On 02/14/2017 01:24 PM, Andrei Ivanov wrote:
> On Tue, Feb 14, 2017 at 2:19 PM, Daniel Gruno <humbed...@apache.org
> <mailto:humbed...@apache.org>> wrote:
>
> On 02/14/2017 01:16 PM, Andrei Ivanov wrote:
> > On Tue, Feb 14, 2017 at 1:59 PM, Daniel Gruno <humbed...@apache.org
> <mailto:humbed...@apache.org>
> > <mailto:humbed...@apache.org <mailto:humbed...@apache.org>>> wrote:
> >
> > On 02/14/2017 12:38 PM, Andrei Ivanov wrote:
> > > Hi,
> > > I'm trying to create a lua authorization script but I can't seem
> to
> > > access the request environment:
> > >
> > > require 'apache2'
> > >
> > > function authz_check_remote_ip_in_client_san(r)
> > > r:err("remote_ip_in_client_san running...");
> > > r:alert("uri: " .. r.uri);
> > > r:alert("useragent_ip: " .. r.useragent_ip);
> > > local ip = r.subprocess_env["REMOTE_ADDRESS"];
> > > r:crit("REMOTE_ADDRESS: " .. (ip or "N/A"));
> > > r:emerg("SSL_CLIENT_SAN_IPaddr: " ..
> > > (r.subprocess_env["SSL_CLIENT_SAN_IPaddr"] or "N/A"));
> >
> >
> > What about r.subprocess_env["REMOTE_ADDRESS"]? Shouldn't that work at
> least?
>
> Not exactly, this isn't CGI - the remote IP is exposed through
> r.useragent_ip. Getting environment variables is tricky since the Lua VM
> is sort of detached from the actual thread handling the request.
>
>
> I was using the REMOTE_ADDRESS since it was used as an example in a post :-)
> http://lua-users.org/lists/lua-l/2010-07/msg00671.html
> Is subprocess_env working at all?
Shortest answer I can think of is: Yes, but it doesn't do what you think
it does. it's not equivalent to os.getenv().
Perhaps later I'll elaborate on that...when I have my brain with me.
>
>
> >
> >
> > use r:ssl_var_lookup("SSL_CLIENT_SAN_IPaddr") instead.
> > r:ssl_var_lookup does the special SSL vars.
> >
> >
> > I don't get a nil now anymore, but I seem to get back an empty string
> :-(
> > SSL_CLIENT_SAN_IPaddr should be exposed by mod_nss, activated in this
> > virtual host.
>
> If it's not exposed by mod_ssl, then it may not be available through
> that call. You should try finding the corresponding mod_ssl variable if
> possible.
>
> I'm using mod_nss exactly because mod_ssl doesn't expose that variable
> and my issue that requests that is sitting ignored for 2 months now :-(
> I was hoping this would help:
> <Files ~ "\.(cgi|shtml|phtml|php3|lua?)$">
> NSSOptions +StdEnvVars
> </Files>
>
>
>
> >
> >
> >
> > With regards,
> > Daniel.
> >
> > >
> > > return apache2.AUTHZ_GRANTED
> > > end
> > >
> > > The logs show entries like this for the values accessed from
> > > r.subprocess_env:
> > > REMOTE_ADDRESS: N/A
> > > SSL_CLIENT_SAN_IPaddr: N/A
> > >
> > >
> > > LuaScope thread
> > > LuaAuthzProvider remote_ip_in_client_san
> > > /etc/httpd/authz/authz_check_remote_ip_in_client_san.lua
> > > authz_check_remote_ip_in_client_san
> > > <Location />
> > > Require remote_ip_in_client_san
> > >
> > > # these don't seem to work so I'm trying to implement them in
> a LUA
> > > script
> > > #NSSRequire %{REMOTE_ADDR} in %{SSL_CLIENT_SAN_IPaddr}
> > > #Require expr "%{REMOTE_ADDR} in %{SSL_CLIENT_SAN_IPaddr}"
> > > </Location>
> > >
> > > What am I doing wrong?
> > >
> > > Thank you in advance.
> >
> >
> >
> ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> <mailto:users-unsubscr...@httpd.apache.org>
> > <mailto:users-unsubscr...@httpd.apache.org
> <mailto:users-unsubscr...@httpd.apache.org>>
> > For additional commands, e-mail: users-h...@httpd.apache.org
> <mailto:users-h...@httpd.apache.org>
> > <mailto:users-h...@httpd.apache.org
> <mailto:users-h...@httpd.apache.org>>
> >
> >
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> <mailto:users-unsubscr...@httpd.apache.org>
> For additional commands, e-mail: users-h...@httpd.apache.org
> <mailto:users-h...@httpd.apache.org>
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
