Re: mod_perl module documentation

2002-06-18 Thread Mads Toftum

On Tue, Jun 18, 2002 at 01:30:47PM -0400, Rich Bowen wrote:
> It has long frustrated me that there was no mod_perl module
> documentation, in the style of the standard Apache module documentation.
> I don't mean to bash the docs that are there - clearly, they are of
> exceptional quality. But I wanted something like the standard module
> docs.
> 
> So, rather than complaining, which would seem to be, at best, in poor
> taste, given the quantity of stuff that folks like Stas have already
> written, I've started on a mod_perl module doc, based on the Apache 2.0
> module documentation XML template. You can see the first cut at
> http://www.apacheadmin.com/mod_perl.html
> 
I like it a lot - but then again, I'm a big fan of the apache docs, so
this format is a big hit with me :)
I like the guide, but once you've been through it a couple of times
then this is the sort of document you need IMHO. 
Short, concise and more of a reference is the way to go, and it makes
life simpler for someone like me who admins apache more than mod_perl.

vh

Mads Toftum
-- 
`Darn it, who spiked my coffee with water?!' - lwall




Re: sending ssl certificate according to virtual host

2002-11-06 Thread Mads Toftum

On Wed, Nov 06, 2002 at 11:52:13AM -0500, Vivek Khera wrote:
> What they should have done is what is done now with TLS in SMTP.  You
> connect to the same port, but issue a "STARTTLS" command to switch
> over to secured mode.  With this type of scheme, the header info with
> the desired host could be in the initial request, so then you could
> pick the right certificates to use.  Alas, the HTTP protocol doesn't
> work this way as far as I can tell.
> 
An untested patch to support this in Apache 2 was sent to the dev@httpd
list by Ryan Bloom a few weeks back. Getting support for STARTTLS into
Apache is only the first step - so far no clients support it yet.

vh

Mads Toftum
-- 
`Darn it, who spiked my coffee with water?!' - lwall




Re: external access to intranet

2000-04-05 Thread Mads Toftum

I've had to do something similar a while back, and ended up doing this without
modperl. I might end up switching to modperl one of these days.
It looks something like:

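-----      ----    ----------------------    -------------------------
|SSL|  ->  |FW| -> |proxy.internaldom.dk| -> |somehost.internaldom.dk|
-----      ----    ----------------------    -------------------------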

The frontend SSL server is set up with mod_proxy and has an entry
for each internal host that looks like:

ProxyPass /intra/somehost/  http://somehost.internaldom.dk/ 
ProxyPassReverse /intra/somehost/  http://somehost.internaldom.dk/

And then making sure that all is handled through the proxy:

ProxyRemote http http://proxy.internaldom.dk:12345/

The internal proxy is quite simply set up to push all html through one
simple regexp:  s|http://(\w+)\.internaldom\.dk|/intra/$1|g

Currently my proxy is based on http://muffin.doit.org/ NoThanks, but
will probably end up as some kind of Apache/mod_perl once I get my
new proxy machine.

There are two obvious advantages to this approach - only one regexp,
which means only one pass of the html is needed and that the connection
from the external machine through the firewall is restricted to one
simple rule in the FW machine and that it can be easily protected with
encryption/authentication.

This probably doesn't answer your question ;-) But I hope that at least
the idea is useful.

vh

Mads Toftum, QDPH
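
Added example, not part of the original post and not the poster's configuration: the same gateway with the link rewrite done on the SSL front end by mod_substitute instead of a separate rewriting proxy. It assumes Apache 2.4 with mod_proxy, mod_headers and mod_substitute loaded; the host names and port are the ones from the message.

```apache
# Reverse proxy only. Never let the gateway act as an open forward proxy.
ProxyRequests Off

# Every proxied request crosses the firewall to the one internal proxy,
# so the firewall still needs only a single rule.
ProxyRemote http http://proxy.internaldom.dk:12345/

<Location "/intra/somehost/">
    ProxyPass        "http://somehost.internaldom.dk/"
    # Rewrites Location headers on redirects issued by the internal host.
    ProxyPassReverse "http://somehost.internaldom.dk/"

    # Ask for uncompressed responses; the filter cannot edit gzip bodies.
    RequestHeader unset Accept-Encoding

    # One pass over HTML bodies. The dots are escaped so that only
    # host names under internaldom.dk match.
    AddOutputFilterByType SUBSTITUTE text/html
    Substitute "s|http://(\w+)\.internaldom\.dk|/intra/$1|"
</Location>
```

Internal hosts without their own ProxyPass block stay unreachable from outside, because rewritten links to them resolve to nothing on the gateway.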




Re: external access to intranet

2000-04-05 Thread Mads Toftum

On Wed, Apr 05, 2000 at 03:37:23PM +0200, Jonas Nordström wrote:
[SNIP]
> For example, if
> the HTML contains "" I want to change that to 
> "https://gateway_server/intranet_host/path/myfile.html>"
> 
Actually links like that aren't a problem - the browser will think of it
relative to its current position, which means that a link like:
 in a page like https://gateway_server/intranet_host/
will be automatically requested as 
https://gateway_server/intranet_host/path/myfile.html

So basically that specific example isn't a problem - something like 
http://intranet_host/"> would be a problem.

vh

Mads Toftum, QDPH




Re: 2 server setup w/mod_proxy with a per-filename filter

2000-05-01 Thread Mads Toftum

On Mon, May 01, 2000 at 01:31:26PM -0300, Martin A. Langhoff wrote:
> The only workaround I foresee might be using mod_rewrite, but I'd
> rather not :), does anyone have a better idea? Or maybe a few examples
> of mod_rewrite use that work in this case?

mod_rewrite is quite nice for such a setup - I usually end up with a mix
of proxy and rewrite to get the job done.
Lots of examples are available in http://www.apache.org/docs/misc/rewriteguide.html


vh

Mads Toftum
-- 
`Darn it, who spiked my coffee with water?!' - lwall



Re: proxy requests via mod_proxy

2000-06-14 Thread Mads Toftum

Take a look at ftp://ftp.netcetera.dk/pub/apache/mod_proxy_add_forward.c
It could be a way to solve your problem.


vh

Mads Toftum
-- 
`Darn it, who spiked my coffee with water?!' - lwall




Re: Proxy setup w/ SSL

2000-08-08 Thread Mads Toftum

On Tue, Aug 08, 2000 at 05:08:36PM +0100, Matt Sergeant wrote:
> 
> Keep-alives. To be able to do that you need to store your output and make
> sure that your solution sends the appropriate headers that don't kill
> keep-alive. These include Content-Length (which is why you need to store
> your output before sending it) and some others which I forget, anyone?
> 
Unfortunately keep-alive doesn't work too well with SSL and MSIE :(
SSL Session caching is the way to go instead - an SSL cache hit (i.e. no
RSA operations) is probably about a hundred times faster than having to set
up the session from scratch. 

vh

Mads Toftum
-- 
`Darn it, who spiked my coffee with water?!' - lwall




Re: Proxy setup w/ SSL

2000-08-08 Thread Mads Toftum

On Tue, Aug 08, 2000 at 04:07:58PM +, Nigel Hamilton wrote:
>  Also, does anyone know a way to speed up SSL somehow?

Well worth a read is http://www.awe.com/mark/apcon2000/ which
covers most of the performance related issues.
Also note that the openssl project is currently adding hardware
accelerator support which might end up giving us some cheaper
hw options in the future.

vh

Mads Toftum
-- 
`Darn it, who spiked my coffee with water?!' - lwall




Re: RSA_PKCS1_RSAref : That old question

2000-12-03 Thread Mads Toftum

On Sat, Dec 02, 2000 at 10:14:51PM -0500, [EMAIL PROTECTED] wrote:
> Debian-2.2.17
> Perl-5.6.0 --prefix=/opt
> apache_1.3.14
> mod_perl-1.24_01
> mod_ssl-2.7.1-1.3.14
> openssl-0.9.6
> rsaref-2.0 from ftp://www.spinnaker.com/pub/crypt/rsaref

Don't use RSAREF. Support for RSAREF was removed from mod_ssl in
version 2.7.0-1.3.14 because there is no reason to use it at all.
Just rebuild your openssl without RSAREF.

vh

Mads Toftum
-- 
`Darn it, who spiked my coffee with water?!' - lwall






Re: [OT] 128 bit encryption and IE

2001-05-07 Thread Mads Toftum

On Mon, May 07, 2001 at 11:39:59AM -0400, Geoffrey Young wrote:
> Hi all...
>
>   sorry for the OT, but has anyone figured out how to tell whether a browser
> supports 56 or 128 bit encryption?  Apparently, users of IE with 56 bit,
> when entering a 128 bit page, get the standard Cannot Find Server error page
> with little in the way of directions to help the EU know to upgrade.

If you set your site to accept only 128 bit ciphers, this is what will happen
because the browsers that are capable of upgrading from 56 to 128 bit
encryption do this by first connecting at 56 and then renegotiating at 128.
See also http://www.modssl.org/source/exp/mod_ssl/pkg.mod_ssl/README.GlobalID
>
>   has anyone battled this and come up with an elegant solution?
>
It would of course help a bit if you told us which server you're trying to
do this on ;-) With Apache+mod_ssl it is quite simple - just configure it
to allow the weak ciphers, and then limit actual access by using SSLRequire
to allow only >= 128 bits encryption.


vh

Mads Toftum
-- 
`Darn it, who spiked my coffee with water?!' - lwall
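
Added example, not part of the original post: the Apache+mod_ssl arrangement described above, written for an Apache 1.3 / mod_ssl build of that period. The directory path and the error page name are assumptions.

```apache
<VirtualHost _default_:443>
    SSLEngine on

    # Handshake: also accept the export-grade suites, so that browsers
    # which start at 56 bits and step up can connect at all.
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

    # Access check: refuse any request whose connection ended up below
    # 128 bits. A failed SSLRequire produces an ordinary HTTP 403
    # rather than a failed handshake.
    <Directory "/usr/local/apache/htdocs/secure">
        SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
    </Directory>

    # Because the refusal is an HTTP response, the user can be shown
    # upgrade instructions. The page must live outside the protected
    # directory (hypothetical file name).
    ErrorDocument 403 /upgrade.html

    # Caveat: SSLRequire runs after the request has been read, so the
    # request line, headers and cookies of a refused request have
    # already crossed the wire under the weak cipher.
</VirtualHost>
```

Current OpenSSL releases no longer ship export suites, so on a present-day server the restriction is made in SSLCipherSuite alone.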




Re: SSL and thin/fat server setups.

2001-07-01 Thread Mads Toftum

On Fri, Jun 29, 2001 at 02:07:50PM -0500, Christopher L. Everett wrote:
> Hello all,
> 
> I've been running apache+mod_perl servers with apache+mod_ssl
> front-ends, and been quite happy with this type of setup for 
> quite some time.
> 
> Now I need to use SSL certificates for authenticating users 
> of an online database.  It seems like there's no way to get 
> the SSL information that the front-end sees to the back-end
> server because the SSL protocol underlies the HTTP protocol
> (outside of writing a custom apache module, and passing back 
> the cert info in headers) and there's no such thing as an SSL 
> proxy module that I've been able to find.
> 
I did make a module like that last year - it is available from
http://www2.toftum.dk/apache/

vh

Mads Toftum
-- 
`Darn it, who spiked my coffee with water?!' - lwall
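
Added example, not part of the original post and not the module linked in it: passing client certificate details from the SSL front end to the back end in request headers with mod_headers, as the question describes. It assumes Apache 2.4 with mod_ssl, mod_proxy and mod_headers; the header names, host name, address and file paths are hypothetical.

```apache
# --- Front end: terminates SSL and verifies the client certificate ---
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile    "/etc/apache/ssl/server.crt"
    SSLCertificateKeyFile "/etc/apache/ssl/server.key"
    SSLCACertificateFile  "/etc/apache/ssl/client-ca.crt"
    SSLVerifyClient require
    SSLVerifyDepth  1

    # "set" replaces any header of the same name sent by the client,
    # so a browser cannot supply its own identity.
    RequestHeader set X-SSL-Client-Verify "%{SSL_CLIENT_VERIFY}s"
    RequestHeader set X-SSL-Client-S-DN   "%{SSL_CLIENT_S_DN}s"

    ProxyRequests Off
    ProxyPass        "/" "http://backend.example.internal:8080/"
    ProxyPassReverse "/" "http://backend.example.internal:8080/"
</VirtualHost>

# Any plain-HTTP virtual host that proxies to the same back end has to
# strip the headers, or a client could forge them there:
#     RequestHeader unset X-SSL-Client-Verify
#     RequestHeader unset X-SSL-Client-S-DN

# --- Back end (mod_perl server) ---
# The headers are only trustworthy if nothing but the front end can
# reach this server (192.0.2.10 stands for the front end's address).
<Location "/">
    Require ip 192.0.2.10
</Location>
```

The back-end handler should treat the request as authenticated only when X-SSL-Client-Verify is exactly SUCCESS.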