You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Daniel Stefaniuk <da...@gmail.com> on 2013/10/23 18:07:08 UTC
[users@httpd] Filtering incoming request with mod_ext_filter
I try to filter incoming HTTP request. Here is configuration of my filter:
LoadModule ext_filter_module modules/mod_ext_filter.so
ExtFilterDefine myFilter ftype=30 mode=input \
cmd="c:/tools/perl/bin/perl.exe c:/temp/dump.pl c:/temp/dump.out"
<Directory "c:/Apache24/htdocs">
SetOutputFilter myFilter
</Directory>
and Perl script I'm using:
use strict;
open(SAVE, ">$ARGV[0]")
or die "can't open $ARGV[0]: $?";
while (<STDIN>) {
print SAVE $_;
print $_;
}
close(SAVE);
Apache version = httpd-2.4.6-win32-VC11
This doesn't work at all giving me an error "*AH00082: an unknown filter
was not added: myFilter*". However, when I set 'mode' to 'output' it work
as expected. Any clue on this?
Thanks
Daniel
Re: [users@httpd] Filtering incoming request with mod_ext_filter
Posted by Nick Kew <ni...@webthing.com>.
On 23 Oct 2013, at 22:08, Daniel Stefaniuk wrote:
> Thanks Nick.
>
> Yes, it looks like mod_security provides dynamic collections that I
> could use to match header parameters against a whitelist and change
> that list on demand (for example by hitting defined URL address).
>
> Does Ironbee provide any similar functionality?
I'm not a salesman, but I am affiliated with ironbee, so I'd be
at risk of bias if I try to advise you. I expect either of them
would do what you need.
FWIW, the same folks who originally developed mod_security
are now at the heart of the Ironbee project!
--
Nick Kew
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Filtering incoming request with mod_ext_filter
Posted by Daniel Stefaniuk <da...@gmail.com>.
Thanks Nick.
Yes, it looks like mod_security provides dynamic collections that I
could use to match header parameters against a whitelist and change
that list on demand (for example by hitting defined URL address).
Does Ironbee provide any similar functionality?
Daniel
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Filtering incoming request with mod_ext_filter
Posted by Nick Kew <ni...@webthing.com>.
On 23 Oct 2013, at 20:53, Daniel Stefaniuk wrote:
> Is this doable with filters?
Yes and no.
Yes, it can be done.
No, it can easily be done wrong, so it might pass your tests then
be bypassed in operation. For example, the filter encounters
something that should abort the request, but the proxy has
already started the request to the backend.
However, what you're asking sounds something like a WAF.
Chances are, you can do what you want with an existing WAF
such as Ironbee (www.ironbee..com) or mod_security.
--
Nick Kew
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Filtering incoming request with mod_ext_filter
Posted by Daniel Stefaniuk <da...@gmail.com>.
Ok, thanks Jeff. I think I can work around that problem.
What about this scenario:
1) Filter incoming request based on content (HTTP POST)
2) Stop further processing of a request if content matches (or
doesn't match) dynamic criteria (Perl script is aware of these
criteria)
3) do not pass request to mod_proxy_ but send 4xx response back to the client
Is this doable with filters? If not is there any alternative solution?
It has to be simple, I'm not considering writing a module for that
purpose.
Thanks
Daniel
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Filtering incoming request with mod_ext_filter
Posted by Jeff Trawick <tr...@gmail.com>.
On Wed, Oct 23, 2013 at 3:18 PM, Daniel Stefaniuk <
daniel.stefaniuk@gmail.com> wrote:
> That's a good question. I don't set it at all. Thanks for pointing that
> out Jeff.
>
> Now, I face another problem. I want to modify header parameters of
> incoming request from the Perl script. Is this possible at all?
>
Maybe if your Perl script runs via mod_perl ;)
mod_ext_filter only provides access to the request and response *bodies*.
> I can see headers in the output file but the input file contains just the
> request body but no header.
>
> Configuration:
>
> ExtFilterDefine myFilterIn ftype=20 mode=input \
> cmd="c:/tools/perl/bin/perl.exe c:/temp/dump.pl c:/temp/dump.in"
> ExtFilterDefine myFilterOut ftype=30 mode=output \
> cmd="c:/tools/perl/bin/perl.exe c:/temp/dump.pl c:/temp/dump.out"
> <Directory "c:/Apache24/htdocs">
> SetInputFilter myFilterIn
> SetOutputFilter myFilterOut
> </Directory>
>
> Request:
>
> curl -X POST -H "Content-Type: application/json" -H "custom: 1234567890"
> -d '{"username":"xyz","password":"xyz"}' http://localhost/api/login
>
> Thanks
>
> Daniel
>
>
> On 23 October 2013 17:28, Jeff Trawick <tr...@gmail.com> wrote:
>
>> On Wed, Oct 23, 2013 at 12:07 PM, Daniel Stefaniuk <
>> daniel.stefaniuk@gmail.com> wrote:
>>
>>> I try to filter incoming HTTP request. Here is configuration of my
>>> filter:
>>>
>>> LoadModule ext_filter_module modules/mod_ext_filter.so
>>> ExtFilterDefine myFilter ftype=30 mode=input \
>>> cmd="c:/tools/perl/bin/perl.exe c:/temp/dump.pl c:/temp/dump.out"
>>> <Directory "c:/Apache24/htdocs">
>>> SetOutputFilter myFilter
>>> </Directory>
>>>
>>> and Perl script I'm using:
>>>
>>> use strict;
>>> open(SAVE, ">$ARGV[0]")
>>> or die "can't open $ARGV[0]: $?";
>>> while (<STDIN>) {
>>> print SAVE $_;
>>> print $_;
>>> }
>>> close(SAVE);
>>>
>>> Apache version = httpd-2.4.6-win32-VC11
>>>
>>> This doesn't work at all giving me an error "*AH00082: an unknown
>>> filter was not added: myFilter*". However, when I set 'mode' to
>>> 'output' it work as expected. Any clue on this?
>>>
>>
>> Were you using "SetInputFilter myFilter" when you had "mode=input"?
>>
>>
>>>
>>> Thanks
>>>
>>> Daniel
>>>
>>
>>
>>
>> --
>> Born in Roswell... married an alien...
>> http://emptyhammock.com/
>>
>
>
--
Born in Roswell... married an alien...
http://emptyhammock.com/
Re: [users@httpd] Filtering incoming request with mod_ext_filter
Posted by Daniel Stefaniuk <da...@gmail.com>.
That's a good question. I don't set it at all. Thanks for pointing that out
Jeff.
Now, I face another problem. I want to modify header parameters of incoming
request from the Perl script. Is this possible at all? I can see headers in
the output file but the input file contains just the request body but no
header.
Configuration:
ExtFilterDefine myFilterIn ftype=20 mode=input \
cmd="c:/tools/perl/bin/perl.exe c:/temp/dump.pl c:/temp/dump.in"
ExtFilterDefine myFilterOut ftype=30 mode=output \
cmd="c:/tools/perl/bin/perl.exe c:/temp/dump.pl c:/temp/dump.out"
<Directory "c:/Apache24/htdocs">
SetInputFilter myFilterIn
SetOutputFilter myFilterOut
</Directory>
Request:
curl -X POST -H "Content-Type: application/json" -H "custom: 1234567890" -d
'{"username":"xyz","password":"xyz"}' http://localhost/api/login
Thanks
Daniel
On 23 October 2013 17:28, Jeff Trawick <tr...@gmail.com> wrote:
> On Wed, Oct 23, 2013 at 12:07 PM, Daniel Stefaniuk <
> daniel.stefaniuk@gmail.com> wrote:
>
>> I try to filter incoming HTTP request. Here is configuration of my filter:
>>
>> LoadModule ext_filter_module modules/mod_ext_filter.so
>> ExtFilterDefine myFilter ftype=30 mode=input \
>> cmd="c:/tools/perl/bin/perl.exe c:/temp/dump.pl c:/temp/dump.out"
>> <Directory "c:/Apache24/htdocs">
>> SetOutputFilter myFilter
>> </Directory>
>>
>> and Perl script I'm using:
>>
>> use strict;
>> open(SAVE, ">$ARGV[0]")
>> or die "can't open $ARGV[0]: $?";
>> while (<STDIN>) {
>> print SAVE $_;
>> print $_;
>> }
>> close(SAVE);
>>
>> Apache version = httpd-2.4.6-win32-VC11
>>
>> This doesn't work at all giving me an error "*AH00082: an unknown filter
>> was not added: myFilter*". However, when I set 'mode' to 'output' it
>> work as expected. Any clue on this?
>>
>
> Were you using "SetInputFilter myFilter" when you had "mode=input"?
>
>
>>
>> Thanks
>>
>> Daniel
>>
>
>
>
> --
> Born in Roswell... married an alien...
> http://emptyhammock.com/
>
Re: [users@httpd] Filtering incoming request with mod_ext_filter
Posted by Jeff Trawick <tr...@gmail.com>.
On Wed, Oct 23, 2013 at 12:07 PM, Daniel Stefaniuk <
daniel.stefaniuk@gmail.com> wrote:
> I try to filter incoming HTTP request. Here is configuration of my filter:
>
> LoadModule ext_filter_module modules/mod_ext_filter.so
> ExtFilterDefine myFilter ftype=30 mode=input \
> cmd="c:/tools/perl/bin/perl.exe c:/temp/dump.pl c:/temp/dump.out"
> <Directory "c:/Apache24/htdocs">
> SetOutputFilter myFilter
> </Directory>
>
> and Perl script I'm using:
>
> use strict;
> open(SAVE, ">$ARGV[0]")
> or die "can't open $ARGV[0]: $?";
> while (<STDIN>) {
> print SAVE $_;
> print $_;
> }
> close(SAVE);
>
> Apache version = httpd-2.4.6-win32-VC11
>
> This doesn't work at all giving me an error "*AH00082: an unknown filter
> was not added: myFilter*". However, when I set 'mode' to 'output' it work
> as expected. Any clue on this?
>
Were you using "SetInputFilter myFilter" when you had "mode=input"?
>
> Thanks
>
> Daniel
>
--
Born in Roswell... married an alien...
http://emptyhammock.com/