You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Michael Mattsson <ap...@phrenetic.to> on 2004/09/27 20:07:33 UTC
[users@httpd] mod_ext_filter on win32
Hi!
I've been scratching my head for a while now and can't seem to get
mod_ext_filter to work properly on the win32 platform.
When I do like:
ExtFilterDefine replacehostname mode=output cmd="C:/bin/sed.exe
s/www.foobar.com/www.barfoo.com/g"
sed.exe just hangs there when I try:
SetOutputFilter replacehostname
I've tried numerous executables to "pipe" to, but everything just hangs. I'm
doing a qualified guess that Apache is unable to provide STDIN to these
programs. I'm running Apache-2.0.50 (no ssl) from httpd.apache.org on Windows
2000 SP3. According to the error log the executable is indeed executed. If I do
like:
ExtFilterDefine foobar mode=output cmd="C:/cygwin/bin/echo.exe foobar"
I get the expected results: foobar
I this a bug or do mod_ext_filter have some undocumented feature?
Would be really grateful if someone could shed some light over this.
BR, Michael
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] AWStats and security
Posted by Mark McCulligh <mm...@visualtech.ca>.
Yes your way will work, but you will have a fairly long Vhost setup for
each customer now.
You can also using /"SetEnv AWSTATS_FORCE_CONFIG customerA" in your
Vhost to make it so customers can't overwrite the config filename. in
the URL
I have been just reading the security doc on awstats website:
http://awstats.sourceforge.net/docs/awstats_security.html
To me you have 2 different options that will work.
Method 1:
One common .htaccess with all your customers then in each awstats config
file you use /AllowAccessFromWebToAuthenticatedUsersOnly = 1 and
AllowAccessFromWebToFollowingAuthenticatedUsers = customerA to protect
the config file other customer.
Method 2:
In each vhost you have their own .htaccess and use /SetEnv
AWSTATS_FORCE_CONFIG customerA OR your method of mod_rewrite.
I have not tested this out but both look like they will get the job
done. It is up to the webmaster what method they like better. I think
Method 1 for me would work better, only one .htaccess file to manage and
set the customer config file right the first time you make it.
/
Just my two cents.
Mark.
Aman Raheja wrote:
> You can configure apache's VH setting for each host to disallow
> anything in the query string other than config=CustomerA
> http://www.customerA.com/awstats/awstats.pl?config=CustomerA
>
> How about if the put
> http://www.customerA.com/awstats/awstats.pl?config=CustomerB - such
> that now the domain name part does not match the config= parameter -
> you do a rewrite (using mod_rewrite) and display an error page. That's
> easy to do.
>
> RewriteEngine On
> RewriteCond %{QUERYSTRING} !^config=customerA$
> RewriteRule /awstats/awstats.pl <some-error-page-url>? [R,L]
>
> I have not tried the above - correction are welcome - though there
> might be some other way of restricting - this is the one I could think
> on the top of my head.
>
> Btw, don't forget to Load and add the mod_rewrite, if you choose to do
> this.
> Aman Raheja
>
>
> Mark McCulligh wrote:
>
>> Aman Raheja wrote:
>>
>>> Mark McCulligh wrote:
>>>
>>>> I have a question for anyone else using awstats for their website
>>>> stats.
>>>>
>>>> I have it installed and running ok. But want to protect the stats
>>>> so only valid users can access their stats. I have created a
>>>> .htaccess file to make sure only valid users can get in but how are
>>>> people protecting valid users from looking at other valid users
>>>> website stats. I don't want customer A looking at customers B stats.
>>>>
>>>> I see that you can have awstats make static web pages using
>>>> "staticlinks" but I want to keep it dynamic.
>>>>
>>>> How are other people protecting their awstats.
>>>>
>>>> Thanks,
>>>> Mark.
>>>>
>>> I have used awstats before i switched to webalizer which gives more
>>> useful info for me.
>>> Well protecting is no big issue i think - esp if you are enabling
>>> .htaccess control then how can users know each other's user/pass
>>> info to look at someone else's stats!
>>>
>>> Aman Raheja
>>>
>> I am doing the opposite from you. I have used webalizer for years but
>> find awstats just looks nicer. Both give about the same information.
>> But customers are in to looks. I have even looked at Urchin or
>> WebTrends to do stats but I don't want to spend the money right now
>> on stats when both webalizer an awstats are good enough for most
>> customers.
>>
>> Now about your .htacess question. It only makes sure valid customers
>> with username/pwd have access to the cgi-bin folder. But once a
>> customer in logged in they can change their config file parameter and
>> get another customer's stats.
>>
>> Example:
>> http://www.customerA.com/awstats/awstats.pl?config=CustomerA
>> User asked for username/pwd, then log in. Then change their URL to
>> http://www.customerA.com/awstats/awstats.pl?config=CustomerB
>> Their how can see CustomerB stats. DOH
>>
>> Mark.
>
>
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server
> Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
--
___________________________________________
Mark McCulligh, Web Consultant
VisualTech Components www.VisualTech.ca
mmcculli@visualtech.ca
(519)318-7905
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] AWStats and security
Posted by Aman Raheja <ar...@techquotes.com>.
You can configure apache's VH setting for each host to disallow anything
in the query string other than config=CustomerA
http://www.customerA.com/awstats/awstats.pl?config=CustomerA
How about if the put
http://www.customerA.com/awstats/awstats.pl?config=CustomerB - such that
now the domain name part does not match the config= parameter - you do a
rewrite (using mod_rewrite) and display an error page. That's easy to do.
RewriteEngine On
RewriteCond %{QUERYSTRING} !^config=customerA$
RewriteRule /awstats/awstats.pl <some-error-page-url>? [R,L]
I have not tried the above - correction are welcome - though there might
be some other way of restricting - this is the one I could think on the
top of my head.
Btw, don't forget to Load and add the mod_rewrite, if you choose to do this.
Aman Raheja
Mark McCulligh wrote:
> Aman Raheja wrote:
>
>> Mark McCulligh wrote:
>>
>>> I have a question for anyone else using awstats for their website
>>> stats.
>>>
>>> I have it installed and running ok. But want to protect the stats so
>>> only valid users can access their stats. I have created a .htaccess
>>> file to make sure only valid users can get in but how are people
>>> protecting valid users from looking at other valid users website
>>> stats. I don't want customer A looking at customers B stats.
>>>
>>> I see that you can have awstats make static web pages using
>>> "staticlinks" but I want to keep it dynamic.
>>>
>>> How are other people protecting their awstats.
>>>
>>> Thanks,
>>> Mark.
>>>
>> I have used awstats before i switched to webalizer which gives more
>> useful info for me.
>> Well protecting is no big issue i think - esp if you are enabling
>> .htaccess control then how can users know each other's user/pass info
>> to look at someone else's stats!
>>
>> Aman Raheja
>>
> I am doing the opposite from you. I have used webalizer for years but
> find awstats just looks nicer. Both give about the same information.
> But customers are in to looks. I have even looked at Urchin or
> WebTrends to do stats but I don't want to spend the money right now on
> stats when both webalizer an awstats are good enough for most customers.
>
> Now about your .htacess question. It only makes sure valid customers
> with username/pwd have access to the cgi-bin folder. But once a
> customer in logged in they can change their config file parameter and
> get another customer's stats.
>
> Example:
> http://www.customerA.com/awstats/awstats.pl?config=CustomerA
> User asked for username/pwd, then log in. Then change their URL to
> http://www.customerA.com/awstats/awstats.pl?config=CustomerB
> Their how can see CustomerB stats. DOH
>
> Mark.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] AWStats and security
Posted by Mark McCulligh <mm...@visualtech.ca>.
Aman Raheja wrote:
> Mark McCulligh wrote:
>
>> I have a question for anyone else using awstats for their website stats.
>>
>> I have it installed and running ok. But want to protect the stats so
>> only valid users can access their stats. I have created a .htaccess
>> file to make sure only valid users can get in but how are people
>> protecting valid users from looking at other valid users website
>> stats. I don't want customer A looking at customers B stats.
>>
>> I see that you can have awstats make static web pages using
>> "staticlinks" but I want to keep it dynamic.
>>
>> How are other people protecting their awstats.
>>
>> Thanks,
>> Mark.
>>
> I have used awstats before i switched to webalizer which gives more
> useful info for me.
> Well protecting is no big issue i think - esp if you are enabling
> .htaccess control then how can users know each other's user/pass info
> to look at someone else's stats!
>
> Aman Raheja
>
I am doing the opposite from you. I have used webalizer for years but
find awstats just looks nicer. Both give about the same information. But
customers are in to looks. I have even looked at Urchin or WebTrends to
do stats but I don't want to spend the money right now on stats when
both webalizer an awstats are good enough for most customers.
Now about your .htacess question. It only makes sure valid customers
with username/pwd have access to the cgi-bin folder. But once a
customer in logged in they can change their config file parameter and
get another customer's stats.
Example:
http://www.customerA.com/awstats/awstats.pl?config=CustomerA
User asked for username/pwd, then log in. Then change their URL to
http://www.customerA.com/awstats/awstats.pl?config=CustomerB
Their how can see CustomerB stats. DOH
Mark.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] AWStats and security
Posted by Aman Raheja <ar...@techquotes.com>.
Mark McCulligh wrote:
> I have a question for anyone else using awstats for their website stats.
>
> I have it installed and running ok. But want to protect the stats so
> only valid users can access their stats. I have created a .htaccess
> file to make sure only valid users can get in but how are people
> protecting valid users from looking at other valid users website
> stats. I don't want customer A looking at customers B stats.
>
> I see that you can have awstats make static web pages using
> "staticlinks" but I want to keep it dynamic.
>
> How are other people protecting their awstats.
>
> Thanks,
> Mark.
>
I have used awstats before i switched to webalizer which gives more
useful info for me.
Well protecting is no big issue i think - esp if you are enabling
.htaccess control then how can users know each other's user/pass info to
look at someone else's stats!
Aman Raheja
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
[users@httpd] AWStats and security
Posted by Mark McCulligh <mm...@visualtech.ca>.
I have a question for anyone else using awstats for their website stats.
I have it installed and running ok. But want to protect the stats so
only valid users can access their stats. I have created a .htaccess
file to make sure only valid users can get in but how are people
protecting valid users from looking at other valid users website stats.
I don't want customer A looking at customers B stats.
I see that you can have awstats make static web pages using
"staticlinks" but I want to keep it dynamic.
How are other people protecting their awstats.
Thanks,
Mark.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] mod_ext_filter on win32
Posted by Michael Mattsson <ap...@phrenetic.to>.
Hi!
Thanks for your reply! That module of yours sure looks helpful in this case. I
found my bug in the apache bugzilla.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=20695
I've not decided how to proceed but will probably end up compiling apache on
win32, as described in the above bug, which will be a whole new experience. ;-)
Cheerz!
//Michael
Quoting Nick Kew <ni...@webthing.com>:
> On Mon, 27 Sep 2004, Michael Mattsson wrote:
>
> > I've been scratching my head for a while now and can't seem to get
> > mod_ext_filter to work properly on the win32 platform.
>
> Can't help with that ...
>
> > When I do like:
> > ExtFilterDefine replacehostname mode=output cmd="C:/bin/sed.exe
> > s/www.foobar.com/www.barfoo.com/g"
>
> If that kind of substitution is what you need from the filter, see
> http://apache.webthing.com/mod_proxy_html/
>
> > sed.exe just hangs there when I try:
>
> Does windows sed have an option to run I/O unbuffered? If so, does
> that fix it? And if not, perhaps try AN Other tool that does have
> the option.
>
> --
> Nick Kew
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] mod_ext_filter on win32
Posted by Nick Kew <ni...@webthing.com>.
On Mon, 27 Sep 2004, Michael Mattsson wrote:
> I've been scratching my head for a while now and can't seem to get
> mod_ext_filter to work properly on the win32 platform.
Can't help with that ...
> When I do like:
> ExtFilterDefine replacehostname mode=output cmd="C:/bin/sed.exe
> s/www.foobar.com/www.barfoo.com/g"
If that kind of substitution is what you need from the filter, see
http://apache.webthing.com/mod_proxy_html/
> sed.exe just hangs there when I try:
Does windows sed have an option to run I/O unbuffered? If so, does
that fix it? And if not, perhaps try AN Other tool that does have
the option.
--
Nick Kew
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org