
Symbols already loaded for /usr/lib/libmp.so.1
Symbols already loaded for /usr/lib/libw.so.1
Symbols already loaded for
/opt/gnu/depot/perl-5.6.0/lib/site_perl/sun4-solaris/auto/IPC/ShareLite/Shar
eLite.so
(gdb) bt
#0  0x79568 in Perl_sv_usepvn ()
#1  0xef58327c in XS_IPC__ShareLite_read_share (cv=0x161f80)
at ShareLite.xs:314
#2  0x73114 in Perl_pp_entersub ()
#3  0x6c0cc in Perl_runops_standard ()
#4  0x23eb0 in S_run_body ()
#5  0x23b18 in perl_run ()
#6  0x2115c in main ()

-
Christian Gilmore
Infrastructure & Tools Team Lead
Web & Multimedia Development
Tivoli Systems, Inc.




RE: set_handlers() bug?

2000-06-26 Thread Christian Gilmore

So, I've done a bit more debugging. It looks like set_handlers is all
befuddled. I have the below code:

  my $handlers = $r->get_handlers('PerlAuthzHandler');
  foreach (@$handlers) {
    $r->log->debug("handler: (Pre) PerlAuthzHandler $_ next in line");
  }
  # Per Eric Cholet
  # $r->set_handlers(PerlAuthzHandler => [\&OK]);
  $r->set_handlers(PerlAuthzHandler => [\&Tivoli::Apache::AuthzCache, \&OK]);
  #$r->set_handlers(PerlAuthzHandler => undef);
  $handlers = $r->get_handlers('PerlAuthzHandler');
  foreach (@$handlers) {
    $r->log->debug("handler: (Post) PerlAuthzHandler $_ next in line");
  }
  return OK;

[Mon Jun 26 10:30:58 2000] [debug]
/opt/apache/dw3.tivoli.com/81/lib/perl/Tivoli/Apache/AuthzCache.pm(132):
[client 146.84.34.143] handler: (Pre) PerlAuthzHandler
Tivoli::Apache::AuthzCache::handler next in line
[Mon Jun 26 10:30:58 2000] [debug]
/opt/apache/dw3.tivoli.com/81/lib/perl/Tivoli/Apache/AuthzCache.pm(132):
[client 146.84.34.143] handler: (Pre) PerlAuthzHandler
Tivoli::Apache::AuthzLDAP next in line
[Mon Jun 26 10:30:58 2000] [debug]
/opt/apache/dw3.tivoli.com/81/lib/perl/Tivoli/Apache/AuthzCache.pm(132):
[client 146.84.34.143] handler: (Pre) PerlAuthzHandler
Tivoli::Apache::AuthzCache::manage_cache next in line
[Mon Jun 26 10:30:58 2000] [debug]
/opt/apache/dw3.tivoli.com/81/lib/perl/Tivoli/Apache/AuthzCache.pm(140):
[client 146.84.34.143] handler: (Post) PerlAuthzHandler CODE(0x4a3a00) next
in line
[Mon Jun 26 10:30:58 2000] [debug]
/opt/apache/dw3.tivoli.com/81/lib/perl/Tivoli/Apache/AuthzCache.pm(140):
[client 146.84.34.143] handler: (Post) PerlAuthzHandler CODE(0x1840c4) next
in line

The behavior I see is that changes to set_handlers that aren't set to undef
are ignored. AuthzLDAP and AuthzCache::manage_cache are still called even
though I set the handlers to be a stack of AuthzCache and OK. According to
get_handlers, I'm getting garbage back after I do a set_handlers. When I do
a set of undef, get returns nothing, properly enough, but the DirectoryIndex
is ignored/missing.

Regards,
Christian




RE: Embperl: loop control bug

2000-02-04 Thread Christian Gilmore

Should embperl then be altered to handle loop control itself or should we just
use [* *] embperl structures to allow us to use perl's control structures
instead of embperl's? In either event, it should probably be documented as a
shortcoming of using embperl's control structures.

Regards,
Christian

 -Original Message-
 From: Gerald Richter [mailto:[EMAIL PROTECTED]]
 Sent: Thursday, February 03, 2000 11:27 PM
 To: Christian Gilmore; ModPerl Mailing List (E-mail)
 Subject: RE: Embperl: loop control bug


  Embperl (1.2.0) causes a core dump when I put in a loop control
  statement. For instance, in the following snippet of code, when the
  'last' line is reached, the apache child dumps core.
 
  [- $i = 0 -]
  [$ while ($i < 10) $]
     [+ $i +]<br>
     [$ if ($i == 5) $]
        [- last -]
     [$ endif $]
     [- $i++ -]
  [$ endwhile $]
 
  The problem occurs regardless of what looping mechanism I use
  (foreach, while, etc). Can someone confirm that this problem also
  occurs on their system, please?
 

 "while/endwhile" are Embperl control statements and "last" is a Perl
 statement. This can't work at all, because Perl doesn't know anything about
 Embperl's while/endwhile. This is completely handled by Embperl itself.

 Gerald




 -
 Gerald Richter    ecos electronic communication services gmbh
 Internetconnect * Webserver/-design/-datenbanken * Consulting

 Post:   Tulpenstrasse 5     D-55276 Dienheim b. Mainz
 E-Mail: [EMAIL PROTECTED]   Voice: +49 6133 925151
 WWW:    http://www.ecos.de  Fax:   +49 6133 925152
 -





RE: Embperl: problem with module imports

2000-02-04 Thread Christian Gilmore

Thanks, Gerald. That worked. The documentation should reflect the need for the
semi-colon. The use statement is an example in the section on [- -]. At least
at this spot, if not also in a special gotchas section, it should be
mentioned.

Regards,
Christian

 -Original Message-
 From: Gerald Richter [mailto:[EMAIL PROTECTED]]
 Sent: Thursday, February 03, 2000 11:29 PM
 To: Christian Gilmore; ModPerl Mailing List (E-mail)
 Subject: RE: Embperl: problem with module imports



 
  The test.html file contains only the [- use MODULE_HERE -]
  line.

 Try

 [- use MODULE_HERE ; -]

 for whatever reason, Perl likes to see a semicolon here.

 Gerald






RE: Embperl: loop control bug

2000-02-04 Thread Christian Gilmore

Actually, the use of last/next still causes a core dump (bus error) with
perl's structures as well. Uncommenting either of the two loop control lines
will cause the dump.

[- $i = 0; -]
[* while ($i < 10) { *]
   [+ $i +]<br>
   [* if ($i == 5) { *]
      [# last; #]
      [- $i++; -]
      [# next; #]
   [* } *]
   [- $i++; -]
[* } *]

Regards,
Christian

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On
 Behalf Of Christian Gilmore
 Sent: Friday, February 04, 2000 10:33 AM
 To: 'Gerald Richter'; 'ModPerl Mailing List (E-mail)'
 Subject: RE: Embperl: loop control bug


 Should embperl then be altered to handle loop control itself or should we
 just use [* *] embperl structures to allow us to use perl's control
 structures instead of embperl's? In either event, it should probably be
 documented as a shortcoming of using embperl's control structures.

 Regards,
 Christian

  -Original Message-
  From: Gerald Richter [mailto:[EMAIL PROTECTED]]
  Sent: Thursday, February 03, 2000 11:27 PM
  To: Christian Gilmore; ModPerl Mailing List (E-mail)
  Subject: RE: Embperl: loop control bug
 
 
   Embperl (1.2.0) causes a core dump when I put in a loop control
   statement. For instance, in the following snippet of code, when the
   'last' line is reached, the apache child dumps core.
  
   [- $i = 0 -]
   [$ while ($i < 10) $]
      [+ $i +]<br>
      [$ if ($i == 5) $]
         [- last -]
      [$ endif $]
      [- $i++ -]
   [$ endwhile $]
  
   The problem occurs regardless of what looping mechanism I use
   (foreach, while, etc). Can someone confirm that this problem also
   occurs on their system, please?
  
 
  "while/endwhile" are Embperl control statements and "last" is a Perl
  statement. This can't work at all, because Perl doesn't know anything
  about Embperl's while/endwhile. This is completely handled by Embperl
  itself.
 
  Gerald
 
 
 
 
  -
  Gerald Richter    ecos electronic communication services gmbh
  Internetconnect * Webserver/-design/-datenbanken * Consulting
 
  Post:   Tulpenstrasse 5     D-55276 Dienheim b. Mainz
  E-Mail: [EMAIL PROTECTED]   Voice: +49 6133 925151
  WWW:    http://www.ecos.de  Fax:   +49 6133 925152
  -
 
 





Embperl: loop control bug

2000-02-03 Thread Christian Gilmore

Embperl (1.2.0) causes a core dump when I put in a loop control statement. For
instance, in the following snippet of code, when the 'last' line is reached,
the apache child dumps core.

[- $i = 0 -]
[$ while ($i < 10) $]
   [+ $i +]<br>
   [$ if ($i == 5) $]
      [- last -]
   [$ endif $]
   [- $i++ -]
[$ endwhile $]

The problem occurs regardless of what looping mechanism I use (foreach, while,
etc). Can someone confirm that this problem also occurs on their system,
please?

Regards,
Christian

-
Christian Gilmore
Senior Technical Staff Member
AT&T Labs IP Technology, Florham Park
[EMAIL PROTECTED]
http://www.research.att.com/info/cgilmore



RE: How do you turn logging off completely in Embperl?

2000-01-19 Thread Christian Gilmore

Jason,

Using both 'EMBPERL_LOG /dev/null' and 'EMBPERL_DEBUG 0' will do the trick.
Without redirecting EMBPERL_LOG, embperl will always try to open
/tmp/embperl.log on its first use. I consider this a bug and a security hazard
(writing anything blindly to /tmp can have potentially lethal side effects,
eg: user foo puts in a symlink from /tmp/embperl.log to anything owned by the
user running the server and that file gets embperl logs appended to it!).

The log file is tied to at a few different spots within the code. None of
these check the setting of EMBPERL_DEBUG before tying to the log. They should
only tie to the log if the debug setting is not zero.

Regards,
Christian

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On
 Behalf Of Jason Bodnar
 Sent: Wednesday, January 19, 2000 4:12 PM
 To: mod_perl list
 Subject: How do you turn logging off completely in Embperl?


 How do you turn logging off completely in Embperl? Is it even possible? I
 set EMBPERL_DEBUG to 0 but it still tries to open a log file. I didn't see
 anything in EMBPERL_OPTIONS.

 ---
 Jason Bodnar + [EMAIL PROTECTED] + Tivoli Systems

 In Jail Rock house Rock, he was everything Rockabilly's about.
 No, I mean he is Rockabilly. Mean, Surly, Nasty, Brute.
 I mean in that movie he couldn't give a  about nothin'.
 Just rockin' and rollin', livin' fast, dying young, leavin' a
 good lookin'
 corpse.

 --Clarence Worley, True Romance
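
The symlink hazard described in this reply, reproduced in a private temporary directory beside a hardened open that also skips the log entirely when debugging is off. This is an added example, not Embperl code; `naive_open_log` and `open_debug_log` are hypothetical helpers and the file names are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_APPEND O_CREAT O_NOFOLLOW S_ISREG);
use File::Temp qw(tempdir);

# Behaviour described in the post (hypothetical stand-in, not Embperl code):
# the log is opened for append regardless of the debug level, and a plain
# open() follows whatever symlink sits at that path.
sub naive_open_log {
    my ($path) = @_;
    open(my $fh, '>>', $path) or return;
    return $fh;
}

# Hardened variant (hypothetical helper).
sub open_debug_log {
    my ($path, $debug) = @_;
    return unless $debug;    # debug level 0: never touch the file system

    # O_NOFOLLOW makes the open fail if the last path component is a symlink.
    sysopen(my $fh, $path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0600)
        or return;

    # Check the object actually opened: regular file, owned by the effective
    # user, exactly one link (rejects a pre-planted hard link or foreign file).
    my @st = stat($fh);
    unless (@st && S_ISREG($st[2]) && $st[4] == $> && $st[3] == 1) {
        close($fh);
        return;
    }
    return $fh;
}

sub size_of {
    my ($path) = @_;
    return (stat($path))[7];
}

# Constructed scenario: a file the server user owns, and a symlink to it
# planted where the log is expected.
my $dir    = tempdir(CLEANUP => 1);
my $victim = "$dir/server-owned.conf";
my $log    = "$dir/embperl.log";

open(my $out, '>', $victim) or die "cannot create $victim: $!";
print {$out} "original contents\n";
close($out);
symlink($victim, $log) or die "cannot create symlink: $!";

my $before = size_of($victim);

# 1. Naive open: the log line lands in the file the symlink points at.
if (my $fh = naive_open_log($log)) {
    print {$fh} "[debug] request served\n";
    close($fh);
}
my $after_naive = size_of($victim);
printf "naive open:    target grew by %d bytes\n", $after_naive - $before;

# 2. Hardened open with debugging on: the symlink is refused.
my $fh = open_debug_log($log, 1);
printf "hardened open: %s\n", $fh ? "opened (unexpected)" : "refused symlink";
printf "target size unchanged: %s\n",
    (size_of($victim) == $after_naive) ? "yes" : "no";

# 3. Debugging off: no file is created at all.
my $quiet = "$dir/quiet.log";
open_debug_log($quiet, 0);
printf "debug 0 creates a log file: %s\n", (-e $quiet) ? "yes" : "no";

# 4. Debugging on, fresh path: a new private log file is created and usable.
my $fresh = "$dir/fresh.log";
if (my $ok = open_debug_log($fresh, 1)) {
    print {$ok} "[debug] request served\n";
    close($ok);
    printf "fresh log mode: %04o\n", (stat($fresh))[2] & 07777;
}
```

O_NOFOLLOW only guards the final path component, so a log directory writable only by the server user remains the stronger fix than any check on a file under /tmp.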





Embperl configuration directives ignored

1999-12-03 Thread Christian Gilmore

I'm not seeing the proper behavior from either EMBPERL_LOG or EMBPERL_DEBUG.
Here's the configuration in httpd.conf:

Perlrequire  /www/www/lib/modperl-startup.pl
PerlSetEnv EMBPERL_OPTIONS  2178
PerlSetEnv EMBPERL_LOG  /tmp/embperl_testlog
PerlSetEnv EMBPERL_DEBUG0
PerlSetEnv EMBPERL_MAIL_ERRORS_TO   embperl

Running apache-1.3.9 / mod-perl-1.21 / embperl 1.2b11. These environment
variables are being properly set by apache (I can see them with [$ while ($k,
$v) = each (%ENV) $][+ $k +] = [+ $v +]<br>[$ endwhile $]), but they are
apparently being ignored by Embperl. The log that gets created is the default
/tmp/embperl.log and it continues to be written to upon occasion even though
debug is set to zero (btw, the setting to zero isn't documented, but Gerald
told me about it in a long ago query response). Does anyone else see this
behavior?

Regards,
Christian



$r->args missing data

1999-12-02 Thread Christian Gilmore

We just upgraded from apache-1.3.3/mod_perl-1.16 to
apache-1.3.9/mod_perl-1.21 on solaris-2.5.1. $r->args does not contain any
data for us now when it did before during the URI translation phase.

We're running a minimal system, so many modules have been stripped from the
build (included is one home-grown module mod_pushweb which does no
modification whatsoever of request_rec). We put in some extra debug lines into
both apache's httpd_main.c and mod_perl's mod_perl.c.

It appears that both apache and mod_perl internally have r->args correct, yet
it doesn't make it up to the TransTest module. This same TransHandler code
worked just fine in the previous 1.3.3/1.21 build. Can anyone see the problem?

Included below are:

 * build commands we used
 * httpd.conf snippets relating to mod_perl
 * the TransTest module which demonstrates the problem
 * the error_log

The build commands for mod_perl:
 perl Makefile.PL USE_APACI=1 PERL_TRANS=1 PERL_STACKED_HANDLERS=1
 (answer 'y' to the first question, 'n' to the second)
 make all
 make install

The build commands for apache:

 configure
--disable-module=actions \
--disable-module=alias --disable-module=asis \
--disable-module=auth --disable-module=autoindex \
--disable-module=cgi --disable-module=dir \
--disable-module=env --disable-module=imap \
--disable-module=include --disable-module=mime \
--disable-module=negotiation --disable-module=setenvif \
--disable-module=status --disable-module=userdir \
--activate-module=src/modules/mod_pushweb/libmod_pushweb.a \
--activate-module=src/modules/perl/libperl.a \
--enable-module=apache_ssl
 make

From httpd.conf:

 PerlRequire /weblab/services/pushweb/lib/TransTest.pm
 PerlTransHandler TransTest

The module:

 package TransTest;
 use lib qw(/weblab/services/pushweb/lib);
 use strict;
 use Apache::Constants ':common';
 use Apache::Log;

 sub handler {
   my($r) = @_;
   $r->handler("perl-script");
   $r->push_handlers(PerlHandler => \&transtest_handler);
   return OK;
 }

 sub transtest_handler {
   my($r) = @_;
   my $log = $r->server->log;

   $log->debug("TransTest Handler entry");

   $log->debug("The Entire Request: " . $r->as_string);
   $log->debug("The Request Line: " . $r->the_request);
   $log->debug("The Path Information: " . $r->uri);
   $log->debug("The Args: " . $r->args);

   my $response = "<html><body>TransTest ";
   $response .= "response</body></html>\n";

   $r->no_cache(1);
   # Apache's no-caching (as of 1.3.0) is broken.
   # It just modifies stamp
   $r->header_out('Pragma', 'no-cache');
   $r->header_out('Cache-control', 'no-cache');
   $r->header_out('Content-Length', length($response));
   $r->send_http_header();
   $r->print($response);

   $log->debug("TransTest Handler exit");
   return OK;
 }


 1;

 __END__

From the error_log:

[Thu Dec  2 17:07:08 1999] [notice] Apache/1.3.9 Ben-SSL/1.37 (Unix)
mod_perl/1.21 configured -- resuming normal operations
[Thu Dec  2 17:07:08 1999] [info] Server built: Dec  1 1999 19:11:25
[Thu Dec  2 17:07:21 1999] [debug] apache_ssl.c(1718): CIPHER is RC4-MD5
[Thu Dec  2 17:07:21 1999] [debug] buff.c(263): read returned 310 rwstate=3
state=3 rstate=240 cren=0 aren=0 accept=1
[Thu Dec  2 17:07:21 1999] [error] [client 135.207.24.19] before ap_parse_uri
[Thu Dec  2 17:07:21 1999] [error] [client 135.207.24.19] after ap_parse_uri
args=foo=bar
[Thu Dec  2 17:07:21 1999] [debug] mod_perl.c(884): before callup to
perltranshandler, args=foo=bar
[Thu Dec  2 17:07:21 1999] [debug] mod_perl.c(887): after callup to
perltranshandler, args=foo=bar
[Thu Dec  2 17:07:21 1999] [debug]
/weblab/services/pushweb/lib/TransTest.pm(18): TransTest Handler entry
[Thu Dec  2 17:07:21 1999] [debug]
/weblab/services/pushweb/lib/TransTest.pm(20): The Entire Request: GET
/login=cgilmore/?foo=bar HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Charset: iso-8859-1,*,utf-8
Accept-Encoding: gzip
Accept-Language: en
Connection: Keep-Alive
Host: absent.research.att.com
User-Agent: Mozilla/4.61 [en] (X11; U; SunOS 5.7 sun4u)

HTTP/1.0 (null)


[Thu Dec  2 17:07:21 1999] [debug]
/weblab/services/pushweb/lib/TransTest.pm(21): The Request Line: GET
/login=cgilmore/?foo=bar HTTP/1.0
[Thu Dec  2 17:07:21 1999] [debug]
/weblab/services/pushweb/lib/TransTest.pm(22): The Path Information:
/login=cgilmore/
[Thu Dec  2 17:07:21 1999] [debug]
/weblab/services/pushweb/lib/TransTest.pm(23): The Args:
[Thu Dec  2 17:07:21 1999] [debug]
/weblab/services/pushweb/lib/TransTest.pm(35): TransTest Handler exit



Thanks,
Christian

-
Christian Gilmore
Senior Technical Staff Member
AT&T Labs IP Technology, Florham Park
[EMAIL PROTECTED]
http://www.research.att.com/info/cgilmore



RE: Trying not to re-invent the wheel

1999-11-10 Thread Christian Gilmore

I found that writing my own parser to fit my specific need was far and away
the fastest thing I could do. It really depends upon your specific
application. HTML::Parser is nice if you want to see the structure of the
document you're parsing but is just too slow to use for wresting particular tags
from a document... If you're interested, I could forward you the code snippet
I wrote as it is part of a package we've obtained a software release from AT&T
called absent (see http://www.research.att.com/projects/absent/ for more).

Regards,
Christian

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On
 Behalf Of Ian Mahuron
 Sent: Wednesday, November 10, 1999 1:10 PM
 To: Ian Mahuron; ModPerl
 Subject: RE: Trying not to re-invent the wheel



 As per someone's suggestion I'll elaborate on what's in the HTML...

 Insert code for advertisement (there's 1,000's of different ads on the
 site.):
 <ADVERTISMENT id=252>

 Insert news scroller:
 <NEWS_ITEM id=92834 bgcolor="#0066FF">

 There will be at least 50 similar tags.. so I'm not parsing for just a
 couple of tags like HTML::Template..

 I may implement IF/LOOPS/etc.. but not until I see the need.

 I've written up a few test benches for HTML::Parser.. it works ok, but it's
 not as fast as I would like it to be.

 Ian





Apache::SpeedLimit and problems with IPC::Shareable

1999-11-10 Thread Christian Gilmore

I inserted Apache::SpeedLimit into one of our servers the other day. It works
as advertised, but I'm now seeing errors in the error_log that are coming from
Apache::SpeedLimit/IPC::Shareable. I wonder if anyone else has had this
problem.

From the error_log:

  [Wed Nov 10 13:28:55 1999] [notice] Apache/1.3.9 (Unix)
  mod_perl/1.21 mod_ssl/2.4.2 OpenSSL/0.9.4 configured
  -- resuming normal operations
  [Wed Nov 10 13:28:55 1999] [notice] suEXEC mechanism
  enabled (wrapper: /www/www/apache/bin/suexec)
  panic: restartop
  panic: POPSTACK
  Callback called exit.
  panic: restartop
  panic: POPSTACK
  Callback called exit.
  panic: restartop
  panic: POPSTACK
  Callback called exit.
  panic: restartop
  panic: POPSTACK
  Callback called exit.
  panic: restartop
  panic: POPSTACK
  Callback called exit.
  [Wed Nov 10 13:29:14 1999] [notice] caught SIGTERM,
  shutting down

My software/hardware setup:

  IRIX64 akalice 6.5 11051732 IP25
  mod_perl-1.21
  apache-1.3.9
  Apache::SpeedLimit direct from the "Apache Modules" book

My apache configuration:

  <Location />
  PerlAccessHandler  Apache::SpeedLimit
  PerlSetVar SpeedLimit  61
  PerlSetVar SpeedSamples 20
  PerlSetVar SpeedForgive 10
  </Location>

Output from ipcs:

  [akalice:www] /_ ipcs -mbcopt
  IPC status from /dev/kmem as of Wed Nov 10 13:42:19 1999
  T ID KEYMODE   OWNERGROUP  CREATOR
  CGROUP NATTCH SEGSZ   CPID  LPID   ATIMEDTIMECTIME
  Shared Memory:
  m  0 0x53637444 --rw-r--r-- root root root
  root  1  200382   382  9:40:42 no-entry  9:40:42
  m140 0x53504c4d --rw-r--r-- www-nobo www-nobo www-nobo
  www-nobo  0 65536 73426277621049 13:29:07 13:29:07 16:13:46



Any help on this would be appreciated.

Regards,
Christian

-
Christian Gilmore
Senior Technical Staff Member
AT&T Labs IP Technology, Florham Park
[EMAIL PROTECTED]
http://www.research.att.com/info/cgilmore



RE: Embperl [- -] annoyance

1999-11-09 Thread Christian Gilmore

Auto-generated Mathematica output... People who choose to put optional
information within a document inside of brackets... I have hundreds of
examples here on our site (http://www.research.att.com/) where we've bumped
up against the use of square brackets followed by one of the key characters
used for purposes not intended to be Embperl...

Regards,
Christian

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On
 Behalf Of Gerald Richter
 Sent: Tuesday, November 09, 1999 1:53 PM
 To: Christian Gilmore; 'David Bushong'; [EMAIL PROTECTED]
 Subject: RE: Embperl [- -] annoyance


 
  This would be taken care of if the delimiters for Embperl
 tags weren't so
  common in everyday use.

 Sorry, but in my "everyday use" they are not so common. The only case I know
 where it occurs is the regex that David and Steve described. Do you know
 other cases where this will be a problem?

  Gerald has said he'll work on making the
  delimiters
  definable (so one could use straight html comments, for instance)
  in the next
  version (ie, 1.3).
 

 Yes, I will add the options to configure it. This may solve some problems,
 other delimiters may create other problems...

 I have chosen the [-/+ ... +/-] very carefully to avoid such situations as
 often as possible, also there may be better delimiters, but with HTML comments
 for example, things like

 <td bgcolor="[+ $bg +]"> will not work, because you can't nest html tags.

 Gerald

 ---
 Gerald Richter  ecos electronic communication services gmbh
 Internet - Infodatenbanken - Apache - Perl - mod_perl - Embperl

 E-Mail: [EMAIL PROTECTED] Tel:+49-6133/925151
 WWW:http://www.ecos.de  Fax:+49-6133/925152
 ---





RE: Embperl and Apache LogLevel configuration

1999-10-19 Thread Christian Gilmore

 ...and Embperl runs under mod_perl? Not as CGI? In CGI mode the only chance
 is to print to stderr, which always shows up in the error log. Under
 mod_perl, the timestamp should appear and the message only gets logged when
 loglevel is error or below.

 If you run under mod_perl, how do you call the page?

Here's the portion of my httpd.conf that deals with Embperl:

# startup.perl loads all functions that we want to use within mod_perl
Perlrequire  /www/www/lib/modperl-startup.pl

SetEnv EMBPERL_LOG /dev/null
# Below environment tells embperl to pass errors through and not complain
# as well as to not chdir on each request
SetEnv EMBPERL_OPTIONS 130
# Below environment tells embperl to log only grievous errors
SetEnv EMBPERL_DEBUG 1
# We could use the below to parse and re-mail errors
SetEnv EMBPERL_MAIL_ERRORS_TO embperl

<FilesMatch ".*\.html$">
SetHandler  perl-script
PerlHandler HTML::Embperl
Options +ExecCGI
</FilesMatch>


Here's modperl-startup.pl:

# @(#)  SID: 1.1;  module: modperl-startup.pl;  last changed: 10/19/99 10:30:06
use strict;

#modify @INC if needed
use lib qw(/www/www/lib);

# make sure we are in a sane environment.
$ENV{GATEWAY_INTERFACE} =~ /^CGI-Perl/ or die "GATEWAY_INTERFACE not Perl!";

# for things in the "/perl" URL
use Apache::Registry;

#load perl modules of your choice here
#this code is interpreted *once* when the server starts
use LWP::UserAgent ();
use HTML::Embperl;

#home-grown html border production
use Borders;

# tell me more about warnings
#use Carp ();
#$SIG{__WARN__} = \&Carp::cluck;

# Load CGI.pm and call its compile() method to precompile
# (but not to import) its autoloaded methods.
#use CGI ();
#CGI->compile(':all');
# Switch to the below when 2.49 is installed
use CGI qw(-compile :all);

1;

Here's a portion of error_log and access_log:

[Tue Oct 19 10:33:46 1999] [notice] Apache/1.3.9 (Unix) mod_perl/1.21
mod_ssl/2.4.2 OpenSSL/0.9.4 configured -- resuming normal operations
[Tue Oct 19 10:33:46 1999] [notice] suEXEC mechanism enabled (wrapper:
/www/www/apache/bin/suexec)
[4834290]ERR:  30: Line 1: Not found /www/www/research/reports/1099.html

bual.research.att.com - - [19/Oct/1999:10:33:50 -0400] "GET /reports/1099.html
HTTP/1.0" 404 335 "-" "Mozilla/4.61 [en] (X11; U; SunOS 5.7 sun4u)"



By the way, even though I "SetEnv EMBPERL_LOG /dev/null", /tmp/embperl.log
still is written to. I had to set that file to be a symlink to /dev/null.

Regards,
Christian