Bu Xiaobing | 21 Nov 08:48 2014

Access control with source IP addresses

Hi All,

I want to do httpd URL access control through visitors' IP addresses 
as follows:

All source IP addresses can visit ^/action.php?login
and only specified IP addresses can visit ^/action.php?manage

Can anyone give me some advice?

Thanks.
Don Cohen | 20 Nov 19:31 2014

questions and suggestions related to authentication


Looking at http://httpd.apache.org/docs/current/howto/auth.html
I am able to at least use file authentication.
I tried using dbd with DBDriver mysql but that reports
 Can't load driver file apr_dbd_mysql.so 
and it's not obvious where to get that (using fedora 19).

So one question is where to find that, or how to find out.
Yum whatprovides is not helping so far.

In any case it's not really what I want.
What I really wanted seems to have been in mod_auth_mysql but that
seems to be no longer supported.

So another question is whether there's some other way to get that
functionality that I'm just not seeing.

This could have been supported by dbd if the user query were not 
required to produce the password.  It would have made more sense to me
for the query to accept both the user and password and return at least
one row possibly containing other data if the user and password "match".
Then the query could have been something like
 select 1 from mysql.user where user=x and password=password(y)

So my next question is why that is not supported.
Alternatively, my first suggestion is that dbd should support that.

However, I also am surprised that I don't see some more general module
that allows the user to write his own script for authentication.
For instance, one could simply replace the dbd query with a url to 

Ulrich.Herbst | 19 Nov 09:28 2014

Load balancing with load detection on backend servers ?

Hi all,
 
I know the load_balancing-policies bybusyness, byrequests, bytraffic and heartbeat.
 
We have a frontend apache that acts as forwarding proxy to 8 backend servers.
BUT: We want to route the next request to that backend server with least load.
 
Is there any apache module that can do this?
(We use linux and apache 2.4)
 
Heartbeat is not usable, because our backends do not run apache, but something else.
 
Uli
 
H Plato | 19 Nov 02:38 2014

Proxy problems when using subdirectory

I’m having problems getting a reverse proxy to work as a subdirectory. Using the following
configuration, Apache can fully proxy an internal site:

<VirtualHost 192.168.0.50:80>
    ServerName www.domain.com
    DocumentRoot /data/www/www
    ErrorLog /var/log/apache2/www_error_log
    TransferLog /var/log/apache2/www_access_log

    <Directory "/">
        Options Indexes FollowSymLinks ExecCGI
        AllowOverride AuthConfig
        Order allow,deny
        Allow from all
        AllowOverride All
        Require all granted
    </Directory>

    ProxyRequests Off
    ProxyPass / http://192.168.0.51:80/
    ProxyPassReverse / http://192.168.0.51:80/
    ServerAlias www.proxy.domain.com
    ServerName proxy.domain.com

</VirtualHost>

However, when I change the proxy statements to use a subdomain:

       ProxyPass /a/ http://192.168.0.51:80/ 
       ProxyPassReverse /a/ http://192.168.0.51:80/ 

then I get inconsistent results. Any link on the internal site that has a root link (i.e. href=“/docs”)
is not proxied to /a/docs. Any link with a relative link (i.e. href=“docs”) works.

I’m using Ubuntu 14.04.1 with Apache/2.4.7 (Ubuntu), Server built: Jul 22 2014 14:36:38

I’ve been struggling with this for days, so any ideas or help would be greatly appreciated.
Ishan Thakur | 18 Nov 10:48 2014

Any way to build using nmake in apache 2.4.10

Hi,
I want to build apache httpd 2.4.10 on the win32 platform using USEMAK=1 in Makefile.win.
But it requires some ".MAK" files. Can you tell me how to build using this or where to find the MAK files?

Thanks & Regards,
Ishan
 
Rajalakshmi Iyer | 17 Nov 13:14 2014

mod_rewrite use case

Hello,

I have an Apache module based application server (A) that handles requests. Some of these requests based on a cache hit / miss need to go to another server (B) to be handled.

Would this make a use case for mod_rewrite / mod_proxy where we forward the requests to another server (B) based on a cache lookup in a module inside the first server (A)?

Note that the response from the second server (B) needs to be sent back to the client that sent the request to the first server (A).

Thanks
Raj






Jussi Hakkila | 14 Nov 09:34 2014

Selective authentication based on QUERY_STRING on 2.2

I want to achieve selective authentication based on QUERY_STRING on Apache 2.2 using a .htaccess file.

So that e.g. http://domain.com/index.php would require authentication, but .../index.php?authentication=0 would not.

The challenge that I have is that QUERY_STRING does not appear to be visible to the directives that are processed before the Allow and Deny directives, such as SetEnvIf. Setting the environment variable via RewriteRule happens too late for authentication purposes, if I have understood correctly. Apache 2.4 provides the If clause which has access to QUERY_STRING, and probably would be useful, but unfortunately I am locked to 2.2. I understand that using the [F] flag of RewriteRule I could block access entirely to index.php while allowing access to index.php?authentication=0, but I am unaware of how to do the same with authentication.

Any ideas on how to achieve this would be greatly appreciated. Thanks!
Blomme Dieter | 13 Nov 18:13 2014

Problem with mod_proxy and chunked content

Hi,

We have a problem with mod_proxy and chunked content.
We use mod_proxy to selectively request pages from a second site; the ProxyPass and ProxyPassReverse
statements are in the vhost file. Nearly all requests are OK, except for one type of request which can't be
handled properly. We use SAML SSO and upon logging out, the response from a simplesaml service provider is
not correct. It is chunked, but is not parseable. The problem is the chunk part within the SAML Response.
This is also visible in the response (see below). I have googled this and searched Apache's bugzilla, but
there is no solution I've tried that works.
Not forcing http1.0, sendcl, ...

Can anybody please help with this issue?

Thanks very much in advance!

HTTP/1.1 200 OK
Date: Thu, 13 Nov 2014 16:23:02 GMT
Server: Apache/2.2.15 (Red Hat)
X-Powered-By: PHP/5.3.3
X-Robots-Tag: noindex,noarchive
Content-Type: text/html; charset=UTF-8
X-Robots-Tag: noindex,noarchive
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Vary: Accept-Encoding
Content-Length: 7460

132
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
        "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
	<meta http-equiv="content-type" content="text/html; charset=utf-8" /><script type="text/javascript">
36d
window.NREUM||(NREUM={}),__nr_require=function(t,e,n){function r(n){if(!e[n]){var
o=e[n]={exports:{}};t[n][0].call(o.exports,function(e){var o=t[n][1][e];return
r(o?o:e)},o,o.exports)}return e[n].exports}if("function"==typeof __nr_require)return
__nr_require;for(var o=0;o<n.length;o++)r(n[o]);return r}({QJf3ax:[function(t,e){function
n(t){function e(e,n,a){t&&t(e,n,a),a||(a={});for(var
c=u(e),f=c.length,s=i(a,o,r),p=0;f>p;p++)c[p].apply(s,n);return s}function
a(t,e){f[t]=u(t).concat(e)}function u(t){return f[t]||[]}function c(){return n(e)}var
f={};return{on:a,emit:e,create:c,listeners:u,_events:f}}function r(){return{}}var
o="nr <at> context",i=t("gos");e.exports=n()},{gos:"7eSDFh"}],ee:[function(t,e){e.exports=t("QJf3ax")},{}],gos:[function(t,e){e.exports=t("7eSDFh")},{}],"7eSDFh":[function(t,e){function
n(t,e,n){if(r.call(t,e))return t[e];var o=n();if(Object.definePr
5a8
operty&&Object.keys)try{return
Object.defineProperty(t,e,{value:o,writable:!0,enumerable:!1}),o}catch(i){}return
t[e]=o,o}var
r=Object.prototype.hasOwnProperty;e.exports=n},{}],D5DuLP:[function(t,e){function
n(t,e,n){return r.listeners(t).length?r.emit(t,e,n):(o[t]||(o[t]=[]),void o[t].push(e))}var
r=t("ee").create(),o={};e.exports=n,n.ee=r,r.q=o},{ee:"QJf3ax"}],handle:[function(t,e){e.exports=t("D5DuLP")},{}],XL7HBI:[function(t,e){function
n(t){var e=typeof
t;return!t||"object"!==e&&"function"!==e?-1:t===window?0:i(t,o,function(){return r++})}var
r=1,o="nr <at> id",i=t("gos");e.exports=n},{gos:"7eSDFh"}],id:[function(t,e){e.exports=t("XL7HBI")},{}],loader:[function(t,e){e.exports=t("G9z0Bl")},{}],G9z0Bl:[function(t,e){function
n(){var
t=l.info=NREUM.info;if(t&&t.agent&&t.licenseKey&&t.applicationID&&c&&c.body){l.proto="https"===p.split(":")[0]||t.sslForHttp?"https://":"http://",a("mark",["onload",i()]);var
e=c.createElement("script");e.src=l.proto+t.agent,c.body.appendChild(e)}}function
r(){"complete"===c.readyState&&o()}function o(){a("mark",["domContent",i()])}function
i(){return(new Date).getTime()}var a=t("handle"),u=window,c=u.document,f="addEventListener",s="attachEvent",p=(""+location).split("?")[0],l=e.exports={offset:i(),origin:p,features:{}};c[f]?(c[f]("DOMContentLoaded",o,!1),u[f]("load",n,!1)):(c[s]("onreadystatechange",r),u[s]("onload",n)),a("mark",["firstbyte",i()])},{handle:"D5DuLP"}]},{},["G9z0Bl"]);</script>
	<t
27c
itle>POST data</title>
</head>
<body onload="document.getElementsByTagName('input')[0].click();">

	<noscript>
		<p><strong>Note:</strong> Since your browser does not support JavaScript, you must press the button
below once to proceed.</p> 
	</noscript> 
	
	<form method="post" action="https://qa.aether.gent.be/saml/idp/profile/post/slr">
	<!-- Need to add this element and call click method, because calling submit()
	on the form causes failed submission if the form has another element with name or id of submit.
	See: https://developer.mozilla.org/en/DOM/form.submit#Specification -->
	<input type="submit" style="display:none;" />

8d4
<input type="hidden" name="SAMLResponse" value="
<<<First part of samlresponse>>>>
75e
<<<Second part of samlresponse>>>>
" />
		<noscript>
			<input type="submit" value="Submit" />
		</noscript>
	</form>

<<<<removed content>>>>>
0
Christoph Gröver | 13 Nov 16:25 2014

index.php is used (internally) when /index.php/ is requested


Hello list,

Strange thing.

If a request is made for a directory URL where the directory contains
a .php then this request is translated to just the php file and php is
executed. (/index.php/  -->  /index.php)

In my opinion this should not happen. Since a directory is requested
and index.php is not a directory but a file, there should be a default
predefined directory index appended to it (index.php or index.html) and
this should be delivered (if it exists) or a 404 should be sent back.
( /index.php/  --> /index.php/index.php )

Does anybody know why this is happening and what is causing
this behaviour?

This at least happens with
Apache 2.4.7 (distribution Mageia 4.1).

I presume it is somewhere in the translation phase.

Greetings,

-- 
Christoph Gröver
Zoltán Halassy | 13 Nov 14:13 2014

VirtualHost conditionless HSTS

Hello!

Working with Apache 2.4.

I wanted to configure an https host with HSTS:

<VirtualHost *:443>
    [...]
    Header set Strict-Transport-Security "max-age=31556952"
    <Directory "/var/www/...">
        Require all granted
        [...]
    </Directory>
    [...]
</VirtualHost>

This works fine. However as soon as I require HTTP authentication on
apache level, the Header directive stops working for unauthenticated
users. Even if I provide "early" after the directive:

    Header set Strict-Transport-Security "max-age=31556952"
    <Directory "/var/www/...">
        Require valid-user
        AuthType ...
        [...]
    </Directory>

or

    Header set Strict-Transport-Security "max-age=31556952" early
    <Directory "/var/www/...">
        Require valid-user
        AuthType ...
        [...]
    </Directory>

Neither provides the HSTS header to an unauthenticated user. Is there
a simple way to inject the HSTS (or any) header to unauthenticated
users?
Stefan Magnus Landrø | 13 Nov 14:06 2014

Weird access logs

Hi there,

We're seeing some weird behaviour in our access logs. 

For around 13 minutes we see entries from requests received several minutes before they actually get logged (the two timestamps on the same line are up to 13 minutes apart!). 
The number to the far right is %D - the response time (microseconds)

Also, we're using big ip as a load balancer in front of this server, and the big ip health check considers this apache as down during this timeframe. 

BTW, in total there are exactly 200 weird entries like this. Are we hitting some crazy default?

What could be going on?

Cheers

Stefan

Nov 13 02:02:22 alq-kronos httpd[32388]: 139.116.14.253 - - [13/Nov/2014:02:02:22 +0100] "GET /bigip.txt HTTP/1.0" 200 10 "-" "-" statisk 505
Nov 13 02:02:22 alq-kronos httpd[32388]: 139.116.14.254 - - [13/Nov/2014:02:02:22 +0100] "GET /bigip.txt HTTP/1.0" 200 10 "-" "-" statisk 563
Nov 13 02:02:23 alq-kronos httpd[32388]: 139.116.14.253 - - [13/Nov/2014:02:02:23 +0100] "GET /bigip.txt HTTP/1.0" 200 10 "-" "-" statisk 466
Nov 13 02:02:23 alq-kronos httpd[32388]: 139.116.14.254 - - [13/Nov/2014:02:02:23 +0100] "GET /bigip.txt HTTP/1.0" 200 10 "-" "-" statisk 469
Nov 13 02:02:23 alq-kronos httpd[32388]: 139.116.14.254 - - [13/Nov/2014:02:02:23 +0100] "GET /bigip.txt HTTP/1.0" 200 10 "-" "-" statisk 612
Nov 13 02:02:24 alq-kronos httpd[32388]: 139.116.14.254 - - [13/Nov/2014:02:02:24 +0100] "GET /bigip.txt HTTP/1.0" 200 10 "-" "-" statisk 413
Nov 13 02:02:25 alq-kronos httpd[32388]: 139.116.14.253 - - [13/Nov/2014:02:02:25 +0100] "GET /bigip.txt HTTP/1.0" 200 10 "-" "-" statisk 408
Nov 13 02:15:44 alq-kronos httpd[32388]: 139.116.14.254 - - [13/Nov/2014:02:03:15 +0100] "GET /bigip.txt HTTP/1.0" 200 10 "-" "-" statisk 509
Nov 13 02:15:44 alq-kronos httpd[32388]: 139.116.14.253 - - [13/Nov/2014:02:03:16 +0100] "GET /bigip.txt HTTP/1.0" 200 10 "-" "-" statisk 2138
Nov 13 02:15:44 alq-kronos httpd[32388]: 139.116.14.254 - - [13/Nov/2014:02:03:16 +0100] "GET /bigip.txt HTTP/1.0" 200 10 "-" "-" statisk 735
Nov 13 02:15:44 alq-kronos httpd[32388]: 139.116.14.254 - - [13/Nov/2014:02:03:16 +0100] "GET /bigip.txt HTTP/1.0" 200 10 "-" "-" statisk 2262
Nov 13 02:15:44 alq-kronos httpd[32388]: 139.116.14.253 - - [13/Nov/2014:02:03:17 +0100] "GET /bigip.txt HTTP/1.0" 200 10 "-" "-" statisk 549
Nov 13 02:15:44 alq-kronos httpd[32388]: 139.116.14.254 - - [13/Nov/2014:02:03:17 +0100] "GET /bigip.txt HTTP/1.0" 200 10 "-" "-" statisk 2356
Nov 13 02:15:44 alq-kronos httpd[32388]: 139.116.14.253 - - [13/Nov/2014:02:03:18 +0100] "GET /bigip.txt HTTP/1.0" 200 10 "-" "-" statisk 698
Nov 13 02:15:44 alq-kronos httpd[32388]: 139.116.14.253 - - [13/Nov/2014:02:03:18 +0100] "GET /bigip.txt HTTP/1.0" 200 10 "-" "-" statisk 673
Nov 13 02:15:44 alq-kronos httpd[32388]: 139.116.14.254 - - [13/Nov/2014:02:03:18 +0100] "GET /bigip.txt HTTP/1.0" 200 10 "-" "-" statisk 523
...
Nov 13 02:15:44 alq-kronos httpd[32388]: 139.116.14.254 - - [13/Nov/2014:02:04:39 +0100] "GET /bigip.txt HTTP/1.0" 200 10 "-" "-" statisk 568
Nov 13 02:15:44 alq-kronos httpd[32388]: 139.116.14.253 - - [13/Nov/2014:02:04:40 +0100] "GET /bigip.txt HTTP/1.0" 200 10 "-" "-" statisk 2354
Nov 13 02:15:44 alq-kronos httpd[32388]: 139.116.14.254 - - [13/Nov/2014:02:04:40 +0100] "GET /bigip.txt HTTP/1.0" 200 10 "-" "-" statisk 840
Nov 13 02:15:44 alq-kronos httpd[32388]: 139.116.14.254 - - [13/Nov/2014:02:04:40 +0100] "GET /bigip.txt HTTP/1.0" 200 10 "-" "-" statisk 1941
Nov 13 02:15:44 alq-kronos httpd[32388]: 139.116.14.253 - - [13/Nov/2014:02:04:41 +0100] "GET /bigip.txt HTTP/1.0" 200 10 "-" "-" statisk 778
Nov 13 02:15:44 alq-kronos httpd[32388]: 139.116.14.254 - - [13/Nov/2014:02:04:41 +0100] "GET /bigip.txt HTTP/1.0" 200 10 "-" "-" statisk 3106
Nov 13 02:15:44 alq-kronos httpd[32388]: 139.116.14.253 - - [13/Nov/2014:02:04:42 +0100] "GET /bigip.txt HTTP/1.0" 200 10 "-" "-" statisk 440
Nov 13 02:15:44 alq-kronos httpd[32388]: 139.116.14.253 - - [13/Nov/2014:02:04:42 +0100] "GET /bigip.txt HTTP/1.0" 200 10 "-" "-" statisk 599
Nov 13 02:15:50 alq-kronos httpd[32388]: 139.116.14.253 - - [13/Nov/2014:02:15:50 +0100] "GET /bigip.txt HTTP/1.0" 200 10 "-" "-" statisk 646
Nov 13 02:15:51 alq-kronos httpd[32388]: 139.116.14.253 - - [13/Nov/2014:02:15:51 +0100] "GET /bigip.txt HTTP/1.0" 200 10 "-" "-" statisk 586
Nov 13 02:15:51 alq-kronos httpd[32388]: 139.116.14.253 - - [13/Nov/2014:02:15:51 +0100] "GET /bigip.txt HTTP/1.0" 200 10 "-" "-" statisk 2248
Nov 13 02:15:51 alq-kronos httpd[32388]: 139.116.14.254 - - [13/Nov/2014:02:15:51 +0100] "GET /bigip.txt HTTP/1.0" 200 10 "-" "-" statisk 624
Nov 13 02:15:52 alq-kronos httpd[32388]: 139.116.14.253 - - [13/Nov/2014:02:15:52 +0100] "GET /bigip.txt HTTP/1.0" 200 10 "-" "-" statisk 2562
Nov 13 02:15:52 alq-kronos httpd[32388]: 139.116.14.254 - - [13/Nov/2014:02:15:52 +0100] "GET /bigip.txt HTTP/1.0" 200 10 "-" "-" statisk 519
Nov 13 02:15:52 alq-kronos httpd[32388]: 139.116.14.254 - - [13/Nov/2014:02:15:52 +0100] "GET /bigip.txt HTTP/1.0" 200 10 "-" "-" statisk 2411
Nov 13 02:15:53 alq-kronos httpd[32388]: 139.116.14.253 - - [13/Nov/2014:02:15:53 +0100] "GET /bigip.txt HTTP/1.0" 200 10 "-" "-" statisk 403
Nov 13 02:15:53 alq-kronos httpd[32388]: 139.116.14.254 - - [13/Nov/2014:02:15:53 +0100] "GET /bigip.txt HTTP/1.0" 200 10 "-" "-" statisk 2517
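
Added example, not part of the original post: a small Python check that measures, for each line in the format shown above, how long after the request's receive time plus %D the entry was actually written, and groups the late entries by write instant. The function names are hypothetical, and it assumes the syslog prefix uses the same year and time zone as the bracketed request timestamp.

```python
import re
from datetime import datetime, timedelta

# Sample input: four lines copied from the log excerpt in the post above.
SAMPLE = """\
Nov 13 02:02:25 alq-kronos httpd[32388]: 139.116.14.253 - - [13/Nov/2014:02:02:25 +0100] "GET /bigip.txt HTTP/1.0" 200 10 "-" "-" statisk 408
Nov 13 02:15:44 alq-kronos httpd[32388]: 139.116.14.254 - - [13/Nov/2014:02:03:15 +0100] "GET /bigip.txt HTTP/1.0" 200 10 "-" "-" statisk 509
Nov 13 02:15:44 alq-kronos httpd[32388]: 139.116.14.253 - - [13/Nov/2014:02:04:42 +0100] "GET /bigip.txt HTTP/1.0" 200 10 "-" "-" statisk 599
Nov 13 02:15:50 alq-kronos httpd[32388]: 139.116.14.253 - - [13/Nov/2014:02:15:50 +0100] "GET /bigip.txt HTTP/1.0" 200 10 "-" "-" statisk 646
"""

LINE_RE = re.compile(
    r'^(?P<written>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ httpd\[\d+\]: '
    r'(?P<client>\S+) \S+ \S+ \[(?P<received>[^\]]+)\] '
    r'"(?P<request>[^"]*)" .* (?P<usec>\d+)$'
)

def parse(line):
    """Return (client, received, written, duration), or None for other lines."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    received = datetime.strptime(m["received"], "%d/%b/%Y:%H:%M:%S %z")
    # Assumption: the syslog stamp carries no year or zone, so borrow both
    # from the request stamp (wrong only across a year boundary).
    written = datetime.strptime(
        f"{received.year} {m['written']}", "%Y %b %d %H:%M:%S"
    ).replace(tzinfo=received.tzinfo)
    return m["client"], received, written, timedelta(microseconds=int(m["usec"]))

def delayed_entries(lines, slack=timedelta(seconds=2)):
    """Entries written more than `slack` after receive time plus %D."""
    late = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # e.g. the "..." elision line in the excerpt
        client, received, written, duration = rec
        lag = written - received - duration
        if lag > slack:
            late.append((client, received, written, lag))
    return late

def flush_instants(entries):
    """Map each write instant to the number of late entries it carries."""
    counts = {}
    for _, _, written, _ in entries:
        counts[written] = counts.get(written, 0) + 1
    return counts

if __name__ == "__main__":
    late = delayed_entries(SAMPLE.splitlines())
    for client, received, written, lag in late:
        print(f"{client} received {received:%H:%M:%S} written {written:%H:%M:%S} lag {lag}")
    print({f"{t:%H:%M:%S}": n for t, n in flush_instants(late).items()})
```

On these lines the %D values stay well under a second while the lag is over eleven minutes, and both late entries share one write instant.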
