Re: TTLimit directive
Hey Nick,

anything else is missing from me regarding this patch?

On Tue, Jun 13, 2017 at 2:20 PM, Donatas Abraitis <donatas.abrai...@gmail.com> wrote:

> Hey Nick,
>
> it must be 0, not 255. I updated it in patch attached
>
> Sent from my iPhone
>
> > On 13 Jun 2017, at 13:52, Nick Kew <n...@apache.org> wrote:
> >
> >> On Tue, 2017-06-13 at 11:41 +0300, Donatas Abraitis wrote:
> >>
> >> I would like to propose this patchset allowing to set maximum TTL value
> >> for incoming requests. This is not a usual use case, but I'm interested
> >> (maybe others too) to have this in place. The real use case would be like
> >> this one http://blog.donatas.net/blog/2017/04/20/http-request-validation/.
> >
> > Thanks! I'm not sure I follow your exact scenario, but it
> > looks like a modest enhancement at very low cost or risk!
> >
> >> TL;DR: if you want to deny requests bypassing proxy layer (in this case
> >> Apache operates as a backend). Hence set TTLimit to 1 and Apache will be
> >> able to handle requests coming almost from the local network, because
> >> packets with TTL usually come from local networks.
> >>
> >> I don't know which place is the right place to put patches, but
> >> original patch is here:
> >> https://bz.apache.org/bugzilla/show_bug.cgi?id=61179
> >> https://bz.apache.org/bugzilla/attachment.cgi?id=35048
> >
> > That's exactly the right place.
> >
> > At first glance, patch looks interesting, and I'm minded to
> > adopt (some version of) it for trunk. Though I think I'd
> > default it to 0 (off) rather than your 255. Any other views?
> >
> > --
> > Nick Kew

--
Donatas
Re: TTLimit directive
Hey Nick,

it must be 0, not 255. I updated it in patch attached

Sent from my iPhone

> On 13 Jun 2017, at 13:52, Nick Kew <n...@apache.org> wrote:
>
>> On Tue, 2017-06-13 at 11:41 +0300, Donatas Abraitis wrote:
>>
>> I would like to propose this patchset allowing to set maximum TTL value for
>> incoming requests. This is not a usual use case, but I'm interested (maybe
>> others too) to have this in place. The real use case would be like this one
>> http://blog.donatas.net/blog/2017/04/20/http-request-validation/.
>
> Thanks! I'm not sure I follow your exact scenario, but it
> looks like a modest enhancement at very low cost or risk!
>
>> TL;DR: if you want to deny requests bypassing proxy layer (in this case
>> Apache operates as a backend). Hence set TTLimit to 1 and Apache will be
>> able to handle requests coming almost from the local network, because
>> packets with TTL usually come from local networks.
>>
>> I don't know which place is the right place to put patches, but
>> original patch is here:
>> https://bz.apache.org/bugzilla/show_bug.cgi?id=61179
>> https://bz.apache.org/bugzilla/attachment.cgi?id=35048
>
> That's exactly the right place.
>
> At first glance, patch looks interesting, and I'm minded to
> adopt (some version of) it for trunk. Though I think I'd
> default it to 0 (off) rather than your 255. Any other views?
>
> --
> Nick Kew
TTLimit directive
Hi,

I would like to propose this patchset allowing to set maximum TTL value for incoming requests. This is not a usual use case, but I'm interested (maybe others too) to have this in place. The real use case would be like this one http://blog.donatas.net/blog/2017/04/20/http-request-validation/.

TL;DR: if you want to deny requests bypassing proxy layer (in this case Apache operates as a backend). Hence set TTLimit to 1 and Apache will be able to handle requests coming almost from the local network, because packets with TTL usually come from local networks.

I don't know which place is the right place to put patches, but original patch is here:
https://bz.apache.org/bugzilla/show_bug.cgi?id=61179
https://bz.apache.org/bugzilla/attachment.cgi?id=35048

--
Donatas
Re: HTTP_FORBIDDEN and sub-requests
By the way, how it can happen, that r->hostname is (null)?

On Fri, Apr 14, 2017 at 5:24 PM, Donatas Abraitis <donatas.abrai...@gmail.com> wrote:

> What would be the best way to iterate over sub-requests? For instance:
>
> while (r->prev) {
>     ...
>     r = r->prev;
> }
>
> On Fri, Apr 14, 2017 at 1:41 PM, Donatas Abraitis <donatas.abrai...@gmail.com> wrote:
>
>> What do you mean by `you just leave a "been here" breadcrumb.`?
>>
>> On Fri, Apr 14, 2017 at 1:31 PM, Nick Kew <n...@apache.org> wrote:
>>
>>> On Fri, 2017-04-14 at 12:55 +0300, Donatas Abraitis wrote:
>>> > Hi folks!
>>> >
>>> > I have a such code snippet:
>>> >
>>> > char *proxy_ts = (char *) apr_table_get(r->headers_in, conf->deny_header);
>>> > if (!proxy_ts)
>>> >     return HTTP_FORBIDDEN;
>>> > apr_table_unset(r->headers_in, conf->deny_header);
>>> >
>>> > This unsets the arbitrary header properly in application (phpinfo()), but
>>> > if the site is non-single page (with many images, css, js, etc.) it always
>>> > returns 403. It looks like there is some kind of sub-requests for those
>>> > resources.
>>> >
>>> > How do you solve such cases with requests?
>>>
>>> Well, I should start by figuring out where and why that's happening.
>>> On the server side, gdb works as fallback tool for that if you have
>>> no better ideas.
>>>
>>> If, once you've figured out, you're happy that it's not a symptom
>>> of some deeper bug, you just leave a "been here" breadcrumb.
>>>
>>> --
>>> Nick Kew
>>
>> --
>> Donatas
>
> --
> Donatas

--
Donatas
HTTP_FORBIDDEN and sub-requests
Hi folks!

I have a such code snippet:

    char *proxy_ts = (char *) apr_table_get(r->headers_in, conf->deny_header);
    if (!proxy_ts)
        return HTTP_FORBIDDEN;
    apr_table_unset(r->headers_in, conf->deny_header);

This unsets the arbitrary header properly in application (phpinfo()), but if the site is non-single page (with many images, css, js, etc.) it always returns 403. It looks like there is some kind of sub-requests for those resources.

How do you solve such cases with requests?

--
Donatas
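The "been here" breadcrumb suggested in the reply, sketched as an added example (not code from the thread or from httpd). It assumes, as the thread does, that the 403s come from sub-requests or internal redirects derived from a request that was already checked; struct req and all function names are hypothetical stand-ins for request_rec and a module hook.

```c
#include <stddef.h>
#include <stdio.h>

#define OK 0
#define HTTP_FORBIDDEN 403

/* Simplified stand-in for httpd's request_rec (assumption): a real module
 * reads r->headers_in and would keep the flag in r->notes. */
struct req {
    struct req *prev;        /* set on an internal redirect */
    struct req *main;        /* set on a sub-request */
    const char *deny_header; /* value of the proxy-added header, or NULL */
    int checked;             /* "been here" breadcrumb, server-side only */
};

/* The check from the post: a derived request no longer sees the header. */
static int naive_check(struct req *r)
{
    if (!r->deny_header)
        return HTTP_FORBIDDEN;
    r->deny_header = NULL;   /* hide the header from the application */
    return OK;
}

/* Validate once on the request the client sent; remember the verdict. */
static int breadcrumb_check(struct req *r)
{
    while (r->main || r->prev)           /* walk back to the original */
        r = r->main ? r->main : r->prev;
    if (r->checked)
        return OK;
    if (!r->deny_header)
        return HTTP_FORBIDDEN;
    r->deny_header = NULL;
    r->checked = 1;          /* never a header: a client could forge that */
    return OK;
}

/* Constructed scenario: client request, then a sub-request derived from it. */
static int derived_status(int (*check)(struct req *), const char *hdr)
{
    struct req first = { NULL, NULL, hdr, 0 };
    struct req sub = { NULL, &first, NULL, 0 };
    if (check(&first) != OK)
        return HTTP_FORBIDDEN;
    return check(&sub);
}

int main(void)
{
    printf("naive: %d\n", derived_status(naive_check, "constructed-value"));
    printf("breadcrumb: %d\n", derived_status(breadcrumb_check, "constructed-value"));
    return 0;
}
```

A request that arrives without the header is still rejected, because the breadcrumb is only ever set after the header check has passed on the original request.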
sequence of request
Hello guys,

is it possible to know the sequence of request is handled? I mean which module takes precedence? Because I need to debug why r->filename becomes not so as I expected.

Thank you!

--
Donatas
apache sql module with suexec
Hello,

I'm trying to write a module which would work with httpd.worker. It will per-request fetch row from mysql returning documentroot, servername, user, group. How can I setuid(), setgid()? I have fetched these user/group from DB using mod_dbd module and now want to set using suEXEC these user/group.

    apr_uid_t _uid;
    apr_gid_t _gid;

    /* IDs the current process is running as */
    apr_uid_current(&_uid, &_gid, r->pool);
    ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r, "apt_user/group: %ld/%ld", (long)_uid, (long)_gid);

    /* setuid() returns non-zero on failure */
    if (setuid(500)) {
        ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r, "apt_user: %ld", (long)getuid());
    }

Apache log gives:

    [Wed Nov 06 10:16:42 2013] [crit] [client X] user: ton
    [Wed Nov 06 10:16:42 2013] [crit] [client X] apt_user/group: 48/48
    [Wed Nov 06 10:16:42 2013] [crit] [client X] apt_user: 48
    [Wed Nov 06 10:16:42 2013] [crit] [client X] group: group-ton

--
Donatas