You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@httpd.apache.org by Tom Browder <to...@gmail.com> on 2022/02/01 18:12:46 UTC

[users@httpd] Re: Latest version: should I use openssl 3+

On Tue, Feb 1, 2022 at 11:06 AM Tom Browder <to...@gmail.com> wrote:
> I am upgrading from Apache 2.4.43 to 2.4.52 and using openssl from
> source. I currently use 1.1.1.k and would normally go to the latest
> LTS  version1.1.1.m; however, would it be better to move to version
> 3+ now?

Well, the obvious answer is "no," at least for my other
configurations. I got all kinds of compilation warnings and errors.

Version 1.1.1m seems to build fine and install with Apache 2.4.52, though.

-Tom

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Dynamic authentication rules

Posted by Marc SCHAEFER <sc...@alphanet.ch>.

On Fri, Feb 11, 2022 at 06:21:50PM -0500, stormy wrote:
> Maybe I'm missing something that you refer to as "tricks" and "presumably"?
> Proof of concept?  Context?

If the dynamic way does not work, I will simply generate about 100
different configurations and merge them in Apache, it's not complicated
to do, just a bit silly IF there is some support dynamicity that
I missed in the documentation.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Dynamic authentication rules

Posted by stormy <st...@stormy.ca>.

On 2022-02-11 2:52 p.m., Marc SCHAEFER wrote:
> Hello,
> 
> In general, I would handle that kind of authentification tricks in a
> perl script, however in this case I would need to protect a script
> directly in Apache.
> 
> What presumably would work:
> 
> <If "%{QUERY_STRING} =~ /^someapp\/\?domain=testing;/">
>         AuthType Basic
>         AuthName "Login Required for testing"
>         AuthUserFile /shared/testing/htpasswd
>         Require valid-user
> </If>

Maybe I'm missing something that you refer to as "tricks" and 
"presumably"?  Proof of concept?  Context?

To "protect a script" is normally at system level.  Why do you "need" to 
do this "directly in Apache"?  Users?  Permissions?  It doesn't really 
matter whether you write in perl or my favourites fortran and cobol.

Best -- Paul
Tired old sys-admin.

> 
> What I would like to do:
> 
> <If "%{QUERY_STRING} =~ /^someapp\/\?domain=([a-z]+);/">
>         AuthType Basic
>         AuthName "Login Required for $1"
>         AuthUserFile /shared/$1/htpasswd
>         Require valid-user
> </If>
> 
> Is there a way to do something dynamic like this ?
> 
> Thank you for any pointer.
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

[users@httpd] Dynamic authentication rules

Posted by Marc SCHAEFER <sc...@alphanet.ch>.

Hello,

In general, I would handle that kind of authentification tricks in a
perl script, however in this case I would need to protect a script
directly in Apache.

What presumably would work:

<If "%{QUERY_STRING} =~ /^someapp\/\?domain=testing;/">
       AuthType Basic
       AuthName "Login Required for testing"
       AuthUserFile /shared/testing/htpasswd
       Require valid-user
</If>

What I would like to do:

<If "%{QUERY_STRING} =~ /^someapp\/\?domain=([a-z]+);/">
       AuthType Basic
       AuthName "Login Required for $1"
       AuthUserFile /shared/$1/htpasswd
       Require valid-user
</If>

Is there a way to do something dynamic like this ?

Thank you for any pointer.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Re: Latest version: should I use openssl 3+

Posted by Tom Browder <to...@gmail.com>.

On Sat, Feb 5, 2022 at 12:42 PM Christophe JAILLET
<ch...@wanadoo.fr> wrote:
> >> I am upgrading from Apache 2.4.43 to 2.4.52 and using openssl from
> >> source. I currently use 1.1.1.k and would normally go to the latest
> >> LTS  version1.1.1.m; however, would it be better to move to version
> > Well, the obvious answer is "no," at least for my other
> > configurations. I got all kinds of compilation warnings and errors.

> Hi Tom,
> sharing the errors you got could be interesting.
> AFAIK, httpd 2.4.52 should work fine with openssl 3.

Thanks, Christophe, I will do that. Now that I have that server
working fine, I'm soon going to upgrade my other server.

BTW, one oddity I saw on the working install is inexplicable to me,
but then I have had to work hard with much trial and error with both
OpenSSL and httpd to get the installation procedures I have used now
for over five years and don't really understand it all--maybe you can
explain it.

Normally I install OpenSSL in its own named directory under '/opt'.
For example, '/opt/openssl-1.1.1m' for the one I successfully
installed. I normally  leave the old library in place when I install a
new one.  This time, when I configured and installed the new httpd, I
saw in the configuration log that it was using bothe the old and the
new OPenSSL directories!

Then I deleted the old OpenSSL directory, executed 'make clean'  (not
'make distclean', which I don't think is a valid target), but, to my
surprise the link reference showed up again!  Note I did not uninstall
the old httpd installation (I'm not sure it's an option in the
Makefile), so there may be old files lying around causing the problem.

On the next installation I will try harder to watch each step (and
take better notes) for the source of the problem, including removing
the old installation.

Best regards,

-Tom

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

[users@httpd] Re: Latest version: should I use openssl 3+

Posted by Christophe JAILLET <ch...@wanadoo.fr>.

Le 01/02/2022 à 19:12, Tom Browder a écrit :
> On Tue, Feb 1, 2022 at 11:06 AM Tom Browder <to...@gmail.com> wrote:
>> I am upgrading from Apache 2.4.43 to 2.4.52 and using openssl from
>> source. I currently use 1.1.1.k and would normally go to the latest
>> LTS  version1.1.1.m; however, would it be better to move to version
>> 3+ now?
> 
> Well, the obvious answer is "no," at least for my other
> configurations. I got all kinds of compilation warnings and errors.
> 
> Version 1.1.1m seems to build fine and install with Apache 2.4.52, though.
> 
> -Tom

Hi Tom,

sharing the errors you got could be interesting.
AFAIK, httpd 2.4.52 should work fine with openssl 3.

It is built and tested with one of our configuration on travis CI.
(latest run: https://app.travis-ci.com/github/apache/httpd/jobs/558387457

Several other configurations are also built+tested on trunk.

CJ

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org