Re: [OT] auth modules
On Tue, 18 Jul 2000, martin langhoff wrote:

> The marketing dept here wants something really weird: they
> want to publish a datasheet in a 'protected' page, but they want the
> usr/pw hashes to be 'one time only'. So the user must be deleted after
> the first time it is used.

That should be all but trivial to implement. Off the top of my head:

use strict;
use Apache::Constants qw(OK AUTH_REQUIRED);
use DB_File;

# Placeholder path; point this at your own password database.
my $password_file = '/path/to/passwords.db';

sub handler {
    my $r = shift;

    # Only execute for the first internal request
    return OK unless $r->is_initial_req;

    # Get the username and password sent from the client
    my ($res, $sent_pw) = $r->get_basic_auth_pw;
    return $res if $res != OK;
    return AUTH_REQUIRED if !$sent_pw;

    my $username = $r->connection->user;

    # Replace this with your favorite data store.
    # DB_File does no locking of its own; serialize access if two
    # requests can arrive with the same credentials at once.
    tie my %password, 'DB_File', $password_file
        or die "can't initialize $password_file: $!";
    my $stored = $password{$username};

    # crypt() the sent password and see if it matches the stored one
    if (defined $stored && crypt($sent_pw, $stored) eq $stored) {
        # If so, delete the key and return OK
        delete $password{$username};
        untie %password;
        $r->connection->auth_type('Basic');
        $r->connection->user($username);
        return OK;
    }

    # Otherwise return AUTH_REQUIRED
    untie %password;
    $r->note_basic_auth_failure;
    return AUTH_REQUIRED;
}

- Matt
Re: best encryption module
On Fri, 7 Jul 2000, clayton cottingham aka drfrog wrote:

> whats the best encryption module for use with mod perl?
> i want to encrypt passwords store in a db and then be able to check
> what a users inputs against it

Perl has a built-in crypt() function. The actual encryption algorithm used
depends on your system's C library. Older systems still use 56-bit DES.
Newer ones may use something stronger like MD5 or Blowfish. See your
crypt(3) manpage and `perldoc -f crypt` for more information.

- Matt
Re: bogus taint error?
On Sun, 2 Jul 2000, Michael Blakeley wrote:

> This is just plain weird. My last resort was to turn taint off:
>
> $ ls -l logs/httpd.pid
> -rw-rw-rw- 1 root other 6 Jul 2 19:23 logs/httpd.pid
> $ grep -i taint conf/httpd.conf
> #PerlTaintCheck On
> $ ls -l conf/httpd.conf
> -rw-r--r-- 1 root other 7437 Jul 2 17:22 conf/httpd.conf
>
> I'm not including any sort of startup.pl file. So taint is off, right?

Is the script running setuid or setgid? If the script's real and effective
uids or gids don't match, perl enables taint mode automatically. You might
add some debugging code to verify that $< == $> and $( == $).

- Matt
Re: Problems with Apache::DBI
On Mon, 12 Jun 2000, Rob Tanner wrote:

> Believe it or not, it's the simplest task in the world. In startup.pl add
> the line "PerlModule Apache::DBI"

You can either stick "PerlModule Apache::DBI" in your httpd.conf or add
'use Apache::DBI ();' to your startup.pl. Also, for mysql, you'll need to
add a keepalive routine to your startup.pl:

sub Apache::DBI::db::ping {
    my $dbh = shift;
    return $dbh->do('select 1');
}

- Matt
Re: mod_perl and IPC
On Mon, 22 May 2000, DeWitt Clinton wrote:

> The problem had to do with large numbers of objects in the cache.
...
> Right now, things are in a holding pattern because I'm finding a limit
> on the number of objects I can put in the cache (less than 100, so it
> is an issue). Hopefully Sam will offer some insight here.

I ran into this with IPC::SharedCache a couple of months ago and had some
discussion with Sam about it. The problem is a lack of shared memory
segments and/or semaphores compiled into the kernel. IIRC, the default for
both under Linux is 128. The BSD system I was trying to use only had 32
segments and something like 10 semaphore identifiers. In order to scale a
system, you'll need to recompile the kernel with higher limits.

- Matt
Re: mod_perl and BSDi 4.1
On Fri, 19 May 2000, Russell Hay wrote:

> BSDi/4.1
...
> cannot find libperl.so.

Find the directory on your machine with libperl.so in it (probably
/usr/libdata/perl5/i386-bsdos/5.00402/CORE or
/usr/local/lib/perl5/5.00502/i386-bsdos/CORE/), add it to /etc/ld.so.conf,
and run ldconfig.

- Matt
Re: 2 server setup w/mod_proxy with a per-filename filter
On Mon, 1 May 2000, Martin A. Langhoff wrote:

> hi,
>
> I'm trying to implement a one light + one fat apache server setup
> and I'm
..
> wanting it to proxy everything that looks ~ \.pl$

See http://forum.swarthmore.edu/epigone/modperl/mimzhingleh/[EMAIL PROTECTED]
for some mod_rewrite examples from a couple of weeks ago on this list.

- Matt
Re: Installing mod_perl when other things are required, too.
On Sat, 22 Apr 2000, Forrest Aldrich wrote:

> I need to also install apache with php and mod_ssl.

Here's the shell script I use. It will require some editing for your site.

- Matt

#!/bin/sh

# source directories for mod_ssl, mod_php3, mod_perl, and apache
MOD_SSL=/usr/local/src/mod_ssl-2.6.2-1.3.12
MOD_PHP=/usr/local/src/php-3.0.16
MOD_PERL=/usr/local/src/modperl
APACHE=/usr/local/src/apache_1.3.12

# server.crt and server.key for mod_ssl
SERVER_CRT=/var/httpd/conf/ssl.crt/server.crt
SERVER_KEY=/var/httpd/conf/ssl.key/server.key

# directory to install apache into
PREFIX=/var/httpd

build_mod_ssl() {
    echo "Building mod_ssl ..."
    cd $MOD_SSL
    ./configure --with-apache=$APACHE \
                --with-crt=$SERVER_CRT \
                --with-key=$SERVER_KEY
}

build_php3() {
    echo "Building php3 ..."
    if [ -f $APACHE/src/Makefile ]; then
        echo "Looks like apache has already been configured once. No need to fake it."
    else
        echo "Faking apache configuration ..."
        cd $APACHE
        ./configure --prefix=$PREFIX
    fi
    cd $MOD_PHP
    ./configure --with-mysql --with-apache=$APACHE --enable-track-vars
    make
    make install
}

build_apache() {
    echo "Building mod_perl and apache ..."
    cd $MOD_PERL
    perl Makefile.PL USE_APACI=1 \
        EVERYTHING=1 \
        APACHE_PREFIX=$PREFIX \
        APACHE_SRC=$APACHE/src \
        DO_HTTPD=1 \
        APACI_ARGS=--enable-module=rewrite,--enable-suexec,--suexec-caller=nobody,--suexec-docroot=/var/www,--suexec-gidmin=100,--activate-module=src/modules/php3/libphp3.a,--enable-module=so,--enable-module=ssl
    make
}

build_mod_ssl
build_php3
build_apache

# once everything's built, cd $MOD_PERL and make install
Re: Implementing security in CGI
On Fri, 21 Apr 2000, Gunther Birznieks wrote:

> At 01:44 PM 4/20/00 -0500, Matt Carothers wrote:
>
> >Another big win is that the secure token can persist across multiple
> >servers.
>
> What would prevent the token from being across multiple servers otherwise?

It's beneficial when compared to a non-token system like apache's basic
auth, where your browser won't (or shouldn't anyway) send your credentials
to multiple hosts, and you end up having to enter your password over and
over.

Regarding cookies vs. url mangling, you could use urls as easily as cookies.
Just unpack your encrypted data into hex and shove it right into the url.
It would make for some pretty long urls, but I've seen worse on search
engines. :)

> The nice thing about your encryption is that it makes the cookie into a
> kind of pseudo client certificate -- providing information. But at the same
> time, I would be concerned that that sort of Encryption overhead (on top of
> SSL) seems like it would add load to the server.
>
> How does it work for you in real world use?

It works great for my purposes, but my servers are very lightly loaded.

> I suppose it poses an
> interesting tradeoff... with that method you don't have to maintain real
> session persistence since you have it in your decrypted data? So then you
> can avoid an extra IO going to a database or flatfile to retrieve the
> session info.
>
> Am I getting this correct?

Exactly. It's a cpu vs. i/o tradeoff. It takes more processor power to
decrypt/encrypt a cookie on each hit, but you only have to query the
database once for each session.

- Matt
Re: do "file" -- does NOTHING
On Fri, 21 Apr 2000, w trillich wrote:

> the entire listing for startup.pl is:
>
> package Apache::ReadConfig;
>
> Apache->httpd_conf("Clavis");
> Apache->httpd_conf("");
> Apache->httpd_conf(" 1/2%3'*");
> Apache->httpd_conf("isn't this wonderful?");

You need to use() the Apache module in order to access its methods. Add
this to the top of your startup.pl:

BEGIN {
    use Apache ();
}

- Matt
Re: Implementing security in CGI
On Thu, 20 Apr 2000, DeWitt Clinton wrote:

> 5) The secure token is associated on the server side (preferably on
> another tier, such as a database) with the user identification token.
> Additionally, to support secure session timeouts, the current time
> must be recorded.

An easy way to implement timeouts is to store a timestamp and a lifetime in
the secure token itself. For instance, the handler I wrote for our web-based
administration system at work concatenates the user's username, ip address,
the current time, and a lifetime then encrypts them with Blowfish and sends
out the ciphertext in a cookie. Each time a user connects, the
PerlAuthenHandler decrypts the token and verifies that
timestamp + lifetime > current time.

> Briefly, the advantage to using cookies is that:
>
> a) The user identification token can persist between browser sessions,
> provided they don't explicitly log out.

Another big win is that the secure token can persist across multiple
servers. I implemented my cookie-based PerlAuthenHandler because our
administration system is spread out over four servers. Using Basic
authentication, users had to re-enter their password for each one. With
cookies, they can authenticate once on the main server and access the rest
with the token.

> Over the past six months, eZiba was overwhelmed by requests to use
> this technology. I'm happy to say that we are spinning off a new
> venture, Avacet, Inc., to make this platform available to the
> community. And here's the best part -- everything Avacet does will be
> available open source and free via the GPL.

I look forward to seeing it.

- Matt
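
[Added example, not part of the original posts and not the handler they describe.] The token layout discussed in this message and in the 21 Apr reply above (username, IP address, issue time and lifetime carried by the client, checked with timestamp + lifetime > current time and no session-store lookup) can be sketched as follows. Assumptions: the fields are protected with HMAC-SHA256 from the core Digest::SHA module rather than encrypted with Blowfish, so they are tamper-evident but readable; the secret, function names and sample values are constructed for illustration.

```perl
# Added example: self-expiring token (user, IP, issue time, lifetime).
# HMAC-SHA256 stands in for the Blowfish encryption the post describes.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

my $SECRET = 'constructed-demo-secret';    # placeholder server-side key

# Issue "user|ip|issued|lifetime|mac"; the MAC covers all four fields.
sub make_token {
    my ($user, $ip, $lifetime, $now) = @_;
    die "bad field\n" if grep { !defined($_) || /[|\s]/ } $user, $ip;
    my $payload = join '|', $user, $ip, $now, $lifetime;
    return "$payload|" . hmac_sha256_hex($payload, $SECRET);
}

# Return (username, 'ok') for a valid token, else (undef, reason).
sub check_token {
    my ($token, $ip, $now) = @_;
    my @f = split /\|/, $token, -1;
    return (undef, 'malformed') unless @f == 5;
    my ($user, $tok_ip, $issued, $lifetime, $mac) = @f;
    return (undef, 'malformed')
        unless $issued =~ /\A\d+\z/ && $lifetime =~ /\A\d+\z/;
    my $want = hmac_sha256_hex(join('|', @f[0 .. 3]), $SECRET);
    return (undef, 'bad mac') unless length($mac) == length($want);
    # Compare every character so timing does not reveal a partial match.
    my $diff = 0;
    $diff |= ord(substr($mac, $_, 1)) ^ ord(substr($want, $_, 1))
        for 0 .. length($want) - 1;
    return (undef, 'bad mac')  if $diff;
    return (undef, 'wrong ip') if $tok_ip ne $ip;
    return (undef, 'expired')  unless $issued + $lifetime > $now;
    return ($user, 'ok');
}

# Constructed test cases; 192.0.2.0/24 is a documentation range.
my $t0     = 964000000;
my $token  = make_token('alice', '192.0.2.10', 3600, $t0);
(my $forged = $token) =~ s/\|3600\|/|999999|/;   # lifetime edited, MAC not
for my $case (
    [ 'fresh',    $token,  '192.0.2.10', $t0 + 60 ],
    [ 'expired',  $token,  '192.0.2.10', $t0 + 3600 ],
    [ 'other ip', $token,  '192.0.2.99', $t0 + 60 ],
    [ 'tampered', $forged, '192.0.2.10', $t0 + 60 ],
) {
    my ($name, @args) = @$case;
    my ($user, $why) = check_token(@args);
    printf "%-8s => %s\n", $name, defined($user) ? "ok ($user)" : "denied: $why";
}
```

Every server that holds the same secret can run check_token on its own, which is what lets one login carry across several hosts.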
Re: [RFC] Do Not Run Everything on One mod_perl Server
On Tue, 18 Apr 2000, Stas Bekman wrote:

> Let's assume that you have two different sets of scripts/code which
> have a little or nothing in common at all (different modules, no base
> code sharing), the basic mod_perl process before the code have been
> loaded of three Mbytes and each code base adds ten Mbytes when
> loaded. Which makes each process 23Mb in size when all the code gets
> loaded.

Can't you share most of that 23mb between the processes by pre-loading the
scripts/modules in your startup.pl? I'd say the main advantage of
engineering dissimilar services as if they were on separate servers is
scalability rather than memory use. When a site outgrows the hardware it's
on, spreading it out to multiple machines requires a lot less ankle
grabbing if it was designed that way to begin with. :)

- Matt
Re: front end proxy and virtual hosts
On Mon, 10 Apr 2000, Eric Cholet wrote:

> The front-end light server, serving static requests and proxying
> dynamic requests to a back-end modperl server, is well documented,
> except in the case of virtual hosts. How do you do it?

On the front end:

DocumentRoot /vhosts/customer
ProxyPass /perl/ http://localhost/customer/perl/
ProxyPassReverse /perl/ http://localhost/customer/perl/

On the back end:

DocumentRoot /vhosts
BindAddress 127.0.0.1
SetHandler perl-script
# Or whatever
PerlHandler Apache::Registry
PerlSendHeader On
Options +ExecCGI

- Matt
Re: panic: POPSTACK, Callback called exit and Apache::Session's "die" seems to be resurrecting itself
On Tue, 4 Apr 2000, Sang Han wrote:

> Hi,
>
> Can someone help me out here?
...
> panic: POPSTACK
> Callback called exit.

Something in your module is calling Perl's exit() instead of $r->exit.

http:[EMAIL PROTECTED]

- Matt
Re: Sharing memory between Apache processes
On Tue, 4 Apr 2000 [EMAIL PROTECTED] wrote:

> >A good package for this is IPC::Shareable. You can store info in semaphores
> >and share it between processes.
>
> Except that I don't think you can you use shared memory (the semaphores are
> just flags) across multiple web servers, and I have been wrong before.

You can share memory segments between web servers with no trouble. Depending
on how you implement the storage, you may run into difficulties with your
operating system, though. For instance, all the BSD derivatives I've
investigated (FreeBSD, OpenBSD, and BSDi so far) only have 32 shared
segments and 10 semaphores compiled into the kernel by default. In contrast,
the Linux kernel ships with 128 of each.

- Matt
Re: Breaking single line into multiple lines in code
On Mon, 3 Apr 2000, Ravi Malghan wrote:

> system("echo \"update alerts.journal set Text1 =
> '$PING' where Serial = $ARGV[0];\ngo\nquit\n\" |
> /opt/Omnibus/bin/nco_sql -server
> NCOMS_DC1 -user root -passwd gtsgroup");

# Open a pipe to nco_sql and feed it the statements on stdin
open(NCO, "|/opt/Omnibus/bin/nco_sql -server NCOMS_DC1 -user root -passwd gtsgroup")
    or die "can't run nco_sql: $!";
print NCO <<"END_SQL";
update alerts.journal set Text1 = '$PING' where Serial = $ARGV[0];
go
quit
END_SQL
close(NCO) or warn "nco_sql exited with status $?\n";

- Matt

P.S. I really hope you're going to change that password. :)
Re: dynamically output messages on browser.
On Sun, 2 Apr 2000, Hui Zhu wrote:

> I wrote perl script to out put messages.
> It is supposed to output one line per 4 seconds.
> But the server did not output the result per 4 seconds instead output
> all of results after 40 seconds

Set $| = 1;

OT: You can do neat stuff with $| = 1 and Javascript. I wrote a CGI that
does some time consuming checks and displays the results by changing the
graphics on the output page with
Re: Help! Need correct order to build/install
On Fri, 31 Mar 2000, Drew Schatt wrote:

> I need to run mod_ssl, mod_perl, php, and mod_rewrite.
...
> The order I've been trying to use is, I go into the php folder,

IIRC, last time I mixed these three I started with mod_ssl.

1) configure and make install in the ssl directory
2) configure in the apache directory (as per the php3 instructions)
3) configure and make install in the php3 directory
4) perl Makefile.PL in the mod_perl dir, make, make test, make install

> Then, I go into the mod_perl folder, and run "perl Makefile.PL USE_APACI=1
> EVERYTHING=1 SSL_BASE=/usr/local/ssl APACHE_PREFIX=/usr/local/apache
> APACI_ARGS=--enable-module=ssl,--enable-module=rewrite,--activate-module=src/modules/php3/libphp3.a". This used to
> (under Solaris 7 on Sparc hardware) run just fine. Now, however, I get
> errors when it is trying to generate the makefiles, like this:
> "Creating Makefile in src/modules/perl
> Creating Makefile in src/modules/php3
> Checking CGI.pm VERSION..ok
> Checking for LWP::UserAgent..ok
> Checking for HTML::HeadParserok
> :/etc:/home/schatt/bin:.: Command not found
> apxs:Error: Sorry, no DSO support for Apache available
> apxs:Error: under your platform. Make sure the Apache
> apxs:Error: module mod_so is compiled into your server
> apxs:Error: binary `/usr/local/apache/bin/httpd'.

You'll want to add a --enable-module=so to your APACI_ARGS above.

- Matt
Re: modperl/MySQL question
On Tue, 8 Feb 2000, Terry G Lorber II wrote:

> DBD::mysql::st execute failed: MySQL server has gone away at slashmod.pm
> line 23
[...]
> Is this a server problem, a perl problem, or a MySQL problem? Do I need
> to adjust a timeout setting somewhere?

Sounds like you need Apache::DBI.

1) Enable Apache::DBI either with 'PerlModule Apache::DBI' in httpd.conf or
'use Apache::DBI ();' in your startup.pl. Apache::DBI wraps some DBI methods
to maintain persistent connections.

2) For MySQL, you'll need to add a keepalive routine to your startup.pl:

sub Apache::DBI::db::ping {
    my $dbh = shift;
    return $dbh->do('select 1');
}

3) Also, you may want to increase the mysqld connection timeout in my.cnf:

[mysqld]
set-variable = wait_timeout=129600

- Matt