Re: [users@httpd] mod_lua and subprocess_env

2017-02-21 Thread Yann Ylavic
On Wed, Feb 22, 2017 at 1:09 AM, Yann Ylavic  wrote:
> On Tue, Feb 21, 2017 at 5:43 PM, Andrei Ivanov  
> wrote:
>> On Tue, Feb 21, 2017 at 6:32 PM, Yann Ylavic  wrote:
>>>
>>> On Tue, Feb 21, 2017 at 4:50 PM, Andrei Ivanov 
>>> wrote:
>>> >>>
>>> >>> Header set Client-SAN "%{PeerExtList('2.5.29.17')}s"
>>>
>>> The syntax may be rather:
>>>
>>> Header set Client-SAN "expr=%{PeerExtList:2.5.29.17}"
>>>
>>> Does it work better?
>>
>>
>> Uf, no :-(
>
> I've got it to work (in 2.4.25), with a patch (attached), and for
> me it outputs:
> Client-SAN: DNS:www1.domain.tld, DNS:www2.domain.tld,
> DNS:www3.domain.tld, IP Address:192.168.150.80, IP
> Address:192.168.150.145, IP Address:172.25.25.100
>
> So I guess something like:
> Require expr "('IP Address:' . %{REMOTE_ADDR}) -in 
> PeerExtList('2.5.29.17')"
> should work (at least with 2.4.5).

I meant 2.4.25 here...

>
>
> Regards,
> Yann.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org



Re: [users@httpd] mod_lua and subprocess_env

2017-02-21 Thread Yann Ylavic
On Tue, Feb 21, 2017 at 5:43 PM, Andrei Ivanov  wrote:
> On Tue, Feb 21, 2017 at 6:32 PM, Yann Ylavic  wrote:
>>
>> On Tue, Feb 21, 2017 at 4:50 PM, Andrei Ivanov 
>> wrote:
>> >>>
>> >>> Header set Client-SAN "%{PeerExtList('2.5.29.17')}s"
>>
>> The syntax may be rather:
>>
>> Header set Client-SAN "expr=%{PeerExtList:2.5.29.17}"
>>
>> Does it work better?
>
>
> Uf, no :-(

I've got it to work (in 2.4.25), with a patch (attached), and for
me it outputs:
Client-SAN: DNS:www1.domain.tld, DNS:www2.domain.tld,
DNS:www3.domain.tld, IP Address:192.168.150.80, IP
Address:192.168.150.145, IP Address:172.25.25.100

So I guess something like:
Require expr "('IP Address:' . %{REMOTE_ADDR}) -in PeerExtList('2.5.29.17')"
should work (at least with 2.4.5).


Regards,
Yann.
Index: server/util_expr_eval.c
===
--- server/util_expr_eval.c	(revision 1783852)
+++ server/util_expr_eval.c	(working copy)
@@ -50,6 +50,9 @@ AP_IMPLEMENT_HOOK_RUN_FIRST(int, expr_lookup, (ap_
 static const char *ap_expr_eval_string_func(ap_expr_eval_ctx_t *ctx,
 const ap_expr_t *info,
 const ap_expr_t *args);
+static apr_array_header_t *ap_expr_eval_list_func(ap_expr_eval_ctx_t *ctx,
+const ap_expr_t *info,
+const ap_expr_t *args);
 static const char *ap_expr_eval_re_backref(ap_expr_eval_ctx_t *ctx,
unsigned int n);
 static const char *ap_expr_eval_var(ap_expr_eval_ctx_t *ctx,
@@ -80,6 +83,8 @@ static int inc_rec(ap_expr_eval_ctx_t *ctx)
 return 1;
 }
 
+#define AP_EXPR_MAX_LIST_STRINGS 500
+
 static const char *ap_expr_eval_word(ap_expr_eval_ctx_t *ctx,
  const ap_expr_t *node)
 {
@@ -161,6 +166,35 @@ static const char *ap_expr_eval_word(ap_expr_eval_
 result = ap_expr_eval_string_func(ctx, info, args);
 break;
 }
+case op_ListFuncCall: {
+const ap_expr_t *info = node->node_arg1;
+const ap_expr_t *args = node->node_arg2;
+apr_array_header_t *array = ap_expr_eval_list_func(ctx, info, args);
+if (array && array->nelts > 0) {
+struct iovec *vec;
+int n = array->nelts, i = 0;
+/* sanity check */
+if (n > AP_EXPR_MAX_LIST_STRINGS) {
+n = AP_EXPR_MAX_LIST_STRINGS;
+}
+/* all entries (but last) separated by ", " */
+n = (n * 2) - 1;
+vec = apr_palloc(ctx->p, n * sizeof(struct iovec));
+for (;;) {
+const char *s = APR_ARRAY_IDX(array, i, const char *);
+vec[i].iov_base = (void *)s;
+vec[i].iov_len = strlen(s);
+if (++i >= n) {
+break;
+}
+vec[i].iov_base = (void *)", ";
+vec[i].iov_len = 2;
+++i;
+}
+result = apr_pstrcatv(ctx->p, vec, n, NULL);
+}
+break;
+}
 case op_RegexBackref: {
 const unsigned int *np = node->node_arg1;
 result = ap_expr_eval_re_backref(ctx, *np);
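Review bot: in the op_ListFuncCall loop `i` serves as both the iovec index and the array index, so `const char *s = APR_ARRAY_IDX(array, i, const char *);` fetches array[0], array[2], array[4], ... and, because `n` has been doubled to `(n * 2) - 1`, keeps indexing once `i` exceeds `array->nelts`, reading past the end of the array; keep a separate element counter (for example `APR_ARRAY_IDX(array, i / 2, const char *)` or a second index `j++`) so each of the nelts strings is emitted exactly once. Separately, when `n > AP_EXPR_MAX_LIST_STRINGS` the tail is dropped with no trace; a debug-level log line at the truncation point would make a shortened header value explainable.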
@@ -213,6 +247,19 @@ static const char *ap_expr_eval_string_func(ap_exp
 return (*func)(ctx, data, ap_expr_eval_word(ctx, arg));
 }
 
+static apr_array_header_t *ap_expr_eval_list_func(ap_expr_eval_ctx_t *ctx,
+const ap_expr_t *info,
+const ap_expr_t *arg)
+{
+ap_expr_list_func_t *func = (ap_expr_list_func_t *)info->node_arg1;
+const void *data = info->node_arg2;
+
+AP_DEBUG_ASSERT(info->node_op == op_ListFuncInfo);
+AP_DEBUG_ASSERT(func != NULL);
+AP_DEBUG_ASSERT(data != NULL);
+return (*func)(ctx, data, ap_expr_eval_word(ctx, arg));
+}
+
 static int intstrcmp(const char *s1, const char *s2)
 {
 apr_int64_t i1 = apr_atoi64(s1);
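Review bot: the third parameter is named `arg` in this definition but `args` in the forward declaration (first hunk) and at both call sites (`ap_expr_eval_list_func(ctx, info, args)`); use one name throughout. The body otherwise mirrors ap_expr_eval_string_func, which is the right shape, but as there the `node_op == op_ListFuncInfo` and NULL checks are AP_DEBUG_ASSERT only and vanish in release builds.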
@@ -268,13 +315,8 @@ static int ap_expr_eval_comp(ap_expr_eval_ctx_t *c
 }
 else if (e2->node_op == op_ListFuncCall) {
 const ap_expr_t *info = e2->node_arg1;
-const ap_expr_t *arg = e2->node_arg2;
-ap_expr_list_func_t *func = (ap_expr_list_func_t *)info->node_arg1;
-apr_array_header_t *haystack;
-
-AP_DEBUG_ASSERT(func != NULL);
-AP_DEBUG_ASSERT(info->node_op == op_ListFuncInfo);
-haystack = (*func)(ctx, info->node_arg2, ap_expr_eval_word(ctx, arg));
+const ap_expr_t *args = e2->node_arg2;
+apr_array_header_t *haystack = ap_expr_eval_list_func(ctx, info, args);
 if (haystack == NULL) {
 return 0;
 }
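Review bot: the refactor keeps the evaluation identical except that the helper asserts `data != NULL`, which the removed lines did not check before passing `info->node_arg2` straight to `(*func)`; confirm every registered list function supplies a non-NULL data pointer, otherwise debug builds now abort on a path that previously ran.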
@@ -474,8 +516,19 @@ ap_expr_t *ap_expr_str_func_make(const char *name,
ap_expr_parse_ctx

RE: [users@httpd] Problem when using nested if statements in apache 2.4

2017-02-21 Thread Mike Schlottman
Thanks Luca.   This all makes sense with what I was seeing.   I ended up using 
something similar to what you suggested.   Here it is in case it ever helps 
someone.

  ErrorDocument 400 /errors/400
  ErrorDocument 401 /errors/401
  ErrorDocument 402 /errors/402
  ErrorDocument 403 /errors/403
  ErrorDocument 404 /errors/404
  ErrorDocument 405 /errors/405
  ErrorDocument 500 /errors/500
  ErrorDocument 501 /errors/501
  ErrorDocument 502 /errors/502
  ErrorDocument 503 /errors/503
  ErrorDocument 504 /errors/504
  ErrorDocument 505 /errors/505




From: Luca Toscano [mailto:toscano.l...@gmail.com]
Sent: Tuesday, February 21, 2017 11:46 AM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Problem when using nested if statements in apache 2.4

Hi Mike,

2017-02-20 18:17 GMT+01:00 Mike Schlottman:
I’m trying to configure apache 2.4 to show nice error pages to external users 
of our web site, while allowing staff to see the real error.   The idea is to 
prevent exposing privileged information to the general public while allowing 
our staff to more easily debug issues on our production web site.   To 
accomplish this I am using a combination of ErrorDocument within an If 
statement that evaluates the header X-Real-IP which is the IP address of the 
client on my server.

This seems to work, until I nest the If statements to catch all the IP ranges 
that I am interested in.

For example…
http://172.28.1.84/32>' ">
  ErrorDocument 404 /errors/404

will correctly show the nice 404 page for a user coming from 172.28.1.84.

Using this, the same user coming from 172.28.1.84 sees the nice error page.
http://127.0.0.0/8>' ">
  ErrorDocument 404 /errors/404


Similarly the same user gets the nice error page when this code is used.
http://192.168.0.0/16>' ">
  ErrorDocument 404 /errors/404


The problem comes when I combine these 2 so that all users except those coming 
from 127.*.*.* or 192.168.*.* see the nice error page.
http://127.0.0.0/8>' ">
  http://192.168.0.0/16>' ">
ErrorDocument 404 /errors/404
  

The user from 172.28.1.84 does not get the nice 404 page, but the default 404 
page.   The IP does not match either of the ranges as observed when using the 
ranges individually, but when combined in this way it does not work as expected.

Any ideas why this is?


I reproduced your use case and from the error_log (trace8) I can see that with 
nested s the second one seems not evaluated (or more precisely, its 
expression is not). In the beginning I thought it was a peculiarity of how the 
ErrorDocument core directive settings are merged between sections, but it seems 
not the case.

From my point of view, a container like  should be used like other similar 
directives like  and , where this use case would look a 
bit weird. The  naming brings up conventions that we use in traditional 
programming languages, so this might be the source of the confusion.

For your specific use case, I'd have done something like the following:

http://192.168.0.0/16>'  || 
! %{HTTP:X-Real-IP}  -ipmatch '192.168.0.0/16' ">
ErrorDocument 404 "My awesome error"


or maybe using /.

http://httpd.apache.org/docs/current/sections.html shows a little paragraph 
about "Nesting of sections", but I don't see any reference of your use case. 
I'll dig a bit more during the next days to find a better explanation if nobody 
will come up with a better solution :)


Luca




Re: [users@httpd] Problem when using nested if statements in apache 2.4

2017-02-21 Thread Luca Toscano
Hi Mike,

2017-02-20 18:17 GMT+01:00 Mike Schlottman :

> I’m trying to configure apache 2.4 to show nice error pages to external
> users of our web site, while allowing staff to see the real error.   The
> idea is to prevent exposing privileged information to the general public
> while allowing our staff to more easily debug issues on our production web
> site.   To accomplish this I am using a combination of ErrorDocument within
> an If statement that evaluates the header X-Real-IP which is the IP address
> of the client on my server.
>
>
>
> This seems to work, until I nest the If statements to catch all the IP
> ranges that I am interested in.
>
>
>
> For example…
>
> 
>
>   ErrorDocument 404 /errors/404
>
> 
>
> will correctly show the nice 404 page for a user coming from 172.28.1.84.
>
>
>
> Using this, the same user coming from 172.28.1.84 sees the nice error
> page.
>
> 
>
>   ErrorDocument 404 /errors/404
>
> 
>
>
>
> Similarly the same user gets the nice error page when this code is used.
>
> 
>
>   ErrorDocument 404 /errors/404
>
> 
>
>
>
> The problem comes when I combine these 2 so that all users except those
> coming from 127.*.*.* or 192.168.*.* see the nice error page.
>
> 
>
>   
>
> ErrorDocument 404 /errors/404
>
>   
>
> 
>
> The user from 172.28.1.84 does not get the nice 404 page, but the default
> 404 page.   The IP does not match either of the ranges as observed when
> using the ranges individually, but when combined in this way it does not
> work as expected.
>
>
>
> Any ideas why this is?
>
>
>

I reproduced your use case and from the error_log (trace8) I can see that
with nested s the second one seems not evaluated (or more precisely,
its expression is not). In the beginning I thought it was a peculiarity of
how the ErrorDocument core directive settings are merged between sections,
but it seems not the case.

From my point of view, a container like  should be used like other
similar directives like  and , where this use case
would look a bit weird. The  naming brings up conventions that we use
in traditional programming languages, so this might be the source of the
confusion.

For your specific use case, I'd have done something like the following:


ErrorDocument 404 "My awesome error"


or maybe using /.

http://httpd.apache.org/docs/current/sections.html shows a little paragraph
about "Nesting of sections", but I don't see any reference of your use
case. I'll dig a bit more during the next days to find a better explanation
if nobody will come up with a better solution :)


Luca


Re: [users@httpd] mod_lua and subprocess_env

2017-02-21 Thread Andrei Ivanov
On Tue, Feb 21, 2017 at 6:43 PM, Andrei Ivanov 
wrote:

> On Tue, Feb 21, 2017 at 6:32 PM, Yann Ylavic  wrote:
>
>> On Tue, Feb 21, 2017 at 4:50 PM, Andrei Ivanov 
>> wrote:
>> >>>
>> >>> Header set Client-SAN "%{PeerExtList('2.5.29.17')}s"
>>
>> The syntax may be rather:
>>
>> Header set Client-SAN "expr=%{PeerExtList:2.5.29.17}"
>>
>> Does it work better?
>>
>
> Uf, no :-(
> I've mentioned above, this is with Apache/2.4.6 (Red Hat Enterprise Linux)
> OpenSSL/1.0.1e-fips
> I was also trying the Header with expr=value, but then I noticed it's
> available in 2.4.10 and later
>
>

Trying with the latest Apache/2.4.25 and switching to expression values:
- These work:
Header set Client-IP "expr=%{REMOTE_ADDR}"
Header set Client-DN "expr=%{SSL_CLIENT_S_DN}"

- These do not work, even after I adapted the expression following the
documentation,
   "Function calls use the %{funcname:arg} syntax rather than
funcname(arg).":

   Header set Client-SAN "expr=%{PeerExtList:2.5.29.17}"
   Can't parse value expression : Function 'PeerExtList' does not exist

What should I do?
At least the standard expressions ("%{PeerExtList('2.5.29.17')}s") had a
modifier that indicated it's an SSL
expression and knew how to invoke it... even if it didn't work :-/


Re: [users@httpd] apache run status: how to tell as non-root user (on *nix)?

2017-02-21 Thread Tom Browder
On Tue, Feb 21, 2017 at 8:15 AM, Yehuda Katz  wrote:
> That grep would not work on Debian-style packages because they show apache2
> as the executable but it might be the best way on other systems.

Good point, Yehuda.  I guess I should find out

But I just looked at my ps output and it shows the complete star line
so grepping apache should work for me, too:

$ ps -C httpd -o cmd=
/usr/local/apache2/bin/httpd -k start

Thanks!

-Tom




Re: [users@httpd] mod_lua and subprocess_env

2017-02-21 Thread Andrei Ivanov
On Tue, Feb 21, 2017 at 6:32 PM, Yann Ylavic  wrote:

> On Tue, Feb 21, 2017 at 4:50 PM, Andrei Ivanov 
> wrote:
> >>>
> >>> Header set Client-SAN "%{PeerExtList('2.5.29.17')}s"
>
> The syntax may be rather:
>
> Header set Client-SAN "expr=%{PeerExtList:2.5.29.17}"
>
> Does it work better?
>

Uf, no :-(
I've mentioned above, this is with Apache/2.4.6 (Red Hat Enterprise Linux)
OpenSSL/1.0.1e-fips
I was also trying the Header with expr=value, but then I noticed it's
available in 2.4.10 and later


Re: [users@httpd] mod_lua and subprocess_env

2017-02-21 Thread Yann Ylavic
On Tue, Feb 21, 2017 at 4:50 PM, Andrei Ivanov  wrote:
>>>
>>> Header set Client-SAN "%{PeerExtList('2.5.29.17')}s"

The syntax may be rather:

Header set Client-SAN "expr=%{PeerExtList:2.5.29.17}"

Does it work better?




Re: [users@httpd] apache run status: how to tell as non-root user (on *nix)?

2017-02-21 Thread Rainer Canavan
On Tue, Feb 21, 2017 at 3:53 PM, Yann Ylavic  wrote:
> On Tue, Feb 21, 2017 at 3:19 PM, Rainer Canavan
>  wrote:
[...]
>> If you know where the .pid file is, you can read that and check if the
>> process is
>> running, e.g. via ps --pid `cat /var/run/apache2.pid`
>
> Or:
> kill -0 `cat /var/run/apache2.pid`
>
> which is likely "lighter".

That's probably the preferred way if the user has the proper
permissions, but fails if a non-privileged user attempts to check if a
process running as root is actually running.  I also haven't checked
if ps --pid is POSIX or a GNU extension, but it should at least work
on debian.


rainer

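Rainer's caveat that `kill -0` fails for an unprivileged user when the process belongs to root, together with Rob's point that the PID file is only a hint, can be combined in one check. The function below is an added example, not code from anyone in this thread: it reads and validates the PID file, tries `kill -0` first, and on failure falls back to checks that need no privileges (`/proc/<pid>` on Linux, then POSIX `ps -p`); the function name and the exit-code convention are my own.

```shell
#!/bin/sh
# Is the httpd master process recorded in a PID file still alive?
# Works for a non-root user. Returns 0 = running, 1 = not running,
# 2 = PID file missing, unreadable, or not holding a single valid PID.
httpd_status() {
    pidfile=$1

    # The file existing is only a hint: read it and validate the contents.
    [ -r "$pidfile" ] || return 2
    pid=$(head -n 1 "$pidfile" | tr -d '[:space:]')
    case $pid in
        ''|*[!0-9]*) return 2 ;;          # empty or non-numeric content
    esac
    [ "$pid" -gt 0 ] || return 2          # "0" would signal our own process group

    # Cheapest check, but as an unprivileged user it fails with EPERM for a
    # root-owned process that is running, so failure here only means "unknown".
    if kill -0 "$pid" 2>/dev/null; then
        return 0
    fi
    # Linux: /proc/<pid> exists for any running process regardless of owner.
    if [ -d "/proc/$pid" ]; then
        return 0
    fi
    # Portable fallback: -p is POSIX (GNU --pid is not). Match the PID exactly
    # so a ps that ignores -p and lists everything cannot give a false positive.
    if ps -p "$pid" -o pid= 2>/dev/null | grep -q "^ *$pid\$"; then
        return 0
    fi
    return 1
}

# Stand-alone use (path is the Debian default mentioned in the thread):
# httpd_status /var/run/apache2.pid; echo "exit status $?"
```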



Re: [users@httpd] mod_lua and subprocess_env

2017-02-21 Thread Andrei Ivanov
On Mon, Feb 20, 2017 at 11:31 AM, Andrei Ivanov 
wrote:

> On Fri, Feb 17, 2017 at 12:18 PM, Andrei Ivanov 
> wrote:
>
>>
>> On Thu, Feb 16, 2017 at 9:26 PM, Eric Covener  wrote:
>>
>>> On Thu, Feb 16, 2017 at 11:16 AM, Andrei Ivanov 
>>> wrote:
>>> > Is there a way to debug this? To print the values from the expression
>>> in the
>>> > logs maybe?
>>>
>>> One simple way to debug is to use the same [sub-]expressions in
>>> mod_headers conditions or header values
>>>
>>
>> Great idea, thanks :-)
>>
>> Header set Client-IP "%{REMOTE_ADDR}e"
>> Header set Client-SAN "%{PeerExtList('2.5.29.17')}s"
>> Header set Client-DN "%{SSL_CLIENT_S_DN}s"
>>
>> Client-IP: 159.107.78.110
>> Client-SAN: (null)
>> Client-DN: CN=client-with-subjectAltName-with-just-IPs-2
>>
>> Unfortunately, I don't get the Client SAN :-(
>>
>> Btw, this is with Apache/2.4.6 (Red Hat Enterprise Linux)
>> OpenSSL/1.0.1e-fips
>> I was also trying the Header with expr=value, but then I noticed it's
>> available in 2.4.10 and later.
>>
>
> Can anybody understand why this doesn't work? :-(
> Please help.
>

Yann? Any thoughts please?


Re: [users@httpd] apache run status: how to tell as non-root user (on *nix)?

2017-02-21 Thread Yann Ylavic
On Tue, Feb 21, 2017 at 3:19 PM, Rainer Canavan
 wrote:
> On Tue, Feb 21, 2017 at 2:53 PM, Tom Browder  wrote:
>> I need to programmatically determine whether httpd is running or not, whether
>> I'm root or not. The only reliable way I have found is to use the system
>> command 'ps -C httpd' and grep the results.
>>
>> Is there a better way?
>
>
> If you know where the .pid file is, you can read that and check if the
> process is
> running, e.g. via ps --pid `cat /var/run/apache2.pid`

Or:
kill -0 `cat /var/run/apache2.pid`

which is likely "lighter".


Regards,
Yann.




Re: [users@httpd] apache run status: how to tell as non-root user (on *nix)?

2017-02-21 Thread Rob De Langhe

the existence of the PID file only gives a hint; its contents (the PID of
the process) should then be checked to see if that particular process is
indeed (still) running.

Citeren Rainer Canavan :


On Tue, Feb 21, 2017 at 2:53 PM, Tom Browder 
wrote:

I need to programmatically determine whether httpd is running or not,
whether
I'm root or not. The only reliable way I have found is to use the system
command 'ps -C httpd' and grep the results.

Is there a better way?


If you know where the .pid file is, you can read that and check if the
process is
running, e.g. via ps --pid `cat /var/run/apache2.pid`

rainer



Re: [users@httpd] apache run status: how to tell as non-root user (on *nix)?

2017-02-21 Thread Rainer Canavan
On Tue, Feb 21, 2017 at 2:53 PM, Tom Browder  wrote:
> I need to programmatically determine whether httpd is running or not, whether
> I'm root or not. The only reliable way I have found is to use the system
> command 'ps -C httpd' and grep the results.
>
> Is there a better way?


If you know where the .pid file is, you can read that and check if the
process is
running, e.g. via ps --pid `cat /var/run/apache2.pid`


rainer




Re: [users@httpd] apache run status: how to tell as non-root user (on *nix)?

2017-02-21 Thread Tom Browder
On Tue, Feb 21, 2017 at 07:58 Mike Schlottman  wrote:

> If you have httpd running as a service in Centos, you can run service
> httpd status.
>

Thanks, Mike. But I'm running Debian and, for httpd, the old init.d thing.
I would love to get a systemd working for it, but I need a real cookbook
solution, 'cause everything I've looked at seems kind of hand wavy.

But, anyway, is the 'service' command usable by a non-root user?

Best regards,

-Tom


Re: [users@httpd] apache run status: how to tell as non-root user (on *nix)?

2017-02-21 Thread Yehuda Katz
That grep would not work on Debian-style packages because they show apache2
as the executable but it might be the best way on other systems.

- Y

Sent from a device with a very small keyboard and hyperactive autocorrect.

On Feb 21, 2017 8:54 AM, "Tom Browder"  wrote:

> I need to programmatically determine whether httpd is running or not,
> whether I'm root or not. The only reliable way I have found is to use the
> system command 'ps -C httpd' and grep the results.
>
> Is there a better way?
>
> Thanks.
>
> Best regards,
>
> -Tom
>


RE: [users@httpd] apache run status: how to tell as non-root user (on *nix)?

2017-02-21 Thread Mike Schlottman
If you have httpd running as a service in Centos, you can run service httpd 
status.   It will return a status code of 0 if it is running.

% service httpd status > /dev/null
Redirecting to /bin/systemctl status  httpd.service

% echo $?
0

From: Tom Browder [mailto:tom.brow...@gmail.com]
Sent: Tuesday, February 21, 2017 7:54 AM
To: users@httpd.apache.org
Subject: [users@httpd] apache run status: how to tell as non-root user (on 
*nix)?

I need to programmatically determine whether httpd is running or not, whether 
I'm root or not. The only reliable way I have found is to use the system 
command 'ps -C httpd' and grep the results.

Is there a better way?

Thanks.

Best regards,

-Tom


[users@httpd] apache run status: how to tell as non-root user (on *nix)?

2017-02-21 Thread Tom Browder
I need to programmatically determine whether httpd is running or not,
whether I'm root or not. The only reliable way I have found is to use the
system command 'ps -C httpd' and grep the results.

Is there a better way?

Thanks.

Best regards,

-Tom