Re: [us...@httpd] modrewrite help needed....plz :(

2009-05-12 Thread Nick Kew


On 13 May 2009, at 05:23, Karthik Nanjangude wrote:

> I need mod_rewrite to rewrite as "index.html?area1=sq"
> when somebody types "http:///SEARCH"
>
> Have I done anything wrong in mod_rewrite in http.conf?


Your rewriterule can never match.
Keep it simple - drop mod_rewrite, use mod_alias.

--
Nick Kew
-
The official User-To-User support forum of the Apache HTTP Server Project.
See <http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
  "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org



Re: [us...@httpd] Re: RAM problem w/ multiple Apache processes

2009-05-12 Thread Nick Kew


On 13 May 2009, at 05:13, Rex C. Eastbourne wrote:


> > This is probably for thread-safety reasons. Maybe you can just remove
> > mod_php and use PHP-as-cgi (or fastcgi).
>
> Thanks, Eric. I kept the apache2-mpm-worker package and installed
> php5-cgi.


Then you need to run your scripts as CGI (follow CGI instructions).
What you googled and tried is how to run them in-process with mod_php,
which is precisely what requires mod_php+prefork.

--
Nick Kew




RE: [us...@httpd] modrewrite help needed....plz :(

2009-05-12 Thread Karthik Nanjangude
Hi

This is what I did to http.conf
I now wanted to use *.jsp instead of *.html



RewriteEngine on
RewriteLog "C:/APACHE/logs/rewrite.log"
RewriteLogLevel 9
RewriteRule ^SEARCH\index.jsp$ /SEARCH/index.jsp?area1=sq [NC,L]


I have cleared the cache, restarted the APACHE server


On the URL when I type "http://10.10.21.170/SEARCH/index.jsp"


I do not see the changes... to "http://10.10.21.170/SEARCH/index.jsp?area1=sq"



For reference the log is as shown below

Rewrite.log


10.10.21.170 - - [13/May/2009:11:49:18 +051800] [10.10.21.170/sid#463148][rid#9a41c8/initial] (2) init rewrite engine with requested uri /SEARCH/index.jsp
10.10.21.170 - - [13/May/2009:11:49:18 +051800] [10.10.21.170/sid#463148][rid#9a41c8/initial] (3) applying pattern '^SEARCH\index.jsp$' to uri '/SEARCH/index.jsp'
10.10.21.170 - - [13/May/2009:11:49:18 +051800] [10.10.21.170/sid#463148][rid#9a41c8/initial] (1) pass through /SEARCH/index.jsp
10.10.21.170 - - [13/May/2009:11:49:20 +051800] [10.10.21.170/sid#463148][rid#9b2200/initial] (2) init rewrite engine with requested uri /SEARCH/index.jsp
10.10.21.170 - - [13/May/2009:11:49:20 +051800] [10.10.21.170/sid#463148][rid#9b2200/initial] (3) applying pattern '^SEARCH\index.jsp$' to uri '/SEARCH/index.jsp'
10.10.21.170 - - [13/May/2009:11:49:20 +051800] [10.10.21.170/sid#463148][rid#9b2200/initial] (1) pass through /SEARCH/index.jsp
10.10.21.170 - - [13/May/2009:11:49:21 +051800] [10.10.21.170/sid#463148][rid#9ae1f0/initial] (2) init rewrite engine with requested uri /SEARCH/index.jsp
10.10.21.170 - - [13/May/2009:11:49:21 +051800] [10.10.21.170/sid#463148][rid#9ae1f0/initial] (3) applying pattern '^SEARCH\index.jsp$' to uri '/SEARCH/index.jsp'
10.10.21.170 - - [13/May/2009:11:49:21 +051800] [10.10.21.170/sid#463148][rid#9ae1f0/initial] (1) pass through /SEARCH/index.jsp
10.10.21.170 - - [13/May/2009:11:49:21 +051800] [10.10.21.170/sid#463148][rid#9b01f8/initial] (2) init rewrite engine with requested uri /SEARCH/index.jsp
10.10.21.170 - - [13/May/2009:11:49:21 +051800] [10.10.21.170/sid#463148][rid#9b01f8/initial] (3) applying pattern '^SEARCH\index.jsp$' to uri '/SEARCH/index.jsp'
10.10.21.170 - - [13/May/2009:11:49:21 +051800] [10.10.21.170/sid#463148][rid#9b01f8/initial] (1) pass through /SEARCH/index.jsp
10.10.21.170 - - [13/May/2009:11:49:29 +051800] [10.10.21.170/sid#463148][rid#9ac1e0/initial] (2) init rewrite engine with requested uri /SEARCH/index.jsp
10.10.21.170 - - [13/May/2009:11:49:29 +051800] [10.10.21.170/sid#463148][rid#9ac1e0/initial] (3) applying pattern '^SEARCH\index.jsp$' to uri '/SEARCH/index.jsp'
10.10.21.170 - - [13/May/2009:11:49:29 +051800] [10.10.21.170/sid#463148][rid#9ac1e0/initial] (1) pass through /SEARCH/index.jsp
10.10.21.170 - - [13/May/2009:11:49:31 +051800] [10.10.21.170/sid#463148][rid#9b8218/initial] (2) init rewrite engine with requested uri /SEARCH/index.jsp
10.10.21.170 - - [13/May/2009:11:49:31 +051800] [10.10.21.170/sid#463148][rid#9b8218/initial] (3) applying pattern '^SEARCH\index.jsp$' to uri '/SEARCH/index.jsp'
10.10.21.170 - - [13/May/2009:11:49:31 +051800] [10.10.21.170/sid#463148][rid#9b8218/initial] (1) pass through /SEARCH/index.jsp




With regards
Karthik








-Original Message-
From: Igor Cicimov [mailto:icici...@gmail.com]
Sent: Wednesday, May 13, 2009 10:55 AM
To: users@httpd.apache.org
Subject: Re: [us...@httpd] modrewrite help needed....plz :(

You need to make the rule case insensitive if you want to use capital
letters. Try something like this

RewriteRule   ^SEARCH\.html$ /SEARCH/index.html?area1=sq [NC,L]

The NC flag is important here making the rule case insensitive.

Igor

On 5/13/09, Karthik Nanjangude  wrote:
> Hi
>
>
> OS /  WINDOWS 2000
> MODJK:  mod_jk-1.2.28-httpd-2.2.3.so
> APACHE: APACHE_2.2.11-win32-x86-no_ssl.msi
> APPSERVER : JBOSS 4.2.1
> JAVA: JDK5.0.8
> USED TYPE : INTRANET
>
>
>
> I have done the following  changes  in "httpd.conf"
>
>
> LoadModule jk_module C:/Apache/modules/mod_jk.so
> LoadModule rewrite_module C:/Apache/modules/mod_rewrite.so
> 
> JkWorkersFile conf/workers1.properties
> JkLogFile logs/mod_jk.log
> JkLogLevel error
> JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
> JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
> JkRequestLogFormat "%w %V %T"
>
> 
> AllowOverride all
> 
>
>
> RewriteEngine on
> RewriteLog "C:/APACHE/logs/rewrite.log"
> RewriteLogLevel 9
> RewriteRule   ^SEARCH\.html$ /SEARCH/index.html?area1=sq
>
> 
>
>
> I need mod_rewrite to rewrite as "index.html?area1=sq" when somebody
> types "http:///SEARCH"
>
> Have I done anything wrong in mod_rewrite in http.conf?
>
> With regards
> karthik
>
>
>
>
>
>


Re: [us...@httpd] modrewrite help needed....plz :(

2009-05-12 Thread Igor Cicimov
You need to make the rule case insensitive if you want to use capital
letters. Try something like this

RewriteRule   ^SEARCH\.html$ /SEARCH/index.html?area1=sq [NC,L]

The NC flag is important here making the rule case insensitive.

Igor

On 5/13/09, Karthik Nanjangude  wrote:
> Hi
>
>
> OS /  WINDOWS 2000
> MODJK:  mod_jk-1.2.28-httpd-2.2.3.so
> APACHE: APACHE_2.2.11-win32-x86-no_ssl.msi
> APPSERVER : JBOSS 4.2.1
> JAVA: JDK5.0.8
> USED TYPE : INTRANET
>
>
>
> I have done the following  changes  in "httpd.conf"
>
>
> LoadModule jk_module C:/Apache/modules/mod_jk.so
> LoadModule rewrite_module C:/Apache/modules/mod_rewrite.so
> 
> JkWorkersFile conf/workers1.properties
> JkLogFile logs/mod_jk.log
> JkLogLevel error
> JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
> JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
> JkRequestLogFormat "%w %V %T"
>
> 
> AllowOverride all
> 
>
>
> RewriteEngine on
> RewriteLog "C:/APACHE/logs/rewrite.log"
> RewriteLogLevel 9
> RewriteRule   ^SEARCH\.html$ /SEARCH/index.html?area1=sq
>
> 
>
>
> I need mod_rewrite to rewrite as "index.html?area1=sq" when somebody
> types "http:///SEARCH"
>
> Have I done anything wrong in mod_rewrite in http.conf?
>
> With regards
> karthik
>
>
>
>
>
>

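Nick's "can never match" and the "(1) pass through" lines in Karthik's rewrite.log have one cause that Igor's NC flag does not touch: a RewriteRule placed in httpd.conf (server context) is tested against the full URI path, which begins with "/", so a pattern anchored at "^SEARCH" fails in any letter case (in per-directory context, .htaccess or a Directory block, mod_rewrite strips the directory prefix before matching, which is where "^SEARCH..." patterns are usually seen working). The following Python model is an added example, not code from the thread and not httpd's implementation: it applies the posted rule and an assumed corrected one (the pattern "^/SEARCH/?$" and the function names are this example's own) to sample URIs, with "pass through" meaning no rule matched.

```python
import re

# Added example (not code from the thread and not Apache's implementation):
# a model of how mod_rewrite applies RewriteRule directives in server
# context (httpd.conf), where the pattern is tested against the full URI
# path, leading "/" included.

# Rules are (pattern, substitution, flags), flags written as in httpd.conf.
POSTED_RULES = [
    # The rule from the thread: "^SEARCH" can never match a path that
    # starts with "/", whatever flags it carries.
    (r"^SEARCH\.html$", "/SEARCH/index.html?area1=sq", "NC,L"),
]

FIXED_RULES = [
    # Assumed corrected rule for this example: anchor on the leading
    # slash and rewrite "/SEARCH" or "/SEARCH/" in any letter case.
    (r"^/SEARCH/?$", "/SEARCH/index.html?area1=sq", "NC,L"),
    # Back-reference example: "/search/<term>" -> "/app/search.jsp?q=<term>"
    (r"^/(search)/(.+)$", "/app/$1.jsp?q=$2", "L"),
]


def apply_rewrite_rules(uri, rules):
    """Return the URI after applying the rules in order.

    A rule with the L flag stops processing once it matches; a rule
    without it hands its result to the next rule. If nothing matches,
    the original URI comes back unchanged, which is what the
    "(1) pass through" lines in the posted rewrite.log record.
    """
    current = uri
    for pattern, substitution, flag_string in rules:
        flags = {f.strip().upper() for f in flag_string.split(",") if f.strip()}
        re_flags = re.IGNORECASE if "NC" in flags else 0
        match = re.search(pattern, current, re_flags)
        if match is None:
            continue  # this rule passes the URI through untouched

        def expand(backref, match=match):
            # $1..$9 in the substitution refer to the pattern's capture groups
            group = match.group(int(backref.group(1)))
            return group if group is not None else ""

        current = re.sub(r"\$([1-9])", expand, substitution)
        if "L" in flags:
            break
    return current


if __name__ == "__main__":
    for uri in ("/SEARCH", "/SEARCH/", "/search", "/SEARCH/index.html", "/search/apache"):
        print(f"{uri:22} posted -> {apply_rewrite_rules(uri, POSTED_RULES)}")
        print(f"{uri:22} fixed  -> {apply_rewrite_rules(uri, FIXED_RULES)}")
```

Running the posted rule against "/SEARCH/index.html" or "/SEARCH" returns the input unchanged, exactly as the log shows; the corrected rule rewrites "/SEARCH" and "/search/" and still passes "/SEARCH/index.html" through, which is what keeps a self-referencing rewrite from looping.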



Re: [us...@httpd] Re: RAM problem w/ multiple Apache processes

2009-05-12 Thread Prasanna Ram Venkatachalam
mod_actions should be included I guess. Can you see it precompiled with
apache using httpd -l? or see it in httpd.conf LoadModule section?

On Wed, May 13, 2009 at 9:43 AM, Rex C. Eastbourne  wrote:

> On Sun, May 10, 2009 at 5:59 PM, Eric Covener  wrote:
> > On Sun, May 10, 2009 at 8:53 PM, Rex C. Eastbourne
> >  wrote:
> >> Does anyone have both the worker mpm and phpmyadmin installed on
> >> Ubuntu? When I run "apt-get install phpmyadmin", it tries to remove
> >> apache2-mpm-worker and install apache2-mpm-prefork. I'm trying to
> >> figure out if there is a workaround for this (I also asked on a
> >> phpmyadmin forum but haven't heard back yet.)
> >
> > This is probably for thread-safety reasons. Maybe you can just remove
> > mod_php and use PHP-as-cgi (or fastcgi).
>
> Thanks, Eric. I kept the apache2-mpm-worker package and installed
> php5-cgi. However, now I have the problem that my PHP files aren't
> getting executed. When I set permissions to 755 (751 just gives me a
> 403 message), my browser recognizes the php files as
> "application/x-httpd-php" and attempts to download them. I Googled
> this issue and it looks like I should be adding something like the
> following to my Apache conf file:
>
> AddHandler application/x-httpd-php5 php
> Action application/x-httpd-php5 /usr/local/bin/php-cgi
>
> However, when I do this, Apache gives the following error message:
>
> "Invalid command 'Action', perhaps misspelled or defined by a module
> not included in the server configuration"
>
> I Googled that error message, but I couldn't find a clear course of
> action. So I come to this mailing list.
>
> Does anyone know what might be going on?
>
> Thanks,
>
> Rex
>


-- 
Prasanna Ram


[us...@httpd] modrewrite help needed....plz :(

2009-05-12 Thread Karthik Nanjangude
Hi


OS /  WINDOWS 2000
MODJK:  mod_jk-1.2.28-httpd-2.2.3.so
APACHE: APACHE_2.2.11-win32-x86-no_ssl.msi
APPSERVER : JBOSS 4.2.1
JAVA: JDK5.0.8
USED TYPE : INTRANET



I have done the following  changes  in "httpd.conf"


LoadModule jk_module C:/Apache/modules/mod_jk.so
LoadModule rewrite_module C:/Apache/modules/mod_rewrite.so

JkWorkersFile conf/workers1.properties
JkLogFile logs/mod_jk.log
JkLogLevel error
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
JkRequestLogFormat "%w %V %T"


AllowOverride all



RewriteEngine on
RewriteLog "C:/APACHE/logs/rewrite.log"
RewriteLogLevel 9
RewriteRule   ^SEARCH\.html$ /SEARCH/index.html?area1=sq




I need mod_rewrite to rewrite as "index.html?area1=sq" when somebody
types "http:///SEARCH"

Have I done anything wrong in mod_rewrite in http.conf?

With regards
karthik







Re: [us...@httpd] Re: RAM problem w/ multiple Apache processes

2009-05-12 Thread Rex C. Eastbourne
On Sun, May 10, 2009 at 5:59 PM, Eric Covener  wrote:
> On Sun, May 10, 2009 at 8:53 PM, Rex C. Eastbourne
>  wrote:
>> Does anyone have both the worker mpm and phpmyadmin installed on
>> Ubuntu? When I run "apt-get install phpmyadmin", it tries to remove
>> apache2-mpm-worker and install apache2-mpm-prefork. I'm trying to
>> figure out if there is a workaround for this (I also asked on a
>> phpmyadmin forum but haven't heard back yet.)
>
> This is probably for thread-safety reasons. Maybe you can just remove
> mod_php and use PHP-as-cgi (or fastcgi).

Thanks, Eric. I kept the apache2-mpm-worker package and installed
php5-cgi. However, now I have the problem that my PHP files aren't
getting executed. When I set permissions to 755 (751 just gives me a
403 message), my browser recognizes the php files as
"application/x-httpd-php" and attempts to download them. I Googled
this issue and it looks like I should be adding something like the
following to my Apache conf file:

AddHandler application/x-httpd-php5 php
Action application/x-httpd-php5 /usr/local/bin/php-cgi

However, when I do this, Apache gives the following error message:

"Invalid command 'Action', perhaps misspelled or defined by a module
not included in the server configuration"

I Googled that error message, but I couldn't find a clear course of
action. So I come to this mailing list.

Does anyone know what might be going on?

Thanks,

Rex




Re: [us...@httpd] A couple of questions about mod_authz_ldap

2009-05-12 Thread André Warnier

Edward Harvey wrote:
>> And how would users who have a different set of credentials they could
>> use for this second URL enter those credentials? The RFC specifies a 401
>> response in this scenario to allow a UA to resubmit different
>> credentials.
>>
>> You might not care about the RFC, but Apache and browsers mostly do. The
>> behaviour you want goes against the behaviour described in the RFC, so
>> to get it you would need to have a custom authorization system.
>
> Well, so I'm acknowledging there's no way to do what I want to do, but
> I'll respond to this anyway.
>
> Suppose somebody were to launch an FTP client and browse a remote
> site.  If they attempt to access an area where they are denied access,
> they would get "access denied" and then they would know they got
> access denied with the current credentials.  If they have another set
> of credentials, they will know they should reconnect with different
> credentials.
>
> If they're already authenticated and browsing along a website and try
> to access a restricted item, they don't get "access denied" they get
> "please enter your username/password" which is identical behavior as
> unauthenticated users.  The users that I support generally think to
> themselves, "I thought I already did?"  And they retry and retry until
> they finally conclude that isn't going to work.
>
> Each browser has a different way of allowing a user to re-authenticate
> with different credentials.  Some have more than one way.
>
> So I acknowledge the world isn't perfect, you don't always get
> everything you want, but I do want you to acknowledge one thing, if
> you please:
>
> If a user is already authenticated, and they try to access something
> which is denied, then it is more useful to communicate to the user
> "Your current credentials were denied" and "You may now authenticate
> with different credentials if you wish" instead of giving them the
> "Please enter username/password" prompt which is identical to an
> unauthenticated user.


Without letting this degenerate into a flame.. (or is it a troll ?)
You are probably right.
But what the previous person was telling you, is that it is not a 
problem of Apache, it is a problem of the browser.
The HTTP protocol RFC indicates what the server should do, which is to 
send a 401 response.
There is a reason for that : the HTTP protocol is state-less, which 
means that each request is independent of previous and following ones.

In-between each request, the server forgets everything.

So the server does not know that this is the nth time that this same 
user resubmitted a request with bad credentials, so it has to send the 
same answer each time.

And the answer can only consist of a status code, which is 401.
The server does not control the dialog that the browser pops up.

However, the browser knows (that this is the nth time this same request 
was refused because of wrong credentials), and the browser could pop up 
a different message in its dialog after it gets, say, 2 consecutive 401 
responses.
But this is a discussion to have with the people who make the browser, 
which is not what this list is about.








[us...@httpd] mod_proxy_balancer and stickysession

2009-05-12 Thread gm
Hi,

we want to use mod_proxy_balancer to load balance a J2EE
application server. So stickysession is set to JSESSIONID.
First I had:


  BalancerMember http://host1
  BalancerMember http://host2
  BalancerMember http://host3
  ProxySet stickysession=JSESSIONID


ProxyPreserveHost On
ProxyPassMatch ^(.*\.jsp)$ balancer://default$1
ProxyPassMatch ^(.*\.do)$ balancer://default$1

But the session was not sticky. After some TCP dump and reading
a bit more documentation, it seems that mod_proxy_balancer
alters the sessionid by appending ".[number]".

So now I have:


  BalancerMember http://host1 route=0
  BalancerMember http://host2 route=1
  BalancerMember http://host3 route=2
  ProxySet stickysession=JSESSIONID


ProxyPreserveHost On
ProxyPassMatch ^(.*\.jsp)$ balancer://default$1
ProxyPassMatch ^(.*\.do)$ balancer://default$1

In all likelihood this works better. Is this the right way to
do it?

Regards,
Gerhard

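The ".[number]" suffix Gerhard found is how mod_proxy_balancer ties a session to a member: it reads the session id from the cookie (or the ";name=value" path parameter) named by stickysession, takes the part after the last ".", and looks for the BalancerMember whose route= equals that part. The suffix itself is appended by the application server (the jvmRoute of Tomcat/JBoss), so route=0/1/2 only makes sessions sticky if the three backends really append 0, 1 and 2; members without a route can never be matched, which is the non-sticky behaviour of the first configuration. The following Python model is an added example, not Apache's code and not the poster's configuration; the member lists are constructed to mirror the two configurations in the post.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Added example, not Apache code: a model of how mod_proxy_balancer picks
# the member that owns a sticky session. Member lists are constructed to
# mirror the two configurations in the post.
MEMBERS_WITHOUT_ROUTE = [("http://host1", None), ("http://host2", None), ("http://host3", None)]
MEMBERS_WITH_ROUTE = [("http://host1", "0"), ("http://host2", "1"), ("http://host3", "2")]


def session_route(session_id):
    """Return the route suffix of 'SESSIONID.route', or None if there is none."""
    if not session_id or "." not in session_id:
        return None
    return session_id.rsplit(".", 1)[1] or None


def find_session_id(url, cookie_header, sticky_name):
    """Locate the sticky session id in the URL path parameter or the Cookie header."""
    path = urlsplit(url).path
    # Path-parameter form, used when cookies are disabled: /x.jsp;JSESSIONID=ABC.1
    for param in path.split(";")[1:]:
        name, _, value = param.partition("=")
        if name == sticky_name:
            return value
    if cookie_header:
        cookies = SimpleCookie()
        cookies.load(cookie_header)
        if sticky_name in cookies:
            return cookies[sticky_name].value
    return None


def choose_member(members, url, cookie_header=None, sticky_name="JSESSIONID"):
    """Return the member URL owning the client's session.

    members is a list of (url, route). When no member's route matches, or
    the request carries no session, the request goes to the ordinary
    load-balancing logic, which this model reduces to "first member".
    That fallback is the non-sticky behaviour seen with route-less members.
    """
    route = session_route(find_session_id(url, cookie_header, sticky_name))
    if route is not None:
        for member_url, member_route in members:
            if member_route == route:
                return member_url
    return members[0][0]


if __name__ == "__main__":
    cookie = "JSESSIONID=ABC123.2"
    print("without route:", choose_member(MEMBERS_WITHOUT_ROUTE, "/app/index.jsp", cookie))
    print("with route:   ", choose_member(MEMBERS_WITH_ROUTE, "/app/index.jsp", cookie))
```

The check worth running on a real deployment is the same as the model's: look at a Set-Cookie from each backend and confirm the text after the last "." equals that member's route= value; a session id with no suffix, or with a jvmRoute name such as "node1" that matches no route, falls back to normal balancing on every request.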



Re: [us...@httpd] A couple of questions about mod_authz_ldap

2009-05-12 Thread Edward Harvey
> And how would users who have a different set of credentials they could
> use for this second URL enter those credentials? The RFC specifies a 401
> response in this scenario to allow a UA to resubmit different
> credentials.
>
> You might not care about the RFC, but Apache and browsers mostly do. The
> behaviour you want goes against the behaviour described in the RFC, so
> to get it you would need to have a custom authorization system.

Well, so I'm acknowledging there's no way to do what I want to do, but
I'll respond to this anyway.

Suppose somebody were to launch an FTP client and browse a remote
site.  If they attempt to access an area where they are denied access,
they would get "access denied" and then they would know they got
access denied with the current credentials.  If they have another set
of credentials, they will know they should reconnect with different
credentials.

If they're already authenticated and browsing along a website and try
to access a restricted item, they don't get "access denied" they get
"please enter your username/password" which is identical behavior as
unauthenticated users.  The users that I support generally think to
themselves, "I thought I already did?"  And they retry and retry until
they finally conclude that isn't going to work.

Each browser has a different way of allowing a user to re-authenticate
with different credentials.  Some have more than one way.

So I acknowledge the world isn't perfect, you don't always get
everything you want, but I do want you to acknowledge one thing, if
you please:

If a user is already authenticated, and they try to access something
which is denied, then it is more useful to communicate to the user
"Your current credentials were denied" and "You may now authenticate
with different credentials if you wish" instead of giving them the
"Please enter username/password" prompt which is identical to an
unauthenticated user.

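The exchange that Edward's complaint and André's reply are about, modelled in Python as an added example (not code from the thread and not httpd's): the server side answers every failed Basic authentication with 401 and a WWW-Authenticate challenge, and, as Apache 2.2 does and the RFC permits, answers a valid user who fails the access check with the same 401 so the browser can resubmit other credentials; the forbidden_on_authz_failure switch shows the alternative 403 answer, which Apache 2.4 makes available through AuthzSendForbiddenOnFailure. The browser side simply resubmits on every 401, which is where the "I thought I already did?" experience comes from. The user table, the access list and all names are constructed for the example.

```python
import base64
import binascii
import hmac

# Added example, not code from the thread or from httpd: the HTTP Basic
# authentication exchange, server side and browser side.

REALM = "Restricted"
CHALLENGE = {"WWW-Authenticate": f'Basic realm="{REALM}"'}

# Constructed sample users and a per-path access list for the example.
USERS = {"alice": "wonderland", "bob": "builder"}
ACL = {"/secret": {"alice"}}      # paths absent from ACL are open to any valid user


def basic_header(user, password):
    """Encode credentials the way a browser does for Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic(authorization):
    """Return (user, password) from an Authorization header value, else None."""
    if not authorization:
        return None
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def handle(path, authorization, forbidden_on_authz_failure=False):
    """Server side: return (status, extra_headers).

    Missing or wrong credentials always get 401 plus a challenge. Valid
    credentials that fail the path's access check get 401 too (Apache 2.2
    behaviour, allowed by the RFC so the UA can resubmit other
    credentials); with forbidden_on_authz_failure=True they get 403, the
    behaviour Apache 2.4 enables with AuthzSendForbiddenOnFailure.
    """
    creds = parse_basic(authorization)
    if creds is None:
        return 401, dict(CHALLENGE)
    user, password = creds
    expected = USERS.get(user)
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return 401, dict(CHALLENGE)
    allowed = ACL.get(path)
    if allowed is None or user in allowed:
        return 200, {}
    return (403, {}) if forbidden_on_authz_failure else (401, dict(CHALLENGE))


def browser_session(path, attempts, forbidden_on_authz_failure=False):
    """Browser side: resubmit the next credential pair on every 401.

    Returns the status codes seen. A 401 following a 401 sent with valid
    credentials is the "I thought I already did?" moment: the server
    cannot tell the browser that this retry is a retry, but the browser
    can count consecutive 401s itself and word its dialog differently.
    """
    statuses = []
    for user, password in attempts:
        status, _ = handle(path, basic_header(user, password), forbidden_on_authz_failure)
        statuses.append(status)
        if status != 401:
            break
    return statuses


if __name__ == "__main__":
    retries = [("bob", "builder"), ("bob", "builder"), ("alice", "wonderland")]
    print("2.2 style:", browser_session("/secret", retries))
    print("403 style:", browser_session("/secret", retries, forbidden_on_authz_failure=True))
```

The 403 variant ends the retry loop immediately, which is the clearer message Edward asked for, but it also means the browser will not offer a way to resubmit different credentials for that URL, which is the trade-off André's reply describes.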



Re: [us...@httpd] authentication question

2009-05-12 Thread J. Greenlees
Ross Boylan wrote:
> Suppose I have apache running in front of a web application and
> subversion.
> 
> I am thinking of a scenario in which the web application provides a
> login page.  However, the user may also browse to web pages served by
> subversion.
> 
> Is there a way that my app can have someone log in and then pass the
> identity and authentication "up" to apache?  In particular, I'd want
> this authentication used if the user browsed over to the subversion
> repository.
> 
> I assume a common source, e.g., LDAP, will provide user and password
> information that is the same for my app and apache.
> 
> A final wrinkle is that the application itself may access subversion via
> http:// (https?) using either the identity of the user or, perhaps, a
> separate identity the application runs under.

I've followed the thread and have one wrinkle to the problem to mention.

subversion authentication, by default, is a hash of the encrypted password.
simplified description:
The svn client generates the hash against the password, sends both user
name and the hash, subversion generates a hash against the stored
password and compares the two, matching hashes grant write access. read
only access doesn't require authentication from subversion.

This was done to avoid passing actual login data across the net.

Unless you are willing to write a module to enable the functionality you
want in Apache, you might be better off in designing your system as a
site script. There are a number of existing scripts that allow web
browsing of subversion repositories. The write ( commit ) access issue
makes a website / apache module a remote possibility, you would have to
create the code to use the subversion authentication as a part of it.

Jaqui




Re: [us...@httpd] authentication question

2009-05-12 Thread André Warnier

Ross Boylan wrote:
> ...
> I've seen mention of apache using a login page, rather than the usual
> popup.  Is there a way to do that?  It might have a nicer feel for
> users.

The usual popup is built into each browser.  It appears only when the 
HTTP server is requesting a Basic or Digest type of authentication. 
Both of these are built into every browser, along with the popup window.


For any other login-based authentication scheme, the server side is on 
its own, and can decide to send any html page or whatever to ask the 
user for his id and password or whatever.
Basically in that case, the browser doesn't even "know" that it is 
"doing authentication".  For the browser, this is just a html form to be 
filled-in and submitted.


Depending on the authentication scheme, it may even be that the login 
form comes from a different server than the server the user tried to 
access in the first place, and is submitted to yet another different 
server. And that this third server then redirects the browser to the 
original server, but with a modified URL.


There are lots of schemes.





Re: [us...@httpd] authentication question

2009-05-12 Thread André Warnier

Ross Boylan wrote:
> ...
Without going into the details of the why and the when and the where, 
let's assume that if the organisation has decided to implement some 
global authentication scheme, and roll it out over time, then the first 
thing I would do, before starting to implement my own temporary and 
maybe conflicting solution, is finding out what this scheme really is, 
how it works, if it has plugins for Apache or anything else, etc..


Even if the instances that be have temporarily suspended the general 
rollout for whatever reason, it may still be so that they would welcome 
anyone willing to look at it and roll it out on his own for a new project.
Better still, since their general rollout has been suspended, they may 
even have some competent people with some free time, to help doing so.


And it may also be so that this scheme does have an easy-to-use plugin 
which does provide an authenticated user-id for Apache to use, and that 
it allows users to login only once per day (with a nice login page) no 
matter what application they want to use, and that it frees the 
departmental level of taking care of managing user-ids and so on.


One can at least hope, and there would not be much lost by asking.

So let's suppose it does work with Apache (*), and any user hitting this 
Apache server ends up authenticated from an Apache point of view.


Then it is time to start figuring out how each application running under 
Apache might get hold of this Apache-level user-id for its own purposes 
of access-control or authorization or customisation.


And there may be issues there, because not all applications are flexible 
in how they can get a user-id.


But then there also exists an arsenal of ways in Apache to get hold of 
the Apache user-id and pass it on to applications in a specific way.

I am thinking of mod_rewrite, request filters, etc..

But without knowing at least what the upper-level authentication method 
even looks like, it is all a bit pointless to elaborate.


And if the application is not Apache-based, then it may also be the time 
to go have a look at the support forum for the application in question, 
and ask if and how it can interface to the global SSO solution.




(*) and if it doesn't, then there would be some serious reason to 
question the wisdom of the overall scheme, not only by one department, 
but by many I would presume.
Despite many years in this business, and despite having lived through 
some really interesting cases, I can't quite imagine that an IT 
department of a large university would adopt a scheme which does not 
work with Apache.






Re: [us...@httpd] authentication question

2009-05-12 Thread Peter Schober
* Ross Boylan  [2009-05-12 18:17]:
> > Where is the SVN access
> > happening? From the Smalltalk app? From httpd?
>
> Both, though the smalltalk app is only going to talk to svn via http.
> There are potentially several scenarios (though I could probably
> dispense with some of them):
> 1) Someone with a subversion client on another machine accesses the svn
> server via http.
> 2) Someone uses a web browser to view the repository through a web
> interface like ViewCVS or Trac.
> 3) Someone browses to our custom app which redirects them to 2) or else
> presents material from 2) as an embedded page.
> 4) Someone using our custom app triggers some logic which causes the
> custom app to access the repository as a svn client (e.g., to get a
> changelog).  The custom web app processes the results in some way and
> displays the results.  The custom web app would also be accessing svn
> via http.

OK, clients other than full (but unmodified, without any plugins)
web browsers generally don't implement the necessary parts (following
HTTP 302, HTTP cookies) needed for WebSSO. That very probably also
includes svn command line clients, eclipse, etc.
  So either all mechanisms utilizing redirects and cookies are out of
the equation (which doesn't leave much), or you fall back to hacks to
get a token via the browser and feed it to the client (like OAuth).
  Or you cancel non-browser clients (which cancels commit access, I
assume).

> Ideally, I want the same id/password, and I want it only asked once.
> 
> Incidentally, solutions requiring the human clients to have more exotic
> technologies (certificates, ssh) are probably out.

Given the requirements I don't see how such a thing could work (I
suppose this also rules out Kerberos).
I still haven't a clear picture what this thing does and how the data
should flow, but maybe that's just me. I haven't had a look at the
SVN/DAV related parts of Apache.

> I've seen mention of apache using a login page, rather than the
> usual popup.  Is there a way to do that?  It might have a nicer feel
> for users.

In common websso systems you are being redirected to a login server,
enter your credentials there (which could also be OTPs or whatever,
since you'd only need to change a single server to accept stronger
authentication), and come back to the protected resource, which
*somehow* recognizes the fact that you've already logged in
elsewhere.
So the workings and/or aesthetics of the login form are usually not
from Apache httpd, but some other package (the "login" server).
-peter





Re: [us...@httpd] authentication question

2009-05-12 Thread Ross Boylan
Thanks to everyone for some really good information.

@Marc Paterman, svn's apache module is dav_svn, so it's definitely DAV
related.  I'm not sure if it simply supports DAV or if that is its
native mode; I suspect the former.

On Tue, 2009-05-12 at 10:05 +0200, Peter Schober wrote:
> Ross et al.,
> 
> I'm not sure I understand the actual question at hand -- you have (or
> want to write) a Smalltalk-based application that runs in its own
> webserver, and proxy to that with httpd?  
Yes.  As you note below, proxying implies further difficulties getting
authentication info from Apache to my web app.  It sounds as if I can
either place it in carefully cleaned http headers or rely on some other
single sign on technology.

> Where is the SVN access
> happening? From the Smalltalk app? From httpd?
Both, though the smalltalk app is only going to talk to svn via http.
There are potentially several scenarios (though I could probably
dispense with some of them):
1) Someone with a subversion client on another machine accesses the svn
server via http.
2) Someone uses a web browser to view the repository through a web
interface like ViewCVS or Trac.
3) Someone browses to our custom app which redirects them to 2) or else
presents material from 2) as an embedded page.
4) Someone using our custom app triggers some logic which causes the
custom app to access the repository as a svn client (e.g., to get a
changelog).  The custom web app processes the results in some way and
displays the results.  The custom web app would also be accessing svn
via http.
> Is this SVN-webapp something like ViewCV or Trac? 
Yes (2 and 3 above).
> Is it under your
> control (source available, permission to modify)? COST or homegrown?
All the software should be under our control and open source--that is,
all the stuff I've discussed above.  If the central IT ever gets its
single signon going it will be effectively out of our control, and
apparently closed source.

> Find a few generally off-topic remarks below ;)
> 
> * Ross Boylan  [2009-05-12 04:35]:
> > Well, I don't even know how to do that step, though the reference to
> > mod-cas by Nick Owen may be a clue.
> 
> Academic organisations should definitively look into running
> Shibboleth (mod_shib in httpd, but there's a fastcgi responder as well
> as a M$-IIS ISAPI filter, for those less lucky) as campus web SSO
> system, since it also does federated websso (via SAML2).
I can pass the suggestion on, but they apparently did an exhaustive
review before settling on their solution.  Their requirements were
undoubtedly complex. For my purposes, their choice is effectively like
the weather: I just have to live with it.

However, if it's the best route, I suppose we could do a single sign on
that at least covers our little ecosystem.  When I started thinking
about this I thought that meant going with LDAP, but I guess that in
itself just assures the different apps have the same id/password.
Ideally, I want the same id/password, and I want it only asked once.

Incidentally, solutions requiring the human clients to have more exotic
technologies (certificates, ssh) are probably out.

> 
> > It's not written!  But the natural way it works is to have a login page.
> > After login, the id is saved on the server and associated with the
> > session (using the Seaside framework).
> 
> First thing that'd need to go is the login page (see above) ;)
I've seen mention of apache using a login page, rather than the usual
popup.  Is there a way to do that?  It might have a nicer feel for
users.

> Looking at Seaside it seems this comes with it's own VM and webserver,
> so you'd need to reverse proxy to this from httpd and do all the authN
> and authZ there. Which is fine, but you won't get REMOTE_USER to your
> Seaside app via mod_proxy_http (as you would via AJP), also envvar's
> won't help, which leaves HTTP request headers (which are easily
> spoofed, so would need to be clean by httpd before proxying to
> Smalltalk).
> 
> > Funding cuts also seem likely to delay rollout of the single signon,
> > even if we wanted to use it.
> 
> There are several Free Software offerings, some of which are rather
> easy to setup and maintain[1] if you have the IdM infrastructure in
> place (directory service or database with up to date data/accounts for
> your population, a way to authenticate all users).
They've bought and partly rolled out the software, so I think it's the
cost of people's time, rather than the software, that is the main
difficulty.  Stopping part way through may be a false economy, but the
state of California has been doing a lot of those recently.
> 
> Check out http://www.nmi-edit.org/started/index.cfm or EDUCASE and
> related Internet2 activities (e.g. "CAMP" workshops).
Thanks.
Ross



-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, 

Re: [us...@httpd] Virtual Host port forwarding

2009-05-12 Thread Jan G.B.
2009/5/12 zm :
>
> Hi,
>
> I've installed Apache HTTP Server 2.2.11 and I'm trying to configure it to
> do the following trick:
>
> I have 1 server, connected through 1 router. I paid for domain
> "mydomain.com" (fictitious), and it will point toward my router with
> success.
>
> My router forwards port 80 to my server IP (192.168.1.1), also to port 80.
>
> In my server, I have 2 services running:
>
> Apache HTTP server on port 80
> Webserver (tomcat) on port 8080
> SVN server on port 8081
>
> I want my apache server on port 80 to make the following forwardings:
>
> if "www.mydomain.com" forwards to "192.168.1.1:8080"
> if "svn.mydomain.com" forwards to "192.168.1.1:8081"
> if anything else, fails ... or maybe to a static apache server page that
> presents some static html page, saying "hello there, go away" (it could be
> defined on apache http server itself).
>
> Is it possible to do that?


Yes, that would be possible with Name Based Virtualhosts in
conjunction with mod_proxy.
Please look that term up with a search engine, as there should be
plenty of examples.

There might be other approaches that can lead to success.



PS: no need to post your message three times, just because the
"Thanks" is missing. :-)




>
> What configs should I put on "httpd.conf" VirtualHost?
>
> I'm trying with something like:
Like
NameVirtualHost *:80
<VirtualHost *:80>
ServerName foobar.org
DocumentRoot /your/blank/page/dir
</VirtualHost>


<VirtualHost *:80>
ServerName svn.foobar.org

# Off: this is a reverse proxy. "On" would make httpd a forward proxy
# that anyone allowed by <Proxy *> could use to reach arbitrary hosts.
ProxyRequests Off

<Proxy *>
Order deny,allow
 Allow from all
</Proxy>

ProxyPass / http://192.etc:8081/
ProxyPassReverse / http://192.etc:8081/
</VirtualHost>


and so on.
(Example is straight outta http://httpd.apache.org/docs/2.0/mod/mod_proxy.html )

Regards
> 
>    ServerName 192.168.1.1:8081
> 
>
> Should this work?




Re: [us...@httpd] Virtual Host port forwarding

2009-05-12 Thread André Warnier

Hi.
Why do you post your messages 3 times?

Other comments down further.

zm wrote:

Hi,

I've installed Apache HTTP Server 2.2.11 and I'm trying to configure it to
do the following trick:

I have 1 server, connected through 1 router. I paid for domain
"mydomain.com" (fictitious), and it will point toward my router with
success.

My router forwards port 80 to my server IP (192.168.1.1), also to port 80.

In my server, I have 2 services running:

Apache HTTP server on port 80
Webserver (tomcat) on port 8080
SVN server on port 8081

I want my apache server on port 80 to make the following forwardings:

if "www.mydomain.com" forwards to "192.168.1.1:8080"
if "svn.mydomain.com" forwards to "192.168.1.1:8081"
if anything else, fails ... or maybe to a static apache server page that
presents some static html page, saying "hello there, go away" (it could be
defined on apache http server itself).

Is it possible to do that?


Yes.

But the first thing you need is that the DNS system, from outside on 
the Internet, would know that "www.mydomain.com" and "svn.mydomain.com" 
both resolve to the same public IP address of your router.

Is that so ?
(Otherwise, nothing below will work)(and no other method will either, 
because requests for "www.mydomain.com" and "svn.mydomain.com" would not 
even reach your router.)




What configs should I put on "httpd.conf" VirtualHost?

I'm trying with something like:

ServerName 192.168.1.1:8080


ServerName 192.168.1.1:8081


Should this work?


No, do this instead :

load mod_proxy and mod_proxy_http in your server

# following line only once
NameVirtualHost *:80

<VirtualHost *:80>
  # ServerName here can really be whatever you want
  ServerName localhost
  DocumentRoot /some/place/nice
  DirectoryIndex index.html
  # and as /some/place/nice/index.html, a page saying "go away"
  ...
</VirtualHost>

<VirtualHost *:80>
  # must be so
  ServerName www.mydomain.com
  ProxyRequests Off
  <Proxy *>
  Order deny,allow
  Deny from all
  Allow from (internal IP address of your router)
  </Proxy>
  ProxyPass / http://localhost:8080/
  ProxyPassReverse / http://localhost:8080/
  ...
</VirtualHost>

<VirtualHost *:80>
  # must be so
  ServerName svn.mydomain.com
  ProxyRequests Off
  <Proxy *>
  Order deny,allow
  Deny from all
  Allow from (internal IP address of your router)
  </Proxy>
  ProxyPass / http://localhost:8081/
  ProxyPassReverse / http://localhost:8081/
  ...
</VirtualHost>

That's really the bare bones.
Look up each of these directives here, and understand what they do :
http://httpd.apache.org/docs/2.2/mod/directives.html





Re: [us...@httpd] Apache child process not exiting after it served MaxRequestsPerChild

2009-05-12 Thread Karthik kanna
Hi All,

I apologize for the attachments of size 800+k in my previous mail. I will not 
do it again.

Tom,
Yes, I agree with you. But even after it served 3 (keep alive connections + 
non keep alive) requests, the child process is not exiting. It is running on 
the server until Apache is restarted.

Regards,
Karthik Kanna


From: Tom Evans 
To: users@httpd.apache.org
Sent: Tuesday, 12 May, 2009 8:34:25 PM
Subject: Re: [us...@httpd] Apache child process not exiting after it served 
MaxRequestsPerChild

On Tue, 2009-05-12 at 18:24 +0530, Karthik kanna wrote:
> Hi,
>  
> I am using Apache 2.0.59 in AIX 5.3. Apache is running as "apache"
> user-id, even the parent process is also running as "apache" user-id.
> I am using non-standard ports like 8028/9028, so I do not require root
> user to run the parent process. This is the configuration I am using
> in Apache 2.0.59.
>  
>  StartServers 2
>  MaxClients 150
>  MinSpareThreads 25
>  MaxSpareThreads 75
>  ThreadsPerChild 25
>  MaxRequestsPerChild 3
>  
> Actually what is happening - when the child process has served 3
> requests, it is not killed by the parent process and the child process
> runs forever on the server till I manually kill the child
> process or restart Apache. But the parent process spawns new child
> processes. So the number of Apache httpd processes is increasing day by
> day on the server. The thing is, a few child processes get killed by the
> parent process once they have served 3 requests. But a few child processes
> are not exiting.

MaxRequestsPerChild doesn't kill children after N requests, it kills
them after N unique keep alive connections + non keep alive requests -
IE if one keep alive connection requests 40 different entities in its
lifetime, then apache will consider that as 1 request as far as counting
MaxRequestsPerChild. See
http://httpd.apache.org/docs/2.2/mod/mpm_common.html#maxrequestsperchild

>  
> Truss output of the child process that is not exiting:
> 3911841: yield()                                = 
> 3911841: thread_waitact(400)                    = 0
> 1144501: __semop(1048580, 0xF1B22D58, 1)        = 0
> 1144501: __semop(1048580, 0xF1B22D60, 1)        = 0
> 1144501: _nsleep(0x202069E8, 0x20206A60)        = 1
> 3911841: yield()                                = 
> 822367: kread(-802643620, 0x, 0) (sleeping...)
> 822367: kread(-802643620, 0x, 0)        = 0
> 3911841: yield()                                = 
> 822367: kread(-802643620, 0x, 0) (sleeping...)
> 822367: kread(-802643620, 0x, 0)        = 0
> 3911841: yield()                                = 
> 3911841: thread_waitact(400)                    = 0
> 
> Few system calls like thread_waitact(), kread(), semop() and yield()
> are running infinitely for the child process. Before the child process
> starts executing these system call infinitely, the last system call it
> was executing was thread_terminate_ack() after it served 3
> requests.
>  
> In the child process, one thread is in running state executing
> _p_nsleep() system call and another thread is in wait state, whereas
> all other threads are in terminated status.
>  
> (dbx) thread
>  thread  state-k  wchan       state-u     k-tid    mode  held  scope  function
>  $t1     wait     0x38882158  running     2894597  k     no    pro    read
> >$t2     run                  running     3674465  k     no    pro    _p_nsleep
>  $t3                          terminated           u     no    pro
> 
> Since 2 threads are not terminated, I think child process is not
> exiting by the process process.
>  
> Have you faced this problem? Any help you provide to resolve the issue
> is much appreciated.
>  
> Regards,
> Karthik Kanna

Also, please don't email me 800+k of logs again. kthx :)



Re: [us...@httpd] Mixing rewrite with authn_dbd: Rewriting based on path value stored in mysql table

2009-05-12 Thread Roman Medina-Heigl Hernandez
Bob Ionescu wrote:
> 2009/5/12 Roman Medina-Heigl Hernandez :
>> My final solution is:
>>
>>RewriteBase /stats
>>RewriteCond %{REMOTE_USER}/<>$1 !^([^<]+)<>\1
>>RewriteRule ^/clientes/(.*) /stats/%{REMOTE_USER}/stats/http/$1
>>
>>RewriteCond $1 !^[^/]+/stats/http/
>>RewriteRule ^/clientes/(.*) hacking_attempt [F]
>>
>>
>> The alternative (adding L) is:
>>
>>RewriteBase /stats
>>RewriteCond %{REMOTE_USER}/<>$1 !^([^<]+)<>\1
>>RewriteRule ^/clientes/(.*) /stats/%{REMOTE_USER}/stats/http/$1 [L]
>>
>>RewriteCond $1 !^[^/]+/stats/http/
>>RewriteRule ^/clientes/(.*) hacking_attempt [F,L]
>>
>> But I see no real difference between both solutions. Am I right?
> 
> L only makes sense to abort something below, i.e. if there's nothing,
> there's nothing to abort (F implies L btw., the substitution will be
> dropped as well). Your second rule (forbidden) never comes true if
> the first rule matched. So you could stop further (useless) processing
> with the L flag at your first rule.

Agreed.

For the record, final solution:
RewriteBase /stats
RewriteCond %{REMOTE_USER}/<>$1 !^([^<]+)<>\1
RewriteRule ^/clientes/(.*) /stats/%{REMOTE_USER}/stats/http/$1 [L]

RewriteCond $1 !^[^/]+/stats/http/
RewriteRule ^/clientes/(.*) hacking_attempt [F]

Thanks a lot to all who contributed to the thread and especially to Bob

Cheers,
-Roman
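The ruleset above, traced as an added Python simulation (my code, not Roman's or Bob's): it applies the same three patterns from the final solution to constructed sample requests, and shows why the trailing "/" in the TestString keeps user "alice" from being matched against "alicex/...". It models the rule semantics as written, not the full mod_rewrite engine (per-directory re-runs, RewriteBase).

```python
import re

# Patterns copied verbatim from the final mod_rewrite solution in this thread.
# Python's re resolves the \1 backreference the same way Apache's PCRE does.
RULE = re.compile(r"^/clientes/(.*)")
OWN_PREFIX = re.compile(r"^([^<]+)<>\1")          # RewriteCond, negated with "!"
WELL_FORMED = re.compile(r"^[^/]+/stats/http/")   # RewriteCond, negated with "!"


def apply_rules(remote_user, request_uri):
    """Return ("rewrite", new_uri), ("forbidden", None) or ("pass", request_uri).

    Rule 1: any request that is not already under the caller's own prefix is
    rewritten into that prefix and processing stops ([L]).
    Rule 2: a request that *is* under the caller's prefix but does not look
    like <user>/stats/http/... is refused with 403 ([F]).
    """
    m = RULE.match(request_uri)
    if not m:
        return ("pass", request_uri)      # ruleset only covers /clientes/
    rest = m.group(1)                     # this is $1 in both RewriteConds
    # Apache builds the TestString "%{REMOTE_USER}/<>$1". The "/" before "<>"
    # forces the backreference to include the separator, so "alice" can only
    # match "alice/..." and never "alicex/...".
    test_string = f"{remote_user}/<>{rest}"
    if not OWN_PREFIX.match(test_string):
        return ("rewrite", f"/stats/{remote_user}/stats/http/{rest}")  # [L]
    if not WELL_FORMED.match(rest):
        return ("forbidden", None)        # hacking_attempt [F]
    return ("pass", request_uri)


if __name__ == "__main__":
    # constructed sample requests, all made by the authenticated user "alice"
    for uri in ("/clientes/index.html",
                "/clientes/bob/stats/http/index.html",
                "/clientes/alicex/stats/http/index.html",
                "/clientes/alice/stats/http/index.html",
                "/clientes/alice/secret.txt"):
        print(uri, "->", apply_rules("alice", uri))
```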





Re: [us...@httpd] Apache child process not exiting after it served MaxRequestsPerChild

2009-05-12 Thread Tom Evans
On Tue, 2009-05-12 at 18:24 +0530, Karthik kanna wrote:
> Hi,
>  
> I am using Apache 2.0.59 in AIX 5.3. Apache is running as "apache"
> user-id, even the parent process is also running as "apache" user-id.
> I am using non-standard ports like 8028/9028, so I do not require root
> user to run the parent process. This is the configuration I am using
> in Apache 2.0.59.
>  
>   StartServers 2
>   MaxClients 150
>   MinSpareThreads 25
>   MaxSpareThreads 75
>   ThreadsPerChild 25
>   MaxRequestsPerChild 3
>  
> Actually what is happening - when the child process has served 3
> requests, it is not killed by the parent process and the child process
> runs forever on the server till I manually kill the child
> process or restart Apache. But the parent process spawns new child
> processes. So the number of Apache httpd processes is increasing day by
> day on the server. The thing is, a few child processes get killed by the
> parent process once they have served 3 requests. But a few child processes
> are not exiting.

MaxRequestsPerChild doesn't kill children after N requests, it kills
them after N unique keep alive connections + non keep alive requests -
IE if one keep alive connection requests 40 different entities in its
lifetime, then apache will consider that as 1 request as far as counting
MaxRequestsPerChild. See
http://httpd.apache.org/docs/2.2/mod/mpm_common.html#maxrequestsperchild

>  
> Truss output of the child process that is not exiting:
> 3911841: yield()= 
> 3911841: thread_waitact(400)= 0
> 1144501: __semop(1048580, 0xF1B22D58, 1)= 0
> 1144501: __semop(1048580, 0xF1B22D60, 1)= 0
> 1144501: _nsleep(0x202069E8, 0x20206A60)= 1
> 3911841: yield()= 
> 822367: kread(-802643620, 0x, 0) (sleeping...)
> 822367: kread(-802643620, 0x, 0)= 0
> 3911841: yield()= 
> 822367: kread(-802643620, 0x, 0) (sleeping...)
> 822367: kread(-802643620, 0x, 0)= 0
> 3911841: yield()= 
> 3911841: thread_waitact(400)= 0
> 
> Few system calls like thread_waitact(), kread(), semop() and yield()
> are running infinitely for the child process. Before the child process
> starts executing these system call infinitely, the last system call it
> was executing was thread_terminate_ack() after it served 3
> requests.
>  
> In the child process, one thread is in running state executing
> _p_nsleep() system call and another thread is in wait state, whereas
> all other threads are in terminated status.
>  
> (dbx) thread
>  thread  state-k  wchan       state-u     k-tid    mode  held  scope  function
>  $t1     wait     0x38882158  running     2894597  k     no    pro    read
> >$t2     run                  running     3674465  k     no    pro    _p_nsleep
>  $t3                          terminated           u     no    pro
> 
> Since 2 threads are not terminated, I think child process is not
> exiting by the process process.
>  
> Have you faced this problem? Any help you provide to resolve the issue
> is much appreciated.
>  
> Regards,
> Karthik Kanna

Also, please don't email me 800+k of logs again. kthx :)





[us...@httpd] Virtual Host port forwarding

2009-05-12 Thread zm

Hi,

I've installed Apache HTTP Server 2.2.11 and I'm trying to configure it to
do the following trick:

I have 1 server, connected through 1 router. I paid for domain
"mydomain.com" (fictitious), and it will point toward my router with
success.

My router forwards port 80 to my server IP (192.168.1.1), also to port 80.

In my server, I have 2 services running:

Apache HTTP server on port 80
Webserver (tomcat) on port 8080
SVN server on port 8081

I want my apache server on port 80 to make the following forwardings:

if "www.mydomain.com" forwards to "192.168.1.1:8080"
if "svn.mydomain.com" forwards to "192.168.1.1:8081"
if anything else, fails ... or maybe to a static apache server page that
presents some static html page, saying "hello there, go away" (it could be
defined on apache http server itself).

Is it possible to do that?

What configs should I put on "httpd.conf" VirtualHost?

I'm trying with something like:

ServerName 192.168.1.1:8080


ServerName 192.168.1.1:8081


Should this work?
-- 
View this message in context: 
http://www.nabble.com/Virtual-Host-port-forwarding-tp23504328p23504328.html
Sent from the Apache HTTP Server - Users mailing list archive at Nabble.com.





Re: [us...@httpd] Apache child process not exiting after it served MaxRequestsPerChild

2009-05-12 Thread Nick Kew
On Tue, 12 May 2009 19:22:52 +0530 (IST)
Karthik kanna  wrote:

> Hi Eric,
>  
> I have attached

Please NEVER DO THAT in email to a public list (or to anyone
who hasn't given permission).

873k is a bloody big unsolicited download.  Some people have
to pay for it!  If you have big attachments, put them somewhere
and post a URL instead.

-- 
Nick Kew

Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/




Re: [us...@httpd] authentication question

2009-05-12 Thread Mark H. Wood
[tangent alert]

On Tue, May 12, 2009 at 10:05:41AM +0200, Peter Schober wrote:
[other good advice trimmed]
> > > Your problem will be to make the various applications running under 
> > > Apache aware of the single sign-on.
> 
> This is indeed as much an art as a science. Every self-respecting
> application has its own user store, authentication mechanism, login
> form, session mechanism, etc. (which is understandable, since it can't
> expect everyone to have the necessary parts already in place).

This much is inevitable.

> So each and every application needs to be modified to rely on
> externally provided authentication (preferably via relying on
> REMOTE_USER already being set by some mod_*), refrain from insisting
> to collect username+password itself (and impersonate the user to other
> services with them that way), possibly even "outsourcing" its session
> management (also take into account terminating these several
> different sessions, one for the SSO system, one for the application,
> with different timeouts, idle timeouts and consequences for the user
> experience.)

This is not inevitable and it is most unfortunate.  Any
self-respecting application which uses authentication ought not
require us to hack it after the fact to use the methods required by
its environment.  A built-in authentication method ought to be
separated from the main application by a plugin interface *from day
one*, and it should be possible to simply leave it unplugged and plug
in something else if you have one.  We all should pay more attention
to keeping authentication, authorization, and identity separate and to
keeping their specific methods separable from the app.s we build.

And we need to pound on this point with others who build app.s for us,
until it goes in.  I've lost count of the number of products which
would have met our needs *except* that they had only a toy
authentication mechanism wired in with no possibility of bypassing it.

[end rant]

-- 
Mark H. Wood, Lead System Programmer   mw...@iupui.edu
Friends don't let friends publish revisable-form documents.




Re: [us...@httpd] Apache child process not exiting after it served MaxRequestsPerChild

2009-05-12 Thread Eric Covener
On Tue, May 12, 2009 at 9:31 AM, Karthik kanna  wrote:
> Hi Prasanna,
>
> Thanks for your reply. Keepalive settings are as follows:
>
>
>
>   Timeout 600
>   KeepAlive On
>   MaxKeepAliveRequests 100
>   KeepAliveTimeout 15
>
> I do not think it is related to keepalive setting, because few child
> process dies properly after it served 3 requests.

Can you get a full backtrace of that lingering thread?

-- 
Eric Covener
cove...@gmail.com




Re: [us...@httpd] Apache child process not exiting after it served MaxRequestsPerChild

2009-05-12 Thread Prasanna Ram Venkatachalam
Oh.. :(.. Okie.. No errors in the log as well?

On Tue, May 12, 2009 at 7:01 PM, Karthik kanna  wrote:

>  Hi Prasanna,
>
> Thanks for your reply. Keepalive settings are as follows:
>
>
>
>   Timeout 600
>   KeepAlive On
>   MaxKeepAliveRequests 100
>   KeepAliveTimeout 15
> I do not think it is related to keepalive setting, because few child
> process dies properly after it served 3 requests.
>
> Regards,
> Karthik Kanna
>  --
> *From:* Prasanna Ram Venkatachalam 
> *To:* users@httpd.apache.org
> *Sent:* Tuesday, 12 May, 2009 6:53:18 PM
> *Subject:* Re: [us...@httpd] Apache child process not exiting after it
> served MaxRequestsPerChild
>
> I am not 100% sure. Do you think Keep Alive time should be revisited? I
> remember hearing it somewhere.
>
> Regards
> Prasanna Ram
>
> On Tue, May 12, 2009 at 6:24 PM, Karthik kanna  wrote:
>
>>  Hi,
>>
>> I am using Apache 2.0.59 in AIX 5.3. Apache is running as "apache"
>> user-id, even the parent process is also running as "apache" user-id. I am
>> using non-standard ports like 8028/9028, so I do not require root user to
>> run the parent process. This is the configuration I am using in Apache
>> 2.0.59.
>>
>>   StartServers 2
>>   MaxClients 150
>>   MinSpareThreads 25
>>   MaxSpareThreads 75
>>   ThreadsPerChild 25
>>   MaxRequestsPerChild 3
>>
>> Actually what is happening - when the child process has served 3 requests,
>> it is not killed by the parent process and the child process runs
>> forever on the server till I manually kill the child process or restart
>> Apache. But the parent process spawns new child processes. So the number of Apache
>> httpd processes is increasing day by day on the server. The thing is, a few
>> child processes get killed by the parent process once they have served 3
>> requests. But a few child processes are not exiting.
>>
>> Truss output of the child process that is not exiting:
>> 3911841: yield()=
>> 3911841: thread_waitact(400)= 0
>> 1144501: __semop(1048580, 0xF1B22D58, 1)= 0
>> 1144501: __semop(1048580, 0xF1B22D60, 1)= 0
>> 1144501: _nsleep(0x202069E8, 0x20206A60)= 1
>> 3911841: yield()=
>> 822367: kread(-802643620, 0x, 0) (sleeping...)
>> 822367: kread(-802643620, 0x, 0)= 0
>> 3911841: yield()=
>> 822367: kread(-802643620, 0x, 0) (sleeping...)
>> 822367: kread(-802643620, 0x, 0)= 0
>> 3911841: yield()=
>> 3911841: thread_waitact(400)= 0
>> Few system calls like thread_waitact(), kread(), semop() and yield() are
>> running infinitely for the child process. Before the child process starts
>> executing these system call infinitely, the last system call it was
>> executing was thread_terminate_ack() after it served 3 requests.
>>
>> In the child process, one thread is in running state executing _p_nsleep()
>> system call and another thread is in wait state, whereas all other threads
>> are in terminated status.
>>
>> (dbx) thread
>>  thread  state-k  wchan       state-u     k-tid    mode  held  scope  function
>>  $t1     wait     0x38882158  running     2894597  k     no    pro    read
>> >$t2     run                  running     3674465  k     no    pro    _p_nsleep
>>  $t3                          terminated           u     no    pro
>> Since 2 threads are not terminated, I think child process is not exiting
>> by the process process.
>>
>> Have you faced this problem? Any help you provide to resolve the issue is
>> much appreciated.
>>
>> Regards,
>> Karthik Kanna
>>
>>
>
>
>
> --
> Prasanna Ram
>
>



-- 
Prasanna Ram


Re: [us...@httpd] Apache child process not exiting after it served MaxRequestsPerChild

2009-05-12 Thread Karthik kanna
Hi Prasanna,
 
Thanks for your reply. Keepalive settings are as follows:
 
  Timeout 600
  KeepAlive On
  MaxKeepAliveRequests 100
  KeepAliveTimeout 15

I do not think it is related to keepalive setting, because few child 
process dies properly after it served 3 requests.

Regards,
Karthik Kanna


From: Prasanna Ram Venkatachalam 
To: users@httpd.apache.org
Sent: Tuesday, 12 May, 2009 6:53:18 PM
Subject: Re: [us...@httpd] Apache child process not exiting after it served 
MaxRequestsPerChild


I am not 100% sure. Do you think Keep Alive time should be revisited? I 
remember hearing it somewhere.

Regards
Prasanna Ram


On Tue, May 12, 2009 at 6:24 PM, Karthik kanna  wrote:

Hi,

I am using Apache 2.0.59 in AIX 5.3. Apache is running as "apache" user-id, 
even the parent process is also running as "apache" user-id. I am using 
non-standard ports like 8028/9028, so I do not require root user to run the 
parent process. This is the configuration I am using in Apache 2.0.59.

  StartServers 2
  MaxClients 150
  MinSpareThreads 25
  MaxSpareThreads 75
  ThreadsPerChild 25
  MaxRequestsPerChild 3

Actually what is happening - when the child process has served 3 requests, it 
is not killed by the parent process and the child process runs forever on 
the server till I manually kill the child process or restart Apache. But the 
parent process spawns new child processes. So the number of Apache httpd processes 
is increasing day by day on the server. The thing is, a few child processes get 
killed by the parent process once they have served 3 requests. But a few child 
processes are not exiting.

Truss output of the child process that is not exiting:
3911841: yield()    = 
3911841: thread_waitact(400)    = 0
1144501: __semop(1048580, 0xF1B22D58, 1)    = 0
1144501: __semop(1048580, 0xF1B22D60, 1)    = 0
1144501: _nsleep(0x202069E8, 0x20206A60)    = 1
3911841: yield()    = 
822367: kread(-802643620, 0x, 0) (sleeping...)
822367: kread(-802643620, 0x, 0)    = 0
3911841: yield()    = 
822367: kread(-802643620, 0x, 0) (sleeping...)
822367: kread(-802643620, 0x, 0)    = 0
3911841: yield()    = 
3911841: thread_waitact(400)    = 0

Few system calls like thread_waitact(), kread(), semop() and yield() are 
running infinitely for the child process. Before the child process starts 
executing these system call infinitely, the last system call it was executing 
was thread_terminate_ack() after it served 3 requests.

In the child process, one thread is in running state executing _p_nsleep() 
system call and another thread is in wait state, whereas all other threads are 
in terminated status.

(dbx) thread
 thread  state-k  wchan       state-u     k-tid    mode  held  scope  function
 $t1     wait     0x38882158  running     2894597  k     no    pro    read
>$t2     run                  running     3674465  k     no    pro    _p_nsleep
 $t3                          terminated           u     no    pro

Since 2 threads are not terminated, I think child process is not exiting by the 
process process.

Have you faced this problem? Any help you provide to resolve the issue is much 
appreciated.

Regards,
Karthik Kanna





-- 
Prasanna Ram




Re: [us...@httpd] Apache child process not exiting after it served MaxRequestsPerChild

2009-05-12 Thread Prasanna Ram Venkatachalam
I am not 100% sure. Do you think Keep Alive time should be revisited? I
remember hearing it somewhere.

Regards
Prasanna Ram

On Tue, May 12, 2009 at 6:24 PM, Karthik kanna  wrote:

>  Hi,
>
> I am using Apache 2.0.59 in AIX 5.3. Apache is running as "apache" user-id,
> even the parent process is also running as "apache" user-id. I am using
> non-standard ports like 8028/9028, so I do not require root user to run the
> parent process. This is the configuration I am using in Apache 2.0.59.
>
>   StartServers 2
>   MaxClients 150
>   MinSpareThreads 25
>   MaxSpareThreads 75
>   ThreadsPerChild 25
>   MaxRequestsPerChild 3
>
> Actually what is happening - when the child process has served 3 requests,
> it is not killed by the parent process and the child process runs
> forever on the server till I manually kill the child process or restart
> Apache. But the parent process spawns new child processes. So the number of Apache
> httpd processes is increasing day by day on the server. The thing is, a few
> child processes get killed by the parent process once they have served 3
> requests. But a few child processes are not exiting.
>
> Truss output of the child process that is not exiting:
> 3911841: yield()=
> 3911841: thread_waitact(400)= 0
> 1144501: __semop(1048580, 0xF1B22D58, 1)= 0
> 1144501: __semop(1048580, 0xF1B22D60, 1)= 0
> 1144501: _nsleep(0x202069E8, 0x20206A60)= 1
> 3911841: yield()=
> 822367: kread(-802643620, 0x, 0) (sleeping...)
> 822367: kread(-802643620, 0x, 0)= 0
> 3911841: yield()=
> 822367: kread(-802643620, 0x, 0) (sleeping...)
> 822367: kread(-802643620, 0x, 0)= 0
> 3911841: yield()=
> 3911841: thread_waitact(400)= 0
> Few system calls like thread_waitact(), kread(), semop() and yield() are
> running infinitely for the child process. Before the child process starts
> executing these system call infinitely, the last system call it was
> executing was thread_terminate_ack() after it served 3 requests.
>
> In the child process, one thread is in running state executing _p_nsleep()
> system call and another thread is in wait state, whereas all other threads
> are in terminated status.
>
> (dbx) thread
>  thread  state-k  wchan       state-u     k-tid    mode  held  scope  function
>  $t1     wait     0x38882158  running     2894597  k     no    pro    read
> >$t2     run                  running     3674465  k     no    pro    _p_nsleep
>  $t3                          terminated           u     no    pro
> Since 2 threads are not terminated, I think child process is not exiting by
> the process process.
>
> Have you faced this problem? Any help you provide to resolve the issue is
> much appreciated.
>
> Regards,
> Karthik Kanna
>
>



-- 
Prasanna Ram


Re: [us...@httpd] Ubuntu + Apache + Virtual host + Subversion + SSL tutorial: error about SSL.

2009-05-12 Thread Eric Covener
> SSL received a record that exceeded the maximum permissible length.
>
> (Error code: ssl_error_rx_record_too_long)
>
> The page you are trying to view can not be shown because the authenticity of
> the received data could not be verified.

Make sure your virtual hosts and NameVirtualHosts all specify a port
in the argument, and the ones that are supposed to be SSL need to have
SSL configured.

(you're probably taking SSL to a non-SSL port)

-- 
Eric Covener
cove...@gmail.com

-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
   "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org



[us...@httpd] Ubuntu + Apache + Virtual host + Subversion + SSL tutorial: error about SSL.

2009-05-12 Thread tirengarfio

Hi,

I've just followed this tutorial:
http://www.sellersrank.com/ubuntu/setup-apache-subversion-ssl-https-with-virtual-hosts-on-ubuntu/
and when I write "https://svn.domain.com" as the tutorial mentions
I get this message:

Hi,

I added to my "/etc/hosts" and the message I mentioned in my first post is
not shown any more; now I have another message:

Secure Connection Failed

An error occurred during a connection to svn.domain.com.

SSL received a record that exceeded the maximum permissible length.

(Error code: ssl_error_rx_record_too_long)

The page you are trying to view can not be shown because the authenticity of
the received data could not be verified.

* Please contact the web site owners to inform them of this problem.


Any idea?
-- 





[us...@httpd] Apache child process not exiting after it served MaxRequestsPerChild

2009-05-12 Thread Karthik kanna
Hi,

I am using Apache 2.0.59 in AIX 5.3. Apache is running as "apache" user-id, 
even the parent process is also running as "apache" user-id. I am using 
non-standard ports like 8028/9028, so I do not require root user to run the 
parent process. This is the configuration I am using in Apache 2.0.59.

  StartServers 2
  MaxClients 150
  MinSpareThreads 25
  MaxSpareThreads 75
  ThreadsPerChild 25
  MaxRequestsPerChild 3

Actually what is happening - when the child process served 3 requests, it 
is not killed by the parent process and the child process is running forever on 
the server till I manually kill the child process or restart the Apache. But 
parent process spawns new child process. So the number of Apache httpd process 
is increasing day by day on the server. The thing is, few child process gets 
killed by the parent process once it served 3 requests. But few child 
process is not exiting.

Truss output of the child process that is not exiting:
3911841: yield()    = 
3911841: thread_waitact(400)    = 0
1144501: __semop(1048580, 0xF1B22D58, 1)    = 0
1144501: __semop(1048580, 0xF1B22D60, 1)    = 0
1144501: _nsleep(0x202069E8, 0x20206A60)    = 1
3911841: yield()    = 
822367: kread(-802643620, 0x, 0) (sleeping...)
822367: kread(-802643620, 0x, 0)    = 0
3911841: yield()    = 
822367: kread(-802643620, 0x, 0) (sleeping...)
822367: kread(-802643620, 0x, 0)    = 0
3911841: yield()    = 
3911841: thread_waitact(400)    = 0

Few system calls like thread_waitact(), kread(), semop() and yield() are 
running infinitely for the child process. Before the child process starts 
executing these system call infinitely, the last system call it was executing 
was thread_terminate_ack() after it served 3 requests.

In the child process, one thread is in running state executing _p_nsleep() 
system call and another thread is in wait state, whereas all other threads are 
in terminated status.

(dbx) thread
 thread  state-k  wchan       state-u     k-tid    mode  held  scope  function
 $t1     wait     0x38882158  running     2894597  k     no    pro    read
>$t2     run                  running     3674465  k     no    pro    _p_nsleep
 $t3                          terminated           u     no    pro

Since 2 threads are not terminated, I think child process is not exiting by the 
process process.

Have you faced this problem? Any help you provide to resolve the issue is much 
appreciated.

Regards,
Karthik Kanna



Re: [us...@httpd] Mixing rewrite with authn_dbd: Rewriting based on path value stored in mysql table

2009-05-12 Thread Bob Ionescu
2009/5/12 Roman Medina-Heigl Hernandez :
> My final solution is:
>
>RewriteBase /stats
>RewriteCond %{REMOTE_USER}/<>$1 !^([^<]+)<>\1
>RewriteRule ^/clientes/(.*) /stats/%{REMOTE_USER}/stats/http/$1
>
>RewriteCond $1 !^[^/]+/stats/http/
>RewriteRule ^/clientes/(.*) hacking_attempt [F]
>
>
> The alternative (adding L) is:
>
>RewriteBase /stats
>RewriteCond %{REMOTE_USER}/<>$1 !^([^<]+)<>\1
>RewriteRule ^/clientes/(.*)
> /stats/%{REMOTE_USER}/stats/http/$1 [L]
>
>RewriteCond $1 !^[^/]+/stats/http/
>RewriteRule ^/clientes/(.*) hacking_attempt [F,L]
>
> But I see no real difference between both solutions. Am I right?

L only makes sense to abort something below, i.e. if there's nothing,
there's nothing to abort (F implies L btw., the substitution will be
dropped as well). Your second rule (forbidden) never comes true if
the first rule matched. So you could stop further (useless) processing
with the L flag at your first rule.

Bob




Re: [us...@httpd] authentication question

2009-05-12 Thread André Warnier

Peter Schober wrote:

Ross et al.,

I agree, and that is what I was trying to tell Ross, although apparently 
not as clearly :


You should not try to do the authentication at the level of one 
application, and then "pass it up to Apache" for other applications to 
use.  That will always give you problems (*).


Instead, you should have one authentication method on top, at the level 
of Apache.
That means, as soon as the user hits Apache, it is asked for 
authentication, before it even goes further to the application level.
There are a multitude of schemes to achieve this, starting with the 
various mod_auth* modules that come standard with Apache itself, and 
extending to all the "non-standard" external add-on modules that can do 
authentication vis-a-vis a number of different back-end systems.


Then you should have that authentication "passed down" to all 
applications that run under Apache.

That is where the real difficulty arises.

Apache must store that authenticated user-id, in some place(s) where 
each individual application can get it. That depends on the individual 
capabilities of each application, to access this in some commonly-agreed 
place(s).


One such place, accessible to cgi-bin type applications, is the 
REMOTE_USER environment value, which Apache will automatically set up if 
the user is known to Apache.


Another such place is the internal Apache request record's user-id 
field.  That is certainly accessible to applications written as Apache 
add-on modules, but it would not be as easily accessible to, for 
example, a cgi-bin program written as a shell script.


Another way would be that the Apache authentication module adds a custom 
HTTP header to each request, containing the user-id, before passing on 
the request to an application. (Since it is internal to Apache, there 
would be no security issue involved).  But it depends on the capability 
of the application to obtain the content of this specific HTTP header of 
the request.


The above by the way applies to any authentication and SSO scheme, 
whether they are free or commercial.


So now when each application gets called, it can (theoretically) obtain 
the authenticated user-id of the caller.
Now it is up to the application to do the "authorization" bit, which is 
to decide, in function of this already-verified user-id, what 
functionalities of the application this user gets access to, if any.






(*) One trivial example is if the user first hits another application, 
before accessing the one that is supposed to do the authentication.






Re: [us...@httpd] Mixing rewrite with authn_dbd: Rewriting based on path value stored in mysql table

2009-05-12 Thread Roman Medina-Heigl Hernandez
Bob Ionescu wrote:
> 2009/5/11 Roman Medina-Heigl Hernandez :
>> Bob Ionescu wrote:
>>> 2009/3/2 Roman Medina-Heigl Hernandez :
>>>> The problem is that you cannot have %{REMOTE_USER} as 2nd parameters in
>>>> RewriteCond, so I have no way for comparing it with $1
>>> -didn't read all-; but you can compare it with a regEx internal 
>>> backreference.
>>>
>>> RewriteBase /stats
>>> RewriteCond %{REMOTE_USER}<>$1 !^([^<]+)<>\1
>> Could you explain that, please? I didn't know that syntax...
> 
> You're capturing a value with ^([^<]+), that is according to our test
> string the value of %{REMOTE_USER} followed by the two characters <>
> as a unique separator followed by the (previous) match of ([^<]+)
> which matches against the value of $1.
> 
> E.g. if the remote_user is foo, the regEx will match against a test string of
> foo<>foo
> 
> Just take a look at the manpage of PCRE, http://www.pcre.org/pcre.txt section
> BACK REFERENCES
>Outside a character class, a backslash followed by a digit greater than

I knew about (and have extensively used) back references in PCRE but
thought the "<>" in RewriteCond's first arg could have a special meaning. I
didn't happen to figure out that you were simply "translating" the REMOTE_USER
var to the second arg, using <> as separator. Nice trick!!

Anyway, I've fixed a bit by adding a slash character after REMOTE USER like
this:
RewriteCond %{REMOTE_USER}/<>$1 !^([^<]+)<>\1
(in order to avoid the bypass of the rewrite when you have authenticated as
"user" and the intruder is hacking/building URLs as "userrr").

>>> RewriteRule ^/clientes/(.*) /stats/%{REMOTE_USER}/stats/http/$1 [L]
>> Why did you remove PT and use L?
> 
> PT has no special effect in per-directory context (rewrite rules used
> inside / containers, .htaccess files etc.). In
> fact mod_rewrite will add passthrough: to the result of your
> substitution, stop the processing of following rules in that set and
> remove passthrough: later w/o doing sthg. special. L will only stop
> the rewrite of the current set. I.e. the result is the same.

I removed [L] (is it a good practice to keep it? if not, I don't see the
need to keep it) and added additional protection so the user could only
visit the desired (stats/http) directory (in order to avoid the user
including its own username in the url and reaching other directories in its
home).

My final solution is:

RewriteBase /stats
RewriteCond %{REMOTE_USER}/<>$1 !^([^<]+)<>\1
RewriteRule ^/clientes/(.*) /stats/%{REMOTE_USER}/stats/http/$1

RewriteCond $1 !^[^/]+/stats/http/
RewriteRule ^/clientes/(.*) hacking_attempt [F]


The alternative (adding L) is:

RewriteBase /stats
RewriteCond %{REMOTE_USER}/<>$1 !^([^<]+)<>\1
RewriteRule ^/clientes/(.*)
/stats/%{REMOTE_USER}/stats/http/$1 [L]

RewriteCond $1 !^[^/]+/stats/http/
RewriteRule ^/clientes/(.*) hacking_attempt [F,L]

But I see no real difference between both solutions. Am I right?

Cheers,
-Roman
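The test-string trick Bob describes and the trailing slash Roman added, modelled in Python as an added example (this is not code from the thread or from mod_rewrite itself): it runs the two-rule set against constructed request URIs and shows that without the slash an authenticated "user" can reach "userrr"'s directory, while with it the request is rewritten back into the user's own tree.

```python
import re

# Added example, not from the thread: a Python model of the two mod_rewrite
# rules discussed above. Python's re module handles the PCRE syntax used here
# (character classes and the \1 backreference) the same way.


def rewrite_cond_holds(remote_user: str, captured: str, with_slash: bool) -> bool:
    r"""Model of:  RewriteCond %{REMOTE_USER}/<>$1 !^([^<]+)<>\1

    The test string is REMOTE_USER (plus "/" in Roman's fixed version), the
    separator "<>", then $1. The pattern captures everything before "<>" and
    requires that same text to reappear right after it, i.e. $1 must start
    with REMOTE_USER. The leading "!" negates it, so the rule fires when $1
    does NOT start with the user's own name."""
    test_string = f"{remote_user}{'/' if with_slash else ''}<>{captured}"
    matched = re.match(r"^([^<]+)<>\1", test_string) is not None
    return not matched


def apply_rules(remote_user: str, uri: str, with_slash: bool = True) -> str:
    """Run the rule set against one request URI and return the outcome:
    the substituted path, "FORBIDDEN" for the [F] rule, or the URI unchanged."""
    m = re.match(r"^/clientes/(.*)", uri)
    if m is None:
        return uri  # neither rule matches outside /clientes/
    captured = m.group(1)  # this is $1 in the thread's rules

    # Rule 1: RewriteRule ^/clientes/(.*) /stats/%{REMOTE_USER}/stats/http/$1
    if rewrite_cond_holds(remote_user, captured, with_slash):
        return f"/stats/{remote_user}/stats/http/{captured}"
    # After a substitution the URI no longer starts with /clientes/, so rule 2
    # could not match anyway; that is why adding [L] changes nothing, as Bob says.

    # Rule 2: RewriteCond $1 !^[^/]+/stats/http/
    #         RewriteRule ^/clientes/(.*) hacking_attempt [F]
    if re.match(r"^[^/]+/stats/http/", captured) is None:
        return "FORBIDDEN"
    return uri


if __name__ == "__main__":
    # Constructed sample requests for an authenticated REMOTE_USER of "user".
    cases = [
        ("/clientes/report.html", True),
        ("/clientes/user/stats/http/index.html", True),
        ("/clientes/user/private/notes.txt", True),
        ("/clientes/userrr/stats/http/index.html", False),  # no "/": bypass
        ("/clientes/userrr/stats/http/index.html", True),   # with "/": contained
    ]
    for uri, with_slash in cases:
        label = "slash" if with_slash else "no slash"
        print(f"{label:8} {uri:42} -> {apply_rules('user', uri, with_slash)}")
```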




Re: [us...@httpd] authentication question

2009-05-12 Thread Peter Schober
Ross et al.,

I'm not sure I understand the actual question at hand -- you have (or
want to write) a Smalltalk-based application that runs in its own
webserver, and proxy to that with httpd?  Where is the SVN access
happening? From the Smalltalk app? From httpd?
Is this SVN-webapp something like ViewCV or Trac? Is it under your
control (source available, permission to modify)? COST or homegrown?

Find a few generally off-topic remarks below ;)

* Ross Boylan  [2009-05-12 04:35]:
> Well, I don't even know how to do that step, though the reference to
> mod-cas by Nick Owen may be a clue.

Academic organisations should definitely look into running
Shibboleth (mod_shib in httpd, but there's a fastcgi responder as well
as a M$-IIS ISAPI filter, for those less lucky) as campus web SSO
system, since it also does federated websso (via SAML2).

Chances are you'll need this anyway (for access to library resources
or outsourced student services), sooner or later. Depending on your
university's structure central IT might already offer this service,
and you could even federate internally (if campus IT runs their own
IdM systems).

> > Your problem will be to make the various applications running under 
> > Apache aware of the single sign-on.

This is indeed as much an art as a science. Every self-respecting
application has its own user store, authentication mechanism, login
form, session mechanism, etc. (which is understandable, since it can't
expect everyone to have the necessary parts already in place).

So each and every application needs to be modified to rely on
externally provided authentication (preferably via relying on
REMOTE_USER already being set by some mod_*), refrain from insisting
to collect username+password itself (and impersonate the user to other
services with them that way), possibly even "outsourcing" its session
management (also take into account terminating those several
different sessions, one for the SSO system, one for the application,
with different timeouts, idle timeouts and consequences for the user
experience.)

Still, there's no way around that. Letting every app in your
environment collect username+password itself just has too many
security implications, as well as teaching users it's OK to enter
their credentials in just about any webpage; instead of just one,
where it's reasonable to check the URL and SSL "lock" icon.

> It's not written!  But the natural way it works is to have a login page.
> After login, the id is saved on the server and associated with the
> session (using the Seaside framework).

First thing that'd need to go is the login page (see above) ;)
Looking at Seaside it seems this comes with its own VM and webserver,
so you'd need to reverse proxy to this from httpd and do all the authN
and authZ there. Which is fine, but you won't get REMOTE_USER to your
Seaside app via mod_proxy_http (as you would via AJP), also envvars
won't help, which leaves HTTP request headers (which are easily
spoofed, so would need to be cleaned by httpd before proxying to
Smalltalk).

> Funding cuts also seem likely to delay rollout of the single signon,
> even if we wanted to use it.

There are several Free Software offerings, some of which are rather
easy to set up and maintain[1] if you have the IdM infrastructure in
place (directory service or database with up to date data/accounts for
your population, a way to authenticate all users).

Check out http://www.nmi-edit.org/started/index.cfm or EDUCAUSE and
related Internet2 activities (e.g. "CAMP" workshops).

cheers,
-peter

[1] simpleSAMLphp is almost trivial and also does SAML2-based WebSSO,
Shibboleth is a more complete implementation. For intra-campus
there's Pubcookie, Cosign, CAS, etc.

-- 
peter.scho...@univie.ac.at - vienna university computer center
Universitaetsstrasse 7, A-1010 Wien, Austria/Europe
Tel. +43-1-4277-14155, Fax. +43-1-4277-9140
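Peter's point that an identity carried in a request header is easily spoofed, as an added example (not code from the thread or from httpd): a Python model of the proxy's forwarding step, comparing forwarding that merely appends httpd's identity header with forwarding that first strips every client-supplied copy. The header name X-Remote-User and the back-end's first-match lookup are assumptions made for the example.

```python
# Added example, not from the thread: a model of the header handling httpd
# must do before reverse-proxying to a backend such as the Seaside app.
# Headers are kept as (name, value) pairs because HTTP allows repeats, and
# names are compared case-insensitively because HTTP header names are.

# Hypothetical header name chosen for this example; the thread names none.
IDENTITY_HEADER = "X-Remote-User"


def _is_identity(name: str) -> bool:
    return name.lower() == IDENTITY_HEADER.lower()


def forward_naive(client_headers, remote_user):
    """Forward the client's headers untouched and append httpd's own identity
    header when mod_auth* authenticated the request (like 'RequestHeader add').
    A client-supplied copy survives, so the backend may read the client's
    value before httpd's."""
    forwarded = list(client_headers)
    if remote_user:
        forwarded.append((IDENTITY_HEADER, remote_user))
    return forwarded


def forward_cleaned(client_headers, remote_user):
    """Drop every client-supplied copy of the identity header, whatever its
    letter case, then set exactly one copy from httpd's REMOTE_USER. Without an
    authenticated user the header is absent, never empty or client-controlled."""
    forwarded = [(n, v) for n, v in client_headers if not _is_identity(n)]
    if remote_user:
        forwarded.append((IDENTITY_HEADER, remote_user))
    return forwarded


def backend_identity(headers):
    """What a backend that trusts the proxy typically does: take the first
    matching header, or None when the request is anonymous."""
    for name, value in headers:
        if _is_identity(name):
            return value
    return None


if __name__ == "__main__":
    # Constructed request: the client pre-sets the identity header, in
    # lower case, which an exact-name filter at the proxy would miss.
    spoofing_client = [("Host", "svn.example.test"), ("x-remote-user", "admin")]
    print("naive   :", backend_identity(forward_naive(spoofing_client, "ross")))
    print("cleaned :", backend_identity(forward_cleaned(spoofing_client, "ross")))
    print("anon    :", backend_identity(forward_cleaned(spoofing_client, None)))
```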




Re: [us...@httpd] authentication question

2009-05-12 Thread Marc Patermann

Hi,

Ross Boylan wrote:

> Suppose I have apache running in front of a web application and
> subversion.

I don't use svn, but I think it is (in apache) somehow related to
WebDAV, which we use.

> I am thinking of a scenario in which the web application provides a
> login page.  However, the user may also browse to web pages served by
> subversion.
>
> Is there a way that my app can have someone log in and then pass the
> identity and authentication "up" to apache?  In particular, I'd want
> this authentication used if the user browsed over to the subversion
> repository.
>
> I'm assuming a common source, e.g., LDAP, will provide user and password
> information that is the same for my app and apache.

We have Mediawiki and WebDAV on the same server.
Users start at a portal entry page. All sites use apache basic
authentication with ldap.

Mediawiki uses the Auth_remoteuser extension.
After one login users can use the wiki (PHP application) and WebDAV
(apache module) seamlessly.



Marc
