Posted to user@couchdb.apache.org by Anthony Ananich <an...@inpun.com> on 2013/03/20 13:13:01 UTC
_session + vhost + rewrites
Hi!
I'm trying to make the _session handler accessible via a URL like
http://mysite.com/_session while using rewrite rules. I get the
following error:
{"error":"insecure_rewrite_rule","reason":"too many ../.. segments"}
I found that it could be fixed by adding this to an ini file:
[httpd]
secure_rewrites = false
Is there a way to allow _session without disabling secure_rewrites?
Thanks,
Anthony
Re: _session + vhost + rewrites
Posted by Robert Newson <rn...@apache.org>.
Ah, sure, that makes sense :)
On 20 March 2013 12:26, Anthony Ananich <an...@inpun.com> wrote:
> I think I've found an answer. It seems that while using vhost
> /_session handler is available in the root of vhost independent on if
> there are any rewrite rules or not.
>
> I was not able to find any documentation about that, so I'm not sure
> if it is bug or feature :)
>
> On Wed, Mar 20, 2013 at 3:18 PM, Robert Newson <rn...@apache.org> wrote:
>> Hm, not without a code change, I think. The secure rewrites setting is
>> to prevent a rewrite jumping between databases. At first glance it
>> does seem an overreach to block a rewrite to _session (and presumably
>> anything else at the top level).
>>
>> B.
>>
>> On 20 March 2013 12:13, Anthony Ananich <an...@inpun.com> wrote:
>>> Hi!
>>>
>>> I'm trying to make _session handler accessible via url like
>>> http://mysite.com/_session while using rewrite rules. I get the
>>> following error:
>>> {"error":"insecure_rewrite_rule","reason":"too many ../.. segments"}
>>>
>>> I found that it could be fixed with adding this to an ini file:
>>> [httpd]
>>> secure_rewrites = false
>>>
>>> Is there a way to allow _session without disabling secure_rewrites?
>>>
>>> Thanks,
>>> Anthony
Re: _session + vhost + rewrites
Posted by Jeff Charette <io...@yahoo.com>.
+1
On Mar 20, 2013, at 9:21 AM, Anthony Ananich <an...@inpun.com> wrote:
> Good to know this. Thanks!
>
> On Wed, Mar 20, 2013 at 3:50 PM, Benoit Chesneau <bc...@gmail.com> wrote:
>> On Wed, Mar 20, 2013 at 5:26 AM, Anthony Ananich
>> <an...@inpun.com> wrote:
>>> I think I've found an answer. It seems that while using vhost
>>> /_session handler is available in the root of vhost independent on if
>>> there are any rewrite rules or not.
>>>
>>> I was not able to find any documentation about that, so I'm not sure
>>> if it is bug or feature :)
>>
>> It's a feature, see in the section [httpd] of default.ini:
>>
>> vhost_global_handlers = _utils, _uuids, _session, _oauth, _users
>>
>> - benoît
>>
>>
>>>
>>> On Wed, Mar 20, 2013 at 3:18 PM, Robert Newson <rn...@apache.org> wrote:
>>>> Hm, not without a code change, I think. The secure rewrites setting is
>>>> to prevent a rewrite jumping between databases. At first glance it
>>>> does seem an overreach to block a rewrite to _session (and presumably
>>>> anything else at the top level).
>>>>
>>>> B.
>>>>
>>>> On 20 March 2013 12:13, Anthony Ananich <an...@inpun.com> wrote:
>>>>> Hi!
>>>>>
>>>>> I'm trying to make _session handler accessible via url like
>>>>> http://mysite.com/_session while using rewrite rules. I get the
>>>>> following error:
>>>>> {"error":"insecure_rewrite_rule","reason":"too many ../.. segments"}
>>>>>
>>>>> I found that it could be fixed with adding this to an ini file:
>>>>> [httpd]
>>>>> secure_rewrites = false
>>>>>
>>>>> Is there a way to allow _session without disabling secure_rewrites?
>>>>>
>>>>> Thanks,
>>>>> Anthony
Re: _session + vhost + rewrites
Posted by Anthony Ananich <an...@inpun.com>.
Good to know this. Thanks!
On Wed, Mar 20, 2013 at 3:50 PM, Benoit Chesneau <bc...@gmail.com> wrote:
> On Wed, Mar 20, 2013 at 5:26 AM, Anthony Ananich
> <an...@inpun.com> wrote:
>> I think I've found an answer. It seems that while using vhost
>> /_session handler is available in the root of vhost independent on if
>> there are any rewrite rules or not.
>>
>> I was not able to find any documentation about that, so I'm not sure
>> if it is bug or feature :)
>
> It's a feature, see in the section [httpd] of default.ini:
>
> vhost_global_handlers = _utils, _uuids, _session, _oauth, _users
>
> - benoît
>
>
>>
>> On Wed, Mar 20, 2013 at 3:18 PM, Robert Newson <rn...@apache.org> wrote:
>>> Hm, not without a code change, I think. The secure rewrites setting is
>>> to prevent a rewrite jumping between databases. At first glance it
>>> does seem an overreach to block a rewrite to _session (and presumably
>>> anything else at the top level).
>>>
>>> B.
>>>
>>> On 20 March 2013 12:13, Anthony Ananich <an...@inpun.com> wrote:
>>>> Hi!
>>>>
>>>> I'm trying to make _session handler accessible via url like
>>>> http://mysite.com/_session while using rewrite rules. I get the
>>>> following error:
>>>> {"error":"insecure_rewrite_rule","reason":"too many ../.. segments"}
>>>>
>>>> I found that it could be fixed with adding this to an ini file:
>>>> [httpd]
>>>> secure_rewrites = false
>>>>
>>>> Is there a way to allow _session without disabling secure_rewrites?
>>>>
>>>> Thanks,
>>>> Anthony
Re: _session + vhost + rewrites
Posted by Benoit Chesneau <bc...@gmail.com>.
On Wed, Mar 20, 2013 at 5:26 AM, Anthony Ananich
<an...@inpun.com> wrote:
> I think I've found an answer. It seems that while using vhost
> /_session handler is available in the root of vhost independent on if
> there are any rewrite rules or not.
>
> I was not able to find any documentation about that, so I'm not sure
> if it is bug or feature :)
It's a feature, see in the section [httpd] of default.ini:
vhost_global_handlers = _utils, _uuids, _session, _oauth, _users
- benoît
>
> On Wed, Mar 20, 2013 at 3:18 PM, Robert Newson <rn...@apache.org> wrote:
>> Hm, not without a code change, I think. The secure rewrites setting is
>> to prevent a rewrite jumping between databases. At first glance it
>> does seem an overreach to block a rewrite to _session (and presumably
>> anything else at the top level).
>>
>> B.
>>
>> On 20 March 2013 12:13, Anthony Ananich <an...@inpun.com> wrote:
>>> Hi!
>>>
>>> I'm trying to make _session handler accessible via url like
>>> http://mysite.com/_session while using rewrite rules. I get the
>>> following error:
>>> {"error":"insecure_rewrite_rule","reason":"too many ../.. segments"}
>>>
>>> I found that it could be fixed with adding this to an ini file:
>>> [httpd]
>>> secure_rewrites = false
>>>
>>> Is there a way to allow _session without disabling secure_rewrites?
>>>
>>> Thanks,
>>> Anthony
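Added example (not part of the original thread, and not CouchDB code): a small Python audit of merged ini settings that flags the secure_rewrites = false workaround and reports whether _session is already served through vhost_global_handlers. The ini samples are constructed, and the function names and the default-then-local merge order are assumptions of this example.

```python
import configparser

# Constructed sample inputs, modelled on the settings quoted in this thread.
DEFAULT_INI = """
[httpd]
secure_rewrites = true
vhost_global_handlers = _utils, _uuids, _session, _oauth, _users
"""
LOCAL_INI_WORKAROUND = """
[httpd]
secure_rewrites = false
"""


def effective_httpd(*ini_texts):
    """Merge ini sources in order (later ones override) and return [httpd]."""
    cp = configparser.ConfigParser(interpolation=None)
    for text in ini_texts:
        cp.read_string(text)
    return dict(cp["httpd"]) if cp.has_section("httpd") else {}


def audit(*ini_texts, needed_handler="_session"):
    """Return a list of findings for the rewrite/vhost settings."""
    httpd = effective_httpd(*ini_texts)
    findings = []
    # Assumption: an absent key means the check is on, as in the thread,
    # where the error appeared before the setting was changed.
    secure = httpd.get("secure_rewrites", "true").strip().lower()
    raw = httpd.get("vhost_global_handlers", "")
    handlers = [h.strip() for h in raw.split(",") if h.strip()]
    if secure == "false":
        findings.append(
            "secure_rewrites is disabled: rewrites may jump between databases")
        if needed_handler in handlers:
            findings.append(f"{needed_handler} is already a vhost global "
                            "handler; the workaround is not needed for it")
    if needed_handler not in handlers:
        findings.append(f"{needed_handler} is not in vhost_global_handlers")
    return findings


if __name__ == "__main__":
    for line in audit(DEFAULT_INI, LOCAL_INI_WORKAROUND):
        print("FINDING:", line)
```
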
Re: _session + vhost + rewrites
Posted by Anthony Ananich <an...@inpun.com>.
I think I've found an answer. It seems that when using a vhost, the
/_session handler is available in the root of the vhost regardless of
whether there are any rewrite rules or not.
I was not able to find any documentation about that, so I'm not sure
if it is a bug or a feature :)
On Wed, Mar 20, 2013 at 3:18 PM, Robert Newson <rn...@apache.org> wrote:
> Hm, not without a code change, I think. The secure rewrites setting is
> to prevent a rewrite jumping between databases. At first glance it
> does seem an overreach to block a rewrite to _session (and presumably
> anything else at the top level).
>
> B.
>
> On 20 March 2013 12:13, Anthony Ananich <an...@inpun.com> wrote:
>> Hi!
>>
>> I'm trying to make _session handler accessible via url like
>> http://mysite.com/_session while using rewrite rules. I get the
>> following error:
>> {"error":"insecure_rewrite_rule","reason":"too many ../.. segments"}
>>
>> I found that it could be fixed with adding this to an ini file:
>> [httpd]
>> secure_rewrites = false
>>
>> Is there a way to allow _session without disabling secure_rewrites?
>>
>> Thanks,
>> Anthony
Re: _session + vhost + rewrites
Posted by Robert Newson <rn...@apache.org>.
Hm, not without a code change, I think. The secure rewrites setting is
to prevent a rewrite jumping between databases. At first glance it
does seem an overreach to block a rewrite to _session (and presumably
anything else at the top level).
B.
On 20 March 2013 12:13, Anthony Ananich <an...@inpun.com> wrote:
> Hi!
>
> I'm trying to make _session handler accessible via url like
> http://mysite.com/_session while using rewrite rules. I get the
> following error:
> {"error":"insecure_rewrite_rule","reason":"too many ../.. segments"}
>
> I found that it could be fixed with adding this to an ini file:
> [httpd]
> secure_rewrites = false
>
> Is there a way to allow _session without disabling secure_rewrites?
>
> Thanks,
> Anthony