William A. Rowe, Jr. wrote:
No, please move it first. This creates four communities (proxy, pop, mbox,
and ldap) that all share a desire to get this resolved. A fifth is likely
on it's way - there are users in some parts of the world that cannot *legally*
download or checkout httpd without
Ryan Bloom wrote:
No. That is where we started from. Graham sent a large patch that did all
of this, but a lot of it didn't really belong in APR or APR-util, because
it had nothing to do with portability.
Well, it did have a portability function in that it smoothed out
differences between
sterling wrote:
Well, it did have a portability function in that it smoothed out
differences between various LDAP libraries (openldap/netscape/iplanet)
rather than various platforms (unix/nt/etc).
what differences are smoothed out? maybe i'm looking in the wrong place,
but i don't see
Sterling Hughes wrote:
I'm developing a module (httpd2.0) and I've come across a situation
where it would be great if I could cache an operation, by saving a
variable in memory, and keep it there throughout requests, ie:
Take a look inside the code inside
Hi all,
Someone mentioned a patch they had that added a require owner
directive to authenticate a user. Was this patch posted anywhere?
Regards,
Graham
--
-
[EMAIL PROTECTED]There's a moon
over
Ryan Bloom wrote:
If you use a pre-processor, then you can make a sane decision. If the LDAP
server isn't responding, don't tell Apache to restart. If you get half-way through
updating the config file on disk, don't try to restart Apache. If you mix the two,
you open yourself up to more
Hi all,
Part two in the grand LDAP plan is to support the storing of
configuration data in an LDAP directory, somewhat along the lines of
what has been achieved with qmail+ldap+control. This allows multiple
machines (probably in a redundant configuration) to derive their config
from a common
Ryan Bloom wrote:
This has been discussed before, and was the original goal for the
configuration tree approach.
Ok.
The decision in the past has always been
that Apache config files are stored text files. If you want to store them
somewhere else, then create a pre-processor to grab the
Aaron Bannert wrote:
The attack is the same, but the result is different. Named virtual hosts
only really affect how the client contacts the server, and everything
else happens in HTTP (in the Host: header). You can not prevent someone
from altering their own DNS entries maliciously. OTOH,
Ryan Bloom wrote:
This has been discussed before, and was the original goal for the
configuration tree approach. The decision in the past has always been
that Apache config files are stored text files. If you want to store them
somewhere else, then create a pre-processor to grab the config
Hi,
This is the first module to use the LDAP functionality: mod_auth_ldap.
The module allows users to be authenticated against an LDAP database,
and then authorised against various require directives, including LDAP
group membership.
The file lives in the following directory:
Tarun Upadhyay wrote:
however, the only stumbling block on that road is that typically a SOAP call
will be made from inside a program (and not from a human-oriented interface)
so I don't know if I all authentication modules will make sense. But I guess
we can live with that.
Well - Apache
Yulya Blyakh wrote:
telnet www.ukrbiz.net 80
..
GET / HTTP/1.0
HTTP/1.1 400 Bad Request
In response, I get 400 error, and it seems that APACHE doesn't know how to
process my inquiry.
Apache is giving you the correct response to this request.
GET / HTTP/1.0
Host: www.ukrbiz.net
Tarun Upadhyay wrote:
Our basic design allows the use of another module (say mod_auth or
something else) to authenticate users but through an access file, we
authorize users to connect to particular web-service or its methods.
We want the user to be able to authorize users at either top,
Peter J. Cranstone wrote:
To garner more acceptance of Apache 2.0 it would probably be smart to
run some sample test configs of 1.3.x vs. 2.x and publish the actual
performance metrics.
It's now a marketing job to convince people that the new features are
worth moving to. The real key is
Hi all,
Here is the other half of the LDAP authentication capability for Apache
v2.0 - mod_auth_ldap. It is designed to work with the LDAP extensions to
apr-util posted in the APR developers list.
Enable the module with --with-ldap --enable-auth-ldap.
The module works for me, but still needs a
Hi all,
The CVS problems seem to be related to the /tmp directory on icarus
being writable only by root:
drwxr-xr-x 2 root wheel 512 Jul 31 15:26 tmp
Can someone fix this?
Regards,
Graham
--
-
[EMAIL PROTECTED]There's a moon
Hi all,
I am having a very odd problem with Apache v1.3.19. I have a single
virtualhost configured for a specific website with a specific ServerName
specified. I have a second general virtualhost configured as a
catchall that points to the default Apache page.
For some odd reason that I cannot
Hi all,
A project that I have been meaning to get started for a while is to add
LDAP support to Apache v2.0. The stuff I have in mind are:
- Authentication against an LDAP server (a number of modules already
exist to do this for v1.3)
- Configuration information stored in an LDAP server (for
sterling wrote:
reset_filters always removed all filters (including TLS). This is a
problem in general - I think the only reason the filters are all removed
on error is to prevent infinite recursion (in the case where the error
came from one of the filters). Optimally, if I add a filter,
[EMAIL PROTECTED] wrote:
Return to whom? Clearly if you remove the TLS filter, it won't be the
user!
Yep, right now TLS is broken. I don't have a great idea for how to fix it
though. :-(
Have reset_filters() not remove the TLS filter if it is there?
Regards,
Graham
--
Thomas Eibner wrote:
I would have liked for a better way to turn off keepalive for the last
request of the child, than just terminating it, but I couldn't find a way
to turn off keepalive before the headers were sent and ap_process_request
was called.
If I understand you right then this is
[EMAIL PROTECTED] wrote:
Fix the reset_filters function. If we set r-output_filters to NULL,
then we also have to reset the connection's filters.
Submitted by: John Sterling [EMAIL PROTECTED]
Will this not break if there is a TLS filter hanging around? This will
make the TLS filter go
[EMAIL PROTECTED] wrote:
This could be made MUCH simpler by just changing reset_filters to:
void reset_filters(r)
{
ap_filter_t *f = r-output_filters;
int has_core = 0, has_content = 0, has_http_header = 0;
while (f) {
ap_filter_t *f2 = f-next;
[EMAIL PROTECTED] wrote:
void reset_filters(r)
{
ap_filter_t *f = r-output_filters;
int has_core = 0, has_content = 0, has_http_header = 0;
while (f) {
ap_filter_t *f2 = f-next;
ap_remove_filter(f);
f = f2;
}
sterling wrote:
Since there needs to be some design work to figure out the best place to
insert the header filters, i suggest we backout the change that inserts
them in the 'insert filters' phase -
here is a patch for it, in case you don't want to just undo the original
commit:
This
sterling wrote:
Since there needs to be some design work to figure out the best place to
insert the header filters, i suggest we backout the change that inserts
them in the 'insert filters' phase -
The HTTP_HEADER filter needs to be inserted last - any filter that ends
up being run after the
sterling wrote:
After debugging the problem that doug brought up (headers are not getting
sent out when there is an error) I noticed that the HTTP_HEADER filter is
now added in the insert filters phase, which is too late because if there
is an error in anything from auth to fixups the header
sterling wrote:
What do you mean by HEADERS phase? I guess I don't know enough about the
ordering requirements of the filters.
The AP_FTYPE_HTTP_HEADERS phase (sorry - I shortened it).
What i did to temporarily fix the problem in my tree was add the
add_output_filter(HTTP_HEADER...) et.
Greg Stein wrote:
I posted a patch to fix this.
Moving the insertion of those filters to the insert_filters hook is the
right thing to do! Don't get me wrong.
Cool - I'll commit the change later tonight when I have some time...
I was trying to point out that we've got a lot of
Ian Holsman wrote:
what about the case where you need to change the header based on a environment
variable set in mod_include before the request to the proxy.
eg..
..
!--#set foo=bar--
!--#include virtual file=/proxycall --
!--#set foo=bar2--
!--#include virtual file=/proxycall --
Roy T. Fielding wrote:
I fixed it.
Cool - thanks. Just fixed the docs.
Regards,
Graham
--
-
[EMAIL PROTECTED]There's a moon
over Bourbon Street
[EMAIL PROTECTED] wrote:
So the question is - which hook should be called to fiddle with the
headers after the content generator runs, but before the headers are
sent to the network, whether a body exists or not...?
You are using the wrong kind of output filter. Take a look at how
Ian Holsman wrote:
What I need to do with mod-proxy is have a method of communicating
server notes set from mod-include (or wherever) into the request header
going to the application server, and also setting notes based on the proxy
response.
From the mod_headers experience the correct
[EMAIL PROTECTED] wrote:
How about a new hook for adding AP_FTYPE_HTTP_HEADER filters?
IMO, this should be fixed by adding the three filters above in a
core_insert_filter phase. Then, mod_headers can easily be run before the
core's insert_fitler phase. Problem solved.
The attached
[EMAIL PROTECTED] wrote:
How about a new hook for adding AP_FTYPE_HTTP_HEADER filters?
IMO, this should be fixed by adding the three filters above in a
core_insert_filter phase. Then, mod_headers can easily be run before the
core's insert_fitler phase. Problem solved.
Trouble is -
[EMAIL PROTECTED] wrote:
How about a new hook for adding AP_FTYPE_HTTP_HEADER filters?
IMO, this should be fixed by adding the three filters above in a
core_insert_filter phase. Then, mod_headers can easily be run before the
core's insert_fitler phase. Problem solved.
The attached
Graham Leggett wrote:
The output filters should *always* run, if at least to send an EOS bucket.
That EOS is actually what triggers the delivery of the headers to the
network (or at least to the CORE filter for output buffering into the next
request).
So if you're not seeing output
Greg Stein wrote:
+ap_hook_insert_filter(ap_headers_insert_output_filter, NULL, NULL,
APR_HOOK_LAST);
+ap_hook_fixups(ap_headers_fixup, NULL, NULL, APR_HOOK_LAST);
+ap_register_output_filter(FIXUP_HEADERS_OUT, ap_headers_output_filter,
AP_FTYPE_CONTENT);
+}
Is
Hi all,
This patch updates the mod_headers docs in line with changes to the
headers module.
Regards,
Graham
--
-
[EMAIL PROTECTED]There's a moon
over Bourbon Street
Bill Stoddard wrote:
I think we have a good shot at a beta candidate. I plan to tag the tree
early this afternoon (ET) unless I hear objections.
Can we get a proxy in the beta?
Regards,
Graham
--
-
[EMAIL PROTECTED]There's a moon
[EMAIL PROTECTED] wrote:
Installing a filter that deals strictly with body data can be done during
the insert_filter phase. This is where output filters are commonly
inserted into the chain. Since this is always called before the handler
phase, we are alright.
This doesn't work - the
Bill Stoddard wrote:
This doesn't work - the filter is inserted, but it never runs.
Read Ryan's response carefully (and my earlier responses this AM). The
input filter can filter the request body (not headers).
When I say filter the headers I mean fiddle with the contents of
r-headers_in
[EMAIL PROTECTED] wrote:
If it isn't running, then try changing the filter type. The general
problem is how we order filters. I am 99.9% sure that the way we link
request_filters with connection_filters is just plain wrong, but I haven't
had time to really look at it yet. I would bet that
Bill Stoddard wrote:
http://dev.apache.org/dist
Looking for votes to declare this a beta.
Hmm - no proxy in there. :( Can it be added? If so - what needs to be
done to do it?
Regards,
Graham
--
-
[EMAIL PROTECTED]There's a moon
Greg Stein wrote:
Even better, the proxy guys should say okay. we have verified that our
stuff works with the 2.0.18 tarball, so let's release an apache+proxy
tarball.
Really yuck for the end user.
There should be just one archive out there. There is no point in
releasing an archive with A
[EMAIL PROTECTED] wrote:
This is backwards. Right now, APR and APR-util are still essentially a
part of the HTTP server. In reality, those projects are going to start
doing their own releases. We haven't solved this problem yet for the web
server. Making the proxy work like APR and
Cliff Woolley wrote:
The problem I see with this is that, as Ryan points out, the dependencies
are backwards for this analogy to work. httpd depends upon APR and
APR-util, and therefore httpd developers KNOW when the two of those
packages work, or at least work well enough for httpd's
[EMAIL PROTECTED] wrote:
So this filter doesn't need to do anything if there is not body data? If
there is no body data, then the filters will never be called.
...
The input filter needs to run after the headers are read in and put in
r-headers, but before the content generator runs.
Greg Stein wrote:
The output filters should *always* run, if at least to send an EOS bucket.
That EOS is actually what triggers the delivery of the headers to the
network (or at least to the CORE filter for output buffering into the next
request).
So if you're not seeing output filters
RCHAPACH Rochester wrote:
Sorry if this is sent twice. I'm not sure my previous post got sent out.
Is there a tarball somewhere with the Apache 2.0 proxy code?
Not that I know of - the latest version is available in CVS under the
name httpd-proxy. Simply copy the contents of
Hi all,
Here is a first stab at filterizing mod_headers. I've taken out the
Header directive, and replaced it with HeaderIn and HeaderOut.
HeaderOut seems to work OK, but HeaderIn doesn't - for some reason the
filter gets added with ap_add_input_filter(), but the filter itself
never runs. I've
Fabien Penso wrote:
So all the .php3 files are send to another apache which has PHP3
support. But the proxy request inside mod_rewrite doesn't use
proxy_add_forward and I don't see the original IP at all, which brings
trouble as the PHP3 then see my local IP as REMOTE_HOST...
Isn't the
Bill Stoddard wrote:
Would anyone mind if I started hacking at mod_headers for a bit? What
I'd like to do is turn it into a filter, and allow it to fiddle with
both incoming and outgoing headers
YES! I had this on my todo list as well and will gladly review whatever you
come up with.
Ian Holsman wrote:
is there a way to specify a incoming filter for a reverse
proxy request in the current config command structure?
we intend and doing something similliar to what kwindla's patch does,
but were going to ad header lines based on a prefix of notes in the notes table
(ie ..
Greg Stein wrote:
I need to ponder a bit on the exact form of (2), but I'm thinking this is
the point to merge HTTP_IN and DECHUNK (as we discussed at Hackathon); the
combined filter would also perform task (2).
The proxy_http module uses the DECHUNK filter - but only because it has
code to
[EMAIL PROTECTED] wrote:
Log:
Track Greg's change to byte count for input filters
Wasn't this change veto'ed? There was a problem about filters that alter
the length of the content going through them.
Regards,
Graham
--
-
[EMAIL PROTECTED]
[EMAIL PROTECTED] wrote:
Wasn't this change veto'ed? There was a problem about filters that alter
the length of the content going through them.
There was no official veto, I just explained why it won't work. :-)
So what will work...? ;)
Regards,
Graham
--
Greg Stein wrote:
Bleck. That is exactly what I was trying to say we *don't* do. That is just
adding a bunch of overhead onto the RM. Just as we got the RM's job all nice
and simple, this goes and monkeys it back up.
Ok, stepping back a bit - I am not making myself clear at all. What I'm
Chuck Murcko wrote:
1) tag releases of httpd subprojects intended for release with the
tagname
that httpd uses for the same release (simplifies CVS assembly of src)
2) packaged release drops go into a subdir named by the httpd release
they go
with; i.e., httpd, so
Hi all,
After the whole integrate-mod-proxy discussion died down, much was
suggested about a rolldown tree where the latest stable version of a
module was available when an RM wanted to make a release of Apache. This
would require two steps:
- the mod_proxy people (us) would need to create a
Rodent of Unusual Size wrote:
Current status follows, not much to add except for testing/fixing
continues...
Should I add this to my weekly automail of the various STATUS
files?
If you can, please :)
Regards,
Graham
--
-
[EMAIL PROTECTED]
Chris Pepper wrote:
The problem here is that that doesn't scale. If we have 3
almost-core modules, users get apache, apache+a, apache+b, or
apache+c -- the combo builds are useless if you want two or three
add-ons. I will probably just want SSL, but it doesn't seem wise to
assume
Greg Stein wrote:
In fact, jettisoning it from httpd is (IMO) the only reason that we've seen
*any* activity on it the past couple months.
Nope - the main reason is that for the last month or so I had made
arrangements to work on the proxy full time, something I was not able to
do before
[EMAIL PROTECTED] wrote:
+ * @param readbytes How many bytes to read from the next filter. 0 means that
+ * a single line should be read.
*/
AP_DECLARE(apr_status_t) ap_get_brigade(ap_filter_t *filter, apr_bucket_brigade
*bucket,
Hi all,
Does anyone know if a version of mod_gzip exists for Apache v2.0?
Regards,
Graham
--
-
[EMAIL PROTECTED]There's a moon
over Bourbon Street
[EMAIL PROTECTED] wrote:
Log:
Sometimes, boys and girls, pointers and integers *aren't interchangeable.
Oops :( Didn't read the definition properly - still rebuilding my
sandbox with everything updated...
Regards,
Graham
--
-
[EMAIL PROTECTED]
dean gaudet wrote:
how does that work when the browser is making a byterange request on a
massive object... does the proxy strip the byterange before sending to the
upstream?
if so... ew.
it would seem the proxy needs to do byteranges (including caching of
partial content)... or treat
Chuck Murcko wrote:
I think nobody answered because this is pretty obviously the next Right
Thing to do in distributing httpd and we're to embarassed to admit we
didn't think of it first. 8^)
Trouble is - we're getting ahead of ourselves. These are all great
ideas, and should be acted on,
Chuck Murcko wrote:
c) Treating mod_proxy maintenance as NOT tied to httpd, mod_proxy
development as running on its own release cycle, mod_proxy code has its
own cvs module (hey, we can start module-2.1 now, right), and is
released with httpd distribution. Note that this may require some
Chuck Murcko wrote:
Hey, I was talking to Theo and he suggested we try doing something for
proxy like the FreeBSD ports idea: when someone installs, they try to go
get the latest releases of proxy, etc. from somewhere.
What do you guys think? It might make the outcome of the current
Chuck Murcko wrote:
Totally agree. That's why we as mod_proxy commit to cutting a release of
the web server too. Then users have what they want, in one package. Or a
generic "apache rollup" build with the non-core modules put in.
Mod_rewrite too?
(Puts on webmaster hat).
One important
"William A. Rowe, Jr." wrote:
In a rollup??? Absolutely! The tricky bit will be identifing the last
'stable' release of the apache child projects, overtagging that tag with the
apache release version, and letting it fly. I just don't see a simple
mechanism (for the RM) to do this all in a
Greg Stein wrote:
Same here. I think the separate nature has been quite good for mod_proxy,
and it could continue very well on its own, with separate release schedules
and whatnot. It definitely needs to be more prominent, so that people know
where to go, how to get it, etc, but that is
Hi all,
I want to be able to insert the mod_tls filters at the relevant places
in the proxy so as to support backend TLS to https:// and ftps:// URLs.
Trouble is, the "sense" of the certificates will be the other way around
- I would need to specify a set of root certificates instead of a single
Hi all,
The byterange filter currently assumes that none of the content
generators or filters upstream is capable of handling range requests
themselves. As a result the filter will try to do a byterange on a
byterange.
The attached patch tells the byterange filter to back off if there
already
Graham Leggett wrote:
+if ((ct = apr_table_get(r-headers_in, "Content-Type"))
+(!strncasecmp(ct, "multipart/byteranges", 20) ||
+ !strncasecmp(ct, "multipart/x-byteranges", 22))) {
+ return 0;
Oo-er! This is only half the story
[EMAIL PROTECTED] wrote:
*Sigh*. Slight janatorial work.
Oops - all hail cut and paste.
Regards,
Graham
--
-
[EMAIL PROTECTED]"There's a moon
over Bourbon Street
[EMAIL PROTECTED] wrote:
Quick question, is the proxy handling byte-range, or is the up-stream
server handling it? If the proxy module is handling it, then I believe
that the answer is to stop having the proxy handle it. If the up-stream
server is doing the work, then +1 for this patch.
Chuck Murcko wrote:
Based on interest at the hackathon, we'd like to present this for a vote
for reintegration soon. But we'd like to get it working properly first.
8^)
...and compilation tested on all the platforms supported...
Bear in mind that the -current mod_proxy development is only
Greg Stein wrote:
ap_getline is bogus and broken for a few reasons. At the hackathon, we
discussed creating apr_brigade_getline and apr_brigade_pgetline. When those
are built, you should have a much better way to fetch lines.
When? Foo... in a few weeks, I'd guess. Hmm. I'll go add a
Hi all,
Another doc fix for apr-util.
Regards,
Graham
--
-
[EMAIL PROTECTED]"There's a moon
over Bourbon Street
tonight..."
---
Graham Leggett wrote:
A comment seems to make sense. Why don't you post a patch with a comment,
and I will commit it.
Here we go...
Regards,
Graham
--
-
[EMAIL PROTECTED]"There's a moon
[EMAIL PROTECTED] wrote:
No it shouldn't. That is an error condition. The error returned is
NobodyWrote. It basically says that nobody ever sent the data to the
network.
It works without the NULL filter though - should it be there?
Regards,
Graham
--
Hi all,
The attached patch makes mod_proxy thread safe, and at the same time
fixes some nasty behavior caused by the non-thread-safeness of the
existing mod_proxy code.
Like last time, the proxy needs to attach the downstream conn_rec to the
upstream conn_rec so that keepalives can be
"Roy T. Fielding" wrote:
downstream is the wrong name -- see how it is used in the HTTP spec.
Every data stream has an upstream (where data is coming from) and
a downstream (where data is going to be forwarded), so every connection
consists of two streams: an upstream and a downstream. What
[EMAIL PROTECTED] wrote:
Make sure that it is actually working, and we aren't just returning an
error that isn't being detected.
Using FTP is an example of a protocol that could be tunnelled, I issued
a QUIT command. The FTP daemon closed the remote connection, which the
CONNECT code picked
Greg Ames wrote:
h...deja vu. HTTP has a folding feature, where header lines that
start with a space or a tab are treated as a continuation of the
previous line. Do tabs have any special meaning for FTP?
In ftp a control connection response seems to be any number of lines up
until a
Ryan Morgan wrote:
So the client needs to read everything between first line starting with 250-
and the line containing 250sp, so ap_getline will probaly not work.
And neither will what I have now - better fix it :)
Regards,
Graham
--
-
[EMAIL
[EMAIL PROTECTED] wrote:
This is a bug in your filter. You must continue to call apr_bucket_read,
until you find the LF. You have been assuming that you will always get an
entire string in one bucket. This is not the case.
This is true - but the extra split of a full [stringLF] into
Greg Ames wrote:
Found this in the apr-util docs - all hail cut and paste :)
Committed. Thanks!
I found a few more... will post them soon.
Regards,
Graham
--
-
[EMAIL PROTECTED]"There's a moon
"Victor J. Orlikowski" wrote:
Shouldn't we have a constant somewhere to compare the proto_num
against, instead of comparing it directly against 1001?
Just a question of style, and maintainability
Hmmm - true - but are there constants defined anywhere to do this? I
will fix this for
Hi all,
I am having a problem with the CONNECT part of the proxy, and need some
help to solve this one.
The SSL tunnel functionality is currently working great - a
bidirectional tunnel is set up between client and remote server, and
data flows normally in both directions over the link until
[EMAIL PROTECTED] wrote:
Whooa. We have HTTP_VERSION() for this. You pass in the major and minor
numbers for the HTTP version, and it returns the correct values.
Fixed.
Regards,
Graham
--
-
[EMAIL PROTECTED]"There's a moon
[EMAIL PROTECTED] wrote:
Why is the CONNECT proxy not using filters? It seems to me that filters
are almost ideally matched for the CONNECT requests.
Aren't filters half duplex though? The CONNECT tunnel is bidirectional.
If you want to remove a filter, look at the reset_filters function.
Hi all,
The HTTP proxy uses the HTTP_IN filter to read from the network. The
proxy code seems to be working fine, however about 10% to 20% of
requests fail with this error:
[error] (9)Bad file descriptor: apr_bucket_read
The error occurs part of the way through a read from the remote server,
Hi all,
Found this in the apr-util docs - all hail cut and paste :)
Regards,
Graham
--
-
[EMAIL PROTECTED]"There's a moon
over Bourbon Street
Hi all,
While compiling Apache v2.0 (checked out a few minutes ago) like this:
./configure --prefix=/opt/local/apache2 --enable-debug
--enable-maintainer-mode --enable-proxy
an error crops up in the ./configure script like this:
checking for sys/syslimits.h... no
checking for sys/time.h...
Hi all,
According to the following (obsolete) mod_proxy docs it is apparently
possible to use Apache and mod_proxy with SOCKS:
Can I use the Apache proxy module with my SOCKS proxy?
Yes. Just build Apache with the rule SOCKS4=yes in your
Configuration file, and follow
Greg Stein wrote:
Anyway... if those three references were removed from DECHUNK, then we'd be
able to dechunk any(!) stream. That would be kinda cool :-)
Agreed :)
Hmm. I just realized something. *Because* ap_getline only works on the top
of the connection filter stack, it means that
1 - 100 of 109 matches
Mail list logo
