Recognition of local / remote request
Dear developers, I would like to ask you how can I recognize whether request is performed from local PC or from remote PC? Is it possible to use ServerName where I will define remote IP address? My situation is the when user is connected from the local PC over 127.0.0.1 or 192.168.*.* than URL will be allowed. Otherwise URL will be permitted for user. Thank you in advance -- Best Regards / S pozdravem Petr Hracek
How to call one module from the another module
Dear users, I have one simple question. Is there any possibility how to call module from the another module? Let's say that my module is used for checking whether user is logged, session is expired, etc. When all those tests are satisfied then URL which was checked by my module is redirect to another module e.g proxy? https://IP_address/APPL1 should be authenticated by my own proprietary module and when this is successed then it is redirect to proxy defined in /etc/apache/conf/my_conf.conf file VirtualHost _default_:443 SSLEngine on SSLProxyEngine on ProxyRequests Off TraceEnable Off Proxy * AuthType SEC_CHECK require valid-user satisfy Any /Proxy /VirtualHost ProxyPass /APPL1 http://192.0.2.20:8080/APPLONE ProxyPassReverse /APPL1 http://192.0.2.20:8080/APPLONE AuthType in my module SEC_CHECK is defined so: #defined SECURITY_AUTH_CHECK SEC_CHECK r-ap_auth_type = SECURITY_AUTH_CHECK Is this behaviour possible? -- Best Regards / S pozdravem Petr Hracek
Re: How to call one module from the another module
I have solve that by more virtual hosts. Now it is working but another problem occurs: When URL is entered like: https://IP_address/APPL1/index.html and it is redirecting to https://IP_address/APPL1/index.jsp then is returns me HTTP 404 because of https://IP_Address/APPL1indexjsp. WITHOUT /. Do you know where can be a problem? Can that be solved by ProxyHTMLURLMap? Thank you in advance Dne 27. července 2011 15:46 Eric Covener cove...@gmail.com napsal(a): On Wed, Jul 27, 2011 at 9:35 AM, Stefan Fritsch s...@sfritsch.de wrote: On Wednesday 27 July 2011, Petr Hracek wrote: Dear users, I have one simple question. Is there any possibility how to call module from the another module? Let's say that my module is used for checking whether user is logged, session is expired, etc. When all those tests are satisfied then URL which was checked by my module is redirect to another module e.g proxy? https://IP_address/APPL1 should be authenticated by my own proprietary module and when this is successed then it is redirect to proxy defined in /etc/apache/conf/my_conf.conf file VirtualHost _default_:443 SSLEngine on SSLProxyEngine on ProxyRequests Off TraceEnable Off Proxy * AuthType SEC_CHECK require valid-user satisfy Any /Proxy /VirtualHost ProxyPass /APPL1 http://192.0.2.20:8080/APPLONE ProxyPassReverse /APPL1 http://192.0.2.20:8080/APPLONE AuthType in my module SEC_CHECK is defined so: #defined SECURITY_AUTH_CHECK SEC_CHECK r-ap_auth_type = SECURITY_AUTH_CHECK Is this behaviour possible? mod_proxy should handle the request with you having to do anything in your module. Have you tried replacing your auth module with basic auth and checked if that works? If no, there is likely some other problem in your config. If it wasn't already intended to be reverse proxied, or successful auth in your mod changes where it's destined for, see how mod_rewrite implements the [P] flag to pass along a request to mod_proxy. -- Eric Covener cove...@gmail.com -- Best Regards / S pozdravem Petr Hracek
Authentication and ReverseProxy to more servers
Dear developers,
sorry for bother you with that question but I could not imagine where
I have made a problem?
Situation have to be following:
I have MAIN server connected to the intranet. To that MAIN server are
connected some other servers.
In the MAIN server is buildup proprietary authentication module which
is used for authorization and authentication.
When the user write down in URL somethink like:
https://MAIN_server_IP/application1 then this should be reversed
proxied to the http://192.168.0.20:8080/appl1
https://MAIN_server_IP/application2 then this should be reversed
proxied to the http://192.168.0.30:8080/appl2
Both applications like application1 and application2 have to be
authorized first in the MAIN server and than proxied to
the relevant servers.
Authentication works fine but it is not proxied.
In the /var/log/apache2/error_log file is not mentioned and log from
mod_proxy.c module
and ReverseProxy is not working at all.
In the log is mentioned only:
File does not exists: /srv/www/htdocs/ssldocs/application1
But this is true because of it has to be proxied.
Handlers in my modules are:
static void register_hooks(apr_pool_t * p)
{
static const char * const
aszPre[]={mod_proxy.c,mod_proxy_http.c,mod_proxy_ajp.c,NULL};
ap_hook_auth_checker(access_handler,NULL,NULL,APR_HOOK_FIRST);
ap_hook_check_user_id(auth_handler,NULL,NULL,APR_HOOK_FIRST);
}
Should be there add ap_hook_map_to_storage?
Could you please let me know how to do it?
Configuration file in MAIN server looks like:
VirtualHost _default_: 443
DocumentRoot /srv/www/htdocs/ssldocs
SSLEngine on
SSLProxyEngine on
ProxyRequests Off
Directory proxy:*
AuthType OwnSec
require valid-user
Order Allow,deny
Allow from all
/Directory
ProxyPass /application1 http://192.168.0.20:8080/appl1
ProxyPassReverse /application1 http://192.168.0.20:8080/appl1
ProxyPass /application2 http://192.168.0.30:8080/appl1
ProxyPassReverse /application2 http://192.168.0.30:8080/appl2
/VirtualHost
--
Best Regards / S pozdravem
Petr Hracek
Proxy authentication
Dear users,
I have problems with proxy authorization and I could not image where
is a problem.
Configuration in my VirtualHost section is:
VirtualHost _default_:443
SSLEngine on
SSLProxyEngine on
ProxyRequests off
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteMap pages txt:/opt/httpd2/conf/pages.txt
RewriteRule ^/([^/]+)${pages:$1|/$1} $
RewriteRule ^/([^/]+)/(.*)${pages:$1|/opt/httpd2/htdocs/ssldocs/$1}/$2 [L]
Directory /
Options Includes Multiviews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
/Directory
Directory /opt/httpd2/htdocs/ssldocs/
AuthType SECURE_USER
require valid-user
Satisfy Any
/Directory
IfModule mod_authz_host.c
Directory /
Options + Indexes +Multiviews
AuthType SECURE_USER
require valid-user
satisfy Any
/Directory
Location /ATS/
AuthType SECURE_USER
require valid-user
ProxyPass http://192.2.0.25:8080/ATSAdmin
ProxyPassReverse http://192.2.0.25:8080/ATSAdmin
satisfy Any
/Location
/IfModule
/VirtualHost
In the module is mentioned:
r-ap_auth_type = SECURE_USER;
Format of the file pages.txt is:
App1 /opt/App1/htdocs App1
App2 /opt/App2/htdocs App2
App3 /opt/App3/htdocs App3
https://IP_Address/App1 showing my own authorization.
When I will enter https://ip_address/ATS/ I want to authorized over
my module and when the authorization is done the it is proxied to the
http://192.2.0.25:8080/ATSAdmin.
Could you please let me know where I have made a mistake?
My module have following hooks:
static void register_hooks(apr_pool_t *p)
{
ap_hook_post_config(init_Module,NULL,NULL,APR_HOOK_MIDDLE);
ap_hook_auth_checker(auth_handler,NULL,NULL,APR_HOOK_MIDDLE);
ap_hook_check_user_id(access_handler,NULL,NULL,APR_HOOK_MIDDLE);
ap_hook_handler(notification_handler,NULL,NULL,APR_HOOK_MIDDLE);
ap_hook_fixups(fixups,NULL,NULL,APR_HOOK_MIDDLE);
ap_hook_child_init(init_Child,NULL,NULL,APR_HOOK_MIDDLE);
ap_hook_handler(secure_handler,NULL,NULL,APR_HOOK_MIDDLE);
ap_hook_handler(login_handler,NULL,NULL,APR_HOOK_MIDDLE);
ap_hook_handler(single_login_handler,NULL,NULL,APR_HOOK_MIDDLE);
ap_hook_handler(logout_handler,NULL,NULL,APR_HOOK_MIDDLE);
}
When the access_checker return value is OK than it shown me page 404.
When the access_checker return value is DECLINED that it shown me page
unauthorized access.
Shal I use some http redirection to the proxy pages?
When I will do that so that configuration is:
Location /wbm1
ProxyPass http://192.2.0.25/
Order deny,allow
Allow from all
AuthType Basic
AuthName Password Required
AuthUserFile password.file
AuthGroupFile group.file
Require group usergroup
/Location
Than all works fine.
--
Best Regards / S pozdravem
Petr Hracek
Succeed compilation with FIPS
Dear developers, I have tried to find out on the web what is the correct way how to compile http2 so that it will be compliance with FIPS 140-2. I have already build up OpenSSL libraries with FIPS and development files as well. I have try to run ./configure --with-ssl=path_to_openSSL_FIPS_libraries and it seems to be good but how can I call make? like: make CC=fipsld FIPSLD_CC=gcc ? thank you in advance -- Best Regards / S pozdravem Petr Hracek
SSLFIPS from which version
Dear users, sorry for bother you with that issue but I have try to find out from which version is Directive SSLFIPS available in apache2. I have found in source code that SSLFIPS is available from apache2 2.2.16. Is this information correct? Are there any steps how to build up apache2 together with FIPS 140-2? Best regards / S pozdravem Petr Hracek
graceful restart detection in prefork mode
Dear developers, My situation is following: In my Apache2 running in prefork mode I have following situation. Whole pages (except loging page) are run over https (port 443) and authentication is done over my own module. When the most users are looking on the pages (https) then I would like to reload configuration of my apache over command apache2ctl -k graceful I suggest that new users will see new configuration and old users will have their session till they will not logout. But unfortunatelly all sessions are closed and as new as old users have to login again for other work. Is there any solution for that like detection for gracefull restart? Do you now any idea how to do that? My apache2 which is delivered by SUSE is pretty old (I know). linux:~ # httpd2 -l Compiled in modules: core.c prefork.c http_core.c mod_so.c linux:~ # httpd2 -V Server version: Apache/2.2.3 Server built: Apr 14 2010 11:41:47 Server's Module Magic Number: 20051115:3 Server loaded: APR 1.2.2, APR-Util 1.2.2 Compiled using: APR 1.2.2, APR-Util 1.2.2 Architecture: 32-bit Server MPM: Prefork threaded: no forked: yes (variable process count) Server compiled with -D APACHE_MPM_DIR=server/mpm/prefork -D APR_HAS_SENDFILE -D APR_HAS_MMAP -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled) -D APR_USE_SYSVSEM_SERIALIZE -D APR_USE_PTHREAD_SERIALIZE -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT -D APR_HAS_OTHER_CHILD -D AP_HAVE_RELIABLE_PIPED_LOGS -D DYNAMIC_MODULE_LIMIT=128 -D HTTPD_ROOT=/srv/www -D SUEXEC_BIN=/usr/sbin/suexec2 -D DEFAULT_PIDLOG=/var/run/httpd2.pid -D DEFAULT_SCOREBOARD=logs/apache_runtime_status -D DEFAULT_LOCKFILE=/var/run/accept.lock -D DEFAULT_ERRORLOG=/var/log/apache2/error_log -D AP_TYPES_CONFIG_FILE=/etc/apache2/mime.types -D SERVER_CONFIG_FILE=/etc/apache2/httpd.conf linux:~ # Thank you in advance. -- Best Regards / S pozdravem Petr Hracek
Re: graceful restart detection in prefork mode
It is not configured yet. I suggest that GracefulShutdownTimeout 0 as default is OK, right? 2011/5/26 MATSUMOTO Ryosuke matsu1...@gmail.com: Hi, How do you configure GracefulShutdownTimeout? 2011/5/26 Petr Hracek phrac...@gmail.com Dear developers, My situation is following: In my Apache2 running in prefork mode I have following situation. Whole pages (except loging page) are run over https (port 443) and authentication is done over my own module. When the most users are looking on the pages (https) then I would like to reload configuration of my apache over command apache2ctl -k graceful I suggest that new users will see new configuration and old users will have their session till they will not logout. But unfortunatelly all sessions are closed and as new as old users have to login again for other work. Is there any solution for that like detection for gracefull restart? Do you now any idea how to do that? My apache2 which is delivered by SUSE is pretty old (I know). linux:~ # httpd2 -l Compiled in modules: core.c prefork.c http_core.c mod_so.c linux:~ # httpd2 -V Server version: Apache/2.2.3 Server built: Apr 14 2010 11:41:47 Server's Module Magic Number: 20051115:3 Server loaded: APR 1.2.2, APR-Util 1.2.2 Compiled using: APR 1.2.2, APR-Util 1.2.2 Architecture: 32-bit Server MPM: Prefork threaded: no forked: yes (variable process count) Server compiled with -D APACHE_MPM_DIR=server/mpm/prefork -D APR_HAS_SENDFILE -D APR_HAS_MMAP -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled) -D APR_USE_SYSVSEM_SERIALIZE -D APR_USE_PTHREAD_SERIALIZE -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT -D APR_HAS_OTHER_CHILD -D AP_HAVE_RELIABLE_PIPED_LOGS -D DYNAMIC_MODULE_LIMIT=128 -D HTTPD_ROOT=/srv/www -D SUEXEC_BIN=/usr/sbin/suexec2 -D DEFAULT_PIDLOG=/var/run/httpd2.pid -D DEFAULT_SCOREBOARD=logs/apache_runtime_status -D DEFAULT_LOCKFILE=/var/run/accept.lock -D DEFAULT_ERRORLOG=/var/log/apache2/error_log -D AP_TYPES_CONFIG_FILE=/etc/apache2/mime.types -D SERVER_CONFIG_FILE=/etc/apache2/httpd.conf linux:~ # Thank you in advance. -- Best Regards / S pozdravem Petr Hracek -- Best Regards / S pozdravem Petr Hracek
Re: graceful restart detection in prefork mode
No KeepAliveTimeout is 5 2011/5/26 MATSUMOTO Ryosuke matsu1...@gmail.com: How do you configure KeepAliveTimeout? KeepAliveTimeout value is 15(sec) as default. The number of seconds Apache will wait for a subsequent request before closing the connection. 2011/5/26 MATSUMOTO Ryosuke matsu1...@gmail.com GracefulShutdownTimeout valiue is zero as defualt. Setting this value to zero means that the server will wait indefinitely until all remaining requests have been fully served. 2011/5/26 Petr Hracek phrac...@gmail.com It is not configured yet. I suggest that GracefulShutdownTimeout 0 as default is OK, right? 2011/5/26 MATSUMOTO Ryosuke matsu1...@gmail.com: Hi, How do you configure GracefulShutdownTimeout? 2011/5/26 Petr Hracek phrac...@gmail.com Dear developers, My situation is following: In my Apache2 running in prefork mode I have following situation. Whole pages (except loging page) are run over https (port 443) and authentication is done over my own module. When the most users are looking on the pages (https) then I would like to reload configuration of my apache over command apache2ctl -k graceful I suggest that new users will see new configuration and old users will have their session till they will not logout. But unfortunatelly all sessions are closed and as new as old users have to login again for other work. Is there any solution for that like detection for gracefull restart? Do you now any idea how to do that? My apache2 which is delivered by SUSE is pretty old (I know). linux:~ # httpd2 -l Compiled in modules: core.c prefork.c http_core.c mod_so.c linux:~ # httpd2 -V Server version: Apache/2.2.3 Server built: Apr 14 2010 11:41:47 Server's Module Magic Number: 20051115:3 Server loaded: APR 1.2.2, APR-Util 1.2.2 Compiled using: APR 1.2.2, APR-Util 1.2.2 Architecture: 32-bit Server MPM: Prefork threaded: no forked: yes (variable process count) Server compiled with -D APACHE_MPM_DIR=server/mpm/prefork -D APR_HAS_SENDFILE -D APR_HAS_MMAP -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled) -D APR_USE_SYSVSEM_SERIALIZE -D APR_USE_PTHREAD_SERIALIZE -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT -D APR_HAS_OTHER_CHILD -D AP_HAVE_RELIABLE_PIPED_LOGS -D DYNAMIC_MODULE_LIMIT=128 -D HTTPD_ROOT=/srv/www -D SUEXEC_BIN=/usr/sbin/suexec2 -D DEFAULT_PIDLOG=/var/run/httpd2.pid -D DEFAULT_SCOREBOARD=logs/apache_runtime_status -D DEFAULT_LOCKFILE=/var/run/accept.lock -D DEFAULT_ERRORLOG=/var/log/apache2/error_log -D AP_TYPES_CONFIG_FILE=/etc/apache2/mime.types -D SERVER_CONFIG_FILE=/etc/apache2/httpd.conf linux:~ # Thank you in advance. -- Best Regards / S pozdravem Petr Hracek -- Best Regards / S pozdravem Petr Hracek -- Best Regards / S pozdravem Petr Hracek
How to restore HTTP settings/sessions during GRACEFUL restart
Dear apache2 users, sorry for bother you with this issue but I need help from the apache2 developers. In my module I am setting some HTTP settings like sessions and HTTP Title etc. When I am calling sending SIGHUP or restarting apache2 over apache2ctl then setting are lost. That's correct behaviour. But when I am sending SIGUSR1 or apache2ctl -k graceful HTTP settings and sessions are lost as well and that's not correct behaviour. Is there any interface how to catch sessions and HTTP Title during apache2 graceful restart so that after restarting apache2 sessions and HTTP Title will be still existing and working? Is there any simple module/ example where is this situation described? Thank you in advance -- Best Regards / S pozdravem Petr Hracek
Authentication of proxy over own module
Hello apache users,
I would like to explain my problem.
I have developed the module which is used for authorization to web pages.
It works fine without problem but I would like to use that module for
authorization
of proxy requests as well.
Proxy requests are not defined in settings of browser (in Firefox
Tools-Options-LAN settings - Manual configuration of proxy).
In apache conf. file I have following:
VirtualHost _default_:443
SSLEngine on
SSLProxyEngine on
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
RewriteMap foo txt:/opt/apache/conf/foo.map
RewriteRule ^/PAC$ http://192.168.0.23:8080/PACAdmin [P]
RewriteRule ^/PAC/(.*) http://192.168.0.23:8080/PACAdmin/$1 [P]
RewriteRule ^/([^/]+)$ ${foo:$1|/$1} [L]
RewriteRule ^/([^/]+)/(.*) ${foo:$1|/opt/apache/htdocs/ssldocs/$1}/$2
[L]
IfModule mod_authz_host.c
Directory /
Options +Indexes +Multiviews
AuthType FOOM
require valid-user
satisfy Any
/Directory
/IfModule
Location /PAC/
ProxyPass http://192.168.0.23:8080/PACAdmin
ProxyPassReverse http://192.168.0.23:8080/PACAdmin
ProxyPassReverseCookie /PACAdmin /PAC
Order Allow,deny
Allow from all
/Location
How I can used own module for authorization location /PAC/?
When user will enter URL http://192.168.0.23:8080/PAC
then firstly my own module will authorized that page and afterwards location
/PAC will be shown.
Is it possible to do it somehow?
Thanks for your help.
--
Best Regards / S pozdravem
Petr Hracek
type_checker
Dear apache users, sorry for bother you with this question but I have a little problem with multilanguage support in FF or IE. My module does not handler like type_checker yet. in the configuration file of Apache2 I have following: AddLanguage en .en_US AddLanguage en-us .en_US AddLanguage en-gb .en_GB AddLanguage de .de AddLanguage de-at .de AddLanguage de-DE .de AddLanguage pt-br .pt_BR AddLanguage pt .pt AddLanguage es .es AddLanguage fr .fr AddLanguage it .it AddLanguage nl .nl LanguagePriority en-us en en-gb de fr it es nl pt On the system I have only HTML pages like index.en_US and index.de, foo.en_US and foo.de FIRST CASE: Unfortunatelly when in the browser I set two languages first de-at second en-us then page is always shown in English language. SECOND CASE: When browser is so that languages are: first de-at second de third en_us then page is always shown in German language. How I should implement type_checker in my module which will modify request so that in FIRST CASE will work correctly. Thank you in advance -- Best Regards / S pozdravem Petr Hracek
Re: type_checker
Could you please help me what spelling is wrong? I want to add type_checker to my module as last step of course if there will be no other option. 2010/6/10 Nick Kew n...@webthing.com On 10 Jun 2010, at 09:37, Petr Hracek wrote: Dear apache users, This is the developers list. Users are us...@. My module does not handler like type_checker yet. Your module? As opposed to mod_negotiation? How I should implement type_checker in my module which will modify request so that in FIRST CASE will work correctly. See the content negotiation docs. And check your spelling. -- Nick Kew -- Best Regards / S pozdravem Petr Hracek
Re: My own module and catching Proxy Request
2010/4/22 Petr Hracek phrac...@gmail.com
Hello *,
I hope that I am sending those question to the correct discussion list.
In my Apache2 (2.2.3) configuration file I have:
VirtualHost _default_:443
SSLEngine on
DocumentRoot /opt/apache/htdocs/ssldocs
ProxyPass /PAC/ http://192.168.187.101:8080/PACCBAdmin
ProxyPassReverse/PAC/ http://192.168.187.150:8080/PACCBAdmin/
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
RewriteMap unity txt:/opt/apache/conf/unity.map
RewriteRule ^/([^/]+)$ ${unity:$1|/$1} [L]
RewriteRule ^/([^/]+)/(.*) ${unity:$1|/opt/apache/htdocs/ssldocs/$1}/$2
[L]
RewriteLog /var/log/apache2/rewrite_log
RewriteLogLevel 3
Location /PAC/
ProxyPassReverseCookiePath /PACCBAdmin /PAC
Order Allow,Deny
Allow from all
/Location
/VirtualHost
In the my modules which takes care about AAA, Security issues, etc.
I would like to catch in my module when URL contains /PAC/ (which means
that this is proxy) than it tell to module that this request is not a
bussiness for them.
Is it possible to do that somehow?
I have found that r-proxyreq contains if the Request is Proxy or not.
Thank you in advance
--
Best Regards / S pozdravem
Petr Hracek
Hello *,
May be I have asked wrongly.
How can I detect if the request from browser if Proxy or not?
How should I configure apache for that case?
--
Best Regards / S pozdravem
Petr Hracek
My own module and catching Proxy Request
Authorization is based on username/password stored in database.
First of all I authenticate user and afterwards redirection is done.
I have following RewriteRule but it does not work at all.
RewriteRule ^/([^/]+)$ ${unity:$1|/$1} [L]
RewriteRule ^/([^/]+)/(.*) ${unity:$1|/opt/apache/htdocs/ssldocs/$1}/$2 [L]
which is used for my module and
in location is:
Location /PAC/
ProxyPass http://192.168.187.150:8080/PACCBAdmin
ProxyPassReversehttp://192.168.187.150:8080/PACCBAdmin/
ProxyPassReverseCookiePath /PACCBAdmin/PAC
Order Allow,Deny
Allow from all
/Location
I hope that it is correct.
BR
Petr
2010/4/23 Jeffrey E Burgoyne burgo...@keenuh.com
I think that would require two modules as the authorization and redirect
hooks happen at different phases. I've actually written modules for both
of these phases, it is pretty easy as far as modules go. And remember, the
authorization module will ALWAYS be called before the redirection modules,
so you already know if you hit your redirection module that authorization
was correct.
You may not, however, have to write a module. You may be able to use one
of the already provided auth modules plus mod_rewrite to do this.
Now your authorization, is it based on a username/password, or some other
restriction (i.e. connecting IP)?
If username/password, is it basic authentication controlled? If not, I've
no experience in that area. If it is, then what is the DB used?
Thanks but I forgott to mentioned that my module makes an authorization
against database and I would like to catch that if user access some proxy
than first of all he has to be authorized by my module and afterwards it
will be redirect to the proxy. Is it possible to do that somehow?
Thanks
2010/4/23 Jeffrey E Burgoyne burgo...@keenuh.com
I'm not using it in a specific module, although you easily could.
I'm not at work today, but it goes something like this :
I want to force all hits to go through our front end web server which
acts
as a reverse proxy to the back end apache server. The logic is if there
is
no X_FORWARDED_FOR (meaning it was not proxied), then redirect the hit
to
the front end reverse proxy server. I used the logic that if the
X_FORWARDED_FOR did not start with 1-9 then it was not a valid proxied
request :
RewriteCond %{X_FORWARDED_FOR} !^[1-9]
RewriteRule /(.*) http://proxiedhost.ca/$1 [R,L]
For your module you can access the headers from the request pool and
look
for X_FORWARDED_FOR.
Note it may be more complicated depending on your setup. Some load
balancers put that value into the HTTP stream, so you may have to
account
for that. If it runs through multiple proxies (perhaps including a load
balancer), the IP's will be list form comma seperated.
Note too I have DNS lookups off, so if you have them on I suspect you
would get the DNS name, not the IP, but I cannot say with 100%
certainty.
for example,
if a client from 192.168.2.10 access 10.10.10.10, the web server sees :
connecting IP - 192.168.2.10
X_FORWARDED_HEADER - blank
If the server at 10.10.10.10 proxies to 10.20.20.20 the web server at
the
.20 address sees :
connecting IP - 10.10.10.01
X_FORWARDED_HEADER - 192.168.2.10
How do you have configured RewriteRule together with your own module?
Could you please send me more details or example?
Thanks
Petr
2010/4/23 Jeffrey E Burgoyne burgo...@keenuh.com
I use the environment variable X_FORWARDED_FOR
http://en.wikipedia.org/wiki/X-Forwarded-For
with mod_rewrite to determine if it came via a proxy or not.
It may be of use to you.
2010/4/22 Petr Hracek phrac...@gmail.com
Hello *,
I hope that I am sending those question to the correct discussion
list.
In my Apache2 (2.2.3) configuration file I have:
VirtualHost _default_:443
SSLEngine on
DocumentRoot /opt/apache/htdocs/ssldocs
ProxyPass /PAC/ http://192.168.187.101:8080/PACCBAdmin
ProxyPassReverse/PAC/
http://192.168.187.150:8080/PACCBAdmin/
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
RewriteMap unity txt:/opt/apache/conf/unity.map
RewriteRule ^/([^/]+)$ ${unity:$1|/$1} [L]
RewriteRule ^/([^/]+)/(.*)
${unity:$1|/opt/apache/htdocs/ssldocs/$1}/$2
[L]
RewriteLog /var/log/apache2/rewrite_log
RewriteLogLevel 3
Location /PAC/
ProxyPassReverseCookiePath /PACCBAdmin /PAC
Order Allow,Deny
Allow from all
/Location
/VirtualHost
In the my modules which takes care about AAA, Security issues,
etc.
I would like to catch in my module when URL contains /PAC/ (which
means
that this is proxy) than it tell to module that this request is
not a
bussiness for them.
Is it possible to do
My own module and catching Proxy Request
Hello *,
I hope that I am sending those question to the correct discussion list.
In my Apache2 (2.2.3) configuration file I have:
VirtualHost _default_:443
SSLEngine on
DocumentRoot /opt/apache/htdocs/ssldocs
ProxyPass /PAC/ http://192.168.187.101:8080/PACCBAdmin
ProxyPassReverse/PAC/ http://192.168.187.150:8080/PACCBAdmin/
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
RewriteMap unity txt:/opt/apache/conf/unity.map
RewriteRule ^/([^/]+)$ ${unity:$1|/$1} [L]
RewriteRule ^/([^/]+)/(.*) ${unity:$1|/opt/apache/htdocs/ssldocs/$1}/$2 [L]
RewriteLog /var/log/apache2/rewrite_log
RewriteLogLevel 3
Location /PAC/
ProxyPassReverseCookiePath /PACCBAdmin /PAC
Order Allow,Deny
Allow from all
/Location
/VirtualHost
In the my modules which takes care about AAA, Security issues, etc.
I would like to catch in my module when URL contains /PAC/ (which means that
this is proxy) than it tell to module that this request is not a bussiness
for them.
Is it possible to do that somehow?
I have found that r-proxyreq contains if the Request is Proxy or not.
Thank you in advance
--
Best Regards / S pozdravem
Petr Hracek
Re: Problem with compiling module
Problem was within the makefile. All C files has been compiled alone and I wanted to run apxs -o my_module.la but it failed. Finally I have my_module.la. How can I convert my_module.la to my_module.so? best regards -- Petr Hracek 2010/4/7 Jeff Trawick traw...@gmail.com On Wed, Apr 7, 2010 at 10:03 AM, Petr Hracek phrac...@gmail.com wrote: Unfortunatelly I do not have apr on the system. Do you know where I can get them? since you have a working httpd 2.2.14, you have apr already what happens when you try to build your module with apxs?
Re: Problem with compiling module
Sorry for that mail. I have found that my_module.so is stored in directory .libs. -- Petr Hracek 2010/4/8 Petr Hracek phrac...@gmail.com Problem was within the makefile. All C files has been compiled alone and I wanted to run apxs -o my_module.la but it failed. Finally I have my_module.la. How can I convert my_module.la to my_module.so? best regards -- Petr Hracek 2010/4/7 Jeff Trawick traw...@gmail.com On Wed, Apr 7, 2010 at 10:03 AM, Petr Hracek phrac...@gmail.com wrote: Unfortunatelly I do not have apr on the system. Do you know where I can get them? since you have a working httpd 2.2.14, you have apr already what happens when you try to build your module with apxs?
Re: Problem with compiling module
2010/4/8 Petr Hracek phrac...@gmail.com Sorry for that mail. I have found that my_module.so is stored in directory .libs. -- Petr Hracek 2010/4/8 Petr Hracek phrac...@gmail.com Problem was within the makefile. All C files has been compiled alone and I wanted to run apxs -o my_module.la but it failed. Finally I have my_module.la. How can I convert my_module.la to my_module.so? best regards -- Petr Hracek 2010/4/7 Jeff Trawick traw...@gmail.com On Wed, Apr 7, 2010 at 10:03 AM, Petr Hracek phrac...@gmail.com wrote: Unfortunatelly I do not have apr on the system. Do you know where I can get them? since you have a working httpd 2.2.14, you have apr already what happens when you try to build your module with apxs? I have found another strange thing: During the compilation I have found that it failed because of XtOffsetOf is missing and on the UnixWare I did not find any header where it could be mentioned. Could you please help me with that issue as well? -- Petr Hracek
Problem with compiling module
Hello all, I would like to compile my module under UnixWare 7.1.4 but it shows me following error: UX:cc: WARNING: -Kthread and -Kpthread both supplied; -Kpthread used Undefined symbol ap_get_server_version ap_log_error UX:ld: ERROR: Symbol referencing errors. Version of apache which is used is 2.2.14. Libraries which were used during the compilation were: */usr/ccs/bin/cc* *-DRT_OS_UW=714* -DUSE_SYSVSEM_SERIALIZED_ACCEPT -DNEED_UNION_SEMUN -Kthread -lapr-1 -laprutil-1 -lsocket -ljoyin -lpthread -o module.la list of objects Thank you in advance Petr
Re: Problem with compiling module
Unfortunatelly I do not have apr on the system. Do you know where I can get them? Thank you in advance -- Petr Hracek 2010/4/7 Nick Kew n...@webthing.com On Wed, 7 Apr 2010 14:46:03 +0200 Petr Hracek phrac...@gmail.com wrote: Hello all, I would like to compile my module under UnixWare 7.1.4 but it shows me following error: UX:cc: WARNING: -Kthread and -Kpthread both supplied; -Kpthread used Undefined symbol You shouldn't try to link the module! Use apxs to get the right build options for your platform (though on a minority platform, there might be issues to sort). -- Nick Kew
Re: Data are send in reverse order
In my module I do not modify any data sended from server to client.
Unfortunatelly when I am using ap_r* then firstly are sended data and then
HTTP relevant code.
Sample code is:
/*
* Procedure for sending data from server to client side
* Instead of ap_rvputs like functions should be used following procedure
* especially for SecMCJ issue
*/
apr_status_t send_data_to_client(request_rec *r, char * data_to_send, int
length_data)
{
//apr_status_t rv;
apr_bucket_brigade * bb =
apr_brigade_create(r-pool,r-connection-bucket_alloc);
apr_bucket * b =
apr_bucket_immortal_create(data_to_send,length_data,r-connection-bucket_alloc);
APR_BRIGADE_INSERT_TAIL(bb,b);
ap_pass_brigade(r-connection-output_filters,bb);
//apr_bucket_destroy(b);
//apr_brigade_destroy(bb);
return OK;
}
/*
* Location /USSW/secmcj
* SetHandler ussw-secmcj
* allow from all
* Satisfy any
* /Location
*/
int udsc_secmcj_handler(request_rec *r)
{
secmcj_body = apr_pstrcat(r-pool,
sessionID=,
apr_psprintf(r-pool, %lu, pSession-us.udsc_sessionid),
requestNr=, pSession-session_id,
*request_body == '' ? : ,
request_body,
NULL);
/* now post the data to usmw /secmcj */
ap_log_error(APLOG_MARK, APLOG_NOERRNO | APLOG_DEBUG, 0, r-server,
secmcj body: %s,secmcj_body);
/* now return the response to the client (secmcj class) */
ap_log_error(APLOG_MARK, APLOG_NOERRNO | APLOG_DEBUG, 0, r-server,
secmcj body receive: %s,response_body);
r-content_type = text/plain;
/* added because of JRE 1.4 SE SSL problem */
bodylen = strlen(response_body);
ap_set_content_length(r, bodylen);
ap_send_http_header(r);
if (r-header_only)
{
ap_log_error(APLOG_MARK,APLOG_NOERRNO | APLOG_DEBUG, 0, r-server,
HEADER ONLY);
return OK;
}
ap_log_error(APLOG_MARK, APLOG_NOERRNO | APLOG_DEBUG, 0, r-server,
before any sending. Length is:%d,bodylen);
send_data_to_client(r,response_body, bodylen);
return OK;
}
best regards
Petr
Nick Kew napsal(a):
Petr Hracek wrote:
I have found mod_nntp_like where is mention in
ap_pass_brigade(c-output_filters,bb);
and in smtp_core is usage the same.
Those are protocol modules. So anything-HTTP is not relevant to them.
Unfortunatelly when I am using ap_pass_brigade(r-output_filter,bb);
then it is not working. Web page is not show.
Do you need to use anything more complex than the ap_r* family
(ap_rputs, etc)? If so (and if what Graham already told you isn't
enough) you might want my book - details at http://www.apachetutor.org/
Re: Data are send in reverse order
Sorry it was my fault. I have corrected them to r-output_filters now. But situation is the same. Data are send but java aplication which receiving data sended over ap_pass_brigade does not receive anything. It seems that between apache and java aplication are lost is there any posibility how to track if that hasa been really send via ap_pass_brigade? 2009/9/16 Graham Leggett minf...@sharp.fm Petr Hracek wrote: In my module I do not modify any data sended from server to client. Unfortunatelly when I am using ap_r* then firstly are sended data and then HTTP relevant code. That's because you've made the same mistake in this code that you made in the previous code you posted: ap_pass_brigade(r-connection-output_filters,bb); ^ Regards, Graham --
Data are send in reverse order
Hello *,
in my apache module (written in C) are sended data to the client side over
buckets and brigades.
Function for send these date is:
apr_status_t send_data_to_client(request_rec *r, char * data_to_send, int
length_data)
{
apr_bucket_brigade * bb =
apr_brigade_create(r-pool,r-connection-bucket_alloc);
apr_bucket * b =
apr_bucket_immortal_create(data_to_send,length_data,r-connection-bucket_alloc);
APR_BRIGADE_INSERT_TAIL(bb,b);
ap_pass_brigade(r-connection-output_filters,bb);
return OK;
}
It is working but in the traces of application which receive the data from
apache module the HTTP data are in reverse order.
First are received data and then is received HTTP header. Do you know how to
switch this order to the normal state, first is sended HTTP header and
afterwards are sended data?
Before when the data are send is following code:
r-content_type = text/plain;
bodylen = strlen(response_body);
ap_set_content_length(r, bodylen);
ap_send_http_header(r);
if (r-header_only)
{
ap_log_error(APLOG_MARK,APLOG_NOERRNO | APLOG_DEBUG, 0, r-server,
HEADER ONLY);
return OK;
}
send_data_to_client(r,response_body, bodylen);
best regards
Petr
Re: Data are send in reverse order
I do not understand of this thing.
Could you please tell me if I have already connection between browser and
apache server why I should use request_rec-output_filters instead of
request_rec-connection-output_filters?
I thought that if connection is established than request_rec-connection
should be used, right?
regards
Petr
2009/9/15 Graham Leggett minf...@sharp.fm
Petr Hracek wrote:
in my apache module (written in C) are sended data to the client side
over buckets and brigades.
Function for send these date is:
apr_status_t send_data_to_client(request_rec *r, char * data_to_send,
int length_data)
{
apr_bucket_brigade * bb =
apr_brigade_create(r-pool,r-connection-bucket_alloc);
apr_bucket * b =
apr_bucket_immortal_create(data_to_send,length_data,r-connection-bucket_alloc);
APR_BRIGADE_INSERT_TAIL(bb,b);
ap_pass_brigade(r-connection-output_filters,bb);
^
return OK;
}
It is working but in the traces of application which receive the data
from apache module the HTTP data are in reverse order.
At a quick glance, I would blame the line highlighted above - you are
trying to write your data directly to the connection filters, rather
than to the request filters. By doing that, your data is sent before the
request, not after, and so you see your data before the headers, not after.
Regards,
Graham
--
Re: Data are send in reverse order
I have found mod_nntp_like where is mention in ap_pass_brigade(c-output_filters,bb); and in smtp_core is usage the same. Unfortunatelly when I am using ap_pass_brigade(r-output_filter,bb); then it is not working. Web page is not show. Is it neccessary to configure Apache for using brigade and buckets? regards Petr 2009/9/15 Graham Leggett minf...@sharp.fm Petr Hracek wrote: I do not understand of this thing. Could you please tell me if I have already connection between browser and apache server why I should use request_rec-output_filters instead of request_rec-connection-output_filters? I thought that if connection is established than request_rec-connection should be used, right? Unfortunately not, no. The HTTP protocol allows many requests to occur over the same connection, and httpd models this by having a connection filter stack, in which is created a per-request filter stack, one for each request. The connection filter stack knows virtually nothing about HTTP, all the filters that do know about HTTP - most specifically the filter that writes headers - are part of the request filter stack. If you write to the connection filter stack, you are bypassing all the HTTP filters, and what you wrote appears on the socket immediately. Later on in your code, something else is writing to the request filter stack, and this causes the headers filter to output the headers, after the data you've just written. Regards, Graham --
Re: Catching graceful restart in apache2 module
I have found in following link: (http://wiki.apache.org/httpd/ModuleLife)
Race conditions during graceful restart
During a graceful restart, old children are still serving old requests while
new children are serving new requests. If the same lock must be used by old
and new children, then the lock name must be the same and cannot be
generated with tmpnam() or similar functions in the post_config hook.
Which lock is means there. I have already found the in the post_config I
have cleanuped procedure, but in the post_config is already mentioned
function for killing all session.
Is there any way how to detect if the restart of apache has been done as
gracefull or as hard restart?
best regards
Petr Hracek
2009/8/1 Petr Hracek phrac...@gmail.com
As you mentioned:
The request pool is no good, because that's cleaned up at the end of the
request. The connection pool is also no good, because that gets cleaned
up after the connection dies. You're probably after the pool you're
given during the post_config hook, which gets destroyed on server
shutdown (graceful or otherwise).
It means that in post_config can be handled the server has been shutdown
with either restart or graceful command for specific pool?
If I understand right then if pool is opened then it would not end because
of apache2 has been restarted with option graceful, right?
Is it behaviour the same when the server is going down in shel with the
gracefull command?
Is there any example how to implement in the post_config handler?
Best regards
Petr
2009/7/31 Graham Leggett minf...@sharp.fm
Petr Hracek wrote:
Thank for the answer.
Could you please explain in details how to do register save-sessions as
a pool cleanup.
You call a function that looks like this to register your cleanup:
apr_pool_cleanup_register(pool, (void *) foo, foo_cleanup,
foo_cleanup);
The function foo_cleanup() is a function you write yourself, that does
whatever you want the cleanup to do:
static apr_status_t foo_cleanup(void *dummy) {
foo_t *foo = (foo_t *)dummy;
... do stuff using foo ...
return APR_SUCCESS;
}
The variable foo is a void pointer that points to whatever you want your
cleanup to operate on, such as a pointer to your session config, or
whatever you want.
The cleanup gets run when the pool is deleted, ie when someone calls
apr_pool_destroy() on that pool.
What you need to do at this point is decide which pool you attach your
cleanup to.
The request pool is no good, because that's cleaned up at the end of the
request. The connection pool is also no good, because that gets cleaned
up after the connection dies. You're probably after the pool you're
given during the post_config hook, which gets destroyed on server
shutdown (graceful or otherwise).
Regards,
Graham
--
Re: Catching graceful restart in apache2 module
That's true. I have some changes and this function returns always.
In my post_config handler function I have following code:
if(!ap_graceful_stop_signalled())
{
ap_log_error(APLOG_MARK, APLOG_NOERRNO | APLOG_DEBUG, 0,
base_server, !!! Graceful has not been called therefor kill all sessions
!!!);
udsc_usmw_killsessions(base_server);
}
Unfortunatelly it does not work.
Best regards
Petr
2009/8/4 Graham Dumpleton graham.dumple...@gmail.com
2009/8/4 Graham Dumpleton graham.dumple...@gmail.com:
2009/8/4 Ruediger Pluem rpl...@apache.org:
On 08/04/2009 09:02 AM, Graham Dumpleton wrote:
2009/8/4 Petr Hracek phrac...@gmail.com:
I have found in following link: (
http://wiki.apache.org/httpd/ModuleLife)
Race conditions during graceful restart
During a graceful restart, old children are still serving old requests
while
new children are serving new requests. If the same lock must be used
by old
and new children, then the lock name must be the same and cannot be
generated with tmpnam() or similar functions in the post_config hook.
Which lock is means there. I have already found the in the post_config
I
have cleanuped procedure, but in the post_config is already mentioned
function for killing all session.
Is there any way how to detect if the restart of apache has been done
as
gracefull or as hard restart?
/**
* predicate indicating if a graceful stop has been requested ...
* used by the connection loop
* @return 1 if a graceful stop has been requested, 0 otherwise
* @deffunc int ap_graceful_stop_signalled(*void)
*/
AP_DECLARE(int) ap_graceful_stop_signalled(void);
Is this also true for graceful restarts?
The comment only talks about graceful stops.
Hmmm, I presumed that the server child process wouldn't know the
difference and that 'stop' here meant 'stop' of an individual process
and not the server as a whole. I guess a bit of digging through code
is necessary to verify what actually happens.
I could also possibly be wrong in assuming they were wanting to know
about detecting in a server child process and not Apache parent
process. I haven't exactly been following the discussion in detail.
In prefork that function returns false all the time anyway. :-(
Graham
Re: Catching graceful restart in apache2 module
As you mentioned:
The request pool is no good, because that's cleaned up at the end of the
request. The connection pool is also no good, because that gets cleaned
up after the connection dies. You're probably after the pool you're
given during the post_config hook, which gets destroyed on server
shutdown (graceful or otherwise).
It means that in post_config can be handled the server has been shutdown
with either restart or graceful command for specific pool?
If I understand right then if pool is opened then it would not end because
of apache2 has been restarted with option graceful, right?
Is it behaviour the same when the server is going down in shel with the
gracefull command?
Is there any example how to implement in the post_config handler?
Best regards
Petr
2009/7/31 Graham Leggett minf...@sharp.fm
Petr Hracek wrote:
Thank for the answer.
Could you please explain in details how to do register save-sessions as
a pool cleanup.
You call a function that looks like this to register your cleanup:
apr_pool_cleanup_register(pool, (void *) foo, foo_cleanup,
foo_cleanup);
The function foo_cleanup() is a function you write yourself, that does
whatever you want the cleanup to do:
static apr_status_t foo_cleanup(void *dummy) {
foo_t *foo = (foo_t *)dummy;
... do stuff using foo ...
return APR_SUCCESS;
}
The variable foo is a void pointer that points to whatever you want your
cleanup to operate on, such as a pointer to your session config, or
whatever you want.
The cleanup gets run when the pool is deleted, ie when someone calls
apr_pool_destroy() on that pool.
What you need to do at this point is decide which pool you attach your
cleanup to.
The request pool is no good, because that's cleaned up at the end of the
request. The connection pool is also no good, because that gets cleaned
up after the connection dies. You're probably after the pool you're
given during the post_config hook, which gets destroyed on server
shutdown (graceful or otherwise).
Regards,
Graham
--
Re: Catching graceful restart in apache2 module
Thank for the answer. Could you please explain in details how to do register save-sessions as a pool cleanup. Some example whould be enought. Where to do that (in which hook)? During the initialization of the my module I am calling the function for killing all sessions but If I will know how to detect that gracefull restart which has been occured than this function will not be called. Thank you in advance. Petr 2009/7/30 Nick Kew n...@webthing.com Petr Hracek wrote: Is there any way how to detect that gracefull restart has been started and where should I place the code for detection in our module. I can't think of anything OTTOMH. Normal practice would be for the client to hold a session token, which the server can use as a database key to the full session. Likeliest suggestion would be to put restore-sessions in a post-config hook, and register save-sessions as a pool cleanup. But that doesn't make very much sense, either: if your application relies on sessions that would be affected by a server restart, then you're also relying on client behavior that isn't mandated by HTTP. -- Nick Kew
Catching graceful restart in apache2 module
Hello all, sorry for bother you with this question, but I do not know how to handle graceful restart in apache2 module. I will try to explain the situation: To the our apache2 configuration file are dynamically added directives Directory/Directory with the authorizations, options, etc. When the apache2 is running than all web pages are visible and work correctly, All applications are running over HTTPS therefore our module handled sessions with clients. When I am adding some directive Directory I would like to tell to the apache2 to reuse/reopen changed configuration file. When I am calling /usr/sbin/apache2ctl -k graceful then apache2 is restarted gracefully unfortunatelly all sessions with clients are deleted during the stopping case. Is there any way how to detect that gracefull restart has been started and where should I place the code for detection in our module. Thank you in advance best regards Petr Hracek
