Re: how to check for ssl.

2000-08-06 Thread Jean-Denis Girard

$r->server->port() returns 0
$r->parsed_uri->port() and $r->parsed_uri->fragment() return nothing !!!

___cliff rayman___ wrote:

> try these and see what they return:
>
> $r->server->port();
> $r->parsed_uri->port();
>
> --
> ___cliff [EMAIL PROTECTED] http://www.genwax.com/
> Jean-Denis Girard wrote:
>
> > For some reason (probably my error), $r->get_server_port() always returns 80
> > although my mod_perl backend only listens to 8080 and 8443 (I use Listen
> > directives).
> > I'm using (sockaddr_in($r->connection->local_addr))[0] to get the port
> > instead.
> > Though it works, I must load one more module (Socket), which I would like to
> > avoid if possible...
> >
> > Any idea about my mistake?
> >
> > My conf: apache-1.3.12 + mod_ssl-2.3.4  <=> apache-1.3.12 + mod_perl-1.24 on
> > linux-2.2.14
> >
> > Jean-Denis Girard
> > http://www.esoft.pf
> >
> > ___cliff rayman___ wrote:
> >
> > > $port=$r->get_server_port();
> > >
> > > [EMAIL PROTECTED] wrote:
> > >
> > > > Ok, so what is the PORT variable and how do i access it?
> > > >
> > > > Scott
> > > > On 3 Aug 2000, at 22:08, Stas Bekman wrote:
> > > > > Not really, you can spoof both:
> > > > > > http://thingy.kcilink.com/modperlguide/config/Knowing_the_proxy_pass_ed_Connec.html
> > > > >
> > >
> > > --
> > > ___cliff [EMAIL PROTECTED] http://www.genwax.com/




Re: how to check for ssl.

2000-08-04 Thread ___cliff rayman___

try these and see what they return:

$r->server->port();
$r->parsed_uri->port();

--
___cliff [EMAIL PROTECTED] http://www.genwax.com/
Jean-Denis Girard wrote:

> For some reason (probably my error), $r->get_server_port() always returns 80
> although my mod_perl backend only listens to 8080 and 8443 (I use Listen
> directives).
> I'm using (sockaddr_in($r->connection->local_addr))[0] to get the port
> instead.
> Though it works, I must load one more module (Socket), which I would like to
> avoid if possible...
>
> Any idea about my mistake?
>
> My conf: apache-1.3.12 + mod_ssl-2.3.4  <=> apache-1.3.12 + mod_perl-1.24 on
> linux-2.2.14
>
> Jean-Denis Girard
> http://www.esoft.pf
>
> ___cliff rayman___ wrote:
>
> > $port=$r->get_server_port();
> >
> > [EMAIL PROTECTED] wrote:
> >
> > > Ok, so what is the PORT variable and how do i access it?
> > >
> > > Scott
> > > On 3 Aug 2000, at 22:08, Stas Bekman wrote:
> > > > Not really, you can spoof both:
> > > > > http://thingy.kcilink.com/modperlguide/config/Knowing_the_proxy_pass_ed_Connec.html
> > > >
> >
> > --
> > ___cliff [EMAIL PROTECTED] http://www.genwax.com/







Re: how to check for ssl.

2000-08-04 Thread Jean-Denis Girard

For some reason (probably my error), $r->get_server_port() always returns 80
although my mod_perl backend only listens to 8080 and 8443 (I use Listen
directives).
I'm using (sockaddr_in($r->connection->local_addr))[0] to get the port
instead.
Though it works, I must load one more module (Socket), which I would like to
avoid if possible...

Any idea about my mistake?

My conf: apache-1.3.12 + mod_ssl-2.3.4  <=> apache-1.3.12 + mod_perl-1.24 on
linux-2.2.14

Jean-Denis Girard
http://www.esoft.pf


___cliff rayman___ wrote:

> $port=$r->get_server_port();
>
> [EMAIL PROTECTED] wrote:
>
> > Ok, so what is the PORT variable and how do i access it?
> >
> > Scott
> > On 3 Aug 2000, at 22:08, Stas Bekman wrote:
> > > Not really, you can spoof both:
> > > > http://thingy.kcilink.com/modperlguide/config/Knowing_the_proxy_pass_ed_Connec.html
> > >
>
> --
> ___cliff [EMAIL PROTECTED]http://www.genwax.com/
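
The port check described in this message, written as a stand-alone script (an added example, not code from the thread). It assumes the front end proxies SSL requests to backend port 8443 and plain requests to 8080; the addresses and the name backend_saw_ssl are made up for illustration.

```perl
#!/usr/bin/perl
# Added example, not code from the thread. Assumptions: the front end sends
# plain requests to backend port 8080 and SSL requests to 8443; every
# address below is a constructed sample value.
use strict;
use warnings;
use Socket qw(inet_aton pack_sockaddr_in sockaddr_in);

my %FRONTEND = map { $_ => 1 } qw(192.168.0.10);   # hypothetical proxy address
my $SSL_PORT = 8443;

# $local_addr is a packed sockaddr_in, the form $r->connection->local_addr
# has under mod_perl 1.x; $peer_ip stands for $r->connection->remote_ip.
sub backend_saw_ssl {
    my ($local_addr, $peer_ip, $headers) = @_;
    my ($port) = sockaddr_in($local_addr);   # same as (sockaddr_in(...))[0]

    # A connection that did not come from the front end proves nothing,
    # whatever port it reached.
    return 0 unless $FRONTEND{$peer_ip};

    # Request headers and the URI scheme arrive from the client, so
    # $headers is deliberately not consulted for the decision.
    return $port == $SSL_PORT ? 1 : 0;
}

# Constructed sample requests: [description, local port, peer, headers]
my @cases = (
    ['front end, SSL listener',          8443, '192.168.0.10', {}],
    ['front end, plain + forged header', 8080, '192.168.0.10',
        { 'X-SSL-Cipher' => 'SSLv3 IDEA' }],
    ['direct hit on 8443, not a proxy',  8443, '203.0.113.7',  {}],
);

for my $c (@cases) {
    my ($desc, $port, $peer, $hdr) = @$c;
    my $addr = pack_sockaddr_in($port, inet_aton('192.168.0.20'));
    printf "%-34s => %s\n", $desc,
        backend_saw_ssl($addr, $peer, $hdr) ? 'treat as SSL' : 'redirect to https';
}
```

The decision rests on which listener accepted the connection and on who connected, so the backend's ports have to be reachable from the front end only.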




[ot] Re: how to check for ssl.

2000-08-04 Thread blue

On Fri, 4 Aug 2000 [EMAIL PROTECTED] wrote:

> There is more than one section that needs to be secure and it's not 
> quite as black and white as folder /secure needs to be secure.
> for example.
> folder /ecom/checkout needs to be secure.
> folder /ecom/showcart doesn't

it is really starting to sound like the site design itself could use a
revamp. i believe the hopping back and forth between http/https is going
to generate a lot of silly warnings on the user's browser, as well.

why not just set them up for https as soon as they need it and then leave
them there?

> Scott
> 
> On 4 Aug 2000, at 10:16, David Mitchell wrote:
> > 
> >  .
> >  Redirect /secure https://www.mysite.com/secure
> > 
> 
> 

-- 
Blue Lang  Unix Systems Admin
QSP, Inc., 3200 Atlantic Ave, Ste 100, Raleigh, NC, 27604
Home: 919 835 1540  Work: 919 875 6994  Fax: 919 872 4015





Re: how to check for ssl.

2000-08-04 Thread scotta

There is more than one section that needs to be secure and it's not 
quite as black and white as folder /secure needs to be secure.
for example.
folder /ecom/checkout needs to be secure.
folder /ecom/showcart doesn't
Scott

On 4 Aug 2000, at 10:16, David Mitchell wrote:
> 
>  .
>  Redirect /secure https://www.mysite.com/secure
> 





Re: how to check for ssl.

2000-08-04 Thread David Mitchell

> I've got a section of our site where I want to force the user to 
> connect via ssl.
> Inside of mod_perl, is there a parameter I can grab to see whether 
> the connection is ssl or not?  Or a way to get the port number?

If there isn't a special reason otherwise, why not just put a
redirect in httpd.conf, e.g.


.
Redirect /secure https://www.mysite.com/secure


Then any attempts to access something under http://www.mysite.com/secure
will get a redirect to the same page but using https.





Re: how to check for ssl.

2000-08-03 Thread ___cliff rayman___

$port=$r->get_server_port();

[EMAIL PROTECTED] wrote:

> Ok, so what is the PORT variable and how do i access it?
>
> Scott
> On 3 Aug 2000, at 22:08, Stas Bekman wrote:
> > Not really, you can spoof both:
> > http://thingy.kcilink.com/modperlguide/config/Knowing_the_proxy_pass_ed_Connec.html
> >

--
___cliff [EMAIL PROTECTED] http://www.genwax.com/





Re: how to check for ssl.

2000-08-03 Thread scotta

Ok, so what is the PORT variable and how do i access it?

Scott
On 3 Aug 2000, at 22:08, Stas Bekman wrote:
> Not really, you can spoof both:
> http://thingy.kcilink.com/modperlguide/config/Knowing_the_proxy_pass_ed_Connec.html
> 





[Mason]Re: how to check for ssl.

2000-08-03 Thread Tim Bishop



On Thu, 3 Aug 2000, Stas Bekman wrote:

> On Thu, 3 Aug 2000, ___cliff rayman___ wrote:
> 
> > use Apache::URI ();
> > $r->parsed_uri->scheme;
> > 
> > returns http or https
> 
> Not really, you can spoof both:
> http://thingy.kcilink.com/modperlguide/config/Knowing_the_proxy_pass_ed_Connec.html
>  
> > [EMAIL PROTECTED] wrote:
> > 
> > > I've got a section of our site where I want to force the user to
> > > connect via ssl.
> > > Inside of mod_perl, is there a parameter I can grab to see whether
> > > the connection is ssl or not?  Or a way to get the port number?
> > >
> > > Scott

I had the same problem recently, where the mod_perl backend server did not
know what was happening on the front end with respect to SSL.  I solved it
in a way that is flexible, but perhaps overkill:

I patched mod_headers.c on the frontend server to allow one to attach
extra headers to requests when they are proxied to the backend.  This
allows you to stuff info in headers about SSL, or the remote-ip, etc.  
You can specify headers to set with the same substitution syntax as
RewriteRule

(The patch is attached)

example:

On the front-end server:
( cd apache_1.3.12 ; patch -p1 
SSLOptions StdEnvVars
ProxyHeaderRewrite append X-SSL-Cipher "%{ENV:SSL_PROTOCOL} %{ENV:SSL_CIPHER}"

# tell upstream server the virtual host used
ProxyHeaderRewrite append X-Frontend-Host "%{HTTP:Host}"



Now, for a typical SSL request that is proxied to the back end (as
plaintext), these headers are added: 
X-Forwarded-For: 1.2.3.4
X-Frontend-Host: my.frontend.site.com
X-SSL-Cipher: SSLv3 IDEA



On the backend server, parse the headers with some little perl handler in
startup.pl, and stuff the info where most other modules expect it (in $r,
or in environment vars):

use Apache::Constants qw(OK);

sub My::ProxyHeaderParse ($) {
    my $r = shift;

    # we'll only look at the X-Forwarded-For header if the request
    # comes from our local network
    return OK unless ($r->connection->remote_ip =~ /^192\.168/);

    # take the last address in the list; a missing header matches nothing
    if (my ($ip) = ($r->header_in('X-Forwarded-For') || '') =~ /([^,\s]+)$/) {
        $r->connection->remote_ip($ip);
    }

    # mv X-Frontend-Host: into Host: header
    my $host_header = $r->header_in('X-Frontend-Host');
    if ( defined($host_header) ) {
        $r->header_in('Host', $host_header);
    }

    # set up ssl env vars, if present in a X-SSL-Cipher header
    my $ssl_header = $r->header_in('X-SSL-Cipher');
    if ( defined($ssl_header) ) {
        ($ENV{SSL_PROTOCOL}, $ENV{SSL_CIPHER}) = split(/ /, $ssl_header);
        $ENV{HTTPS} = 'ON';  # CGI.pm:protocol() require 'ON'  (not 1 !)
    }

    return OK;
}

# called in httpd.conf
#  PerlPostReadRequestHandler My::ProxyHeaderParse



--- apache_1.3.12.dist/src/modules/standard/mod_headers.c   Wed Oct 27 02:26:53 
1999
+++ apache_1.3.12/src/modules/standard/mod_headers.cThu Jul 13 16:53:11 2000
@@ -99,9 +99,52 @@
  *  To remove a header:
  * Header unset Author
  *
+ *
+ * Non-standard Additions:
+ *
+ *Most code is from mod_rewrite, by
+ * Ralf S. Engelschall
+ * [EMAIL PROTECTED]
+ *Assembled by Tim Bishop <[EMAIL PROTECTED]>
+ *
+ *
+ * HeaderRewrite  (set headers to client using RewriteCond syntax)
+ * 
+ * Syntax: HeaderRewrite action header rewriteValue
+ *  
+ * This works the same as the header directive, except that full
+ * mod_rewrite RewriteCond interpolation is performed on the rewriteValue
+ * string.  See http://www.apache.org/docs/mod/mod_rewrite.html#RewriteCond
+ * (Of course, back-references (%N, $N) have no meaning)
+ *
+ * 
+ * ProxyHeaderRewrite (set headers sent to upstream servers (if proxying))
+ *
+ * Syntax:  ProxyHeaderRewrite action header rewriteValue
+ *
+ * ProxyHeaderRewrite allows you to rewrite headers sent to upstream
+ * servers when your server is functioning as a proxy server.
+ * This is useful when you want to send additional header information
+ * to upstream servers.
+ *
+ * Bugs:  Cannot rewrite the Host header with ProxyHeaderRewrite
+ *
+ * Examples:
+ *  
+ *# tell upstream server the ip of the request
+ *ProxyHeaderRewrite append X-Forwarded-For  "%{REMOTE_ADDR}" 
+ *# tell upstream server info on SSL status
+ *
+ *SSLOptions StdEnvVars
+ *ProxyHeaderRewrite append X-SSL-Cipher "%{ENV:SSL_PROTOCOL} 
+%{ENV:SSL_CIPHER}"
+ *
+ *# tell upstream server the virtual host used
+ *ProxyHeaderRewrite append X-Frontend-Host "%{HTTP:Host}"
+ *
  */
 
 #include "httpd.h"
+#include "http_log.h"
 #include "http_config.h"
 
 typedef enum {
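
Review bot: The Examples block in the new header comment sends X-Forwarded-For and X-SSL-Cipher with `append`, and nothing in the documentation says what happens to a header of the same name that the client already sent. If ProxyHeaderRewrite behaves like the Header directive, as the comment states, the client's value stays in front of the proxy's, so the comment should tell upstream authors to trust only the last list element, or the examples should use `set` for values that must come from the proxy alone. The wrapped `+%{ENV:SSL_CIPHER}"` line has also lost its ` *` prefix and should be rejoined with the line before it.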
@@ -111,12 +154,50 @@
 hdr_unset = 'u' /* unset header */
 } hdr_actions;
 
+typedef enum {
+  hdr_string  = 's',  /* header is a string */
+  hdr_env_var = 'v',  /* set header from env var */
+  hdr_interpolate = 'i'   /* header needs to be interpolated (not yet!) */
+} hdr_value_type;
+
+typedef enum {
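
Review bot: The comment on `hdr_interpolate` says interpolation is "(not yet!)" done, while the header comment added earlier in this patch documents full RewriteCond interpolation for HeaderRewrite and ProxyHeaderRewrite. One of the two should be brought in line so a reader knows whether values such as `%{ENV:SSL_PROTOCOL}` are actually expanded.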

Re: how to check for ssl.

2000-08-03 Thread Stas Bekman

On Thu, 3 Aug 2000, Philip Mak wrote:

> On Thu, 3 Aug 2000, Stas Bekman wrote:
> 
> > > use Apache::URI ();
> > > $r->parsed_uri->scheme;
> > > 
> > > returns http or https
> > 
> > Not really, you can spoof both:
> 
> Does the user have to spoof it deliberately in order for the wrong one to
> be detected?
> 
> If spoofing requires the user to do it on purpose, then in this case the
> $r->parsed_uri->scheme should be sufficient. The other method (putting
> HTTPS on a different port and using mod_rewrite to make it transparent) is
> better of course, but in case you can't do it for some reason, I think
> this will work too.
> 
> They don't gain anything by spoofing http/https deliberately; it just
> makes their connection not secure.

Not really. Of course this is not a thing happening to you every day, but
someone can intercept the connection and spoof it for the server as a secure one,
while in fact Eve (the interceptor's name that is usually used in crypto
docs, next to Alice and Bob) intercepts all the connections, making the
user submit information in an insecure way. Think about banking... So
checking for the scheme would be OK in 99.9% of cases, if you don't care
about the one that might be spoofed.


_
Stas Bekman  JAm_pH --   Just Another mod_perl Hacker
http://stason.org/   mod_perl Guide  http://perl.apache.org/guide 
mailto:[EMAIL PROTECTED]   http://perl.org http://stason.org/TULARC
http://singlesheaven.com http://perlmonth.com http://sourcegarden.org





Re: how to check for ssl.

2000-08-03 Thread Philip Mak

On Thu, 3 Aug 2000, Stas Bekman wrote:

> > use Apache::URI ();
> > $r->parsed_uri->scheme;
> > 
> > returns http or https
> 
> Not really, you can spoof both:

Does the user have to spoof it deliberately in order for the wrong one to
be detected?

If spoofing requires the user to do it on purpose, then in this case the
$r->parsed_uri->scheme should be sufficient. The other method (putting
HTTPS on a different port and using mod_rewrite to make it transparent) is
better of course, but in case you can't do it for some reason, I think
this will work too.

They don't gain anything by spoofing http/https deliberately; it just
makes their connection not secure.

-Philip Mak ([EMAIL PROTECTED])




Re: how to check for ssl.

2000-08-03 Thread Stas Bekman

On Thu, 3 Aug 2000, ___cliff rayman___ wrote:

> use Apache::URI ();
> $r->parsed_uri->scheme;
> 
> returns http or https

Not really, you can spoof both:
http://thingy.kcilink.com/modperlguide/config/Knowing_the_proxy_pass_ed_Connec.html
 


> [EMAIL PROTECTED] wrote:
> 
> > I've got a section of our site where I want to force the user to
> > connect via ssl.
> > Inside of mod_perl, is there a parameter I can grab to see whether
> > the connection is ssl or not?  Or a way to get the port number?
> >
> > I went through the archives last night and couldn't find anything
> > near this.  Am I missing something way too obvious here? I checked
> > the headers_in and nothing there would even hint that it's ssl.
> >
> > Scott
> 
> --
> ___cliff [EMAIL PROTECTED] http://www.genwax.com/
> 
> 
> 



_
Stas Bekman  JAm_pH --   Just Another mod_perl Hacker
http://stason.org/   mod_perl Guide  http://perl.apache.org/guide 
mailto:[EMAIL PROTECTED]   http://perl.org http://stason.org/TULARC
http://singlesheaven.com http://perlmonth.com http://sourcegarden.org






Re: how to check for ssl.

2000-08-03 Thread ___cliff rayman___

use Apache::URI ();
$r->parsed_uri->scheme;

returns http or https

[EMAIL PROTECTED] wrote:

> I've got a section of our site where I want to force the user to
> connect via ssl.
> Inside of mod_perl, is there a parameter I can grab to see whether
> the connection is ssl or not?  Or a way to get the port number?
>
> I went through the archives last night and couldn't find anything
> near this.  Am I missing something way too obvious here? I checked
> the headers_in and nothing there would even hint that it's ssl.
>
> Scott

--
___cliff [EMAIL PROTECTED] http://www.genwax.com/





Re: how to check for ssl.

2000-08-03 Thread Vivek Khera

> "s" == scotta  <[EMAIL PROTECTED]> writes:

s> I've got a section of our site where I want to force the user to 
s> connect via ssl.
s> Inside of mod_perl, is there a parameter I can grab to see whether 
s> the connection is ssl or not?  Or a way to get the port number?

perldoc Apache

then scan for the word "port".  First line containing it is your
answer.

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Vivek Khera, Ph.D.                Khera Communications, Inc.
Internet: [EMAIL PROTECTED]   Rockville, MD   +1-301-545-6996
GPG & MIME spoken here            http://www.khera.org/~vivek/



how to check for ssl.

2000-08-03 Thread scotta

I've got a section of our site where I want to force the user to 
connect via ssl.
Inside of mod_perl, is there a parameter I can grab to see whether 
the connection is ssl or not?  Or a way to get the port number?

I went through the archives last night and couldn't find anything 
near this.  Am I missing something way too obvious here? I checked 
the headers_in and nothing there would even hint that it's ssl.


Scott