Re: TTLimit directive

2017-06-22 Thread Donatas Abraitis
Hey Nick,

Is anything else missing from me regarding this patch?

On Tue, Jun 13, 2017 at 2:20 PM, Donatas Abraitis <
donatas.abrai...@gmail.com> wrote:

> Hey Nick,
>
> It must be 0, not 255. I updated it in the patch attached.
>
> Sent from my iPhone
>
> > On 13 Jun 2017, at 13:52, Nick Kew <n...@apache.org> wrote:
> >
> >> On Tue, 2017-06-13 at 11:41 +0300, Donatas Abraitis wrote:
> >>
> >> I would like to propose this patchset, allowing to set a maximum TTL value
> >> for incoming requests. This is not a usual use case, but I'm interested
> >> (maybe others too) to have this in place. The real use case would be like
> >> this one http://blog.donatas.net/blog/2017/04/20/http-request-validation/.
> >
> > Thanks!  I'm not sure I follow your exact scenario, but it
> > looks like a modest enhancement at very low cost or risk!
> >
> >> TL;DR: if you want to deny requests bypassing the proxy layer (in this case
> >> Apache operates as a backend). Hence set TTLimit to 1 and Apache will be
> >> able to handle requests coming almost from the local network, because
> >> packets with TTL usually come from local networks.
> >>
> >>
> >> I don't know which place is the right place to put patches, but the
> >> original patch is here:
> >> https://bz.apache.org/bugzilla/show_bug.cgi?id=61179
> >> https://bz.apache.org/bugzilla/attachment.cgi?id=35048
> >
> > That's exactly the right place.
> >
> > At first glance, patch looks interesting, and I'm minded to
> > adopt (some version of) it for trunk.  Though I think I'd
> > default it to 0 (off) rather than your 255.  Any other views?
> >
> > --
> > Nick Kew
> >
> >
>



-- 
Donatas


Re: TTLimit directive

2017-06-13 Thread Donatas Abraitis
Hey Nick,

It must be 0, not 255. I updated it in the patch attached.

Sent from my iPhone

> On 13 Jun 2017, at 13:52, Nick Kew <n...@apache.org> wrote:
> 
>> On Tue, 2017-06-13 at 11:41 +0300, Donatas Abraitis wrote:
>> 
>> I would like to propose this patchset, allowing to set a maximum TTL value for
>> incoming requests. This is not a usual use case, but I'm interested (maybe
>> others too) to have this in place. The real use case would be like this one
>> http://blog.donatas.net/blog/2017/04/20/http-request-validation/.
> 
> Thanks!  I'm not sure I follow your exact scenario, but it
> looks like a modest enhancement at very low cost or risk!
> 
>> TL;DR: if you want to deny requests bypassing the proxy layer (in this case
>> Apache operates as a backend). Hence set TTLimit to 1 and Apache will be
>> able to handle requests coming almost from the local network, because
>> packets with TTL usually come from local networks.
>>
>>
>> I don't know which place is the right place to put patches, but the
>> original patch is here:
>> https://bz.apache.org/bugzilla/show_bug.cgi?id=61179
>> https://bz.apache.org/bugzilla/attachment.cgi?id=35048
> 
> That's exactly the right place.
> 
> At first glance, patch looks interesting, and I'm minded to
> adopt (some version of) it for trunk.  Though I think I'd
> default it to 0 (off) rather than your 255.  Any other views?
> 
> -- 
> Nick Kew
> 
> 


TTLimit directive

2017-06-13 Thread Donatas Abraitis
Hi,

I would like to propose this patchset, allowing to set a maximum TTL
value for incoming requests. This is not a usual use case, but I'm
interested (maybe others too) to have this in place. The real use case
would be like this one
http://blog.donatas.net/blog/2017/04/20/http-request-validation/.

TL;DR: if you want to deny requests bypassing the proxy layer (in this
case Apache operates as a backend). Hence set TTLimit to 1 and Apache
will be able to handle requests coming almost from the local network,
because packets with TTL usually come from local networks.

I don't know which place is the right place to put patches, but the original
patch is here: https://bz.apache.org/bugzilla/show_bug.cgi?id=61179
https://bz.apache.org/bugzilla/attachment.cgi?id=35048

-- 
Donatas
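Added example, not part of the patch, of httpd or of the blog post linked above: the backend-side check the TTLimit proposal describes, done with plain sockets so it can be tried over loopback. The function names (ttl_permitted, received_ttl, probe) are mine. It assumes, as the message implies, that the proxy lowers the TTL on its backend connections (here the client sets IP_TTL itself), and it relies on a Linux-specific behaviour, marked as an assumption in the code, that the TTL of the client's handshake packet can be read back from an accepted TCP socket through IP_MULTICAST_TTL; nothing here claims this is how the patch obtains the TTL inside httpd. A limit of 0 disables the check, matching the default agreed in the thread.

```python
import socket
import threading

HTTP_OK = 200
HTTP_FORBIDDEN = 403


def ttl_permitted(received: int, ttl_limit: int) -> bool:
    """TTLimit semantics as settled in the thread: 0 turns the check off;
    otherwise a request is allowed only if its packets arrived with a TTL
    no higher than the limit. With TTLimit 1 only a sender that is one hop
    away and deliberately emits TTL 1 gets through (assumption: the proxy
    does exactly that on its backend connections)."""
    if ttl_limit <= 0:
        return True
    return received <= ttl_limit


def received_ttl(conn: socket.socket) -> int:
    """TTL the peer's handshake packet arrived with.

    Assumption, Linux-specific and not portable: the kernel copies the IP TTL
    of the client's handshake packet into the accepted socket's multicast-TTL
    field, so IP_MULTICAST_TTL reads back the received hop count. IP_TTL would
    only return our own outgoing TTL, which is useless for this check."""
    return conn.getsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL)


def _backend_once(listener: socket.socket, ttl_limit: int, seen: list) -> None:
    """Accept one connection, apply the limit, answer minimally, record result."""
    conn, _peer = listener.accept()
    with conn:
        conn.settimeout(5)
        conn.recv(4096)  # request bytes; irrelevant to the TTL decision
        ttl = received_ttl(conn)
        status = HTTP_OK if ttl_permitted(ttl, ttl_limit) else HTTP_FORBIDDEN
        reason = "OK" if status == HTTP_OK else "Forbidden"
        conn.sendall(f"HTTP/1.0 {status} {reason}\r\nContent-Length: 0\r\n\r\n".encode())
        seen.append((ttl, status))


def probe(client_ttl: int, ttl_limit: int) -> tuple:
    """Start a one-shot backend with the given TTLimit on 127.0.0.1 and connect
    to it with the given outgoing TTL, as a TTL-lowering proxy would. Loopback
    does not decrement TTL, so the backend sees exactly client_ttl.
    Returns (TTL observed by the backend, HTTP status it answered with)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.settimeout(5)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    seen: list = []
    backend = threading.Thread(target=_backend_once, args=(listener, ttl_limit, seen))
    backend.start()
    try:
        client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        with client:
            client.settimeout(5)
            # Proxy-side half of the scheme: lower our own TTL before connecting
            client.setsockopt(socket.IPPROTO_IP, socket.IP_TTL, client_ttl)
            client.connect(listener.getsockname())
            client.sendall(b"GET / HTTP/1.0\r\nHost: backend\r\n\r\n")
            reply = client.recv(4096)
    finally:
        backend.join(5)
        listener.close()
    wire_status = int(reply.split(b" ")[1])
    ttl_seen, status = seen[0]
    if status != wire_status:
        raise RuntimeError("backend decision and wire status disagree")
    return ttl_seen, status


if __name__ == "__main__":
    for ttl, limit in ((1, 1), (64, 1), (64, 0)):
        print(f"client TTL {ttl:>3}, TTLimit {limit}: backend saw {probe(ttl, limit)}")
```

Run it on a Linux host: a client that sets TTL 1 passes a TTLimit of 1, a client with the stock TTL 64 is refused, and TTLimit 0 lets everything through. The caveat that applies to the real patch as much as to this sketch: the check is only as good as the network keeping TTL-1 packets from anything other than the proxy, so a host on the same L2 segment as the backend is not stopped by it.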


Re: HTTP_FORBIDDEN and sub-requests

2017-04-15 Thread Donatas Abraitis
By the way, how can it happen that r->hostname is (null)?

On Fri, Apr 14, 2017 at 5:24 PM, Donatas Abraitis <
donatas.abrai...@gmail.com> wrote:

> What would be the best way to iterate over sub-requests? For instance:
>
> while (r->prev) {
>     ...
>     r = r->prev;
> }
>
> On Fri, Apr 14, 2017 at 1:41 PM, Donatas Abraitis <
> donatas.abrai...@gmail.com> wrote:
>
>> What do you mean by `you just leave a "been here" breadcrumb.`?
>>
>> On Fri, Apr 14, 2017 at 1:31 PM, Nick Kew <n...@apache.org> wrote:
>>
>>> On Fri, 2017-04-14 at 12:55 +0300, Donatas Abraitis wrote:
>>> > Hi folks!
>>> >
> >>> > I have such a code snippet:
> >>> >
> >>> > const char *proxy_ts = apr_table_get(r->headers_in, conf->deny_header);
> >>> > if (!proxy_ts)
> >>> >     return HTTP_FORBIDDEN;
> >>> > apr_table_unset(r->headers_in, conf->deny_header);
>>> >
> >>> > This unsets the arbitrary header properly in the application (phpinfo()),
> >>> > but if the site is non-single page (with many images, css, js, etc.) it
> >>> > always returns 403. It looks like there is some kind of sub-request for
> >>> > those resources.
>>> >
>>> > How do you solve such cases with requests?
>>>
>>> Well, I should start by figuring out where and why that's happening.
>>> On the server side, gdb works as fallback tool for that if you have
>>> no better ideas.
>>>
>>> If, once you've figured out, you're happy that it's not a symptom
>>> of some deeper bug, you just leave a "been here" breadcrumb.
>>>
>>> --
>>> Nick Kew
>>>
>>>
>>
>>
>> --
>> Donatas
>>
>
>
>
> --
> Donatas
>



-- 
Donatas


HTTP_FORBIDDEN and sub-requests

2017-04-14 Thread Donatas Abraitis
Hi folks!

I have such a code snippet:

/* apr_table_get() returns const char *; no cast needed */
const char *proxy_ts = apr_table_get(r->headers_in, conf->deny_header);
if (!proxy_ts)
    return HTTP_FORBIDDEN;
/* strip the header so the application never sees it */
apr_table_unset(r->headers_in, conf->deny_header);

This unsets the arbitrary header properly in the application (phpinfo()), but
if the site is non-single page (with many images, css, js, etc.) it always
returns 403. It looks like there is some kind of sub-request for those
resources.

How do you solve such cases with requests?

-- 
Donatas


sequence of request

2014-07-23 Thread Donatas Abraitis
Hello guys,

is it possible to know the sequence in which a request is handled? I mean,
which module takes precedence? I need to debug why r->filename does not
become what I expected.

Thank you!

-- 
Donatas


apache sql module with suexec

2013-11-06 Thread Donatas Abraitis
Hello,

I'm trying to write a module which would work with httpd.worker. It will,
per request, fetch a row from MySQL returning documentroot, servername, user and
group.
group.

How can I setuid(), setgid()?

I have fetched this user/group from the DB using the mod_dbd module and now want
to set this user/group using suEXEC.

   apr_uid_t _uid;
   apr_gid_t _gid;
   /* uid/gid this worker process is currently running as */
   apr_uid_current(&_uid, &_gid, r->pool);
   ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r, "apt_user/group: %d/%d",
                 _uid, _gid);

   /* setuid() returns non-zero on failure; log the uid we are still running as */
   if (setuid(500)) {
       ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r, "apt_user: %d", getuid());
   }

Apache log gives:

[Wed Nov 06 10:16:42 2013] [crit] [client X] user: ton
[Wed Nov 06 10:16:42 2013] [crit] [client X] apt_user/group: 48/48
[Wed Nov 06 10:16:42 2013] [crit] [client X] apt_user: 48
[Wed Nov 06 10:16:42 2013] [crit] [client X] group: group-ton

-- 
Donatas