Re: [OT] auth modules

2000-07-20 Thread Matt Carothers



On Tue, 18 Jul 2000, martin langhoff wrote:

> The marketing dept here wants something really weird: they
> want to publish a datasheet in a 'protected' page, but they want the
> usr/pw hashes to be 'one time only'. So the user must be deleted after
> the first time it is used.

That should be all but trivial to implement.  Off the top of my head:

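use Apache::Constants qw(OK AUTH_REQUIRED);
use DB_File;

my $password_file = '/path/to/passwords.db';   # placeholder path

sub handler
{
    my $r = shift;

    # Only execute for the first internal request
    return OK unless $r->is_initial_req;

    # Replace this with your favorite data store.
    # Note: there is no locking here, so two simultaneous requests can
    # both pass the check before the key is deleted.
    tie my %password, 'DB_File', $password_file
        or die "can't initialize $password_file: $!";

    # Get the username and password sent from the client
    my ($res, $sent_pw) = $r->get_basic_auth_pw;
    return $res if $res != OK;
    return AUTH_REQUIRED if !$sent_pw;
    my $username = $r->connection->user;

    # Unknown (or already used) users have no stored hash; reject them
    # instead of calling crypt() with an undefined salt.
    my $stored = $password{$username};
    return AUTH_REQUIRED if !defined $stored;

    # crypt() the sent password and see if it matches the stored one
    if (crypt($sent_pw, $stored) eq $stored)
    {
        # If so, delete the key and return OK
        delete $password{$username};
        $r->connection->auth_type('Basic');
        $r->connection->user($username);

        return OK;
    } else {
        # Otherwise return AUTH_REQUIRED
        return AUTH_REQUIRED;
    }
}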

- Matt




Re: best encryption module

2000-07-09 Thread Matt Carothers



On Fri, 7 Jul 2000, clayton cottingham aka drfrog wrote:

> what's the best encryption module for use with mod perl?
> i want to encrypt passwords stored in a db and then be able to check
> what a user inputs against it

Perl has a built-in crypt() function.  The actual encryption algorithm used
depends on your system's C library.  Older systems still use 56-bit DES.  
Newer ones may use something stronger like MD5 or Blowfish.  See your crypt(3)
manpage and `perldoc -f crypt` for more information.

- Matt
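
An added example for the reply above (not code from the original message): because the algorithm behind crypt() depends on the C library, this Perl code probes which salted schemes the local crypt() supports, hashes with the strongest one, and verifies a login attempt against the stored hash. The function names, the probe order and the use of /dev/urandom for salts are assumptions of this example.

```perl
use strict;
use warnings;

# Scheme prefixes to probe, strongest first. Traditional DES has no prefix.
my @SCHEMES = (['sha512-crypt', '$6$'], ['sha256-crypt', '$5$'], ['md5-crypt', '$1$']);

# Return [name, prefix] of the strongest scheme this libc's crypt() supports.
sub best_scheme {
    for my $s (@SCHEMES) {
        my $h = crypt('probe', $s->[1] . 'probesalt$');
        # A libc without the scheme returns undef or a short DES-style hash.
        return $s if defined $h && index($h, $s->[1]) == 0 && length($h) > 20;
    }
    return undef;    # only traditional DES is available
}

# Build an n-character salt from the crypt() salt alphabet.
sub random_salt {
    my ($n) = @_;
    my @alphabet = ('.', '/', 0 .. 9, 'A' .. 'Z', 'a' .. 'z');
    open my $fh, '<:raw', '/dev/urandom' or die "no /dev/urandom: $!";
    read($fh, my $bytes, $n) == $n or die "short read from /dev/urandom";
    return join '', map { $alphabet[ord($_) & 63] } split //, $bytes;
}

sub hash_password {
    my ($plain) = @_;
    my $scheme = best_scheme()
        or die "crypt() here only offers DES, which ignores input past 8 characters\n";
    return crypt($plain, $scheme->[1] . random_salt(16) . '$');
}

# The stored hash carries its own scheme and salt, so it is passed back
# to crypt() as the salt argument when checking a password.
sub verify_password {
    my ($plain, $stored) = @_;
    return 0 unless defined $stored && length $stored;
    my $h = crypt($plain, $stored);
    return defined $h && $h eq $stored ? 1 : 0;
}

my $stored = hash_password('correct horse battery staple');   # constructed sample
printf "scheme=%s stored=%s\n", best_scheme()->[0], $stored;
printf "right password: %d, wrong password: %d\n",
    verify_password('correct horse battery staple', $stored),
    verify_password('wrong guess', $stored);
```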




Re: Problems with Apache::DBI

2000-06-12 Thread Matt Carothers



On Mon, 12 Jun 2000, Rob Tanner wrote:

> Believe it or not, it's the simplest task in the world.  In startup.pl add
> the line "PerlModule Apache::DBI"

You can either stick "PerlModule Apache::DBI" in your httpd.conf or add
'use Apache::DBI ();' to your startup.pl.  Also, for mysql, you'll need 
to add a keepalive routine to your startup.pl:

sub Apache::DBI::db::ping {
    my $dbh = shift;
    return $dbh->do('select 1');
}

- Matt






Re: mod_perl and IPC

2000-05-23 Thread Matt Carothers



On Mon, 22 May 2000, DeWitt Clinton wrote:

> The problem had to do with large numbers of objects in the cache.
...
> Right now, things are in a holding pattern because I'm finding a limit
> on the number of objects I can put in the cache (less than 100, so it
> is an issue).  Hopefully Sam will offer some insight here.

I ran into this with IPC::SharedCache a couple of months ago and had some
discussion with Sam about it.  The problem is a lack of shared memory
segments and/or semaphores compiled into the kernel.  IIRC, the default for
both under Linux is 128.  The BSD system I was trying to use only had 32
segments and something like 10 semaphore identifiers.  In order to scale
a system, you'll need to recompile the kernel with higher limits.

- Matt




Re: mod_perl and BSDi 4.1

2000-05-21 Thread Matt Carothers



On Fri, 19 May 2000, Russell Hay wrote:

> BSDi/4.1 ... cannot find libperl.so.

Find the directory on your machine with libperl.so in it  
(probably /usr/libdata/perl5/i386-bsdos/5.00402/CORE or
/usr/local/lib/perl5/5.00502/i386-bsdos/CORE/), add it to
/etc/ld.so.conf, and run ldconfig.

- Matt




Re: 2 server setup w/mod_proxy with a per-filename filter

2000-05-01 Thread Matt Carothers



On Mon, 1 May 2000, Martin A. Langhoff wrote:

> hi,
>
> I'm trying to implement a one light + one fat apache server setup
> and I'm
..
> wanting it to proxy everything that looks ~ \.pl$

See
http://forum.swarthmore.edu/epigone/modperl/mimzhingleh/[EMAIL PROTECTED]
for some mod_rewrite examples from a couple of weeks ago on this list.

- Matt




Re: perldo file -- does NOTHING

2000-04-22 Thread Matt Carothers



On Fri, 21 Apr 2000, w trillich wrote:

> the entire listing for startup.pl is:
>
>   package Apache::ReadConfig;
>
>   Apache->httpd_conf("Clavis");
>   Apache->httpd_conf("/Frammistat");
>   Apache->httpd_conf("Chibblewink 1/2%3'*");
>   Apache->httpd_conf("isn't this wonderful?");

You need to use() the Apache module in order to access its methods.  Add 
this to the top of your startup.pl:

BEGIN
{ 
use Apache();
}

- Matt





Re: Implementing security in CGI

2000-04-22 Thread Matt Carothers



On Fri, 21 Apr 2000, Gunther Birznieks wrote:

> At 01:44 PM 4/20/00 -0500, Matt Carothers wrote:
>
> > Another big win is that the secure token can persist across multiple
> > servers.
>
> What would prevent the token from being across multiple servers otherwise?

It's beneficial when compared to a non-token system like apache's basic
auth, where your browser won't (or shouldn't anyway) send your credentials 
to multiple hosts, and you end up having to enter your password over and 
over.

Regarding cookies vs. url mangling, you could use urls as easily as 
cookies.  Just unpack your encrypted data into hex and shove it right 
into the url.  It would make for some pretty long urls, but I've seen
worse on search engines. :)
 
> The nice thing about your encryption is that it makes the cookie into a
> kind of pseudo client certificate -- providing information. But at the same
> time, I would be concerned that that sort of Encryption overhead (on top of
> SSL) seems like it would add load to the server.
>
> How does it work for you in real world use?

It works great for my purposes, but my servers are very lightly loaded.

> I suppose it poses an
> interesting tradeoff... with that method you don't have to maintain real
> session persistence since you have it in your decrypted data? So then you
> can avoid an extra IO going to a database or flatfile to retrieve the
> session info.
>
> Am I getting this correct?

Exactly.  It's a cpu vs. i/o tradeoff.  It takes more processor power to
decrypt/encrypt a cookie on each hit, but you only have to query the database
once for each session.

- Matt




Re: Implementing security in CGI

2000-04-20 Thread Matt Carothers



On Thu, 20 Apr 2000, DeWitt Clinton wrote:

> 5) The secure token is associated on the server side (preferably on
> another tier, such as a database) with the user identification token.
> Additionally, to support secure session timeouts, the current time
> must be recorded.

An easy way to implement timeouts is to store a timestamp and a lifetime 
in the secure token itself.  For instance, the handler I wrote for our
web-based administration system at work concatenates the user's username,
ip address, the current time, and a lifetime then encrypts them with 
Blowfish and sends out the ciphertext in a cookie.  Each time a user 
connects, the PerlAuthenHandler decrypts the token and verifies that
timestamp + lifetime > current time.
 
> Briefly, the advantage to using cookies is that:
>
> a) The user identification token can persist between browser sessions,
> provided they don't explicitly log out.

Another big win is that the secure token can persist across multiple
servers.  I implemented my cookie-based PerlAuthenHandler because our
administration system is spread out over four servers.  Using Basic
authentication, users had to re-enter their password for each one.  With
cookies, they can authenticate once on the main server and access the rest
with the token.
 
> Over the past six months, eZiba was overwhelmed by requests to use
> this technology.  I'm happy to say that we are spinning off a new
> venture, Avacet, Inc., to make this platform available to the
> community.  And here's the best part -- everything Avacet does will be
> available open source and free via the GPL.

I look forward to seeing it.

- Matt
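
An added example of the self-contained token described in the message above (not the handler from the original message): username, IP address, issue time and lifetime are Blowfish-encrypted, and the expiry test is the one quoted. The HMAC over the ciphertext is an addition the message does not mention, included so an altered cookie is rejected before decryption; the keys, the NUL field separator, the function names and the installed Crypt::CBC and Crypt::Blowfish modules are assumptions.

```perl
use strict;
use warnings;
use Crypt::CBC;                        # CPAN; also needs Crypt::Blowfish
use Digest::SHA qw(hmac_sha256_hex);   # core module

# Constructed demo keys (assumption); load real ones from protected config.
my $ENC_KEY = 'constructed-demo-encryption-key';
my $MAC_KEY = 'constructed-demo-mac-key';
sub cipher { Crypt::CBC->new(-key => $ENC_KEY, -cipher => 'Blowfish') }

# Constant-time string comparison for the MAC check.
sub secure_eq {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Token = hex(Blowfish-CBC(user \0 ip \0 issued \0 lifetime)) . "." . HMAC
sub make_token {
    my ($user, $ip, $lifetime, $now) = @_;
    my $ct = cipher()->encrypt_hex(join "\0", $user, $ip, $now // time, $lifetime);
    return $ct . '.' . hmac_sha256_hex($ct, $MAC_KEY);
}

# Returns the username for a valid token, undef otherwise.
sub check_token {
    my ($token, $ip, $now) = @_;
    my ($ct, $mac) = split /\./, ($token // ''), 2;
    return undef unless defined $ct && defined $mac;
    # Authenticate the ciphertext before decrypting anything.
    return undef unless secure_eq($mac, hmac_sha256_hex($ct, $MAC_KEY));
    my ($user, $tok_ip, $issued, $lifetime) = split /\0/, cipher()->decrypt_hex($ct);
    return undef unless defined $lifetime && $tok_ip eq $ip;
    # The test from the message: timestamp + lifetime > current time
    return undef unless $issued + $lifetime > ($now // time);
    return $user;
}

my $t = make_token('alice', '192.0.2.10', 900, 1_000_000);   # constructed values
(my $forged = $t) =~ s/^(.)/$1 eq '0' ? '1' : '0'/e;         # change one hex digit
my %cases = (
    'within lifetime' => check_token($t, '192.0.2.10', 1_000_600),
    'expired'         => check_token($t, '192.0.2.10', 1_000_900),
    'other address'   => check_token($t, '192.0.2.99', 1_000_600),
    'tampered'        => check_token($forged, '192.0.2.10', 1_000_600),
);
printf "%-16s %s\n", $_, $cases{$_} // 'rejected' for sort keys %cases;
```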




Re: [RFC] Do Not Run Everything on One mod_perl Server

2000-04-19 Thread Matt Carothers



On Tue, 18 Apr 2000, Stas Bekman wrote:

> Let's assume that you have two different sets of scripts/code which
> have a little or nothing in common at all (different modules, no base
> code sharing), the basic mod_perl process before the code have been
> loaded of three Mbytes and each code base adds ten Mbytes when
> loaded. Which makes each process 23Mb in size when all the code gets
> loaded.

Can't you share most of that 23mb between the processes by pre-loading 
the scripts/modules in your startup.pl?  I'd say the main advantage of
engineering dissimilar services as if they were on separate servers is
scalability rather than memory use.  When a site outgrows the hardware 
it's on, spreading it out to multiple machines requires a lot less ankle 
grabbing if it was designed that way to begin with. :)

- Matt




Re: front end proxy and virtual hosts

2000-04-15 Thread Matt Carothers



On Mon, 10 Apr 2000, Eric Cholet wrote:

> The front-end light server, serving static requests and proxying
> dynamic requests to a back-end modperl server, is well documented,
> except in the case of virtual hosts. How do you do it?

On the front end:

<VirtualHost www.customer.com>
    DocumentRoot /vhosts/customer
    ProxyPass        /perl/ http://localhost/customer/perl/
    ProxyPassReverse /perl/ http://localhost/customer/perl/
</VirtualHost>

On the back end:

DocumentRoot /vhosts
BindAddress 127.0.0.1

<Directory /vhosts/*/perl>
    SetHandler perl-script
    # Or whatever
    PerlHandler Apache::Registry
    PerlSendHeader On
    Options +ExecCGI
</Directory>

- Matt




Re: Sharing memory between Apache processes

2000-04-04 Thread Matt Carothers



On Tue, 4 Apr 2000 [EMAIL PROTECTED] wrote:

> A good package for this is IPC::Shareable.  You can store info in semaphores
> and share it between processes.
>
> Except that I don't think you can you use shared memory (the semaphores are
> just flags) across multiple web servers, and I have been wrong before.
 
You can share memory segments between web servers with no trouble.
Depending on how you implement the storage, you may run into difficulties
with your operating system, though.  For instance, all the BSD derivatives 
I've investigated (FreeBSD, OpenBSD, and BSDi so far) only have 32 shared
segments and 10 semaphores compiled into the kernel by default.  In
contrast, the Linux kernel ships with 128 of each.

- Matt




Re: panic: POPSTACK, Callback called exit and Apache::Session's die seems to be resurrecting itself

2000-04-04 Thread Matt Carothers



On Tue, 4 Apr 2000, Sang Han wrote:

> Hi,
>
> Can someone help me out here?
...
> panic: POPSTACK
> Callback called exit.

Something in your module is calling Perl's exit() instead of $r->exit.

http:[EMAIL PROTECTED]

- Matt




Re: Breaking single line into multiple lines in code

2000-04-03 Thread Matt Carothers



On Mon, 3 Apr 2000, Ravi Malghan wrote:

> system("echo \"update alerts.journal set Text1 =
> '$PING' where Serial = $ARGV[0];\ngo\nquit\n\" |
> /opt/Omnibus/bin/nco_sql -server
> NCOMS_DC1  -user root -passwd gtsgroup");

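# Note: $PING and $ARGV[0] are interpolated into the SQL text unescaped.
open(NCO,
"|/opt/Omnibus/bin/nco_sql -server NCOMS_DC1 -user root -passwd gtsgroup")
    or die "can't start nco_sql: $!";
print NCO <<"END_SQL";
update alerts.journal set Text1 = '$PING' where Serial = $ARGV[0];
go
quit
END_SQL
close(NCO);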

- Matt

P.S. I really hope you're going to change that password. :)




Re: dynamically output messages on browser.

2000-04-02 Thread Matt Carothers


On Sun, 2 Apr 2000, Hui Zhu wrote:

> I wrote perl script to out put messages.
> It is supposed to output one line per 4 seconds.
> But  the server did not output the result per 4 seconds instead output
> all of results after 40 seconds

Set $| = 1;

OT: You can do neat stuff with $| = 1 and Javascript.  I wrote a CGI that
does some time consuming checks and displays the results by changing the
graphics on the output page with script blocks as the data comes in.
Both Netscape and IE execute the scripting as soon as they receive it, 
rather than waiting for the page to finish loading.

- Matt




Re: modperl/MySQL question

2000-02-11 Thread Matt Carothers



On Tue, 8 Feb 2000, Terry G Lorber II wrote:

> DBD::mysql::st execute failed: MySQL server has gone away at slashmod.pm
> line 23
[...]
> Is this a server problem, a perl problem, or a MySQL problem?  Do I need
> to adjust a timeout setting somewhere?

Sounds like you need Apache::DBI.

1) Enable Apache::DBI either with 'PerlModule Apache::DBI' in httpd.conf
   or 'use Apache::DBI ();' in your startup.pl.  Apache::DBI wraps some
   DBI methods to maintain persistent connections.

2) For MySQL, you'll need to add a keepalive routine to your startup.pl:

sub Apache::DBI::db::ping {
    my $dbh = shift;
    return $dbh->do('select 1');
}

3) Also, you may want to increase the mysqld connection timeout in my.cnf:

[mysqld]
set-variable = wait_timeout=129600

- Matt