Re: hardening mod_write and mod_proxy like mod_jk with servletnormalize
On 11/06/2020 07:51, jean-frederic clere wrote:
> On 10/06/2020 11:53, Ruediger Pluem wrote:
>>
>>
>> On 6/9/20 12:05 PM, jean-frederic clere wrote:
>>> Hi,
>>>
>>> Basically it adds servletnormalizecheck to mod_proxy for
>>> ProxyPass/ProxyPassMatch and mod_rewrite when using P
>>> I have tested the following uses:
>>> #ProxyPass /docs ajp://localhost:8009/docs secret=%A1b2!@
>>> servletnormalizecheck
>>>
>>> #ProxyPassMatch "^/docs(.*)$" "ajp://localhost:8009/docs$1"
>>> secret=%A1b2!@ servletnormalizecheck
>>>
>>> #RewriteEngine On
>>> #RewriteRule "^/docs(.*)$" "ajp://localhost:8009/docs$1" [P,SNC]
>>> #
>>> #ProxySet connectiontimeout=5 timeout=30 secret=%A1b2!@
>>> #
>>>
>>> #
>>> # ProxyPass ajp://localhost:8009/docs secret=%A1b2!@
>>> servletnormalizecheck
>>> #
>>>
>>> What is not supported is
>>> curl -v --path-as-is
>>> "http://localhost:8000/docs/..;foo=bar/;foo=bar/test/index.jsp;
>>>
>>> that could be remapped to
>>> ProxyPass /test ajp://localhost:8009/test secret=%A1b2!@
>>> servletnormalizecheck
>>> or a
>>>
>>> Comments?
>>
>> I understood from Mark that the request you do above with curl should
>> not be denied but just mapped to /test.
>> But rethinking that, it becomes real fun: For mapping we should use
>> the URI stripped off path parameters and then having done the
>> shrinking operation (servlet normalized) but we should use the
>> original URI having done the shrinking operation with path
>> parameters to sent to the backend. That might work for a simple prefix
>> matching, but it seems to be very difficult for regular
>> expression scenarios where you might use complex captures from the
>> matching to build the result. But if the matching was done
>> against the servlet normalized URI the captures might be different,
>> than the ones you would have got when doing the same against
>> not normalized URI. So I am little bit lost here.

I can see how this gets complicated for regular expression scenarios.

Since the servlet specification doesn't have the concept of regular expression mapping, I don't think the rationale for servletnormalize applies in that case. There is no expectation of how the mapping will occur from a servlet perspective so the httpd behaviour cannot be unexpected. Coming from a servlet perspective I have no view on what the 'correct' behaviour is in this case. I'll happily support whatever the httpd community thinks is best.

>> What if we just have an option on virtual host base to drop path
>> parameters of the following kind
>>
>> s#/([.]{0,2})(;[^/]*)/#/$1/g
>>
>> do the usual shrinking operation afterwards and just process them
>> afterwards as usual.
>
> I think it makes sense to have it there but separated from the
> servletnormalizecheck because that changes the whole mapping
> So I will add something like MergeSlashes which will map
> http://localhost:8000/docs/..;foo=bar/;foo=bar/test/index.jsp
> to /test
> And arrange the proxy so that /docs/..;foo=bar/;foo=bar/test/index.jsp
> is sent to the back-end.

That sounds good to me. That is the expected mapping from a servlet perspective.

Thanks for all your efforts on this.

Mark
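The prefix mapping discussed in this thread, worked through as an added example (not code from httpd, Tomcat or anyone in the thread): path parameters are dropped from empty, "." and ".." segments, the result is shrunk, the prefix is chosen from that normalized path, and the original path is what gets forwarded. The function names and the prefix list are assumptions made for the illustration.

```python
import re

# The substitution quoted in the thread is s#/([.]{0,2})(;[^/]*)/#/$1/g.
# Here the closing slash is a lookahead instead: a plain global pass
# consumes that slash, so a parameter on the very next segment
# ("/..;a=b/;c=d/") would be left in place.
DOT_SEGMENT_PARAMS = re.compile(r"/([.]{0,2});[^/]*(?=/)")


def drop_dot_segment_params(path):
    """Strip ';params' from segments that are empty, '.' or '..'."""
    return DOT_SEGMENT_PARAMS.sub(r"/\1", path)


def shrink(path):
    """Resolve '.', '..' and empty segments without climbing above '/'."""
    kept = []
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if kept:
                kept.pop()
            continue
        kept.append(segment)
    return "/" + "/".join(kept)


def route(raw_path, prefixes):
    """Pick the prefix from the normalized path; forward the raw path."""
    mapped = shrink(drop_dot_segment_params(raw_path))
    for prefix in sorted(prefixes, key=len, reverse=True):
        if mapped == prefix or mapped.startswith(prefix + "/"):
            return prefix, raw_path
    return None


# Constructed sample: the request path from the thread and two prefixes.
RAW = "/docs/..;foo=bar/;foo=bar/test/index.jsp"
if __name__ == "__main__":
    print(drop_dot_segment_params(RAW))
    print(shrink(drop_dot_segment_params(RAW)))
    print(route(RAW, ["/docs", "/test"]))
```

A path parameter on an ordinary segment, such as `index.jsp;jsessionid=...`, is outside the pattern and is left alone, so it still reaches the back-end unchanged.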
Re: http workshop
On 14/02/2019 19:52, William A Rowe Jr wrote:
> On Mon, Jan 28, 2019 at 9:22 AM Stefan Eissing
> wrote:
>> The HTTP WS organisers expressed the wish to have someone from "Apache"
>> present. Anyone interested? Could also be someone from another HTTP related
>> Apache project, of course.

It appears that the deadline to submit a statement of interest in attending was a month ago. Has it been extended?

Mark
Re: Fwd: [Bug 53579] httpd looping writing on a pipe and unresponsive (httpd )
Hi all,

Your project's Bugzilla database suffered some minor abuse earlier today when a new user - ithanr...@gmail.com - started removing entries from CC lists and replacing them with just themselves.

This is just a quick note to let you know that:
- The idiot concerned has had their account disabled.
- They have been removed from any CC list they added themselves to
- Any CC list they edited has been restored to its original value.

The corrective action has all been performed directly in the database partly because it was a lot easier than going via the UI and partly so your lists aren't spammed as each of the CC's was restored.

Mark

On 06/01/2019 15:23, Mark Thomas wrote:
> On 06/01/2019 13:28, Eric Covener wrote:
>> Some kind of weird abusive behavior this morning from
>> ithanr...@gmail.com hitting many bugs.
>
> Seen it on Tomcat as well. I'm on it.
>
> Mark
>
>
>>
>> -- Forwarded message -
>> From:
>> Date: Sun, Jan 6, 2019 at 8:24 AM
>> Subject: [Bug 53579] httpd looping writing on a pipe and unresponsive
>> (httpd )
>> To:
>>
>>
>> https://bz.apache.org/bugzilla/show_bug.cgi?id=53579
>>
>> ithan changed:
>>
>>What|Removed |Added
>>
>> CC|ar...@maven.pl, |ithanr...@gmail.com
>>|loic.etienne@tech.swisssign |
>>|.com, mahud...@gmail.com, |
>>|mark_a_ev...@dell.com, |
>>|santhoshmukka...@gmail.com, |
>>|stix...@gmail.com, |
>>|szg0...@freemail.hu |
>>
>> --
>> You are receiving this mail because:
>> You are the assignee for the bug.
>> -
>> To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org
>> For additional commands, e-mail: bugs-h...@httpd.apache.org
>>
>>
>>
>
Re: reverse proxy wishlist
On 2015-12-03 14:59, Jim Jagielski wrote:
> I put out a call on Twitter regarding this, but wanted to
> close the loop here as well.
>
> What would *you* like to see as new features or enhancements
> w/ mod_proxy, esp reverse proxy. I was thinking about some
> sort of active backend monitoring, utilizing watchdog, which
> could also maybe, eventually, pull in performance and load
> data for the backend for a more accurate LB provider. But
> what about new LB methods? Any ideas there?
>
> tia.

With my Tomcat hat on:

- HTTP/2 support for mod_proxy_http
- HTTP upgrade support for mod_proxy_ajp (we'll need to do work on the Tomcat side as well)
- Improved WebSocket support in mod_proxy_wstunnel [1].

I'm happy to help out on the Tomcat side of things where required.

Mark

[1] The mod_wstunnel assumes (at least it did the last time I looked at it) that all requests under a given URL space will be WebSocket requests. That doesn't seem to be the way many apps are being implemented. It would be great if mod_proxy would allow both mod_proxy_[ajp|http] and mod_proxy_wstunnel to be mapped to the same URL space with the 'right' one being selected based on the request.

--
Sent via Pony Mail for dev@httpd.apache.org. View this email online at: https://pony-poc.apache.org/list.html?dev@httpd.apache.org
Re: New Module - Needs approving
On 11/08/2011 10:55, Mads Toftum wrote:
> On Thu, Aug 11, 2011 at 10:51:27AM +0100, Mark Thomas wrote:
>> So, who in the httpd community is going to take on the task of approving
>> new modules?
>
> I can do that although it'd probably be good to have one more on board.

You'll need access to modules.zones.apache.org to do this. I see infra already has your public key. I'll set you up with access shortly.

Mark
Re: New Module - Needs approving
On 11/08/2011 11:01, Mark Thomas wrote:
> On 11/08/2011 10:55, Mads Toftum wrote:
>> On Thu, Aug 11, 2011 at 10:51:27AM +0100, Mark Thomas wrote:
>>> So, who in the httpd community is going to take on the task of approving
>>> new modules?
>>
>> I can do that although it'd probably be good to have one more on board.
>
> You'll need access to modules.zones.apache.org to do this. I see infra
> already has your public key. I'll set you up with access shortly.

Oops, wrong host name. Hey ho. Instructions (with the correct hostname) sent off-list.

Mark
Fwd: Change to Module DB
Note: Manually edited to mask e-mail addresses.

Original Message
Subject: Change to Module DB
Date: Fri, 15 Jul 2011 07:57:04 + (UTC)
From: Apache Module Site modules-dev@httpd.apache.org
Reply-To: modules-dev@httpd.apache.org
To: modules-dev@httpd.apache.org

Modified by author

UPDATE module SET title='mod_fortune', version='0.1', descr='Apache module for the famous linux game fortune.', author='Soojin Nam', authoremail='***removed***', maintainer='Soojin Nam', maintemail='***removed***', url='http://people.ktug.or.kr/~sjnam/mod_fortune.html', requires='n/a', copypolicy='n/a', keywords='n/a', modified='1310716624', apacheversion='' where entry = 2585