Re: [Mod-fcgid-users] mod_fcgi and Digest Authorization
Hi!

Mod_fcgid is a nice substitute for mod_fastcgi, however, it really fails when we talk about FastCgiAuthentication or AccessChecking. It just won't work..

We had an interesting protection engine built and enabled using mod_fastcgi and it worked fine. With Mod_fcgid, however, it did not :(

So, if you need to set up custom Authentication/Access checking software, go for mod_fastcgi.

Regards

On Jul 21, 2009, at 10:28 AM, drf wrote:

> Hi,
>
> 1) Is mod_fcgi still being developed? I see mention of patches but they obviously didn't get into the official source code - I have set up things using CPanel's EasyApache and it downloaded the latest 2.2 but the source does not show evidence of these patches
>
> 2) After mod_fcgi got installed, some directories being protected with Apache / Digest authorization etc are no longer. As far as I can tell, mod_fcgi does not play nicely with the Apache modules for authorization and so I am now running around in circles trying to figure out how to fix things.
>
> I've added the PassHeader directive, I've tried FastCgiAuthenticatorAuthoritative off... I am forced to admit I've bumped up against the limits of my knowledge about Apache and how it works internally. I'm not enthused about applying patches to mod_fcgi - it bugs me that authentication tasks don't seem to be passed to the other modules...
>
> So I'm wondering if there is an easy fix to things I am missing, if I ought to just switch to mod_fastcgi b/c they have dealt with this problem already, or if I'm just flat out of luck in thinking the Apache authorization modules can be used with fastcgi anything and so I'd have to write my own stuff to handle it
>
> thanks for any help, guidance, urls...
>
> doug

___
Mod-fcgid-users mailing list
Mod-fcgid-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-fcgid-users

Re: [Mod-fcgid-users] Zero CONTENT_LENGTH in POST segfaults Apache
If you get Zero CONTENT_LENGTH, make sure you're passing proper apache headers and content type header before any real content.

On Oct 18, 2007, at 1:10 PM, 潘庆峰 wrote:

Hi,

It's fine to me... here is how I test

vi cgi-bin/test

    #!/bin/sh
    echo "Content-type: text/html"
    echo ""
    echo "Hello!"
    echo ""

vi nc.txt

    POST /cgi-bin/test HTTP/1.1
    Host: fastcgi.coremail.cn
    Connection: Close
    Content-Length: 0

cat nc.txt | nc 127.0.0.1 80

    HTTP/1.1 200 OK
    Date: Thu, 18 Oct 2007 10:07:25 GMT
    Server: Apache/2.2.2 (Unix)
    Content-Length: 30
    Connection: close
    Content-Type: text/html

    Hello!

On 2007-10-18, "Ross Thomas" wrote:

Hi Folks,

Is this list alive?

Ross.

Re: [Mod-fcgid-users] security problem, possible DoS : fcgid large file uploading and input buffering
On May 9, 2007, at 10:54 AM, Gabriel Barazer wrote:

> On 05/08/2007 21:41:41 +0200, Janis Volbergs <[EMAIL PROTECTED]> wrote:
>
>> Why not limit maximum size of the data to be uploaded? This should be an easy patch to mod_fcgi. And about buffering, it would be more safe to have temporary files. However, this might get insecure, if the server has multiuser environment. E.g. other users might easily steal those files. So, it seems that there simply is no ultimate solution.
>
> I don't think limiting the input data size is a good workaround, because FastCGI has to manage only the transport and communication between the FastCGI application server and the web server. Thus filtering/limiting/buffering has to be done by the FastCGI server, not the process manager (mod_fcgid in our case). I don't think the transport layer has anything to do other than queuing up connections, then transmitting data over sockets. Hence my proposal of completely disabling the FastCGI buffering system, or replacing it by a REAL buffering system which buffers chunks of data (8192 bytes is a good average buffer size). CGI works like this.

I understand your point, but what I proposed would be a quick and simple patch that would resolve the security issue. Though, your proposal would be more logic and would give more value added in future.

> And this is the right way to handle data : let the application server create temp file in his secured environment/jail/user rights, just as PHP or some other scripting languages do.

perhaps create a patch and propose for its inclusion in the next release ;)

cheers,
j.

Re: [Mod-fcgid-users] security problem, possible DoS : fcgid large file uploading and input buffering
Hi!

Why not limit maximum size of the data to be uploaded? This should be an easy patch to mod_fcgi. And about buffering, it would be more safe to have temporary files. However, this might get insecure, if the server has multiuser environment. E.g. other users might easily steal those files. So, it seems that there simply is no ultimate solution.

So, to sum up, directive for limiting maximum upload would be great.

j.

p.s. we don't have multiuser environment, so, temporary files would ease up life, as we are having c program as fcgid client - and that program now creates temp files itself.

On May 8, 2007, at 5:02 PM, Gabriel Barazer wrote:

> Hello,
>
> BTW, no one other than me is worried by the security problem due to large file uploading I described below ?
>
> On 04/30/2007 15:21:29 +0200, Gabriel Barazer <[EMAIL PROTECTED]> wrote:
>
>> Hello,
>>
>> I experienced recently some problems since a customer is doing large file uploads with PHP (which is run by mod_fcgid, of course) : It seems mod_fcgid is consuming much memory when uploading a file to PHP. I found in the source file fcgid_bridge.c:473 the problem : as said in the source, the entire request (stdin/post input) is loaded into memory before sending it to the fastcgi Application Server (PHP in our case). Although it's a well workaround for dealing with slow clients, I think this is not the good behavior to implement, here are the points highlighted :
>> - Uploading files is becoming a major security problem, since a DoS can be triggered by uploading a very large file (I experienced some attacks with 1/2GB over a fast connection)
>> - Additionally, Video (=large) file uploading is becoming more and more popular, increasing the memory consumption.
>> - Dealing with slow clients must be done by the application server, which can take any appropriate measure (e.g. having a special queue processing for slow clients)
>> - Upload progress meter is not possible if all the input data is buffered before sent to the fastcgi process. (see RFC1867 : File Upload Progress hook handler)
>> - Upload of large files is better handled by the fast cgi AS, because of various method used to store the upload data during progress (at the application level, not the communication level that fastcgi is). e.g. PHP handles file upload by creating temporary files, which location of these can be customised by a php.ini directive. I think this task has not to be handled by the fastcgi layer (which serves as a comm./bridge protocol, not a input processor)
>> - There is no need for the fastcgi process manager to handle and buffer slow clients : A FastCGI application designed to handle load can handle multiple connections AND the mod_fcgid process manager already does multiple connection management with the adaptive spawning feature for application which are not multi-tasked/threaded. (I even know fastcgi applications which embed a process manager themselves)
>>
>> What are the problems with slow clients :
>> - Sending input is very long, not constant : e.g. with shaped connections : data flow is sent by "peaks" followed by no data input for a variable time.
>> - Connection is longer busy at the Apache level, but at the fastcgi application level too (the workaround of buffering all the input prevent the fastcgi app from being busy during the input loading).
>>
>> How to deal with this, my proposal :
>> - What about buffering input like the output buffer, by chunks of, say, 8Kbytes ? The major problem is the time to fill the buffer : if the time required to fill the buffer is too long, application can timeout, but I think this is the normal behavior of an application to manage communication timeout. What about don't buffering the input at all ? This way the data flow AND the data flow rate can be processed by the application (such as measuring the data flow rate to put a slow request in a special queue).
>> - Because maybe some users prefer the current behavior of buffering all the input data, a compatibility switch would be a nice thing (e.g. InputBuffering Off / On)
>>
>> What do you think about it ?
>>
>> BTW: who are the current maintainer(s) of this project ? The documentation of this project is not very up-to-date and I had to read the source code to know all the directives... Maybe can I be of some help ?
>>
>> Regards,
>>
>> Gabriel

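The two mitigations debated in this thread, the maximum upload size proposed by Janis Volbergs and the 8192-byte chunked relay proposed by Gabriel Barazer, sketched together in C. This is an added example, not code from mod_fcgid or from the posters; the names declared_length_ok, relay_body and relay_sample, and the use of stdio streams in place of the Apache input and the FastCGI socket, are assumptions made for illustration.

```c
/* Added example, not mod_fcgid code: chunked body relay under a size cap. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define CHUNK_SIZE 8192  /* chunk size proposed in the thread */
enum relay_status { RELAY_OK, RELAY_TOO_LARGE, RELAY_IO_ERROR };
struct relay_result { enum relay_status status; size_t forwarded, chunks; };

/* Early reject on the declared Content-Length (NULL = header absent). */
int declared_length_ok(const char *content_length, size_t max_body)
{
    char *end;
    if (content_length == NULL)
        return 1;  /* no declared size: relay_body() still enforces the cap */
    if (*content_length < '0' || *content_length > '9')
        return 0;  /* rejects "", "-1", "+5" and leading whitespace */
    errno = 0;
    unsigned long long v = strtoull(content_length, &end, 10);
    return errno == 0 && *end == '\0' && v <= max_body;
}

/* Copy in -> out through one CHUNK_SIZE stack buffer (constant memory use),
 * stopping before more than max_body bytes have been forwarded. */
struct relay_result relay_body(FILE *in, FILE *out, size_t max_body)
{
    struct relay_result r = { RELAY_OK, 0, 0 };
    unsigned char buf[CHUNK_SIZE];
    size_t n;
    while (r.status == RELAY_OK && (n = fread(buf, 1, sizeof buf, in)) > 0) {
        if (n > max_body - r.forwarded)  /* overflow-safe comparison */
            r.status = RELAY_TOO_LARGE;
        else if (fwrite(buf, 1, n, out) != n)
            r.status = RELAY_IO_ERROR;
        else {
            r.forwarded += n;
            r.chunks++;
        }
    }
    if (r.status == RELAY_OK && ferror(in))
        r.status = RELAY_IO_ERROR;
    return r;
}

/* Demo driver: relay a constructed body of len bytes into a scratch file. */
struct relay_result relay_sample(size_t len, size_t max_body)
{
    struct relay_result r = { RELAY_IO_ERROR, 0, 0 };
    FILE *in = tmpfile(), *out = tmpfile();
    if (in != NULL && out != NULL) {
        for (size_t i = 0; i < len; i++)
            fputc('A' + (int)(i % 26), in);
        rewind(in);
        r = relay_body(in, out, max_body);
    }
    if (in != NULL) fclose(in);
    if (out != NULL) fclose(out);
    return r;
}
```

Calling relay_sample(20000, 10000) stops with RELAY_TOO_LARGE after one 8192-byte chunk, so with streaming the application side can receive a partial body and has to treat the aborted request as failed.
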
Re: [Mod-fcgid-users] FastCgiAccessChecker
Hi there,

find below the previous discussion which then resulted in nothing :(

From: Janis Volbergs <[EMAIL PROTECTED]>
Date: March 2, 2007 2:26:14 PM GMT+02:00
To: mod-fcgid-users@lists.sourceforge.net
Subject: Re: [Mod-fcgid-users] Problem with FastCgiAccessChecker

Hi!

Thanks for prompt answer.
This did not quite help. Authorizer works (?), but the files under authorizer upon returning have lost their content types..

Let me share more details about app.fcg

It's a C application and for test purpose I basically left following

    ...
    #include ...
    int main(){
        ...
        while (FCGI_Accept() >= 0){
            printf("Status: 200\r\n\r\n");
        }
    }

Upon compilation I use "-lfcgi". Everything compiles and seems to be running smoothly.

Now, if I have the configuration, as you suggested, very strange result we get:
1) It seems that Status 200 is processed correctly, but if to open e.g. test.html not the test.html is shown but some piece of binary code is returned.. :(
2) Also, it's not displayed on page, but browser offers to save that output as a file - it gives a feeling that "Options ExecCGI" just leads to "executing" of the "test.html"..

Any further clues? Stuck :(

Thanks,
j.

Ryan Pan wrote:

Hi,
Try

    AddHandler fcgid-script .fcg
    Options ExecCGI
    FastCgiAccessChecker /..path_to../app.fcg

Thanks

- Original Message -
From: "Janis Volbergs" <[EMAIL PROTECTED]>
To:
Sent: Friday, March 02, 2007 4:51 PM
Subject: [Mod-fcgid-users] Problem with FastCgiAccessChecker

Hello!

We are migrating from mod_fastcgi to mod_fcgid. Everything was fine until we needed to set up FastCgiAccessChecker (with apache2)

We tried to do it two ways:

1.

    FastCgiAccessChecker /..path_to../app.fcg

It seemed that app.fcg was never treated as fcg file (even though,
SetHandler fcgid-script
Options ExecCGI
were present in directory where app.fcg was)

2.

    SetHandler fcgid-script
    Options ExecCGI
    FastCgiAccessChecker /..path_to../app.fcg

Now app.fcg worked fine, but problem is that everything else seemed to be also treated as "cgi" e.g. all the pictures, html's, php.. everything..

So, question, that I'm bringing up, is, how to make this work :)
With mod_fastcgi everything worked smoothly as in the "1" approach.

Thanks a lot.
Janis Volbergs

p.s.
We are using:
    www-apache/mod_fcgid-2.0
    net-www/apache-2.0.58-r2
All on gentoo platform.

[Mod-fcgid-users] FastCgiAccessChecker
Hi guys,

wrote you previously about this particular problem. Though, nobody did share any related useful information, so I'm turning this question on again, as we face even higher need for this service..

Will there be any updates/patches in future for this one?

Thanks,
j.

Re: [Mod-fcgid-users] Problem with FastCgiAccessChecker
Hi!

Thanks for prompt answer.
This did not quite help. Authorizer works (?), but the files under authorizer upon returning have lost their content types..

Let me share more details about app.fcg

It's a C application and for test purpose I basically left following

    ...
    #include ...
    int main(){
        ...
        while (FCGI_Accept() >= 0){
            printf("Status: 200\r\n\r\n");
        }
    }

Upon compilation I use "-lfcgi". Everything compiles and seems to be running smoothly.

Now, if I have the configuration, as you suggested, very strange result we get:
1) It seems that Status 200 is processed correctly, but if to open e.g. test.html not the test.html is shown but some piece of binary code is returned.. :(
2) Also, it's not displayed on page, but browser offers to save that output as a file - it gives a feeling that "Options ExecCGI" just leads to "executing" of the "test.html"..

Any further clues? Stuck :(

Thanks,
j.

Ryan Pan wrote:

> Hi,
> Try
>
>     AddHandler fcgid-script .fcg
>     Options ExecCGI
>     FastCgiAccessChecker /..path_to../app.fcg
>
> Thanks
>
> - Original Message -
> From: "Janis Volbergs" <[EMAIL PROTECTED]>
> To:
> Sent: Friday, March 02, 2007 4:51 PM
> Subject: [Mod-fcgid-users] Problem with FastCgiAccessChecker
>
>> Hello!
>>
>> We are migrating from mod_fastcgi to mod_fcgid. Everything was fine until we needed to set up FastCgiAccessChecker (with apache2)
>>
>> We tried to do it two ways:
>> 1.
>>
>>     FastCgiAccessChecker /..path_to../app.fcg
>>
>> It seemed that app.fcg was never treated as fcg file (even though,
>> SetHandler fcgid-script
>> Options ExecCGI
>> were present in directory where app.fcg was)
>>
>> 2.
>>
>>     SetHandler fcgid-script
>>     Options ExecCGI
>>     FastCgiAccessChecker /..path_to../app.fcg
>>
>> Now app.fcg worked fine, but problem is that everything else seemed to be also treated as "cgi" e.g. all the pictures, html's, php.. everything..
>>
>> So, question, that I'm bringing up, is, how to make this work :)
>> With mod_fastcgi everything worked smoothly as in the "1" approach.
>>
>> Thanks a lot.
>> Janis Volbergs
>>
>> p.s.
>> We are using:
>>     www-apache/mod_fcgid-2.0
>>     net-www/apache-2.0.58-r2
>> All on gentoo platform.

[Mod-fcgid-users] Problem with FastCgiAccessChecker
Hello!

We are migrating from mod_fastcgi to mod_fcgid. Everything was fine until we needed to set up FastCgiAccessChecker (with apache2)

We tried to do it two ways:

1.

    FastCgiAccessChecker /..path_to../app.fcg

It seemed that app.fcg was never treated as fcg file (even though,
SetHandler fcgid-script
Options ExecCGI
were present in directory where app.fcg was)

2.

    SetHandler fcgid-script
    Options ExecCGI
    FastCgiAccessChecker /..path_to../app.fcg

Now app.fcg worked fine, but problem is that everything else seemed to be also treated as "cgi" e.g. all the pictures, html's, php.. everything..

So, question, that I'm bringing up, is, how to make this work :)
With mod_fastcgi everything worked smoothly as in the "1" approach.

Thanks a lot.
Janis Volbergs

p.s.
We are using:
    www-apache/mod_fcgid-2.0
    net-www/apache-2.0.58-r2
All on gentoo platform.