fied to comment on security-critical
code.
Tim
--
Tim Bannister – is...@c8h10n4o2.org.uk
> On 8 Mar 2016, at 18:13, William A Rowe Jr <wr...@rowe-clan.net> wrote:
>>
>> On Tue, Mar 8, 2016 at 11:38 AM, Tim Bannister <is...@c8h10n4o2.org.uk>
>> wrote:
>> On 8 Mar 2016, at 10:43, Jan Kaluža <jkal...@redhat.com> wrote:
>> > On 03/
is socket). Using the second model, the Listen
directive needs a way for the admin to specify multiple protocols. Maybe the
answer is for that to be set in the Protocols directive only?
What should the Listen directive look like, ideally, for a freebind-enabled
socket that can be either HT
he
listening TCP socket (and send the FD to httpd over an AF_UNIX socket*), ending
up with the same "options=freebind,backlog:4095,reuseport,..." concept.
I'm presuming that “options=protocol:https” would be fine too, and “https” on
its own would be taken to be a deprecated shorthand?
* similar to how https://github.com/JiriHorky/privbind works
--
Tim Bannister – is...@c8h10n4o2.org.uk
tpd $OPTIONS -k graceful
>Restart=always
>RestartSec=1
>
Maybe add an ExecStop as well which calls graceful-stop? This is more reliable
than a signal.
After DefaultTimeoutStopSec seconds, systemd will intervene regardless.
--
Tim Bannister – is...@c8h10n4o2.org.uk
” guide. I think the topics could
be:
• forward proxy (and access control) with or without caching
• reverse proxy with or without caching
• balancing and high availability for reverse proxies
I think this is me volunteering to at least draft some text, if people agree
this approach makes sense.
--
Tim Bannister – is...@c8h10n4o2.org.uk
On 3 February 2016 12:25:21 GMT, Jim Jagielski wrote:
>
>Maybe we can just say that STOPPED is there for potential
>3rd party uses and be done w/ it :)
+1 to that philosophy
--
Tim Bannister – is...@c8h10n4o2.org.uk
out is going to be worth documenting (I think?) to avoid
that risk of confusion.
--
Tim Bannister – is...@c8h10n4o2.org.uk
arently
healthy backend (2xx status) which is actually serving the wrong page, eg “this
domain is for sale!”
--
Tim Bannister – is...@c8h10n4o2.org.uk
t;client_addr to obtain the
>REMOTE_HOST.
>>
>> what about "Require ip ..."?
“ip” is minimal and doesn't explain much.
How about, maybe:
Require remote-ip-host 192.0.2.42/30?
I'm assuming that this would succeed if the TCP peer is in the specified range
OR if mod_remoteip makes a similar declaration.
--
Tim Bannister – is...@c8h10n4o2.org.uk
This kind of rule ought to live outside the HTTP/1.x
implementation as it has more to do with WebSocket than HTTP.
--
Tim Bannister – is...@c8h10n4o2.org.uk
ervene.
The application could signal to httpd that its response has a user-friendly
body via a special header.
I don't think httpd can do what I have in mind yet (maybe with mod_lua, but
that's too much for many webmasters).
Tim
--
Tim Bannister – is...@c8h10n4o2.org.uk
rable. I'm not sure what the default should be. I think
the safe option, at least for trunk, is to remove those headers in the proxy
code as well.
--
Tim Bannister – is...@c8h10n4o2.org.uk
those should stay
consensual and democratic - but often leads discussions and moves things on.
Comments very welcome.
--
Tim Bannister – is...@c8h10n4o2.org.uk
interested.
I can attempt a patch for this if other people think it'd be useful.
--
Tim Bannister – is...@c8h10n4o2.org.uk
data is available on the
> other connection. In the process, mod_proxy becomes asynchronous.
Also super cool mojo.
--
Tim Bannister – is...@c8h10n4o2.org.uk
enefit from stapling, either because networking filters would block
a conversation between the client and the CA's OCSP responder, or the extra
latency from using conventional OCSP is a problem.
For another example of a non-interactive application implementing OCSP, look at
the Exim mail transfer agent (which can be both client and server).
--
Tim Bannister – is...@c8h10n4o2.org.uk
find the info in the manual.
I think that suggestion is a good approach if the SSLCertificateChainFile
directive can remain available for the full lifespan of 2.4.x
--
Tim Bannister – is...@c8h10n4o2.org.uk
Now that even stability-loving Debian is providing 2.4.x with full security
support, moving on from 2.2 seems to make sense.
--
Tim Bannister – is...@c8h10n4o2.org.uk
to be a better how-to-FOO
that uses httpd 2.4 ;) (I don't even think 2.2 is an issue here)
…same with forward- and reverse-proxying (Squid, Pound, Varnish, etc)
Is the httpd wiki a good place to publish these?
--
Tim Bannister – is...@c8h10n4o2.org.uk
auto
(that last case – I'm imagining that httpd generates the D-H parameters at each
startup, blocking use of ECDH until generation is complete).
--
Tim Bannister – is...@c8h10n4o2.org.uk
How about asking IANA to assign a port?
--
Tim Bannister – is...@c8h10n4o2.org.uk
.
Any joint interest in maintaining a guide to implementing SSL/TLS best
practices in the documentation for those that don't normally see our
latest/greatest default configuration and/or need some extra prose around it?
I can help with this.
--
Tim Bannister - is...@c8h10n4o2.org.uk
that. In that case, 'SSLProtocol all' should be just the
remaining supported TLSv1.1 and TLSv1.2 protocols, or TLSv1.2-only.
FWIW, I agree.
--
Tim Bannister – is...@c8h10n4o2.org.uk
be
able to serve stale responses from its cache.
The sysadmin contacts the vendor “ACME Proxy”; the vendor asserts that their
product is conforming to HTTP 1.1 and that the incorrect behaviour is in Apache
httpd. Which, in my view, it would be.
--
Tim Bannister – is...@c8h10n4o2.org.uk
deprecated by IETF, how about allowing any
field name provided it's prefixed with “x-”?
--
Tim Bannister – is...@c8h10n4o2.org.uk
would be a boon, even if the daemon listening on port
443 is different.
--
Tim Bannister – is...@c8h10n4o2.org.uk
be changed.
Another unused character could be used, like §
There aren't many suitable symbols left unused.
To make interpolation not clash with Define I'd prefer “${macro:var}”, or
something like that, to “§{var}”.
--
Tim Bannister – is...@c8h10n4o2.org.uk
: header iff it is compliant
with the relevant RFC?
With this, modules that want a Date: header automatically added need only to
ensure they don't assert an apparently valid Date header.
--
Tim Bannister – +44 7980408788 – is...@c8h10n4o2.org.uk
IMO this is one for packagers (as well as anyone wishing to contribute
packaging patches).
How did Traffic Server disable SSL – just an edit to the default configuration,
or code changes as well?
--
Tim Bannister - is...@c8h10n4o2.org.uk
On 2 Jan 2015, at 19:38, Leif Hedstrom zw
disabled SSLv3. It's easy to configure
httpd not to offer SSLv3 (and this makes a good default for new installs).
--
Tim Bannister – is...@c8h10n4o2.org.uk
odd, though:
<Location /gone>
Redirect 410
</Location>
…so how about adding one new directive e.g. ForceStatus:
<Location /gone>
ForceStatus 410
</Location>
--
Tim Bannister – is...@c8h10n4o2.org.uk
of the
OpenSSL folks to come for that? Anyone have any contacts there?
A day on SSL/TLS could and perhaps should cover both OpenSSL and GnuTLS.
--
Tim Bannister – is...@c8h10n4o2.org.uk
has fewer dependencies.
Commercial support sounds nice. I think firms who'd pay for it would really
like to get a commercially-supported web server bundled with their “enterprise”
operating system. In that sense, Oracle and Red Hat are already offering
commercial support for httpd.
--
Tim
}
--
Tim Bannister – is...@c8h10n4o2.org.uk
thinking
about (and I don't know enough about). Changing the meaning of “empty brigade”
also has compatibility issues but they will show up much later than build time.
--
Tim Bannister – is...@jellybaby.net
for CacheEnable to be valid within
If?
Tim
--
Tim Bannister – is...@jellybaby.net
names or description text will alternate between
left-to-right and right-to-left reading order”
Changing the default IndexOptions (e.g. to include “XHTML HTMLtable
FancyIndexing”) would mitigate this.
I wouldn't change the default behaviour for 2.2.x / 2.4.x though.
--
Tim Bannister
]
and for another label %[bar]:
LogFormat %{sec}t%{msec_frac}t %s %[bar] %L %{REQUEST_STATUS} -strcmatch '5*'
--
Tim Bannister – is...@jellybaby.net
)
The Cordova website project is
https://issues.apache.org/jira/browse/CB/component/12320562/
The README for Cordova's website is at
https://svn.apache.org/repos/asf/cordova/site/README.md
It's a different CMS using, AFAICT, hastings.
--
Tim Bannister – is...@jellybaby.net
On 17 Jun 2014, at 14:24, Rich Bowen rbo...@rcbowen.com wrote:
On 06/17/2014 05:19 AM, Daniel Gruno wrote:
On 06/17/2014 12:46 AM, Tim Bannister wrote:
On 16 Jun 2014, at 22:23, Rich Bowen wrote:
In addition, I have some comments about your design proposal:
- The apache.org design might
/alpn.html is enough
reason not to backport, but I'll mention it.
--
Tim Bannister – is...@jellybaby.net
(empty string).
PS. I'd be tempted to call it AuthType Expr.
--
Tim Bannister - is...@jellybaby.net
I'm afraid I don't understand this particular part from
httpd_trunk_so_reuseport.patch:
#ifndef SO_REUSEPORT
#define SO_REUSEPORT 15
#endif
Why 15? Is this going to be portable across different platforms?
--
Tim Bannister – is...@jellybaby.net
.
--
Tim Bannister – is...@jellybaby.net
On 2 Mar 2014, at 16:46, Tim Bannister is...@jellybaby.net wrote:
On 1 Mar 2014, at 12:20, Eric Covener cove...@gmail.com wrote:
If the RewriteMap Program fails, the code within mod_rewrite returns an
empty string rather than NULL. In my tests this caused /index.htm to be
returned
be done.
--
Tim Bannister – is...@jellybaby.net
if preventative measures should be taken.
---cut here---
s/outweighed by/balanced against/ ?
--
Tim Bannister – is...@jellybaby.net
,chunked
transfer-encodings ⇦ [origin server]
(I'm assuming that the client doesn't negotiate gzip transfer encoding)
Of course, this still won't help with a badly-configured origin server.
--
Tim Bannister – is...@jellybaby.net
configuration, so maybe
the way to handle this is via a change to documentation / default
configuration, rather than code.
Any thoughts?
--
Tim Bannister – is...@jellybaby.net
. It's not reasonable to expect the proxy server to know
the private key for remote.host.example
--
Tim Bannister – is...@jellybaby.net
for it
then I will have a go at providing a patch.
--
Tim Bannister – is...@jellybaby.net
…and by analogy, these could be valid too:
ErrorLog syslog 127.0.0.1:user
ErrorLog syslog [::1]:user
ErrorLog console
ErrorLog relp remotehost.example
ErrorLog compresslog /var/log/apache2/error.log.gz
--
Tim Bannister – is...@jellybaby.net
How about implementing XHTML → JSON as a filter? Either with existing modules
or with something dedicated to autoindex.
Tim
On 05/08/2013 7:26 Sven Dowideit wrote:
Hello Everyone,
I'm scratching an itch to make mod_autoindex output what I want, and
would love to know what, if anything would make
On 31 Jul 2013, at 00:18, Mikhail T. wrote:
Hello!
I realize, configurations questions aren't meant for this list, but I'm
beginning to suspect a bug...
I'd try the users list first. The server might be working properly and it's
just the documentation that has fallen short.
Tim
--
Tim
ugly to consider committing:
https://issues.apache.org/bugzilla/show_bug.cgi?id=52860
Any help is definitely welcome.
--
Tim Bannister – is...@jellybaby.net
On 9 Jul 2013, at 15:56, Tim Bannister is...@jellybaby.net wrote:
On 9 Jul 2013, at 15:49, Eric Covener cove...@gmail.com wrote:
What to do in 2.4? Maybe still early enough to still change 2.4 behavior?
Roy Fielding links this to bug #39727…
I still want to push for gzip Transfer
be defined in the same place as
the Forbid is set.
Forbid
ForbidExemption /srv/web /nfs/foo/bar
/Directory
# Require HTTPS except from IPv4 localhost
If %{REQUEST_SCHEME} != HTTPS (! -R 127.0.0.0/8 )
# Expression evaluation doesn't need exemptions
Forbid
/Directory
--
Tim Bannister
#merging
--
Tim Bannister – is...@jellybaby.net
'
in the serverroot directory. That's why I thought it would make a good
no-pid sentinel value.
How about as a non-sane name? /dev might be /Devices on some arcane
Unix-like system but isn't a valid filename anywhere I've ever seen.
--
Tim Bannister – is...@jellybaby.net
not to store it). The origin doesn't have to mention
that header in the 304 response.
--
Tim Bannister – is...@jellybaby.net
but only if you haven't lost an update?
ETags are used to avoid lost updates; checking that cached data are fresh is
just a common special case.
--
Tim Bannister – is...@jellybaby.net
the moon on a stick please.
Maybe there could be a very simple lbmethod that isn't byrequests, and is
always available? For example, purely random allocation using a poor quality
PRNG?
--
Tim Bannister – is...@jellybaby.net
On 15 Nov 2012, at 07:01, Issac Goldstand wrote:
On 15/11/2012 00:48, Tim Bannister wrote:
On 14 Nov 2012, at 22:19, Ask Bjørn Hansen wrote:
The backend should/can know if it can take more requests. When it can't it
shouldn't and the load balancer shouldn't pass that back to the end-user
to use a backend that is reporting a lower load.
--
Tim Bannister – is...@jellybaby.net
handling multiple concurrent requests. SPARQL sometimes means POST
requests; a subset of these are safely repeatable but determining which ones is
too complex for any HTTP proxy.
--
Tim Bannister – is...@jellybaby.net
*”, and will of course remember when a connection goes
bad either via a TCP close or a 5xx response.
--
Tim Bannister – is...@jellybaby.net
it.
--
Tim Bannister – is...@jellybaby.net
expr %{HTTP_PROTOCOL} -gt 1.1
I realise that won't work as things stand, because -gt only handles integers.
Maybe another binary operator could allow decimals?
NB. SERVER_PROTOCOL would not be suitable because the initial “HTTP/” makes it
harder to do math.
--
Tim Bannister
a
suggestion.
--
Tim Bannister – is...@jellybaby.net
. The message to Microsoft, such as it is, suffers
because of that.
s/administrators/packagers/ ?
--
Tim Bannister – is...@jellybaby.net
On 23 Aug 2012, at 11:45, Daniel Gruno rum...@cord.dk wrote:
On 08/23/2012 12:02 AM, Tim Bannister wrote:
I don't know if this is another way of phrasing Nick's question or not, but
would I be able to implement gzip Transfer-Encoding: just using Lua and this
new directive?
I found (bug
to achieve in C, so I think it could be
harder still with the extra limitations of the Lua environment. My C code uses
AP_FTYPE_TRANSCODE which I think is the right choice but few modules get
involved at this filtering stage.
--
Tim Bannister – is...@jellybaby.net
clear. I realise the
release is done but I thought I'd mention it anyway… maybe the same note will
go in the next release announcement.
--
Tim Bannister – +44 7980408788 – is...@jellybaby.net
to differ from the other.
How will the new httpd handle this kind of situation? I think what I'd expect
is a warning and then for one of them to take precedence and the other to be
ignored.
--
Tim Bannister – is...@jellybaby.net
or a UID mismatch
between the previous and current request.
--
Tim Bannister - +44 7980408788 - is...@jellybaby.net
to retry in the
keepalive-disconnect case, whereas a 500 response usually gets displayed to the
user. Very different experiences.
I think there's a case for leaving itk separate, a bit like mod_fcgid. It is a
bit unusual and troubleshooting won't be straightforward.
--
Tim Bannister
PowerShell used here. I think httpd contributors are more
likely to know / learn PowerShell than alternatives like WSH.
--
Tim Bannister – is...@jellybaby.net
.
As a user: I already have a configuration file with a UTF-8 ServerAlias
defined, that's just waiting for httpd to implement this feature … and until
then, I have the punycoded version in there as well.
--
Tim Bannister – is...@jellybaby.net
crypto driver error: %s instead?
--
Tim Bannister – is...@jellybaby.net
enabled. I think TRACE is more like ICMP echo than tcp/7 echo.
If a distribution wants to ship a default configuration that disables TRACE,
isn't that enough? The issue is naïve / lazy server admins, and almost all of
those will install httpd from a distribution.
--
Tim Bannister
sent from the reverse proxy to the end-point.
The same may apply to Via: … and in both cases the answer may be to disable or
restrict the TRACE method.
But isn't this more a documentation issue than an argument for changing the
compiled-in default?
--
Tim Bannister – is...@jellybaby.net
?
https://issues.apache.org/bugzilla/show_bug.cgi?id=52860
--
Tim Bannister – is...@jellybaby.net
Gone status? The red block would
contain an error message after all.
--
Tim Bannister – is...@jellybaby.net
think the first one is worthwhile and the second one is not worth the extra
effort.
--
Tim Bannister – is...@jellybaby.net
and admins who can't or won't upgrade. Taking
the documents offline altogether is a bit strong … and it won't persuade those
laggards to upgrade. Anyone who hasn't upgraded yet is going to take a lot more
persuasion.
--
Tim Bannister – is...@jellybaby.net
,
that's really great.
--
Tim Bannister – is...@jellybaby.net
On 16 Jan 2012, at 22:31, Stefan Fritsch wrote:
On Monday 16 January 2012, Tim Bannister wrote:
$ ./configure --with-included-apr
…
Configuring Apache Portable Runtime library ...
configuring package in srclib/apr now
/bin/sh: /home/isoma/src/httpd-2.4.0/srclib/apr/configure: No such file
and ways to
deal with it?
--
Tim Bannister – is...@jellybaby.net
, but for a release
my understanding is that APR should be bundled with httpd and “just work” with
that command line. With httpd 2.2.21 the same command line completes as I
expected.
--
Tim Bannister – is...@jellybaby.net
as they stand.
--
Tim Bannister – is...@jellybaby.net
to INSTALL and/or README?
Finally, I spotted that INSTALL refers to
http://httpd.apache.org/docs/2.3/install.html which should perhaps be bumped to
2.4
--
Tim Bannister - +44 7980408788 - is...@jellybaby.net
mentioning these early on in the discussion.
--
Tim Bannister – is...@jellybaby.net
circumstances where mismatch is
required / sent by a current client?
Some tolerance might be required, for example if the request line specifies a
port but the Host: header does not.
--
Tim Bannister — is...@jellybaby.net
On Wed, Aug 31, 2011 at 6:28 PM, Roy T. Fielding wrote:
On Aug 31, 2011, at 6:10 PM, William A. Rowe Jr. wrote:
The presumption here is that the client requests bytes=0- to begin the
transmission, and provided it sees a 206, restarting somewhere in the
stream results in aborting the
single-range response.
Naive coding could have the client believe that it is seeing the whole entity
rather than just a range.
…yes, such a client is badly written but badly written clients can and do
exist. If httpd punishes their users unduly, httpd itself may attract some
blame.
--
Tim
.
A client that knows about any server-side limit could make multiple
requests each with a small number of ranges, but discovering that limit
will add latency and take more code.
Tim Bannister
anyone see why returning 200 for these complex requests (by ignoring Range
/ If-Range) is a bad idea?
--
Tim Bannister – is...@jellybaby.net
I wouldn't want to get 416 from requesting a satisfiable but
complex range (maliciously or otherwise).
Ignoring Range on (ranges = X) is simple to implement and easy to document, so
why not do that?
--
Tim Bannister – is...@jellybaby.net
on whether the document is modified.
But it's a pretty odd case. I can't imagine any published client or proxy
that would make such a request. It would in any case be acceptable to
return a 200 response instead; RFC 2616 states that A server MAY ignore
the Range header
Tim Bannister