[users@httpd] Client certificate authentication against (Open)LDAP server
OS: Debian 10.7
Apache HTTPD: 2.4.38 (from standard repo)

Dear all, my setup is as follows: the above mentioned Apache connecting to OpenLDAP. User basic authentication (username/password) already works (against the LDAP inetOrgPerson structure).

What I would like to achieve is to have user certificates in the inetOrgPerson -> userCertificate attribute, and the users would have to authenticate against that by presenting the corresponding private key. Like one would do by:

    curl -u test_01 --key priv.key https://test.com

2 questions:
1. Is the above possible to achieve by any configuration/module, or do I have to try to code this?
2. If the above is true, I suspect I still need the username to be provided by the user, right? (It would be like username/password authentication, but instead of a password the user would provide a private key.)

Thanks in advance
[users@httpd] APR util slotmem errors.
Quick question: how does APR use the shm segments, and why does it give a slotmem error if we use mod_proxy with several balancer name calls and multiple Apache server hosts on a single dev box? I am really trying to understand how the code segment below works (the shm.c file call):

    #if APR_USE_SHMEM_SHMGET
    static key_t our_ftok(const char *filename)
    {
        /* to help avoid collisions while still using
         * an easily recreated proj_id */
        apr_ssize_t slen = strlen(filename);
        return ftok(filename,
                    (int)apr_hashfunc_default(filename, &slen));
    }
    #endif

    APR_PERMS_SET_IMPLEMENT(shm)
    {
    #if APR_USE_SHMEM_SHMGET || APR_USE_SHMEM_SHMGET_ANON
        struct shmid_ds shmbuf;
        int shmid;
        apr_shm_t *m = (apr_shm_t *)theshm;

        if ((shmid = shmget(m->shmkey, 0, SHM_R | SHM_W)) == -1) {
            return errno;
        }
        shmbuf.shm_perm.uid = uid;
        shmbuf.shm_perm.gid = gid;
        shmbuf.shm_perm.mode = apr_unix_perms2mode(perms);
        if (shmctl(shmid, IPC_SET, &shmbuf) == -1) {
            return errno;
        }
        return APR_SUCCESS;
    #else
        return APR_ENOTIMPL;
    #endif
    }
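An added example (not APR's code, and not part of the thread) that mirrors what our_ftok() computes, so the SysV keys several slotmem files would receive can be compared. It assumes glibc's ftok() layout (low 8 bits of proj_id, low 8 bits of st_dev, low 16 bits of st_ino); the sample names and dev/inode numbers are constructed.

```python
import os

# Added example, not APR's own code: mirrors what our_ftok() in shm.c
# computes so the SysV keys of several slotmem files can be compared.
# Assumption: glibc's ftok() layout, key = proj_id[7:0] << 24
#   | st_dev[7:0] << 16 | st_ino[15:0]; other libcs may differ.


def apr_hash_times33(data: bytes) -> int:
    """apr_hashfunc_default(): h = h*33 + byte over the key, unsigned 32-bit, seed 0."""
    h = 0
    for b in data:
        h = (h * 33 + b) & 0xFFFFFFFF
    return h


def ftok_key(st_dev: int, st_ino: int, proj_id: int) -> int:
    """glibc ftok() composition: only the low 8 bits of proj_id survive."""
    return ((proj_id & 0xFF) << 24) | ((st_dev & 0xFF) << 16) | (st_ino & 0xFFFF)


def our_ftok_key(filename: str, st_dev: int, st_ino: int) -> int:
    """What our_ftok(filename) yields for a file living at dev/inode."""
    return ftok_key(st_dev, st_ino, apr_hash_times33(filename.encode()))


def our_ftok(filename: str) -> int:
    """our_ftok() against a real path: stat it, as ftok() does."""
    st = os.stat(filename)
    return our_ftok_key(filename, st.st_dev, st.st_ino)


def colliding_entries(entries) -> dict:
    """Group (name, st_dev, st_ino) tuples whose derived keys coincide.

    Two names collide when their hashes agree in the low byte and the
    files agree in st_dev's low byte and st_ino's low 16 bits.
    """
    by_key = {}
    for name, dev, ino in entries:
        by_key.setdefault(our_ftok_key(name, dev, ino), []).append(name)
    return {k: v for k, v in by_key.items() if len(v) > 1}


if __name__ == "__main__":
    # Constructed sample: "a" and "d}" hash to the same low byte (0x61) and
    # the inodes differ by 65536, so ftok() cannot tell them apart.
    print(colliding_entries([("a", 8, 5), ("d}", 8, 65541), ("ab", 8, 5)]))
```

Running our_ftok() over the real slotmem file names of every httpd instance on the box shows directly whether two instances end up on the same key.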
Re: [users@httpd] APR_USE_SHMEM_SHMGET 0-1 option.
Thanks Yann.

On Fri, Dec 11, 2020, 11:44 AM Yann Ylavic wrote:
> On Fri, Dec 11, 2020 at 5:10 PM Wendell Hatcher wrote:
> >
> > Hi All, quick question. The APR_USE_SHMEM_SHMGET defined option within the shm.c file, what does it do exactly, and can we set the option to 0 or 1? What would setting the option to those values affect?
>
> It's defined (in lib APR) by the ./configure script (autoconf) based on its availability, and is the default on unix(es) systems (where IPC SysV shared memories are usually/always implemented).
>
> This can't be defined explicitly (./configure will overwrite it) but it's possible to select the POSIX semaphores mechanism instead with "./configure --enable-posix-shm ...", which is usually a good alternative "suffering" less from system limits than IPC SysV, since limits are then the filesystem's maximum number of inodes (as opposed to SysV's kernel.sem=... settings).
>
> Regards;
> Yann.
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] APR_USE_SHMEM_SHMGET 0-1 option.
On Fri, Dec 11, 2020 at 5:43 PM Yann Ylavic wrote:
>
> On Fri, Dec 11, 2020 at 5:10 PM Wendell Hatcher wrote:
> >
> > Hi All, quick question. The APR_USE_SHMEM_SHMGET defined option within the shm.c file, what does it do exactly, and can we set the option to 0 or 1? What would setting the option to those values affect?
>
> It's defined (in lib APR) by the ./configure script (autoconf) based on its availability, and is the default on unix(es) systems (where IPC SysV shared memories are usually/always implemented).
>
> This can't be defined explicitly (./configure will overwrite it) but it's possible to select the POSIX semaphores mechanism instead with "./configure --enable-posix-shm ...", which is usually a good alternative "suffering" less from system limits than IPC SysV, since limits are then the filesystem's maximum number of inodes (as opposed to SysV's kernel.sem=... settings).

s/kernel.sem/kernel.shm*/ for SHMs obviously ;)

>
> Regards;
> Yann.
Re: [users@httpd] APR_USE_SHMEM_SHMGET 0-1 option.
On Fri, Dec 11, 2020 at 5:10 PM Wendell Hatcher wrote:
>
> Hi All, quick question. The APR_USE_SHMEM_SHMGET defined option within the shm.c file, what does it do exactly, and can we set the option to 0 or 1? What would setting the option to those values affect?

It's defined (in lib APR) by the ./configure script (autoconf) based on its availability, and is the default on unix(es) systems (where IPC SysV shared memories are usually/always implemented).

This can't be defined explicitly (./configure will overwrite it) but it's possible to select the POSIX semaphores mechanism instead with "./configure --enable-posix-shm ...", which is usually a good alternative "suffering" less from system limits than IPC SysV, since limits are then the filesystem's maximum number of inodes (as opposed to SysV's kernel.sem=... settings).

Regards;
Yann.
[users@httpd] APR_USE_SHMEM_SHMGET 0-1 option.
Hi All, quick question. The APR_USE_SHMEM_SHMGET defined option within the shm.c file, what does it do exactly, and can we set the option to 0 or 1? What would setting the option to those values affect?

-Wendell
Re: [users@httpd] some questions to mod_rewrite
On Fri, Dec 11, 2020 at 10:06 AM Lentes, Bernd wrote:
>
> On Dec 9, 2020, at 6:02 PM, Eric Covener cove...@gmail.com wrote:
>
> Hi Eric,
>
> thanks for your answer.
> Now I'm struggling with RewriteRule ^(?:build|tests|config|lib|3rdparty|templates)/.* - [R=404,L]
>
> Most is clear. The content of the parentheses () like build, tests .. is or-conjuncted by the pipe |, so only one of the patterns must appear.
> But what is ?: ?

It makes the () "non-capturing", meaning if you had other () sequences this or-conjunction would not eat up $1. In the case above it is unnecessary since there is no other capture.

> The question mark normally is a repeater for the prior character. But there is no one.
> And wherefore is the colon ?

It's a special case when following "(". It allows the matching/capturing to be customized a few different ways (man pcresyntax has a concise list of the flags that follow "(?").

> I gave https://perldoc.perl.org/perlre#Metacharacters a chance. It seems the ?: says that a match for (build|tests|config|lib|3rdparty|templates) can't be used as a backreference. Right ? Where is the purpose of that ?

Yes, just to avoid eating up $1. But some people do it out of habit when they use () just to group "|".

> in my error_log with setting "LogLevel info rewrite:trace2":
> [Fri Dec 11 15:44:50.666869 2020] [rewrite:trace1] [pid 3408] mod_rewrite.c(483): [client 146.107.126.166:57329] 146.107.126.166 - - [nc-mcd.helmholtz-muenchen.de/sid#7f9158e4f700][rid#7f9155a2a0a0/initial] [perdir /var/www/nextcloud/] pass through /var/www/nextcloud/
>
> What is sid and rid ?

Server (vhost) id and request id, I believe. Usually not so useful. The /initial meant it's not a "subrequest" (a way Apache modules sometimes make an internal request related to the real request to probe for things).
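As an added illustration (not from the thread), the rule Bernd quoted run through Python's re module, which uses the same (?:...) syntax as PCRE, beside a capturing variant so the effect on $1 is visible. The sample paths are constructed and assume per-directory context, where mod_rewrite matches the path relative to the directory (the trace shows [perdir /var/www/nextcloud/]).

```python
import re

# The RewriteRule pattern quoted in the thread, plus two variants that
# differ only in capturing, to show what "?:" changes for $1/$2.
RULE = r"^(?:build|tests|config|lib|3rdparty|templates)/.*"
RULE_CAPTURING_GROUP = r"^(build|tests|config|lib|3rdparty|templates)/(.*)"
RULE_NONCAPTURING_GROUP = r"^(?:build|tests|config|lib|3rdparty|templates)/(.*)"


def rule_blocks(path: str) -> bool:
    """True when the quoted rule (... - [R=404,L]) fires for this path.

    Per-directory context: the path is relative to the directory, so the
    pattern sees "config/config.php", not "/var/www/nextcloud/config/...".
    """
    return re.match(RULE, path) is not None


def backrefs(pattern: str, path: str):
    """What $1, $2, ... would hold after a match; None when it does not match."""
    m = re.match(pattern, path)
    return m.groups() if m else None


if __name__ == "__main__":
    # Constructed paths: the group is the same in both variants, but only
    # the capturing one makes it occupy $1 and pushes the tail into $2.
    for p in ("config/config.php", "lib/private/a.php", "index.php", "library/x"):
        print(p, rule_blocks(p), backrefs(RULE_CAPTURING_GROUP, p),
              backrefs(RULE_NONCAPTURING_GROUP, p))
```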
Re: [users@httpd] some questions to mod_rewrite
On Dec 9, 2020, at 6:02 PM, Eric Covener cove...@gmail.com wrote:

Hi Eric,

thanks for your answer. Now I'm struggling with

    RewriteRule ^(?:build|tests|config|lib|3rdparty|templates)/.* - [R=404,L]

Most is clear. The content of the parentheses () like build, tests .. is or-conjuncted by the pipe |, so only one of the patterns must appear. But what is ?: ? The question mark normally is a repeater for the prior character. But there is no one. And wherefore is the colon? I gave https://perldoc.perl.org/perlre#Metacharacters a chance. It seems the ?: says that a match for (build|tests|config|lib|3rdparty|templates) can't be used as a backreference. Right? Where is the purpose of that?

In my error_log with setting "LogLevel info rewrite:trace2":

    [Fri Dec 11 15:44:50.666869 2020] [rewrite:trace1] [pid 3408] mod_rewrite.c(483): [client 146.107.126.166:57329] 146.107.126.166 - - [nc-mcd.helmholtz-muenchen.de/sid#7f9158e4f700][rid#7f9155a2a0a0/initial] [perdir /var/www/nextcloud/] pass through /var/www/nextcloud/

What is sid and rid?

Thanks.

Bernd
Helmholtz Zentrum München
[users@httpd] mpm_winnt, websockets and restarts: increasing number of (blocked?) threads
Hi,

Short version: I use httpd on Windows as a reverse proxy for a microservice system. Some services communicate over websockets (more precisely: SignalR). From time to time I have to restart the server in order to read a new configuration. I observe an increasing number of threads blocked by the SignalR connections. It's a matter of time until the server completely freezes because no threads are available for other requests.

Details: I reduced my system as much as possible. I end up with two microservices, A and B. A has a SignalR hub. Both A and B subscribe to the events of this hub. Thus, there should be two connections.

Now the experiment:

1. Start the two microservices: They repeatedly try to connect, but fail. This is expected, because they are configured to connect via the reverse proxy and httpd is not running yet.

2. Start httpd (Windows Service): As expected, both services establish their connection, confirmed by the service logs and mod_status showing 2 connections.

3. Restart httpd: In the real world, I call httpd.exe -n "ServiceName" -k restart programmatically. For this experiment, I call it from PowerShell. What happens?
   3a. The parent starts a new child and hands over 2 sockets, see error.log on Pastebin.
   3b. The parent needs to stop the old child. The old child cannot stop because of the open connections. The old child waits a grace period of 30s, then it terminates the 2 threads. My services log that their connection was disconnected and attempt to reconnect. At this moment, 2 more connections appear in mod_status. However, I don't see any socket handover in error.log.

4. Repeat the httpd restart.
   4a. The parent starts a new child and hands over 2 sockets, see error.log. It's still 2 sockets, although I saw 4 connections in mod_status in the previous step.
   4b. The parent shuts down the old child. This time, there is no grace period, but 18(!) threads that failed to exit are terminated, see error.log. Both services log disconnect and reconnect. However, no additional connections appear in mod_status, it remains 4.

When I repeat restarting httpd, most of the time the same happens as described in step 4. The only difference is a changing number of "threads that failed to exit". But sometimes, additional connections appear in mod_status. I can't reproduce this on purpose. I suspect a race condition between how fast the old child is shut down, the new one is started and my services trying to reconnect, but I don't know the httpd source code.

To get my job done, I need to know: What can I do to avoid eventually blocking the server? Out of curiosity, I also would like to know what exactly happens, how the SignalR connections are handed over to the next child, and why the first restart works differently than the other restarts. I appreciate any hint!

Some more information about server and configuration:

Version: 2.4.41

Some config snippets:

    # handy for debugging, not in production
    ThreadsPerChild 20

    RewriteEngine On
    RewriteCond %{HTTP:Upgrade} websocket [NC]
    RewriteCond %{HTTP:Connection} upgrade [NC]
    RewriteRule "^/my/microservice" "wss://hostname:53728%{REQUEST_URI}" [P]

    ProxyPass /my/microservice https://hostname:53728/my/microservice
    ProxyPassReverse /my/microservice https://hostname:53728/my/microservice

Link to error.log on Pastebin: https://pastebin.com/7a7B0bLb