Posted to users@httpd.apache.org by Mal Goris <ma...@gmail.com> on 2020/04/15 10:35:05 UTC

[users@httpd] Faulty logic in Require directive

Hi,

I'm having trouble with the speed of execution of authorization for a
webdav site.  After a lot of trial and error I think there are two parts to
this problem.  This email is addressing just the first part.  The problem,
as I describe it, may sound trivial but I have cut the configuration down
as far as I can to get at the root of the problem.  In its cut down state
there is no noticeable response delay, but in the normal state of operation
it can take 10 seconds to get a response from the server.  If anyone can
point out what I might be doing wrong that would be great.

As is evident in the error log, with LogLevel set to trace 8, authorization
checks are being executed twice when they should be executed only once.
The first execution fails with the message "authorization result of Require
valid-user : denied (no authenticated user yet)".  That isn't correct
because the Authorization header has been sent by the browser.  Indeed, the
same check succeeds on the second execution of the authorization.  Here are
the authorization directives:

  # To begin, allow read access to all valid users on the local network.

  <Limit GET OPTIONS PROPFIND>
    <RequireAll>
      Require ip 192.168 10
      Require valid-user
    </RequireAll>
  </Limit>

  # Deny write access to all folders.

  <LimitExcept GET OPTIONS PROPFIND>
    Require all denied
  </LimitExcept>

And here is the trace8 output for a single request

[Wed Apr 15 19:31:54.899702 2020] [mpm_event:notice] [pid 24958:tid 139697261241472] AH00494: SIGHUP received.  Attempting to restart
[Wed Apr 15 19:31:54.910688 2020] [mpm_event:notice] [pid 24958:tid 139697261241472] AH00489: Apache/2.4.43 (Unix) configured -- resuming normal operations
[Wed Apr 15 19:31:54.910754 2020] [core:notice] [pid 24958:tid 139697261241472] AH00094: Command line: '/usr/local/apache2/bin/httpd'
[Wed Apr 15 19:31:57.870021 2020] [authz_core:debug] [pid 25551:tid 139697242527488] mod_authz_core.c(818): [client 192.168.1.3:56123] AH01626: authorization result of Require ip 192.168 10: granted
[Wed Apr 15 19:31:57.870121 2020] [authz_core:debug] [pid 25551:tid 139697242527488] mod_authz_core.c(818): [client 192.168.1.3:56123] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Wed Apr 15 19:31:57.870142 2020] [authz_core:debug] [pid 25551:tid 139697242527488] mod_authz_core.c(818): [client 192.168.1.3:56123] AH01626: authorization result of <RequireAll>: denied (no authenticated user yet)
[Wed Apr 15 19:31:57.870159 2020] [authz_core:debug] [pid 25551:tid 139697242527488] mod_authz_core.c(737): [client 192.168.1.3:56123] AH01625: authorization result of Require all denied: neutral (directive limited to other methods)
[Wed Apr 15 19:31:57.870175 2020] [authz_core:debug] [pid 25551:tid 139697242527488] mod_authz_core.c(818): [client 192.168.1.3:56123] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Wed Apr 15 19:31:57.871234 2020] [authz_core:debug] [pid 25551:tid 139697242527488] mod_authz_core.c(818): [client 192.168.1.3:56123] AH01626: authorization result of Require ip 192.168 10: granted
[Wed Apr 15 19:31:57.871302 2020] [authz_core:debug] [pid 25551:tid 139697242527488] mod_authz_core.c(818): [client 192.168.1.3:56123] AH01626: authorization result of Require valid-user : granted
[Wed Apr 15 19:31:57.871346 2020] [authz_core:debug] [pid 25551:tid 139697242527488] mod_authz_core.c(818): [client 192.168.1.3:56123] AH01626: authorization result of <RequireAll>: granted
[Wed Apr 15 19:31:57.871362 2020] [authz_core:debug] [pid 25551:tid 139697242527488] mod_authz_core.c(818): [client 192.168.1.3:56123] AH01626: authorization result of <RequireAny>: granted
[Wed Apr 15 19:31:57.872029 2020] [http:trace3] [pid 25551:tid 139697242527488] http_filters.c(1127): [client 192.168.1.3:56123] Response sent with status 200, headers:

If I change the "Require valid-user" directive to "Require all granted" the
authorization is executed only once, which makes sense, but this is what I
would expect in the case above.  For completeness, here is the entire
configuration.

# Configure a webdav folder at /webdav on our server.

# This is where the webdav directory is served from on the local file
# system.

ServerName skyler

Define ROOT /home/webdav

Alias /webdav ${ROOT}

# Configure the webdav directory.

<Directory ${ROOT}>

  LogLevel trace8

  Options MultiViews Indexes
  AllowOverride AuthConfig
  DAV On

  # Authentication is done by the Basic method using the postgres
  # database.  Webdav access generates a lot of requests so
  # mod_authn_socache is added for performance.

  AuthType Basic
  AuthName "henka"
  AuthBasicProvider file
  AuthUserFile htpasswd
  AuthGroupFile htgroup

  # To begin, allow read access to all valid users on the local
  # network.

  <Limit GET OPTIONS PROPFIND>
    <RequireAll>
      Require ip 192.168 10
      Require valid-user
    </RequireAll>
  </Limit>

  # Deny write access to all folders.

  <LimitExcept GET OPTIONS PROPFIND>
    Require all denied
  </LimitExcept>

</Directory>

And this is the request

192.168.1.3 - mal [15/Apr/2020:19:31:57 +1000] "GET /webdav/ HTTP/1.1" 200 324

Thanks in advance
Mal

Re: [users@httpd] Faulty logic in Require directive

Posted by Mal Goris <ma...@gmail.com>.
Hi Eric,

Thanks for your reply.  It is good to eliminate that from the possible
causes of the slow response.  I'll investigate further and see what else I
can learn about the problem.

Regards
Mal


On Wed, Apr 15, 2020 at 8:54 PM Eric Covener <co...@gmail.com> wrote:

> On Wed, Apr 15, 2020 at 6:34 AM Mal Goris <ma...@gmail.com> wrote:
> >
> > Hi,
> >
> > I'm having trouble with the speed of execution of authorization for a
> webdav site.  After a lot of trial and error I think there are two parts to
> this problem.  This email is addressing just the first part.  The problem,
> as I describe it, may sound trivial but I have cut the configuration down
> as far as I can to get at the root of the problem.  In its cut down state
> there is no noticeable response delay, but in the normal state of operation
> it can take 10 seconds to get a response from the server.  If anyone can
> point out what I might be doing wrong that would be great.
>
> This is expected. Apache uses the Require directive in two phases, and
> in the earliest phase checks that require authentication to have been
> performed are not evaluated.
> I doubt either phase eats significant time out of 10 seconds, it's
> just noisy while tracing.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>

Re: [users@httpd] Faulty logic in Require directive

Posted by Eric Covener <co...@gmail.com>.
On Wed, Apr 15, 2020 at 6:34 AM Mal Goris <ma...@gmail.com> wrote:
>
> Hi,
>
> I'm having trouble with the speed of execution of authorization for a webdav site.  After a lot of trial and error I think there are two parts to this problem.  This email is addressing just the first part.  The problem, as I describe it, may sound trivial but I have cut the configuration down as far as I can to get at the root of the problem.  In its cut down state there is no noticeable response delay, but in the normal state of operation it can take 10 seconds to get a response from the server.  If anyone can point out what I might be doing wrong that would be great.

This is expected. Apache uses the Require directive in two phases, and
in the earliest phase checks that require authentication to have been
performed are not evaluated.
I doubt either phase eats significant time out of 10 seconds, it's
just noisy while tracing.
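
The two passes described in the reply above can be separated and timed from the trace output itself. The following is an added example, not part of the original thread: it parses authz_core result lines in the format shown in the first message (the sample is constructed from that trace and abridged), closes a pass at each top-level <RequireAny> result, and reports each pass's outcome and elapsed time. The names LINE, authz_passes and summarize are the example's own; it assumes one log entry per line and that the only <RequireAny> is the implicit top-level one, as in the posted configuration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: AH01626 lines taken from the trace in this thread, one entry per line.
P = "[pid 25551:tid 139697242527488] mod_authz_core.c(818): [client 192.168.1.3:56123] AH01626: authorization result of "
SAMPLE = "\n".join(f"[Wed Apr 15 19:31:57.{us} 2020] [authz_core:debug] {P}{rest}" for us, rest in [
    ("870021", "Require ip 192.168 10: granted"),
    ("870121", "Require valid-user : denied (no authenticated user yet)"),
    ("870142", "<RequireAll>: denied (no authenticated user yet)"),
    ("870175", "<RequireAny>: denied (no authenticated user yet)"),
    ("871234", "Require ip 192.168 10: granted"),
    ("871302", "Require valid-user : granted"),
    ("871346", "<RequireAll>: granted"),
    ("871362", "<RequireAny>: granted"),
])

LINE = re.compile(
    r"^\[\w{3} (?P<ts>\w{3} \d+ [\d:.]+ \d{4})\] \[authz_core:debug\] "
    r"\[pid (?P<pid>\d+):tid (?P<tid>\d+)\] .*?\[client (?P<client>[^\]]+)\] "
    r"AH0162[56]: authorization result of (?P<what>.+?) ?: "
    r"(?P<res>granted|denied|neutral)(?: \((?P<why>.*)\))?$", re.M)

def authz_passes(log_text):
    """Split authz_core results into passes; a pass ends at its <RequireAny> result."""
    open_pass, passes = {}, []
    for m in LINE.finditer(log_text):
        key = (m["pid"], m["tid"], m["client"])  # one worker thread, one connection
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S.%f %Y")
        cur = open_pass.setdefault(key, {"key": key, "start": ts, "checks": []})
        cur["checks"].append((m["what"], m["res"]))
        if m["what"] == "<RequireAny>":  # assumption: implicit top-level container
            del open_pass[key]
            cur["result"], cur["why"] = m["res"], m["why"]
            cur["usec"] = (ts - cur["start"]) // timedelta(microseconds=1)
            passes.append(cur)
    return passes

def summarize(passes):
    """Label a pass denied only for lack of a user, and re-run later, as the early pass."""
    out = []
    for i, p in enumerate(passes):
        rerun = any(q["key"] == p["key"] for q in passes[i + 1:])
        early = p["result"] == "denied" and p["why"] == "no authenticated user yet" and rerun
        out.append(("pre-authentication" if early else "final", p["result"], p["usec"]))
    return out

if __name__ == "__main__":
    print(summarize(authz_passes(SAMPLE)))
```

Log entries wrapped across several lines, as mail clients tend to leave them, have to be rejoined before parsing. A "denied" pass that is never followed by a second pass on the same connection is reported as "final" and is the one worth investigating.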
