Posted to apache-bugdb@apache.org by Marc Slemko <ma...@znep.com> on 1998/08/07 21:30:01 UTC
Re: other/2805: Apache won't start with syntactically incorrect <virtual hosts> (fwd)
The following reply was made to PR other/2805; it has been noted by GNATS.
From: Marc Slemko <ma...@znep.com>
To: apbugs@apache.org
Cc:
Subject: Re: other/2805: Apache won't start with syntactically incorrect <virtual hosts> (fwd)
Date: Fri, 7 Aug 1998 12:19:50 -0700 (PDT)
---------- Forwarded message ----------
Date: Fri, 7 Aug 1998 20:17:45 +0100
From: Malcolm Hutty <ma...@ivision.co.uk>
To: apache-bugdb@apache.org,
marc@apache.org,
marc@hyperreal.org
Subject: Re: other/2805: Apache won't start with syntactically incorrect <virtual hosts>
> Synopsis: Apache won't start with syntactically incorrect <virtual hosts>
> in httpd.conf
> It is a very bad thing to magically ignore settings that
> are incorrect. There is no way to tell if it is just
> an unimportant vhost that can be ignored or if it is
> a very important directive that will result in major
> problems (eg. huge security hole) if not done properly.
My bug report is a serious ISP situation.
There is a big difference between ignoring an incorrect directive and not setting
up one of the several virtual servers: Apache is commonly run with many
independent IP-based virtual servers. You cannot tell if a directive is important,
but it is always true that one less virtual server is better than none at all.
If a directive for a virtual host is malformed it could result in that server being
compromised, and so that virtual host should not be started. However that
malformed directive would only have affected a single virtual host if it had
succeeded, so it should only affect that one if it fails. Of course, my bug report
does not apply to global directives.
Example:
<virtualhost 10.1.1.1>
# This works
DocumentRoot /usr/httpd/htdocs1
RewriteRule ^/private/(.*) /cgi-bin/private.cgi?$1
</virtualhost>
<virtualhost 10.1.1.2>
# This fails
DocumentRoot /usr/httpd/htdocs2
ReriteRul ^/private/(.*) /cgi-bin/private.cgi?$1
</virtualhost>
I can't see why 10.1.1.1 should not start, with 10.1.1.2 failing.
> You can't let just anyone edit your *.conf files anyway, so
> I really don't see the point of ignoring errors. If you
> want, you can run "httpd -t" (or apachectl configtest) to
> test config files before restarting.
As an ISP we give each of our customers their own virtualhost.
We would like to be able to give them an interface to insert their own
directives, at their own risk.
We can make our own interface so that they can only edit their own bit of
httpd.conf. Obviously they won't get direct access, but figure:
....
<virtualhost 10.1.1.1>
#### PERL MATCH ME
#### INSERT FILE : /home/10.1.1.1/Apache.conf
#### END PERL MATCH
</virtualhost>
Then a Perl script generates a new httpd.conf and a suid program simply restarts
the server.
However, we can't let our customers insert their own directives if screwing
up their own server would also screw up everyone else's.
--------------------------------------------------------------------------
Internet Vision Internet Consultancy Tel: 0171 589 4500
60 Albert Court & Web development Fax: 0171 589 4522
Prince Consort Road E-mail:vision@ivision.co.uk
London SW7 2BE Web: http://www.ivision.co.uk
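
The generate-then-restart workflow described in this message can reject a bad customer file before it reaches httpd.conf, using the `httpd -t` test mode mentioned in the quoted reply. This is an added example, not code from the thread or from Apache; the function names, the base config file and the `<ip>/Apache.conf` directory layout are assumptions.

```shell
#!/bin/sh
# Added example: validate each customer's fragment on its own before the
# shared httpd.conf is rebuilt. CHECK is the syntax-test command; the
# default uses the "httpd -t" mode named in the thread. All paths and
# function names here are hypothetical.
CHECK=${CHECK:-"httpd -t -f"}

# fragment_ok BASE_CONF IP FRAGMENT -> exit 0 if FRAGMENT may be included
fragment_ok() {
    fb=$1 fip=$2 ff=$3
    [ -r "$ff" ] || return 1
    # The fragment must stay inside its own container: refuse any line
    # that opens or closes a <VirtualHost> section.
    if grep -Eiq '^[[:space:]]*</?virtualhost' "$ff"; then
        return 1
    fi
    tmp=$(mktemp) || return 1
    {
        cat "$fb"
        printf '<VirtualHost %s>\n' "$fip"
        cat "$ff"
        printf '\n</VirtualHost>\n'
    } > "$tmp"
    # Syntax-test the global part plus this one vhost, nothing else.
    rc=0
    $CHECK "$tmp" >/dev/null 2>&1 || rc=$?
    rm -f "$tmp"
    return "$rc"
}

# build_conf BASE_CONF CUSTOMER_DIR OUT
# CUSTOMER_DIR/<ip>/Apache.conf holds each customer's directives.
# OUT receives the global part plus every vhost that passed; the IPs that
# were left out are printed one per line so the operator can follow up.
build_conf() {
    base=$1 dir=$2 out=$3
    cat "$base" > "$out"
    for frag in "$dir"/*/Apache.conf; do
        [ -e "$frag" ] || continue
        ip=$(basename "$(dirname "$frag")")
        if fragment_ok "$base" "$ip" "$frag"; then
            { printf '<VirtualHost %s>\n' "$ip"; cat "$frag"
              printf '\n</VirtualHost>\n'; } >> "$out"
        else
            echo "$ip"
        fi
    done
}
```

Running the same test command once more on the finished file before the restart step catches problems in the global part, which this per-fragment check does not cover.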