[PATCH] ProxyAddXHeaders for mod_proxy
Hi list,

for those of us who are using Apache HTTPD as an internet proxy (a combination of forward and reverse proxy modes) it's important that requests going to the remote servers (which are not known backends but anonymous boxes in this case) would look the same independently of whether the original request came in reverse or forward fashion. Currently mod_proxy_http adds X-Forwarded-* headers unconditionally when we have a reverse proxy request and never for forward proxy requests.

The attached patch adds a new ProxyAddXHeaders directive with the possible options On|Off|ReverseOnly, the latter option remaining the default in order not to break compatibility with current configurations. With this option it is possible to always add X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Server headers for both reverse and forward proxy modes, for reverse proxy only, or not to add them at all.

Comments and suggestions are welcome.

-- Dziugas Baltrunas

Index: docs/manual/mod/mod_proxy.html.en === --- docs/manual/mod/mod_proxy.html.en (revision 512643) +++ docs/manual/mod/mod_proxy.html.en (working copy) @@ -83,6 +83,7 @@ liimg alt= src=../images/down.gif / a href=#proxyrequestsProxyRequests/a/li liimg alt= src=../images/down.gif / a href=#proxytimeoutProxyTimeout/a/li liimg alt= src=../images/down.gif / a href=#proxyviaProxyVia/a/li +liimg alt= src=../images/down.gif / a href=#proxyaddxheadersProxyAddXHeaders/a/li /ul h3Topics/h3 ul id=topics
@@ -1168,11 +1169,33 @@ /ul /div +div class=topa href=#page-headerimg alt=top src=../images/up.gif //a/div +div class=directive-sectionh2a name=ProxyAddXHeaders id=ProxyAddXHeadersProxyAddXHeaders/a a name=proxyaddxheaders id=proxaddxheadersDirective/a/h2 +table class=directive +trtha href=directive-dict.html#DescriptionDescription:/a/thtdInformation provided in codeX-Forwarded-For/code, +codeX-Forwarded-Host/code and codeX-Forwarded-Server/code headers./td/tr +trtha href=directive-dict.html#SyntaxSyntax:/a/thtdcodeProxyAddXHeaders On|Off|ReverseOnly/code/td/tr +trtha href=directive-dict.html#DefaultDefault:/a/thtdcodeProxyAddXHeaders ReverseOnly/code/td/tr +trtha href=directive-dict.html#ContextContext:/a/thtdserver config, virtual host/td/tr +trtha href=directive-dict.html#StatusStatus:/a/thtdExtension/td/tr +trtha href=directive-dict.html#ModuleModule:/a/thtdmod_proxy/td/tr +/table +pThis directive controls the use of the codeX-Forwarded-For/code, codeX-Forwarded-Host/code and codeX-Forwarded-Server/code headers./p +ul +liIf set to codeReverseOnly/code, which is the default, codeX-Forwarded-*/code headers are only added when +we have a reverse proxy request./li + +liIf set to codeOn/code, codeX-Forwarded-*/code headers are added both for reverse and forward proxy requests./li + +liIf set to codeOff/code, no codeX-Forwarded-*/code headers are added for either reverse or forward proxy requests./li + +/ul /div +/div div class=bottomlang pspanAvailable Languages: /spana href=../en/mod/mod_proxy.html title=Englishnbsp;ennbsp;/a | a href=../ja/mod/mod_proxy.html hreflang=ja rel=alternate title=Japanesenbsp;janbsp;/a/p /divdiv id=footer p class=apacheCopyright 2006 The Apache Software Foundation.br /Licensed under the a href=http://www.apache.org/licenses/LICENSE-2.0;Apache License, Version 2.0/a./p p class=menua href=../mod/Modules/a | a href=../mod/directives.htmlDirectives/a | a href=../faq/FAQ/a | a href=../glossary.htmlGlossary/a | a 
href=../sitemap.htmlSitemap/a/p/div -/body/html \ No newline at end of file +/body/html Index: modules/proxy/mod_proxy_http.c === --- modules/proxy/mod_proxy_http.c (revision 512643) +++ modules/proxy/mod_proxy_http.c (working copy) @@ -699,7 +699,7 @@ * ProxyVia option for details. */ -if (PROXYREQ_REVERSE == r-proxyreq) { +if (conf-x_fwd_for == x_fwd_on || (conf-x_fwd_for == x_fwd_reverse PROXYREQ_REVERSE == r-proxyreq)) { const char *buf; /* Add X-Forwarded-For: so that the upstream has a chance to @@ -711,7 +711,9 @@ /* Add X-Forwarded-Host: so that upstream knows what the * original request hostname was. */ -if ((buf = apr_table_get(r-headers_in, Host))) { +buf = PROXYREQ_REVERSE == (PROXYREQ_REVERSE == r-proxyreq) ? + apr_table_get(r-headers_in, Host) : r-hostname; +if (buf) { apr_table_mergen(r-headers_in, X-Forwarded-Host, buf); } Index: modules/proxy/mod_proxy.c === --- modules/proxy/mod_proxy.c (revision 512643) +++ modules/proxy/mod_proxy.c (working copy) @@ -870,6 +870,8 @@ ps-timeout_set = 0; ps-badopt = bad_error; ps-badopt_set = 0; +ps-x_fwd_for = x_fwd_reverse; +ps-x_fwd_for_set
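Review bot: in the documentation hunk at @@ -1168,11 +1169,33 @@ the second anchor is written "a name=proxyaddxheaders id=proxaddxheaders", so the id is missing a "y" and matches neither the name next to it nor the "href=#proxyaddxheaders" entry added to the directive list at @@ -83,6 +83,7 @@. The id should read proxyaddxheaders. The Description row ("Information provided in X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Server headers") also describes the headers rather than the directive; something like "Controls whether X-Forwarded-* headers are added to proxied requests" would match the paragraph under the table.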
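Review bot: in the mod_proxy_http.c hunk at @@ -711,7 +711,9 @@ the new condition reads PROXYREQ_REVERSE == (PROXYREQ_REVERSE == r->proxyreq), which compares the constant with the result of the inner comparison instead of with r->proxyreq, so the choice between the Host header and r->hostname does not follow the request type. A single (PROXYREQ_REVERSE == r->proxyreq) test, as used in the condition at @@ -699,7 +699,7 @@, is what is wanted here.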
Module Crashes if built as a shared object
Hi all,

One of my Apache modules crashes if it is used as a shared module but works fine if it is built as a static module. Also, it was working fine as a shared module before I upgraded to kernel 2.6 and glibc 2.3.4. Following is the backtrace:

(gdb) bt
#0 0xe410 in __kernel_vsyscall ()
#1 0xb7d43bbb in pthread_setspecific () from /lib/libpthread.so.0
#2 0x080c92de in child_main (child_num_arg=0) at worker.c:1258
#3 0x080c9434 in make_child (s=0x8109270, slot=0) at worker.c:1341
#4 0x080c9cbc in ap_mpm_run (_pconf=0x81020a8, plog=0x814c1d0, s=0x8109270) at worker.c:1543
#5 0x080686b8 in main (argc=6, argv=0xbfafb7d4) at main.c:717

Can anyone help?

Regards
Manmeet Singh
[ANNOUNCEMENT] - curl-loader version 0.26 released
Hi, curl-loader is a performance testing, traffic generating HTTP/S and FTP/S tool, using protocol stack of libcurl/openssl, and simulating thousands of clients, each with its own src-IP. Client activities, errors and statistics are logged. Auth-login, unlimited download urls and logoff are easily configurable. http://sourceforge.net/projects/curl-loader -- Sincerely, Robert Iakobashvili, coroberti %x40 gmail %x2e com ... Navigare necesse est, vivere non est necesse ...
Re: util_ldap.c use of hardcoded sizelimit on ldap_search_ext_s causing error
Sorry for the delay. We use our own z/OS specific SDK. There is also a Tivoli SDK, [see Eric Covener's appends and http://issues.apache.org/bugzilla/attachment.cgi?id=19394 waiting for input], which shares some commonality with z/OS (Tivoli can accept the -1 without a problem, but it acts like 0).

Thoughts are:

1) LDAP_HAS_ZOS_LDAPSDK isn't an apache define yet. (The Tivoli append adds a LDAP_HAS_TIVOLI_LDAPSDK to apu-conf.m4, and we would do similar). So if it shouldn't be put in svn yet skip the top 3 lines and what we're left with isn't much different than the original hardcoded -1, but at least it puts some doc in the code about what's going on.

#ifdef LDAP_HAS_ZOS_LDAPSDK
#define LDAP_LIMIT_VALUE LDAP_NO_LIMIT
#else
#ifdef LDAP_DEFAULT_LIMIT
#define LDAP_LIMIT_VALUE LDAP_DEFAULT_LIMIT
#else
#define LDAP_LIMIT_VALUE -1 /* equivalent to LDAP_DEFAULT_LIMIT */
#endif
#endif

2) Or the flipside, assuming everyone else who defines 0 and not -1 wants to use 0:

#ifdef LDAP_HAS_NOVELL_LDAPSDK
#define LDAP_LIMIT_VALUE -1
#else
#ifdef LDAP_DEFAULT_LIMIT
#define LDAP_LIMIT_VALUE LDAP_DEFAULT_TIME
#else
#ifdef LDAP_NO_LIMIT
#define LDAP_LIMIT_VALUE LDAP_NO_LIMIT
#else
#define LDAP_LIMIT_VALUE -1
#endif
#endif
#endif

3) Or maybe moving it and defining an APR_LDAP_DEFAULT_SIZELIMIT instead of keeping it in util_ldap.c

4) Or some complicated(?) conf magic that would involve getting a handle and then calling ldap_set_option(ldap, LDAP_OPT_SIZELIMIT, -1); and setting APR_LDAP_DEFAULT_SIZELIMIT to -1 or 0 accordingly.

On 2/23/07, Brad Nicholes [EMAIL PROTECTED] wrote:
What LDAP client SDK does z/OS use? (Novell, OpenLDAP, Netscape, Other???)
Brad

On 2/22/2007 at 12:52 PM, in message [EMAIL PROTECTED], David Jones [EMAIL PROTECTED] wrote:
It's the z/OS, has LDAP_NO_SIZELIMIT defined. Does not have nor support LDAP_DEFAULT_SIZELIMIT

On 2/22/07, Brad Nicholes [EMAIL PROTECTED] wrote:
On 2/22/2007 at 7:12 AM, in message [EMAIL PROTECTED], David Jones [EMAIL PROTECTED] wrote:
How about something along these lines? It assumes there is nobody with LDAP_DEFAULT_LIMIT undefined AND LDAP_NO_LIMIT defined, but still supports and wishes to use the -1 value.

--- util_ldap.c.defaultlimitWed Feb 21 16:08:51 2007 +++ util_ldap.c.nolimit Thu Feb 15 12:50:09 2007 @@ -52,15 +52,9 @@ #define LDAP_CA_TYPE_BASE64 2 #define LDAP_CA_TYPE_CERT7_DB 3 -#ifdef LDAP_DEFAULT_LIMIT -#define LDAP_LIMIT_VALUE LDAP_DEFAULT_LIMIT -#else -#ifndef LDAP_NO_LIMIT /* Have neither LDAP_DEFAULT_LIMIT or LDAP_NO_LIMIT */ -#define LDAP_LIMIT_VALUE -1 -#else /* Have LDAP_NO_LIMIT, but not LDAP_DEFAULT_LIMIT */ -#define LDAP_LIMIT_VALUE LDAP_NO_LIMIT -#endif /* !LDAP_NO_LIMIT */ -#endif /* LDAP_DEFAULT_LIMIT */ +#ifndef LDAP_NO_LIMIT +#define LDAP_NO_LIMIT -1 +#endif module AP_MODULE_DECLARE_DATA ldap_module; @@ -680,7 +674,7 @@ /* search for reqdn */ if ((result = ldap_search_ext_s(ldc-ldap, (char *)reqdn, LDAP_SCOPE_BASE, (objectclass=*), NULL, 1, -NULL, NULL, NULL, LDAP_LIMIT_VALUE, res)) +NULL, NULL, NULL, LDAP_NO_LIMIT, res)) == LDAP_SERVER_DOWN) { ldc-reason = DN Comparison ldap_search_ext_s() @@ -958,7 +952,7 @@ if ((result = ldap_search_ext_s(ldc-ldap, (char *)basedn, scope, (char *)filter, attrs, 0, -NULL, NULL, NULL, LDAP_LIMIT_VALUE, res)) +NULL, NULL, NULL, LDAP_NO_LIMIT, res)) == LDAP_SERVER_DOWN) { ldc-reason = ldap_search_ext_s() for user failed with server down;
@@ -1198,7 +1192,7 @@ if ((result = ldap_search_ext_s(ldc-ldap, (char *)basedn, scope, (char *)filter, attrs, 0, -NULL, NULL, NULL, LDAP_LIMIT_VALUE, res)) +NULL, NULL, NULL, LDAP_NO_LIMIT, res)) == LDAP_SERVER_DOWN) { ldc-reason = ldap_search_ext_s() for user failed with server down; Maybe I missed this before, but what platform or LDAP SDK does this fail on? The Novell LDAP SDK obviously supports LDAP_DEFAULT_SIZELIMIT (-1) and according to the OpenLDAP source code, it also supports the same functionality if the value of sizelimit is -1 even though it does not specifically define LDAP_DEFAULT_SIZELIMIT. I don't know what the Netscape or Microsoft SDKs support other than the fact that we have been passing those SDKs the same -1 value without a problem. I believe that the only reason why we see the hardcoded -1 rather than a #define is simply because not all
Re: [PATCH] ProxyAddXHeaders for mod_proxy
Hi, list,

attaching same patch with small correction to the one submitted previously (was unnecessary double check for PROXYREQ_REVERSE). Patch is for httpd-2.2.x branch.

On 2/28/07, Dziugas Baltrunas [EMAIL PROTECTED] wrote:
Hi list, for those of us who are using Apache HTTPD as an internet proxy (a combination of forward and reverse proxy modes) it's important that requests going to the remote servers (which are not known backends but anonymous boxes in this case) would look the same independently of whether the original request came in reverse or forward fashion. Currently mod_proxy_http adds X-Forwarded-* headers unconditionally when we have a reverse proxy request and never for forward proxy requests. The attached patch adds a new ProxyAddXHeaders directive with the possible options On|Off|ReverseOnly, the latter option remaining the default in order not to break compatibility with current configurations. With this option it is possible to always add X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Server headers for both reverse and forward proxy modes, for reverse proxy only, or not to add them at all. Comments and suggestions are welcome.
-- Dziugas Baltrunas

-- Dziugas Baltrunas

Index: docs/manual/mod/mod_proxy.html.en === --- docs/manual/mod/mod_proxy.html.en (revision 512643) +++ docs/manual/mod/mod_proxy.html.en (working copy) @@ -83,6 +83,7 @@ liimg alt= src=../images/down.gif / a href=#proxyrequestsProxyRequests/a/li liimg alt= src=../images/down.gif / a href=#proxytimeoutProxyTimeout/a/li liimg alt= src=../images/down.gif / a href=#proxyviaProxyVia/a/li +liimg alt= src=../images/down.gif / a href=#proxyaddxheadersProxyAddXHeaders/a/li /ul h3Topics/h3 ul id=topics
@@ -1168,11 +1169,33 @@ /ul /div +div class=topa href=#page-headerimg alt=top src=../images/up.gif //a/div +div class=directive-sectionh2a name=ProxyAddXHeaders id=ProxyAddXHeadersProxyAddXHeaders/a a name=proxyaddxheaders id=proxaddxheadersDirective/a/h2 +table class=directive +trtha href=directive-dict.html#DescriptionDescription:/a/thtdInformation provided in codeX-Forwarded-For/code, +codeX-Forwarded-Host/code and codeX-Forwarded-Server/code headers./td/tr +trtha href=directive-dict.html#SyntaxSyntax:/a/thtdcodeProxyAddXHeaders On|Off|ReverseOnly/code/td/tr +trtha href=directive-dict.html#DefaultDefault:/a/thtdcodeProxyAddXHeaders ReverseOnly/code/td/tr +trtha href=directive-dict.html#ContextContext:/a/thtdserver config, virtual host/td/tr +trtha href=directive-dict.html#StatusStatus:/a/thtdExtension/td/tr +trtha href=directive-dict.html#ModuleModule:/a/thtdmod_proxy/td/tr +/table +pThis directive controls the use of the codeX-Forwarded-For/code, codeX-Forwarded-Host/code and codeX-Forwarded-Server/code headers./p +ul +liIf set to codeReverseOnly/code, which is the default, codeX-Forwarded-*/code headers are only added when +we have a reverse proxy request./li + +liIf set to codeOn/code, codeX-Forwarded-*/code headers are added both for reverse and forward proxy requests./li + +liIf set to codeOff/code, no codeX-Forwarded-*/code headers are added for either reverse or forward proxy requests./li + +/ul /div +/div div class=bottomlang pspanAvailable Languages: /spana href=../en/mod/mod_proxy.html title=Englishnbsp;ennbsp;/a | a href=../ja/mod/mod_proxy.html hreflang=ja rel=alternate title=Japanesenbsp;janbsp;/a/p /divdiv id=footer p class=apacheCopyright 2006 The Apache Software Foundation.br /Licensed under the a href=http://www.apache.org/licenses/LICENSE-2.0;Apache License, Version 2.0/a./p p class=menua href=../mod/Modules/a | a href=../mod/directives.htmlDirectives/a | a href=../faq/FAQ/a | a href=../glossary.htmlGlossary/a | a 
href=../sitemap.htmlSitemap/a/p/div -/body/html \ No newline at end of file +/body/html Index: modules/proxy/mod_proxy_http.c === --- modules/proxy/mod_proxy_http.c (revision 512643) +++ modules/proxy/mod_proxy_http.c (working copy) @@ -699,7 +699,7 @@ * ProxyVia option for details. */ -if (PROXYREQ_REVERSE == r-proxyreq) { +if (conf-x_fwd_for == x_fwd_on || (conf-x_fwd_for == x_fwd_reverse PROXYREQ_REVERSE == r-proxyreq)) { const char *buf; /* Add X-Forwarded-For: so that the upstream has a chance to @@ -711,7 +711,8 @@ /* Add X-Forwarded-Host: so that upstream knows what the * original request hostname was. */ -if ((buf = apr_table_get(r-headers_in, Host))) { +buf = (PROXYREQ_REVERSE == r-proxyreq) ? apr_table_get(r-headers_in, Host) : r-hostname; +if (buf) { apr_table_mergen(r-headers_in, X-Forwarded-Host, buf); } Index: modules/proxy/mod_proxy.c === --- modules/proxy/mod_proxy.c (revision 512643)
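Review bot: the documentation added at @@ -1168,11 +1169,33 @@ says only that On adds the headers "both for reverse and forward proxy requests" and does not mention what that discloses. In forward mode the receiving servers are arbitrary hosts rather than the operator's own backends, and X-Forwarded-For gives them the client's address, so the On entry should state this so an administrator can decide whether the disclosure is acceptable. The "id=proxaddxheaders" misspelling is also still present in this revision.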
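Review bot: at @@ -711,7 +711,8 @@ the value is still added with apr_table_mergen on r->headers_in, so an X-Forwarded-Host that the client already sent is kept and the proxy's value is appended after it. With On this now happens for forward requests too, where the receiver has no relationship with the proxy; the directive documentation should say that only the last element of each X-Forwarded-* header was written by this proxy and that earlier elements are client-supplied.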
Re: Small patch to ab apr_socket_recv error handling
ok, final patch, this one also adds in Content-Length: 0 when keep alive is used. somehow, most containers will not do keep alive unless there is a content length header. Filip Filip Hanik - Dev Lists wrote: hi Aaron, I added in the -r command line options, to not exit out on apr_socket_recv errors. Patch attached Filip Index: ab.c === --- ab.c(revision 511976) +++ ab.c(working copy) @@ -258,6 +258,7 @@ /* - GLOBALS */ int verbosity = 0; /* no verbosity by default */ +int recverrok = 0; int posting = 0;/* GET by default */ int requests = 1; /* Number of requests to make */ int heartbeatres = 100; /* How often do we say we're alive */ @@ -1330,9 +1331,19 @@ /* catch legitimate fatal apr_socket_recv errors */ else if (status != APR_SUCCESS) { err_except++; /* XXX: is this the right error counter? */ -/* XXX: Should errors here be fatal, or should we allow a - * certain number of them before completely failing? -aaron */ -apr_err(apr_socket_recv, status); +if ( recverrok ) { +bad++; +close_connection(c); +if ( verbosity = 1 ) { +char buf[120]; +fprintf(stderr,%s: %s (%d)\n,apr_socket_recv, apr_strerror(status, buf, sizeof buf), status); +} +return; +} else { +/* XXX: Should errors here be fatal, or should we allow a + * certain number of them before completely failing? -aaron */ +apr_err(apr_socket_recv, status); +} } } @@ -1559,7 +1570,7 @@ (posting == 0) ? GET : HEAD, (isproxy) ? fullurl : path, AP_AB_BASEREVISION, -keepalive ? Connection: Keep-Alive\r\n : , +keepalive ? Connection: Keep-Alive\r\nContent-Length: 0\r\n : , cookie, auth, host_field, colonhost, hdrs); } else { 
@@ -1819,6 +1830,7 @@ fprintf(stderr, -S Do not show confidence estimators and warnings.\n); fprintf(stderr, -g filename Output collected data to gnuplot format file.\n); fprintf(stderr, -e filename Output CSV file with percentages served\n); +fprintf(stderr, -r Don't exit on apr_socket_recv errors.\n); fprintf(stderr, -h Display usage information (this message)\n); #ifdef USE_SSL fprintf(stderr, -Z ciphersuite Specify SSL/TLS cipher suite (See openssl ciphers)\n); @@ -1981,7 +1993,7 @@ #endif apr_getopt_init(opt, cntxt, argc, argv); -while ((status = apr_getopt(opt, n:c:t:b:T:p:v:kVhwix:y:z:C:H:P:A:g:X:de:Sq +while ((status = apr_getopt(opt, n:c:t:b:T:p:v:rkVhwix:y:z:C:H:P:A:g:X:de:Sq #ifdef USE_SSL Z:f: #endif @@ -2032,6 +2044,9 @@ exit(r); } break; +case 'r': +recverrok = 1; +break; case 'v': verbosity = atoi(optarg); break;
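Review bot: the new global at @@ -258,6 +258,7 @@, "int recverrok = 0;", is the only declaration in that group without a trailing comment. A short one, for example /* ok to proceed after socket receive errors */, would match verbosity, posting and the others.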
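Review bot: in the @@ -1331,9 +1331,19 @@ hunk the -r branch increments bad after err_except has already been incremented on the context line above it, and the XXX comment asking whether err_except is the right counter is left unanswered. Once the error is no longer fatal these counters are the main record of what went wrong, so decide which counter a receive error belongs to as part of this change. The padded "if ( recverrok )" spacing also differs from the "else if (status != APR_SUCCESS)" style directly above it.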
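Review bot: the @@ -1559,7 +1570,7 @@ hunk adds "Content-Length: 0" to every keep-alive GET and HEAD request whether or not -r is given, which changes what existing keep-alive runs send. That is a separate behaviour change from the -r option and would be easier to review and to revert as its own patch, with the reason for it recorded in a comment next to the format string.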
Re: svn commit: r512848 - /httpd/httpd/trunk/VERSIONING
On 2/28/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
Author: chrisd
Date: Wed Feb 28 09:12:06 2007
New Revision: 512848
URL: http://svn.apache.org/viewvc?view=rev&rev=512848
Log: fix a minor typo
Modified: httpd/httpd/trunk/VERSIONING
Modified: httpd/httpd/trunk/VERSIONING
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/VERSIONING?view=diff&rev=512848&r1=512847&r2=512848
== --- httpd/httpd/trunk/VERSIONING (original) +++ httpd/httpd/trunk/VERSIONING Wed Feb 28 09:12:06 2007 @@ -68,7 +68,7 @@ stable release due to API change requirements. * The stable subversion tree should not remain unstable at any time. Atomic -commits aught be used to introduce code from the development version to the +commits ought be used to introduce code from the development version to the

that's how we remember who wrote that text ;)
Re: Using mod_proxy from another module
Yep. No problem.

On Feb 21, 2007, at 4:50 AM, Marc Stern wrote:
Is it also possible to make a post with this ? This is what I need.

Jim Jagielski wrote:
How could we use mod_proxy for outgoing connections from another module ? Is there any simple way ? Is there any standard (I mean documented) way, or would it rely on internals only ? In the latter case, we would have to recode everything when mod_proxy changes.

You would do something like this:

/* create a sub-request that will carry the proxied call */
rr = ap_sub_req_method_uri("OPTIONS", "*", r, NULL); /* this MUST succeed! */
/* mod_proxy picks up the target from a filename of the form proxy:scheme://host:port/path */
apr_snprintf(newurl, sizeof(newurl), "proxy:%s://%s:%d/%s", protocol, sendToIP, sendToPort, myURL);
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server, "query constructed: %s", newurl);
rr->filename = apr_pstrdup(r->pool, newurl);
rr->proxyreq = PROXYREQ_REVERSE;
rr->handler = "proxy-server";
ap_run_sub_req(rr);

and then use the response as needed... The above I've used in some where I'm just interested in getting some backend header info...
Re: util_ldap.c use of hardcoded sizelimit on ldap_search_ext_s causing error
LDAP SDK differences should really be pushed down into APR-Util. In fact your option #1 would probably be the way to go as long as it was implemented in apr_ldap.h.in and you implemented APR_HAS_ZOS_LDAPSDK that is determined during configure time just like the other SDKs. The #define should also be prefixed with APR_. Unfortunately this creates a version dependency between HTTPD and APR-Util. This is OK for trunk but a problem for 2.2. The release of APR-Util and HTTPD would have to be coordinated. The fallback is to patch util_ldap.c in some way that doesn't alter the way that the other platforms or SDKs are currently working.

Brad

On 2/28/2007 at 8:26 AM, in message [EMAIL PROTECTED], David Jones [EMAIL PROTECTED] wrote:
Sorry for the delay. We use our own z/OS specific SDK. There is also a Tivoli SDK, [see Eric Covener's appends and http://issues.apache.org/bugzilla/attachment.cgi?id=19394 waiting for input], which shares some commonality with z/OS (Tivoli can accept the -1 without a problem, but it acts like 0).

Thoughts are:

1) LDAP_HAS_ZOS_LDAPSDK isn't an apache define yet. (The Tivoli append adds a LDAP_HAS_TIVOLI_LDAPSDK to apu-conf.m4, and we would do similar). So if it shouldn't be put in svn yet skip the top 3 lines and what we're left with isn't much different than the original hardcoded -1, but at least it puts some doc in the code about what's going on.

#ifdef LDAP_HAS_ZOS_LDAPSDK
#define LDAP_LIMIT_VALUE LDAP_NO_LIMIT
#else
#ifdef LDAP_DEFAULT_LIMIT
#define LDAP_LIMIT_VALUE LDAP_DEFAULT_LIMIT
#else
#define LDAP_LIMIT_VALUE -1 /* equivalent to LDAP_DEFAULT_LIMIT */
#endif
#endif

2) Or the flipside, assuming everyone else who defines 0 and not -1 wants to use 0:

#ifdef LDAP_HAS_NOVELL_LDAPSDK
#define LDAP_LIMIT_VALUE -1
#else
#ifdef LDAP_DEFAULT_LIMIT
#define LDAP_LIMIT_VALUE LDAP_DEFAULT_TIME
#else
#ifdef LDAP_NO_LIMIT
#define LDAP_LIMIT_VALUE LDAP_NO_LIMIT
#else
#define LDAP_LIMIT_VALUE -1
#endif
#endif
#endif

3) Or maybe moving it and defining an APR_LDAP_DEFAULT_SIZELIMIT instead of keeping it in util_ldap.c

4) Or some complicated(?) conf magic that would involve getting a handle and then calling ldap_set_option(ldap, LDAP_OPT_SIZELIMIT, -1); and setting APR_LDAP_DEFAULT_SIZELIMIT to -1 or 0 accordingly.

On 2/23/07, Brad Nicholes [EMAIL PROTECTED] wrote:
What LDAP client SDK does z/OS use? (Novell, OpenLDAP, Netscape, Other???)
Brad

On 2/22/2007 at 12:52 PM, in message [EMAIL PROTECTED], David Jones [EMAIL PROTECTED] wrote:
It's the z/OS, has LDAP_NO_SIZELIMIT defined. Does not have nor support LDAP_DEFAULT_SIZELIMIT

On 2/22/07, Brad Nicholes [EMAIL PROTECTED] wrote:
On 2/22/2007 at 7:12 AM, in message [EMAIL PROTECTED], David Jones [EMAIL PROTECTED] wrote:
How about something along these lines? It assumes there is nobody with LDAP_DEFAULT_LIMIT undefined AND LDAP_NO_LIMIT defined, but still supports and wishes to use the -1 value.

--- util_ldap.c.defaultlimitWed Feb 21 16:08:51 2007 +++ util_ldap.c.nolimit Thu Feb 15 12:50:09 2007
@@ -52,15 +52,9 @@ #define LDAP_CA_TYPE_BASE64 2 #define LDAP_CA_TYPE_CERT7_DB 3 -#ifdef LDAP_DEFAULT_LIMIT -#define LDAP_LIMIT_VALUE LDAP_DEFAULT_LIMIT -#else -#ifndef LDAP_NO_LIMIT /* Have neither LDAP_DEFAULT_LIMIT or LDAP_NO_LIMIT */ -#define LDAP_LIMIT_VALUE -1 -#else /* Have LDAP_NO_LIMIT, but not LDAP_DEFAULT_LIMIT */ -#define LDAP_LIMIT_VALUE LDAP_NO_LIMIT -#endif /* !LDAP_NO_LIMIT */ -#endif /* LDAP_DEFAULT_LIMIT */ +#ifndef LDAP_NO_LIMIT +#define LDAP_NO_LIMIT -1 +#endif module AP_MODULE_DECLARE_DATA ldap_module; @@ -680,7 +674,7 @@ /* search for reqdn */ if ((result = ldap_search_ext_s(ldc-ldap, (char *)reqdn, LDAP_SCOPE_BASE, (objectclass=*), NULL, 1, -NULL, NULL, NULL, LDAP_LIMIT_VALUE, res)) +NULL, NULL, NULL, LDAP_NO_LIMIT, res)) == LDAP_SERVER_DOWN) { ldc-reason = DN Comparison ldap_search_ext_s() @@ -958,7 +952,7 @@ if ((result = ldap_search_ext_s(ldc-ldap, (char *)basedn, scope, (char *)filter, attrs, 0, -NULL, NULL, NULL, LDAP_LIMIT_VALUE, res)) +NULL, NULL, NULL, LDAP_NO_LIMIT, res)) == LDAP_SERVER_DOWN) { ldc-reason = ldap_search_ext_s() for user failed with server down; @@ -1198,7 +1192,7 @@ if ((result = ldap_search_ext_s(ldc-ldap, (char *)basedn, scope, (char *)filter, attrs, 0, -
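Review bot: the @@ -52,15 +52,9 @@ hunk removes the LDAP_DEFAULT_LIMIT branch, so on an SDK that defines both LDAP_DEFAULT_LIMIT and LDAP_NO_LIMIT each ldap_search_ext_s call changed below now passes LDAP_NO_LIMIT where it used to pass LDAP_DEFAULT_LIMIT, which changes the size limit requested on platforms that work today. The fallback also defines the SDK-style name LDAP_NO_LIMIT as -1, the value the removed lines used only when neither macro existed. Keeping a private name such as LDAP_LIMIT_VALUE for the computed value, and selecting it per SDK, would avoid giving an SDK symbol a second meaning and leave the other platforms untouched.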
Re: What do you think about Lighttpd?
On 2/27/07, Arnold Daniels [EMAIL PROTECTED] wrote:
Nick already told you, that Apache allows you to choose. So simply use the fast-cgi/mpm-event combo, if you like that best. And if you want to evangelize the combo, nobody is stopping you.

I use this and it works fine. However:

1. The event MPM is EXPERIMENTAL. No telling when it will be deemed as production ready.

2. The FastCGI support from Apache is, well, not there. You will have to go out and get a third party module. Also, that doesn't compile. So you will need a patch from a fourth party to get it to even compile.

3. The FastCGI apache module has not been updated in YEARS. So don't expect improvements. I don't know if it even persists connection to the FastCGI processes. However, Apache may include a FastCGI module in 2.4, and it should get load balancing support of some sort as it works off the proxy balancer, etc., bringing it closer in line with Lighttpd. But it could easily be over a year. And it might only be EXPERIMENTAL. I know there are a bunch of very talented people on the Apache team, but I'm not sure any of them actually works on it full time. Sorta curious.

4. If you are planning to do something that holds connections for long periods of time (PUSH/COMET/etc), I think Apache is out. Lighttpd has some ideas for handling this in server. If you were to write something yourself, it is far easier to do your own server in perl or php than to add the functionality to Apache. Search for chat servers for source (like jabberd from Live Journal for a perl version, I have a php one but can't remember where it came from at the moment).

All rant aside, it is not that hard to compile the fastcgi module with the patches and compile apache with the event mpm. You had better have the stomach for experimental code, and the fastcgi setup and tuning is pure crap. The fastcgi setup and tuning is pure crap. Yes, I repeated that. :) But in the end, it works. And nothing says I believe like using it yourself. Successfully.
Re: What do you think about Lighttpd?
steve wrote:
On 2/27/07, Arnold Daniels [EMAIL PROTECTED] wrote:
Nick already told you, that Apache allows you to choose. So simply use the fast-cgi/mpm-event combo, if you like that best. And if you want to evangelize the combo, nobody is stopping you.
I use this and it works fine. However:
1. The event MPM is EXPERIMENTAL. No telling when it will be deemed as production ready.

I dunno. I use it. (I also helped write it, soo...)

2. The FastCGI support from Apache is, well, not there.
3. The FastCGI apache module has not been updated in YEARS.

Have you tried mod_fcgid? http://fastcgi.coremail.cn/ It fixes these two problems at least.
Re: What do you think about Lighttpd?
On Wed, Feb 28, 2007 at 01:32:44PM -0800, Paul Querna wrote:
steve wrote:
On 2/27/07, Arnold Daniels [EMAIL PROTECTED] wrote:
Nick already told you, that Apache allows you to choose. So simply use the fast-cgi/mpm-event combo, if you like that best. And if you want to evangelize the combo, nobody is stopping you.
I use this and it works fine. However:
1. The event MPM is EXPERIMENTAL. No telling when it will be deemed as production ready.
I dunno. I use it. (I also helped write it, soo...)

I use it too, and have meddled with it enough at a source level to feel comfortable running it. It has obvious, documented, problems (don't use it with mod_ssl), but it's pretty good at what it's supposed to be pretty good at :-)

--
Colm MacCárthaigh
Public Key: [EMAIL PROTECTED]
Re: [PATCH 38014] - Patch review request
Revised patch after incorporating Will Rowe's suggestion.

Regards,
Basant.

On Tue, Feb 27, 2007 at 05:06:57PM -0800, Basant Kukreja wrote:
Hi, I work in the web tier group of Sun Microsystems Inc. I have submitted the patch for bug 38014 (The status '100 Continue' will be sent after the final status code) http://issues.apache.org/bugzilla/show_bug.cgi?id=38014 Can some of the committers kindly review my patch please to see if it is acceptable or not? Patch is against 2.2.x branch.
Regards, Basant.
[PATCH 39299] - Patch review request
Hi, I am Basant. I work in the web tier group at Sun Microsystems Inc. I have submitted the patch for bug 39299.

Summary : Internal Server Error (500) on COPY
URI : http://issues.apache.org/bugzilla/show_bug.cgi?id=39299

Can some of the committers kindly review my patch please to see if it is acceptable or not? Patch is against 2.2.x branch.

Regards,
Basant.
Re: [PATCH 39299] - Patch review request
On Wed, 28 Feb 2007 14:31:19 -0800 Basant Kukreja [EMAIL PROTECTED] wrote:
Hi, I am Basant. I work in the web tier group at Sun Microsystems Inc. I have submitted the patch for bug 39299. Summary : Internal Server Error (500) on COPY URI : http://issues.apache.org/bugzilla/show_bug.cgi?id=39299 Can some of the committers kindly review my patch please to see if it is acceptable or not? Patch is against 2.2.x branch.

409 implies a condition the client can fix. Your patch tests for a particular condition that is likely to be fixable in a server with DAV up and running. But AFAICS it could also give a bogus 409, for example in the case of a newly-installed and misconfigured server. Does the DAV RFC explicitly tell us to use 409 in this instance?

--
Nick Kew
Application Development with Apache - the Apache Modules Book http://www.apachetutor.org/
mod_proxy issues and patch
Hi all,

I'm trying to work on getting some sane AJP proxy configurations using Apache 2.2.4. The problem I'm running into is that we use RewriteRules to use regular expression matching for proxying. In a previous thread on this dev list there was a discussion around ProxyPass being insufficient for regular expression matching and that perhaps it should function more like JkMount with mod_jk.

Specifically the problem I'm running into is something like this:

RewriteRule ^(.*\.jsp)$ ajp://localhost:8010$1 [P]

In this scenario, I don't use ProxyPass to declare a mod_proxy_ajp worker. There doesn't appear to be a DefineWorker directive behavior that someone mused about in the previous thread. Thus, if I want to configure the connection pooling characteristics, I can't do the following

<Proxy ajp://localhost:8010>
ProxySet max=100 smax=10
</Proxy>

Because Apache will complain that the ajp://localhost:8010 worker doesn't exist. I can create a dummy ProxyPass statement:

ProxyPass /bogus ajp://localhost:8010

it seems to work, but that just looks ugly to me :).

It looks like with: http://svn.apache.org/viewvc?view=rev&revision=427920 This problem will be solved as the Proxy section will create the worker if it doesn't already exist. But that's only in trunk. The patch looks relatively simple though, so any chance of getting it patched back into a stable 2.2.x tree?

The other option that I think will work, but I haven't tested is to use a balanced worker:

<Proxy balancer://singleworker>
BalancerMember ajp://localhost:8010 max=100 smax=10
</Proxy>

Then declare the RewriteRule to use balancer://singleworker

Basically, it appears mod_proxy_ajp is a slight step backwards in terms of mod_jk's JkMount functionality. If I'm missing something though, feel free to slap me up and correct me.

Thanks,
Andy
Re: What do you think about Lighttpd?
I use it too, and have meddled with it enough at a source level to feel comfortable running it. It has obvious, documented, problems (don't use it with mod_ssl),

I didn't make it clear earlier -- I do use the event mpm. Successfully. What *is* the problem with mod_ssl anyway??? I have used the two together, and I haven't seen a problem.

BTW: FastCGI is not necessary as you can use all Apache all the time:

1. Compile once Apache 2.2 with the event MPM. This is your normal web server on port 80.
2. Compile another Apache 2.2 with the prefork MPM and mod_php. This is your PHP server. Run it on another port.
3. Use Apache's rewrite and proxy to forward the php requests from #1 server to #2 server.

It seems a little heavy, but you can eliminate FastCGI altogether. If needed, you can also have your PHP server on another machine than your Web server. And you can have more PHP servers and use the proxy balancer to load balance them.

Just seems a bit heavy weight when it's going on a single machine. I don't have real numbers on how much more weight this is than using FastCGI. Anyone know? Config would be easier though... :)

Some questions:

1. What is the issue with event mpm and mod_ssl to an end-user?
2. How much more heavy is the above setup than using FastCGI?
3. If keep-alive were on both servers (#1 to end users, numbering in the thousands, and #2 only as many as there are processes), does it work? Another way of saying it is: does mod_proxy keep connections to the other server if keep-alive is enabled? Is there some other setting that does this?
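The two-server layout from steps 1 to 3 of the message above, written out as an added configuration example; it is not part of the original post. The backend port 8080, the loopback binding, the shared DocumentRoot, the module file names and the log format name are assumptions; directive syntax is Apache 2.2.

```apache
# ---- front server httpd.conf (event MPM), public side ----
Listen 80
# LoadModule lines are only needed when the modules are built as shared objects.
LoadModule rewrite_module    modules/mod_rewrite.so
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

# Reverse proxying only: do not act as a forward proxy for arbitrary hosts.
ProxyRequests Off

# Static files are served here; only *.php is handed to the PHP server.
# Assumes both servers use the same DocumentRoot so paths map one to one.
RewriteEngine On
RewriteRule ^/(.*\.php)$ http://127.0.0.1:8080/$1 [P]

# Pass the client's Host header through so the application builds correct URLs,
# and rewrite Location headers so redirects never expose the internal address.
ProxyPreserveHost On
ProxyPassReverse / http://127.0.0.1:8080/

# ---- backend httpd.conf (prefork MPM with mod_php) ----
# Bind to loopback so the PHP server is reachable only through the front server.
Listen 127.0.0.1:8080
LoadModule php5_module modules/libphp5.so
AddType application/x-httpd-php .php
KeepAlive On

# Every request arrives from 127.0.0.1, so log the address the front server
# reports in X-Forwarded-For. Only the last element of that header was written
# by the front server; anything before it came from the client.
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" proxied
CustomLog logs/access_log proxied
```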
Re: Using mod_proxy from another module
I can't find how to do that, could you help me ?

Thanks,
Marc

Jim Jagielski wrote:
Yep. No problem.

On Feb 21, 2007, at 4:50 AM, Marc Stern wrote:
Is it also possible to make a post with this ? This is what I need.

Jim Jagielski wrote:
How could we use mod_proxy for outgoing connections from another module ? Is there any simple way ? Is there any standard (I mean documented) way, or would it rely on internals only ? In the latter case, we would have to recode everything when mod_proxy changes.

You would do something like this:

/* create a sub-request that will carry the proxied call */
rr = ap_sub_req_method_uri("OPTIONS", "*", r, NULL); /* this MUST succeed! */
/* mod_proxy picks up the target from a filename of the form proxy:scheme://host:port/path */
apr_snprintf(newurl, sizeof(newurl), "proxy:%s://%s:%d/%s", protocol, sendToIP, sendToPort, myURL);
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server, "query constructed: %s", newurl);
rr->filename = apr_pstrdup(r->pool, newurl);
rr->proxyreq = PROXYREQ_REVERSE;
rr->handler = "proxy-server";
ap_run_sub_req(rr);

and then use the response as needed... The above I've used in some where I'm just interested in getting some backend header info...