Re: [AOLSERVER] Can you help me get rid of the temp files in this exec?

2003-09-09 Thread Jerry Asher
Dossy said:
> On 2003.09.07, Jerry Asher <[EMAIL PROTECTED]> wrote:
>>
>> WS: uses Verisign Payment gateway to charge user for the new virus and
>> drug.
>
> If your front-end webservers are doing CC auth and verification, then
> you might as well be giving your product away.  Or, hope your e-commerce
> site is so low-traffic that nobody finds out about you.  Because, if
> someone does, you'll be in for a world of hurt ... before they even
> steal a single credit card number from your systems.

Well, googling for php ecommerce script serves up 1/4 million links.  cgi
commerce script is another 1/4 million, and ecommerce gateway serves up
1/3 million links.

Now I realize I'm making a McDonalds trailer trash argument here, but the
empirical reality is that a lot of folks with only one webserver seem to
be doing cc auth and verification.

That said, I agree with you that a two body solution is preferable.


Jerry


--
AOLserver - http://www.aolserver.com/

To Remove yourself from this list, simply send an email to <[EMAIL PROTECTED]> with the
body of "SIGNOFF AOLSERVER" in the email message. You can leave the Subject: field of 
your email blank.


Re: [AOLSERVER] Can you help me get rid of the temp files in this exec?

2003-09-07 Thread Jerry Asher
Rob Mayoff said:
> The PK needn't be accessible from the Internet, needn't run the same OS,
> needn't have a web server, etc.

So I am curious, in terms of buy vs. make

A:  Can I buy one of these in a small, raided, secure rackable form?

B:  Is there a version and distribution of *nix, *bsd that
can run AOLserver in which the entire system except for
/var/log /var/"postgres-data" or /var/"berkeley db data"
can be run off of CD (and is considered to be a secured
distribution?)

I realize requiring AOLserver etc. is drastic overkill,
but for me it's the swiss army knife that would get it
in a reasonably secure fashion to market quickest.

Then once one of these is built and installed at this one client's site,
what do you think, is there a big, small, or medium market for this?


Jerry




Re: [AOLSERVER] Can you help me get rid of the temp files in this exec?

2003-09-07 Thread Jerry Asher
Daniel P. Stasinski said:
> On Sun, 2003-09-07 at 11:41, Daniel P. Stasinski wrote:
>
>> Check out my ns_encrypt() module that's in CVS.
>
> I just realized I had not updated CVS with a small patch needed for
> compatibility between older versions of OpenSSL.  It may take a few days
> to propagate.  If you need it before that, I can email the tarball
> directly

No, I have what I need for now, a proc forking thing I wrote last night
that will work fine for a week and let me move on until CVS is updated
(but if you haven't already, I would appreciate it if the readme lists the
versions of AOLserver and openssl your module supports.)

Thanks,


Jerry




Re: [AOLSERVER] Can you help me get rid of the temp files in this exec?

2003-09-07 Thread Jerry Asher
Daniel P. Stasinski said:

> The problem with what the customer wants is that the password is
> instantly exposed if the server should ever get hacked.
>
> Check out my ns_encrypt() module that's in CVS.  It uses all OpenSSL
> algorithms, a one time pad, and RSA public/private keys.  The webserver
> has the public key and some other remote system would have the private
> key.
>
> Daniel

Hi Daniel, Scott just pointed that out to me.  But can you clarify how you
envision it being used?

If I understand what you are saying and wrap it through my not enough
coffee and I always make things too complex while not really solving the
problemifier, then you have two machines:

WS: running the app
PK: server with the private key
The user always sees WS.

User wants to purchase latest version of Snow Crash
User enters Credit Card info, CC.

WS: uses Verisign Payment gateway to charge user for
the new virus and drug.

WS encrypts using the public key the CC info and
stuffs the encrypted info into local database.

User comes back to WS, and now wants to purchase
Dick Clark's 100th anniversary Birthday Video.

WS pulls encrypted info out of db, and sends it to
PK for decryption.  PK decrypts it.  WS uses decrypted
info to charge user for video with Verisign.

Now the silly h4x0r comes along and steals the db and runs away.
Result: silly h4x0r can do nothing with the db.

So his bigger sister the wiley h4x0r comes back and for as long as
she can maintain a cracked system and a script and remain
undetected, she can pull decrypted cc info out of pk.

Summary: this mitigates or eliminates the hit & run.  Team h4x0r has to
either break into two machines, or break into one machine and remain
hidden, or break into one machine, and have an insider send the private
key along.

The Wiley sysadmin still had best be up on security patches, monitoring
logs, intrusion detection, etc.

Do I basically have it or is there a better way to do this?

Thanks,


Jerry

P.S. If tripwire was cheaper to run, I'd probably add some rube goldberg
scheme where the WS exposes portions of its fs (/etc/ /sbin etc) to PK via
NFS and the PK comes along every five minutes and checksums WS and only
ever processes n cards per minute and only if the checksum doesn't change.




[AOLSERVER] Can you help me get rid of the temp files in this exec?

2003-09-07 Thread Jerry Asher
Ah, I figured it out.  After getting the binary, encrypted output, I send
it through openssl once more, this time translating it to base64 and that
makes it very friendly to tcl.

Thanks for the help!

Jerry


I created two functions: cc_encrypt and cc_decrypt that use openssl to
encrypt and decrypt a string. I then plan on storing the encrypted binary
string in the database (along with data detailing the encryption
parameters apart from the password.)

openssl bf -pass pass:${password}

will use the blowfish cipher to encrypt stdin, sending it to stdout using
the password.

openssl bf -pass pass:${password} -in infile -out outfile




[AOLSERVER] Can you help me get rid of the temp files in this exec?

2003-09-07 Thread Jerry Asher
I hope you folks don't mind this duplication of posting.  I am sort of
reposting a question here that I posted over at openacs.org, as I know
that some of you that could help don't really hang out over there.

The post over there is:

http://openacs.org/forums/message-view?message_id=120984

But it reads like this:

A client wants to store, well you know, credit card data in the database.

Here's what I am thinking of doing, and I'd like your help in making what
I do actually useful.

I created two functions: cc_encrypt and cc_decrypt that use openssl to
encrypt and decrypt a string. I then plan on storing the encrypted binary
string in the database (along with data detailing the encryption
parameters apart from the password.)

openssl bf -pass pass:${password}

will use the blowfish cipher to encrypt stdin, sending it to stdout using
the password.

openssl bf -pass pass:${password} -in infile -out outfile

will use the blowfish cipher to encrypt infile, sending it to stdout using
the password.

and

openssl ... -d

will decrypt

The complete functions are here:
http://openacs.org/forums/message-view?message_id=120985

But the relevant snippet is:

set plainfilename [ns_mktemp /tmp/cc-XX]
set plainfd [open $plainfilename w]
puts -nonewline $plainfd $plaintext
close $plainfd

set cryptfilename ${plainfilename}.crypt
exec openssl bf -pass pass:${passphrase} -in $plainfilename \
    -out $cryptfilename
file delete $plainfilename

set cryptfd [open $cryptfilename r]
fconfigure $cryptfd -translation binary
set crypt [read $cryptfd]
close $cryptfd

file delete $cryptfilename



Question one:

What's a good cipher to use? blowfish, des3, ...?

Question two:

So this encrypts the database but now I have this $password floating
around. The password can be set with an environment variable, a string as
I show here, or a file somewhere in the filesystem. Is there a reasonable
secure and easy to implement way to manage this password?

Question three:

I have gotten this working using the temp file approach, but I would like
to get rid of the temporary files both for file hygiene and privacy
concerns.

The problem is that openssl creates binary strings, and I can't figure out
how to make a binary process pipeline (to use the Welch terminology (p110
of PPiTaT)) out of exec, or out of |open.

Can anyone help? What magical incantation can I use to get rid of the temp
files?

Question four: assuming the password can be managed, and that I can get
rid of the temp files, what are the security implications of this?

Thanks for your help,

Jerry
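
A temp-file-free take on the snippet above, together with the WS/PK split discussed in the replies earlier on this page, as an added example (not Jerry's cc_encrypt/cc_decrypt and not the ns_encrypt module). It assumes Tcl 8.6+ and OpenSSL 1.1.1+, swaps the post's `bf` for `-aes-256-cbc -pbkdf2`, and the names run_filter, ws_seal, pk_open and CC_PASSPHRASE are hypothetical.

```tcl
# Added example, not code from the thread. Needs Tcl 8.6+ and openssl 1.1.1+.

# Run cmd as a filter: feed $input to its stdin and return its stdout.
# Both directions are binary, so ciphertext bytes pass through unmodified
# and nothing is written to /tmp. Meant for short inputs such as card data:
# all input is written before any output is read.
proc run_filter {cmd input} {
    set chan [open |$cmd r+]
    fconfigure $chan -translation binary
    try {
        puts -nonewline $chan $input
        close $chan write          ;# half-close: the child sees EOF on stdin
        set output [read $chan]
    } on error {msg opts} {
        catch {close $chan}
        return -options $opts $msg
    }
    close $chan                    ;# raises on non-zero exit or stderr output
    return $output
}

# Passphrase variant. passSource uses openssl's own syntax (env:NAME or
# file:PATH), so the secret is not in argv the way "-pass pass:..." is.
# The result is base64 text, which is safe to store in a text column.
proc cc_encrypt {plaintext passSource} {
    set cmd [list openssl enc -aes-256-cbc -pbkdf2 -pass $passSource]
    binary encode base64 [run_filter $cmd [encoding convertto utf-8 $plaintext]]
}
proc cc_decrypt {b64 passSource} {
    set cmd [list openssl enc -d -aes-256-cbc -pbkdf2 -pass $passSource]
    encoding convertfrom utf-8 [run_filter $cmd [binary decode base64 $b64]]
}

# Split-key variant: WS holds only the public key and can seal but not open.
proc ws_seal {plaintext pubKeyFile} {
    set cmd [list openssl pkeyutl -encrypt -pubin -inkey $pubKeyFile \
                 -pkeyopt rsa_padding_mode:oaep]
    binary encode base64 [run_filter $cmd [encoding convertto utf-8 $plaintext]]
}
# PK side: runs only on the machine that holds the private key.
proc pk_open {b64 privKeyFile} {
    set cmd [list openssl pkeyutl -decrypt -inkey $privKeyFile \
                 -pkeyopt rsa_padding_mode:oaep]
    encoding convertfrom utf-8 [run_filter $cmd [binary decode base64 $b64]]
}

# Demo with constructed values; runs only when this file is the main script.
if {[info exists argv0] && [info script] eq $argv0} {
    set card "4111111111111111|09/05"           ;# constructed test value
    set ::env(CC_PASSPHRASE) "constructed-demo-passphrase"
    set stored [cc_encrypt $card env:CC_PASSPHRASE]
    puts "passphrase round trip ok: [expr {[cc_decrypt $stored env:CC_PASSPHRASE] eq $card}]"

    # Key files are long-lived by nature; a scratch directory is used here
    # only so the demo cleans up after itself.
    set dir [file join /tmp ccdemo-[pid]]
    file mkdir $dir
    set priv [file join $dir pk_private.pem]
    set pub  [file join $dir ws_public.pem]
    exec -ignorestderr openssl genpkey -algorithm RSA \
        -pkeyopt rsa_keygen_bits:2048 -out $priv
    exec -ignorestderr openssl pkey -in $priv -pubout -out $pub
    set sealed [ws_seal $card $pub]
    puts "split-key round trip ok: [expr {[pk_open $sealed $priv] eq $card}]"
    file delete -force $dir
}
```

Setting ::env changes the environment of the whole process, so in a multi-threaded server a file: source readable only by the server user is the tidier choice. `openssl enc` in CBC mode provides confidentiality only and does not authenticate the stored ciphertext.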




Re: [AOLSERVER] {SPAM?} [AOLSERVER] announcing C API draft for review

2003-08-29 Thread Jerry Asher
With my new posting powers, I'll add that it's not just Dossy using the
ns_ as stopwords.  Think about the googlebots.

Like modern monks, toiling long hours in dim light with few breaks, the
googlebots scour the net, thankless, repetitive work, never breaking their
vows of silence or chastity, transcribing and indexing all they find so
that we may one day recover it.

If we don't feed them the right stop words, we'll never be able to make
use of their works.

Think of the googlebots!


Jerry

Dossy said:
> On 2003.08.28, Roberto Mello <[EMAIL PROTECTED]> wrote:
>>
>> In a reference I like to see the whole function name, without anything
>> implied. I think removing the Ns_ decreases readability. How do others
>> feel about that?
>
> I didn't want to be the first to say it, but yeah, the listing page
> needs the "Ns_" ... it might increase the amount of text you can fit on
> a page by trimming 3 characters here and there, but to a programmer, it
> definitely reduces readability.
>
> When my eyes scan code, I look for the equivalent of "stopwords" and the
> "Ns_" prefix serves as such a visual cue.  Not having them makes the
> docs almost awkward to skim.
>
> -- Dossy
>
> --
> Dossy Shiobara   mail: [EMAIL PROTECTED]
> Panoptic Computer Network web: http://www.panoptic.com/
>   "He realized the fastest way to change is to laugh at your own
> folly -- then you can let go and quickly move on." (p. 70)




[AOLSERVER] outgoingip.patch -- how to get qmail to bind to a specific ip address

2003-08-29 Thread Jerry Asher
This is a bit of a test message to ensure I have the all important closure
and can send emails directly to the aolserver list.

It turns out my ISP delegated the reverse ip to me of one of my addresses,
but not all.  But qmail's qmail-remote just binds to anything it can get
ahold of.  (We've all been guilty of that behavior)

http://www.qmail.org/outgoingip.patch for qmail 1.03

provides qmail/control/outgoingip

It's sort of like paxil for qmail.  It makes qmail more outgoing.  No it's
not.  It does force qmail to bind to a specific address and try that
address first.

Enlightenment for all results!


Jerry




[AOLSERVER] My posts are failing to be uh, posted. (posted directly through listserv and not via email)

2003-08-26 Thread Jerry Asher
Last week, I sent a terribly informative and highly salient message to the
list.  And it never showed up.  (Which is too bad, because the honorable
David Savimbi, nephew of Jonas tells me his offer has since expired.)

This week qmail returned it to me, something at aol did not like an IP
Name address lookup.  I am thinking this is a reverse DNS lookup, but I am
not sure.

A few minutes ago, I sent a copy of this post (I did this using a non
gell-man technique) to the list, and I can see it sitting in qmail's queue.
 The reason it's there now, is the same as it was seven days ago:

<[EMAIL PROTECTED]>:
Connected to 152.163.216.7 but sender was rejected.
Remote host said: 450 4.7.1 Access temporarily denied. IP name lookup failed
[192.25.138.230]

I've long posted to this list (as I am sure many of you regret), and my
mailserver has never had the reverse dns pointing to theashergroup.  It
hasn't been a problem in the past. Is this a reverse dns check or something
else?

What's going on, and where?  Is it with listserv, or with aol.com's
servers, or with mine?

Thanks,


Jerry



Hi. This is the qmail-send program at moe.theashergroup.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<[EMAIL PROTECTED]>:
Connected to 152.163.216.7 but sender was rejected.
Remote host said: 450 4.7.1 Access temporarily denied. IP name lookup failed
[192.25.138.230]
I'm not going to try again; this message has been in the queue too long.

--- Below this line is a copy of the message.

Return-Path: <[EMAIL PROTECTED]>
Received: (qmail 10798 invoked by uid 99); 19 Aug 2003 17:00:37 -
Received: from 68.3.55.171
(SquirrelMail authenticated user jerry)
by postoffice.theashergroup.com with HTTP;
Tue, 19 Aug 2003 10:00:37 -0700 (MST)
Message-ID:
 <[EMAIL PROTECTED]>
In-Reply-To: <[EMAIL PROTECTED]>
References: <[EMAIL PROTECTED]>
 <[EMAIL PROTECTED]>
Date: Tue, 19 Aug 2003 10:00:37 -0700 (MST)
Subject: Re: [AOLSERVER] is ns_conn peeraddr spoofable?
From: "Jerry Asher" <[EMAIL PROTECTED]>
To: "AOLserver Discussion" <[EMAIL PROTECTED]>
User-Agent: SquirrelMail/1.4.0
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
X-Priority: 3
Importance: Normal

> In fact there are four address-filtering rules your router should use:
> - Drop a packet from the WAN with a LAN source address
> - Drop a packet from the WAN without a LAN destination address
> - Drop a packet from the LAN without a LAN source address
> - Drop a packet from the LAN with a LAN destination address
>

In fact, a day or two ago, I sent an email to various authors of Blaster
articles saying that the DSL and Cable companies should do exactly this on
their routers (and others things they could do) for basic consumer
accounts. This would dramatically reduce many attacks and the reward for
hijacking a machine.  It would also make attacks much more easily traced.

This wouldn't have stopped Blaster, but my basic thesis is that the
Cable/DSL providers have as much blame and arguably more so for providing
a shoddy product as Microsoft.

Jerry




[AOLSERVER] listserv archive search broken?

2003-07-10 Thread Jerry Asher
Wanting to find out more about what I believe is AOLserver 4.0's
decoupling of Tcl versions from the server, I visited the
archives and searched for:

tcl 8.4  (since may 2003)  Nothing was found

So I searched for

tcl  (since may 2003)  Nothing was found

So I searched for

tcl  Nothing was found

So I searched for

dossy  Nothing was found

Now I can believe that we have never written about tcl, but I
know we have discussed the dossy api.

So I conclude that search of the listserv archive is broken (and
maybe I am just the last to know.)  And I would like to add my
support to anyone that wants to get the aolserver mailing list
off of listserv.  Jeez, that's one sucky piece of malware.

Jerry



[AOLSERVER] Looking for a semi-permanent place to discuss AOLserver/Tcl performance/profiling/memory/threads....

2003-07-01 Thread Jerry Asher
One of the more popular topics of conversation appears to be how
does one analyze or debug memory issues.  And this raises all
sorts of questions about versions of Tcl, how AOLserver gets
things done, multithreaded Tcl, etc.

It would be great if we could capture this information in a more
permanent fashion than in the archives of this mailing list.
Perhaps the Panoptic Wiki, or a section of aolserver.com could be
the place for this.

Any thoughts?

Jerry



Re: [AOLSERVER] [ aolserver-Feature Requests-746579 ] Server instance controller process

2003-06-06 Thread Jerry Asher
Scott Goodwin wrote:

My vote is to put it in.

/s.


I agree completely.  Feature: it is backwards and forward
compatible with existing scripts AND it will make AOLserver
implementation easier for newcomers by eliminating one more piece
of the puzzle.
Jerry

--
AOLserver - http://www.aolserver.com/
To Remove yourself from this list: http://www.aolserver.com/listserv.html
List information and options: http://listserv.aol.com/


Re: [AOLSERVER] [ aolserver-Feature Requests-746579 ] Server instance

2003-06-06 Thread Jerry Asher
Zoran Vasiljevic wrote:

On Friday 06 June 2003 10:29, you wrote:

>But maybe it's simpler and more reliable just to put in a bare
>bones http get implementation
For people using aolserver as http-server, well, ok.
But there are others, not necessarily employing it
as http-server at all. I think in order to have a
general solution, one should at least allow some
limited scripting capabilities for the watchdog, if
need be. On the other side, having the watchdog
as simple as possible is equally (if not more) important.

It's my perception that several AOLserver problems have been due
to underlying problems with Tcl.  I would want the parent process
to be (almost) provably correct and if there is a problem, I
would want it to be easy to find with inspection.

To support the non-http users (of which I am one from time to
time), I'd prefer to see a plug-in architecture similar to the db
and comm modules.  Support http-get-monitoring with a plug in and
let others develop their own X-Y-monitoring with plug ins of
their own.

Leave Tcl out of the parent and we can be assured the parent is
still robust and invariant to new versions of Tcl.

Jerry



Re: [AOLSERVER] [ aolserver-Feature Requests-746579 ] Server instance

2003-06-06 Thread Jerry Asher
Zoran Vasiljevic wrote:

On Friday 06 June 2003 09:50, you wrote:

>At the risk of adding complexity to the parent process, I
>wouldn't mind seeing such a monitoring facility added to the
>parent process.
That implies, the parent (watchdog) should have at least one
thread with the instantiated Tcl interp with ns_* command
set loaded, right?

We can put some ns/server/watchdog section and fill in
some variables there, one of which could point to a file
with Tcl procs to run for checking.

Sort of that, hm... ?

Zoran

Not necessarily.  Maybe.  It would be nice to be able to use Tcl
to communicate and implement parent process modules and functions.

But maybe it's simpler and more reliable just to put in a bare
bones http get implementation

Jerry



Re: [AOLSERVER] [ aolserver-Feature Requests-746579 ] Server instance

2003-06-06 Thread Jerry Asher
Indeed they are not. I'd add some more confusion by extending
the second to "Are you *correctly* answering requests?"

So, the solution window may vary between a very simple dumb one
"Are you still running?" to some AI-based custom behaviour, which
is, by its very nature, hard (if possible at all) to properly
generalize.

Now, reality is: there is *none* of the above in nsd as-is now!


I have been able to make do quite adequately with the ACS
suggested monitoring mechanism, which basically just ns_httpgets
a list of URLs and expected results and compares the actual
results with the expected results and restarts AOLserver on failure.

I use a very simple static page to test if basic request
processing is working, and then a very simple page involving a db
query to determine if the db is up and there is connectivity
between the db and aolserver.

At the risk of adding complexity to the parent process, I
wouldn't mind seeing such a monitoring facility added to the
parent process.

Jerry



Re: [AOLSERVER] Ns_GetVersion(&major, &minor, &patch) ??

2003-03-12 Thread Jerry Asher
I wonder if Ns_TclGetVersion would be less confusing and more consistent
with other Ns_Tcl... functions (such as Ns_TclGetLibrary()).

Jerry

Zoran Vasiljevic wrote:

At the moment, we have Ns_InfoServerVersion(void)
which returns a char * with the version string.
I would need a better (i.e. simpler) implementation,
like Tcl_GetVersion() for example, which
returns the major/minor/patch version numbers.
This is far easier to handle programmatically.
I need this in order to make run-time decisions
about the running server from within the C-code.
Are there any major obstacles why we would not
implement this one in standard AOLserver API?
I'm still not certain about the name but it should
look like:
void Ns_GetVersion(int *major, int *minor, int *patch)

Cheers,
Zoran


I. To remove yourself from this list:

Send a message to "[EMAIL PROTECTED]"  with the following text in
the BODY of your message:
signoff aolserver

II. For a complete list of listserv options please visit:

http://listserv.aol.com/

III. For more AOLserver information please visit:

http://www.aolserver.com/




Re: [AOLSERVER] ns_vhr command not working from a .tcl script for me

2003-03-10 Thread Jerry Asher
madhusudhanarao sunkara wrote:

hi,

  i am trying to give  web interface for ns_vhr command, so that i can add
,delete
get virtual hosts at runtime .
for this i had written a small tcl file that contains only ns_vhr update
command
. i can not run it on slave server since it doesn't have ns_vhr module
loaded.(i got the error message unknown command when i tried it  earlier)
so i tried it to run on master server . surprisingly (for me) it is not
serving pages although i configured the master config file for  web page
root and several sections  to deal with adp and tcl pages. can't we serve
tcl/adp pages from
master server in this situation...
master server root   is at /web/master/ and www contains index.adp,
index.tcl ,test.tcl(it contains the command )

Yes, as I recall you're right about that.  The nsvhr module master
completely takes over the entire urlspace in the master so you cannot
serve pages (apart from errors) from the master.  I think.  You may need
to look at the code or experiment but you may be able to use a
registered proc to serve pages.

Apart from that your options are to hack the code and modify nsvhr to
only take over a part of the urlspace, or better, to have the master
register for some urlspace that it will serve.

Jerry



Madhu Sudhana Rao



> From: Jerry Asher
> Reply-To: AOLserver Discussion
> To: [EMAIL PROTECTED]
> Subject: Re: [AOLSERVER] ns_vhr command not working from a .tcl script
> for
> me
> Date: Wed, 5 Mar 2003 09:04:29 -0800
>
> madhusudhanarao sunkara wrote:
>
>> hi,
>>
>> ns_vhr command is not working for me, when it is embedded in .tcl
script
>> the server is responding with error something like
>>   invalid command name ns_vhr update ..
>> but when i tried it with nscp it is working . is it restricted for
>> server control port  admin ..
>> what changes shall i make to my tcl script to work
>
>
> This is surprising to me, but then I am not sure I ever used it from
> anything other than the nscp command line.  I love the nscp command
> line.  (Back when I was a kid, we had to wget | cat all of our web
> pages.)
>
> I haven't looked at this code in more than a year, and, I am trying not
> to use it now in fact.  I don't have time to look at it now.
>
> A first glance at the code itself, and I don't see anything that should
> restrict it to just the control port.  Also, "invalid command" does not
> appear in the code, although "unknown command" does.
>
> Best of luck, I am interested in knowing what you find out.
>
>
> Jerry
>




Re: [AOLSERVER] ns_vhr command not working from a .tcl script for me

2003-03-05 Thread Jerry Asher
madhusudhanarao sunkara wrote:

hi,

ns_vhr command is not working for me, when it is embedded in .tcl script
the server is responding with error something like
  invalid command name ns_vhr update ..
but when i tried it with nscp it is working . is it restricted for
server control port  admin ..
what changes shall i make to my tcl script to work

This is surprising to me, but then I am not sure I ever used it from
anything other than the nscp command line.  I love the nscp command
line.  (Back when I was a kid, we had to wget | cat all of our web
pages.)

I haven't looked at this code in more than a year, and, I am trying not
to use it now in fact.  I don't have time to look at it now.

A first glance at the code itself, and I don't see anything that should
restrict it to just the control port.  Also, "invalid command" does not
appear in the code, although "unknown command" does.

Best of luck, I am interested in knowing what you find out.

Jerry





[AOLSERVER] virtual hosting options and a fantasy ....

2003-03-04 Thread Jerry Asher
hod of just piping each byte through
an intermediate proxy, to a much more interesting and scalable
across many machines method of screwing around with the underlying
TCP packets' routing so that on a network wide basis,
webserver responses respond directly to the client browser and no
longer need to get piped back through the intermediate proxy.
  (That's sort of like the nsunix trick, done through routing,
   and so applicable to very large sites.)
What is the old saying about slicker than shit through a goose?
I mean, um, that's really cool.  If it really works, I know, I just
know that we would all be walking around with groupies on our
elbows.
I'd love to see various AOLserver modules, documentation, admin pages,
dbs set up to cooperate well with the Linux Virtual Server.  We'll never
displace Apache, but if we had a highly available, highly scalable
server, I think we could get some interesting press and projects coming
our way.
Jerry





Tomasz Kosiak wrote:

You may take a look at my proposal to the virtual hosting solution. So far
this is only proposal and I don't know if it would be incorporated into
core. I've got working copy of 3.5.1 with those patches, indeed I reviewed
them one more time and going to prepare a distro including them. You can
take a look at older AOLserver version that we use in production for over
a year (at http://miniacs.zjednoczenie.com/snapshot.html). I'm totally
dedicated to have my modification included into core. Now they are kept as
separate patches which are applied to standard AOLserver distribution.
Yesterday I've fixed also additional modules to work with my proposal.
They expose new commands or options to handle AOLserver urlspace in single
server.

ns_register_filter ?-vserver vserver? when method url adp ?arg?
ns_register_proc ?-noinherit? ?-vserver vserver? method url proc ?arg?
ns_register_adp ?-noinherit? ?-vserver vserver? method url adp ?arg?
ns_register_proxy ?-noinherit? ?-vserver vserver? method url proxyURL ?arg?
ns_url2file ?-vserver vserver? url
ns_url2file_map ?-noinherit? ?-vserver vserver? url path ?arg?
ns_url2file_map ?-vserver vserver? url

ns_register_adp is already included in AS 4.x - it works like
ns_register_proc but for adp scripts.

ns_register_proxy is to allow to proxy part of or whole urlspace to
another httpserver using nsvhr mechanisms. With ns_vserver command it is a
generalised nsvhr command implemented by Jerry Asher.

ns_url2file_* allows to file and handle directory aliases. It is based on
example from old AOLserver C manual and expose TCL interface to it:
http://www.tcl.tk/man/aolserver3.0/c-app2.htm
You can map individual url to file with

ns_url2file_map -noinherit url file arg

or alias url prefix to directory with

ns_url2file_map urlprefix dir arg

With ns_url2file_arg url you can retrieve the argument.

Of course these commands are vserver-aware and accept -vserver switch.

--tkosiak

Here is response from Nathan Folkman apropos my
proposal:
Thanks! I'll put it on the Core Team agenda for next week's meeting.
This week's meeting is already booked with bug scrubbing. I'll keep you
posted.
- Nathan

-- Forwarded message --
Date: Mon, 3 Mar 2003 18:46:15 +0100 (CET)
From: Tomasz Kosiak
To: Nathan Folkman
Subject: vservers
I've got a implementation of virtual host support for AOLserver. When
compared with AS 4.x vservers it is complementary approach. It allows to
define separate filter/urlspace in one AS 4.x server. It means that tcl
code base and conn threads are shared in my approach.
Some time ago I've presented this to Jim Davidson. He has said that he
will present it to AOLserver Core Team. I wonder if you received my
proposal (copy is in attachment).
What do you think about it?

--tkosiak




I. To remove yourself from this list:

Send a message to "[EMAIL PROTECTED]"  with the following text in
the BODY of your message:
signoff aolserver

II. For a complete list of listserv options please visit:

http://listserv.aol.com/

III. For more AOLserver information please visit:

http://www.aolserver.com/


Re: [AOLSERVER] nsvhr API to manipulate mappings on the fly?

2003-03-03 Thread Jerry Asher
Tilmann Singer wrote:

Yes, I haven't played with this in over a year, but you can find it here:

http://www.theashergroup.com/download/

aolserver3.3-vhr.patch v.6

Adds ns_vhr command to examine nsvhr configuration at runtime, and to
add or delete vhr hosts at runtime. These patches also better support
legacy HTTP/1.0 clients that do not pass a Host field, and close various
memory leaks. This patch set includes all of the above AOLserver3Patches.
I have done no work to getting this to work with 3.5.  (IIRC, I think I
was a bit surprised 3.5 came out, prior to that I was thinking it was
just going to 4.0 which did inline virtual hosting.)
Jerry

Hi,

I remember once reading that someone (Jerry?) wrote an API that allows
to manipulate the nsvhr virtual hosting mappings during runtime so
that the changes would take effect immediately, without a restart.
I can't seem to find any references to this anymore - does it still
exist? If yes, in which version (I'm currently using 3.3+ad13 and soon
probably 3.5)?
TIA, til





Re: [AOLSERVER] Root-server switches from BIND to NSD.

2003-02-25 Thread Jerry Asher
Dossy wrote:

On 2003.02.25, Jerry Asher  wrote:

>The nsd in this case is not the naviserver daemon we all enjoy but a
>nameserver daemon written at "NLnet Labs in cooperation with RIPE."
Should we add to the confusion and start coding up an nsdns module so
one could use AOLserver to serve DNS?  :-)
Imagine the additional confusion and flames regarding security when we
announce our new version is based on nsd 8.
Jerry





[AOLSERVER] Root-server switches from BIND to NSD.

2003-02-25 Thread Jerry Asher
http://slashdot.org/comments.pl?sid=55040&threshold=-1&commentsort=3&tid=185&mode=thread&pid=5379648

Well this isn't really as true or good as I wish it was.

The nsd in this case is not the naviserver daemon we all enjoy but a
nameserver daemon written at "NLnet Labs in cooperation with RIPE."
http://www.nlnetlabs.nl/nsd/index.html

They say, "NSD is an authoritative only, high performance, simple and
open source name server."
And they're not using tinydns either, although if you look at the first
few slides in their presentation, the slides look as though they may
have come directly from tiny documentation!
http://www.ripe.net/ripe/meetings/archive/ripe-42/presentations/ripe42-dns-aons/

Hmmmph!



Jerry





Re: [AOLSERVER] aolserver 3.3ad13 on RedHat 8.0

2003-02-12 Thread Jerry Asher
Rob Mayoff wrote:


+-- On Feb 12, Jerry Asher said:

>At any rate, I had thought we were talking about, for the most part,
>rare occasions when new threads are created.


I thought we were talking about checking SP every time something (like
a stack frame) is pushed onto the stack. That means you have to know
the limit for SP every time you push a stack frame. The limit depends
on which stack you're using, which in turn depends on which thread is
executing. So you can either store the limits in TLS, or in a global
table which you search using the current SP as the key.


See that's the problem with long threads.  We should probably just
declare hitler and get on with our work.  My crawling back up *this
thread's stack* leads me to believe stack creation and allocation was
the problem.

I would think that if I am really pushing a stack frame onto a stack,
then I presumably have to know where the base of the stack is and the
top of stack.  If I know where the base of the stack is, I should be
able to lookup what the max stack size is?  However you store the base
and the top, can be the same place/same mechanism to store the size?
And so it should take just a bit more arithmetic on a stack frame push
to check the stack limits

I once read that Goering coded it up as follows:

struct stack {
    ulong maxsize;
    void *top;
    long base;
};

I'll let you determine how Ms. Braun, herself coded the stack frame push
itself as an exercise, or we can leave it here.

Jerry



Re: [AOLSERVER] aolserver 3.3ad13 on RedHat 8.0

2003-02-12 Thread Jerry Asher

>If as a thread, I ask for a new thread to be created and hence a new
>stack, I would guess (but I don't know) that the base for all stack
>pointers are stored in some global, locked, table, along perhaps with
>the limits of the stack which are either stored in that table, or
>local to the stack itself.


Suppose it is. Now you've got to locate the table - which, unless you're
willing to limit the number of simultaneous threads, must be able to
grow and therefore cannot be at a fixed address. Once you've located
the table, you've got to search it using the current SP as the search
key. Maybe you do it by binary search; maybe you do it by hashing the
high bits of SP. Whichever way you choose, I think it's going to require
several instructions.



Well the base of the table has to be at a fixed address, but it could be
a linked pointer.  Or since growing it is presumably rare, it could be a
table that grows and when it does grow threads are momentarily blocked
from using it.  No telling what the performance impacts are

At any rate, I had thought we were talking about, for the most part,
rare occasions when new threads are created.  If so, then taking a few
instructions or a loop to determine where the new stack can go seems
like it could be reasonable.

> Note that each time you create a stack from (or otherwise dynamically
> extend the stack), you need to compare the SP to a thread-specific
> limit, which means using TLS.

So using TLS storage appears to be an optimization (and in the case of
creating new stacks, and figuring out where they can go, a not terribly
profitable optimization) but not a requirement.

Thanks for your explanation.  The truth is in the details.  I can
clearly see architectures that permit all sorts of stuff but again, who
knows which will have sucky behavior or not.

Oh for Multics and being able to just ask for a new 2g segment at will.
 Alas.

Jerry



Re: [AOLSERVER] aolserver 3.3ad13 on RedHat 8.0

2003-02-12 Thread Jerry Asher
Rob Mayoff wrote:



Note that each time you create a stack from (or otherwise dynamically
extend the stack), you need to compare the SP to a thread-specific
limit, which means using TLS. I'm not sure how long Linux (for example)
has supported TLS, and I'm pretty sure that its support has changed over
time, so checking SP is not necessarily trivial.



Thanks Rob,

I am trying to understand where the thread-specific limit is involved
but I can't.

If as a thread, I ask for a new thread to be created and hence a new
stack, I would guess (but I don't know) that the base for all stack
pointers are stored in some global, locked, table, along perhaps with
the limits of the stack which are either stored in that table, or local
to the stack itself.   I mean, clearly the memory allocator knows where
it allocated the stacks...?

Then if I as a compiler, need to push a new stack frame on the stack, I
would think the stack limits are easily accessible in either the global
stack table, or the local to the specific stack area.  My first thoughts
are that the amount to push onto the stack is known by the compiler and
are thread invariant.

So I am sure my guesses are off the mark, but where?

pleh?


Jerry

P.S.  Again, I'll ignore extending the stack.  I am sorry I brought that
up in the first place since I think the most important thing is to just
protect the stacks and detect overflow.  I suspect stack extension is
treatable, once stack overflow can be reliably detected, but the
arguments confuse me and make my brain hurt.



Re: [AOLSERVER] aolserver 3.3ad13 on RedHat 8.0

2003-02-11 Thread Jerry Asher
I'll do the easy but ugly top posting thing

I understand your model, and as usual you have explained your model very
clearly.  But I think there are some assumptions in your model that need
to be addressed.

Your argument is basically that it's hard to allocate multiple stacks in
a single address space environment.  I agree with that.  But that's not
the problem.  The problem I think is detecting stack overflows in the
first place.

Your model appears to be based on a MC68000 architecture, with no memory
management unit.  One flat address space for everyone to play in.  And
perhaps as an implementation goal of Tcl, this is the model they choose
to program to.  I can certainly understand that.  It's simple, easy to
debug -- compelling.  And yes, much of the world of C/Unix was developed
for such a flat space processor.

But there is no real need for multi-threaded programs to only have a
single address space.  I think we all want the multiple threads to be
able to access any of the structures or code with another thread, but
that still doesn't require a single address space.

But again, the problem is not allocation of stacks, but detection of
stack overflow.

Yeah, Multics and the 80x86 had segments.  Multics was great, it had
paged segments.  So I would bet if one could write to a segmented
architecture, it would be natural to place each stack in its own
segment, and let the mmu detect stack overflows.  And yeah, in the early
smaller intels, we all got annoyed with having to load up various
registers with appropriate segment pointers to differentiate code and data.

Even in a flat architecture, in a machine with an mmu, all of this ill
memory access should be detectable.  As I mentioned on the DEC-10, and I
am pretty sure on VAX/VMS you could arbitrarily protect specific pages
against writes AND reads.  Any thread trying to read or write into a
page generates a fault.  I would think it would be a good idea to
separate each of those stack frames with a one or more protected pages.
   It might not solve the problem of one thread still corrupting
another thread's memory or stack, but assuming a page was larger than
several stack frames, it would certainly catch most typical stack
overflows.  Wouldn't it?  (Do mmus only care about interprocess access
and cannot catch intraprocess accesses?)

But again, maybe I'm missing something here.  When I was writing
compilers for some small functional languages, I knew, or rather the
compiler knew at every subroutine push, just how large the new stack
frame had to be.  It would seem to be pretty easy math, and not too
harsh of an efficiency hit to have the compiler/interpreter check
available stack size at each function entry.  And at runtime if new
variables are consed onto the stack, again it should be simple during
initial allocation of the variable by an interpreter to check the stack
size.

So what am I missing?  I still don't understand why it isn't relatively
easy to know when the stack is exhausted.

Forget stack extension.  I will be happy with a known error returning to
the programmer: stack overflow.  We could catch that one.  We don't even
get that.  We get:  game over dude, segv.  That's unsafe!

I would bet that if one can detect stack overflows reliably, then one
can also implement an algorithm to safely extend the stack.  It might
have other performance impacts though.

To sum up, I still do not see any technical reason for not being able to
detect stack overflow other than management goals in the implementation
of Tcl and the one possibly technical goal of trading off a level of
safety vs. a level  of performance.

But hell, I know little about this, so please do clue me in.


Jerry

Rob Mayoff wrote:


+-- On Feb 11, Jerry Asher said:

>Are you really saying you cannot imagine how in a multithreaded
>environment one can automatically and efficiently extend the stack?


Depends on what you mean by "extend the stack".

A single-threaded program has a heap and a stack in a single address
space.  We put the heap at the bottom and the stack at the top and let
them grow towards each other.  Obviously this allows each the maximum
room for growth; we don't have to put a fixed division point into the
address space.

If the stack grows down into a page that the heap wasn't already using,
the OS can detect that and simply map physical memory to that part of
the program's address space. This form of "extending the stack" is easy.

Now, in a program with N threads, we have a heap and N stacks in a
single address space. We must create N-1 divisions in the address space.
(We could get away with floor((N-1)/2) divisions if we let half the
stacks grow towards lower addresses and the other half grow towards
higher addresses, but we'd still need O(N) divisions and the code would
be messy.) The heap and one stack can share one part of the address
space,

Re: [AOLSERVER] aolserver 3.3ad13 on RedHat 8.0

2003-02-11 Thread Jerry Asher
Rob Mayoff wrote:


+-- On Feb 11, Jerry Asher said:

>Sigh, that must've been some sort of computing golden age  Oh for
>the renaissance!

Yep, the golden age - before multithreaded programming.


I don't believe that's true, in large part because at the time I was
doing multithreading on minis that only had threads and didn't have
processes (Honeywell Level 6).  (Level 6 referred to how much HBD was
involved.)  But I cannot say that these machines made stack extension
easy or possible.  (And I am pretty sure the Lisp Machine had threads,
stacks, and either automatic stack extension, OR at least detected all
stack overruns, but I don't know for sure.)  How did/does Ada accomplish
this?

Are you really saying you cannot imagine how in a multithreaded
environment one can automatically and efficiently extend the stack? So
we can expect multithreaded programs to suffer from obscure memory
overruns, rather than fail with a known error?

Jeez, you make a very curious argument against multithreaded
programming.  Safety.  Mine, yours, and the other folks in our airplane.

(Maybe this explains the Navy destroyer running NT that needed the tow
back to port.)

On the other hand, I cannot imagine using Tcl in such an environment
either -- my Tcl at least does suffer the runtime detection of a missing
$ (but that really wasn't the argument you made -- not that automatic
stack extension was not efficient for Tcl or useful for Tcl given Tcl's
usage, but that it wasn't possible in a world of multithreaded programming.)

I suspect you're wrong.  I hope so.

Jerry



Re: [AOLSERVER] aolserver 3.3ad13 on RedHat 8.0

2003-02-11 Thread Jerry Asher
Andrew Piskorski wrote:


On Tue, Feb 11, 2003 at 02:40:11AM -0800, Jeff Hobbs wrote:

>I added that warning in myself after getting enough reports.  I narrowed
>the size to 2400K to match the default Tcl eval stack recursion limit of
>1000.  I think 4M is more than you need, 1M will likely do it, and 2400K
>covers all the bases.


Jeff, for those of us not especially familiar with the Tcl internals,
could you give or point us to a basic explanation of how and why Tcl
uses the C stack, as opposed to being "stackless"?  (A Google search
for "stackless Tcl" turns up some interesting links, but doesn't seem
to really answer this question.)


Not to whine, but I think I was using the DEC-10 in 1979 when I first
encountered stacks that would grow themselves as appropriate.  I think
the technique then was to place the top of the stack against a protected
page of memory.  When the stack overflowed, the protected page was
accessed and an error handler caught the error and extended the stack.
Thus any error was NOT death by mysterious data overrun, but was instead
an understandable abs. max stack size had been exceeded.

Sigh, that must've been some sort of computing golden age  Oh for
the renaissance!


Jerry
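
The two detection approaches argued over in this thread, a limit check on every frame push and a protected page below the stack, as an added C example that is not code from AOLserver, Tcl or any poster. The `guarded_stack` structure and the `gs_*` functions are hypothetical names, and the stack here is a simulated region from `mmap`, not the thread's real stack (catching a real overflow would also need the handler to run on a `sigaltstack`).

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* MAP_ANONYMOUS, siginfo_t */
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical descriptor for one downward-growing stack. */
struct guarded_stack {
    char  *guard;  /* lowest page, mapped PROT_NONE */
    char  *limit;  /* lowest usable byte (guard + one page) */
    char  *base;   /* one past the highest usable byte */
    char  *sp;     /* current top of stack */
    size_t page;
};

static sigjmp_buf recover_point;
static void *volatile fault_addr;

static void on_segv(int sig, siginfo_t *si, void *uctx)
{
    (void)sig; (void)uctx;
    fault_addr = si->si_addr;          /* address whose access faulted */
    siglongjmp(recover_point, 1);
}

/* Map usable_pages of stack with one inaccessible guard page below it. */
int gs_create(struct guarded_stack *s, size_t usable_pages)
{
    long pg = sysconf(_SC_PAGESIZE);
    if (pg <= 0 || usable_pages == 0) return -1;
    s->page = (size_t)pg;
    size_t total = (usable_pages + 1) * s->page;
    void *m = mmap(NULL, total, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (m == MAP_FAILED) return -1;
    if (mprotect(m, s->page, PROT_NONE) != 0) { munmap(m, total); return -1; }
    s->guard = m;
    s->limit = s->guard + s->page;
    s->base  = s->guard + total;
    s->sp    = s->base;
    return 0;
}

void gs_destroy(struct guarded_stack *s)
{
    munmap(s->guard, (size_t)(s->base - s->guard));
}

/* Approach 1: arithmetic check on every push. 0 = pushed, -1 = overflow. */
int gs_push_checked(struct guarded_stack *s, size_t n)
{
    if ((size_t)(s->sp - s->limit) < n) return -1;
    s->sp -= n;
    memset(s->sp, 0, n);
    return 0;
}

/* Approach 2: no check; rely on the guard page and the MMU.
 * 0 = pushed, 1 = overflow caught in the guard page, -1 = other failure.
 * A frame larger than the guard page could step over it undetected. */
int gs_push_unchecked(struct guarded_stack *s, size_t n)
{
    struct sigaction sa, old;
    char *saved_sp = s->sp;

    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_segv;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGSEGV, &sa, &old) != 0) return -1;

    if (sigsetjmp(recover_point, 1) == 0) {
        s->sp -= n;
        *(volatile char *)s->sp = 0;   /* first touch of the new frame */
        sigaction(SIGSEGV, &old, NULL);
        return 0;
    }
    /* Reached via siglongjmp from the handler: undo the push, classify. */
    sigaction(SIGSEGV, &old, NULL);
    s->sp = saved_sp;
    char *fa = (char *)fault_addr;
    return (fa >= s->guard && fa < s->limit) ? 1 : -1;
}

int main(void)
{
    struct guarded_stack s;
    if (gs_create(&s, 4) != 0) return 1;
    printf("checked push, 1 KiB:      %d\n", gs_push_checked(&s, 1024));
    printf("checked push, 4 pages:    %d\n", gs_push_checked(&s, 4 * s.page));
    printf("unchecked push past limit: %d\n",
           gs_push_unchecked(&s, (size_t)(s.sp - s.limit) + 16));
    gs_destroy(&s);
    return 0;
}
```

Either path turns the overflow into a reportable error instead of silent corruption of a neighbouring stack.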



Re: [AOLSERVER] aolserver 3.3ad13 on RedHat 8.0

2003-02-11 Thread Jerry Asher
  Jeff Hobbs The Tcl Guy
  Senior Developer   http://www.ActiveState.com/
  Tcl Support and Productivity Solutions


That's interesting.  My copy of stack.test doesn't include anything like
that.  The openacs lore has been that 500K has been the appropriate
stacksize.  I have increased it to 4M.  Let's see what happens.

Thanks,


Jerry



Re: [AOLSERVER] aolserver 3.3ad13 on RedHat 8.0

2003-02-11 Thread Jerry Asher
Brian Fenton wrote:


What's your stacksize? Try increasing it.

Brian



Yeah, I've done that one.  It's currently 500K.

???

Jerry



[AOLSERVER] aolserver 3.3ad13 on RedHat 8.0

2003-02-11 Thread Jerry Asher
I am consistently (a few times a day) receiving a segv in an AOLserver
installation.

I am using AOLserver3.3ad13 as downloaded from openacs.org and RedHat 8.0.

The segv comes in cache.c when it is in a page hit many many times each
day.  Somehow the cache structure has become corrupted.

I have never seen this before.  Anyone else seen it?

Wild ass guess, could this be a RH8.0 problem?

Thanks,


Jerry



Re: [AOLSERVER] Offtopic dumb security policy example, at um, aol

2003-01-27 Thread Jerry Asher
Dossy wrote:


On 2003.01.27, Jerry Asher  wrote:

>I was very surprised to find a new message, A CONFIRMATION MESSAGE, in
>that alternative email address's mailbox.  I've attached it below.
>
>Jeez!  Just what is this confirming?


Think:

Someone creates a Netscape mail account.  They sign themselves up for a
whole slew of mailing lists, acknowledging the subscription
confirmations.

Then, they point the alternative email address at someone they dislike.

Now, this poor sod is stuck receiving a whole boatload of email they
didn't sign up for, from lists they probably don't know how to
unsubscribe from ...

Confirming that alternative email address should, presumably, stop this
potential abuse.  The target sod just refuses to acknowledge the
confirmation, and that should stop the process right there ...

-- Dossy


Sure that keeps the new email address from being screwed up, but at the
risk of hijacking someone's email away from them.

So I figure out Dossy's aolscreen name, I cons together your daughter's
name and guess your password, and then I get to steal your email.

If I am getting email I don't want I do have some ways of tracking it
down and stopping it.  If your email just stops one day and you don't
realize it for a day, or a week, what are you going to do?  How will you
ever fix that?

Again, anyone have the aol email addresses for the folks on mahogany row?

Jerry



[AOLSERVER] Offtopic dumb security policy example, at um, aol

2003-01-27 Thread Jerry Asher
I decided to use a very old netscape mail account to send an anonymous
anthrax warning (kidding).  This is now run by aol.  Anyway, I did
appropriate things, found the account, logged in, and visited the
options/preferences and changed the "alternative email" address from an
address at an ISP that hasn't existed for about three years to a new and
improved (with enzymes!) address.

I was very surprised to find a new message, A CONFIRMATION MESSAGE, in
that alternative email address's mailbox.  I've attached it below.

Jeez!  Just what is this confirming?


Jerry

P.S.  On an unrelated note, does anyone have Steve Case's email address?
 I um, would like to find it before he loses fiduciary powers.

Screen Name Service wrote:


Dear jerryasher,

Reply to this e-mail to confirm your e-mail address change from
[EMAIL PROTECTED] to [EMAIL PROTECTED]

In the reply, type 'OK'.

Please send your confirmation within 72 hours.

The e-mail address change will be made for the following screen name:

   jerryasher



Re: [AOLSERVER] Is Aolserver vulnerable?

2003-01-22 Thread Jerry Asher
Scott Goodwin wrote:


have the source code.

We use AOLserver for EMIS, which is not vulnerable. I've added extra
checking to the EMIS request processor 5 minutes ago to log any attempts
to use HTTP methods that we don't accept so we can identify attempts to
use TRACE. Here's the piece of code I added to do that:

# Anchored so that only the exact method names match.
if {! [regexp -nocase {^(get|post|head)$} $http_method]} {
   ns_log warning "BAD HTTP METHOD: $http_method from $peer_addr: HTTP REQ=$request"
   ns_return 403 text/html [ns_adp_parse -file /emis/pages/errors/errorframe.adp 403]
   return filter_return
} else {
   ns_log notice "$http_method request for $request from $peer_addr"
}


This is a good idea.

You may wish to change this to return a TRACE specific error message
that mentions this exploit.  That way the user will be alerted to
dubious activity on his machine.

Jerry



Re: [AOLSERVER] Is Aolserver vulnerable?

2003-01-22 Thread Jerry Asher
Below you can see that Apache 2.0 (RH 8) does echo back all the headers
that you send to it with your TRACE command.

And rereading the RFC, I gather that is just what it should be doing.

According to the whitepaper then

The exploit then is one that allows a client side script to read
information (cookies for now) that are already in the client but that
are supposed to be hidden from the script.  The script uses some
technology within the browser to generate its own HTTP request.  The
browser goes along with the game and fills in the cookie information
that should be hidden.  The script sends the request and gets to read
the response.  Since the request is a TRACE, the response includes the
hidden cookie information.

It goes away entirely if the server doesn't implement TRACE.  It will
not cause cross site leakage unless your browser already has a cross
site leakage bug in it.  IE currently does.  Other browsers may or may
not have bugs.  When will you be secure that your browser has none of
these bugs?

If your browser has a cross site scripting bug, if you visit multiple
websites with trace on, you can have a cross site scripting exploit.  So
the short term fix for YOU the webuser is to have your proxy remove all
TRACE requests.  Let's give that one an unlikely tag.

The news article claims that Apache needs a patch and can't just be
configured to not implement TRACE.  Does anyone know if that is so?


Jerry



KRUSTY$ telnet homer.theashergroup.com 16040
Trying 192.168.0.32...
Connected to homer.theashergroup.com.
Escape character is '^]'.
TRACE / HTTP/1.1
HOST: homer.theashergroup.com
COOKIE: foo=bar

HTTP/1.1 200 OK
Date: Wed, 22 Jan 2003 22:35:26 GMT
Server: Apache/2.0.40 (Red Hat Linux)
Content-Length: 68
Content-Type: message/http

TRACE / HTTP/1.1
HOST: homer.theashergroup.com
COOKIE: foo=bar

Connection closed by foreign host.
KRUSTY$
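
The reflection seen in the transcript above, next to a server-side method gate that refuses TRACE, as an added C example that is not AOLserver's or Apache's code. The function names are hypothetical, the sample request is the one typed in the telnet session, and methods are compared whole and case-sensitively (an assumption of this example).

```c
#include <stdio.h>
#include <string.h>

/* The request from the telnet session above, with CRLF line endings. */
static const char SAMPLE_TRACE[] =
    "TRACE / HTTP/1.1\r\n"
    "HOST: homer.theashergroup.com\r\n"
    "COOKIE: foo=bar\r\n"
    "\r\n";

/* Methods this hypothetical server accepts. */
static const char *const ALLOWED[] = { "GET", "HEAD", "POST" };

/* Copy the method token of a raw request into out; -1 if malformed. */
static int parse_method(const char *req, char *out, size_t outlen)
{
    size_t n = strcspn(req, " \r\n");
    if (n == 0 || n >= outlen || req[n] != ' ') return -1;
    memcpy(out, req, n);
    out[n] = '\0';
    return 0;
}

/* What the transcript shows: the whole request, Cookie header included,
 * comes back as a message/http body. Returns the body length, or -1. */
int trace_echo(const char *req, char *resp, size_t resplen)
{
    size_t body = strlen(req);
    int n = snprintf(resp, resplen,
                     "HTTP/1.1 200 OK\r\n"
                     "Content-Type: message/http\r\n"
                     "Content-Length: %zu\r\n\r\n%s", body, req);
    return (n < 0 || (size_t)n >= resplen) ? -1 : (int)body;
}

/* Gate placed in front of request handling. Returns 200 when the method is
 * allowed (resp left empty for the real handler), 400 for a malformed
 * request line, 405 with an Allow header otherwise. Nothing from the
 * request is copied into the response. */
int gate_request(const char *req, char *resp, size_t resplen)
{
    char method[16];
    if (resplen > 0) resp[0] = '\0';
    if (parse_method(req, method, sizeof method) != 0) {
        snprintf(resp, resplen,
                 "HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n");
        return 400;
    }
    for (size_t i = 0; i < sizeof ALLOWED / sizeof ALLOWED[0]; i++) {
        if (strcmp(method, ALLOWED[i]) == 0) return 200;
    }
    snprintf(resp, resplen,
             "HTTP/1.1 405 Method Not Allowed\r\n"
             "Allow: GET, HEAD, POST\r\n"
             "Content-Length: 0\r\n\r\n");
    return 405;
}

int main(void)
{
    char buf[512];
    printf("echo body length: %d\n", trace_echo(SAMPLE_TRACE, buf, sizeof buf));
    printf("cookie reflected by echo: %s\n", strstr(buf, "foo=bar") ? "yes" : "no");
    printf("gate status for TRACE: %d\n", gate_request(SAMPLE_TRACE, buf, sizeof buf));
    printf("cookie reflected by gate: %s\n", strstr(buf, "foo=bar") ? "yes" : "no");
    return 0;
}
```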



Re: [AOLSERVER] Is Aolserver vulnerable?

2003-01-22 Thread Jerry Asher
Jade Rubick wrote:


Does Aolserver implement the TRACE command?

http://www.extremetech.com/article2/0,3973,841047,00.asp


Here's what RFC 2616 says about TRACE.  This is just about all it says
about TRACE.  The other mentions are about issues that couldn't cause an
exploit:

http://www.ietf.org/rfc/rfc2616.txt

9.8 TRACE

   The TRACE method is used to invoke a remote, application-layer loop-
   back of the request message. The final recipient of the request
   SHOULD reflect the message received back to the client as the
   entity-body of a 200 (OK) response. The final recipient is either the
   origin server or the first proxy or gateway to receive a Max-Forwards
   value of zero (0) in the request (see section 14.31). A TRACE request
   MUST NOT include an entity.

   TRACE allows the client to see what is being received at the other
   end of the request chain and use that data for testing or diagnostic
   information. The value of the Via header field (section 14.45) is of
   particular interest, since it acts as a trace of the request chain.
   Use of the Max-Forwards header field allows the client to limit the
   length of the request chain, which is useful for testing a chain of
   proxies forwarding messages in an infinite loop.

   If the request is valid, the response SHOULD contain the entire
   request message in the entity-body, with a Content-Type of
   "message/http". Responses to this method MUST NOT be cached.

I am printing out WhiteHat's WhitePaper now (on my own highly patented
WritePaper (TM)):
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf.

But this exploit is evidently related to cross site scripting.

Anyway, my own initial thoughts are that I am thinking the problem is
not reflecting back the messages, but including all the cookies and
headers in the message.  If so, there is nothing in the RFC that I can
see that suggests an HTTP 1.1 server needs to send anything other than a
200 header.  The VIA header IS an information leak, but if I recall from
the past, lots of actual proxies don't implement that header anyway
 And it would be a reasonable thing to do to NOT implement it.

If the problem is sending anything at all and not just the headers, well
I confess thinking: Wow.  Cool.  Bad.

Jerry



Re: [AOLSERVER] using aolserver for mail

2002-11-19 Thread Jerry Asher
Peter M. Jansson writes:


Unless all 256 emails are going to the same box, and you are the horrified
sysadmin of that box watching qmail crush you with incoming traffic.



The out-of-the-box config of qmail is definitely faster than the
out-of-the-box config of sendmail, but if you add queues to sendmail, it
can push as many simultaneous messages as you want, and it can push them
faster than qmail can.


1.  Klez, Klez, Klez, Klez, Klezzy Klez, wonderful klez!
2.  FIRST, I MUST SOLICIT YOUR STRICTEST CONFIDENCE IN THIS TRANSACTION
3.  And while they are pushing those emails, my friend is
  sitting in a bathtub full of ice, trying to call the cops
4.  Urgent: the FCC is about to impose a modem tax
5.  How Make a FORTUNE on the Information Superhighway -
  by Laurence A. Canter and Martha Siegel, from HarperCollins 1994.

Hmm, is there any way we can slow down qmail and sendmail?


Jerry



Re: [AOLSERVER] using aolserver for mail

2002-11-18 Thread Jerry Asher
Gabriel Ricard writes:


Ok, this may be a totally crazy idea that's completely unnecessary, but here
it goes:

I want to have a high performance mail server that's easy to configure for
use in our system at work.



Now, thinking about it,
that's exactly what AOLServer does for HTTP traffic, so why can't I use
AOLServer for  my SMTP traffic as well?


For a dismal experience, check out all the hatred and flames that occur on
the MTA (qmail, sendmail, postfix, ...) developer lists.

Writing an MTA is very hard.  You have to make it reliable, secure, easy to
configure, and fast.  Sendmail has been around for something like 20 years
now?  How many thousands of man years?  Qmail has been around since 95-97
and benefited both from having been written by a coder-savant, but also from
being able to learn from sendmail's failures.  And postfix benefited by
looking at qmail and sendmail.

My suggestion is to make AOLserver more of a partner with either qmail or
postfix than it is right now.  Let the MTA developers do what they do
best

Jerry





[AOLSERVER] Tabs, Spacers, 20-30 years ago, ACID, rec.drugs.?

2002-11-12 Thread Jerry Asher
Since I only piped in once (and you all have directions on how to pipe
me to /dev/null now), here's my one real desire, which near as I can
tell, AOLserver does a wonderful job of.

I live in a dead trees world, sigh, and until I can get 600 dpi
resolution on a screen with no glare that I can draw circles on and
underline, well  And there are many times when I have to print
code out and then take that code into an isolation tank to ponder over.

Tabs, no tabs, ... as long as it is readable, and mainly, as long as
I can print the code out, on one page.

For me this means lines that have been wrapped by the author at 70-80
columns, and then indented on the next line at some semi-reasonable
and consistent place.

AOLserver is great about this.  ArsDigita Tcl was absolutely terrible about
this.  Jeez I hated looking at aD Tcl pages.  Pages developed on 21"
monitors at their highest resolution without a care for maintenance.


Jerry



Re: [AOLSERVER] Emacs indents for tcl and C

2002-11-10 Thread Jerry Asher
On 2002.11.10, Jerry Asher <[EMAIL PROTECTED]> wrote:


I love emacs. Long live emacs. I hate emacs though. What I hate is that from
the behavior I've seen, apparently at MIT it's considered that a fast way
for a frosh to get noticed by Richard Stallman is to change a well
known API, and then to change all keybindings to make use of the new
paradigm. I swear, every two years all my emacs customizations break.
Gratuitously.


A good portion of programming speed comes from muscle memory of the
environment, so that the brain is free to think about the code at hand,
not how to key it in.

As you say, this is why emacs sucks and vi still rules.  ;-)


Hey!  I didn't say that.  Grrr.  Thanks for the explanation of the
tabs, but you don't have to get nasty.  (I've been using emacs now for
probably 21 years, back when they were Editor Macros for Teco, and
replacing VTEDIT (on VMS and TOPS-10, then found emacs on Multics,
then on the Symbolics, oh boy, am I a user of obsolete systems!)

$$

Jerry



Re: [AOLSERVER] Emacs indents for tcl and C

2002-11-10 Thread Jerry Asher
Dossy writes:


On 2002.11.10, Andrew Piskorski <[EMAIL PROTECTED]> wrote:

Of course, I've never run across anyone who really WANTED to use tabs
rather than spaces, just people who did it that way by accident
without thinking, because it's the Emacs default.


Guess you've never met me, then.  ;-)

-- Dossy


But I'd certainly like to.  I'm not going to ask you a major religious
question about why MySQL when you could be using ...X, but okay,
please forgive my asking a minor religious question  Why tabs?

Jerry



Re: [AOLSERVER] Emacs indents for tcl and C

2002-11-10 Thread Jerry Asher
Tom Jackson writes:


Thanks for your help. I always feel real annoyed at myself when I start
editing code I wrote in Xemacs in vi.


Shudder.


I wonder why emacs and Xemacs use tabs at all, given the advice of most
coding standards on using spaces.


Yes I agree. A tab is a legit character, so I can see why someone making an
editor would want to support it. What's more fun (or not) is meeting up
with someone on a project that insists on using tabs in their code.

I love emacs. Long live emacs. I hate emacs though. What I hate is that from
the behavior I've seen, apparently at MIT it's considered that a fast way
for a frosh to get noticed by Richard Stallman is to change a well
known API, and then to change all keybindings to make use of the new
paradigm. I swear, every two years all my emacs customizations break.
Gratuitously.

Jerry



Re: [AOLSERVER] Emacs indents for tcl and C

2002-11-09 Thread Jerry Asher
Tom Jackson writes:


I'm trying to configure Xemacs to use spaces instead of tabs when auto
indenting source files. The advice given in
http://aolserver.com/docs/devel/tech/standards.html#overall was to add
the following lisp code to my .emacs file:

(add-hook 'c-mode-hook
   (function (lambda ()
   (setq c-basic-offset 4)
   (setq c-indent-level 4))))

I did this and restarted, but the indents still seem to be tabs.
Is there a way to do this in Xemacs, and can it work for Tcl as well?

--Tom Jackson


Try setting indent-tabs-mode to nil. That works for me in emacs and
for c. I haven't tried it with tcl.

Do you know the difference between xemacs and emacs these days? If so
please tell. So different and so close. The documentation of both
wrt to tabs was identical. Confusing.

Jerry



Re: [AOLSERVER] Other languages

2002-11-08 Thread Jerry Asher
At 08:20 AM 11/8/2002, you wrote:
>On Fri, Nov 08, 2002 at 04:33:41AM -0500, Nathan Folkman wrote:
>
>> I hope to continue to see people stepping up to support different languages:
>> Tcl, Perl, Python, Java, PHP, etc. If the server is well designed, and
>> things are abstracted correctly, then there would be no reason not to support
>> as many languages as possible.
>
>I think of AOLserver as a web application server, not as a general
>web server. In fact, I often use it as a swiss-army knife for networked
>applications. This should be even more interesting when libnsd is out.
>
>-Roberto

I agree with Roberto.

I consider AOLserver to be a web application server, though with the
hijacking of the name by the J2EE crowd, I am not exactly sure what a web
application server is.  But I would like to see more (of something) go into
making AOLserver an even better web application server.

Support for more languages is critical to AOLserver's long term success.
The momentum these days is somewhere in the PHP, Python, J2EE, C# worlds.
If we want to attract the smart developers and if we want to make it easier
to sell into organizations, if we want to compete with these technologies,
then we need some amount of support for more languages.

There is a question of what users want when they want language support.
Do they want:

A)  Apache/Zope/ APIs?
B)  Languages as independent black box modules.  As an example,
support for Gallery (PHP) doesn't imply PHP support
where a PHP module can add registered filters, procs, etc.
C)  Language support as cooperating modules.  My java modules
can easily create/modify data structures available
to my python modules and my tcl modules.
D)  Language support where each language is an equal peer with
Tcl and C.  For each connection perhaps, "I" can decide
whether to attach a Tcl, Python, or Ruby interp to the
thread.  I can develop registered procs and filters in any
language of my choice.

What I mainly want is stability.  It aggrieves me that neither pywx nor php
are considered to be stable.  That leads me to using AOLserver for Tcl, and
using Apache for PHP.

After that, I would like to see (C) cooperating modules as a goal, but would
settle for (B) independent language modules.

I am very curious as to what would make AOLserver an even better application
server than it already is.  These days I suspect a very healthy support for
XML, XML-RPC, and SOAP are way up there.  I suspect the move to using
standard Tcl and therefore support for standard Tcl libraries will go a long
way.  But what other things, in what other ways, could AOLserver support
your apps?


Jerry



[AOLSERVER] Googling the AOLserver Documentation

2002-11-04 Thread Jerry Asher
Peter M. Jansson writes:


On Sunday, November 3, 2002, at 02:33 PM, Scott Goodwin wrote:


Documenting multiple commands on the same page ... will confuse the
readers


I disagree; I find, for example, that the traditional AOLserver
documentation including all variants of ns_return on a single page helps
me to better understand the range of responses available.


Yes, I absolutely agree with this.  When inspecting APIs, I always first
want to know, what is the range of possibilities.  I don't get that answer
when the responses are listed only on separate pages.

I suspect too that listing these things on the same page will help us Google
the manual.  I no longer bookmark the doc pages for Tcl or AOLserver, I
google the command and hit the lucky button.  That's a pretty wonderful
thing to be able to do.


Jerry



Re: [AOLSERVER] AOLserver and IP Multicast....

2002-10-11 Thread Jerry Asher
Peter M. Jansson writes:
>Why do you think this is too many to use conventional tcp? Isn't one of
>the reasons we choose AOLserver that it scales?

The crux of my problem is that I don't have the target hardware yet, and it's quite an 
experience leap for me to estimate how many requests per second AOLserver can handle 
on a Sun midframe server for the requests we will be seeing. I believe our systems 
will be capable of performing thousands of requests per second, but how many thousands?

If we have 300 servers and they did something dumb (like our client has 
demanded/requested) and they each heartbeat each other then each has to handle 300 
connections per second just for a heartbeat. And each has to make 300 connections to 
send its heartbeat to the other systems. That might be a considerable chunk of the max 
connections a system might handle, and that doesn't include other messages we may wish 
to pass around involving state information. And none of that includes any of the 
actual client requests.

Now there are various ways we might make this more efficient, but one way that seems 
to stick out is if we can use some form of broadcast or multicast so that one system 
can speak to everyone at a time. This would be very nice for heartbeats (as spec'd by 
the client). It would also seem to make sense for passing state information around as 
long as we can somehow ensure those multicasts are reliable.

By the way, I would love to hear some benchmarks of AOLserver on Sun v100s, v880s, or 
SunFire 6800s.

>You could also consider using DNS to
>propagate the data, with caching servers at various points in the network,
>assuming you feel the traffic would overwhelm a single server.

Can you explain a bit more on how to get DNS to do this?

>I don't think multicast is going to work well with HTTP, though, because
>HTTP pretty much requires data exchange between broadcaster and receiver,
>and multicast pretty much excludes any data from reaching the broadcaster
>from the receiver.

Yes, well I have thought that I would "break" HTTP in the sense that I wouldn't be 
returning any responses back. On the other hand I would love to hijack the request 
processor so that I can operate on a multicasted HTTP get/post. And what I would 
probably do to start out is have each multicast include a sequence number and have 
clients have a reverse request so that they can keep track themselves of which 
messages they didn't receive and ask to have those retransmitted. Yes it's kludgey, 
that's why I would appreciate hearing from anyone that has looked into "reliable ip 
multicasting".

>I'm curious to find out what you learn, though.
>Pete.


I'll be happy to follow up if anything interesting comes along.
Jerry
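
The sequence-number-plus-retransmit-request scheme sketched in the message above, as an added example that is not part of the original post and is not AOLserver code. The class names, the bounded history buffer, and the constructed loss of datagrams 3 and 4 are all assumptions; the network itself is simulated with plain function calls.

```python
from collections import OrderedDict


class Sender:
    """Multicast publisher that numbers datagrams and keeps a bounded history."""

    def __init__(self, history=1024):
        self.seq = 0
        self.limit = history
        self.history = OrderedDict()  # seq -> payload, oldest first

    def publish(self, payload):
        self.seq += 1
        self.history[self.seq] = payload
        while len(self.history) > self.limit:
            self.history.popitem(last=False)  # forget the oldest datagram
        return self.seq, payload

    def retransmit(self, seqs):
        # Answer a receiver's "reverse request"; expired entries are skipped.
        return [(s, self.history[s]) for s in seqs if s in self.history]


class Receiver:
    """Tracks gaps in the sequence and reports what must be re-requested."""

    def __init__(self):
        self.next_expected = None
        self.missing = set()
        self.delivered = []

    def receive(self, seq, payload):
        if self.next_expected is None:
            self.next_expected = seq  # join the stream at the first datagram seen
        if seq in self.missing:
            self.missing.discard(seq)  # a retransmission filled a gap
            self.delivered.append((seq, payload))
        elif seq >= self.next_expected:
            # Everything between the last datagram and this one was lost.
            self.missing.update(range(self.next_expected, seq))
            self.next_expected = seq + 1
            self.delivered.append((seq, payload))
        # Anything else is a duplicate and is dropped.
        return sorted(self.missing)


def demo():
    sender, rx = Sender(), Receiver()
    datagrams = [sender.publish(f"heartbeat-{i}") for i in range(1, 6)]
    nack = []
    for seq, payload in datagrams:
        if seq in (3, 4):  # constructed loss on the wire
            continue
        nack = rx.receive(seq, payload)
    requested = list(nack)
    for seq, payload in sender.retransmit(nack):
        nack = rx.receive(seq, payload)
    return requested, nack, sorted(s for s, _ in rx.delivered)
```

A receiver only notices a gap when a later datagram arrives, so loss of the most recent message stays invisible until the next one is sent.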



[AOLSERVER] AOLserver and IP Multicast....

2002-10-11 Thread Jerry Asher

First of all, I know nothing about IP Multicast.  (But I am reading Stevens...)

I have a system with several hundred machines on it and I need to keep each
system updated with various pieces of information including various
heartbeats, pieces of state information.  The machines are all behind our
firewall, but there are so many they do live on different segments of our
net (i.e. there are many routers.)

I believe there are too many systems to use typical tcp/ip unicast
connections, and it strikes me that this may be a good use of broadcast or
ip multicast.

My understanding so far of multicast is that it's not a protocol in and of
itself, it's a technique that we can layer a protocol on top of.

So using my favorite Swiss Army knife, I am thinking of creating an
AOLserver module that can perform http gets or posts using either a
broadcast or ip multicast, and making changes to nssock (or creating a new
module) that enables AOLserver to listen for http requests over broadcast or
ip multicast.

Am I just an ignorant ass or would this be interesting, useful, and
implementable?  (or all of the above?)

Before going to AOLserver, are there any tools already out there that can be
used to make for an efficient information bus using broadcast or ip multicast?

If I do choose to build such a module and create some form of bus on top of
it, what are the pitfalls I should be aware of?

And since I believe that broadcast and ip multicast are UDP and inherently
unreliable, what are the common techniques used to make for a reliable
multicast?  In fact, googling on reliable multicast leads me to a few
commercial products and a CISCO specification of PGM, pragmatic multicast.
Is there a standard reliable multicast protocol that I should look to?

Thanks!

Jerry



Re: [AOLSERVER] php + aolserver (is it stable?)

2002-08-30 Thread Jerry Asher

Whenever I think about php + aolserver, I am struck by what I've seen in
the past.  Comments at the php sites that php + aolserver isn't stable or
ready for production.

Am I confused about this?

Also, do php programs embedded within aolserver benefit from:

A)  aolserver's db connection pooling?
B)  aolserver's multithreaded model?
C)  ???

Due to the stability issues, I haven't seen much value in adding php to
aolserver, and not just letting apache and aolserver run side by side with
apache hosting php.

???

Thanks,

Jerry



Re: [AOLSERVER] OT: gearing for speed.... (caching connections)

2002-08-30 Thread Jerry Asher

At 05:12 AM 8/30/2002, you wrote:
>SSL requires a 7-step handshake between the two systems in order to
>establish an SSL connection before any data can be passed.  This handshake
>also requires multiple cryptographic operations including generation of a
>fairly small random number, as well as disk accesses of the digital
>certificate files for authentication.  SSL session establishment takes a
>bit of time.  To compensate for this, most SSL implementations will cache
>connections between two systems so that what appears to the application
>writer as a second session, runs over an existing SSL connection.  Even
>so, there is some overhead in the encryption once the session has been
>established.

I have an application where two AOLserver instances on two different nodes
are going to have lots and lots of communication between themselves -- I
would prefer to keep the connections transient, but want to know what the
alternatives are.  It's interesting to know that nsopenssl/nsssl may already
be doing some of this.

Can you tell me more about how this connection caching is done in AOLserver?

Is it handled entirely within nsopenssl/nsssl?  Is it actually keeping the
TCP/IP connection open, or just caching some of the SSL/crypto data?  If the
latter, how does it determine a new request is actually part of an old SSL
session?

Thanks,


Jerry



Re: [AOLSERVER] ns_queryget problem

2002-08-26 Thread Jerry Asher

Interesting you link this to virtual servers  What is your virtual
server technology?


Jerry

At 03:32 AM 8/24/2002, you wrote:
>dear all,
>
>i got this error message after i setting my aolserver into several virtual
>web
>server. Before i just ran one server on the aolserver and never found this
>error message. is there any body knows how to fix this problem since my web
>after i run several virtual server is not running smoothly some of the
>task is
>missing.
>
>Error writing content: resource temporarily unavailable
> while executing
>"ns_conncptofp $fp"
> (procedure "ns_getform" line 25)
> invoked from within
>"ns_getform"
> (procedure "ns_queryget" line 2)
> invoked from within
>"ns_queryget target_user"
> invoked from within chunk: 0 of adp:
> /usr/aolserver/servers/photokiosk/pages/userupload.adp
>
>
>FYI: i'm using AOLserver 3.3ad13
>
>TIA
>oetjoen



Re: [AOLSERVER] SOAP and AOLserver

2002-08-26 Thread Jerry Asher

At 09:20 AM 8/23/2002, you wrote:
>On Fri, Aug 23, 2002 at 06:04:09PM +0200, Branimir Dolicki wrote:
>
> > Does anybody have any experience (good or bad) with implementing
> > SOAP webservices with AOLserver?  Which technologies did you use?
> > What worked?  What didn't?
>
>I'm told that TclSOAP (which does both SOAP and XML-RPC) is the tool
>to use, but I personally never got around to trying it.  I did around
>with ns_xmlrpc a bit, but I'd look at TclSOAP first.  More info here:

I used ns_xmlrpc with a xmlrpc layer that had been handed down and finally
reworked by Dave Bauer and myself.

Oh the pain!

It made me truly envy the C# folks and their WSDL interpreter/class proxy
generator.


Jerry



Re: [AOLSERVER] Ideal AOLserver servers in network bound application....

2002-08-17 Thread Jerry Asher

Thanks Dossy,

I knew about 2, and 3, but hadn't thought too much about 1.  Can you be
more specific though, or could you give a few model names that I can research?

Thanks,

Jerry



[AOLSERVER] Ideal AOLserver servers in network bound application....

2002-08-17 Thread Jerry Asher

I need to make some recommendations for likely AOLserver server machines.

Each connection will have a small amount of work to authenticate, decrypt,
format the content, but most of the content will be provided by databases
serviced by external database machines.

I believe the system will be network/cpu/copy bound more than disk i/o bound.

We would like to be able to implement some very high connection rates.

I am at a loss this afternoon in being able to give a good argument for why
a mid-size, or big box could be expected to do significantly better than a
typical low end server.

What are the things you folks would look for to configure a server to get
high connection rates out of AOLserver in an environment where there is
no local database on the AOLserver server?

Thanks,

Jerry



[AOLSERVER] 28,000 hits per second, how many servers of what kind again?

2002-08-09 Thread Jerry Asher

Back in '99, Philip Greenspun wrote:

>America Online is fielding 28,000 hits per second across all of its
>various Web services and servers

I am curious if anyone knows what the configuration looked like at that
time.  How many servers was AOL using?  What were they?

On a somewhat related topic, I would like to know how many persistent
connections a cough, typical linux server, cough, might be expected to
reliably service, and what are the limitations involved.

I've visited the C10K pages and the like, and ran across a quote attributed
to Alan Cox suggesting that each connection requires 20K in the kernel (and
a rejoinder of well that was dumb then) suggesting that 1000 connections
would require 20M just for TCP's use.

And it appears from a few years ago that a few hundred was okay, but more
than a thousand was considered dicey.

But that was a few years and a few kernels ago.

What's the scoop now?  How many persistent connections might a uniprocessor
Xeon 1.6Ghz PIII with lots of memory reliably handle?  Semi-informed
guesses are what I am seeking.

Is it 1K, 2K, 4K, 8K, 16K, 32K, ...?

Thanks,


Jerry



Re: [AOLSERVER] [ aolserver-Bugs-446689 ] nsreturnredirect isn't

2002-03-19 Thread Jerry Asher

Hi Jim,

No one wants a flame war.

I would like a world class webserver that is protocol compliant because I
believe that makes development easier, not harder, and it makes it easier
for me to encourage clients to use it, and it makes it easier for clients
to use it, and not worry why it's neither Apache, or IIS.

I would like a webserver that doesn't have to come with a collection of
developer caveats.

I would love to see a relationship between the AOLserver staff and the
community in which each side supports, benefits from, and respects each other.

Regarding your specific points,

>1. Though it may not be RFC compliant to do what it is doing, it will
>still work on 95%+ of the browsers in use.

I believe the trend is not just that IE is taking over the desktop, but
also that small micro browsers  are cropping up left and right on all sorts
of devices and internet appliances.  I am annoyed these days when my
ericsson fails to properly surf yahoo's site.  I suspect a bug in either my
phone's browser or yahoo's server.

>2. It is only an issue if the developer has a coding error.

Except that as ad_returnredirect shows, most of those coding errors can be
completely mediated by extending what ns_returnredirect does.  Since
ad_returnredirect demonstrates a wonderful prototype (if not the fix
itself), and thus completes much of the development process (requirements,
design, ...) why not extend ns_returnredirect to make the developers tasks
easier and more likely to be correct?

>3. Taken together, it is extremely unlikely to happen in practice.

Gosh, my experience has always been that P(coding error) approaches 1 for
any non-trivial program.  And sadly, because of the nature of scripted web
pages, where (page return) functionality is often duplicated on each and
every page, this misuse of ns_returnredirect when it occurs at all, is
likely to occur on many many pages of a website, since it is the result of
an otherwise competent developer, not realizing what RFC behavior actually is.

And of course, I encountered this by finding it throughout the ACS, an
example of a non-trivial website developed by largely competent programmers.

>4. Given that it is unlikely, and that AOL's server developer
>resources are limited, how many resources should be used in making this
>change, reviewing it, testing it, etc.?  I would say "not many".

I don't know how long it will take to implement a fix.  Since no one came
forward saying, "yes, but low priority due to our lack of resources", and
since no one said, "yes, could you submit a patch", and since no one
rejected it saying, "we believe this will take a week of developer time
that we don't have", I find it difficult to address your question of cost
benefit analysis.

In general I think any afternoon spent towards making AOLserver a more RFC
compliant server is an afternoon well spent towards client and developer
acceptance of our server.


Jerry

Jerry Asher  [EMAIL PROTECTED]
1678 Shattuck Avenue Suite 161   Tel: (510) 549-2980
Berkeley, CA 94709   Fax: (877) 311-8688



Re: [AOLSERVER] [ aolserver-Bugs-446689 ] nsreturnredirect isn't RFC2068 compliant

2002-03-19 Thread Jerry Asher

I am extremely disappointed how this bug was resolved, by rejecting it.

The suggestion that it is up to the caller to do the right thing tacitly
admits that the bug is factually correct, ns_returnredirect is not RFC2068
compliant.  Whatever happened to the philosophy of "be liberal in what you
accept and conservative in what you send".

I find the statement used to close the report flippant, arrogant, and
aggravating.  Once again, the AOLserver staff gives the finger to the
community.  Why should we participate in submitting bug reports when this
is the response?

>The caller should be sure to do the Right Thing in this case.

In fact it would be pretty easy for ns_returnredirect to either detect and
report the problem in the parameters it was passed, or to implement
behavior in which it returns rfc compliant values and in a manner that does
what most of its callers would want.  (See ad_returnredirect for the
suggested bug fix and behavior implementation.)

Sigh,


Jerry



At 09:51 AM 3/19/2002, Ms. Source Forge wrote:
>Bugs item #446689, was opened at 2001-08-01 03:04
>You can respond by visiting:
>http://sourceforge.net/tracker/?func=detail&atid=103152&aid=446689&group_id=3152
>
>Category: API: C
>Group: aolserver4_0
>Status: Closed
>Resolution: Rejected
>Priority: 1
>Submitted By: Jerry Asher (jerryasher)
>Assigned to: Kriston Rehberg (kriston)
>Summary: nsreturnredirect isn't RFC2068 compliant
>
>Initial Comment:
>This is "broken" in aolserver 4, but is also broken in
>the AOLserver 3.x series.
>
>According to RFC 2068, Section 14.30, Location, the
>Location field must be an absoluteURI.
>ns_returnredirect doesn't ensure this and will
>gleefully create and return "relative urls".
>
>So if a page at /foo/bar does something like:
>
>ns_returnredirect index.tcl
>
>(presumably intending that the browser should redirect
>to /foo/bar/nextpage.tcl)
>
>What will be returned is:
>
>Location: nextpage.tcl
>
>It turns out that many browsers such as IE and
>Netscape understand this and will do the right thing,
>but other browsers and "browser like simulations" such
>as ns_httpget fail to "do the right thing" and end up
>returning a 404 (ns_httpget will look for
>http://host/nextpage.tcl)  (I encountered this in both
>AOLserver/ns_httpget as well as on a web server load
>tester.)
>
>Suggested solutions:
>
>1.  Have ns_returnredirect throw an error if the
>passed in location isn't an absoluteURI (that places
>the responsibility on the developer to pass in
>absoluteURIs.)
>
>2.  Follow the suggestion of the ACS routine
>ad_returnredirect and check the location.  If it's not
>an absoluteURI, try and create one using the state of
>the current connection (using the current directory
>and the value of the HOST field and/or the driver
>location.)
>
>--
>
>Comment By: Kriston Rehberg (kriston)
>Date: 2002-03-19 12:50
>
>Message:
>Logged In: YES
>user_id=16427
>
>The caller should be sure to do the Right Thing in this case.
>
>
>--
>
>You can respond by visiting:
>http://sourceforge.net/tracker/?func=detail&atid=103152&aid=446689&group_id=3152


Jerry Asher  [EMAIL PROTECTED]
1678 Shattuck Avenue Suite 161   Tel: (510) 549-2980
Berkeley, CA 94709   Fax: (877) 311-8688
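
The second suggested solution in the bug report above (build an absoluteURI from the connection state), as an added example that is not part of the original post and is not AOLserver or ACS code. The function name, the allow-list of host names, and every host and path in the tests are assumptions; because the Host field is supplied by the client, this version only uses it when it matches a configured name and otherwise falls back to the driver location.

```python
from urllib.parse import urljoin, urlsplit


class RedirectError(ValueError):
    """Raised when a redirect target cannot be sent safely."""


def absolute_location(target, request_path, host_header,
                      driver_location, allowed_hosts):
    """Return an absolute URI for the Location header.

    target          -- what the page passed to the redirect call
    request_path    -- path of the page being served, e.g. /foo/bar/index.tcl
    host_header     -- value of the request's Host field (client supplied)
    driver_location -- configured scheme://host[:port] of the server
    allowed_hosts   -- host names the server is willing to redirect under
    """
    # Refuse CR/LF so the target cannot add extra response headers.
    if "\r" in target or "\n" in target:
        raise RedirectError("control characters in redirect target")

    # Already absolute: pass it through unchanged.
    parts = urlsplit(target)
    if parts.scheme and parts.netloc:
        return target

    # Pick the base. The Host field is trusted only when it is a known name.
    base = driver_location.rstrip("/")
    host = (host_header or "").strip().lower()
    if host in allowed_hosts:
        base = f"{urlsplit(driver_location).scheme}://{host}"

    # Resolve the relative reference against the URL of the current page,
    # which is what a browser does with a relative Location value.
    return urljoin(base + request_path, target)
```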



[AOLSERVER] reliable messaging between multiple AOLserver processes

2002-03-11 Thread Jerry Asher

I am working on a project I would love to use AOLserver with.

We are going to have a variety of Linux and Solaris machines each running
one or more copies of AOLserver doing various tasks, some web related, some
wireless related, and some just doing random TCP based tasks.

Some of these machines will be in the same rack at an ISP, while others will
be in different racks, on different continents.

I wonder what tools you folks might have, that could be distributed (to
people as well as between processors) that help multiple AOLserver processes
communicate and cooperate.

What would be great are tools that allow me to broadcast messages, or
that create a reliable messaging layer between multiple AOLserver processes.

Perhaps even better would be any tools that might help one reliably
share/sync any specific tcl object between multiple AOLserver processes.

If I build this myself, I am considering utilizing the Spread Toolkit,
http://www.spread.org/ (which carries an older BSD-like license.)

>Spread is a toolkit that provides a high performance messaging service
>that is resilient to faults across external or internal networks. Spread
>functions as a unified message bus for distributed applications, and
>provides highly tuned application-level multicast and group communication
>support. Spread services range from reliable message passing to fully
>ordered messages with delivery guarantees, even in case of computer
>failures and network partitions.

Does anyone have any experience with this toolkit?  If so, what is your
experience, is it reliable?  Is it high performance?

Thanks,


Jerry Asher
====
Jerry Asher  [EMAIL PROTECTED]
1678 Shattuck Avenue Suite 161   Tel: (510) 549-2980
Berkeley, CA 94709   Fax: (877) 311-8688



Re: [AOLSERVER] server reload function

2002-03-10 Thread Jerry Asher

At 12:05 AM 3/11/2002, you wrote:
>I  have my AOLserver in inittab already.
>But i should maintain many online user's information and i should not stop
>the service.
>Thanks.

I am not sure what you need to reload, but you can use

   ns_eval [list source filename]

to have the contents of filename sourced into every interp (thanks Rob Mayoff).

At runtime, you can use the nscp module to telnet into AOLserver and execute
commands against it, or you can just add the ns_eval to some protected page


Jerry
====
Jerry Asher  [EMAIL PROTECTED]
1678 Shattuck Avenue Suite 161   Tel: (510) 549-2980
Berkeley, CA 94709   Fax: (877) 311-8688



Re: [AOLSERVER] AOLserver.com relaunched!

2002-03-08 Thread Jerry Asher

Thanks for the hard work involved.

I dunno the realities, but I keep hearing rumors and worries of SF's demise
-- I sure hope there are adequate mirrors somewhere.


Jerry

Jerry Asher  [EMAIL PROTECTED]
1678 Shattuck Avenue Suite 161   Tel: (510) 549-2980
Berkeley, CA 94709   Fax: (877) 311-8688



Re: [AOLSERVER] AOLServer public license ?

2002-03-05 Thread Jerry Asher

I think this is true with the additional prologue:

"If you are distributing your derived work, THEN, "

>The short version is that if you create a derived work, you must allow
>access to the source of your derived work.  If used AOLserver code and
>hacked it to specialize it somehow, then your hacks must be available.  If
>your product only uses AOLserver as a program, and only interfaces with it
>through the network and via modules, then you do not have to provide the
>sources for the programs that organize AOLserver for you, nor for the
>modules.

It's my understanding that you don't have to do anything if the work exists
solely in your labs, or on your own servers, regardless of what your changes
did, or where you made the changes to.


Jerry



====
Jerry Asher  [EMAIL PROTECTED]
1678 Shattuck Avenue Suite 161   Tel: (510) 549-2980
Berkeley, CA 94709   Fax: (877) 311-8688



Re: [AOLSERVER] spat of SourceForge messages

2002-02-26 Thread Jerry Asher

At 06:24 PM 2/26/2002, you wrote:
>What was up with all those SourceForge messages?  Did Kris
>just do a mass-assign to himself for all the open tickets?
>Or did something else happen that I missed ... ?

I think it was the former, but when I got them all, my first thoughts were
that sourceforge was bellying up.


Jerry
====
Jerry Asher  [EMAIL PROTECTED]
1678 Shattuck Avenue Suite 161   Tel: (510) 549-2980
Berkeley, CA 94709   Fax: (877) 311-8688



[AOLSERVER] AOLserver on HPUX: experiences?

2002-02-14 Thread Jerry Asher

We're specing a system and considering using HPUX for a high availability
solution.  (Stratus actually).

I know from http://www.aolserver.com/docs/admin/install.adp, that AOLserver
is "known to have compile and run" on HPUX.

Does anyone run AOLserver in production on HPUX?  What are your experiences
with that?

Thanks,


Jerry
========
Jerry Asher  [EMAIL PROTECTED]
1678 Shattuck Avenue Suite 161   Tel: (510) 549-2980
Berkeley, CA 94709   Fax: (877) 311-8688



[AOLSERVER] And if you thought nsvhr was an inefficient virtual hosting mechanism...

2002-01-07 Thread Jerry Asher

VMware is a wonderful product.  I am also amazed that these days a company
with such a technically hard product, not hardware, to make or support
could get funded.

That said, I was surprised by their newsletter suggestion this morning:

>TECH TIP OF THE MONTH:
>HOSTING SERVICES ON VIRTUAL MACHINES BEHIND VMWARE NAT
>Our users and staff often discover hints and shortcuts that can
>help you get the most from VMware products. This month, our tech
>tip explains how to configure VMware NAT so that your virtual
>machines can provide network services (such as Web and FTP) on
>your public network. NAT enables guest operating systems to share
>the host operating system IP address(es). ...
>Read more about hosting services on
>virtual machines behind VMware NAT at:
>http://vmware1.m0.net/m/s.asp?HB5170575598X1186076X89440X

This is not the solution I would choose if I was concerned about
performance.  I do wonder how well it might work as a chroot alternative.

Jerry
====
Jerry Asher  [EMAIL PROTECTED]
1678 Shattuck Avenue Suite 161   Tel: (510) 549-2980
Berkeley, CA 94709   Fax: (877) 311-8688



Re: [AOLSERVER] Critical filter failed

2002-01-07 Thread Jerry Asher

>Totally agree.  In fact, I think there may be other cases where AS 3.4
>doesn't log Bad Request errors that are internally generated by AS.  I
>have had users do screen shots of Bad Request, yet I can't find them
>in my logs.  Could be stupidity on my part...dunno yet.
>
>Jim

I can confirm that uncaught errors will result in a connection that is not
logged.  And when I examine the logs of the reverse proxy master (aolserver
running nsvhr), you can see the connections there that don't appear in an
aolserver whose connection generated an error.

If I recall that's because access logging itself is implemented as just
another filter and the filter logic is such that an error in any filter
results in the rest of the filters being skipped.

It might be a good thing to have "finally" filters, that are run no matter
what, and I wouldn't mind seeing finer grain control over which filter runs
before which other filters (not just what phase they run in.)

(As an aside, there is other information that may not get logged.  As an
example, anyone who returns their content with ns_write (I believe) and not
ns_return, or not through an ADP page, will have erroneous logging of
amount of content returned.)


Jerry

====
Jerry Asher  [EMAIL PROTECTED]
1678 Shattuck Avenue Suite 161   Tel: (510) 549-2980
Berkeley, CA 94709   Fax: (877) 311-8688
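
One way to find the connections that the message above says go unlogged on the back end: reconcile the reverse proxy's access log against the back-end server's access log. This is an added example, not part of the original post and not AOLserver code; it assumes both servers write Common Log Format, and the log lines, addresses and paths are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# host ident user [timestamp] "request line" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')

# Constructed sample: what the reverse proxy logged.
PROXY_LOG = [
    '192.0.2.10 - - [07/Jan/2002:10:15:01 -0800] "GET /index.adp HTTP/1.0" 200 5120',
    '192.0.2.11 - - [07/Jan/2002:10:15:03 -0800] "POST /upload.adp HTTP/1.0" 500 0',
    '192.0.2.10 - - [07/Jan/2002:10:15:07 -0800] "GET /about.adp HTTP/1.0" 200 2048',
]

# Constructed sample: what the back end logged. The client address is the
# proxy's, so entries can only be matched on request line and time.
BACKEND_LOG = [
    '10.0.0.5 - - [07/Jan/2002:10:15:02 -0800] "GET /index.adp HTTP/1.0" 200 5120',
    '10.0.0.5 - - [07/Jan/2002:10:15:07 -0800] "GET /about.adp HTTP/1.0" 200 2048',
]


def parse_clf(lines):
    """Return (timestamp, request line, status) for each parseable line."""
    entries = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # skip lines that are not Common Log Format
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        entries.append((ts, m.group(3), int(m.group(4))))
    return entries


def unlogged_on_backend(proxy_lines, backend_lines,
                        tolerance=timedelta(seconds=2)):
    """List proxy entries with no back-end entry for the same request.

    Two entries match when the request line is identical and the
    timestamps differ by no more than `tolerance`. Each back-end entry
    is consumed by at most one proxy entry, so repeated requests are
    counted correctly.
    """
    pending = defaultdict(list)
    for ts, request, _status in parse_clf(backend_lines):
        pending[request].append(ts)

    missing = []
    for ts, request, status in parse_clf(proxy_lines):
        candidates = pending[request]
        match = next((b for b in candidates if abs(b - ts) <= tolerance), None)
        if match is None:
            missing.append((ts.isoformat(), request, status))
        else:
            candidates.remove(match)
    return missing
```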



Re: [AOLSERVER] Exposing API's to other modules?

2002-01-03 Thread Jerry Asher

At 11:12 AM 1/3/2002, you wrote:
>I believe nsopenssl conforms to these standards as they are written now.
>The standard you pointed us to covers function naming standards, but makes
>no distinction between functions in the AOLserver core versus functions in
>a module.
>
>
>/s.

Hi Scott, I didn't intend to imply you weren't living these standards.  I
was trying to back up your point that there is value to using these naming
conventions.

I shall weasel by saying that I see the distinction between core vs.
non-core as implicit rather than explicit.  Jim and the other folks, when
writing Naviserver used Ns_ and not Tcl_ so perhaps we all might have clued
in to write our external modules as My_ and not Ns_ and not Tcl_.


Jerry
========
Jerry Asher  [EMAIL PROTECTED]
1678 Shattuck Avenue Suite 161   Tel: (510) 549-2980
Berkeley, CA 94709   Fax: (877) 311-8688



Re: [AOLSERVER] Exposing API's to other modules?

2002-01-03 Thread Jerry Asher

>Is this a big deal? Changing function names just to be consistent may be
>viewed as a waste of time. I don't happen to think so. It helps when I go
>read another module's sources if they follow a style consistent with the
>core stuff. I'm probably outnumbered in this view.

I have worked on several well built systems where, having learned the
naming conventions, I could just about "make up a name to fit the
functionality I was looking for" and then find that that function had
already been written by the developers.

One of Ousterhout's greater contributions was the documentation of his
team's programming standards.  I apologize for ending this message without
the link.  But if they're not there already, maybe the AOLserver.com folks
could link to them from their site.



Jerry
====
Jerry Asher  [EMAIL PROTECTED]
1678 Shattuck Avenue Suite 161   Tel: (510) 549-2980
Berkeley, CA 94709   Fax: (877) 311-8688



Re: [AOLSERVER] How does a module know a GET or POST request was

2001-12-19 Thread Jerry Asher

>If someone says "show me a traffic summary for the last 2 years, by
>week, ordered by blah", it may not be trivial to generate that kind of
>report.  So it does hurt to keep on doing it when no one is listening.
>
>Jim

But is there an efficient way to determine the connection has been
broken?  From what I've seen in the code, AOLserver detects broken
connections the *next* time it tries a write or read of a connection.  When
someone clicks on a bring-your-server-to-the-knees-query, after AOLserver
hands it to your code, nothing else is done on that connection until your
code tries to return a page.  At that point, the write will get a
connection broken error.

Is it possible for a TCP based connection to know when a socket is broken
*as it happens*?  If possible is that an efficient manner to run webserver
based communications?

Jerry

========
Jerry Asher  [EMAIL PROTECTED]
1678 Shattuck Avenue Suite 161   Tel: (510) 549-2980
Berkeley, CA 94709   Fax: (877) 311-8688



Re: [AOLSERVER] enterprise.netscape.com ... hmmm.

2001-12-17 Thread Jerry Asher

At 11:58 AM 12/17/2001, you wrote:
>Hey, Jim and Kris,
>
>Some sales person from Netscape called me asking about their
>Directory Service offering, and in the conversation I said
>"man, the migration path from NES 3.63 to iPlanet 4.x sucks ..."
>and she said "oh, we've got NES 6.0 ... have you looked at it?
>Check it out at enterprise.netscape.com ..." so I did.
>
>Curiously, digging slightly deeper, I found:
>
> $ telnet enterprise.netscape.com 80
> Trying 204.29.187.30...
> Connected to enterprise.aoltw.net.
> Escape character is '^]'.
> HEAD / HTTP/1.0
> Host: enterprise.netscape.com:80
>
> HTTP/1.1 200 OK
> Server: Netscape-Enterprise/6.0 AOL
> Date: Mon, 17 Dec 2001 19:55:03 GMT
> Content-type: text/html
> Content-length: 0
> Connection: close
>
>Netscape-Enterprise/6.0 AOL <-- AOL?
>
>Can my dreams be coming true?  Is NES 6.0 really AOLserver
>in disguise, with the traditional NES web-based GUI admin
>on top of it to configure it?  :-)

Hi Dossy,

I guess I'm too tired, but what is it you see in the above that leads you
to believe this may be AOLserver incognito?


Jerry

Jerry Asher  [EMAIL PROTECTED]
1678 Shattuck Avenue Suite 161   Tel: (510) 549-2980
Berkeley, CA 94709   Fax: (877) 311-8688



Re: [AOLSERVER] SCRIPT_NAME and PATH_INFO

2001-12-15 Thread Jerry Asher

I believe this is a known bug:
http://sourceforge.net/tracker/index.php?func=detail&aid=230479&group_id=3152&atid=103152.

Uh, not to beat a dead horse, I submitted that bug to AOL as it was reported
in the ArsDigita forums. Unfortunately, in the no good deed goes unpunished
department, the one charming comment from the AOL team was that they don't
follow such links when tracking bug reports.  So I don't know if it has ever
been looked at or not.

Apologies

Jerry



Re: [AOLSERVER] We've made a code change, would like opinions as to is this a good or bad idea...

2001-12-07 Thread Jerry Asher

I've developed one of the more popular virtual hosting solutions -- without
giving your solution too much thought, it seems reasonable and clever.

Jerry

At 12:42 PM 12/7/2001, you wrote:
>At BNA we have a problem with use of AOLserver in terms of
>how it handles the Location parameter value.  The Location
>is a fixed value that is a "global constant" for the
>AOLserver process.
>
>In our virtual hosting environment on our production
>machines this a problem.  The problem is as follows:
>
>The machine host name is >>> xyz.bna.com
>One of many virtual host names is >>> productA.bna.com
>User requests >>>  http://productA.bna.com/
>(notice that there is no / at the end of the user request)
>
>According to spec AOLserver should redirect to the complete
>url.
>Wanted behavior is a redirect to >>>
>http://productA.bna.com//
>
>actual behavior is a redirect to >>>
>http://xyz.bna.com//
>
>Our location is the machine name because we can only set
>one.  But one location is not sufficient for our needs.  I
>am aware of the many different Virtual Hosting solutions
>that are proposed for AOLserver.  But we found a way to fix
>our problem without actually needing to use any of the
>currently specified Virtual Hosting approaches.  I would
>like to get your opinion on our approach to solving our
>problem.
>
>In nsd/return.c we have modified the function
>Ns_ConnReturnRedirect.  Please note the additional block of
>code marked with a "ZZZ BNA" comment.  What this does is
>return the user specified host name in preference to the
>Location value.  This solves our particular problem.  It is
>not a Virtual Hosting solution per se, but it does solve our
>problem.
>
>My question is: Do any of you who know the code better than
>we do think this is a dangerous thing to do?  If so where
>should I look in the code to see the danger?  Our testing
>has shown no problems with this change, at least not so far!
>
>Here is the modified source code:
>
>int
>Ns_ConnReturnRedirect(Ns_Conn *conn, char *url)
>{
>    Ns_DString ds, msg;
>    int        result;
>    char      *host;
>
>    Ns_DStringInit(&ds);
>    Ns_DStringInit(&msg);
>    if (url != NULL) {
>        if (*url == '/') {
>            /*
>             * ZZZ BNA - we look for a host entry before defaulting
>             * to the location value.
>             */
>            host = Ns_SetGet(conn->headers, "Host");
>            if (host) {
>                Ns_DStringAppend(&ds, "http://");
>                Ns_DStringAppend(&ds, host);
>            } else {
>                Ns_DStringAppend(&ds, Ns_ConnLocation(conn));
>            }
>        }
>        Ns_DStringAppend(&ds, url);
>        Ns_HeadersPut(conn, "Location", ds.string);
>        Ns_DStringVarAppend(&msg, "<A HREF=\"", ds.string,
>                            "\">The requested URL has moved here.</A>", NULL);
>        result = Ns_ReturnNotice(conn, 302, "Redirection", msg.string);
>    } else {
>        result = Ns_ReturnNotice(conn, 204, "No Content", msg.string);
>    }
>    Ns_DStringFree(&msg);
>    Ns_DStringFree(&ds);
>    return result;
>}
>
>Thanks for the help!
>
>/pgw
>Greg Wolff
>[EMAIL PROTECTED]


Jerry Asher  [EMAIL PROTECTED]
1678 Shattuck Avenue Suite 161   Tel: (510) 549-2980
Berkeley, CA 94709   Fax: (877) 311-8688
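
On the "is this dangerous?" question in the message above: the Host header is client-controlled, so copying it into Location lets a request choose where the redirect points and, if it carries CR/LF, what other headers follow. The sketch below is an added example, not AOLserver or BNA code; it only uses the header to select one of the server's own configured names. The function names, the vhost list and the second host name are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Host header syntax: letters, digits, '.', '-' and an optional ":port".
 * Anything else (CR/LF, spaces, '/', '@', ...) is rejected outright. */
static int host_syntax_ok(const char *host)
{
    size_t i, n, digits = 0;
    long port = 0;

    if (host == NULL) return 0;
    n = strlen(host);
    if (n == 0 || n > 255) return 0;
    for (i = 0; i < n && host[i] != ':'; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!isalnum(c) && c != '.' && c != '-') return 0;
    }
    if (i == 0) return 0;              /* nothing before the ':' */
    if (i == n) return 1;              /* no port given */
    for (i++; i < n; i++, digits++) {
        if (digits >= 5 || !isdigit((unsigned char)host[i])) return 0;
        port = port * 10 + (host[i] - '0');
    }
    return digits > 0 && port >= 1 && port <= 65535;
}

/* ASCII case-insensitive string equality. */
static int eq_nocase(const char *a, const char *b)
{
    while (*a && *b &&
           tolower((unsigned char)*a) == tolower((unsigned char)*b)) {
        a++;
        b++;
    }
    return *a == '\0' && *b == '\0';
}

/* Build the Location value for a server-relative url.  The Host header is
 * used only to pick an entry from the configured vhost list, and the
 * configured spelling (never the client's bytes) is what gets written.
 * Returns 1 if a vhost matched, 0 if the fallback location was used,
 * -1 if the result did not fit in out. */
int redirect_location(const char *host_header,
                      const char *const *vhosts, size_t nvhosts,
                      const char *fallback, const char *url,
                      char *out, size_t outlen)
{
    const char *base = NULL;
    size_t i;
    int n;

    if (host_syntax_ok(host_header)) {
        for (i = 0; i < nvhosts; i++) {
            if (eq_nocase(host_header, vhosts[i])) {
                base = vhosts[i];
                break;
            }
        }
    }
    if (base != NULL)
        n = snprintf(out, outlen, "http://%s%s", base, url);
    else
        n = snprintf(out, outlen, "%s%s", fallback, url);
    if (n < 0 || (size_t)n >= outlen) return -1;
    return base != NULL;
}

/* Constructed sample data: productA.bna.com and xyz.bna.com are the names
 * used in the post; productB.bna.com is made up for the example. */
static const char *const VHOSTS[] = { "productA.bna.com", "productB.bna.com" };
#define FALLBACK "http://xyz.bna.com"

/* Returns 1 when the Location built for host_header equals expected. */
int demo_redirect(const char *host_header, const char *expected)
{
    char loc[512];

    if (redirect_location(host_header, VHOSTS, 2, FALLBACK, "/docs/",
                          loc, sizeof loc) < 0)
        return 0;
    return strcmp(loc, expected) == 0;
}

int main(void)
{
    const char *samples[] = { "productA.bna.com", "unknown.example",
                              "productA.bna.com\r\nX-Injected: 1" };
    char loc[512];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int used = redirect_location(samples[i], VHOSTS, 2, FALLBACK,
                                     "/docs/", loc, sizeof loc);
        printf("host used: %d -> Location: %s\n", used, loc);
    }
    return 0;
}
```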



Re: [AOLSERVER] AOLserver 4 - Win32 not supported?

2001-11-09 Thread Jerry Asher

The decision to drop Win32 has been kicking around for some time now.

My interpretation of the chat two weeks ago was that dropping Win32 support
should make it easier to make AOLserver more robust and maybe faster in the
UNIX environments.  It will definitely make it an easier application to
support.

For the *nix users, that's a great win, and the large reason I support
dropping Win32 support.

That said, I'd love to see a cygwin port, and perhaps that's something that
our win32 community can strive to provide.


Jerry
========
Jerry Asher  [EMAIL PROTECTED]
1678 Shattuck Avenue Suite 161   Tel: (510) 549-2980
Berkeley, CA 94709   Fax: (877) 311-8688



[AOLSERVER] AOLserver license and legality of creating proprietary modules....?

2001-11-02 Thread Jerry Asher

I apologize for stumbling over the legalese in the license: (MPL 1.1)
http://www.aolserver.com/license/

Would someone sum up the legality of a party, not AOL, creating,
distributing, and selling, a proprietary AOLserver module?

I have been asked to help develop a piece of network glue, and gosh, it
would appear to really benefit from being made from AOLserver, plus a
variety of C or Tcl modules.

I certainly want to support AOLserver.  I would plan on contributing
changes to AOLserver itself back to AOLserver, while encapsulating the new
network glue in its own module.

I don't know who the end client is, and so I don't know if they intend to
sell the software, or just services based on their own internal
application.  I do know they would want to own the module that implements
the core piece of their service, and I suspect they really don't want to
own anything but that.  It is conceivable they would be happy to link to or
mirror the AOLserver distribution while selling the nsglue module.

Is this behavior

A)  encouraged
B)  tolerated
C)  illegal
D)  ??

If A) or B) is there a guide to practical working with the MPL in spirit as
well as in letter?

Thank you,


Jerry Asher


========
Jerry Asher  [EMAIL PROTECTED]
1678 Shattuck Avenue Suite 161   Tel: (510) 549-2980
Berkeley, CA 94709   Fax: (877) 311-8688



Re: [AOLSERVER] AOLServer for Windows file hosting...

2001-10-29 Thread Jerry Asher

Daniel,

Rant away.  We all need to let off steam now and again.

I do have a completely different perspective.  AOLserver on Win2K?  When in
Rome, dude.  I think that if Win2K is a requirement you should be thinking
IIS or Apache, that's what most everyone is using on that platform.  And
the AOLServer community is small as it is.  To be successful at AOLserver
and Win2K, you will definitely need to be C proficient, and probably *nix
proficient as well.  You're going to be a test pilot.

As an aside, after twenty years of not getting source with the software I
require, and not being able to fix show stopper bugs, what a joy it is to
have the source once more.  I literally feel like I can breathe once more.

That's not to say that the open source / linux world doesn't have problems
dealing with installation dealing with numbers of libraries, complexity of
interactions, quality, versioning, etc.  I'd love to try gnucash (will
quicken ever offer an undo feature, or (emacs) lossage, or an accountant's
journal, all of which are needed when your two year old starts banging on
your keyboard?) but here's what gnucash says about the issue:

>For many, if not most, users of GNU/Linux, the installation of the latest
>(1.6.x) versions of GnuCash requires a substantial effort to
>install/upgrade dozens of supporting libraries. Although the effort
>depends on the distribution and on your experience, it has proved to be
>overwhelming and impossible for many, many users. Unless you feel quite
>confident in your abilities, and are willing to take the time to diagnose
>install problems on your own, it is recommended that you not upgrade to
>gnucash-1.6, but rather, wait until your favorite distribution includes
>gnucash-1.6 by default.

Best of luck in your endeavors!  I hope you avoid the fate of many test
pilots, and have no streets named after you.


Jerry
====
Jerry Asher  [EMAIL PROTECTED]
1678 Shattuck Avenue Suite 161   Tel: (510) 549-2980
Berkeley, CA 94709   Fax: (877) 311-8688



Re: [AOLSERVER] Resolution! RE: [AOLSERVER] segmentation violation: gdb stack trace WAS RE: [AOLSERVER] Trying to debug a C module?

2001-10-27 Thread Jerry Asher

At 01:32 PM 10/27/01, you wrote:
>Thanks to the weekly chat on AOLServer hosted every Thursday:
>
>* used libefence to locate a large for loop with an for loop that was
>populating a malloc structure, that was causing access to unallocated
>memory.

Can you expand on that a bit.  What was involved in linking libefence in?


Thanks,


Jerry

========
Jerry Asher  [EMAIL PROTECTED]
1678 Shattuck Avenue Suite 161   Tel: (510) 549-2980
Berkeley, CA 94709   Fax: (877) 311-8688



Re: [AOLSERVER] Returning complex data from Oracle stored procedure...?

2001-10-24 Thread Jerry Asher

>On Wed, Oct 24, 2001 at 02:18:08PM -0400, Lane Wimberley wrote:
> > Hello, AolServants!

Hmm, that doesn't sound so good.  How about AOLSavants?

Jerry

========
Jerry Asher  [EMAIL PROTECTED]
1678 Shattuck Avenue Suite 161   Tel: (510) 549-2980
Berkeley, CA 94709   Fax: (877) 311-8688



Re: [AOLSERVER] Trying to debug a C module?

2001-10-21 Thread Jerry Asher

Part of the problem I have had in debugging modules is getting that the
symbols of the module are loaded at runtime, not at link time.

So

my gdbinit contains:

set args -d -s theashergroup -ft /web/aol33/theashergroup.tcl -u theashergroup -g web
handle 13 nostop pass
file /web/aol33/bin/nsd8x


Then I start aolserver under gdb
gdb


Set a break at nsd/modload.c/NsLoadModules()

break NsLoadModules


Then run

and when you hit NsLoadModules, step through it.  Your module will
eventually be loaded and its initproc run with a call to Ns_ModuleLoad.


Have fun,


Jerry



Jerry Asher  [EMAIL PROTECTED]
1678 Shattuck Avenue Suite 161   Tel: (510) 549-2980
Berkeley, CA 94709   Fax: (877) 311-8688



Re: [AOLSERVER] Updated the "Sites That Run On AOLserver" wiki

2001-10-20 Thread Jerry Asher

I think you're both right.

It's interesting to see what netcraft does when you remove your
headers.  It's got three or four things that it tries to generate different
responses from your server.  Older ACS versions did remove the server
header, inadvertently I am pretty sure.

So amongst other things, netcraft would come GET /, and annoyed with
no server header, it would try GET /xyzzy, which would get an AOLserver
generated 404 that DID contain the server header.

I think netcraft has some other tricks up its sockets.

Anyway, if you're going to remove the header, grep ALL your code, including
CGI.


Jerry

====
Jerry Asher  [EMAIL PROTECTED]
1678 Shattuck Avenue Suite 161   Tel: (510) 549-2980
Berkeley, CA 94709   Fax: (877) 311-8688



Re: [AOLSERVER] 3.4, idle thread timeout broken on Linux

2001-10-17 Thread Jerry Asher

>This shows (I think) that if you currently have N threads active, no
>threads will timeout if there are N hits in threadtimeout seconds, at
>least on a Linux box, because the thread scheduling is FIFO instead of
>LIFO.  On one of our production server, we are up to around 26 active
>threads.  I don't think there is any value for threadtimeout that would
>make threads actually time-out.

That could be, I don't know how Linux wakes things up, BUT,

>I dunno if there is a way to make Linux/pthreads/AS/... wakeup threads
>in LIFO order instead of FIFO.  Anyone else know?

From what I recall of how threads are started and killed, well, if this is
a concern of yours, then another way to skin that cat might be to alter the
logic in nsthread and conn.c maintaining a ratio of active threads to total
threads, and to start killing threads off when the ratio becomes too low.


Jerry
========
Jerry Asher  [EMAIL PROTECTED]
1678 Shattuck Avenue Suite 161   Tel: (510) 549-2980
Berkeley, CA 94709   Fax: (877) 311-8688



Re: [AOLSERVER] AOLserver complies with HTTP minimums?

2001-10-17 Thread Jerry Asher

At 11:16 AM 10/17/01, Peter M. Jansson wrote:
>On Wednesday, October 17, 2001, at 02:09 PM, Jerry Asher wrote:
>>Ah, well while revealing internal names and such, what's "Magic Carpet
>>Engineering?"
>I'm not revealing anything that hasn't been published elsewhere:
>
>http://www.zdnet.com/eweek/stories/general/0,11011,2797243,00.html

Thanks for the link, and please accept my apology: I didn't mean to imply
you were revealing anything sensitive or confidential.


Jerry

========
Jerry Asher  [EMAIL PROTECTED]
1678 Shattuck Avenue Suite 161   Tel: (510) 549-2980
Berkeley, CA 94709   Fax: (877) 311-8688



Re: [AOLSERVER] AOLserver complies with HTTP minimums?

2001-10-17 Thread Jerry Asher

At 11:07 AM 10/17/01, you wrote:
>On Wednesday, October 17, 2001, at 01:29 PM, Jerry Asher wrote:
>>What's the screen name service?
>Screen Name Service is AOL's service-wide authentication scheme -- you see
>it when you log in to the AOL web site to pick up mail or use the Java AIM
>applet.

Ah, well while revealing internal names and such, what's "Magic Carpet
Engineering?"


Jerry

========
Jerry Asher  [EMAIL PROTECTED]
1678 Shattuck Avenue Suite 161   Tel: (510) 549-2980
Berkeley, CA 94709   Fax: (877) 311-8688



Re: [AOLSERVER] AOLserver complies with HTTP minimums?

2001-10-17 Thread Jerry Asher

At 10:22 AM 10/17/01, you wrote:
>Hi there,
>
>in Screen Name Service, we're currently investigating a problem regarding the
>truncation/dropping of HTTP headers when they're becoming too big or too many
>for the client or the server to handle.
>
>Just wanted to ask you guys if you know of any limitations of AOLserver in
>this regard. Especially, do you guys support the following minimums for both
>incoming and
>outgoing headers:
>
> * 4K characters per HTTP header line
> * 16K characters total for all HTTP header lines
> * 100 HTTP header lines

The first two settings are all settable through the config.tcl.  In
particular, the defaults are 8K chars per line (MAXLINE) and 16K chars
total for all HTTP header lines (MAXHEADERS).  A brief inspection of
aolserver/nsd/conn.c/ns_connreadheaders doesn't reveal any limit on the
number of HTTP header lines.

What's the screen name service?


Jerry

====
Jerry Asher  [EMAIL PROTECTED]
1678 Shattuck Avenue Suite 161   Tel: (510) 549-2980
Berkeley, CA 94709   Fax: (877) 311-8688



[AOLSERVER] Possible AOLserver Denial Of Service...?

2001-10-14 Thread Jerry Asher

I haven't nailed down the minimal case, but I have encountered what appears
to be a possible AOLserver Denial of Service

It appears that ns_returnfile will not timeout, but will hold a connection
open in perpetuity.

Here's what I observe:

1.  OpenACS 3.2.5 has a module, SDM, that registers a proc to
 handle downloads of various "releases" (most likely a tar file).

2.  That proc will call ns_returnfile to return the file.

3.  The proc will then go on to insert various entries into a db,
 logging the download.

4.  Tailing the server log, and using IE 5.5, I visited the SDM module
 and instigate a download.  Relatively immediately, IE 5.5 pops up
 a dialog box titled "File Download" and asking me if I wish to
 Open this file from its current location, or download it to disk.

5.  I leave the room, pop open a coke, and flip channels looking for
 an early John Wayne flick (for some reason they are rampant after
 1:30am on the freebie (free as in commercial) cable channels).

6.  It's at least ten minutes later, and no joy on the TV front.
 I can't find an X-Files rerun, a Quantum Leap Rerun, or a
 Buffy rerun.  Xena is on, but it jumped the shark long ago.
 What I wouldn't give to find a cable channel with Maverick on,
 but I haven't found Maverick on in fifteen years.  No, what we
 do have is:

http://tv.yahoo.com/grid?lineup=us_CA60321&genres=0&dur=&starttime=1003057200&.intl=us
NIKP 53 Cheers TVG, CC Cheers TVG, CC Cheers TVG, CC Cheers TVG, CC Cheers
TVG, CC Cheers TVG, CC NIKP 53

 Yes, Nik is showing 7 1/2 straight hours of Sam, Diane, and Woody.
 I think I've seen this Twilight Zone that I am now taking part in.

 Life sucks tonight. I return to the damned computer, click
 [Cancel], and then observe the tailed server log initiate
 the database inserts using what now appears to be a very old
 connection number.

Is that ns_returnfile combined with my TV viewing holding that connection
resource?  (I believe so.)  Can this be used to force a DOS on an AOLserver?

Scenario: I have a tcl proc on my attacker AOLServer fork 200
threads.  Each thread visits YOUR MACHINE, where it visits a URL on your
machine known to invoke ns_returnfile.  The thread then does nothing: I
guess it opens the connection, but doesn't read any of the bytes.  After
100 or so of these attempts, your AOLserver has no more connections to give
to legitimate requests. DOS.

Would this work?  Have I missed something?  (Well I did miss Blazing
Saddles, D'oh!)

Am I right to think that ns_returnfile should have a timeout?

Do you know where I can still find Bart, Beau, and Brett?  (Apart from a
planet 42 lightyears away?)


Jerry

Jerry Asher  [EMAIL PROTECTED]
1678 Shattuck Avenue Suite 161   Tel: (510) 549-2980
Berkeley, CA 94709   Fax: (877) 311-8688
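
On the closing question in the message above, whether returning a file should have a timeout: the sketch below is an added example, not AOLserver code. It bounds the total time a worker spends writing to one client, so a peer that accepts the connection and then never reads cannot pin the thread. The function names and the socketpair stand-in for the stalled browser are assumptions; the deadline is for the whole send rather than per write, so a client that drains one byte at a time is also cut off.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <time.h>
#include <unistd.h>

#ifndef MSG_NOSIGNAL
#define MSG_NOSIGNAL 0
#endif

enum { SEND_OK = 0, SEND_ERROR = -1, SEND_TIMEOUT = -2 };

/* Monotonic clock in milliseconds, unaffected by wall-clock changes. */
static long now_ms(void)
{
    struct timespec ts;

    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (long)ts.tv_sec * 1000L + ts.tv_nsec / 1000000L;
}

/* Write len bytes to fd, giving up once deadline_ms has elapsed in total.
 * The socket is switched to non-blocking mode and left that way. */
int send_with_deadline(int fd, const char *buf, size_t len, int deadline_ms)
{
    long end = now_ms() + deadline_ms;
    int flags = fcntl(fd, F_GETFL, 0);

    if (flags < 0 || fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0)
        return SEND_ERROR;

    while (len > 0) {
        struct pollfd p;
        long left;
        int r;
        ssize_t n = send(fd, buf, len, MSG_NOSIGNAL);

        if (n > 0) {                       /* made progress, keep going */
            buf += n;
            len -= (size_t)n;
            continue;
        }
        if (n < 0 && errno == EINTR)
            continue;
        if (n < 0 && errno != EAGAIN && errno != EWOULDBLOCK)
            return SEND_ERROR;             /* reset, broken pipe, ... */

        /* Kernel send buffer is full: the peer is not reading.  Wait for
         * room, but only for whatever is left of the overall deadline. */
        left = end - now_ms();
        if (left <= 0)
            return SEND_TIMEOUT;
        p.fd = fd;
        p.events = POLLOUT;
        p.revents = 0;
        r = poll(&p, 1, (int)left);
        if (r == 0)
            return SEND_TIMEOUT;
        if (r < 0 && errno != EINTR)
            return SEND_ERROR;
        if (r > 0 && (p.revents & (POLLERR | POLLHUP | POLLNVAL)))
            return SEND_ERROR;
    }
    return SEND_OK;
}

/* Constructed demo: one end of a socketpair plays the browser sitting on the
 * "File Download" dialog; it stays open but never reads. */
int demo_stalled_client(size_t payload_len, int deadline_ms)
{
    int sv[2], rc;
    char *payload;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return SEND_ERROR;
    payload = calloc(1, payload_len);
    if (payload == NULL) {
        close(sv[0]);
        close(sv[1]);
        return SEND_ERROR;
    }
    rc = send_with_deadline(sv[0], payload, payload_len, deadline_ms);
    free(payload);
    close(sv[0]);
    close(sv[1]);
    return rc;
}

int main(void)
{
    /* A small reply fits in the kernel buffer; a large one cannot. */
    printf("64 bytes: %d\n", demo_stalled_client(64, 200));
    printf("8 MiB:    %d\n", demo_stalled_client(8u * 1024u * 1024u, 200));
    return 0;
}
```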



Re: [AOLSERVER] config confusion

2001-09-29 Thread Jerry Asher

At 05:42 AM 9/29/01, you wrote:
>On 2001.09.29, Jim Wilcoxson <[EMAIL PROTECTED]> wrote:
> > But it doesn't seem to buy anything to have users waiting on a connection
> > queue vs. waiting on the socket listen queue, except they have a different
> > message on their browser status line.
>
>Are you saying that maxconnections isn't setting the socket listen
>queue size?
>
>-- Dossy

I say that maxconnections sets the number of connections that can be
accepted, backlog sets the socket listen queue size, I don't know what
causes the server to hang.

That's what we want to find out!

http://www.city-net.com/abbottandcostellofc/whoscrip.htm


Jerry

====
Jerry Asher  [EMAIL PROTECTED]
1678 Shattuck Avenue Suite 161   Tel: (510) 549-2980
Berkeley, CA 94709   Fax: (877) 311-8688



Re: [AOLSERVER] config confusion

2001-09-28 Thread Jerry Asher

Jim this writeup is great.

What you write coincides with my own analyses two months ago when upgrading
nsunix to AOLserver 3.3.

If I understand your question then my guess as to the advantage of
accepting connections even when there are no threads available is thus:

1.  We know it's the typical case that you can have 100 connections and only
 ten threads, so by default you have to be able to accept more connections
 than threads.

2.  Connections can block for i/o (waiting for the 300 baud dial up user using
 a 20 year old trs-100), so you would want a thread to be able to handle
 more than one connection.

3.  If you aren't being slashdotted and the high traffic is temporary, then
 accepting the connection and holding onto it until a thread becomes
 available probably keeps the browser from timing out more often than
 in the case where the connection isn't accepted until a thread becomes
 available.

>I don't quite understand the value of accepting connections even
>though there is no thread available to service the request (this
>occurs if maxconnections > maxthreads).  From my point of view as a
>webmaster, I will probably set maxconnections and maxthreads equal.
>This way, if a browser hits our site and no thread is available, the
>user will see "contacting blah.com" during the delay and assume there
>is some network problem.  If I set maxconnections > maxthreads and
>maxthreads is too low, users will see "blah.com contacted, waiting for
>reply" and it'll look like our site is slow.  Okay - a bit deceitful.


Jerry


Jerry Asher  [EMAIL PROTECTED]
1678 Shattuck Avenue Suite 161   Tel: (510) 549-2980
Berkeley, CA 94709   Fax: (877) 311-8688



Re: [AOLSERVER] command line -g isn't used in exec.

2001-09-28 Thread Jerry Asher

This sounds related to bug: 425401
http://sourceforge.net/tracker/index.php?func=detail&aid=425401&group_id=3152&atid=103152.
Or rather, I wonder if the patch supplied for that bug helps out your issue.

Jerry

"supplementary groups not set/cleared
nsd/nsmain.c does not drop/set supplementary groups
before changing user ID. This can lead to a security
breach."

and

"Think that changing user id is missing additional steps. I have
AOLServer 3.2 + ad12 running as user nsadmin
 - but the umask for operations done by the server is not the
002 that is nsadmin's umask, but instead 022
like root. I tried setting umask by including it in the wrapper
script I use to set Oracle environment
variables:

#!/bin/sh

umask 002
. /etc/shell-mods.sh
exec `dirname $0`/nsd $*

And operations like opening a file handle, writing a file, and
closing the handle give me files with group write
permission. nscp gives me a file without group write. In both
cases, the group for the file is set correctly (is
the group set by the -g flag, not root's group
"other")."

Tom Jackson writes:

> I start aolserver with:
>
> #!/bin/sh
> sleep 3
> exec /web/scripts/bin/nsd -it /web/control/scripts/nsd.tcl -u nsadmin -g
> web
>
> As the nsadmin user:
> nsadmin$ groups
> nsadmin web
>
> The tcl script:
>
> set groups [exec groups]
>
> returns just 'nsadmin'
>
> Scripts which require the group to be web do not work.
> My /etc/passwd file has the primary group for nsadmin as nsadmin
>
> To get things working, I had to change the primary group to web.
>
> Is this expected? I was thinking the command line would set the group.
>
> --Tom Jackson
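
The bug report quoted above says the supplementary groups are not dropped or set before the user ID changes. The sketch below is an added example, not the nsd/nsmain.c code or the patch from the tracker: it shows the usual order for a daemon started as root (group list, then gid, then uid) and a check that nothing inherited from root is left. The function names and the numeric gids in the demo are assumptions; a server that wants the account's own /etc/group memberships would call initgroups() where this uses setgroups().

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE            /* setgroups() in <grp.h> on glibc */
#endif
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Count the entries of a group list that are not in the allowed set. */
int unexpected_groups(const gid_t *have, int nhave,
                      const gid_t *allowed, int nallowed)
{
    int i, j, bad = 0;

    for (i = 0; i < nhave; i++) {
        for (j = 0; j < nallowed && have[i] != allowed[j]; j++)
            ;
        if (j == nallowed)
            bad++;
    }
    return bad;
}

/* Drop from root to uid/gid.  Order matters: the supplementary list and the
 * gid can only be changed while still root, so the uid goes last.
 * Returns 0 on success, -1 if any step or the final verification fails. */
int drop_privileges(uid_t uid, gid_t gid)
{
    gid_t now[64];
    int n;

    if (setgroups(1, &gid) != 0)   /* replace the list inherited from root */
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;

    /* Verify instead of assuming: root must not be recoverable, every id
     * must be the requested one, and no other group may remain. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    n = getgroups(64, now);
    if (n < 0 || unexpected_groups(now, n, &gid, 1) != 0)
        return -1;
    return 0;
}

/* Constructed sample: the group list a process started by root might still
 * hold after a bare setuid(), checked against the one group asked for on
 * the command line.  All gid values here are made up. */
int demo_leftover_groups(int dropped_properly)
{
    const gid_t inherited[] = { 0, 4, 6, 500 };
    const gid_t clean[] = { 500 };
    const gid_t wanted[] = { 500 };

    return dropped_properly ? unexpected_groups(clean, 1, wanted, 1)
                            : unexpected_groups(inherited, 4, wanted, 1);
}

int main(void)
{
    gid_t now[64];
    gid_t egid = getegid();
    int n = getgroups(64, now);

    /* Audit the current process the same way drop_privileges() does. */
    if (n >= 0)
        printf("groups beyond egid %ld: %d\n", (long)egid,
               unexpected_groups(now, n, &egid, 1));
    printf("constructed: leaked=%d clean=%d\n",
           demo_leftover_groups(0), demo_leftover_groups(1));
    return 0;
}
```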



Re: [AOLSERVER] The -s command line option

2001-09-27 Thread Jerry Asher

>What would be the difference between [source filename] and
>[ns_include filename]?

Hmm, I guess about three characters.


Jerry


====
Jerry Asher  [EMAIL PROTECTED]
1678 Shattuck Avenue Suite 161   Tel: (510) 549-2980
Berkeley, CA 94709   Fax: (877) 311-8688



Re: [AOLSERVER] The -s command line option

2001-09-27 Thread Jerry Asher

At 05:09 PM 9/27/01, you wrote:
>On 2001.09.27, Jim Wilcoxson <[EMAIL PROTECTED]> wrote:
> > Guess I will make 8 small shell scripts, set an environment variable
> > differently in each one, use $env(blah) to do the conditional stuff...
>
>Why not create 8 different nsd.tcl-like files?  The common bits can
>be extracted out into a separate .tcl file that gets sourced from
>each of the 8 different files.  So, you'll end up with 9 files,
>and the functionality you want without any mess or requiring an
>AOLserver code change.
>
>Plus, it'll be easier to maintain, this way.

Since AOLserver 3.3 came out, I've been thinking that an

ns_include 

command might be very handy in this situation.

Still I am sorry to say that I believe AOLs response to the bug reports was
more typical of the old AOLserver attitude towards the community than what
I was hoping was a friendlier attitude that I had been seeing.


Jerry

====
Jerry Asher  [EMAIL PROTECTED]
1678 Shattuck Avenue Suite 161   Tel: (510) 549-2980
Berkeley, CA 94709   Fax: (877) 311-8688



Re: [AOLSERVER] Query variables starting with an underscore?

2001-09-27 Thread Jerry Asher

At 04:37 PM 9/27/01, you wrote:
>Hi all,
>
>one of our partners has reported a problem with AOLserver and query variables
>starting with underscores ... do you guys know anything about this?
>Unfortunately, i don't know which version they're using, just want to give it
>a try:
>
>"With the AOL server (TCL) is there a limitation that the variable that
>is posted via HTTP cannot begin with an underscore ( _ ) ? Can I not
>post, for e.g. "_p_thisvariable=helloworld"?"
>
>Does anybody know?

There's a bit of an ambiguity in your question.  Is it POSTs or GETs they
are having a problem?  Regardless, I do not believe this to be true as of
AOLserver 3.3.  (And much much earlier I am sure)

Test a GET yourself:

  http://www.theashergroup.com/junk/test.tcl?_p_thisvariable=helloworld

Now make a POST form, and test that too:

  http://www.theashergroup.com/junk/make-post.html


Jerry



Jerry Asher  [EMAIL PROTECTED]
1678 Shattuck Avenue Suite 161   Tel: (510) 549-2980
Berkeley, CA 94709   Fax: (877) 311-8688



Re: [AOLSERVER] The -s command line option

2001-09-27 Thread Jerry Asher

At 04:01 PM 9/27/01, you wrote:
>I am a bit confused about -s .  What is this supposed to do?

Sadly, and empirically, I have determined that since AOLserver 3.3,
that option has retroactively been written to annoy you.  It was a
meaningful option in AOLserver's 3.0, 3.1, and 3.2 and many folks wrote
code that does just what you see to do, but this code broke in AOLserver 3.3.

Bug reports and patches were supplied at sourceforge (by users), but the
AOLserver support team determined that uniform support for this feature
within the AOLserver 3.x series was not a good idea.

Several users have asked AOLserver for support for this feature in the
AOLserver 4 series, and AOLserver has been quiet about their intentions
thus far.

Regrets,


Jerry


>If I use multiple -s options, the code at nsmain.c/212 catches that error.
>
>But if I don't use any -s option and completely remove the ns/servers
>section, things still work.  I expected an error because of the code at
>nsmain.c/475:
>
>    /*
>     * Determine the server to run.
>     */
>
>    if (server != NULL) {
>        if (Ns_ConfigGet(NS_CONFIG_SERVERS, server) == NULL) {
>            Ns_Fatal("nsmain: no such server '%s'", server);
>        }
>    } else {
>        Ns_Set *set;
>
>        set = Ns_ConfigGetSection(NS_CONFIG_SERVERS);
>        if (set == NULL || Ns_SetSize(set) != 1) {
>            Ns_Fatal("nsmain: no server specified: "
>                     "specify '-s' parameter or specify "
>                     NS_CONFIG_SERVERS " in config file");
>        }
>        server = Ns_SetKey(set, 0);
>    }
>    nsconf.server = nsServer = server;
>
>What I want is to be able to pass an argument to allow conditional
>execution of the nsd.tcl file, but I don't want to duplicate every
>ns/server//xxx section of the file to do that.
>
>Use an environment variable and execute nsd from a shell script??
>
>I know there was a discussion about the -s option a while back, but
>I looked through all my email/SF and couldn't find it.
>
>Thanks for any guidance,
>Jim


Jerry Asher  [EMAIL PROTECTED]
1678 Shattuck Avenue Suite 161   Tel: (510) 549-2980
Berkeley, CA 94709   Fax: (877) 311-8688



[AOLSERVER] nimda has dropped dramatically for me, you?

2001-09-27 Thread Jerry Asher

Instead of getting thousands of hits per hour, I am today only getting tens
of hits per hour.

Have you folks seen a similar drop-off?  Does anyone have an explanation
for such a drop-off?


Jerry

Jerry Asher  [EMAIL PROTECTED]
1678 Shattuck Avenue Suite 161   Tel: (510) 549-2980
Berkeley, CA 94709   Fax: (877) 311-8688



[AOLSERVER] analyzing and troubleshooting mysterious crashes

2001-09-27 Thread Jerry Asher

>For mysterious crashes with no explanation, it's probably due to data
>corrupted by blown stacks.

99% of all the crashes I experience leave as their final grin this error
message:

   "ns_realloc: could not allocate %d bytes"

Invariably, this message comes at a time in which I would have thought
there was still plenty of SWAP space left on the machine.  The message
itself comes from aolserver/thread/ns_realloc.

What this tells me is that:

A)  It would be very nice to have a forum and poll (at aolserver.com?) in
 which developers/users can interact specifically about mysterious crash
 issues, detail the symptoms they see and "vote" on which ones are the
 most frequent.

B)  I would love to see a -define DBG_MEMORY compile time option that would
 help trace down this issue and other memory/stack related issues.  When
 compiled in, we could either get a trace of what modules, what pages, or what
 filters or procs are triggering the call to ns_realloc, and also get a
 snapshot of various structures within the system to help us understand
 why realloc or Ns_ThreadRealloc failed at that time.

Thanks,

Jerry
========
Jerry Asher  [EMAIL PROTECTED]
1678 Shattuck Avenue Suite 161   Tel: (510) 549-2980
Berkeley, CA 94709   Fax: (877) 311-8688



Re: [AOLSERVER] Hm ... hm ... let's try again :-)

2001-09-26 Thread Jerry Asher

At 08:59 AM 9/26/01, you wrote:
>From: Brian Fenton <[EMAIL PROTECTED]>
>
> > I hope Teo was only joking
> >about his impending death if his webserver falls over, you never can tell
> >with the kind of clients around these days. ;-)
>
>Perhaps it is a server keeping his pacemaker running...

Well AOLserver does have keepalive support.

Jerry
====
Jerry Asher  [EMAIL PROTECTED]
1678 Shattuck Avenue Suite 161   Tel: (510) 549-2980
Berkeley, CA 94709   Fax: (877) 311-8688



Re: [AOLSERVER] POST of binary data

2001-09-20 Thread Jerry Asher

>The standard content-types for query data are multipart/form-data and
>application/x-www-form-urlencoded.  What content type are you seeing?

I am not sure the content type, this is following up a bug report to nsvhr
(suggesting that nsvhr didn't work with binary posts), but I know the
problem is not nsvhr's and I was just getting a bit further into what the
actual problem might be.

>You can get the POST data into a file using ns_conncptofp.  Then, using
>Tcl 8, you can examine the file and deal with any binary data.

To do this though, am I right in thinking a script must not call
ns_getform unless the POST is multipart/form-data OR urlencoded?


Jerry




========
Jerry Asher  [EMAIL PROTECTED]
1678 Shattuck Avenue Suite 161   Tel: (510) 549-2980
Berkeley, CA 94709   Fax: (877) 311-8688



[AOLSERVER] POST of binary data

2001-09-20 Thread Jerry Asher

I'm a bit muddleheaded this morning.

Do the RFC's allow POSTing binary data using a content type of anything but
multipart/form-data?  Looking at RFC 2616 at the moment, I see nothing that
makes the answer clear.

If ns_getform sees something that is not multipart/form-data, it collects
using ns_conn form.  It seems that ns_conn form calls
conn.c/ns_conngetquery which begets ns_querytoset which begets
Ns_DecodeUrlCharset which looks for a NULL to determine the end of a string.

So it appears that form.tcl/ns_getform (and hence AOLserver) requires
binary data to be sent as multipart/form-data, but I am curious about the
RFCs.  There appear to be certain applications that post binary data using
other content types, are those applications broken, or is it AOLserver itself?

Thanks,


Jerry
========
Jerry Asher  [EMAIL PROTECTED]
1678 Shattuck Avenue Suite 161   Tel: (510) 549-2980
Berkeley, CA 94709   Fax: (877) 311-8688



Re: [AOLSERVER] AOLserver operational issues

2001-09-20 Thread Jerry Asher

>
>Your analysis seems spot-on to me.  I just thought this would be a quick
>hack to see if the tcl scripts are the culprit.  Even starting multiple
>threads at starting, you'll still take a hit if you have to crank up
>another thread during the life of the process.  I'm just trying to get a
>handle on likely avenues of attack for solutions.  Starting up a thread
>should be more heavyweight than forking a CGI, so I'm trying to get a
>handle on whether thread startup is heavy, and how, if at all, it can be
>mitigated.

I don't know how big an interp is, and I assume that anything that takes 3
seconds to init must be fairly large.  But if they are reasonably smallish
(though time-consuming to init) you could precreate more interps than
threads, and then when new threads are created they will not have to
undergo the interp startup penalty.


Jerry

========
Jerry Asher  [EMAIL PROTECTED]
1678 Shattuck Avenue Suite 161   Tel: (510) 549-2980
Berkeley, CA 94709   Fax: (877) 311-8688



Re: [AOLSERVER] AOLserver operational issues

2001-09-20 Thread Jerry Asher

>
>In the absence of information about sharing compiled Tcl objects between
>interpreters, I can't see a way to address the memory footprint issue
>right now, but we could see if the thread startup issue helps in terms of
>time and maybe memory.

I came in on this late and missed the first posting, but won't hesitate
(sorry) to toss in my 2 cents.

If your plan works, wouldn't that do a great deal to address the memory
issues?  The "enormous string" will be shared in nsv form, and each interp
will only have those functions it uses.

On the other hand, assuming that:

1.  you only define functions that are used at some time in your application
2.  your interps are never destroyed

I don't know if either of those are valid assumptions.  But regarding 2, from a
quick examination of the code in aolserver/nsd/tclinit.c, it doesn't appear to
me that interps are EVER destroyed UNLESS you specifically call
ns_markfordelete within your application or unless you call ns_eval in your
application and hand ns_eval something that it barfs on.

greps for markfordelete and for destroyinterp appear to reveal that nothing
in AOLserver ever deletes an interp.

So in the long run (but what is the long run), every interp will have every
function.

So while you are certainly distributing that 2-3 second per interp startup
cost over time, you aren't eliminating it.

If any of this is accurate, wouldn't another strategy just be to create a
reasonable number of threads in the beginning (using minthreads), or
to create a new parameter (mininterps) that precreates that many interps
at startup?

I'm not saying what you guys want to do is wrong in any manner, I'm just
trying to understand how AOLserver works and what applications rl_proc will
be useful for.

Thanks,


Jerry


Jerry Asher  [EMAIL PROTECTED]
1678 Shattuck Avenue Suite 161   Tel: (510) 549-2980
Berkeley, CA 94709   Fax: (877) 311-8688



[AOLSERVER] Bug in nsvhr/nsunix: fixed....

2001-09-19 Thread Jerry Asher

Joshua Ginsberg reported a bug in nsvhr/nsunix: POSTs of binary data may
fail with the first NULL. (I called Ns_DStringAppend instead of
Ns_DStringNAppend)

Thank you Joshua!

The bug can be fixed with the patch I am including below.

If this patch gets munged in the email, you can find it at:

http://theashergroup.com/bboard/q-and-a-fetch-msg.tcl?msg_id=0G


Jerry



Index: nsvhr.c
===
RCS file: /cvs/ad33.13/aolserver/nsvhr/nsvhr.c,v
retrieving revision 1.2
retrieving revision 1.3
diff -r1.2 -r1.3
37c37
< static const char *RCSID = "@(#) $Header:
/cvs/ad33.13/aolserver/nsvhr/nsvhr.c,v 1.2 2001/08/30 05:33:44 jerry Exp $,
compiled: " __DATE__ " " __TIME__;
---
 > static const char *RCSID = "@(#) $Header:
/cvs/ad33.13/aolserver/nsvhr/nsvhr.c,v 1.3 2001/09/19 10:57:03 jerry Exp $,
compiled: " __DATE__ " " __TIME__;
1277c1277
< // Ns_LogDumpString(Dev, buffer, numRead);
---
 > Ns_LogDumpString(Dev, buffer, numRead);
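Review bot: the 1277 hunk re-enables the commented-out Ns_LogDumpString(Dev, buffer, numRead) call, which reads like debugging left in from chasing the bug rather than part of the fix. As written it dumps every raw buffer that is read into the log at Dev level, so POST bodies (form passwords, uploaded file contents) end up in the server log whenever Dev logging is on. Suggest leaving the line commented out in this commit, or putting it behind an explicit debug switch.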
1279c1279
<   Ns_DStringAppend(&request, buffer);
---
 >   Ns_DStringNAppend(&request, buffer, numRead);
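Review bot: at 1279 the switch to Ns_DStringNAppend(&request, buffer, numRead) is the right call for binary data, but the hunk does not show how numRead is checked. Please confirm that a zero or negative read result is handled before this line, since the count is now passed straight through as the length. It is also worth checking that nothing later handles request as a C string (strlen, a %s in a log format), or the body will still be cut at the first NUL further down the path.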
1316c1316
< Ns_Log(Dev, "nsvhr: sending to unix:%s on socket %d: %d [%s:%d] bytes.",
---
 > Ns_Log(Dev, "nsvhr: sending to unix:%s on socket %d: %d bytes.
[%s:%d] ",




Jerry Asher  [EMAIL PROTECTED]
1678 Shattuck Avenue Suite 161   Tel: (510) 549-2980
Berkeley, CA 94709   Fax: (877) 311-8688
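
The truncation at the first NUL described in this fix, and in the ns_getform question in the "POST of binary data" message, shown as an added C example that is not code from nsvhr or AOLserver. Buf, buf_append, buf_nappend, relay and the sample body are hypothetical stand-ins for the Ns_DString calls and the proxy read loop.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in request buffer with an explicit length (hypothetical; this is
 * not AOLserver's Ns_DString code). */
typedef struct { char data[1024]; size_t len; } Buf;

/* Counted append: copies exactly n bytes, embedded NULs included. */
static int buf_nappend(Buf *b, const char *src, size_t n) {
    if (n >= sizeof b->data - b->len) return -1;   /* no room: refuse */
    memcpy(b->data + b->len, src, n);
    b->len += n;
    b->data[b->len] = '\0';
    return 0;
}

/* C-string append: strlen() picks the length, so the copy stops at the
 * first NUL in src. Models the pre-fix call. */
static int buf_append(Buf *b, const char *src) {
    return buf_nappend(b, src, strlen(src));
}

/* Constructed sample body: 12 bytes with NULs at offsets 4 and 9. */
static const char SAMPLE[12] = { 'G','I','F','8', 0, 1, 2, 3, 'd', 0, 't','a' };

/* Simulate the proxy read loop, `chunk` bytes per read (1..256), and
 * return how many body bytes would be forwarded to the back end. */
size_t relay(const char *body, size_t len, size_t chunk, int counted) {
    Buf request = { .len = 0 };
    char buffer[257];
    if (chunk == 0 || chunk > 256) return 0;
    for (size_t off = 0; off < len; off += chunk) {
        size_t num_read = len - off < chunk ? len - off : chunk;
        memcpy(buffer, body + off, num_read);
        buffer[num_read] = '\0';   /* keeps strlen() in bounds for the demo */
        int rc = counted ? buf_nappend(&request, buffer, num_read)
                         : buf_append(&request, buffer);
        if (rc != 0) break;
    }
    return request.len;
}

int main(void) {
    printf("c-string: %zu of 12 bytes, counted: %zu of 12 bytes\n",
           relay(SAMPLE, 12, 5, 0), relay(SAMPLE, 12, 5, 1));
    return 0;
}
```

With the C-string append, how much is lost depends on where the read boundaries fall, so the same upload can be cut differently from one request to the next; comparing the forwarded byte count with Content-Length catches it.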



Re: [AOLSERVER] Conn threads dying spontaneously

2001-09-17 Thread Jerry Asher

The only time I've ever seen anything remotely like that was in nsunix for
AOLserver 3.0, and 3.2.  There was a bug in nsd/drv.c where it tried to
close a socket, setting it to -1 (which it thought denoted INVALID_SOCKET).
Unfortunately it was using the wrong structure and just so happened to be
poking a -1 into a location in which -1 means, oh goody, let's shut the
server down!

If you aren't using nsunix or some odd communications driver that relies on
drv.c/RunDriver (iirc), then that problem should not be affecting you, and
again, I've never seen the behavior you describe.

Jerry

Sean Owen writes:

> The nssock notice is apparently benign. (I found the code after all. I
> needed to include .cpp files in my grep.)
>
> Here's the real problem. Under heavy load, we're consistently getting this
> behavior: The server suddenly kills all its conn threads (but not the
> aolserver system threads), and does not reopen them without being restarted
> manually. This happens across 4 servers, at approximately the same time,
> after about 40 minutes.
>
> Our load test peaks at 15 minutes, and our cache timeouts are set to 60
> seconds. The app continues to work fine until about the 40 minute point
> each time, before deciding to kill all its threads.
>
> No errors are reported.
>
> Does anyone have any idea what could cause this to happen?
>
> Thanks,
> Sean



Re: [AOLSERVER] Notice: nssock: server ready - resuming

2001-09-17 Thread Jerry Asher

It's in nssock/sock.cpp/SockReady.

I saw most of what you saw in load tests when rebuilding nsunix for
AOLserver 3, except I didn't notice the server killing all of its
connection threads.  In other words, I saw the message, but the system
still seemed to respond fine.  In fact, the system responded so well (as
far as I could tell) that I changed the Notice to a Debug.

This on GNU/Linux Red Hat 6.1.

Jerry

At 02:38 PM 9/17/01, you wrote:
>All,
>
>Has anyone seen this output in the logs before?
>
>"Notice: nssock: server ready - resuming"
>
>We're running some load tests, and our machines get flooded with these (one
>per connection thread, per second at times) under sustained heavy load.
>
>Eventually, the server just kills all its connection threads and doesn't
>reopen them without a restart.
>
>I grepped through the source, but could find this output nowhere in the
>codebase.
>
>Any ideas?
>
>Thanks,
>Sean


Jerry Asher  [EMAIL PROTECTED]
1678 Shattuck Avenue Suite 161   Tel: (510) 549-2980
Berkeley, CA 94709   Fax: (877) 311-8688



Re: [AOLSERVER] nsv vs. ns_cache vs. ns_share

2001-09-10 Thread Jerry Asher

At 07:28 PM 9/10/01, you wrote:
>+-- On Sep 10, Jerry Asher said:
> > Modifying the table becomes lengthy, you need to verify on your platform
> > that you can swap a pointer in an atomic operation, readers can get old
> > values for some period of time, but readers never have to lock the table.
>
>Consider this:
>
> reader is accessing table A, uses whole time slice and gets
> preempted; it has pointers to table A internals in registers/stack
>
> writer copies table A to table B, makes table B active
>
> writer copies table B to table A, makes table A active
>
> reader gets CPU back, is still accessing table A but A's internals
> have been changed, reader gets SIGSEGV

I'm not sure.  It's true that the writer shouldn't just free the table -- I
guess that readers need to refcount it (and unrefcount it), and I'm not
sure how that's done or what that does in terms of overhead.   But I would
think that if it's a tcl coordinated refcounted table, it wouldn't go away
if the reading routine has inc'd its ref count, the reader is just reading
from a table that "newer" readers wouldn't be reading from.

There does need to be some algorithm to reclaim storage from refcount 0
tables and to keep track of them.  I'm not sure how Tcl does that.

Or I might be all wet.


Jerry


Jerry Asher  [EMAIL PROTECTED]
1678 Shattuck Avenue Suite 161   Tel: (510) 549-2980
Berkeley, CA 94709   Fax: (877) 311-8688
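
One way to realize the refcounted table swap discussed in this exchange, as an added C example that is not taken from AOLserver or Tcl. Table, table_acquire, table_release and table_set are hypothetical names, and it assumes a short mutex around the pointer and the counts only; lookups on a pinned table take no lock.

```c
#include <pthread.h>
#include <stdlib.h>
#include <string.h>

typedef struct { int refs, retired, vals[8]; } Table;  /* one snapshot */

static pthread_mutex_t table_lock = PTHREAD_MUTEX_INITIALIZER;
static Table *current_table;  /* snapshot that new readers will pin */
static int freed_count;       /* demo instrumentation only */

/* Reader: pin the current snapshot. The lock covers only the pointer
 * load and the count, not the lookups that follow. */
Table *table_acquire(void) {
    pthread_mutex_lock(&table_lock);
    Table *t = current_table;
    if (t != NULL) t->refs++;
    pthread_mutex_unlock(&table_lock);
    return t;
}

/* Reader done: the last one out frees a snapshot the writer retired. */
void table_release(Table *t) {
    pthread_mutex_lock(&table_lock);
    int last = (--t->refs == 0 && t->retired);
    if (last) freed_count++;
    pthread_mutex_unlock(&table_lock);
    if (last) free(t);
}

/* Writer: copy, change the copy, publish it, retire the old snapshot.
 * Old memory is never rewritten and is freed only at refcount 0. */
int table_set(size_t i, int v) {
    Table *nt = calloc(1, sizeof *nt);
    if (nt == NULL || i >= 8) { free(nt); return -1; }
    pthread_mutex_lock(&table_lock);
    Table *old = current_table;
    if (old != NULL) memcpy(nt->vals, old->vals, sizeof nt->vals);
    nt->vals[i] = v;
    current_table = nt;
    int reclaim = (old != NULL && old->refs == 0);
    if (old != NULL) old->retired = 1;
    if (reclaim) freed_count++;
    pthread_mutex_unlock(&table_lock);
    if (reclaim) free(old);
    return 0;
}
```

A reader that pinned a table before two successive table_set calls keeps reading its original values, and that table is freed only when the reader calls table_release. Pinning without any lock would need hazard pointers or epoch-based reclamation instead of a plain count.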


