Re: [users@httpd] mod_lua and subprocess_env

[Andrei Ivanov]

Yann?
Any chance to get this reviewed after the 2.4.32 release?

On Tue, Jan 2, 2018 at 7:08 PM, Andrei Ivanov <andrei.iva...@gmail.com>
wrote:

> Hello? Yann?
>
> On Thu, Dec 21, 2017 at 5:39 PM, Andrei Ivanov <andrei.iva...@gmail.com>
> wrote:
>
>> Yann? Are you there? 
>>
>> On Mon, Dec 4, 2017 at 3:43 PM, Andrei Ivanov <andrei.iva...@gmail.com>
>> wrote:
>>
>>> Hi Yann,
>>> Any news on the reviews?
>>>
>>> On Tue, Oct 3, 2017 at 9:58 AM, Andrei Ivanov <andrei.iva...@gmail.com>
>>> wrote:
>>>
>>>> Woohoo!
>>>>
>>>> Thank you ☺
>>>>
>>>> On Tue, Oct 3, 2017 at 1:44 AM, Yann Ylavic <ylavic@gmail.com>
>>>> wrote:
>>>>
>>>>> Hi Andrei,
>>>>>
>>>>> Committed to trunk (http://svn.apache.org/r1810605), should have a
>>>>> better visibility (and review) now.
>>>>>
>>>>> Regards,
>>>>> Yann.
>>>>>
>>>>>
>>>>> On Sun, Sep 17, 2017 at 8:18 PM, Andrei Ivanov <
>>>>> andrei.iva...@gmail.com> wrote:
>>>>>
>>>>>> Ok, I understand.
>>>>>>
>>>>>> Thank you very much 
>>>>>>
>>>>>> On Sun, Sep 17, 2017 at 7:14 PM, Yann Ylavic <ylavic@gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>> On Sun, Sep 10, 2017 at 12:46 PM, Andrei Ivanov <
>>>>>>> andrei.iva...@gmail.com> wrote:
>>>>>>> > Yann?
>>>>>>> > What's the next step? Your message didn't seem to draw attention
>>>>>>> from others
>>>>>>> > and it's been almost 2 months
>>>>>>>
>>>>>>> That's called lazy consensus :)
>>>>>>>
>>>>>>> In other words, I'll commit it to trunk (once rebased, since it
>>>>>>> currently applies to 2.4.x only).
>>>>>>> There, it will easily/likely be reviewed/amended by others, either
>>>>>>> before or after the backport is proposed for some future release (no
>>>>>>> timeline for this yet).
>>>>>>>
>>>>>>> Regards,
>>>>>>> Yann.
>>>>>>>
>>>>>>> 
>>>>>>> -
>>>>>>> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
>>>>>>> For additional commands, e-mail: users-h...@httpd.apache.org
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>

Re: [users@httpd] mod_lua and subprocess_env

[Andrei Ivanov]

Hello? Yann?

On Thu, Dec 21, 2017 at 5:39 PM, Andrei Ivanov <andrei.iva...@gmail.com>
wrote:

> Yann? Are you there? 
>
> On Mon, Dec 4, 2017 at 3:43 PM, Andrei Ivanov <andrei.iva...@gmail.com>
> wrote:
>
>> Hi Yann,
>> Any news on the reviews?
>>
>> On Tue, Oct 3, 2017 at 9:58 AM, Andrei Ivanov <andrei.iva...@gmail.com>
>> wrote:
>>
>>> Woohoo!
>>>
>>> Thank you ☺
>>>
>>> On Tue, Oct 3, 2017 at 1:44 AM, Yann Ylavic <ylavic@gmail.com>
>>> wrote:
>>>
>>>> Hi Andrei,
>>>>
>>>> Committed to trunk (http://svn.apache.org/r1810605), should have a
>>>> better visibility (and review) now.
>>>>
>>>> Regards,
>>>> Yann.
>>>>
>>>>
>>>> On Sun, Sep 17, 2017 at 8:18 PM, Andrei Ivanov <andrei.iva...@gmail.com
>>>> > wrote:
>>>>
>>>>> Ok, I understand.
>>>>>
>>>>> Thank you very much 
>>>>>
>>>>> On Sun, Sep 17, 2017 at 7:14 PM, Yann Ylavic <ylavic@gmail.com>
>>>>> wrote:
>>>>>
>>>>>> On Sun, Sep 10, 2017 at 12:46 PM, Andrei Ivanov <
>>>>>> andrei.iva...@gmail.com> wrote:
>>>>>> > Yann?
>>>>>> > What's the next step? Your message didn't seem to draw attention
>>>>>> from others
>>>>>> > and it's been almost 2 months
>>>>>>
>>>>>> That's called lazy consensus :)
>>>>>>
>>>>>> In other words, I'll commit it to trunk (once rebased, since it
>>>>>> currently applies to 2.4.x only).
>>>>>> There, it will easily/likely be reviewed/amended by others, either
>>>>>> before or after the backport is proposed for some future release (no
>>>>>> timeline for this yet).
>>>>>>
>>>>>> Regards,
>>>>>> Yann.
>>>>>>
>>>>>> -
>>>>>> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
>>>>>> For additional commands, e-mail: users-h...@httpd.apache.org
>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>

Re: [users@httpd] mod_lua and subprocess_env

[Andrei Ivanov]

Yann? Are you there? 

On Mon, Dec 4, 2017 at 3:43 PM, Andrei Ivanov <andrei.iva...@gmail.com>
wrote:

> Hi Yann,
> Any news on the reviews?
>
> On Tue, Oct 3, 2017 at 9:58 AM, Andrei Ivanov <andrei.iva...@gmail.com>
> wrote:
>
>> Woohoo!
>>
>> Thank you ☺
>>
>> On Tue, Oct 3, 2017 at 1:44 AM, Yann Ylavic <ylavic@gmail.com> wrote:
>>
>>> Hi Andrei,
>>>
>>> Committed to trunk (http://svn.apache.org/r1810605), should have a
>>> better visibility (and review) now.
>>>
>>> Regards,
>>> Yann.
>>>
>>>
>>> On Sun, Sep 17, 2017 at 8:18 PM, Andrei Ivanov <andrei.iva...@gmail.com>
>>> wrote:
>>>
>>>> Ok, I understand.
>>>>
>>>> Thank you very much 
>>>>
>>>> On Sun, Sep 17, 2017 at 7:14 PM, Yann Ylavic <ylavic@gmail.com>
>>>> wrote:
>>>>
>>>>> On Sun, Sep 10, 2017 at 12:46 PM, Andrei Ivanov <
>>>>> andrei.iva...@gmail.com> wrote:
>>>>> > Yann?
>>>>> > What's the next step? Your message didn't seem to draw attention
>>>>> from others
>>>>> > and it's been almost 2 months
>>>>>
>>>>> That's called lazy consensus :)
>>>>>
>>>>> In other words, I'll commit it to trunk (once rebased, since it
>>>>> currently applies to 2.4.x only).
>>>>> There, it will easily/likely be reviewed/amended by others, either
>>>>> before or after the backport is proposed for some future release (no
>>>>> timeline for this yet).
>>>>>
>>>>> Regards,
>>>>> Yann.
>>>>>
>>>>> -
>>>>> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
>>>>> For additional commands, e-mail: users-h...@httpd.apache.org
>>>>>
>>>>>
>>>>
>>>
>>
>

Re: [users@httpd] mod_lua and subprocess_env

[Andrei Ivanov]

Hi Yann,
Any news on the reviews?

On Tue, Oct 3, 2017 at 9:58 AM, Andrei Ivanov <andrei.iva...@gmail.com>
wrote:

> Woohoo!
>
> Thank you ☺
>
> On Tue, Oct 3, 2017 at 1:44 AM, Yann Ylavic <ylavic@gmail.com> wrote:
>
>> Hi Andrei,
>>
>> Committed to trunk (http://svn.apache.org/r1810605), should have a
>> better visibility (and review) now.
>>
>> Regards,
>> Yann.
>>
>>
>> On Sun, Sep 17, 2017 at 8:18 PM, Andrei Ivanov <andrei.iva...@gmail.com>
>> wrote:
>>
>>> Ok, I understand.
>>>
>>> Thank you very much 
>>>
>>> On Sun, Sep 17, 2017 at 7:14 PM, Yann Ylavic <ylavic@gmail.com>
>>> wrote:
>>>
>>>> On Sun, Sep 10, 2017 at 12:46 PM, Andrei Ivanov <
>>>> andrei.iva...@gmail.com> wrote:
>>>> > Yann?
>>>> > What's the next step? Your message didn't seem to draw attention from
>>>> others
>>>> > and it's been almost 2 months
>>>>
>>>> That's called lazy consensus :)
>>>>
>>>> In other words, I'll commit it to trunk (once rebased, since it
>>>> currently applies to 2.4.x only).
>>>> There, it will easily/likely be reviewed/amended by others, either
>>>> before or after the backport is proposed for some future release (no
>>>> timeline for this yet).
>>>>
>>>> Regards,
>>>> Yann.
>>>>
>>>> -
>>>> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
>>>> For additional commands, e-mail: users-h...@httpd.apache.org
>>>>
>>>>
>>>
>>
>

Re: [users@httpd] mod_lua and subprocess_env

[Andrei Ivanov]

Woohoo!

Thank you ☺

On Tue, Oct 3, 2017 at 1:44 AM, Yann Ylavic <ylavic@gmail.com> wrote:

> Hi Andrei,
>
> Committed to trunk (http://svn.apache.org/r1810605), should have a better
> visibility (and review) now.
>
> Regards,
> Yann.
>
>
> On Sun, Sep 17, 2017 at 8:18 PM, Andrei Ivanov <andrei.iva...@gmail.com>
> wrote:
>
>> Ok, I understand.
>>
>> Thank you very much 
>>
>> On Sun, Sep 17, 2017 at 7:14 PM, Yann Ylavic <ylavic@gmail.com>
>> wrote:
>>
>>> On Sun, Sep 10, 2017 at 12:46 PM, Andrei Ivanov <andrei.iva...@gmail.com>
>>> wrote:
>>> > Yann?
>>> > What's the next step? Your message didn't seem to draw attention from
>>> others
>>> > and it's been almost 2 months
>>>
>>> That's called lazy consensus :)
>>>
>>> In other words, I'll commit it to trunk (once rebased, since it
>>> currently applies to 2.4.x only).
>>> There, it will easily/likely be reviewed/amended by others, either
>>> before or after the backport is proposed for some future release (no
>>> timeline for this yet).
>>>
>>> Regards,
>>> Yann.
>>>
>>> -
>>> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
>>> For additional commands, e-mail: users-h...@httpd.apache.org
>>>
>>>
>>
>

Re: [users@httpd] mod_lua and subprocess_env

[Andrei Ivanov]

Ok, I understand.

Thank you very much 

On Sun, Sep 17, 2017 at 7:14 PM, Yann Ylavic <ylavic@gmail.com> wrote:

> On Sun, Sep 10, 2017 at 12:46 PM, Andrei Ivanov <andrei.iva...@gmail.com>
> wrote:
> > Yann?
> > What's the next step? Your message didn't seem to draw attention from
> others
> > and it's been almost 2 months
>
> That's called lazy consensus :)
>
> In other words, I'll commit it to trunk (once rebased, since it
> currently applies to 2.4.x only).
> There, it will easily/likely be reviewed/amended by others, either
> before or after the backport is proposed for some future release (no
> timeline for this yet).
>
> Regards,
> Yann.
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>
>

Re: [users@httpd] mod_lua and subprocess_env

[Andrei Ivanov]

Yann? Are you there? 

On Sun, Sep 10, 2017 at 1:46 PM, Andrei Ivanov <andrei.iva...@gmail.com>
wrote:

> Yann?
> What's the next step? Your message didn't seem to draw attention from
> others and it's been almost 2 months 
>
> On Mon, Aug 7, 2017 at 3:30 PM, Andrei Ivanov <andrei.iva...@gmail.com>
> wrote:
>
>> Hmm, if nobody comments on your proposal does it mean you get an implicit
>> commit acceptance after 1 month? 
>>
>> On Sat, Jul 15, 2017 at 7:35 PM, Andrei Ivanov <andrei.iva...@gmail.com>
>> wrote:
>>
>>> This is great news, thank you very much.
>>>
>>> So far I am monitoring the list archives through http://mail-archives.a
>>> pache.org/mod_mbox/httpd-dev/201707.mbox/browser :)
>>>
>>> On Sat, Jul 15, 2017 at 1:01 AM, Yann Ylavic <ylavic@gmail.com>
>>> wrote:
>>>
>>>> Hi Andrei,
>>>>
>>>> On Thu, Jul 13, 2017 at 3:21 PM, Andrei Ivanov <andrei.iva...@gmail.com>
>>>> wrote:
>>>> >
>>>> > Yann? Is it a good time now?
>>>>
>>>> I proposed the patch on the httpd-dev mailing list.
>>>> Waiting for feedbacks, then will commit it.
>>>>
>>>> I don't know if you are subscribed to this list, but most follow ups
>>>> will happen there now...
>>>> If you are not, I'll try to keep you informed here.
>>>>
>>>> Regards,
>>>> Yann.
>>>>
>>>> -
>>>> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
>>>> For additional commands, e-mail: users-h...@httpd.apache.org
>>>>
>>>>
>>>
>>
>

Re: [users@httpd] mod_lua and subprocess_env

[Andrei Ivanov]

Yann?
What's the next step? Your message didn't seem to draw attention from
others and it's been almost 2 months 

On Mon, Aug 7, 2017 at 3:30 PM, Andrei Ivanov <andrei.iva...@gmail.com>
wrote:

> Hmm, if nobody comments on your proposal does it mean you get an implicit
> commit acceptance after 1 month? 
>
> On Sat, Jul 15, 2017 at 7:35 PM, Andrei Ivanov <andrei.iva...@gmail.com>
> wrote:
>
>> This is great news, thank you very much.
>>
>> So far I am monitoring the list archives through http://mail-archives.a
>> pache.org/mod_mbox/httpd-dev/201707.mbox/browser :)
>>
>> On Sat, Jul 15, 2017 at 1:01 AM, Yann Ylavic <ylavic@gmail.com>
>> wrote:
>>
>>> Hi Andrei,
>>>
>>> On Thu, Jul 13, 2017 at 3:21 PM, Andrei Ivanov <andrei.iva...@gmail.com>
>>> wrote:
>>> >
>>> > Yann? Is it a good time now?
>>>
>>> I proposed the patch on the httpd-dev mailing list.
>>> Waiting for feedbacks, then will commit it.
>>>
>>> I don't know if you are subscribed to this list, but most follow ups
>>> will happen there now...
>>> If you are not, I'll try to keep you informed here.
>>>
>>> Regards,
>>> Yann.
>>>
>>> -
>>> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
>>> For additional commands, e-mail: users-h...@httpd.apache.org
>>>
>>>
>>
>

Re: [users@httpd] mod_lua and subprocess_env

[Andrei Ivanov]

Hmm, if nobody comments on your proposal does it mean you get an implicit
commit acceptance after 1 month? 

On Sat, Jul 15, 2017 at 7:35 PM, Andrei Ivanov <andrei.iva...@gmail.com>
wrote:

> This is great news, thank you very much.
>
> So far I am monitoring the list archives through http://mail-archives.
> apache.org/mod_mbox/httpd-dev/201707.mbox/browser :)
>
> On Sat, Jul 15, 2017 at 1:01 AM, Yann Ylavic <ylavic@gmail.com> wrote:
>
>> Hi Andrei,
>>
>> On Thu, Jul 13, 2017 at 3:21 PM, Andrei Ivanov <andrei.iva...@gmail.com>
>> wrote:
>> >
>> > Yann? Is it a good time now?
>>
>> I proposed the patch on the httpd-dev mailing list.
>> Waiting for feedbacks, then will commit it.
>>
>> I don't know if you are subscribed to this list, but most follow ups
>> will happen there now...
>> If you are not, I'll try to keep you informed here.
>>
>> Regards,
>> Yann.
>>
>> -
>> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
>> For additional commands, e-mail: users-h...@httpd.apache.org
>>
>>
>

Re: [users@httpd] mod_lua and subprocess_env

[Andrei Ivanov]

This is great news, thank you very much.

So far I am monitoring the list archives through
http://mail-archives.apache.org/mod_mbox/httpd-dev/201707.mbox/browser :)

On Sat, Jul 15, 2017 at 1:01 AM, Yann Ylavic <ylavic@gmail.com> wrote:

> Hi Andrei,
>
> On Thu, Jul 13, 2017 at 3:21 PM, Andrei Ivanov <andrei.iva...@gmail.com>
> wrote:
> >
> > Yann? Is it a good time now?
>
> I proposed the patch on the httpd-dev mailing list.
> Waiting for feedbacks, then will commit it.
>
> I don't know if you are subscribed to this list, but most follow ups
> will happen there now...
> If you are not, I'll try to keep you informed here.
>
> Regards,
> Yann.
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>
>

Re: [users@httpd] mod_lua and subprocess_env

[Andrei Ivanov]

Yann? Is it a good time now? 

On Tue, Jun 20, 2017 at 6:41 PM, Andrei Ivanov <andrei.iva...@gmail.com>
wrote:

> Hi,
> Seeing that 2.4.26 was released, is this a good time? 
>
> Thanks again.
>
> On Sun, May 28, 2017 at 11:54 PM, Yann Ylavic <ylavic@gmail.com>
> wrote:
>
>> Hi Andrei,
>>
>> On Wed, May 24, 2017 at 5:50 PM, Andrei Ivanov <andrei.iva...@gmail.com>
>> wrote:
>> >
>> > Does anybody know anything about Yann?
>>
>> I do :)
>>
>> Sorry I didn't have the time to propose something to the dev team for
>> now, while 2.4.26 is coming soon and is very unlikely to include such
>> a change on the core expression parser (without quite some testing and
>> review, we can't regress here...).
>>
>> Once 2.4.26 is out, I'll propose/commit the patch so that we can
>> discuss and hopefuly backport it to some future 2.4.x.
>>
>>
>> Regards,
>> Yann.
>>
>> -
>> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
>> For additional commands, e-mail: users-h...@httpd.apache.org
>>
>>
>

Re: [users@httpd] 'require' directive result

[Andrei Ivanov]

On Wed, Jun 21, 2017 at 6:24 PM, Luca Toscano <toscano.l...@gmail.com>
wrote:

> Hi Andrei,
>
> 2017-06-16 15:23 GMT+02:00 Andrei Ivanov <andrei.iva...@gmail.com>:
>
>> Hi,
>> Now that I've managed to configure my 'require' directive, I have a
>> requirement to log some details to syslog in case the request is not
>> authorized.
>>
>> 
>>   Require expr ""
>>   // if expression is false, log details about the request and maybe
>> the SSL certificate to syslog
>> 
>>
>> I've searched around, but I can't find how I could do that.
>>
>
> sorry for what might be trivial, but have you tried  etc.. ?
>
> https://httpd.apache.org/docs/2.4/mod/core.html#if
>
> Luca
>

Aaah, you got me thinking...
I'll try Tomorrow with SetEnvIfExpr and CustomLog :)

Thank you

Re: [users@httpd] mod_lua and subprocess_env

[Andrei Ivanov]

Hmm,
I was actually asking Yann about committing a patch he created.

I don't think I understand the connection with the CVEs.

On Tue, Jun 20, 2017 at 6:57 PM, Mitchell Krog Photography <
mitchellk...@gmail.com> wrote:

> Yes as it addresses a number of vulnerabilities discovered. Check mailing
> list for CVE messages sent earlier today.
>
> Kind Regards
> Mitchell Krog
> **
> Visit me at https://mitchellkrog.com
> **
> License My Images From Getty Images Here
> <http://www.gettyimages.com/search/photographer?family=creative=1=mitchell%20krog=best=true#license>
>
> or From Gallo Images Here
> <http://galloimages.co.za/Search?q=mitchell%20krog=1=1=2,1=2=on=1=48034=13=6>
> ******
>
> On 20 June 2017 at 17:41:22, Andrei Ivanov (andrei.iva...@gmail.com)
> wrote:
>
>> Hi,
>> Seeing that 2.4.26 was released, is this a good time? 
>>
>> Thanks again.
>>
>> On Sun, May 28, 2017 at 11:54 PM, Yann Ylavic <ylavic@gmail.com>
>> wrote:
>>
>>> Hi Andrei,
>>>
>>> On Wed, May 24, 2017 at 5:50 PM, Andrei Ivanov <andrei.iva...@gmail.com>
>>> wrote:
>>> >
>>> > Does anybody know anything about Yann?
>>>
>>> I do :)
>>>
>>> Sorry I didn't have the time to propose something to the dev team for
>>> now, while 2.4.26 is coming soon and is very unlikely to include such
>>> a change on the core expression parser (without quite some testing and
>>> review, we can't regress here...).
>>>
>>> Once 2.4.26 is out, I'll propose/commit the patch so that we can
>>> discuss and hopefuly backport it to some future 2.4.x.
>>>
>>>
>>> Regards,
>>> Yann.
>>>
>>> -
>>> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
>>> For additional commands, e-mail: users-h...@httpd.apache.org
>>>
>>>
>>

Re: [users@httpd] mod_lua and subprocess_env

[Andrei Ivanov]

Hi,
Seeing that 2.4.26 was released, is this a good time? 

Thanks again.

On Sun, May 28, 2017 at 11:54 PM, Yann Ylavic <ylavic@gmail.com> wrote:

> Hi Andrei,
>
> On Wed, May 24, 2017 at 5:50 PM, Andrei Ivanov <andrei.iva...@gmail.com>
> wrote:
> >
> > Does anybody know anything about Yann?
>
> I do :)
>
> Sorry I didn't have the time to propose something to the dev team for
> now, while 2.4.26 is coming soon and is very unlikely to include such
> a change on the core expression parser (without quite some testing and
> review, we can't regress here...).
>
> Once 2.4.26 is out, I'll propose/commit the patch so that we can
> discuss and hopefuly backport it to some future 2.4.x.
>
>
> Regards,
> Yann.
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>
>

[users@httpd] Re: 'require' directive result

[Andrei Ivanov]

Anybody? Can this be done in some way?

On Fri, Jun 16, 2017 at 4:23 PM, Andrei Ivanov <andrei.iva...@gmail.com>
wrote:

> Hi,
> Now that I've managed to configure my 'require' directive, I have a
> requirement to log some details to syslog in case the request is not
> authorized.
>
> 
>   Require expr ""
>   // if expression is false, log details about the request and maybe
> the SSL certificate to syslog
> 
>
> I've searched around, but I can't find how I could do that.
>
> Please help.
>
> Thank you
>

[users@httpd] 'require' directive result

[Andrei Ivanov]

Hi,
Now that I've managed to configure my 'require' directive, I have a
requirement to log some details to syslog in case the request is not
authorized.


  Require expr ""
  // if expression is false, log details about the request and maybe
the SSL certificate to syslog


I've searched around, but I can't find how I could do that.

Please help.

Thank you

Re: [users@httpd] mod_lua and subprocess_env

[Andrei Ivanov]

On Sun, May 28, 2017 at 11:54 PM, Yann Ylavic <ylavic@gmail.com> wrote:

> Hi Andrei,
>
> On Wed, May 24, 2017 at 5:50 PM, Andrei Ivanov <andrei.iva...@gmail.com>
> wrote:
> >
> > Does anybody know anything about Yann?
>
> I do :)
>
> Sorry I didn't have the time to propose something to the dev team for
> now, while 2.4.26 is coming soon and is very unlikely to include such
> a change on the core expression parser (without quite some testing and
> review, we can't regress here...).
>
> Once 2.4.26 is out, I'll propose/commit the patch so that we can
> discuss and hopefuly backport it to some future 2.4.x.
>
>
> Regards,
> Yann.


Thank you very much :-)

Re: [users@httpd] mod_lua and subprocess_env

[Andrei Ivanov]

Does anybody know anything about Yann? 樂

On Thu, Apr 27, 2017 at 3:47 PM, Andrei Ivanov <andrei.iva...@gmail.com>
wrote:

> Yann? 
>
>
> On Wed, Apr 19, 2017 at 11:49 AM, Andrei Ivanov <andrei.iva...@gmail.com>
> wrote:
>
>> On Apr 10, 2017 12:10 PM, "Andrei Ivanov" <andrei.iva...@gmail.com>
>> wrote:
>>
>> On Tue, Apr 4, 2017 at 4:25 PM, Andrei Ivanov <andrei.iva...@gmail.com>
>> wrote:
>>
>>> On Wed, Mar 29, 2017 at 12:16 PM, Andrei Ivanov <andrei.iva...@gmail.com
>>> > wrote:
>>>
>>>> On Thu, Mar 23, 2017 at 3:52 PM, Andrei Ivanov <andrei.iva...@gmail.com
>>>> > wrote:
>>>>
>>>>> On Wed, Mar 22, 2017 at 5:08 PM, Yann Ylavic <ylavic@gmail.com>
>>>>> wrote:
>>>>>
>>>>>> On Wed, Mar 22, 2017 at 3:45 PM, Andrei Ivanov <
>>>>>> andrei.iva...@gmail.com> wrote:
>>>>>> > On Wed, Mar 22, 2017 at 3:53 PM, Andrei Ivanov <
>>>>>> andrei.iva...@gmail.com>
>>>>>> > wrote:
>>>>>> >
>>>>>> > Argh! You've sent more emails but Gmail received them out of order
>>>>>> so I
>>>>>> > didn't see your initial email about the changed syntax.
>>>>>>
>>>>>> We seem to talk past each other :)
>>>>>> Anyway, maybe past failures make more sense now...
>>>>>>
>>>>>> >
>>>>>> > It works now! :-)
>>>>>> > Wooohooo!
>>>>>>
>>>>>> Cool.
>>>>>>
>>>>>> >
>>>>>> > Now... any chance of getting the patches included in the next
>>>>>> release? :-D
>>>>>>
>>>>>> Possibly, we'll propose and ask for feedbacks on the dev@ mailing
>>>>>> list first ;)
>>>>>>
>>>>>
>>>>> Any way I can help with this?
>>>>> I saw a discussion already started about 2.4.26...
>>>>>
>>>>
>>>> Yann? :-D
>>>>
>>>
>>> Ping :-/
>>>
>>
>> Yann, please come baaack!
>>
>>
>> 
>>
>>
>>
>>>
>>>
>>>>
>>>>
>>>>>
>>>>> Btw, I also created a ticket for what I thought was the solution at
>>>>> that time: https://bz.apache.org/bugzilla/show_bug.cgi?id=60456
>>>>> I guess that would still make sense to have in the future...
>>>>>
>>>>>
>>>>>>
>>>>>> >
>>>>>> > Thank you very much, I owe you many beers! :-)
>>>>>>
>>>>>> I can drink that! let's see :)
>>>>>>
>>>>>
>>>>
>>>
>>
>

Re: [users@httpd] mod_lua and subprocess_env

[Andrei Ivanov]

Yann? 

On Wed, Apr 19, 2017 at 11:49 AM, Andrei Ivanov <andrei.iva...@gmail.com>
wrote:

> On Apr 10, 2017 12:10 PM, "Andrei Ivanov" <andrei.iva...@gmail.com> wrote:
>
> On Tue, Apr 4, 2017 at 4:25 PM, Andrei Ivanov <andrei.iva...@gmail.com>
> wrote:
>
>> On Wed, Mar 29, 2017 at 12:16 PM, Andrei Ivanov <andrei.iva...@gmail.com>
>> wrote:
>>
>>> On Thu, Mar 23, 2017 at 3:52 PM, Andrei Ivanov <andrei.iva...@gmail.com>
>>> wrote:
>>>
>>>> On Wed, Mar 22, 2017 at 5:08 PM, Yann Ylavic <ylavic@gmail.com>
>>>> wrote:
>>>>
>>>>> On Wed, Mar 22, 2017 at 3:45 PM, Andrei Ivanov <
>>>>> andrei.iva...@gmail.com> wrote:
>>>>> > On Wed, Mar 22, 2017 at 3:53 PM, Andrei Ivanov <
>>>>> andrei.iva...@gmail.com>
>>>>> > wrote:
>>>>> >
>>>>> > Argh! You've sent more emails but Gmail received them out of order
>>>>> so I
>>>>> > didn't see your initial email about the changed syntax.
>>>>>
>>>>> We seem to talk past each other :)
>>>>> Anyway, maybe past failures make more sense now...
>>>>>
>>>>> >
>>>>> > It works now! :-)
>>>>> > Wooohooo!
>>>>>
>>>>> Cool.
>>>>>
>>>>> >
>>>>> > Now... any chance of getting the patches included in the next
>>>>> release? :-D
>>>>>
>>>>> Possibly, we'll propose and ask for feedbacks on the dev@ mailing
>>>>> list first ;)
>>>>>
>>>>
>>>> Any way I can help with this?
>>>> I saw a discussion already started about 2.4.26...
>>>>
>>>
>>> Yann? :-D
>>>
>>
>> Ping :-/
>>
>
> Yann, please come baaack!
>
>
> 
>
>
>
>>
>>
>>>
>>>
>>>>
>>>> Btw, I also created a ticket for what I thought was the solution at
>>>> that time: https://bz.apache.org/bugzilla/show_bug.cgi?id=60456
>>>> I guess that would still make sense to have in the future...
>>>>
>>>>
>>>>>
>>>>> >
>>>>> > Thank you very much, I owe you many beers! :-)
>>>>>
>>>>> I can drink that! let's see :)
>>>>>
>>>>
>>>
>>
>

Re: [users@httpd] mod_lua and subprocess_env

[Andrei Ivanov]

On Apr 10, 2017 12:10 PM, "Andrei Ivanov" <andrei.iva...@gmail.com> wrote:

On Tue, Apr 4, 2017 at 4:25 PM, Andrei Ivanov <andrei.iva...@gmail.com>
wrote:

> On Wed, Mar 29, 2017 at 12:16 PM, Andrei Ivanov <andrei.iva...@gmail.com>
> wrote:
>
>> On Thu, Mar 23, 2017 at 3:52 PM, Andrei Ivanov <andrei.iva...@gmail.com>
>> wrote:
>>
>>> On Wed, Mar 22, 2017 at 5:08 PM, Yann Ylavic <ylavic....@gmail.com>
>>> wrote:
>>>
>>>> On Wed, Mar 22, 2017 at 3:45 PM, Andrei Ivanov <andrei.iva...@gmail.com>
>>>> wrote:
>>>> > On Wed, Mar 22, 2017 at 3:53 PM, Andrei Ivanov <
>>>> andrei.iva...@gmail.com>
>>>> > wrote:
>>>> >
>>>> > Argh! You've sent more emails but Gmail received them out of order so
>>>> I
>>>> > didn't see your initial email about the changed syntax.
>>>>
>>>> We seem to talk past each other :)
>>>> Anyway, maybe past failures make more sense now...
>>>>
>>>> >
>>>> > It works now! :-)
>>>> > Wooohooo!
>>>>
>>>> Cool.
>>>>
>>>> >
>>>> > Now... any chance of getting the patches included in the next
>>>> release? :-D
>>>>
>>>> Possibly, we'll propose and ask for feedbacks on the dev@ mailing list
>>>> first ;)
>>>>
>>>
>>> Any way I can help with this?
>>> I saw a discussion already started about 2.4.26...
>>>
>>
>> Yann? :-D
>>
>
> Ping :-/
>

Yann, please come baaack!






>
>
>>
>>
>>>
>>> Btw, I also created a ticket for what I thought was the solution at that
>>> time: https://bz.apache.org/bugzilla/show_bug.cgi?id=60456
>>> I guess that would still make sense to have in the future...
>>>
>>>
>>>>
>>>> >
>>>> > Thank you very much, I owe you many beers! :-)
>>>>
>>>> I can drink that! let's see :)
>>>>
>>>
>>
>

Re: [users@httpd] mod_lua and subprocess_env

[Andrei Ivanov]

On Tue, Apr 4, 2017 at 4:25 PM, Andrei Ivanov <andrei.iva...@gmail.com>
wrote:

> On Wed, Mar 29, 2017 at 12:16 PM, Andrei Ivanov <andrei.iva...@gmail.com>
> wrote:
>
>> On Thu, Mar 23, 2017 at 3:52 PM, Andrei Ivanov <andrei.iva...@gmail.com>
>> wrote:
>>
>>> On Wed, Mar 22, 2017 at 5:08 PM, Yann Ylavic <ylavic@gmail.com>
>>> wrote:
>>>
>>>> On Wed, Mar 22, 2017 at 3:45 PM, Andrei Ivanov <andrei.iva...@gmail.com>
>>>> wrote:
>>>> > On Wed, Mar 22, 2017 at 3:53 PM, Andrei Ivanov <
>>>> andrei.iva...@gmail.com>
>>>> > wrote:
>>>> >
>>>> > Argh! You've sent more emails but Gmail received them out of order so
>>>> I
>>>> > didn't see your initial email about the changed syntax.
>>>>
>>>> We seem to talk past each other :)
>>>> Anyway, maybe past failures make more sense now...
>>>>
>>>> >
>>>> > It works now! :-)
>>>> > Wooohooo!
>>>>
>>>> Cool.
>>>>
>>>> >
>>>> > Now... any chance of getting the patches included in the next
>>>> release? :-D
>>>>
>>>> Possibly, we'll propose and ask for feedbacks on the dev@ mailing list
>>>> first ;)
>>>>
>>>
>>> Any way I can help with this?
>>> I saw a discussion already started about 2.4.26...
>>>
>>
>> Yann? :-D
>>
>
> Ping :-/
>

Yann, please come baaack!


>
>
>>
>>
>>>
>>> Btw, I also created a ticket for what I thought was the solution at that
>>> time: https://bz.apache.org/bugzilla/show_bug.cgi?id=60456
>>> I guess that would still make sense to have in the future...
>>>
>>>
>>>>
>>>> >
>>>> > Thank you very much, I owe you many beers! :-)
>>>>
>>>> I can drink that! let's see :)
>>>>
>>>
>>
>

Re: [users@httpd] mod_lua and subprocess_env

[Andrei Ivanov]

On Wed, Mar 29, 2017 at 12:16 PM, Andrei Ivanov <andrei.iva...@gmail.com>
wrote:

> On Thu, Mar 23, 2017 at 3:52 PM, Andrei Ivanov <andrei.iva...@gmail.com>
> wrote:
>
>> On Wed, Mar 22, 2017 at 5:08 PM, Yann Ylavic <ylavic@gmail.com>
>> wrote:
>>
>>> On Wed, Mar 22, 2017 at 3:45 PM, Andrei Ivanov <andrei.iva...@gmail.com>
>>> wrote:
>>> > On Wed, Mar 22, 2017 at 3:53 PM, Andrei Ivanov <
>>> andrei.iva...@gmail.com>
>>> > wrote:
>>> >
>>> > Argh! You've sent more emails but Gmail received them out of order so I
>>> > didn't see your initial email about the changed syntax.
>>>
>>> We seem to talk past each other :)
>>> Anyway, maybe past failures make more sense now...
>>>
>>> >
>>> > It works now! :-)
>>> > Wooohooo!
>>>
>>> Cool.
>>>
>>> >
>>> > Now... any chance of getting the patches included in the next release?
>>> :-D
>>>
>>> Possibly, we'll propose and ask for feedbacks on the dev@ mailing list
>>> first ;)
>>>
>>
>> Any way I can help with this?
>> I saw a discussion already started about 2.4.26...
>>
>
> Yann? :-D
>

Ping :-/


>
>
>>
>> Btw, I also created a ticket for what I thought was the solution at that
>> time: https://bz.apache.org/bugzilla/show_bug.cgi?id=60456
>> I guess that would still make sense to have in the future...
>>
>>
>>>
>>> >
>>> > Thank you very much, I owe you many beers! :-)
>>>
>>> I can drink that! let's see :)
>>>
>>
>

Re: [users@httpd] mod_lua and subprocess_env

[Andrei Ivanov]

On Thu, Mar 23, 2017 at 3:52 PM, Andrei Ivanov <andrei.iva...@gmail.com>
wrote:

> On Wed, Mar 22, 2017 at 5:08 PM, Yann Ylavic <ylavic@gmail.com> wrote:
>
>> On Wed, Mar 22, 2017 at 3:45 PM, Andrei Ivanov <andrei.iva...@gmail.com>
>> wrote:
>> > On Wed, Mar 22, 2017 at 3:53 PM, Andrei Ivanov <andrei.iva...@gmail.com
>> >
>> > wrote:
>> >
>> > Argh! You've sent more emails but Gmail received them out of order so I
>> > didn't see your initial email about the changed syntax.
>>
>> We seem to talk past each other :)
>> Anyway, maybe past failures make more sense now...
>>
>> >
>> > It works now! :-)
>> > Wooohooo!
>>
>> Cool.
>>
>> >
>> > Now... any chance of getting the patches included in the next release?
>> :-D
>>
>> Possibly, we'll propose and ask for feedbacks on the dev@ mailing list
>> first ;)
>>
>
> Any way I can help with this?
> I saw a discussion already started about 2.4.26...
>

Yann? :-D


>
> Btw, I also created a ticket for what I thought was the solution at that
> time: https://bz.apache.org/bugzilla/show_bug.cgi?id=60456
> I guess that would still make sense to have in the future...
>
>
>>
>> >
>> > Thank you very much, I owe you many beers! :-)
>>
>> I can drink that! let's see :)
>>
>

Re: [users@httpd] mod_lua and subprocess_env

[Andrei Ivanov]

On Wed, Mar 22, 2017 at 5:08 PM, Yann Ylavic <ylavic@gmail.com> wrote:

> On Wed, Mar 22, 2017 at 3:45 PM, Andrei Ivanov <andrei.iva...@gmail.com>
> wrote:
> > On Wed, Mar 22, 2017 at 3:53 PM, Andrei Ivanov <andrei.iva...@gmail.com>
> > wrote:
> >
> > Argh! You've sent more emails but Gmail received them out of order so I
> > didn't see your initial email about the changed syntax.
>
> We seem to talk past each other :)
> Anyway, maybe past failures make more sense now...
>
> >
> > It works now! :-)
> > Wooohooo!
>
> Cool.
>
> >
> > Now... any chance of getting the patches included in the next release?
> :-D
>
> Possibly, we'll propose and ask for feedbacks on the dev@ mailing list
> first ;)
>

Any way I can help with this?
I saw a discussion already started about 2.4.26...

Btw, I also created a ticket for what I thought was the solution at that
time: https://bz.apache.org/bugzilla/show_bug.cgi?id=60456
I guess that would still make sense to have in the future...


>
> >
> > Thank you very much, I owe you many beers! :-)
>
> I can drink that! let's see :)
>

Re: [users@httpd] mod_lua and subprocess_env

[Andrei Ivanov]

On Wed, Mar 22, 2017 at 3:53 PM, Andrei Ivanov <andrei.iva...@gmail.com>
wrote:

> On Wed, Mar 22, 2017 at 3:27 PM, Yann Ylavic <ylavic@gmail.com> wrote:
>
>> On Wed, Mar 22, 2017 at 1:37 PM, Yann Ylavic <ylavic@gmail.com>
>> wrote:
>> >
>> > There are two patches attached, one for the changes in httpd code, the
>> > other for the files generated by the bison/flex parser.
>>
>> The second patch was missing the changes in server/util_expr_parse.h,
>> resending...
>>
>> >
>> > Hope that helps,
>> > Yann.
>>
>
> Welcome back :-)
>
> Unfortunately,  the situation seems to be getting worse :-(
>
> These expressions don't work anymore: Can't parse value expression :
> Function 'PeerExtList' does not exist
>
> Header set Client-SAN "expr=%{PeerExtList:2.5.29.17}"
> Header set Expr1 "expr='IP Address:'.%{REMOTE_ADDR} -in
> %{PeerExtList:2.5.29.17}"
>
> I've modified this one to use the "normal" method syntax, hoping that
> would work:
>
> 
> Header set matched-dynamic true
> 
>
> Cannot parse condition clause: syntax error, unexpected T_ERROR, expecting
> T_VAR_END or ':': Invalid character in variable name '('
>
>
Argh! You've sent more emails but Gmail received them out of order so I
didn't see your initial email about the changed syntax.

It works now! :-)
Wooohooo!

Now... any chance of getting the patches included in the next release? :-D

Thank you very much, I owe you many beers! :-)

Re: [users@httpd] mod_lua and subprocess_env

[Andrei Ivanov]

On Wed, Mar 22, 2017 at 3:27 PM, Yann Ylavic  wrote:

> On Wed, Mar 22, 2017 at 1:37 PM, Yann Ylavic  wrote:
> >
> > There are two patches attached, one for the changes in httpd code, the
> > other for the files generated by the bison/flex parser.
>
> The second patch was missing the changes in server/util_expr_parse.h,
> resending...
>
> >
> > Hope that helps,
> > Yann.
>

Welcome back :-)

Unfortunately,  the situation seems to be getting worse :-(

These expressions don't work anymore: Can't parse value expression :
Function 'PeerExtList' does not exist

Header set Client-SAN "expr=%{PeerExtList:2.5.29.17}"
Header set Expr1 "expr='IP Address:'.%{REMOTE_ADDR} -in
%{PeerExtList:2.5.29.17}"

I've modified this one to use the "normal" method syntax, hoping that would
work:


Header set matched-dynamic true


Cannot parse condition clause: syntax error, unexpected T_ERROR, expecting
T_VAR_END or ':': Invalid character in variable name '('

Re: [users@httpd] mod_lua and subprocess_env

[Andrei Ivanov]

On Mon, Mar 13, 2017 at 4:16 PM, Andrei Ivanov <andrei.iva...@gmail.com>
wrote:

> On Fri, Mar 10, 2017 at 12:35 PM, Andrei Ivanov <andrei.iva...@gmail.com>
> wrote:
>
>> On Tue, Mar 7, 2017 at 7:08 PM, Andrei Ivanov <andrei.iva...@gmail.com>
>> wrote:
>>
>>> On Mon, Mar 6, 2017 at 12:57 PM, Yann Ylavic <ylavic@gmail.com>
>>> wrote:
>>>
>>>> Hi Andrei,
>>>>
>>>> On Mon, Mar 6, 2017 at 10:15 AM, Andrei Ivanov <andrei.iva...@gmail.com
>>>> > wrote:
>>>>
>>>>> On Thu, Mar 2, 2017 at 12:40 PM, Andrei Ivanov <
>>>>> andrei.iva...@gmail.com> wrote:
>>>>>
>>>>>> On Tue, Feb 28, 2017 at 12:09 PM, Andrei Ivanov <
>>>>>> andrei.iva...@gmail.com> wrote:
>>>>>>
>>>>>>> On Mon, Feb 27, 2017 at 11:58 AM, Andrei Ivanov <
>>>>>>> andrei.iva...@gmail.com> wrote:
>>>>>>>
>>>>>>>> On Fri, Feb 24, 2017 at 10:58 PM, Andrei Ivanov <
>>>>>>>> andrei.iva...@gmail.com> wrote:
>>>>>>>>
>>>>>>>>> On Feb 24, 2017 22:54, "Yann Ylavic" <ylavic@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>> On Fri, Feb 24, 2017 at 6:50 PM, Andrei Ivanov <
>>>>>>>>> andrei.iva...@gmail.com> wrote:
>>>>>>>>> >
>>>>>>>>> > I've managed to apply your patch and rebuild Apache and now I
>>>>>>>>> have:
>>>>>>>>> > Header set Client-IP "expr=%{REMOTE_ADDR}"
>>>>>>>>> > Header set Client-SAN "expr=%{PeerExtList:2.5.29.17}"
>>>>>>>>> > Header set Client-DN "expr=%{SSL_CLIENT_S_DN}"
>>>>>>>>>
>>>>>>>>> Could you please add:
>>>>>>>>>   Header set Expr "'IP Address:'.%{REMOTE_ADDR} -in
>>>>>>>>> PeerExtList('2.5.29.17')"
>>>>>>>>> ?
>>>>>>>>>
>>>>>>>>> If it outputed "Expr: IP Addressfalse" that'd be issue with
>>>>>>>>> operators'
>>>>>>>>> precedence.
>>>>>>>>> I'll try on my side, but you may beat me to it since you have the
>>>>>>>>> environment...
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Ugh, it's my work environment, I'll be able to access it only on
>>>>>>>>> Monday.
>>>>>>>>>
>>>>>>>>>
>>>>>>>> Tried now, I've adapted your suggestion a bit as it doesn't seem
>>>>>>>> correct:
>>>>>>>>
>>>>>>>> Header set Expr "expr='IP Address:'.%{REMOTE_ADDR} -in
>>>>>>>> %{PeerExtList:2.5.29.17}"
>>>>>>>>
>>>>>>>> This results in:
>>>>>>>> Expr: 'IP Address:'.159.107.78.127 -in email:,
>>>>>>>> email:, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1, IP
>>>>>>>> Address:159.107.78.127, IP Address:FE80:0:0:0:6D03:4CE1:C15F:5A44
>>>>>>>>
>>>>>>>> As far as I understand, it doesn't perform the concatenation
>>>>>>>> properly.
>>>>>>>> I've tried
>>>>>>>> Header set Expr "expr='%{IP Address:'
>>>>>>>> ​​
>>>>>>>> .%{REMOTE_ADDR}} -in %{PeerExtList:2.5.29.17}"
>>>>>>>>
>>>>>>>> But I get a parse error at startup:
>>>>>>>> Can't parse value expression : syntax error, unexpected T_ERROR,
>>>>>>>> expecting T_VAR_END or ':': Invalid character in variable name ' '
>>>>>>>>
>>>>>>>> But I think mod_headers has some different way of interpreting
>>>>>>>> expressions, because this doesn't work:
>>>>>>>>
>>>>>>>> Header set matched false
>>>>>>>> >>>>>>> ​​
>>>>>>>> %{PeerExtList:2.5.29.17}">
>>>>>>>> Header set matched true
>>>>>>>> 

Re: [users@httpd] mod_lua and subprocess_env

[Andrei Ivanov]

On Fri, Mar 10, 2017 at 12:35 PM, Andrei Ivanov <andrei.iva...@gmail.com>
wrote:

> On Tue, Mar 7, 2017 at 7:08 PM, Andrei Ivanov <andrei.iva...@gmail.com>
> wrote:
>
>> On Mon, Mar 6, 2017 at 12:57 PM, Yann Ylavic <ylavic@gmail.com>
>> wrote:
>>
>>> Hi Andrei,
>>>
>>> On Mon, Mar 6, 2017 at 10:15 AM, Andrei Ivanov <andrei.iva...@gmail.com>
>>> wrote:
>>>
>>>> On Thu, Mar 2, 2017 at 12:40 PM, Andrei Ivanov <andrei.iva...@gmail.com
>>>> > wrote:
>>>>
>>>>> On Tue, Feb 28, 2017 at 12:09 PM, Andrei Ivanov <
>>>>> andrei.iva...@gmail.com> wrote:
>>>>>
>>>>>> On Mon, Feb 27, 2017 at 11:58 AM, Andrei Ivanov <
>>>>>> andrei.iva...@gmail.com> wrote:
>>>>>>
>>>>>>> On Fri, Feb 24, 2017 at 10:58 PM, Andrei Ivanov <
>>>>>>> andrei.iva...@gmail.com> wrote:
>>>>>>>
>>>>>>>> On Feb 24, 2017 22:54, "Yann Ylavic" <ylavic@gmail.com> wrote:
>>>>>>>>
>>>>>>>> On Fri, Feb 24, 2017 at 6:50 PM, Andrei Ivanov <
>>>>>>>> andrei.iva...@gmail.com> wrote:
>>>>>>>> >
>>>>>>>> > I've managed to apply your patch and rebuild Apache and now I
>>>>>>>> have:
>>>>>>>> > Header set Client-IP "expr=%{REMOTE_ADDR}"
>>>>>>>> > Header set Client-SAN "expr=%{PeerExtList:2.5.29.17}"
>>>>>>>> > Header set Client-DN "expr=%{SSL_CLIENT_S_DN}"
>>>>>>>>
>>>>>>>> Could you please add:
>>>>>>>>   Header set Expr "'IP Address:'.%{REMOTE_ADDR} -in
>>>>>>>> PeerExtList('2.5.29.17')"
>>>>>>>> ?
>>>>>>>>
>>>>>>>> If it outputed "Expr: IP Addressfalse" that'd be issue with
>>>>>>>> operators'
>>>>>>>> precedence.
>>>>>>>> I'll try on my side, but you may beat me to it since you have the
>>>>>>>> environment...
>>>>>>>>
>>>>>>>>
>>>>>>>> Ugh, it's my work environment, I'll be able to access it only on
>>>>>>>> Monday.
>>>>>>>>
>>>>>>>>
>>>>>>> Tried now, I've adapted your suggestion a bit as it doesn't seem
>>>>>>> correct:
>>>>>>>
>>>>>>> Header set Expr "expr='IP Address:'.%{REMOTE_ADDR} -in
>>>>>>> %{PeerExtList:2.5.29.17}"
>>>>>>>
>>>>>>> This results in:
>>>>>>> Expr: 'IP Address:'.159.107.78.127 -in email:,
>>>>>>> email:, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1, IP
>>>>>>> Address:159.107.78.127, IP Address:FE80:0:0:0:6D03:4CE1:C15F:5A44
>>>>>>>
>>>>>>> As far as I understand, it doesn't perform the concatenation
>>>>>>> properly.
>>>>>>> I've tried
>>>>>>> Header set Expr "expr='%{IP Address:'
>>>>>>> ​​
>>>>>>> .%{REMOTE_ADDR}} -in %{PeerExtList:2.5.29.17}"
>>>>>>>
>>>>>>> But I get a parse error at startup:
>>>>>>> Can't parse value expression : syntax error, unexpected T_ERROR,
>>>>>>> expecting T_VAR_END or ':': Invalid character in variable name ' '
>>>>>>>
>>>>>>> But I think mod_headers has some different way of interpreting
>>>>>>> expressions, because this doesn't work:
>>>>>>>
>>>>>>> Header set matched false
>>>>>>> >>>>>> ​​
>>>>>>> %{PeerExtList:2.5.29.17}">
>>>>>>> Header set matched true
>>>>>>> 
>>>>>>>
>>>>>>> Cannot parse condition clause: syntax error, unexpected T_VAR_BEGIN,
>>>>>>> expecting T_ID or '{
>>>>>>>
>>>>>>
>>>>>> Yann? Any clues? :-)
>>>>>>
>>>>>
>>>>> Ping 
>>>>>
>>>>
>>>> Hello?
>>>>

Re: [users@httpd] mod_lua and subprocess_env

[Andrei Ivanov]

On Tue, Mar 7, 2017 at 7:08 PM, Andrei Ivanov <andrei.iva...@gmail.com>
wrote:

> On Mon, Mar 6, 2017 at 12:57 PM, Yann Ylavic <ylavic@gmail.com> wrote:
>
>> Hi Andrei,
>>
>> On Mon, Mar 6, 2017 at 10:15 AM, Andrei Ivanov <andrei.iva...@gmail.com>
>> wrote:
>>
>>> On Thu, Mar 2, 2017 at 12:40 PM, Andrei Ivanov <andrei.iva...@gmail.com>
>>> wrote:
>>>
>>>> On Tue, Feb 28, 2017 at 12:09 PM, Andrei Ivanov <
>>>> andrei.iva...@gmail.com> wrote:
>>>>
>>>>> On Mon, Feb 27, 2017 at 11:58 AM, Andrei Ivanov <
>>>>> andrei.iva...@gmail.com> wrote:
>>>>>
>>>>>> On Fri, Feb 24, 2017 at 10:58 PM, Andrei Ivanov <
>>>>>> andrei.iva...@gmail.com> wrote:
>>>>>>
>>>>>>> On Feb 24, 2017 22:54, "Yann Ylavic" <ylavic@gmail.com> wrote:
>>>>>>>
>>>>>>> On Fri, Feb 24, 2017 at 6:50 PM, Andrei Ivanov <
>>>>>>> andrei.iva...@gmail.com> wrote:
>>>>>>> >
>>>>>>> > I've managed to apply your patch and rebuild Apache and now I have:
>>>>>>> > Header set Client-IP "expr=%{REMOTE_ADDR}"
>>>>>>> > Header set Client-SAN "expr=%{PeerExtList:2.5.29.17}"
>>>>>>> > Header set Client-DN "expr=%{SSL_CLIENT_S_DN}"
>>>>>>>
>>>>>>> Could you please add:
>>>>>>>   Header set Expr "'IP Address:'.%{REMOTE_ADDR} -in
>>>>>>> PeerExtList('2.5.29.17')"
>>>>>>> ?
>>>>>>>
>>>>>>> If it outputed "Expr: IP Addressfalse" that'd be issue with
>>>>>>> operators'
>>>>>>> precedence.
>>>>>>> I'll try on my side, but you may beat me to it since you have the
>>>>>>> environment...
>>>>>>>
>>>>>>>
>>>>>>> Ugh, it's my work environment, I'll be able to access it only on
>>>>>>> Monday.
>>>>>>>
>>>>>>>
>>>>>> Tried now, I've adapted your suggestion a bit as it doesn't seem
>>>>>> correct:
>>>>>>
>>>>>> Header set Expr "expr='IP Address:'.%{REMOTE_ADDR} -in
>>>>>> %{PeerExtList:2.5.29.17}"
>>>>>>
>>>>>> This results in:
>>>>>> Expr: 'IP Address:'.159.107.78.127 -in email:,
>>>>>> email:, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1, IP
>>>>>> Address:159.107.78.127, IP Address:FE80:0:0:0:6D03:4CE1:C15F:5A44
>>>>>>
>>>>>> As far as I understand, it doesn't perform the concatenation properly.
>>>>>> I've tried
>>>>>> Header set Expr "expr='%{IP Address:'
>>>>>> ​​
>>>>>> .%{REMOTE_ADDR}} -in %{PeerExtList:2.5.29.17}"
>>>>>>
>>>>>> But I get a parse error at startup:
>>>>>> Can't parse value expression : syntax error, unexpected T_ERROR,
>>>>>> expecting T_VAR_END or ':': Invalid character in variable name ' '
>>>>>>
>>>>>> But I think mod_headers has some different way of interpreting
>>>>>> expressions, because this doesn't work:
>>>>>>
>>>>>> Header set matched false
>>>>>> >>>>> ​​
>>>>>> %{PeerExtList:2.5.29.17}">
>>>>>> Header set matched true
>>>>>> 
>>>>>>
>>>>>> Cannot parse condition clause: syntax error, unexpected T_VAR_BEGIN,
>>>>>> expecting T_ID or '{
>>>>>>
>>>>>
>>>>> Yann? Any clues? :-)
>>>>>
>>>>
>>>> Ping 
>>>>
>>>
>>> Hello?
>>>
>>
>> ​Yes sorry, was busy these days ;)
>>
>
> I understand, who isn't? :-)
>
> ​
>> ​Mixing different types (string, boolean, list) of expressions is not
>> working currently, and requires changes in the parser (I'll try to work on
>> this soon).
>>
>> In the meantime, maybe with my patch you could try to (uglily) match
>> "%{PeerExtList:2.5.29.17}" (as a string, hence with the operator "~=")
>> against something like "IP Address:".​%{REMOTE_ADDR}(,|$) ?
>>
>> I've experimented a bit more with your suggestion, still doesn't work :-(
>
> Header set Expr1 "expr='IP Address:'.%{REMOTE_ADDR} -in
> %{PeerExtList:2.5.29.17}"
> Header set Expr2 "expr=%{PeerExtList:2.5.29.17} =~ /%{REMOTE_ADDR}/"
> Header set Expr3 "expr=%{PeerExtList:2.5.29.17} =~ /159.107.78.131/"
>
> Expr1: 'IP Address:'.159.107.78.131 -in email:,
> email:, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1, IP
> Address:159.107.78.131, IP Address:FE80:0:0:0:6D03:4CE1:C15F:5A44
> Expr2: email:, email:, IP Address:127.0.0.1, IP
> Address:0:0:0:0:0:0:0:1, IP Address:159.107.78.131, IP
> Address:FE80:0:0:0:6D03:4CE1:C15F:5A44 =~ /159.107.78.131/
> Expr3: email:, email:, IP Address:127.0.0.1, IP
> Address:0:0:0:0:0:0:0:1, IP Address:159.107.78.131, IP
> Address:FE80:0:0:0:6D03:4CE1:C15F:5A44 =~ /159.107.78.131/
>
> So for mod_headers the expression isn't fully evaluated...
>
> Header set matched-dynamic false
> 
> Header set matched-dynamic true
> 
> Header set matched-static false
> 
> Header set matched-static true
> 
>
> matched-dynamic: false
> matched-static: true
>
> The match against a dynamic expression fails.
>
> Require expr "PeerExtList('2.5.29.17') =~ /'IP
> Address:'.%{REMOTE_ADDR}(,|$)/"
> Require expr "PeerExtList('2.5.29.17') =~ /'IP
> Address:159.107.78.131'(,|$)/"
>
> These both fail :-(
>
> Thank you for your patience.
>

Hello?

Re: [users@httpd] mod_lua and subprocess_env

[Andrei Ivanov]

On Mon, Mar 6, 2017 at 12:57 PM, Yann Ylavic <ylavic@gmail.com> wrote:

> Hi Andrei,
>
> On Mon, Mar 6, 2017 at 10:15 AM, Andrei Ivanov <andrei.iva...@gmail.com>
> wrote:
>
>> On Thu, Mar 2, 2017 at 12:40 PM, Andrei Ivanov <andrei.iva...@gmail.com>
>> wrote:
>>
>>> On Tue, Feb 28, 2017 at 12:09 PM, Andrei Ivanov <andrei.iva...@gmail.com
>>> > wrote:
>>>
>>>> On Mon, Feb 27, 2017 at 11:58 AM, Andrei Ivanov <
>>>> andrei.iva...@gmail.com> wrote:
>>>>
>>>>> On Fri, Feb 24, 2017 at 10:58 PM, Andrei Ivanov <
>>>>> andrei.iva...@gmail.com> wrote:
>>>>>
>>>>>> On Feb 24, 2017 22:54, "Yann Ylavic" <ylavic@gmail.com> wrote:
>>>>>>
>>>>>> On Fri, Feb 24, 2017 at 6:50 PM, Andrei Ivanov <
>>>>>> andrei.iva...@gmail.com> wrote:
>>>>>> >
>>>>>> > I've managed to apply your patch and rebuild Apache and now I have:
>>>>>> > Header set Client-IP "expr=%{REMOTE_ADDR}"
>>>>>> > Header set Client-SAN "expr=%{PeerExtList:2.5.29.17}"
>>>>>> > Header set Client-DN "expr=%{SSL_CLIENT_S_DN}"
>>>>>>
>>>>>> Could you please add:
>>>>>>   Header set Expr "'IP Address:'.%{REMOTE_ADDR} -in
>>>>>> PeerExtList('2.5.29.17')"
>>>>>> ?
>>>>>>
>>>>>> If it outputed "Expr: IP Addressfalse" that'd be issue with operators'
>>>>>> precedence.
>>>>>> I'll try on my side, but you may beat me to it since you have the
>>>>>> environment...
>>>>>>
>>>>>>
>>>>>> Ugh, it's my work environment, I'll be able to access it only on
>>>>>> Monday.
>>>>>>
>>>>>>
>>>>> Tried now, I've adapted your suggestion a bit as it doesn't seem
>>>>> correct:
>>>>>
>>>>> Header set Expr "expr='IP Address:'.%{REMOTE_ADDR} -in
>>>>> %{PeerExtList:2.5.29.17}"
>>>>>
>>>>> This results in:
>>>>> Expr: 'IP Address:'.159.107.78.127 -in email:,
>>>>> email:, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1, IP
>>>>> Address:159.107.78.127, IP Address:FE80:0:0:0:6D03:4CE1:C15F:5A44
>>>>>
>>>>> As far as I understand, it doesn't perform the concatenation properly.
>>>>> I've tried
>>>>> Header set Expr "expr='%{IP Address:'
>>>>> ​​
>>>>> .%{REMOTE_ADDR}} -in %{PeerExtList:2.5.29.17}"
>>>>>
>>>>> But I get a parse error at startup:
>>>>> Can't parse value expression : syntax error, unexpected T_ERROR,
>>>>> expecting T_VAR_END or ':': Invalid character in variable name ' '
>>>>>
>>>>> But I think mod_headers has some different way of interpreting
>>>>> expressions, because this doesn't work:
>>>>>
>>>>> Header set matched false
>>>>> >>>> ​​
>>>>> %{PeerExtList:2.5.29.17}">
>>>>> Header set matched true
>>>>> 
>>>>>
>>>>> Cannot parse condition clause: syntax error, unexpected T_VAR_BEGIN,
>>>>> expecting T_ID or '{
>>>>>
>>>>
>>>> Yann? Any clues? :-)
>>>>
>>>
>>> Ping 
>>>
>>
>> Hello?
>>
>
> ​Yes sorry, was busy these days ;)
>

I understand, who isn't? :-)

​
> ​Mixing different types (string, boolean, list) of expressions is not
> working currently, and requires changes in the parser (I'll try to work on
> this soon).
>
> In the meantime, maybe with my patch you could try to (uglily) match
> "%{PeerExtList:2.5.29.17}" (as a string, hence with the operator "~=")
> against something like "IP Address:".​%{REMOTE_ADDR}(,|$) ?
>
> I've experimented a bit more with your suggestion, still doesn't work :-(

Header set Expr1 "expr='IP Address:'.%{REMOTE_ADDR} -in
%{PeerExtList:2.5.29.17}"
Header set Expr2 "expr=%{PeerExtList:2.5.29.17} =~ /%{REMOTE_ADDR}/"
Header set Expr3 "expr=%{PeerExtList:2.5.29.17} =~ /159.107.78.131/"

Expr1: 'IP Address:'.159.107.78.131 -in email:,
email:, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1, IP
Address:159.107.78.131, IP Address:FE80:0:0:0:6D03:4CE1:C15F:5A44
Expr2: email:, email:, IP Address:127.0.0.1, IP
Address:0:0:0:0:0:0:0:1, IP Address:159.107.78.131, IP
Address:FE80:0:0:0:6D03:4CE1:C15F:5A44 =~ /159.107.78.131/
Expr3: email:, email:, IP Address:127.0.0.1, IP
Address:0:0:0:0:0:0:0:1, IP Address:159.107.78.131, IP
Address:FE80:0:0:0:6D03:4CE1:C15F:5A44 =~ /159.107.78.131/

So for mod_headers the expression isn't fully evaluated...

Header set matched-dynamic false

Header set matched-dynamic true

Header set matched-static false

Header set matched-static true


matched-dynamic: false
matched-static: true

The match against a dynamic expression fails.

Require expr "PeerExtList('2.5.29.17') =~ /'IP
Address:'.%{REMOTE_ADDR}(,|$)/"
Require expr "PeerExtList('2.5.29.17') =~ /'IP
Address:159.107.78.131'(,|$)/"

These both fail :-(

Thank you for your patience.

Re: [users@httpd] mod_lua and subprocess_env

[Andrei Ivanov]

On Thu, Mar 2, 2017 at 12:40 PM, Andrei Ivanov <andrei.iva...@gmail.com>
wrote:

> On Tue, Feb 28, 2017 at 12:09 PM, Andrei Ivanov <andrei.iva...@gmail.com>
> wrote:
>
>> On Mon, Feb 27, 2017 at 11:58 AM, Andrei Ivanov <andrei.iva...@gmail.com>
>> wrote:
>>
>>> On Fri, Feb 24, 2017 at 10:58 PM, Andrei Ivanov <andrei.iva...@gmail.com
>>> > wrote:
>>>
>>>> On Feb 24, 2017 22:54, "Yann Ylavic" <ylavic@gmail.com> wrote:
>>>>
>>>> On Fri, Feb 24, 2017 at 6:50 PM, Andrei Ivanov <andrei.iva...@gmail.com>
>>>> wrote:
>>>> >
>>>> > I've managed to apply your patch and rebuild Apache and now I have:
>>>> > Header set Client-IP "expr=%{REMOTE_ADDR}"
>>>> > Header set Client-SAN "expr=%{PeerExtList:2.5.29.17}"
>>>> > Header set Client-DN "expr=%{SSL_CLIENT_S_DN}"
>>>>
>>>> Could you please add:
>>>>   Header set Expr "'IP Address:'.%{REMOTE_ADDR} -in
>>>> PeerExtList('2.5.29.17')"
>>>> ?
>>>>
>>>> If it outputed "Expr: IP Addressfalse" that'd be issue with operators'
>>>> precedence.
>>>> I'll try on my side, but you may beat me to it since you have the
>>>> environment...
>>>>
>>>>
>>>> Ugh, it's my work environment, I'll be able to access it only on
>>>> Monday.
>>>>
>>>>
>>> Tried now, I've adapted your suggestion a bit as it doesn't seem correct:
>>>
>>> Header set Expr "expr='IP Address:'.%{REMOTE_ADDR} -in
>>> %{PeerExtList:2.5.29.17}"
>>>
>>> This results in:
>>> Expr: 'IP Address:'.159.107.78.127 -in email:,
>>> email:, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1, IP
>>> Address:159.107.78.127, IP Address:FE80:0:0:0:6D03:4CE1:C15F:5A44
>>>
>>> As far as I understand, it doesn't perform the concatenation properly.
>>> I've tried
>>> Header set Expr "expr='%{IP Address:'.%{REMOTE_ADDR}} -in
>>> %{PeerExtList:2.5.29.17}"
>>>
>>> But I get a parse error at startup:
>>> Can't parse value expression : syntax error, unexpected T_ERROR,
>>> expecting T_VAR_END or ':': Invalid character in variable name ' '
>>>
>>> But I think mod_headers has some different way of interpreting
>>> expressions, because this doesn't work:
>>>
>>> Header set matched false
>>> 
>>> Header set matched true
>>> 
>>>
>>> Cannot parse condition clause: syntax error, unexpected T_VAR_BEGIN,
>>> expecting T_ID or '{
>>>
>>
>> Yann? Any clues? :-)
>>
>
> Ping 
>

Hello?

Re: [users@httpd] mod_lua and subprocess_env

[Andrei Ivanov]

On Tue, Feb 28, 2017 at 12:09 PM, Andrei Ivanov <andrei.iva...@gmail.com>
wrote:

> On Mon, Feb 27, 2017 at 11:58 AM, Andrei Ivanov <andrei.iva...@gmail.com>
> wrote:
>
>> On Fri, Feb 24, 2017 at 10:58 PM, Andrei Ivanov <andrei.iva...@gmail.com>
>> wrote:
>>
>>> On Feb 24, 2017 22:54, "Yann Ylavic" <ylavic....@gmail.com> wrote:
>>>
>>> On Fri, Feb 24, 2017 at 6:50 PM, Andrei Ivanov <andrei.iva...@gmail.com>
>>> wrote:
>>> >
>>> > I've managed to apply your patch and rebuild Apache and now I have:
>>> > Header set Client-IP "expr=%{REMOTE_ADDR}"
>>> > Header set Client-SAN "expr=%{PeerExtList:2.5.29.17}"
>>> > Header set Client-DN "expr=%{SSL_CLIENT_S_DN}"
>>>
>>> Could you please add:
>>>   Header set Expr "'IP Address:'.%{REMOTE_ADDR} -in
>>> PeerExtList('2.5.29.17')"
>>> ?
>>>
>>> If it outputed "Expr: IP Addressfalse" that'd be issue with operators'
>>> precedence.
>>> I'll try on my side, but you may beat me to it since you have the
>>> environment...
>>>
>>>
>>> Ugh, it's my work environment, I'll be able to access it only on Monday.
>>>
>>>
>> Tried now, I've adapted your suggestion a bit as it doesn't seem correct:
>>
>> Header set Expr "expr='IP Address:'.%{REMOTE_ADDR} -in
>> %{PeerExtList:2.5.29.17}"
>>
>> This results in:
>> Expr: 'IP Address:'.159.107.78.127 -in email:,
>> email:, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1, IP
>> Address:159.107.78.127, IP Address:FE80:0:0:0:6D03:4CE1:C15F:5A44
>>
>> As far as I understand, it doesn't perform the concatenation properly.
>> I've tried
>> Header set Expr "expr='%{IP Address:'.%{REMOTE_ADDR}} -in
>> %{PeerExtList:2.5.29.17}"
>>
>> But I get a parse error at startup:
>> Can't parse value expression : syntax error, unexpected T_ERROR,
>> expecting T_VAR_END or ':': Invalid character in variable name ' '
>>
>> But I think mod_headers has some different way of interpreting
>> expressions, because this doesn't work:
>>
>> Header set matched false
>> 
>> Header set matched true
>> 
>>
>> Cannot parse condition clause: syntax error, unexpected T_VAR_BEGIN,
>> expecting T_ID or '{
>>
>
> Yann? Any clues? :-)
>

Ping 

Re: [users@httpd] mod_lua and subprocess_env

[Andrei Ivanov]

On Tue, Feb 28, 2017 at 2:02 PM, Eric Covener <cove...@gmail.com> wrote:

> On Mon, Feb 27, 2017 at 4:58 AM, Andrei Ivanov <andrei.iva...@gmail.com>
> wrote:
> > But I think mod_headers has some different way of interpreting
> expressions,
> > because this doesn't work:
>
> The grammar has different starting points for expressions that resolve
> to boolean values vs. strings. I think that's what's biting some of
> your experiments.
>

That's probably true and seems very unfortunate, every module interprets
expressions differently :-(
That's why I hope Yann can provide more patches to get this working :-)

Re: [users@httpd] mod_lua and subprocess_env

[Andrei Ivanov]

On Mon, Feb 27, 2017 at 11:58 AM, Andrei Ivanov <andrei.iva...@gmail.com>
wrote:

> On Fri, Feb 24, 2017 at 10:58 PM, Andrei Ivanov <andrei.iva...@gmail.com>
> wrote:
>
>> On Feb 24, 2017 22:54, "Yann Ylavic" <ylavic@gmail.com> wrote:
>>
>> On Fri, Feb 24, 2017 at 6:50 PM, Andrei Ivanov <andrei.iva...@gmail.com>
>> wrote:
>> >
>> > I've managed to apply your patch and rebuild Apache and now I have:
>> > Header set Client-IP "expr=%{REMOTE_ADDR}"
>> > Header set Client-SAN "expr=%{PeerExtList:2.5.29.17}"
>> > Header set Client-DN "expr=%{SSL_CLIENT_S_DN}"
>>
>> Could you please add:
>>   Header set Expr "'IP Address:'.%{REMOTE_ADDR} -in
>> PeerExtList('2.5.29.17')"
>> ?
>>
>> If it outputed "Expr: IP Addressfalse" that'd be issue with operators'
>> precedence.
>> I'll try on my side, but you may beat me to it since you have the
>> environment...
>>
>>
>> Ugh, it's my work environment, I'll be able to access it only on Monday.
>>
>>
> Tried now, I've adapted your suggestion a bit as it doesn't seem correct:
>
> Header set Expr "expr='IP Address:'.%{REMOTE_ADDR} -in
> %{PeerExtList:2.5.29.17}"
>
> This results in:
> Expr: 'IP Address:'.159.107.78.127 -in email:,
> email:, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1, IP
> Address:159.107.78.127, IP Address:FE80:0:0:0:6D03:4CE1:C15F:5A44
>
> As far as I understand, it doesn't perform the concatenation properly.
> I've tried
> Header set Expr "expr='%{IP Address:'.%{REMOTE_ADDR}} -in
> %{PeerExtList:2.5.29.17}"
>
> But I get a parse error at startup:
> Can't parse value expression : syntax error, unexpected T_ERROR, expecting
> T_VAR_END or ':': Invalid character in variable name ' '
>
> But I think mod_headers has some different way of interpreting
> expressions, because this doesn't work:
>
> Header set matched false
> 
> Header set matched true
> 
>
> Cannot parse condition clause: syntax error, unexpected T_VAR_BEGIN,
> expecting T_ID or '{
>

Yann? Any clues? :-)

Re: [users@httpd] mod_lua and subprocess_env

[Andrei Ivanov]

On Fri, Feb 24, 2017 at 10:58 PM, Andrei Ivanov <andrei.iva...@gmail.com>
wrote:

> On Feb 24, 2017 22:54, "Yann Ylavic" <ylavic@gmail.com> wrote:
>
> On Fri, Feb 24, 2017 at 6:50 PM, Andrei Ivanov <andrei.iva...@gmail.com>
> wrote:
> >
> > I've managed to apply your patch and rebuild Apache and now I have:
> > Header set Client-IP "expr=%{REMOTE_ADDR}"
> > Header set Client-SAN "expr=%{PeerExtList:2.5.29.17}"
> > Header set Client-DN "expr=%{SSL_CLIENT_S_DN}"
>
> Could you please add:
>   Header set Expr "'IP Address:'.%{REMOTE_ADDR} -in
> PeerExtList('2.5.29.17')"
> ?
>
> If it outputed "Expr: IP Addressfalse" that'd be issue with operators'
> precedence.
> I'll try on my side, but you may beat me to it since you have the
> environment...
>
>
> Ugh, it's my work environment, I'll be able to access it only on Monday.
>
>
Tried now, I've adapted your suggestion a bit as it doesn't seem correct:

Header set Expr "expr='IP Address:'.%{REMOTE_ADDR} -in
%{PeerExtList:2.5.29.17}"

This results in:
Expr: 'IP Address:'.159.107.78.127 -in email:,
email:, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1, IP
Address:159.107.78.127, IP Address:FE80:0:0:0:6D03:4CE1:C15F:5A44

As far as I understand, it doesn't perform the concatenation properly.
I've tried
Header set Expr "expr='%{IP Address:'.%{REMOTE_ADDR}} -in
%{PeerExtList:2.5.29.17}"

But I get a parse error at startup:
Can't parse value expression : syntax error, unexpected T_ERROR, expecting
T_VAR_END or ':': Invalid character in variable name ' '

But I think mod_headers has some different way of interpreting expressions,
because this doesn't work:

Header set matched false

Header set matched true


Cannot parse condition clause: syntax error, unexpected T_VAR_BEGIN,
expecting T_ID or '{

Re: [users@httpd] mod_lua and subprocess_env

[Andrei Ivanov]

On Feb 24, 2017 22:54, "Yann Ylavic" <ylavic@gmail.com> wrote:

On Fri, Feb 24, 2017 at 6:50 PM, Andrei Ivanov <andrei.iva...@gmail.com>
wrote:
>
> I've managed to apply your patch and rebuild Apache and now I have:
> Header set Client-IP "expr=%{REMOTE_ADDR}"
> Header set Client-SAN "expr=%{PeerExtList:2.5.29.17}"
> Header set Client-DN "expr=%{SSL_CLIENT_S_DN}"

Could you please add:
  Header set Expr "'IP Address:'.%{REMOTE_ADDR} -in
PeerExtList('2.5.29.17')"
?

If it outputed "Expr: IP Addressfalse" that'd be issue with operators'
precedence.
I'll try on my side, but you may beat me to it since you have the
environment...


Ugh, it's my work environment, I'll be able to access it only on Monday.

Re: [users@httpd] mod_lua and subprocess_env

[Andrei Ivanov]

On Wed, Feb 22, 2017 at 5:10 PM, Yann Ylavic <ylavic@gmail.com> wrote:

> On Wed, Feb 22, 2017 at 3:19 PM, Andrei Ivanov <andrei.iva...@gmail.com>
> wrote:
> > On Wed, Feb 22, 2017 at 3:36 PM, Yann Ylavic <ylavic@gmail.com>
> wrote:
> >>
> >> My bad, please try without the parentheses:
> >>
> >> Require expr "'IP Address:' . %{REMOTE_ADDR} -in
> >> PeerExtList('2.5.29.17')
> >
> > Did that too, Apache starts but the expression always returns false :-(
> >
> > And I can't find a way to debug it, to see what PeerExtList('2.5.29.17')
> > returns for my client certificate.
>
> My proposed patch (to be applied to 2.4.25) and:
> Header set Client-SAN "expr=%{PeerExtList:2.5.29.17}"
> does it.
>

I've managed to apply your patch and rebuild Apache and now I have:
Header set Client-IP "expr=%{REMOTE_ADDR}"
Header set Client-SAN "expr=%{PeerExtList:2.5.29.17}"
Header set Client-DN "expr=%{SSL_CLIENT_S_DN}"

Header set matched false

Header set matched true


results:
Client-IP: 159.107.78.119
Client-SAN: email:, email:, IP Address:127.0.0.1, IP
Address:0:0:0:0:0:0:0:1, IP Address:159.107.78.119, IP
Address:FE80:0:0:0:6D03:4CE1:C15F:5A44
Client-DN: CN=client-with-subjectAltName-with-IPs-4
matched: false

And with:

Require expr "'IP Address:'.%{REMOTE_ADDR} -in PeerExtList('2.5.29.17')"


I still get a 403 Forbidden :-(
AH01626: authorization result of Require expr "'IP Address:'.%{REMOTE_ADDR}
-in PeerExtList('2.5.29.17')": denied

What is wrong with it?

Re: [users@httpd] mod_lua and subprocess_env

[Andrei Ivanov]

On Wed, Feb 22, 2017 at 3:36 PM, Yann Ylavic <ylavic@gmail.com> wrote:

> On Wed, Feb 22, 2017 at 11:19 AM, Andrei Ivanov <andrei.iva...@gmail.com>
> wrote:
> > On Wed, Feb 22, 2017 at 12:02 PM, Yann Ylavic <ylavic@gmail.com>
> wrote:
> >>
> >> On Wed, Feb 22, 2017 at 10:58 AM, Andrei Ivanov <
> andrei.iva...@gmail.com>
> >> wrote:
> >> >
> >> > So... do I have a chance to get it running on RHEL 7.3 which ships
> with
> >> > 2.4.6?
> >>
> >> That may work in 2.4.6, I just didn't try ;)
> >> "Require expr ... -in" exists (as far as I can tell), and so is
> >> PeerExtList I think.
> >> Did you try it?
> >
> >
> > I didn't try on 2.4.6 because it fails even on 2.4.25:
> > 
> > Require expr "('IP Address:' . %{REMOTE_ADDR}) -in
> > PeerExtList('2.5.29.17')"
> > 
> >
> > Cannot parse expression in require line: syntax error, unexpected ')'
>
> My bad, please try without the parentheses:
>
> Require expr "'IP Address:' . %{REMOTE_ADDR} -in
> PeerExtList('2.5.29.17')


Did that too, Apache starts but the expression always returns false :-(

And I can't find a way to debug it, to see what PeerExtList('2.5.29.17')
returns for my client certificate.

Re: [users@httpd] mod_lua and subprocess_env

[Andrei Ivanov]

On Wed, Feb 22, 2017 at 12:02 PM, Yann Ylavic <ylavic@gmail.com> wrote:

> On Wed, Feb 22, 2017 at 10:58 AM, Andrei Ivanov <andrei.iva...@gmail.com>
> wrote:
> >
> > So... do I have a chance to get it running on RHEL 7.3 which ships with
> > 2.4.6?
>
> That may work in 2.4.6, I just didn't try ;)
> "Require expr ... -in" exists (as far as I can tell), and so is
> PeerExtList I think.
> Did you try it?
>

I didn't try on 2.4.6 because it fails even on 2.4.25:

Require expr "('IP Address:' . %{REMOTE_ADDR}) -in
PeerExtList('2.5.29.17')"


Cannot parse expression in require line: syntax error, unexpected ')'

Re: [users@httpd] mod_lua and subprocess_env

[Andrei Ivanov]

On Wed, Feb 22, 2017 at 2:13 AM, Yann Ylavic <ylavic@gmail.com> wrote:

> On Wed, Feb 22, 2017 at 1:09 AM, Yann Ylavic <ylavic@gmail.com> wrote:
> > On Tue, Feb 21, 2017 at 5:43 PM, Andrei Ivanov <andrei.iva...@gmail.com>
> wrote:
> >> On Tue, Feb 21, 2017 at 6:32 PM, Yann Ylavic <ylavic@gmail.com>
> wrote:
> >>>
> >>> On Tue, Feb 21, 2017 at 4:50 PM, Andrei Ivanov <
> andrei.iva...@gmail.com>
> >>> wrote:
> >>> >>>
> >>> >>> Header set Client-SAN "%{PeerExtList('2.5.29.17')}s"
> >>>
> >>> The syntax may be rather:
> >>>
> >>> Header set Client-SAN "expr=%{PeerExtList:2.5.29.17}"
> >>>
> >>> Does it work better?
> >>
> >>
> >> Uf, no :-(
> >
> > I've got it to work in (in 2.4.25), with a patch (attached), and for
> > me it outputs:
> > Client-SAN: DNS:www1.domain.tld, DNS:www2.domain.tld,
> > DNS:www3.domain.tld, IP Address:192.168.150.80, IP
> > Address:192.168.150.145, IP Address:172.25.25.100
> >
> > So I guess something like:
> > Require expr "('IP Address:' . %{REMOTE_ADDR}) -in
> PeerExtList('2.5.29.17')"
> > should work (at least with 2.4.5).
>
> I meant 2.4.25 here...
>

So... do I have a chance to get it running on RHEL 7.3 which ships with
2.4.6?
Not sure I'll be able to convince a telecom company to patch the sources
and rebuild it themselves :-(

Thank you very much for your help and patience :-)

Re: [users@httpd] mod_lua and subprocess_env

[Andrei Ivanov]

On Tue, Feb 21, 2017 at 6:43 PM, Andrei Ivanov <andrei.iva...@gmail.com>
wrote:

> On Tue, Feb 21, 2017 at 6:32 PM, Yann Ylavic <ylavic@gmail.com> wrote:
>
>> On Tue, Feb 21, 2017 at 4:50 PM, Andrei Ivanov <andrei.iva...@gmail.com>
>> wrote:
>> >>>
>> >>> Header set Client-SAN "%{PeerExtList('2.5.29.17')}s"
>>
>> The syntax may be rather:
>>
>> Header set Client-SAN "expr=%{PeerExtList:2.5.29.17}"
>>
>> Does it work better?
>>
>
> Uf, no :-(
> I've mentioned above, this is with Apache/2.4.6 (Red Hat Enterprise Linux)
> OpenSSL/1.0.1e-fips
> I was also trying the Header with expr=value, but then I noticed it's
> available in 2.4.10 and later
>
>

Trying with the latest Apache/2.4.25 and switching to expression values:
- These work:
Header set Client-IP "expr=%{REMOTE_ADDR}"
Header set Client-DN "expr=%{SSL_CLIENT_S_DN}"

- These do not work, even after I adapted the expression following the
documentation,
   "Function calls use the %{funcname:arg} syntax rather than
funcname(arg).":

   Header set Client-SAN "expr=%{PeerExtList:2.5.29.17}"
   Can't parse value expression : Function 'PeerExtList' does not exist

What should I do?
At least the standard expressions ("%{PeerExtList('2.5.29.17')}s") had a
modifier that indicated it's an SSL
expression and knew how to invoke it... even if it didn't work :-/

Re: [users@httpd] mod_lua and subprocess_env

[Andrei Ivanov]

On Tue, Feb 21, 2017 at 6:32 PM, Yann Ylavic <ylavic@gmail.com> wrote:

> On Tue, Feb 21, 2017 at 4:50 PM, Andrei Ivanov <andrei.iva...@gmail.com>
> wrote:
> >>>
> >>> Header set Client-SAN "%{PeerExtList('2.5.29.17')}s"
>
> The syntax may be rather:
>
> Header set Client-SAN "expr=%{PeerExtList:2.5.29.17}"
>
> Does it work better?
>

Uf, no :-(
I've mentioned above, this is with Apache/2.4.6 (Red Hat Enterprise Linux)
OpenSSL/1.0.1e-fips
I was also trying the Header with expr=value, but then I noticed it's
available in 2.4.10 and later

Re: [users@httpd] mod_lua and subprocess_env

[Andrei Ivanov]

On Mon, Feb 20, 2017 at 11:31 AM, Andrei Ivanov <andrei.iva...@gmail.com>
wrote:

> On Fri, Feb 17, 2017 at 12:18 PM, Andrei Ivanov <andrei.iva...@gmail.com>
> wrote:
>
>>
>> On Thu, Feb 16, 2017 at 9:26 PM, Eric Covener <cove...@gmail.com> wrote:
>>
>>> On Thu, Feb 16, 2017 at 11:16 AM, Andrei Ivanov <andrei.iva...@gmail.com>
>>> wrote:
>>> > Is there a way to debug this? To print the values from the expression
>>> in the
>>> > logs maybe?
>>>
>>> One simple way to debug is to use the same [sub-]expressions in
>>> mod_headers conditions or header values
>>>
>>
>> Great idea, thanks :-)
>>
>> Header set Client-IP "%{REMOTE_ADDR}e"
>> Header set Client-SAN "%{PeerExtList('2.5.29.17')}s"
>> Header set Client-DN "%{SSL_CLIENT_S_DN}s"
>>
>> Client-IP: 159.107.78.110
>> Client-SAN: (null)
>> Client-DN: CN=client-with-subjectAltName-with-just-IPs-2
>>
>> Unfortunately, I don't get the Client SAN :-(
>>
>> Btw, this is with Apache/2.4.6 (Red Hat Enterprise Linux)
>> OpenSSL/1.0.1e-fips
>> I was also trying the Header with expr=value, but then I noticed it's
>> available in 2.4.10 and later.
>>
>
> Can anybody understand why this doesn't work? :-(
> Please help.
>

Yan? Any thoughts please?

Re: [users@httpd] mod_lua and subprocess_env

[Andrei Ivanov]

On Fri, Feb 17, 2017 at 12:18 PM, Andrei Ivanov <andrei.iva...@gmail.com>
wrote:

>
> On Thu, Feb 16, 2017 at 9:26 PM, Eric Covener <cove...@gmail.com> wrote:
>
>> On Thu, Feb 16, 2017 at 11:16 AM, Andrei Ivanov <andrei.iva...@gmail.com>
>> wrote:
>> > Is there a way to debug this? To print the values from the expression
>> in the
>> > logs maybe?
>>
>> One simple way to debug is to use the same [sub-]expressions in
>> mod_headers conditions or header values
>>
>
> Great idea, thanks :-)
>
> Header set Client-IP "%{REMOTE_ADDR}e"
> Header set Client-SAN "%{PeerExtList('2.5.29.17')}s"
> Header set Client-DN "%{SSL_CLIENT_S_DN}s"
>
> Client-IP: 159.107.78.110
> Client-SAN: (null)
> Client-DN: CN=client-with-subjectAltName-with-just-IPs-2
>
> Unfortunately, I don't get the Client SAN :-(
>
> Btw, this is with Apache/2.4.6 (Red Hat Enterprise Linux)
> OpenSSL/1.0.1e-fips
> I was also trying the Header with expr=value, but then I noticed it's
> available in 2.4.10 and later.
>

Can anybody understand why this doesn't work? :-(
Please help.

Re: [users@httpd] filtering by IP SAN entries in the client certificate

[Andrei Ivanov]

On Thu, Feb 16, 2017 at 11:38 AM, Andrei Ivanov <andrei.iva...@gmail.com>
wrote:

> On Wed, Feb 15, 2017 at 12:46 PM, Daniel Gruno <humbed...@apache.org>
> wrote:
>
>> On 02/15/2017 11:31 AM, Andrei Ivanov wrote:
>> > Hi,
>> > I have a requirement to check incoming requests, something that would be
>> > succinctly expressed this way:
>> >
>> > 
>> > Require expr "%{REMOTE_ADDR} in %{SSL_CLIENT_SAN_IPaddr}"
>> > 
>> >
>> > This would check that the request IP address is among the IP addresses
>> > in the client certificate.
>> >
>> > Unfortunately, this doesn't work:
>> > 1. SSL_CLIENT_SAN_IPaddr is not exposed by mod_ssl, but I've switched to
>> > mod_nss, which exports it
>> > 2. The expression evaluation engine doesn't know how to evaluate this
>> > kind of expression
>> > 3. I've tried using mod_lua for the expression, but it can't access this
>> > kind of environment variables (and the SSL specific only if exposed by
>> > mod_ssl, not other modules, like mod_nss)
>>
>> Have you tried using a rewriterule hack to pass the var?
>> RewriteRule .* - [E=sanip:%{SSL:SSL_CLIENT_SAN_IPaddr}]
>>
>> that would expose it in mod_lua as r.subprocess_env['sanip'], provided
>> mod_nss actually exposes it.
>>
>
> Good idea, it... almost works (btw, I'm also discussing this topic on the
> mod_nss list):
>
> Did a quick index.php with a phpinfo() inside it and this is what I get
> for variables:
>
> _SERVER["SSL_CLIENT_SAN_IPaddr_0"]=127.0.0.1
> _SERVER["SSL_CLIENT_SAN_IPaddr_1"]=::1
> _SERVER["SSL_CLIENT_SAN_IPaddr_2"]=159.107.78.116
> _SERVER["SSL_CLIENT_SAN_IPaddr_3"]=fe80::6d03:4ce1:c15f:5a44
> _SERVER["SSL_CLIENT_SAN_Email_0"]=
> _SERVER["SSL_CLIENT_SAN_Email_1"]=
>
> So they are present.
>
> But this still only works for emails, not IPs:
> RewriteRule .* - [E=san_email:%{SSL:SSL_CLIENT_SAN_Email_0}]
> RewriteRule .* - [E=san_ip:%{SSL:SSL_CLIENT_SAN_IPaddr_0}]
>
> And the Lua part:
> r:emerg("san_ip: " .. (r.subprocess_env['san_ip'] or "N/A"));
> r:emerg("san_email: " .. (r.subprocess_env['san_email'] or "N/A"));
>
> With the associated log:
> [Wed Feb 15 18:54:10.357313 2017] [lua:emerg] [pid 19109] [client
> 159.107.78.116:63474] san_ip:
> [Wed Feb 15 18:54:10.357504 2017] [lua:emerg] [pid 19109] [client
> 159.107.78.116:63474] san_email: 
>
> Just an empty string for san_ip :-(
>
> I don't know what else to do to debug this and understand why the IP
> doesn't get there.
>
>

Following the debugging suggestion with mod_header, things are getting
weirder:
NSSOptions +StdEnvVars
RewriteEngine On
RewriteRule .* - [E=san_email_0:%{SSL:SSL_CLIENT_SAN_Email_0}]
RewriteRule .* - [E=san_email_1:%{SSL:SSL_CLIENT_SAN_Email_1}]
RewriteRule .* - [E=san_ip_0:%{SSL:SSL_CLIENT_SAN_IPaddr_0}]
RewriteRule .* - [E=san_ip_1:%{SSL:SSL_CLIENT_SAN_IPaddr_1}]
RewriteRule .* - [E=c_verify:%{SSL:SSL_CLIENT_VERIFY}]
RewriteRule .* - [E=c_s_dn:%{SSL:SSL_CLIENT_S_DN}]
RewriteRule .* - [E=ssl_ver_if:%{SSL:SSL_VERSION_INTERFACE}]
RewriteRule .* - [E=ssl_ver_lib:%{SSL:SSL_VERSION_LIBRARY}]
Header set Client-IP "%{REMOTE_ADDR}e"
Header set Client-SAN-Email-0 "%{SSL_CLIENT_SAN_Email_0}e"
Header set Client-SAN-Email-1 "%{SSL_CLIENT_SAN_Email_1}e"
Header set Client-SAN-IP-0 "%{SSL_CLIENT_SAN_IPaddr_0}e"
Header set Client-SAN-IP-1 "%{SSL_CLIENT_SAN_IPaddr_1}e"
Header set Client-DN "%{SSL_CLIENT_S_DN}s"

I've enabled StdEnvVars unconditionally, with the following results:
1. The Header expression work properly, the values are correct using
the 'e' specifier and not the 's' for SSL

2. The RewriteRule expression are broken, as can be seen from the Lua
script log output:
[Fri Feb 17 16:21:31.021141 2017] [lua:emerg] [pid 6510] [client
159.107.78.110:65399] san_ip_0:
[Fri Feb 17 16:21:31.021178 2017] [lua:emerg] [pid 6510] [client
159.107.78.110:65399] san_ip_1:
[Fri Feb 17 16:21:31.021215 2017] [lua:emerg] [pid 6510] [client
159.107.78.110:65399] san_email_0: 
[Fri Feb 17 16:21:31.021251 2017] [lua:emerg] [pid 6510] [client
159.107.78.110:65399] san_email_1: 

The IP addresses are not found at all while the Email addresses are
duplicated.
Removing the SSL: prefix from the expressions doesn't change
anything.

Note: mod_ssl is not loaded at all, I've seen some of the modifiers mention
that they'll read data from it.
Maybe there's a bug regarding the RewriteRule expressions? I'm using
Apache/2.4.6 (Red Hat Enterprise Linux)


>> >
>> > I have ran out of ideas on what to try.
>> >
>> > Please help.
>> >
>> > Thank you.
>>
>>

Re: [users@httpd] mod_lua and subprocess_env

[Andrei Ivanov]

On Thu, Feb 16, 2017 at 9:26 PM, Eric Covener <cove...@gmail.com> wrote:

> On Thu, Feb 16, 2017 at 11:16 AM, Andrei Ivanov <andrei.iva...@gmail.com>
> wrote:
> > Is there a way to debug this? To print the values from the expression in
> the
> > logs maybe?
>
> One simple way to debug is to use the same [sub-]expressions in
> mod_headers conditions or header values
>

Great idea, thanks :-)

Header set Client-IP "%{REMOTE_ADDR}e"
Header set Client-SAN "%{PeerExtList('2.5.29.17')}s"
Header set Client-DN "%{SSL_CLIENT_S_DN}s"

Client-IP: 159.107.78.110
Client-SAN: (null)
Client-DN: CN=client-with-subjectAltName-with-just-IPs-2

Unfortunately, I don't get the Client SAN :-(

Btw, this is with Apache/2.4.6 (Red Hat Enterprise Linux)
OpenSSL/1.0.1e-fips
I was also trying the Header with expr=value, but then I noticed it's
available in 2.4.10 and later.


> --
> Eric Covener
> cove...@gmail.com
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>
>

Re: [users@httpd] mod_lua and subprocess_env

[Andrei Ivanov]

On Thu, Feb 16, 2017 at 5:20 PM, Yann Ylavic <ylavic@gmail.com> wrote:

> On Thu, Feb 16, 2017 at 2:46 PM, Andrei Ivanov <andrei.iva...@gmail.com>
> wrote:
> >
> > I gave it a try, but seems to reach the same limitation of the expression
> > engine :-(
> > NSSRequire %{REMOTE_ADDR} in PeerExtList('2.5.29.17')
> > or
> > Require expr "%{REMOTE_ADDR} in PeerExtList('2.5.29.17')"
> >
> > AH00526: Syntax error on line 229 of /etc/httpd/conf.d/nss.conf:
> > Cannot parse expression in require line: syntax error, unexpected $end
>
> This (PeerExtList), for once, is a mod_ssl (and possibly not mod_nss?)
> extension...
>
> Hmm, indeed.

This one still doesn't work:
Require expr "%{REMOTE_ADDR} in PeerExtList('2.5.29.17')"
AH00526: Syntax error on line 145 of /etc/httpd/conf.d/ssl.conf:
Cannot parse expression in require line: syntax error, unexpected $end

But this one passes the configuration check:
SSLRequire %{REMOTE_ADDR} in PeerExtList('2.5.29.17')

The problem now is that I can't get it to pass when testing it with
requests :-(
[Thu Feb 16 18:12:38.928842 2017] [ssl:info] [pid 29931] [client
159.107.78.128:60511] AH02266: Access to /var/www/html/index.php denied for
159.107.78.128 (requirement expression not fulfilled)
[Thu Feb 16 18:12:38.928961 2017] [ssl:info] [pid 29931] [client
159.107.78.128:60511] AH02228: Failed expression: %{REMOTE_ADDR} in
PeerExtList('2.5.29.17')
[Thu Feb 16 18:12:38.928972 2017] [ssl:error] [pid 29931] [client
159.107.78.128:60511] AH02229: access to /var/www/html/index.php failed,
reason: SSL requirement expression not fulfilled

The client certificate gets validated, but the expression fails.
Is there a way to debug this? To print the values from the expression in
the logs maybe?


>
> Regards,
> Yann.
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>
>

Re: [users@httpd] mod_lua and subprocess_env

[Andrei Ivanov]

On Thu, Feb 16, 2017 at 2:49 PM, Yann Ylavic <ylavic@gmail.com> wrote:

> On Tue, Feb 14, 2017 at 1:24 PM, Andrei Ivanov <andrei.iva...@gmail.com>
> wrote:
> >
> > I'm using mod_nss exactly because mod_ssl doesn't expose that variable
> and
> > my issue that requests that is sitting ignored for 2 months now :-(
>
> Did you try something with SSLRequire or a  expression like
> "'' -in PeerExtList('2.5.29.17')" ?
>
> I never tested it, but since '2.5.29.17' is the OID for the
> certificate's SAN, and PeerExtList() may return the list of the inner
> strings, it could possibly work...
>
>
I gave it a try, but seems to reach the same limitation of the expression
engine :-(
NSSRequire %{REMOTE_ADDR} in PeerExtList('2.5.29.17')
or
Require expr "%{REMOTE_ADDR} in PeerExtList('2.5.29.17')"

AH00526: Syntax error on line 229 of /etc/httpd/conf.d/nss.conf:
Cannot parse expression in require line: syntax error, unexpected $end


>
> Regards,
> Yann.
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>
>

Re: [users@httpd] filtering by IP SAN entries in the client certificate

[Andrei Ivanov]

On Wed, Feb 15, 2017 at 12:46 PM, Daniel Gruno <humbed...@apache.org> wrote:

> On 02/15/2017 11:31 AM, Andrei Ivanov wrote:
> > Hi,
> > I have a requirement to check incoming requests, something that would be
> > succinctly expressed this way:
> >
> > 
> > Require expr "%{REMOTE_ADDR} in %{SSL_CLIENT_SAN_IPaddr}"
> > 
> >
> > This would check that the request IP address is among the IP addresses
> > in the client certificate.
> >
> > Unfortunately, this doesn't work:
> > 1. SSL_CLIENT_SAN_IPaddr is not exposed by mod_ssl, but I've switched to
> > mod_nss, which exports it
> > 2. The expression evaluation engine doesn't know how to evaluate this
> > kind of expression
> > 3. I've tried using mod_lua for the expression, but it can't access this
> > kind of environment variables (and the SSL specific only if exposed by
> > mod_ssl, not other modules, like mod_nss)
>
> Have you tried using a rewriterule hack to pass the var?
> RewriteRule .* - [E=sanip:%{SSL:SSL_CLIENT_SAN_IPaddr}]
>
> that would expose it in mod_lua as r.subprocess_env['sanip'], provided
> mod_nss actually exposes it.
>

Good idea, it... almost works (btw, I'm also discussing this topic on the
mod_nss list):

Did a quick index.php with a phpinfo() inside it and this is what I get for
variables:

_SERVER["SSL_CLIENT_SAN_IPaddr_0"]=127.0.0.1
_SERVER["SSL_CLIENT_SAN_IPaddr_1"]=::1
_SERVER["SSL_CLIENT_SAN_IPaddr_2"]=159.107.78.116
_SERVER["SSL_CLIENT_SAN_IPaddr_3"]=fe80::6d03:4ce1:c15f:5a44
_SERVER["SSL_CLIENT_SAN_Email_0"]=
_SERVER["SSL_CLIENT_SAN_Email_1"]=

So they are present.

But this still only works for emails, not IPs:
RewriteRule .* - [E=san_email:%{SSL:SSL_CLIENT_SAN_Email_0}]
RewriteRule .* - [E=san_ip:%{SSL:SSL_CLIENT_SAN_IPaddr_0}]

And the Lua part:
r:emerg("san_ip: " .. (r.subprocess_env['san_ip'] or "N/A"));
r:emerg("san_email: " .. (r.subprocess_env['san_email'] or "N/A"));

With the associated log:
[Wed Feb 15 18:54:10.357313 2017] [lua:emerg] [pid 19109] [client
159.107.78.116:63474] san_ip:
[Wed Feb 15 18:54:10.357504 2017] [lua:emerg] [pid 19109] [client
159.107.78.116:63474] san_email: 

Just an empty string for san_ip :-(

I don't know what else to do to debug this and understand why the IP
doesn't get there.


>
> >
> > I have ran out of ideas on what to try.
> >
> > Please help.
> >
> > Thank you.
>
>

[users@httpd] filtering by IP SAN entries in the client certificate

[Andrei Ivanov]

Hi,
I have a requirement to check incoming requests, something that would
be succinctly
expressed this way:


Require expr "%{REMOTE_ADDR} in %{SSL_CLIENT_SAN_IPaddr}"


This would check that the request IP address is among the IP addresses in
the client certificate.

Unfortunately, this doesn't work:
1. SSL_CLIENT_SAN_IPaddr is not exposed by mod_ssl, but I've switched to
mod_nss, which exports it
2. The expression evaluation engine doesn't know how to evaluate this kind
of expression
3. I've tried using mod_lua for the expression, but it can't access this
kind of environment variables (and the SSL specific only if exposed by
mod_ssl, not other modules, like mod_nss)

I have ran out of ideas on what to try.

Please help.

Thank you.

Re: [users@httpd] mod_lua and subprocess_env

[Andrei Ivanov]

On Tue, Feb 14, 2017 at 2:19 PM, Daniel Gruno <humbed...@apache.org> wrote:

> On 02/14/2017 01:16 PM, Andrei Ivanov wrote:
> > On Tue, Feb 14, 2017 at 1:59 PM, Daniel Gruno <humbed...@apache.org
> > <mailto:humbed...@apache.org>> wrote:
> >
> > On 02/14/2017 12:38 PM, Andrei Ivanov wrote:
> > > Hi,
> > > I'm trying to create a lua authorization script but I can't seem to
> > > access the request environment:
> > >
> > > require 'apache2'
> > >
> > > function authz_check_remote_ip_in_client_san(r)
> > > r:err("remote_ip_in_client_san running...");
> > > r:alert("uri: " .. r.uri);
> > > r:alert("useragent_ip: " .. r.useragent_ip);
> > > local ip = r.subprocess_env["REMOTE_ADDRESS"];
> > > r:crit("REMOTE_ADDRESS: " .. (ip or "N/A"));
> > > r:emerg("SSL_CLIENT_SAN_IPaddr: " ..
> > > (r.subprocess_env["SSL_CLIENT_SAN_IPaddr"] or "N/A"));
> >
> >
> > What about r.subprocess_env["REMOTE_ADDRESS"]? Shouldn't that work at
> least?
>
> Not exactly, this isn't CGI - the remote IP is exposed through
> r.useragent_ip. Getting environment variables is tricky since the Lua VM
> is sort of detached from the actual thread handling the request.
>

I was using the REMOTE_ADDRESS since it was used as an example in a post :-)
http://lua-users.org/lists/lua-l/2010-07/msg00671.html
Is subprocess_env working at all?


> >
> >
> > use r:ssl_var_lookup("SSL_CLIENT_SAN_IPaddr") instead.
> > r:ssl_var_lookup does the special SSL vars.
> >
> >
> > I don't get a nil now anymore, but I seem to get back an empty string :-(
> > SSL_CLIENT_SAN_IPaddr should be exposed by mod_nss, activated in this
> > virtual host.
>
> If it's not exposed by mod_ssl, then it may not be available through
> that call. You should try finding the corresponding mod_ssl variable if
> possible.
>
> I'm using mod_nss exactly because mod_ssl doesn't expose that variable and
my issue that requests that is sitting ignored for 2 months now :-(
I was hoping this would help:

NSSOptions +StdEnvVars




> >
> >
> >
> > With regards,
> > Daniel.
> >
> > >
> > > return apache2.AUTHZ_GRANTED
> > > end
> > >
> > > The logs show entries like this for the values accessed from
> > > r.subprocess_env:
> > > REMOTE_ADDRESS: N/A
> > > SSL_CLIENT_SAN_IPaddr: N/A
> > >
> > >
> > > LuaScope thread
> > > LuaAuthzProvider remote_ip_in_client_san
> > > /etc/httpd/authz/authz_check_remote_ip_in_client_san.lua
> > > authz_check_remote_ip_in_client_san
> > > 
> > > Require remote_ip_in_client_san
> > >
> > > # these don't seem to work so I'm trying to implement them in
> a LUA
> > > script
> > > #NSSRequire %{REMOTE_ADDR} in %{SSL_CLIENT_SAN_IPaddr}
> > > #Require expr "%{REMOTE_ADDR} in %{SSL_CLIENT_SAN_IPaddr}"
> > > 
> > >
> > > What am I doing wrong?
> > >
> > > Thank you in advance.
> >
> >
> > 
> -
> > To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> > <mailto:users-unsubscr...@httpd.apache.org>
> > For additional commands, e-mail: users-h...@httpd.apache.org
> > <mailto:users-h...@httpd.apache.org>
> >
> >
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>
>

Re: [users@httpd] mod_lua and subprocess_env

[Andrei Ivanov]

On Tue, Feb 14, 2017 at 1:59 PM, Daniel Gruno <humbed...@apache.org> wrote:

> On 02/14/2017 12:38 PM, Andrei Ivanov wrote:
> > Hi,
> > I'm trying to create a lua authorization script but I can't seem to
> > access the request environment:
> >
> > require 'apache2'
> >
> > function authz_check_remote_ip_in_client_san(r)
> > r:err("remote_ip_in_client_san running...");
> > r:alert("uri: " .. r.uri);
> > r:alert("useragent_ip: " .. r.useragent_ip);
> > local ip = r.subprocess_env["REMOTE_ADDRESS"];
> > r:crit("REMOTE_ADDRESS: " .. (ip or "N/A"));
> > r:emerg("SSL_CLIENT_SAN_IPaddr: " ..
> > (r.subprocess_env["SSL_CLIENT_SAN_IPaddr"] or "N/A"));
>
>
> What about r.subprocess_env["REMOTE_ADDRESS"]? Shouldn't that work at
least?


> use r:ssl_var_lookup("SSL_CLIENT_SAN_IPaddr") instead.
> r:ssl_var_lookup does the special SSL vars.
>

I don't get a nil now anymore, but I seem to get back an empty string :-(
SSL_CLIENT_SAN_IPaddr should be exposed by mod_nss, activated in this
virtual host.


>
> With regards,
> Daniel.
>
> >
> > return apache2.AUTHZ_GRANTED
> > end
> >
> > The logs show entries like this for the values accessed from
> > r.subprocess_env:
> > REMOTE_ADDRESS: N/A
> > SSL_CLIENT_SAN_IPaddr: N/A
> >
> >
> > LuaScope thread
> > LuaAuthzProvider remote_ip_in_client_san
> > /etc/httpd/authz/authz_check_remote_ip_in_client_san.lua
> > authz_check_remote_ip_in_client_san
> > 
> > Require remote_ip_in_client_san
> >
> > # these don't seem to work so I'm trying to implement them in a LUA
> > script
> > #NSSRequire %{REMOTE_ADDR} in %{SSL_CLIENT_SAN_IPaddr}
> > #Require expr "%{REMOTE_ADDR} in %{SSL_CLIENT_SAN_IPaddr}"
> > 
> >
> > What am I doing wrong?
> >
> > Thank you in advance.
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>
>

[users@httpd] mod_lua and subprocess_env

[Andrei Ivanov]

Hi,
I'm trying to create a lua authorization script but I can't seem to access
the request environment:

require 'apache2'

function authz_check_remote_ip_in_client_san(r)
r:err("remote_ip_in_client_san running...");
r:alert("uri: " .. r.uri);
r:alert("useragent_ip: " .. r.useragent_ip);
local ip = r.subprocess_env["REMOTE_ADDRESS"];
r:crit("REMOTE_ADDRESS: " .. (ip or "N/A"));
r:emerg("SSL_CLIENT_SAN_IPaddr: " ..
(r.subprocess_env["SSL_CLIENT_SAN_IPaddr"] or "N/A"));

return apache2.AUTHZ_GRANTED
end

The logs show entries like this for the values accessed from
r.subprocess_env:
REMOTE_ADDRESS: N/A
SSL_CLIENT_SAN_IPaddr: N/A


LuaScope thread
LuaAuthzProvider remote_ip_in_client_san
/etc/httpd/authz/authz_check_remote_ip_in_client_san.lua
authz_check_remote_ip_in_client_san

Require remote_ip_in_client_san

# these don't seem to work so I'm trying to implement them in a LUA
script
#NSSRequire %{REMOTE_ADDR} in %{SSL_CLIENT_SAN_IPaddr}
#Require expr "%{REMOTE_ADDR} in %{SSL_CLIENT_SAN_IPaddr}"


What am I doing wrong?

Thank you in advance.

Re: [users@httpd] SSL_CLIENT_SAN IP addr validation

[Andrei Ivanov]

I think the nicest way would be like mod_ssl does with PeerExtList:

Example
SSLRequire "foobar" in PeerExtList("1.2.3.4.5.6")

So at least it's nice to know Apache Httpd already does this in some cases.

I guess I'll update my ticket, or maybe create a new one for all
the subjectAltName variables.

Thanks for the help.

On Mon, Dec 19, 2016 at 7:48 PM, Marat Khalili  wrote:

> As additional benefit, when you will be able to issue certificates with
> regular expressions matching whole subnets! :)
>
> --
>
> With Best Regards,
> Marat Khalili
>
>
> On 19/12/16 20:41, Marat Khalili wrote:
>
>> Are you suggesting to put the IP address with the DNS prefix instead of
>>> the proper IP prefix?
>>>
>> Actually, I was not aware of official possibility of having an IP address
>> in subjectAltName until 5 minutes ago :) But since Apache developers also
>> didn't provide for this, using DNS prefix is definitely an option.
>>
>> Also what about the possibility of having a variable number of addresses
>>> there?
>>>
>> Provided you are not going to have too many SANs, quick and dirty
>> solution would be:
>>
>>> Require expr "%{REMOTE_ADDR} =~ /^(%{SSL_CLIENT_SAN_DNS_1}|%{S
>>> SL_CLIENT_SAN_DNS_2}|%{SSL_CLIENT_SAN_DNS_3}|%{SSL_CLIENT_
>>> SAN_DNS_4}|...)$/"
>>>
>> (Missing variables will expand to empty strings). I hope  I know it's
>> ugly as hell, but so are client certificates with multiple IP address
>> aliases.
>>
>> --
>>
>> With Best Regards,
>> Marat Khalili
>>
>>
>> -
>> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
>> For additional commands, e-mail: users-h...@httpd.apache.org
>>
>>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>
>

Re: [users@httpd] SSL_CLIENT_SAN IP addr validation

[Andrei Ivanov]

Hmm,
Are you suggesting to put the IP address with the DNS prefix instead of the
proper IP prefix?

Also what about the possibility of having a variable number of addresses
there?
It would have been nice to have something like "%{REMOTE_ADDR} in %{
SSL_CLIENT_SAN_IPaddrs}",
where SSL_CLIENT_SAN_IPaddrs would be an array with the addresses and 'in'
would be the 'array contains' operator.


On Mon, Dec 19, 2016 at 6:09 PM, Marat Khalili <m...@rqc.ru> wrote:

> If you really put IP address in domain subjectAltName and want to verify
> it, I suppose expression should be something like this:
>
> Require expr "%{SSL_CLIENT_SAN_DNS_1} == %{REMOTE_ADDR}"
>
>
> --
>
> With Best Regards,
> Marat Khalili
>
> On 19/12/16 18:48, Andrei Ivanov wrote:
>
> Hi,
> Yes, I did notice the suggestion of using Require expr, the problem is
> that I don't know what expression I could use, with the details explained
> bellow.
>
> Anyway to do this without a variable containing the subjectAltName IP
> address?
>
> Regarding if this actually makes sense or not is a different story, as
> this was decided by other people... :-)
>
>
> On Mon, Dec 19, 2016 at 5:41 PM, Marat Khalili <m...@rqc.ru> wrote:
>
>> Docs suggest
>> <https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslrequire> using
>> Require expr in place of SSLRequire. Require expr supports such variables
>> as REMOTE_ADDR and CONN_REMOTE_ADDR. In any case, I do not see much sense
>> in issuing or verifying certificates with IP address in subjectAltName.
>>
>> What you probably want is accepting clients belonging to particular
>> group. Issue them certificates with the same organizational unit and verify
>> SSL_CLIENT_S_DN_OU as well as SSL_CLIENT_S_DN_O.
>> --
>>
>> With Best Regards,
>> Marat Khalili
>>
>> On 15/12/16 13:46, Andrei Ivanov wrote:
>>
>> Hi,
>> I'm trying to validate incoming requests by comparing the request IP to
>> the IP addresses provided in the client certificate subjectAltName.
>>
>> Searching around, I found
>> <http://wiki.cacert.org/ApacheServerClientCertificateAuthentication>
>> http://wiki.cacert.org/ApacheServerClientCertificateAuthentication,
>> which gives an example using the email address:
>>
>> SSLRequire %{SSL_CLIENT_S_DN_Email} =~ m/^[^@]*@example\.com$/  or 
>> %{SSL_CLIENT_S_DN_Email_0} =~ m/^[^@]*@example\.com$/  or 
>> %{SSL_CLIENT_S_DN_Email_1} =~ m/^[^@]*@example\.com$/  or 
>> %{SSL_CLIENT_S_DN_Email_2} =~ m/^[^@]*@example\.com$/  or 
>> %{SSL_CLIENT_S_DN_Email_3} =~ m/^[^@]*@example\.com$/
>>
>>
>> But there 2 problems:
>> 1. the IP addresses are not exported as a variables by mod_ssl (see
>> <https://bz.apache.org/bugzilla/show_bug.cgi?id=60456>
>> https://bz.apache.org/bugzilla/show_bug.cgi?id=60456)
>> 2. The number of IP addresses is variable, not sure how I could do the
>> check with an expression
>>
>> The Apache Httpd is a frontend for a PHP and a Python application, so it
>> would be nice to be able to do this filtering in one place instead of doing
>> it at the applications level.
>>
>> Any suggestions?
>>
>> Thank you.
>>
>>
>>
>
>

Re: [users@httpd] SSL_CLIENT_SAN IP addr validation

[Andrei Ivanov]

Hi,
Yes, I did notice the suggestion of using Require expr, the problem is that
I don't know what expression I could use, with the details explained bellow.

Anyway to do this without a variable containing the subjectAltName IP
address?

Regarding if this actually makes sense or not is a different story, as this
was decided by other people... :-)


On Mon, Dec 19, 2016 at 5:41 PM, Marat Khalili <m...@rqc.ru> wrote:

> Docs suggest
> <https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslrequire> using
> Require expr in place of SSLRequire. Require expr supports such variables
> as REMOTE_ADDR and CONN_REMOTE_ADDR. In any case, I do not see much sense
> in issuing or verifying certificates with IP address in subjectAltName.
>
> What you probably want is accepting clients belonging to particular group.
> Issue them certificates with the same organizational unit and verify
> SSL_CLIENT_S_DN_OU as well as SSL_CLIENT_S_DN_O.
> --
>
> With Best Regards,
> Marat Khalili
>
> On 15/12/16 13:46, Andrei Ivanov wrote:
>
> Hi,
> I'm trying to validate incoming requests by comparing the request IP to
> the IP addresses provided in the client certificate subjectAltName.
>
> Searching around, I found http://wiki.cacert.org/
> ApacheServerClientCertificateAuthentication, which gives an example using
> the email address:
>
> SSLRequire %{SSL_CLIENT_S_DN_Email} =~ m/^[^@]*@example\.com$/  or 
> %{SSL_CLIENT_S_DN_Email_0} =~ m/^[^@]*@example\.com$/  or 
> %{SSL_CLIENT_S_DN_Email_1} =~ m/^[^@]*@example\.com$/  or 
> %{SSL_CLIENT_S_DN_Email_2} =~ m/^[^@]*@example\.com$/  or 
> %{SSL_CLIENT_S_DN_Email_3} =~ m/^[^@]*@example\.com$/
>
>
> But there 2 problems:
> 1. the IP addresses are not exported as a variables by mod_ssl (see
> https://bz.apache.org/bugzilla/show_bug.cgi?id=60456)
> 2. The number of IP addresses is variable, not sure how I could do the
> check with an expression
>
> The Apache Httpd is a frontend for a PHP and a Python application, so it
> would be nice to be able to do this filtering in one place instead of doing
> it at the applications level.
>
> Any suggestions?
>
> Thank you.
>
>
>

[users@httpd] Re: SSL_CLIENT_SAN IP addr validation

[Andrei Ivanov]

Anybody? :-/

On Thu, Dec 15, 2016 at 12:46 PM, Andrei Ivanov <andrei.iva...@gmail.com>
wrote:

> Hi,
> I'm trying to validate incoming requests by comparing the request IP to
> the IP addresses provided in the client certificate subjectAltName.
>
> Searching around, I found http://wiki.cacert.org/
> ApacheServerClientCertificateAuthentication, which gives an example using
> the email address:
>
> SSLRequire %{SSL_CLIENT_S_DN_Email} =~ m/^[^@]*@example\.com$/  or 
> %{SSL_CLIENT_S_DN_Email_0} =~ m/^[^@]*@example\.com$/  or 
> %{SSL_CLIENT_S_DN_Email_1} =~ m/^[^@]*@example\.com$/  or 
> %{SSL_CLIENT_S_DN_Email_2} =~ m/^[^@]*@example\.com$/  or 
> %{SSL_CLIENT_S_DN_Email_3} =~ m/^[^@]*@example\.com$/
>
> But there 2 problems:
> 1. the IP addresses are not exported as a variables by mod_ssl (see
> https://bz.apache.org/bugzilla/show_bug.cgi?id=60456)
> 2. The number of IP addresses is variable, not sure how I could do the
> check with an expression
>
> The Apache Httpd is a frontend for a PHP and a Python application, so it
> would be nice to be able to do this filtering in one place instead of doing
> it at the applications level.
>
> Any suggestions?
>
> Thank you.
>

[users@httpd] SSL_CLIENT_SAN IP addr validation

[Andrei Ivanov]

Hi,
I'm trying to validate incoming requests by comparing the request IP to the
IP addresses provided in the client certificate subjectAltName.

Searching around, I found
http://wiki.cacert.org/ApacheServerClientCertificateAuthentication, which
gives an example using the email address:

SSLRequire %{SSL_CLIENT_S_DN_Email} =~ m/^[^@]*@example\.com$/
 or %{SSL_CLIENT_S_DN_Email_0} =~ m/^[^@]*@example\.com$/  or
%{SSL_CLIENT_S_DN_Email_1} =~ m/^[^@]*@example\.com$/  or
%{SSL_CLIENT_S_DN_Email_2} =~ m/^[^@]*@example\.com$/  or
%{SSL_CLIENT_S_DN_Email_3} =~ m/^[^@]*@example\.com$/

But there 2 problems:
1. the IP addresses are not exported as a variables by mod_ssl (see
https://bz.apache.org/bugzilla/show_bug.cgi?id=60456)
2. The number of IP addresses is variable, not sure how I could do the
check with an expression

The Apache Httpd is a frontend for a PHP and a Python application, so it
would be nice to be able to do this filtering in one place instead of doing
it at the applications level.

Any suggestions?

Thank you.