Re: Question about RemoteIPInternalProxyList (PR 62220)

2018-05-30 Thread Martynas Bendorius
I've tested the patch, it works great!

--
Best regards,
Martynas Bendorius


> On 31 May 2018, at 01:02, Yann Ylavic  wrote:
> 
> Hi Christophe,
> 
> responding here rather than in your latest "Bug 62220" thread because
> it relates to your below debugging.
> 
> On Fri, Apr 6, 2018 at 9:56 PM, Marion et Christophe JAILLET
>  wrote:
>> 
>> On 06/04/2018 at 20:23, Eric Covener wrote:
>>> 
>>> is it broken w/o vhosts? I am not sure cmd->server is right for
>>> EXEC_ON_READ?  Maybe something in this neighborhood?
>> 
>> at least the 'config' used in 'proxies_set()' is not the same when parsing
>> RemoteIPInternalProxyList  and RemoteIPInternalProxy directives.
>> And yes, according to my test, it seems to work without vhosts.
> 
> I tried to comment/disable remoteip_hook_pre_config() and got the same
> server config for both directives.
> Does it work better with the attached patch (not sure about the real
> test to be done)?
> 
> Regards,
> Yann.
> 



ATS: [VOTE] Release APR 1.5.2

2015-04-25 Thread Martynas Bendorius
Si

Best regards,
Martynas Bendorius

 Jeff Trawick wrote:

 Tarballs/zipfiles are at http://apr.apache.org/dev/dist/
 
 Shortcut to CHANGES:
 http://apr.apache.org/dev/dist/CHANGES-APR-1.5.2
 
 autoconf version: 2.69 (same as apr 1.5.1)
 libtool version: 2.4.2 (same as apr 1.5.1)
 
 +/-1
 [  ] Release APR 1.5.2 as GA
 
 I'll hold the vote open for 72 hours unless something out of the ordinary 
 occurs.
 
 Thanks in advance for testing!

ATS: [VOTE] Release APR 1.5.2

2015-04-25 Thread Martynas Bendorius
Rarr

Best regards,
Martynas Bendorius

 Jeff Trawick wrote:

Tarballs/zipfiles are at http://apr.apache.org/dev/dist/

Shortcut to CHANGES:
http://apr.apache.org/dev/dist/CHANGES-APR-1.5.2

autoconf version: 2.69 (same as apr 1.5.1)
libtool version: 2.4.2 (same as apr 1.5.1)

+/-1
[  ] Release APR 1.5.2 as GA

I'll hold the vote open for 72 hours unless something out of the ordinary 
occurs.

Thanks in advance for testing!



ATS: [VOTE] Release APR 1.5.2

2015-04-25 Thread Martynas Bendorius
:$ :-SS ,bbbhjb 098!('':- c 

Best regards,
Martynas Bendorius

 Jeff Trawick wrote:

Tarballs/zipfiles are at http://apr.apache.org/dev/dist/

Shortcut to CHANGES:
http://apr.apache.org/dev/dist/CHANGES-APR-1.5.2

autoconf version: 2.69 (same as apr 1.5.1)
libtool version: 2.4.2 (same as apr 1.5.1)

+/-1
[  ] Release APR 1.5.2 as GA

I'll hold the vote open for 72 hours unless something out of the ordinary 
occurs.

Thanks in advance for testing!



ATS: [VOTE] Release APR 1.5.2

2015-04-25 Thread Martynas Bendorius
Ef

Best regards,Na:- 
Martynas Bendorius

 Jeff Trawick wrote:

 Tarballs/zipfiles are at http://apr.apache.org/dev/dist/
 
 Shortcut to CHANGES:
 http://apr.apache.org/dev/dist/CHANGES-APR-1.5.2
 
 autoconf version: 2.69 (same as apr 1.5.1)
 libtool version: 2.4.2 (same as apr 1.5.1)
 
 +/-1
 [  ] Release APR 1.5.2 as GA
 
 I'll hold the vote open for 72 hours unless something out of the ordinary 
 occurs.
 
 Thanks in advance for testing!

Re: ATS: [VOTE] Release APR 1.5.2

2015-04-25 Thread Martynas Bendorius
I'm very sorry, that was sent from my phone, which was in my pocket... 
Turning the auto-unlock feature off right now.


Thank you.

Best regards,
Martynas Bendorius

On 4/25/15 4:22 PM, Martynas Bendorius wrote:

Rarr

Best regards,
Martynas Bendorius








 Jeff Trawick wrote:



Tarballs/zipfiles are at http://apr.apache.org/dev/dist/

Shortcut to CHANGES:
http://apr.apache.org/dev/dist/CHANGES-APR-1.5.2

autoconf version: 2.69 (same as apr 1.5.1)
libtool version: 2.4.2 (same as apr 1.5.1)

+/-1
[  ] Release APR 1.5.2 as GA

I'll hold the vote open for 72 hours unless something out of the
ordinary occurs.

Thanks in advance for testing!







ATS: [VOTE] Release APR 1.5.2

2015-04-25 Thread Martynas Bendorius


Best regards,
Martynas Bendorius

 Jeff Trawick wrote:

Tarballs/zipfiles are at http://apr.apache.org/dev/dist/

Shortcut to CHANGES:
http://apr.apache.org/dev/dist/CHANGES-APR-1.5.2

autoconf version: 2.69 (same as apr 1.5.1)
libtool version: 2.4.2 (same as apr 1.5.1)

+/-1
[  ] Release APR 1.5.2 as GA

I'll hold the vote open for 72 hours unless something out of the ordinary 
occurs.

Thanks in advance for testing!



Re: Time for 2.4.11

2015-01-09 Thread Martynas Bendorius

And what about https://issues.apache.org/bugzilla/show_bug.cgi?id=37564 ? :)

Best regards,
Martynas Bendorius

On 1/9/15 4:45 PM, Eric Covener wrote:

On Fri, Jan 9, 2015 at 9:41 AM, Jacob Perkins jacob.perk...@cpanel.net wrote:

Any chance we could get this back ported into 2.4 for the 2.4.11 release?

https://issues.apache.org/bugzilla/show_bug.cgi?id=55910

This is causing us some headaches with our mod_security rollouts.



This one is proposed but needs two more votes.



Systemd support in 2.4

2014-09-14 Thread Martynas Bendorius

Hello,

Is there any special reason why mod_systemd and mod_journald (available 
in trunk) are not backported to 2.4 yet?


As we have a lot of distributions already using systemd by default 
(CentOS/RHEL 7, Fedora, Arch Linux, CoreOS, openSUSE), and more of them 
are going to use systemd by default (Debian 8 (Jessie), Ubuntu), it 
requires manual patching of apache for the support of systemd/journald.


Thank you!

--
Best regards,
Martynas Bendorius


Re: Systemd support in 2.4

2014-09-14 Thread Martynas Bendorius
Reindl, thank you for your input :) mod_journald was just an addition to 
this letter, because it's available on RHEL7/CentOS7 and many other 
distros, the main thing in question is mod_systemd, which is really 
useful, and distributions supporting systemd already provide mod_systemd 
by default, even though it's not backported to 2.4 yet.


Best regards,
Martynas Bendorius

On 9/14/14 2:35 PM, Reindl Harald wrote:


On 14.09.2014 at 13:21, Martynas Bendorius wrote:

Is there any special reason why mod_systemd and mod_journald (available in 
trunk) are not backported to 2.4 yet?

As we have a lot of distributions already using systemd by default (CentOS/RHEL 
7, Fedora, Arch Linux, CoreOS,
openSUSE), and more of them are going to use systemd by default (Debian 8 
(Jessie), Ubuntu), it requires manual
patching of apache for the support of systemd/journald


in most setups you have access logs for each virtual host for log-analyzers
and sometimes the customer itself has access to this logs - not sure why
you would have that in the systemlogs



mod_status: Apache 2.4 incorrect IP (proxy, not useragent_ip) on server-status page

2014-09-11 Thread Martynas Bendorius

Hello,

Would it be possible to change the documentation of mod_remoteip for 2.4 
(http://httpd.apache.org/docs/2.4/mod/mod_remoteip.html), and get "is 
reported by mod_status" removed from the page? As it leads Apache 
customers to believe that it will report a real (useragent) IP instead 
of a proxy one in server-status page. useragent_ip is not even available 
in scoreboard, which is used by mod_status, so it's not available for 
mod_status.


This has been already discussed here: 
https://issues.apache.org/bugzilla/show_bug.cgi?id=55886


Thank you!

Best regards,
Martynas Bendorius


Re: mod_status: Apache 2.4 incorrect IP (proxy, not useragent_ip) on server-status page

2014-09-11 Thread Martynas Bendorius
Yes, we may re-phrase it like that, if we'd like to fix it in apache 
source (and not documentation) :) Currently ap_get_remote_host in 
server/core.c doesn't return useragent_ip, and instead of it we get 
conn->client_ip.


Best regards,
Martynas Bendorius

On 9/11/14 4:21 PM, Jim Jagielski wrote:

isn't the question rather What should ap_get_remote_host()
return??

On Sep 11, 2014, at 8:17 AM, Martynas Bendorius marty...@martynas.it wrote:


Hello,

Would it be possible to change the documentation of mod_remoteip for 2.4 
(http://httpd.apache.org/docs/2.4/mod/mod_remoteip.html), and get "is reported by 
mod_status" removed from the page? As it leads Apache customers to believe that it 
will report a real (useragent) IP instead of a proxy one in server-status page. 
useragent_ip is not even available in scoreboard, which is used by mod_status, so it's 
not available for mod_status.

This has been already discussed here: 
https://issues.apache.org/bugzilla/show_bug.cgi?id=55886

Thank you!

Best regards,
Martynas Bendorius





Re: mod_proxy: PHP SCRIPT_FILENAME (PHP-FPM using UDS) and Apache documentation

2014-09-10 Thread Martynas Bendorius
Yes, I've tried their latest versions from GIT (with the #65641 fix 
(PHP-FPM incorrectly defines the SCRIPT_NAME variable when using Apache)).


It still has the same problem with SCRIPT_FILENAME. Is there a special 
reason why / is required at the end? As it doesn't seem to break 
anything when the trailing slash is omitted from the end.


Thank you!

Best regards,
Martynas Bendorius

On 9/10/14 8:17 PM, Jim Jagielski wrote:

I know that PHP is currently doing a LOT of fixes on
PHP-FPM...

On Sep 10, 2014, at 12:00 PM, Martynas Bendorius marty...@martynas.it wrote:


Hello,

http://httpd.apache.org/docs/current/mod/mod_proxy.html#handler breaks PHP-FPM 
SCRIPT_FILENAME. It contains double // at the beginning of it like:
SCRIPT_FILENAME: //home/admin/domains/testing.tld/public_html/test.php

While it should be:
SCRIPT_FILENAME: /home/admin/domains/testing.tld/public_html/test.php

Replacing localhost/ to just localhost fixes the problem (removing / from 
the end).

I mean:
SetHandler  proxy:unix:/path/to/app.sock|fcgi://localhost

Instead of:
SetHandler  proxy:unix:/path/to/app.sock|fcgi://localhost/

Should it be considered a typo in Apache documentation or a bug in the way 
PHP-FPM SAPI translates the path?

Thank you!

--
Best regards,
Martynas Bendorius





Re: SuexecUserGroup inside Directory context

2014-09-10 Thread Martynas Bendorius
I've created a patch for it, as I didn't have my question answered :) 
From my point of view it's still secure, as it doesn't allow to set 
SuexecUserGroup in .htaccess. I tested it and had no problems with it. 
Please include it into the trunk if you think it's okay to add it.


=

--- httpd-2.4.10/modules/generators/mod_suexec.c.old	2011-12-05 
01:08:01.0 +0100
+++ httpd-2.4.10/modules/generators/mod_suexec.c	2014-09-11 
00:16:21.44409 +0200

@@ -59,7 +59,7 @@
const char *uid, const char *gid)
 {
 suexec_config_t *cfg = (suexec_config_t *) mconfig;
-const char *err = ap_check_cmd_context(cmd, NOT_IN_DIR_LOC_FILE);
+const char *err = ap_check_cmd_context(cmd, 
NOT_IN_LOCATION|NOT_IN_FILES);


 if (err != NULL) {
 return err;
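
Review bot: in set_suexec_ugid, relaxing the context check to NOT_IN_LOCATION|NOT_IN_FILES lets the directive through inside <Directory>, but the function still writes into the suexec_config_t taken from mconfig, and nothing in this hunk shows how a value set per directory is merged with, or overrides, one set at server or virtual-host level. Please state the intended precedence (does the innermost <Directory> win?) and confirm that the request-time lookup reads the merged per-directory config, since a wrong merge here means a CGI runs under the wrong user and group. The replacement line is also wrapped by the mail client ("ap_check_cmd_context(cmd," on one line, "NOT_IN_LOCATION|NOT_IN_FILES);" on the next), so the patch will not apply as posted; sending it as an attachment would avoid that.
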
@@ -116,7 +116,7 @@
 {
 /* XXX - Another important reason not to allow this in .htaccess 
is that

  * the ap_[ug]name2id() is not thread-safe */
-AP_INIT_TAKE2(SuexecUserGroup, set_suexec_ugid, NULL, RSRC_CONF,
+AP_INIT_TAKE2(SuexecUserGroup, set_suexec_ugid, NULL, 
RSRC_CONF|ACCESS_CONF,

   User and group for spawned processes),
 { NULL }
 };
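
Review bot: the XXX comment kept above AP_INIT_TAKE2 gives the thread-safety of ap_[ug]name2id() as a reason to keep this directive out of .htaccess, and widening the mask to RSRC_CONF|ACCESS_CONF should come with a line in that comment saying why <Directory> is still acceptable (it is parsed from the server configuration at startup, not per request), so that a later change does not add an OR_* override flag by analogy. ACCESS_CONF also admits <Location> and <Files>, which are rejected only by the ap_check_cmd_context call in the first hunk; a short comment that the two must stay in sync would help. The directive's documented context needs updating alongside this change, and no documentation change is included here.
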

=

Best regards,
Martynas Bendorius

On 8/1/14 1:36 PM, Martynas Bendorius wrote:

Just bringing the email up, it’s likely that mod_suexec developers missed the 
email. Thank you! :)

—
Best Regards,
Martynas Bendorius




On Jul 18, 2014, at 12:53 AM, Martynas Bendorius marty...@martynas.it wrote:


Hello,

The following question hasn’t been answered in the dev list, so I’m trying to 
ask it again here: 
http://mail-archives.apache.org/mod_mbox/httpd-dev/201205.mbox/%3cca+-xxsfms0yrmzzitl0x-sgvgzbvxfzvrt57hh163dabrz_...@mail.gmail.com%3E
 :)

Would it be secure to use SuexecUserGroup inside Directory context? And is 
there any reason why that is still not available? From our point of view, that 
would provide more security, however, there might have been other 
technical/security reasons why it is not available/supported yet. I’ve found 
requests for that in 2005’s 
https://issues.apache.org/bugzilla/show_bug.cgi?id=37564 and a patch written in 
2003 https://www.mail-archive.com/dev@httpd.apache.org/msg17561.html.

Thank you for the answers!

—
Best Regards,
Martynas Bendorius








Apache 2.4 - incorrect (proxy, but not user) IP on server-status page

2014-08-17 Thread Martynas Bendorius

Hello,

Would anyone be willing to review 
https://issues.apache.org/bugzilla/attachment.cgi?id=31706&action=diff 
and merge it to the trunk if it looks fine? It changes 
connection->client_ip to useragent_ip in scoreboard, so it might affect 
some other things, however that seems to be the only smart way for now 
to fix the bug.


Thank you!

--
Best regards,
Martynas Bendorius


Re: SuexecUserGroup inside Directory context

2014-08-01 Thread Martynas Bendorius
Just bringing the email up, it’s likely that mod_suexec developers missed the 
email. Thank you! :)

—
Best Regards,
Martynas Bendorius




On Jul 18, 2014, at 12:53 AM, Martynas Bendorius marty...@martynas.it wrote:

 Hello,
 
 The following question hasn’t been answered in the dev list, so I’m trying to 
 ask it again here: 
 http://mail-archives.apache.org/mod_mbox/httpd-dev/201205.mbox/%3cca+-xxsfms0yrmzzitl0x-sgvgzbvxfzvrt57hh163dabrz_...@mail.gmail.com%3E
  :)
 
 Would it be secure to use SuexecUserGroup inside Directory context? And is 
 there any reason why that is still not available? From our point of view, 
 that would provide more security, however, there might have been other 
 technical/security reasons why it is not available/supported yet. I’ve found 
 requests for that in 2005’s 
 https://issues.apache.org/bugzilla/show_bug.cgi?id=37564 and a patch written 
 in 2003 https://www.mail-archive.com/dev@httpd.apache.org/msg17561.html. 
 
 Thank you for the answers!
 
 —
 Best Regards,
 Martynas Bendorius
 
 
 
 



SuexecUserGroup inside Directory context

2014-07-17 Thread Martynas Bendorius
Hello,

The following question hasn’t been answered in the dev list, so I’m trying to 
ask it again here: 
http://mail-archives.apache.org/mod_mbox/httpd-dev/201205.mbox/%3cca+-xxsfms0yrmzzitl0x-sgvgzbvxfzvrt57hh163dabrz_...@mail.gmail.com%3E
 :)

Would it be secure to use SuexecUserGroup inside Directory context? And is 
there any reason why that is still not available? From our point of view, that 
would provide more security, however, there might have been other 
technical/security reasons why it is not available/supported yet. I’ve found 
requests for that in 2005’s 
https://issues.apache.org/bugzilla/show_bug.cgi?id=37564 and a patch written in 
2003 https://www.mail-archive.com/dev@httpd.apache.org/msg17561.html. 

Thank you for the answers!

—
Best Regards,
Martynas Bendorius