Re: hardening mod_write and mod_proxy like mod_jk with servletnormalize

2020-06-11 Thread Mark Thomas
On 11/06/2020 07:51, jean-frederic clere wrote:
> On 10/06/2020 11:53, Ruediger Pluem wrote:
>>
>>
>> On 6/9/20 12:05 PM, jean-frederic clere wrote:
>>> Hi,
>>>
>>> Basically it adds servletnormalizecheck to mod_proxy for
>>> ProxyPass/ProxyPassMatch and mod_rewrite when using P
>>> I have tested the following uses:
>>> #ProxyPass  /docs ajp://localhost:8009/docs secret=%A1b2!@
>>> servletnormalizecheck
>>>
>>> #ProxyPassMatch  "^/docs(.*)$" "ajp://localhost:8009/docs$1"
>>> secret=%A1b2!@ servletnormalizecheck
>>>
>>> #RewriteEngine On
>>> #RewriteRule "^/docs(.*)$" "ajp://localhost:8009/docs$1" [P,SNC]
>>> #
>>> #ProxySet connectiontimeout=5 timeout=30 secret=%A1b2!@
>>> #
>>>
>>> #
>>> #  ProxyPass  ajp://localhost:8009/docs secret=%A1b2!@
>>> servletnormalizecheck
>>> #
>>>
>>> What is not supported is
>>> curl -v --path-as-is
>>> "http://localhost:8000/docs/..;foo=bar/;foo=bar/test/index.jsp;
>>>
>>> that could be remapped to
>>> ProxyPass  /test ajp://localhost:8009/test secret=%A1b2!@
>>> servletnormalizecheck
>>> or a 
>>>
>>> Comments?
>>
>> I understood from Mark that the request you do above with curl should
>> not be denied but just mapped to /test.
>> But rethinking that, it becomes real fun: For mapping we should use
>> the URI stripped off path parameters and then having done the
>> shrinking operation (servlet normalized) but we should use the
>> original URI having done the shrinking operation with path
>> parameters to send to the backend. That might work for a simple prefix
>> matching, but it seems to be very difficult for regular
>> expression scenarios where you might use complex captures from the
>> matching to build the result. But if the matching was done
>> against the servlet normalized URI the captures might be different,
>> than the ones you would have got when doing the same against
>> not normalized URI. So I am a little bit lost here.

I can see how this gets complicated for regular expression scenarios.

Since the servlet specification doesn't have the concept of regular
expression mapping, I don't think the rationale for servletnormalize
applies in that case. There is no expectation of how the mapping will
occur from a servlet perspective so the httpd behaviour cannot be
unexpected.

Coming from a servlet perspective I have no view on what the 'correct'
behaviour is in this case. I'll happily support whatever the httpd
community thinks is best.

>> What if we just have an option on virtual host base to drop path
>> parameters of the following kind
>>
>> s#/([.]{0,2})(;[^/]*)/#/$1/g
>>
>> do the usual shrinking operation afterwards and just process them
>> afterwards as usual.
> 
> I think it makes sense to have it there but separated from the
> servletnormalizecheck because that changes the whole mapping.
> So I will add something like MergeSlashes which will map
> http://localhost:8000/docs/..;foo=bar/;foo=bar/test/index.jsp
> to /test
> And arrange the proxy so that /docs/..;foo=bar/;foo=bar/test/index.jsp
> is sent to the back-end.

That sounds good to me. That is the expected mapping from a servlet
perspective.

Thanks for all your efforts on this.

Mark
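
The mapping agreed in the message above, as an added example (not code from httpd, Tomcat or anyone in the thread): the prefix is chosen from the path with path parameters dropped and dot segments resolved, while the raw path is what gets forwarded. The function names are hypothetical, and parameters are stripped from every segment, which is broader than the regex quoted in the thread.

```python
# Added example: servlet-style normalization used only to choose the mapping.
MAPPINGS = {  # prefix -> backend, taken from the ProxyPass lines in the thread
    "/docs": "ajp://localhost:8009/docs",
    "/test": "ajp://localhost:8009/test",
}
RAW = "/docs/..;foo=bar/;foo=bar/test/index.jsp"  # path from the curl example


def strip_path_params(path):
    """Drop the ';name=value' part of every segment, keeping the slashes."""
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def shrink(path):
    """Resolve '.' and '..' and merge empty segments; refuse to leave the root."""
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not out:
                raise ValueError("path climbs above the root")
            out.pop()
        else:
            out.append(seg)
    return "/" + "/".join(out)


def match_prefix(path, mappings):
    """Longest mapping prefix that matches on a segment boundary, or None."""
    for prefix in sorted(mappings, key=len, reverse=True):
        if path == prefix or path.startswith(prefix + "/"):
            return prefix
    return None


def route(raw_path, mappings):
    """Map on the normalized path, but forward the raw path unchanged."""
    normalized = shrink(strip_path_params(raw_path))
    prefix = match_prefix(normalized, mappings)
    raw_prefix = match_prefix(raw_path, mappings)
    return {
        "raw_prefix": raw_prefix,       # what matching the raw path would pick
        "servlet_prefix": prefix,       # mapping expected from a servlet view
        "backend": mappings.get(prefix),
        "sent_path": raw_path,          # path parameters survive to the backend
        "mismatch": raw_prefix != prefix,
    }
```

A `mismatch` of true marks a request where the proxy and the servlet container would disagree about which mapping applies.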


Re: http workshop

2019-02-14 Thread Mark Thomas
On 14/02/2019 19:52, William A Rowe Jr wrote:
> On Mon, Jan 28, 2019 at 9:22 AM Stefan Eissing 
> wrote:



>> The HTTP WS organisers expressed the wish to have someone from "Apache"
>> present. Anyone interested? Could also be someone from another HTTP related
>> Apache project, of course.

It appears that the deadline to submit a statement of interest in
attending was a month ago.

Has it been extended?

Mark


Re: Fwd: [Bug 53579] httpd looping writing on a pipe and unresponsive (httpd )

2019-01-06 Thread Mark Thomas
Hi all,

Your project's Bugzilla database suffered some minor abuse earlier today
when a new user - ithanr...@gmail.com - started removing entries from CC
lists and replacing them with just themselves.

This is just a quick note to let you know that:

- The idiot concerned has had their account disabled.
- They have been removed from any CC list they added themselves to
- Any CC list they edited has been restored to its original value.

The corrective action has all been performed directly in the database
partly because it was a lot easier than going via the UI and partly so
your lists aren't spammed as each of the CC's was restored.

Mark


On 06/01/2019 15:23, Mark Thomas wrote:
> On 06/01/2019 13:28, Eric Covener wrote:
>> Some kind of weird abusive behavior this morning from
>> ithanr...@gmail.com hitting many bugs.
> 
> Seen it on Tomcat as well. I'm on it.
> 
> Mark
> 
> 
>>
>> -- Forwarded message -
>> From: 
>> Date: Sun, Jan 6, 2019 at 8:24 AM
>> Subject: [Bug 53579] httpd looping writing on a pipe and unresponsive
>> (httpd )
>> To: 
>>
>>
>> https://bz.apache.org/bugzilla/show_bug.cgi?id=53579
>>
>> ithan  changed:
>>
>> What|Removed                     |Added
>> ----|----------------------------|-------------------
>>   CC|ar...@maven.pl,             |ithanr...@gmail.com
>>     |loic.etienne@tech.swisssign |
>>     |.com, mahud...@gmail.com,   |
>>     |mark_a_ev...@dell.com,      |
>>     |santhoshmukka...@gmail.com, |
>>     |stix...@gmail.com,          |
>>     |szg0...@freemail.hu         |
>>
> 



Re: reverse proxy wishlist

2015-12-03 Thread Mark Thomas


On 2015-12-03 14:59, Jim Jagielski  wrote: 
> I put out a call on Twitter regarding this, but wanted to
> close the loop here as well.
> 
> What would *you* like to see as new features or enhancements
> w/ mod_proxy, esp reverse proxy. I was thinking about some
> sort of active backend monitoring, utilizing watchdog, which
> could also maybe, eventually, pull in performance and load
> data for the backend for a more accurate LB provider. But
> what about new LB methods? Any ideas there?
> 
> tia.

With my Tomcat hat on:

HTTP/2 support for mod_proxy_http
HTTP upgrade support for mod_proxy_ajp (we'll need to do work on the Tomcat 
side as well)
Improved WebSocket support in mod_proxy_wstunnel [1].

I'm happy to help out on the Tomcat side of things where required.

Mark

[1] The mod_wstunnel assumes (at least it did the last time I looked at it) 
that all requests under a given URL space will be WebSocket requests. That 
doesn't seem to be the way many apps are being implemented. It would be great 
if mod_proxy would allow both mod_proxy_[ajp|http] and mod_proxy_wstunnel to be 
mapped to the same URL space with the 'right' one being selected based on the 
request.


Re: New Module - Needs approving

2011-08-11 Thread Mark Thomas
On 11/08/2011 10:55, Mads Toftum wrote:
> On Thu, Aug 11, 2011 at 10:51:27AM +0100, Mark Thomas wrote:
>> So, who in the httpd community is going to take on the task of approving
>> new modules?
>
> I can do that although it'd probably be good to have one more on board.

You'll need access to modules.zones.apache.org to do this. I see infra
already has your public key. I'll set you up with access shortly.

Mark


Re: New Module - Needs approving

2011-08-11 Thread Mark Thomas
On 11/08/2011 11:01, Mark Thomas wrote:
> On 11/08/2011 10:55, Mads Toftum wrote:
>> On Thu, Aug 11, 2011 at 10:51:27AM +0100, Mark Thomas wrote:
>>> So, who in the httpd community is going to take on the task of approving
>>> new modules?
>>
>> I can do that although it'd probably be good to have one more on board.
>
> You'll need access to modules.zones.apache.org to do this. I see infra
> already has your public key. I'll set you up with access shortly.

Oops, wrong host name. Hey ho.

Instructions (with the correct hostname) sent off-list.

Mark


Fwd: Change to Module DB

2011-07-15 Thread Mark Thomas
Note: Manually edited to mask e-mail addresses.

-------- Original Message --------
Subject: Change to Module DB
Date: Fri, 15 Jul 2011 07:57:04 + (UTC)
From: Apache Module Site modules-dev@httpd.apache.org
Reply-To: modules-dev@httpd.apache.org
To: modules-dev@httpd.apache.org

Modified by author

UPDATE module SET
title='mod_fortune',
version='0.1',
descr='Apache module for the famous linux game fortune.',
author='Soojin Nam',
authoremail='***removed***',
maintainer='Soojin Nam',
maintemail='***removed***',
url='http://people.ktug.or.kr/~sjnam/mod_fortune.html',
requires='n/a',
copypolicy='n/a',
keywords='n/a',
modified='1310716624',
apacheversion=''
where entry = 2585