Re: Proxy mode with Cert Auth

* Luis Daniel Lucio Quiroz <luis.daniel.lucio <at> gmail.com> [2009-07-01 00:55]:
> I need that final server sees agents certificate.  
> I was reading this link:
> http://www.zeitoun.net/articles/client-certificate-x509-authentication-behind-reverse-proxy/start
> 
> But i dont know sure if that is what i need

Well, you posted a complete copy-and-paste config that seemingly does
what you say you want. Where is the problem with that?
Did you try it, it doesn't work and you want to know why? Or do you
prefer spending days (or months, given that you asked about this back
in May) asking strangers whether you should try that config or not?
You really need to be more specific.
-peter

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe <at> httpd.apache.org
   "   from the digest: users-digest-unsubscribe <at> httpd.apache.org
For additional commands, e-mail: users-help <at> httpd.apache.org

Re: rewrite and proxy question

Re: Internal Recursion with mod_rewrite

----- Original Message ----

> From: Eric Covener <covener <at> gmail.com>
> To: users <at> httpd.apache.org
> Sent: Tuesday, June 30, 2009 5:24:44 PM
> Subject: Re: [users <at> httpd] Internal Recursion with mod_rewrite
> 
> On Tue, Jun 30, 2009 at 5:24 PM, Eric Covenerwrote:
> > On Tue, Jun 30, 2009 at 2:14 PM, Peter Kaywrote:
> >> Is adding another RewriteCond %{THE_REQUEST} !/Main/Gallery the canonical way 
> to go?  Or is there some way to turn off the re-injection?
> >
> > That's the normal pattern (but with %{REQUEST_URI} more carefully
> > anchored maybe)

!=/Main/Gallery, as it turns out (slash required) to get:

    RewriteCond %{THE_REQUEST} /Main/Gallery/([^?]+)(\?.|\ .)
    RewriteCond %{REQUEST_URI} !=/Main/Gallery
    RewriteRule .   /Main/Gallery?g2_path=%1   [QSA,L]

> Meant to include http://wiki.apache.org/httpd/RewriteLooping

They don't mention on that page that arguments (?g2_path=etc) don't count as URI...  I read the page, and
never thought that /Main/Gallery?g2_path=test1/ would match!  I know better now.

Thanks,

--Peter Kay

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe <at> httpd.apache.org
   "   from the digest: users-digest-unsubscribe <at> httpd.apache.org
For additional commands, e-mail: users-help <at> httpd.apache.org

Re: mod_proxy_ajp

biju.blore wrote:
> 
> I am facing a issue with this. Not all the time but at certain times
> 
> Usually if someone tires to connect to
> http://testingpublish.testint.com/publish/  this will work fine.
> But sometimes it will give a 503 error. 
> Once this error comes I need to reload apache so as to make this site
> function again.
> Again after 10 hours or 12 hours (there is no exact time gap between the
> apache reload and the error)
> again the 503 error happens and again i need to reload the apache to
> rectify this issue.
> 
> I check the apache error logs and found the following error.
> 
> [Thu Nov 20 07:31:18 2008] [error] (70007)The timeout specified has
> expired: ajp_ilink_receive() can't receive header
> [Thu Nov 20 07:32:18 2008] [error] (70007)The timeout specified has
> expired: ajp_ilink_receive() can't receive header
> [Thu Nov 20 07:37:18 2008] [error] (70007)The timeout specified has
> expired: ajp_ilink_receive() can't receive header
> 
> When i reload apache the site functions again perfectly. 
> 
Not sure if you were able to figure this out - but I was having a simlar
issue and it was killing me - at least I think its a similar issue. For me,
I would get this error page when I restarted tomcat. If I hit the apache
before the restart happened, I would get the error page and it would NEVER
go away. I finally had some time to do some digging and found the answer for
me with retry=0 or return=10 or some value in seconds that tells apache how
long to wait before testing the proxy:

ProxyPass / ajp://localhost:8009/ retry=2

This helped me out and thought I would share, just in case.

Russ
--

-- 
View this message in context: http://www.nabble.com/mod_proxy_ajp-tp20593791p24283497.html
Sent from the Apache HTTP Server - Users mailing list archive at Nabble.com.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe <at> httpd.apache.org
   "   from the digest: users-digest-unsubscribe <at> httpd.apache.org
For additional commands, e-mail: users-help <at> httpd.apache.org

I want a file can be accessed by some ip only, how to do that?

Re: I want a file can be accessed by some ip only, how to do that?

Re: I want a file can be accessed by some ip only, how to do that?

Re: I want a file can be accessed by some ip only, how to do that?

OR do the same thing except instead of using the <directory> directive use
<Files run.log>

  Order deny,allow
    Allow from 10.5.0.0/255.255.0.0
    Allow from 127.0.0.1
    Deny from all

</Files>

On Wed, Jul 1, 2009 at 1:49 AM, JingTian<jingtian.seu217 <at> gmail.com> wrote:
> i think you should put the two file in different dirs,and use Allow,Deny
> dictate to do the access control,
>
> for example:
>
> <Directory "/index1">
>     Order deny,allow
>     Allow from 10.5.0.0/255.255.0.0
>     Allow from 127.0.0.1
>     Deny from all
> </Directory>
>
> hope this help.
>
>
> 2009/7/1 Yi Zhao <zhao_yi707 <at> yahoo.com.cn>
>>
>> hi, all:
>> I have 2 file(index.html, run.log) in directory: index/, now both can be
>> accessed by all people, but I want do that:
>> run.log can be accessed by some specified ip only, how to do that?
>>
>>
>> thanks
>
>
>
> --
> Tianjing
>
> MSN:tianjing217 <at> hotmail.com
>

--

-- 
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe <at> httpd.apache.org
   "   from the digest: users-digest-unsubscribe <at> httpd.apache.org
For additional commands, e-mail: users-help <at> httpd.apache.org

Re: [users <at> httpd] Wrong charset convert

Re: Wrong charset convert

ejirkae <at> seznam.cz wrote:
> This is that problem: http://sgo.happyforever.com/test.php
> (http://sgo.happyforever.com/test.php)
> Try it please, thanks.
> 
> ------------ Původní zpráva ------------
> Od: <ejirkae <at> seznam.cz>
> Předmět: [users <at> httpd] Wrong charset convert
> Datum: 01.7.2009 00:03:06
> ---------------------------------------------
> I have installed Apache 2.2.11 with PHP 5.2.8 on Windows XP SP3. 
> Windows are using Windows-1250 charset (Czech localization). I want 
> to install MediaWiki software which uses utf-8 charset.
> 
> When I upload a file with non-english characters in its name, then 
> its name is saved in utf-8 format. When I try to open such file in 
> web browser it sends 404 not found status.
> 
> Example:
> 
> Upload a file by using simple html upload form, which is encoded in 
> utf-8:
> 
> <!-- this is only part of whole code --!>
> <html>
> <head>
> <meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
> </head>
> <body>
> 
> <form enctype="multipart/form-data" action="uploader.php" method=
> "POST">
> <input type="hidden" name="MAX_FILE_SIZE" value="100000" />
> Choose a file to upload: <input name="uploadedfile" type="file" /><
> br />
> <input type="submit" value="Upload File" />
> 
> </form>
> </body>
> </html>
> 
> File named for example "složka.png" is saved to hard drive with name
> "sloĹľka.png" in Windows-1250 encoding.
(This is not true, see below)

  If that upload form was
> encoded with charset=Windows-1250 then it'll be right named "složka.
> png", but charset must be utf-8.
> 
> So suppose that we have server with uploaded file: http://something.
> com/složka.png. On linux it is working fine. But on Windows server 
> you must use address like that: http://something.com/sloĹľka.png and
> that's not good for MediaWiki.
> 
> I don't know if it's understandably enough, I need set up Apache to 
> ignore windows-1250 charset and use original utf-8 for decoding URL.
> httpd.conf is original (with php installation).
> 
> Thanks for help
> Jiri Eichler
> 
Jiri,
the issue you are explaining above is not an easy one.
It will really be solved only, whenever the powers-that-be on the 
Internet, finally decide to move to an HTTP version 2.0, where 
everything by default would be Unicode, UTF-8 encoded.
Until then, there will be confusion and difficulties for whoever does 
not use English as his main language.

--- Part I -------

First, about your last paragraph :
Apache will not use UTF-8 to decode a URL, because that would be wrong 
according to the current RFCs that specifiy how the WWW is working.
The "law" in that respect is defined here :
http://www.ietf.org/rfc/rfc2396.txt
See section : 1.5. URI Transcribability

It is all a bit obscure, but basically what it boils down to is :
when a server receives a URL :
- it first decodes the URL, to convert the "percent-escaped" characters 
back into single characters.  That means, for instance, that a "%20" is 
decoded into a space.
- then it does *no further decoding*, it takes the bytes *as they are*.
They are *not supposed* to be decoded any further, using iso-8859-1, 
cp-1250, UTF-8 or whatever.
(If Apache did that, then Apache would not respect the RFC).

Now, let's say that in this URL, is a path pointing to some resource, 
which in this case is a file on disk.
Well then, the webserver should take this path exactly as received, and 
look for a file on disk whose name matches exactly that path, byte by byte.

But, between the webserver and the disk, there is an operating system.
The webserver does not read the disk directly. It does that through the 
OS I/O interface calls.  So, it is possible that when the webserver 
looks for a file called "xyz123.html", the OS interface translates that 
to "XYZ123.HTML" for example, and returns /that/ file.
That is for example the case for Windows. For "xyz123.html", Windows 
will return any file that is named "Xyz123.html", or "yYz123.html", or 
"XYZ123.html" etc.. because when looking for files, Windows is 
case-insensitive. If the webserver does not double-check this (some do), 
then it may thus return the wrong file.
The same kind of thing can happen with "diacritic" characters, such as 
your "složka.png".

--------- Part II -----------

Uploading files and writing them to disk.
This is a separate issue.

The script that handles the <form> which is used to upload the file, 
knows that the filename is Unicode, encoded as UTF-8.
(It knows that, because you wrote the <form> and the script, and in your 
<form>, you have told the browser to send information in UTF-8).

In the UTF-8 encoding, the filename "složka.png", consists of *10 
characters*, but of *11 bytes*.  That is because the "ž" in the middle, 
is encoded using 2 bytes in UTF-8.
If you look at this filename with an editor which understands UTF-8, you 
will see this as "složka.png".
If you look at this same filename with an editor which does not 
understand UTF-8 (or is set to iso-8859-2), then you will see this same 
string as something like "sloĹľka.png" (or something else like that, I 
have not really checked).

But back to your upload script.

It has this uploaded file name, in Unicode UTF-8, as "složka.png".
Now it wants to create this file on disk.
For that, it tells the OS : create file "složka.png".
The OS takes this file name, and depending on several conditions (**), 
understands this name literally as either a series of *bytes* (11 of 
them), or as a series of *characters* (10 of them) in UTF-8 encoding.
And the OS, according to its understanding, creates a directory entry on 
disk for this filename.
In your case, it creates an entry in the disk directory, containing the 
/bytes/ (or /characters/) "sloĹľka.png".

It does that, because your script does it wrong :
The script "knows" that this filename is encoded in UTF-8.
But the OS does not know that.
The script /should know/ how the OS is going to understand that, and 
should, if needed, re-encode this filename in the proper encoding, so 
that the OS understands it correctly, and creates a file named "složka.png".

It is not that a file named "sloĹľka.png" is wrong.  It is, in itself, a 
perfectly valid filename.
But the problem is that, considering Part I above :
- your users are going to type a URL in the location bar of their browser
- for that, they are going to use the keyboard that they have, on their 
workstation, with their OS and their browser etc...
(for example, I could never type it, because I don't have a key for "ž" 
on my keyboard; so I have to cut and paste from your email )
- So they are going to type, for example :
http://yourhost.yourcompany.com/uploadedfiles/složka.png

- The browser is going to URL-encode that, probably replacing the "ž" by 
a 3-character "percent-sequence" like %B3 (or even 2 3-character 
sequences, if the browser thinks it must encode the URL as UTF-8).
- the browser is then going to "send this URL" to Apache.
- Apache will receive this URL, decode the %-sequences into *bytes*, and 
ask the OS for this file.

------ Part III ----

Now, IF the two translations match (the one which happened when you 
uploaded the file, and the one which happens between the user and the 
server disk), then the file will be found.
And otherwise, it will not be.

Your case is that the two translations do not match.

----- Part IV : how to resolve this --------

My suggestion :
do /not/ allow the users to decide under which name the file is really 
stored on the disk.
Create an "alias" for the filename, containing only US-ASCII characters, 
and store the file under that name.
And then, arrange that when the users ask for the file "složka.png" 
(this name appears for example on an index page that you create), in 
reality your webserver is looking for this alias name. (*)

This is the only way to make your application really portable, because 
in the end, on the WWW, you never know who or where the user is, what 
his workstation is, what his OS is, etc..
So the user could upload a file under a name that gives you a lot of 
trouble on your server (as you have discovered already, but not entirely).
For example, one user could upload a file named "složka.png", and 
another user could upload a file called "Složka.png". If your server is 
Windows, and if you are not careful, the second file will overwrite the 
first.
There are many other such problematic cases.

And if MediaWiki does not do that, then MediaWiki is not a portable 
application, sorry.  The problem is not the webserver, the problem is 
the application.

(and, in part, HTTP 1.x)

(*) you show for example an index page like :
<a href="/files/20090630-180667-123456.png">složka.png</a>

(**) which can be, for example, the "locale" under which the Apache 
process is running.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe <at> httpd.apache.org
   "   from the digest: users-digest-unsubscribe <at> httpd.apache.org
For additional commands, e-mail: users-help <at> httpd.apache.org