ap_process_request_internal, unescape_url, reverse proxy and %00

2010-07-28 Thread Matthieu Estrade
Hi, When apache is used with mod_proxy as reverse proxy and not proxy, and when there is a %00 in the url, the request is directly refused by the reverse proxy. In the code, in ap_process_request_internal function (server/request.c): /* Ignore embedded %2F's in path for proxy requests */ if

Re: Httpd 3.0 or something else

2009-11-13 Thread Matthieu Estrade
Woow =) Very nice and interesting thread =) It's very hard to think how to design httpd 3.0 before knowing what is the real aim of this new webserver. Many feedback here are from very spotted problems. I've started at the end of 1.3 and the beta release of 2.0, and I must say that applicative archi

Re: Mitigating the Slowloris DoS attack

2009-06-24 Thread Matthieu Estrade
I totally agree with you. This first point the lack of tuning of httpd.conf, this kind of attack crash default setup of httpd.conf but a well setup server is harder to kill, specially if you have decreased timeout. With 5 seconds as timeout and a good tuning, slowloris fail... More granular time

Re: Mitigating the Slowloris DoS attack

2009-06-24 Thread Matthieu Estrade
The problem could happen also if a CL is sent and not enough data is posted. So i don't think control for complete headers will solve the entire problem. I'm actually playing with dynamic timeout considering time between request line and first header to adapt future timeout of the socket, but it wi

Re: Mitigating the Slowloris DoS attack

2009-06-22 Thread Matthieu Estrade
Hi, How about coding a module looking how many bytes are read and if there is too little chunk of data, close the connection. Something like a MinDataReadSize. If the read() function read too little data, close() the socket... Dunno if it's possible to hook directly in connection hook to do this..

Re: ProxyIOBufferSize wrong behavior

2008-03-07 Thread Matthieu Estrade
Takashi Sato wrote: On Fri, 07 Mar 2008 12:13:14 +0100 Matthieu Estrade <[EMAIL PROTECTED]> wrote: I actually need this directive to work better with some stream data. Can somebody confirm the modification must be done in the code and not in the documentation ? ProxyIOBufferSi

ProxyIOBufferSize wrong behavior

2008-03-07 Thread Matthieu Estrade
Hello, I've found something strange in the mod_proxy (httpd 2.0.63) setup: The following directive says: http://httpd.apache.org/docs/2.0/mod/mod_proxy.html#proxyiobuffersize The |ProxyIOBufferSize| directive adjusts the size of the internal buffer, which is used as a scratchpad for the data b

Re: RFC: extracting the mod_ssl session cache interface

2008-02-26 Thread Matthieu Estrade
Joe Orton wrote: The session cache interface in mod_ssl on the trunk is now mostly SSL- and mod_ssl-agnostic with respect to the data storage and configuration. There is still some tight coupling between the session cache and the ssl_mutex interface, but that's next on my hit list. Is there

Re: Vote: Support of OCSP in mod_ssl - bug 41123

2007-01-30 Thread Matthieu Estrade
We are using this patch in production on many platform for one year now, and we don't have problem. +1 for integration in trunk. Matthieu Marc Stern <[EMAIL PROTECTED]> wrote: > I ported the patch to 2.2.4, including the doc. > These are exactly the modification that are incl

Re: httpd 2.2 cache - disable and enable

2006-10-12 Thread Matthieu Estrade
Bart van der Schans wrote: Matthieu Estrade wrote: Colm MacCarthaigh wrote: I agree on this point, but people using this directive choose to lose time on this regexp check. The problem I have is many people wants to enable cache on .gif and .jpeg and .pdf, but they don't kno

Re: httpd 2.2 cache - disable and enable

2006-10-11 Thread Matthieu Estrade
Colm MacCarthaigh wrote: On Wed, Oct 11, 2006 at 05:04:21PM +0200, Matthieu Estrade wrote: Hi, I would like to make disable and enable work with regular expression. Something like CacheDisableMatch and CacheEnableMatch or working with location tags. Does somebody have more preferences

httpd 2.2 cache - disable and enable

2006-10-11 Thread Matthieu Estrade
Hi, I would like to make disable and enable work with regular expression. Something like CacheDisableMatch and CacheEnableMatch or working with location tags. Does somebody have more preferences to one method ? Matthieu

Re: [PATCH] setenvif filter

2006-06-03 Thread Matthieu Estrade
Brian Akins wrote: Francois PESCE wrote: I've discussed about a patch for mod_setenvif 2 years ago, and have coded it at that time, it is successfully used on various host in production since. You need to handle content type specially by checking r->content_type. For some reason, just doing

Re: Apache proxy behaviour...

2006-02-02 Thread Matthieu Estrade
The reverse proxy read a brigade, then forward it to the client. It should not buffer the response but forward block of data. Maybe it's because of deflate or mod_security... But this behaviour is not normal imho. Matthieu On Thursday 02 February 2006 16:13, CASTELLE Thomas wrote: > Hi there,

Re: What do you want in HTTPD 2.4/3.0/X/GREEN?

2005-12-04 Thread Matthieu Estrade
Paul Querna wrote: > My intention is for this to be a wide open brainstorming thread. > > I expect that we will be able to discuss several ideas in much more > detail at the Hackathon next week, but I really want to get all ideas > 'on the table'. > > I have a few things I would like to see, but I

Re: Initial mod_smtpd code.

2005-07-19 Thread Matthieu Estrade
Rian Hunter wrote: On Jul 19, 2005, at 6:51 AM, Nick Kew wrote: the problem i found when i did my poc is when there is in the command, different destination email. It's difficult here to keep the virtualHost scheme. It would be nice to keep a conf file like ServerName mail.bla.com

Re: Initial mod_smtpd code.

2005-07-18 Thread Matthieu Estrade
Hi Rian, I like how the code is done. I am not sure a hook for each smtp command is the good solution. Adding a new command here is very simple and quick. the problem i found when i did my poc is when there is in the command, different destination email. It's difficult here to keep the virtualH

Re: mod_smtpd design.

2005-07-01 Thread Matthieu Estrade
I agree with you, but when i tried to do this in the module you can find in www.apache.org/~mestrade/ , i found many dependencies in some *http* files. request_rec is defined in httpd.h and i think it will not be clean to handle some smtp data in a file with a name containing http, that's why i am

Re: more mod_smtpd stuff [was Summer of Code]

2005-07-01 Thread Matthieu Estrade
Jem Berkes wrote: To address one of the points brought up on IRC, if there is actually a non-experimental target for this software any time soon it would make more sense to support the 2.0 server as I think few production servers would be running 2.1? I am not sure all of this smtp stuff wil

Re: Post-2.2 Thoughts

2005-05-09 Thread Matthieu Estrade
Paul Querna wrote: 2) Add a major Protocol Module. I would like to add a major protocol module, besides http, into the mainline distribution. I believe adding a FTP Server Module would be the best one to start with. Many of the paradigms are the same, but it is different enough to help with Goal

Re: SSL error trapping

2005-04-29 Thread Matthieu Estrade
Could you look how the reason is put in this variable ? | SSL_CLIENT_VERIFY| string |NONE|, |SUCCESS|, |GENEROUS| or |FAILED:|/reason/ - Original Message - *From:* [EMAIL PROTECTED] *To:* dev@httpd.apache.org *Se

Re: Mod_MEM_cache doesn't use Pools to allocate cache objects???

2005-03-08 Thread Matthieu Estrade
luca regini wrote: Taking a look at mod_mem_cache source code i have seen that it doesn't use pools to allocate cache objects but it does so by means of reference counting and simple calloc/free calls. I have also seen that this module requires a Threaded apr to work. If you use prefork, each child

Re: [VOTE] 2.1.3 as beta

2005-02-23 Thread Matthieu Estrade
Justin Erenkrantz wrote: --On Wednesday, February 23, 2005 5:55 PM +0200 Graham Leggett <[EMAIL PROTECTED]> wrote: As soon as you install httpd + APR in a system location, you no longer can install subversion + APR in a system location. This was the basis of getting vendor packaging files (like

modssl - ocsp - crl

2004-12-15 Thread Matthieu Estrade
I'm close to finish the ocsp feature on mod_ssl, but when i look the entire client auth system, there is some little point not really clean. For example, when somebody today setup a SSLVerifyClient require and put CA and CRL, with SSLCARevocationPath, if no CRL is correct inside the path, mod_ss

netscape 4.x and SSL

2004-12-09 Thread Matthieu Estrade
Hi, Does somebody know old issues with Netscape 4.x and SSL keepalive ? I actually have an httpd-2.0 reverse proxy, and an IIS backend. Netscape connected directly on IIS is running well, keepalive is ok. Netscape connected through a netscape proxy is running well, keepalive is ok. Netscape connec

Re: mod_dumpio

2004-12-07 Thread Matthieu Estrade
I did a module like mod_dumpio, called mod_log_data, working with brigade and bucket, where you can setup number of brigade and bucket to display, len of log line, and also dump outgoing and incoming headers. It has been added in freebsd ports, and in some linux distrib. If you are interested to

OCSP Support #31383

2004-11-23 Thread Matthieu Estrade
Hi, I've just posted on bugzilla (http://issues.apache.org/bugzilla/show_bug.cgi?id=31383) a new version of the patch provided by marc stern about ocsp support. I added 3 directives: 2 to use another responder url than the one (if present) inside the certificate. 1 to choose if you want verify

Re: 2.1.1 tarballs posted...

2004-11-22 Thread Matthieu Estrade
Justin Erenkrantz wrote: Grab the 2.1.1 tarballs while they're fresh. Please start testing these releases - they should have the intent of becoming the beginning of the 2.2.x series modulo all of the cleanup work we'll have to do after we branch. For now, 2.

Re: People still using v1.3 - finding out why

2004-11-18 Thread Matthieu Estrade
Brett Lentz (Excell Data Corporation) wrote: Please don't forget: 1. Solaris 10 is shipping with 1.3.31 Redhat is shipping 2.0 for long time now 2. OpenBSD's fork of 1.3 openbsd and the theocracy ?? hahaha cool let them continue with 1.3 --Brett. Systems Administrator, RHCE -Original Mess

Re: People still using v1.3 - finding out why

2004-11-18 Thread Matthieu Estrade
I think people rely on apache 1.3 stability and security. many people consider httpd-2.0 as too young and don't try to understand why it's better. Does somebody have some percentage about 1.3 use and 2.0 ? I don't think 1.3 is still here because of modules, there is too many modules and too many

Re: Fwd: [PROPOSAL-VOTE] Adopt lazy consensus for backports...

2004-11-17 Thread Matthieu Estrade
IMHO, I am not sure we need lazy backport on stable 2.0. Lazy backport on 2.0 make it less stable, working for 2.1 is not really exciting because nobody or really few people use it. The new auth layer in 2.1 is better than 2.0, inside 2.1 for a long time now, but not popular as it should be. I t

Re: Removing the Experimental MPMs in 2.2?

2004-09-03 Thread Matthieu Estrade
Jim Jagielski wrote: On Sep 2, 2004, at 11:25 PM, Paul Querna wrote: Do we want to include the experimental MPMs in the 2.2 GA Branch? Currently the MPMs in server/mpm/experimental are: - leader - perchild - threadpool My personal feeling is to *not* include them in the 2.2 branch at this time.

Re: mod_cache: allowing urls ending in "/" to be cached

2004-07-16 Thread Matthieu Estrade
Pier Fumagalli wrote: On 16 Jul 2004, at 15:13, Graham Leggett wrote: Brian Akins wrote: If it works, I say commit the patch. Can think of no reason why we should not cache an URL ending is /. Because the cache_in filter gets added in the quick_handler. The fast_internal_redirect in mod_dir wh

Re: util_ldap [Bug 29217] - Remove references to calloc() and free()

2004-06-11 Thread Matthieu Estrade
mod_ssl mutex are totally different. global mutex are used. Actually, the mutex is in the module_conf, so i think when apache fork childs, this mutex is no more valid, and each child will have a value for it. There is also in util_ldap.c, apr_thread_mutex_create(&st->mutex, APR_THREAD_MUTEX_DEFA

Re: util_ldap [Bug 29217] - Remove references to calloc() and free()

2004-06-11 Thread Matthieu Estrade
Hi, I am not sure about what i will say, but i think all these mutex are broken. when i did that, i think i used apr_thread_mutex_create which use a pool (st->pool) which is the server pool. This function is to use in a child, not between all forked child. When it create the mutex, it do a apr_pc

Re: mod_ldap/util_ldap Issues...

2004-02-11 Thread Matthieu Estrade
Hi, About ldap cache + shm: I tested all these patch on linux and it was working well, seems it work well too on FreeBSD. I heard problem on solaris (PR #18756) but i am not sure these bugs are from ldap cache, but more from the changes done with ldap lib and TLS. Considering the module is stil

Re: [PATCH] bug #18756 ldap cache and shared memory - cache init

2003-12-12 Thread Matthieu Estrade
alid because due to non SHM platform, bnicholes changed the alloc function util_ald_alloc to receive now util_ald_cache_t and no more apr_rmm_t. As we are just before the cache alloc, it's impossible to give util_ald_alloc a cache object, that's why there, i did a basic alloc functions.

Re: [PATCH] bug #18756 ldap cache and shared memory - cache init

2003-12-11 Thread Matthieu Estrade
here, i did a basic alloc functions. Jeff Trawick wrote: Matthieu Estrade wrote: Here is a little patch, fixing the ldap cache using shared memory. After the fix for platform using SHM or not, it was a problem with cache init, unable to get its rmm address to alloc memory. why is st->

[PATCH] bug #18756 ldap cache and shared memory - cache init

2003-12-10 Thread Matthieu Estrade
Hi, Here is a little patch, fixing the ldap cache using shared memory. After the fix for platform using SHM or not, it was a problem with cache init, unable to get its rmm address to alloc memory. I modified the cache alloc for the two cases, with and without SHM, now not using more util_ald_

Re: Bug in mod_cache?

2003-11-18 Thread Matthieu Estrade
mod_cache is not caching / because of negotiate problem, if i remember well. We discuss many times to why not caching, and never find really a good reason to not cache /. Brian Akins wrote: mod_cache never caches anything ending in / (ie, www.cnn.com/) but will cache /index.html. Is this on p

Re: consider reopening 1.3

2003-11-17 Thread Matthieu Estrade
You are right, apache 2.0 pre fork is < apache 1.3 prefork... But one nice feature of apache 2.0 is to provide other mpm more powerful. worker mpm is > apache 1.3. If you look all benchmark of web server, you will see that all are now providing threaded architectures because it's more stable and

Re: consider reopening 1.3

2003-11-16 Thread Matthieu Estrade
Hi, I understand many people still are with 1.3 and don't want to change because it's stable. But Coding modules with 1.3 is definitively not easy and require many time core patch. Apache 2.0 was design to give many really good features like threaded mpm, filters etc... When you look others web s

Re: the wheel of httpd-dev life is surely slowing down, solutions please

2003-11-13 Thread Matthieu Estrade
MATHIHALLI,MADHUSUDAN (HP-Cupertino,ex1) wrote: Disclaimer : Not targetting any one individual I don't think there is target here, i consider it more as an open discussion. I have a question to the people have lots of time to write such long mails and responses - why can't you instead spend

Re: the wheel of httpd-dev life is surely slowing down, solutions please

2003-11-13 Thread Matthieu Estrade
Hi, I would like to speak a little about all this slow answer or review problems. i will take example of my last patch about ldap-cache. I started doing it 5 month ago, and posted few patch many times on [EMAIL PROTECTED] Nobody answered on the list, i posted about 4 or 5 times the same subject

Re: mod_ldap SEGV while caching on FreeBSD 4.8-STABLE

2003-11-04 Thread Matthieu Estrade
hou -Original Message- From: Matthieu Estrade [mailto:[EMAIL PROTECTED] Sent: Monday, November 03, 2003 12:37 AM To: [EMAIL PROTECTED] Subject: Re: mod_ldap SEGV while caching on FreeBSD 4.8-STABLE Hi Albert, Could you try this little patch posted on bugzilla: http://nagoya.apache.org

Re: mod_ldap SEGV while caching on FreeBSD 4.8-STABLE

2003-11-03 Thread Matthieu Estrade
Hi Albert, Could you try this little patch posted on bugzilla: http://nagoya.apache.org/bugzilla/showattachment.cgi?attach_id=8185 It works under linux but still not work with solaris... i never tested it on FreeBSD. You can also find information about the bug which is #18756. Albert Chin wrot

Re: Can't use handler + reverse proxy

2003-10-21 Thread Matthieu Estrade
authentication form to the client. if the user is authenticated, then i return declined and all is working normally. I did exactly like mod_cache is working. Cliff Woolley wrote: On Tue, 21 Oct 2003, Matthieu Estrade wrote: I have to look what this quick handler do exactly, but i work well and

Re: Can't use handler + reverse proxy

2003-10-21 Thread Matthieu Estrade
I have to look what this quick handler do exactly, but i work well and seems to be able to act as normal handler. ap_hook_quick_handler(cache_url_handler, NULL, NULL, APR_HOOK_FIRST); Cliff Woolley wrote: On Tue, 21 Oct 2003, Cliff Woolley wrote: What exactly are you trying to do, and with w

Re: Can't use handler + reverse proxy

2003-10-21 Thread Matthieu Estrade
I am using Apache 2.0 and what i want to do is a applicative authentication using a form i wanted sent by the reverse proxy. But i think i will do another way, looking into mod_mem_cache how it's disable mod_proxy when it want to serve data directly from his cache... Cliff Woolley wrote: On Tue

Can't use handler + reverse proxy

2003-10-21 Thread Matthieu Estrade
Hi, I am actually using apache as a reverse proxy, and i am trying to use a handler with... and it doesn't work. When i setup my SetHandler on a local virtualhost, it works well, but when i setup it on a virtualhost doing reverse proxy, it's never called. any ideas ? Matthieu

Re: mod_ldap Cache Issues

2003-10-03 Thread Matthieu Estrade
Hi Jess, Did you use the patch i did and i posted here and on bugzilla for bug #18756 ? For your first issue, the problem should be that all memory allocation are not controlled in the code, i mean if it return NULL or an address to the memory, it's the same. So maybe when you are at user 3

Re: [PATCH] Bug #18756: fix many problems about ldap cache using shared memory

2003-09-20 Thread Matthieu Estrade
(new comment on bugzilla), but i haven't a solaris box to test and debug... And i don't know if i will be able to reproduce the bug if i install a sol9 x86. Matthieu Jeff Trawick wrote: Matthieu Estrade wrote: This is my second and new patch for ldap cache using shared memory. I am u

[PATCH] Bug #18756: fix many problems about ldap cache using shared memory

2003-09-12 Thread Matthieu Estrade
Hi, This is my second and new patch for ldap cache using shared memory. I am using ldap cache with linux redhat and worker mpm. The problems i found: 1) All shm cache information (shm addr, rmm addr, lock) are declared as global. --> in worker mpm, many strange problems happen. 2) shm initialis

Re: Problem with cache+proxy and multiple brigade

2002-10-14 Thread Matthieu Estrade
Graham Leggett wrote: > Matthieu Estrade wrote: > >> I found a problem with mod_cache and mod_proxy... >> >> when cache is storing the data + headers in memory, it doesn't care >> about Transfer-Encoding... > > > AFAIK proxy should always dechunk an

Problem with cache+proxy and multiple brigade

2002-10-13 Thread Matthieu Estrade
Hi, I found a problem with mod_cache and mod_proxy... when cache is storing the data + headers in memory, it doesn't care about Transfer-Encoding... So if reverse proxy receive a response by multiple brigade, with the header Transfer-Encoding=chunked, mod_cache store it in mobj->header_out.

Re: Mod_cache and multiple brigade problem.

2002-10-10 Thread Matthieu Estrade
Hi, I worked more on debug in mod_cache. what i found is: when the bug is happening, and it's not all the time: the request are served from cache 1/2 times so: first request is cached, the second one served from the cache, the third one is cached. find_entry function in cache_hash is unable t

RE : mod_proxy support for exchange 2000

2002-10-03 Thread Matthieu Estrade
Hi, I had this problem (proxying Exchange) few month ago, when apache 2.0 was just released... I was unable with apache 1.3 to proxy my OWA (outlook web access). When i sniffed the connection, i saw that for the login/pass process, Exchange was sending a 401 until he found a valid authentificat

Re: mod_cache and brigade

2002-09-24 Thread Matthieu Estrade
attached diff instead of > the entire file. Your version of the file has changed the spacing of most > of the file so I can't easily determine what you changed. > > Thanks, > > Paul J. Reder > > Matthieu Estrade wrote: > >> Hi again, >> >> Just to say

Re: mod_cache and brigade

2002-09-24 Thread Matthieu Estrade
Hi again, Just to say when i put my mozilla/netscape in HTTP/1.0, i don't have the bug i speak about in my last mail. Matthieu

Re: Patch mod_proxy: mod_proxy + mod_cache problem

2002-09-23 Thread Matthieu Estrade
e before the next filter were allowed > access, then proxy could potentially buffer a *huge* amount of > data. > > The answer is that the cache code currently only caches responses > that arrive in one brigade. Proxy isn't the problem. > > Matthieu Estrade wrote: > &

Re: Patch mod_proxy: mod_proxy + mod_cache problem

2002-09-23 Thread Matthieu Estrade
backend server. regards, Matthieu Graham Leggett wrote: > Matthieu Estrade wrote: > >> I agree with you about the proxy... >> Do you think it's possible to force the cache filter, be run after >> all the proxy filters ? > > > The cache filter is supposed to

Re: Patch mod_proxy: mod_proxy + mod_cache problem

2002-09-23 Thread Matthieu Estrade
hi bill, I agree with you about the proxy... Do you think it's possible to force the cache filter, be run after all the proxy filters ? Matthieu Bill Stoddard wrote: >>Hi again :) >> >>I did a patch modifying mod_proxy to pass the entire data (response >>from backend server) to output_fil

Patch mod_proxy: mod_proxy + mod_cache problem

2002-09-23 Thread Matthieu Estrade
Hi again :) I did a patch modifying mod_proxy to pass the entire data (response from backend server) to output_filter, instead of brigade per brigade. it seems to work well... Matthieu Matthieu Estrade wrote: > > Hi again, > > the problem seems to be in the proxy. > > W

Re: mod_proxy + mod_cache problem, losing EOS bucket

2002-09-23 Thread Matthieu Estrade
the first brigade with a part of data. Do you think it's better to modify how proxy is passing data to the output_filter or to modify the way mod_cache is getting his data from bucket_brigade ? Matthieu Matthieu Estrade wrote: > Hi, > > I'm working on mod_cache and mod_mem_

mod_proxy + mod_cache problem, losing EOS bucket

2002-09-23 Thread Matthieu Estrade
Hi, I'm working on mod_cache and mod_mem_cache + mod_proxy I found a problem with EOS Bucket. mod_cache is inserting his cache_in filter in output_filter when he wants to insert data in the cache. when mod_cache is used with mod_proxy, the cache_in filter is called after mod_proxy call ap_pas

Some mod_cache + Reverse proxy problems

2002-09-10 Thread Matthieu Estrade
Hi, I'm trying to use the cache module with reverse proxy, and I have few problems. When I'm using a browser with data in cache, like the file test.gif. If the picture is in my browser cache before my first try with the reverse proxy, mod_cache is unable to cache the data, because on the fir