Re: [OT] auth modules

2000-07-20 Thread Matt Carothers



On Tue, 18 Jul 2000, martin langhoff wrote:

> The marketing dept here wants something really weird: they
> want to publish a datasheet in a 'protected' page, but they want the
> usr/pw hashes to be 'one time only'. So the user must be deleted after
> the first time it is used.

That should be all but trivial to implement.  Off the top of my head:

use strict;
use Apache::Constants qw(OK AUTH_REQUIRED);
use DB_File;

# Placeholder path; point this at your own password database.
my $password_file = '/path/to/onetime-passwords.db';

sub handler
{
    my $r = shift;

    # Only execute for the first internal request
    return OK unless $r->is_initial_req;

    # Replace this with your favorite data store.
    tie my %password, 'DB_File', $password_file
        or die "can't initialize $password_file: $!";

    # Get the username and password sent from the client
    my ($res, $sent_pw) = $r->get_basic_auth_pw;
    return $res if $res != OK;
    return AUTH_REQUIRED if !$sent_pw;
    my $username = $r->connection->user;

    # An unknown or already-used username has no stored hash to compare
    my $stored = $password{$username};
    return AUTH_REQUIRED unless defined $stored;

    # crypt() the sent password and see if it matches the stored one
    if (crypt($sent_pw, $stored) eq $stored)
    {
        # If so, delete the key and return OK
        delete $password{$username};
        $r->connection->auth_type('Basic');
        $r->connection->user($username);

        return OK;
    } else {
        # Otherwise return AUTH_REQUIRED
        return AUTH_REQUIRED;
    }
}

- Matt




Re: best encryption module

2000-07-09 Thread Matt Carothers



On Fri, 7 Jul 2000, clayton cottingham aka drfrog wrote:

> what's the best encryption module for use with mod perl?
> i want to encrypt passwords stored in a db and then be able to check 
> what a user inputs against it

Perl has a built-in crypt() function.  The actual encryption algorithm used
depends on your system's C library.  Older systems still use 56-bit DES.  
Newer ones may use something stronger like MD5 or Blowfish.  See your crypt(3)
manpage and `perldoc -f crypt` for more information.

- Matt
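
A way to see which of the schemes named in this reply the local C library applies, written as an added example that is not code from the post: it hashes with one salt per scheme, classifies the result by its format, and shows that traditional DES crypt() reads only the first eight characters of a password. The function names, salts and passwords are constructed for the illustration.

```perl
use strict;
use warnings;

# Name the scheme from the format of a crypt() result.
sub scheme_of {
    my ($hash) = @_;
    return 'unsupported' if !defined($hash) || $hash eq '' || $hash =~ /\A\*/;
    return 'MD5'         if $hash =~ /\A\$1\$/;
    return 'Blowfish'    if $hash =~ /\A\$2[abxy]?\$/;
    return 'DES'         if $hash =~ m{\A[./0-9A-Za-z]{13}\z};
    return 'other';
}

# Hash $password with $salt and return the result only if the C library
# really used the scheme that the salt asked for.
sub hash_with {
    my ($password, $salt, $want) = @_;
    my $hash = crypt($password, $salt);
    return scheme_of($hash) eq $want ? $hash : undef;
}

# Verify a login attempt: the stored hash doubles as the salt.
sub check_password {
    my ($attempt, $stored) = @_;
    my $try = crypt($attempt, $stored);
    return defined($try) && $try eq $stored;
}

# Constructed salts, one per scheme named in the post.
my @probes = (
    [ DES      => 'ab' ],
    [ MD5      => '$1$abcdefgh$' ],
    [ Blowfish => '$2a$05$abcdefghijklmnopqrstuu' ],
);
for my $p (@probes) {
    my ($want, $salt) = @$p;
    my $hash = hash_with('correct horse', $salt, $want);
    printf "%-8s %s\n", $want, defined($hash)
        ? (check_password('correct horse', $hash) ? 'available' : 'broken')
        : 'not provided by this libc';
}

# Traditional DES reads only the first eight characters of the password.
my $des = hash_with('password-one', 'ab', 'DES');
print "DES accepts 'password-two' for 'password-one'\n"
    if defined($des) && check_password('password-two', $des);
```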




Re: bogus taint error?

2000-07-03 Thread Matt Carothers



On Sun, 2 Jul 2000, Michael Blakeley wrote:

> This is just plain weird. My last resort was to turn taint off:
> 
> $ ls -l logs/httpd.pid
> -rw-rw-rw-   1 root other  6 Jul  2 19:23 logs/httpd.pid
> $ grep -i taint conf/httpd.conf
> #PerlTaintCheck On
> $ ls -l conf/httpd.conf
> -rw-r--r--   1 root other   7437 Jul  2 17:22 conf/httpd.conf
> 
> I'm not including any sort of startup.pl file. So taint is off, right?

Is the script running setuid or setgid?  If the script's real and effective
uids or gids don't match, perl enables taint mode automatically.  You might
add some debugging code to verify that $< == $> and $( == $).

- Matt




Re: Problems with Apache::DBI

2000-06-12 Thread Matt Carothers



On Mon, 12 Jun 2000, Rob Tanner wrote:

> Believe it or not, it's the simplest task in the world.  In startup.pl add 
> the line "PerlModule Apache::DBI"

You can either stick "PerlModule Apache::DBI" in your httpd.conf or add
'use Apache::DBI ();' to your startup.pl.  Also, for mysql, you'll need 
to add a keepalive routine to your startup.pl:

sub Apache::DBI::db::ping {
    my $dbh = shift;
    return $dbh->do('select 1');
}

- Matt






Re: mod_perl and IPC

2000-05-23 Thread Matt Carothers



On Mon, 22 May 2000, DeWitt Clinton wrote:

> The problem had to do with large numbers of objects in the cache.
...
> Right now, things are in a holding pattern because I'm finding a limit
> on the number of objects I can put in the cache (less than 100, so it
> is an issue).  Hopefully Sam will offer some insight here.

I ran into this with IPC::SharedCache a couple of months ago and had some
discussion with Sam about it.  The problem is a lack of shared memory
segments and/or semaphores compiled into the kernel.  IIRC, the default for
both under Linux is 128.  The BSD system I was trying to use only had 32
segments and something like 10 semaphore identifiers.  In order to scale
a system, you'll need to recompile the kernel with higher limits.

- Matt




Re: mod_perl and BSDi 4.1

2000-05-21 Thread Matt Carothers



On Fri, 19 May 2000, Russell Hay wrote:

> BSDi/4.1 ... cannot find libperl.so.

Find the directory on your machine with libperl.so in it  
(probably /usr/libdata/perl5/i386-bsdos/5.00402/CORE or
/usr/local/lib/perl5/5.00502/i386-bsdos/CORE/), add it to
/etc/ld.so.conf, and run ldconfig.

- Matt




Re: 2 server setup w/mod_proxy with a per-filename filter

2000-05-01 Thread Matt Carothers



On Mon, 1 May 2000, Martin A. Langhoff wrote:

> hi,
> 
> I'm trying to implement a one light + one fat apache server setup
> and I'm 
..
> wanting it to proxy everything that looks ~ \.pl$

See
http://forum.swarthmore.edu/epigone/modperl/mimzhingleh/[EMAIL PROTECTED]
for some mod_rewrite examples from a couple of weeks ago on this list.

- Matt




Re: Installing mod_perl when other things are required, too.

2000-04-23 Thread Matt Carothers



On Sat, 22 Apr 2000, Forrest Aldrich wrote:

> I need to also install apache with php and mod_ssl.

Here's the shell script I use.  It will require some editing for your site.

- Matt

#!/bin/sh

# source directories for mod_ssl, mod_php3, mod_perl, and apache
MOD_SSL=/usr/local/src/mod_ssl-2.6.2-1.3.12
MOD_PHP=/usr/local/src/php-3.0.16
MOD_PERL=/usr/local/src/modperl
APACHE=/usr/local/src/apache_1.3.12

# server.crt and server.key for mod_ssl
SERVER_CRT=/var/httpd/conf/ssl.crt/server.crt
SERVER_KEY=/var/httpd/conf/ssl.key/server.key

# directory to install apache into
PREFIX=/var/httpd

build_mod_ssl()
{
    echo "Building mod_ssl ..."
    cd $MOD_SSL
    ./configure --with-apache=$APACHE \
                --with-crt=$SERVER_CRT \
                --with-key=$SERVER_KEY
}

build_php3()
{
    echo "Building php3 ..."
    if [ -f $APACHE/src/Makefile ]; then
        echo "Looks like apache has already been configured once.  No need to fake it."
    else
        echo "Faking apache configuration ..."
        cd $APACHE
        ./configure --prefix=$PREFIX
    fi

    cd $MOD_PHP
    ./configure --with-mysql --with-apache=$APACHE --enable-track-vars
    make
    make install
}

build_apache()
{
    echo "Building mod_perl and apache ..."
    cd $MOD_PERL
    perl Makefile.PL USE_APACI=1 \
        EVERYTHING=1 \
        APACHE_PREFIX=$PREFIX \
        APACHE_SRC=$APACHE/src \
        DO_HTTPD=1 \
        APACI_ARGS=--enable-module=rewrite,--enable-suexec,--suexec-caller=nobody,--suexec-docroot=/var/www,--suexec-gidmin=100,--activate-module=src/modules/php3/libphp3.a,--enable-module=so,--enable-module=ssl
    make
}

build_mod_ssl
build_php3
build_apache

# once everything's built, cd $MOD_PERL and make install




Re: Implementing security in CGI

2000-04-22 Thread Matt Carothers



On Fri, 21 Apr 2000, Gunther Birznieks wrote:

> At 01:44 PM 4/20/00 -0500, Matt Carothers wrote:
> 
> >Another big win is that the secure token can persist across multiple
> >servers.
> 
> What would prevent the token from being across multiple servers otherwise? 

It's beneficial when compared to a non-token system like apache's basic
auth, where your browser won't (or shouldn't anyway) send your credentials 
to multiple hosts, and you end up having to enter your password over and 
over.

Regarding cookies vs. url mangling, you could use urls as easily as 
cookies.  Just unpack your encrypted data into hex and shove it right 
into the url.  It would make for some pretty long urls, but I've seen
worse on search engines. :)
 
> The nice thing about your encryption is that it makes the cookie into a 
> kind of pseudo client certificate -- providing information. But at the same 
> time, I would be concerned that that sort of Encryption overhead (on top of 
> SSL) seems like it would add load to the server.
> 
> How does it work for you in real world use?

It works great for my purposes, but my servers are very lightly loaded.

> I suppose it poses an 
> interesting tradeoff... with that method you don't have to maintain real 
> session persistence since you have it in your decrypted data? So then you 
> can avoid an extra IO going to a database or flatfile to retrieve the 
> session info.
> 
> Am I getting this correct?

Exactly.  It's a cpu vs. i/o tradeoff.  It takes more processor power to
decrypt/encrypt a cookie on each hit, but you only have to query the database
once for each session.

- Matt




Re: do "file" -- does NOTHING

2000-04-22 Thread Matt Carothers



On Fri, 21 Apr 2000, w trillich wrote:

> the entire listing for startup.pl is:
> 
>   package Apache::ReadConfig;
> 
>   Apache->httpd_conf("Clavis");
>   Apache->httpd_conf("");
>   Apache->httpd_conf(" 1/2%3'*");
>   Apache->httpd_conf("isn't this wonderful?");

You need to use() the Apache module in order to access its methods.  Add 
this to the top of your startup.pl:

BEGIN
{ 
use Apache();
}

- Matt





Re: Implementing security in CGI

2000-04-20 Thread Matt Carothers



On Thu, 20 Apr 2000, DeWitt Clinton wrote:

> 5) The secure token is associated on the server side (preferably on
> another tier, such as a database) with the user identification token.
> Additionally, to support secure session timeouts, the current time
> must be recorded.

An easy way to implement timeouts is to store a timestamp and a lifetime 
in the secure token itself.  For instance, the handler I wrote for our
web-based administration system at work concatenates the user's username,
ip address, the current time, and a lifetime then encrypts them with 
Blowfish and sends out the ciphertext in a cookie.  Each time a user 
connects, the PerlAuthenHandler decrypts the token and verifies that
timestamp + lifetime > current time.
 
> Briefly, the advantage to using cookies is that:
> 
> a) The user identification token can persist between browser sessions,
> provided they don't explicitly log out.  

Another big win is that the secure token can persist across multiple
servers.  I implemented my cookie-based PerlAuthenHandler because our
administration system is spread out over four servers.  Using Basic
authentication, users had to re-enter their password for each one.  With
cookies, they can authenticate once on the main server and access the rest
with the token.
 
> Over the past six months, eZiba was overwhelmed by requests to use
> this technology.  I'm happy to say that we are spinning off a new
> venture, Avacet, Inc., to make this platform available to the
> community.  And here's the best part -- everything Avacet does will be 
> available open source and free via the GPL.

I look forward to seeing it.

- Matt
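
The token scheme described in the two "Implementing security in CGI" replies above, as an added example that is not Matt's handler: it keeps the username, IP address, timestamp and lifetime fields, the hex encoding and the `timestamp + lifetime > current time` check, but substitutes an HMAC-SHA256 tag from the core Digest::SHA module for the Blowfish encryption, so the fields are tamper-evident yet readable by the client. The function names, the key and the sample values are constructed for the illustration.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Constructed demo key; every server that accepts the token must share it.
my $KEY = 'constructed-demo-key';

# Pack username, client IP, issue time and lifetime into a hex string that is
# safe in a cookie or a URL, and append an HMAC tag computed over it.
sub make_token {
    my ($user, $ip, $issued, $lifetime) = @_;
    my $body = unpack 'H*', join("\0", $user, $ip, $issued, $lifetime);
    return $body . '.' . hmac_sha256_hex($body, $KEY);
}

# Compare two hex strings without stopping at the first differing character.
sub same_tag {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Return the username for an authentic, unexpired token presented from the
# address it was issued to; return nothing otherwise.
sub check_token {
    my ($token, $ip, $now) = @_;
    my ($body, $tag) = ($token // '') =~ /\A((?:[0-9a-f]{2})+)\.([0-9a-f]{64})\z/
        or return;
    return unless same_tag($tag, hmac_sha256_hex($body, $KEY));
    my ($user, $tok_ip, $issued, $lifetime) = split /\0/, pack('H*', $body);
    return unless defined($lifetime) && $tok_ip eq $ip;
    return unless $issued + $lifetime > $now;   # timestamp + lifetime > current time
    return $user;
}

# Constructed sample values: issued at $t0 for 900 seconds to 192.0.2.10.
my $t0    = 1_000_000_000;
my $token = make_token('alice', '192.0.2.10', $t0, 900);
(my $forged = $token) =~ s/\A6/7/;    # change one character of the body

my @cases = (
    [ 'fresh token'       => $token,  '192.0.2.10',   $t0 + 60  ],
    [ 'expired token'     => $token,  '192.0.2.10',   $t0 + 900 ],
    [ 'different address' => $token,  '198.51.100.7', $t0 + 60  ],
    [ 'modified token'    => $forged, '192.0.2.10',   $t0 + 60  ],
);
printf "%-18s %s\n", $_->[0], check_token(@{$_}[1 .. 3]) // 'rejected' for @cases;
```

Only the first case prints the username; the other three are rejected without any server-side session lookup.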




Re: [RFC] Do Not Run Everything on One mod_perl Server

2000-04-19 Thread Matt Carothers



On Tue, 18 Apr 2000, Stas Bekman wrote:

> Let's assume that you have two different sets of scripts/code which
> have a little or nothing in common at all (different modules, no base
> code sharing), the basic mod_perl process before the code have been
> loaded of three Mbytes and each code base adds ten Mbytes when
> loaded. Which makes each process 23Mb in size when all the code gets
> loaded.

Can't you share most of that 23mb between the processes by pre-loading 
the scripts/modules in your startup.pl?  I'd say the main advantage of
engineering dissimilar services as if they were on separate servers is
scalability rather than memory use.  When a site outgrows the hardware 
it's on, spreading it out to multiple machines requires a lot less ankle 
grabbing if it was designed that way to begin with. :)

- Matt




Re: front end proxy and virtual hosts

2000-04-15 Thread Matt Carothers



On Mon, 10 Apr 2000, Eric Cholet wrote:

> The front-end light server, serving static requests and proxying
> dynamic requests to a back-end modperl server, is well documented,
> except in the case of virtual hosts. How do you do it?

On the front end:


DocumentRoot /vhosts/customer
ProxyPass        /perl/ http://localhost/customer/perl/
ProxyPassReverse /perl/ http://localhost/customer/perl/


On the back end:

DocumentRoot /vhosts
BindAddress 127.0.0.1


SetHandler perl-script
PerlHandler Apache::Registry # Or whatever
PerlSendHeader  On
Options +ExecCGI


- Matt




Re: panic: POPSTACK, Callback called exit and Apache::Session's"die" seems to be resurrecting itself

2000-04-04 Thread Matt Carothers



On Tue, 4 Apr 2000, Sang Han wrote:

> Hi,
> 
> Can someone help me out here?
... 
> panic: POPSTACK
> Callback called exit.

Something in your module is calling Perl's exit() instead of $r->exit.

http:[EMAIL PROTECTED]

- Matt




Re: Sharing memory between Apache processes

2000-04-04 Thread Matt Carothers



On Tue, 4 Apr 2000 [EMAIL PROTECTED] wrote:

> >A good package for this is IPC::Shareable.  You can store info in semaphores
> >and share it between processes.
> 
> Except that I don't think you can you use shared memory (the semaphores are 
> just flags) across multiple web servers, and I have been wrong before.
 
You can share memory segments between web servers with no trouble.
Depending on how you implement the storage, you may run into difficulties
with your operating system, though.  For instance, all the BSD derivatives 
I've investigated (FreeBSD, OpenBSD, and BSDi so far) only have 32 shared
segments and 10 semaphores compiled into the kernel by default.  In
contrast, the Linux kernel ships with 128 of each.

- Matt




Re: Breaking single line into multiple lines in code

2000-04-03 Thread Matt Carothers



On Mon, 3 Apr 2000, Ravi Malghan wrote:

> system("echo \"update alerts.journal set Text1 =
> '$PING' where Serial = $ARGV[0];\ngo\nquit\n\" |
> /opt/Omnibus/bin/nco_sql -server
> NCOMS_DC1  -user root -passwd gtsgroup");

open(NCO,
    "|/opt/Omnibus/bin/nco_sql -server NCOMS_DC1 -user root -passwd gtsgroup")
    or die "can't run nco_sql: $!";
print NCO << "END_SQL";
update alerts.journal set Text1 = '$PING' where Serial = $ARGV[0];
go
quit
END_SQL
close(NCO);

- Matt

P.S. I really hope you're going to change that password. :)




Re: dynamically output messages on browser.

2000-04-02 Thread Matt Carothers


On Sun, 2 Apr 2000, Hui Zhu wrote:

> I wrote perl script to out put messages.
> It is supposed to output one line per 4 seconds.
> But  the server did not output the result per 4 seconds instead output
> all of results after 40 seconds

Set $| = 1;

OT: You can do neat stuff with $| = 1 and Javascript.  I wrote a CGI that
does some time consuming checks and displays the results by changing the
graphics on the output page with 

Re: Help! Need correct order to build/install

2000-04-01 Thread Matt Carothers



On Fri, 31 Mar 2000, Drew Schatt wrote:

> I need to run mod_ssl, mod_perl, php, and mod_rewrite.
...
> The order I've been trying to use is, I go into the php folder, 

IIRC, last time I mixed these three I started with mod_ssl.

1) configure and make install in the ssl directory
2) configure in the apache directory (as per the php3 instructions)
3) configure and make install in the php3 directory
4) perl Makefile.PL in the mod_perl dir, make, make test, make install

> Then, I go into the mod_perl folder, and run "perl Makefile.PL USE_APACI=1
> EVERYTHING=1 SSL_BASE=/usr/local/ssl APACHE_PREFIX=/usr/local/apache
> APACI_ARGS=--enable-module=ssl,--enable-mo
> dule=rewrite,--activate-module=src/modules/php3/libphp3.a".  This used to
> (under Solaris 7 on Sparc hardware) run just fine.  Now, however, I get
> errors when it is trying to generate the makefiles, like this:
> "Creating Makefile in src/modules/perl
> Creating Makefile in src/modules/php3
> Checking CGI.pm VERSION..ok
> Checking for LWP::UserAgent..ok
> Checking for HTML::HeadParserok
> :/etc:/home/schatt/bin:.: Command not found
> apxs:Error: Sorry, no DSO support for Apache available
> apxs:Error: under your platform. Make sure the Apache
> apxs:Error: module mod_so is compiled into your server
> apxs:Error: binary `/usr/local/apache/bin/httpd'.

You'll want to add a --enable-module=so to your APACI_ARGS above.

- Matt




Re: modperl/MySQL question

2000-02-11 Thread Matt Carothers



On Tue, 8 Feb 2000, Terry G Lorber II wrote:

> DBD::mysql::st execute failed: MySQL server has gone away at slashmod.pm
> line 23
[...]
> Is this a server problem, a perl problem, or a MySQL problem?  Do I need
> to adjust a timeout setting somewhere?

Sounds like you need Apache::DBI.

1) Enable Apache::DBI either with 'PerlModule Apache::DBI' in httpd.conf
   or 'use Apache::DBI ();' in your startup.pl.  Apache::DBI wraps some
   DBI methods to maintain persistent connections.

2) For MySQL, you'll need to add a keepalive routine to your startup.pl:

sub Apache::DBI::db::ping {
    my $dbh = shift;
    return $dbh->do('select 1');
}

3) Also, you may want to increase the mysqld connection timeout in my.cnf:

[mysqld]
set-variable = wait_timeout=129600

- Matt