You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@httpd.apache.org by "Chen, Karen" <KC...@WhiteRockNetworks.com> on 2003/01/24 18:13:13 UTC

RE: [users@httpd] How to make Apache server to send request to an other web server

Sorry, I might be confusing anyone.  "4.1.7.1" is a private IP and IE on my
laptop has no knowledge at all. 

What I am trying to ask is how to manange the connection on the Apache
server. 
It need to translate the incoming url to this private ip, send the request
to
to "4.1.7.1" and gather the response back in a buffer and write it from the 
Apache web server and back to the Internet Explorer on my laptop.

Thanks again.

-----Original Message-----
From: Bob Ramsey [mailto:robert-ramsey@uiowa.edu]
Sent: Friday, January 24, 2003 11:06 AM
To: KChen@WhiteRockNetworks.com
Subject: Re: [users@httpd] How to make Apache server to send request to
another web server

At 10:52 AM 1/24/2003,  Chen, Karen wrote:
>What I am trying to accomplish is when I start a Internet Explorer on my
>laptop and
>specify a URL as mydomain:80(this is where Apache server runs), I want
>something
>can convert this mydomain to a ip address e.g. "4.1.7.1" and send http
>request to that
>host.

What you seem to be talking about here is a dns entry for 4.1.7.1.  A 
Domain Name Service (dns) entry is what converts www.google.com to 
216.239.51.101.  You would apply to one of the many registration companies 
for the domain name you want, assuming it isn't already in use.  That will 
let anyone in the world type in http://www.mydomain.com and get to your 
webserver.  If you don't want everyone in the world to be able to do this, 
then you can alter the hosts file on your computer.  With a windows 
computer this can be in several different places and names depending on 
what version of windows you are running.  Do a search for hosts*.* and see 
what comes up.  XP has an actual hosts file, older versions have 
lmhosts.sam or something like that.  Most linux computers just use 
/etc/hosts.  There are instructions in the file for what to do

bob

======================================================================
Bob Ramsey                                      Computer Consultant II
ph:  1(319)335-9956                              216 Boyd Law Building
fax: 1(319)335-9019                  University of Iowa College of Law
mailto:robert-ramsey@uiowa.edu                Iowa City, IA 52242-1113
For Hardware and Software questions, call 5-9124
======================================================================

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] The "Limit" Directive and TRACE

Posted by Sander Holthaus - Orange XL <in...@orangexl.com>.

I use this on all my vhosts

    <LimitExcept GET HEAD POST>
    Order deny,allow
    Deny from all
    </LimitExcept>

Don't know if it'll help you out.

----- Original Message -----
From: "Ben Ricker" <br...@wellinx.com>
To: <us...@httpd.apache.org>
Sent: Friday, January 24, 2003 9:46 PM
Subject: [users@httpd] The "Limit" Directive and TRACE


> I am trying to fortify a web server running Apache 1.3.27 against
> cross-site scripting (see
> http://www.extremetech.com/article2/0,3973,841047,00.asp for more
> information).
>
> The problem is that I am trying to disallow the use of TRACE using the
> LIMIT directive. Here is a 'Limit' directives snippet from the Apache
> docs (http://httpd.apache.org/docs/mod/core.html#limit).
>
> When I put the following in the httpd.conf:
>
> <Limit TRACE>
> Deny from All
> </Limit>
>
> I get the following error:
>
> ../bin/apachectl configtest
> Syntax error on line 395 of /usr/local/apache/conf/httpd.conf:
> TRACE cannot be controlled by <Limit>
>
> Am I missing something here?
>
> Ben Ricker
> Wellinx.com
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] The "Limit" Directive and TRACE

Posted by Richard Pyne <rp...@kinfolk.org>.

Before you spend too much time on it, read:

http://online.securityfocus.com/archive/1/307778

--Richard

On Friday 24 January 2003 01:46 pm, Ben Ricker wrote:
> I am trying to fortify a web server running Apache 1.3.27 against
> cross-site scripting (see
> http://www.extremetech.com/article2/0,3973,841047,00.asp for more
> information).
>
> The problem is that I am trying to disallow the use of TRACE using
> the LIMIT directive. Here is a 'Limit' directives snippet from the
> Apache docs (http://httpd.apache.org/docs/mod/core.html#limit).
>
> When I put the following in the httpd.conf:
>
> <Limit TRACE>
> Deny from All
> </Limit>
>
> I get the following error:
>
> ../bin/apachectl configtest
> Syntax error on line 395 of /usr/local/apache/conf/httpd.conf:
> TRACE cannot be controlled by <Limit>
>
> Am I missing something here?
>
> Ben Ricker
> Wellinx.com
>
>
> -------------------------------------------------------------------
>-- The official User-To-User support forum of the Apache HTTP Server
> Project. See <URL:http://httpd.apache.org/userslist.html> for more
> info. To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org " 
>  from the digest: users-digest-unsubscribe@httpd.apache.org For
> additional commands, e-mail: users-help@httpd.apache.org

-- 
Richard B. Pyne
rpyne@kinfolk.org

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] The "Limit" Directive and TRACE

Posted by Joshua Slive <jo...@slive.ca>.

On Fri, 24 Jan 2003, Ben Ricker wrote:
> > I suspect (though I haven't tested) you could also use
> > SetEnvIf Request_Method TRACE trace_request
> > Order allow,deny
> > allow from all
> > deny from env=trace_request
>
> Hmmm....Apache does not like the Order directive scoped under SetEnvIf.
> It does not work in 1.3.27. I looked over the docs but could not find
> anything that shows an example if using the Order directives under SetEnvIf.

It isn't the SetEnvIf that is the problem.  It is the context of Order.
It can't be placed in the main server context, it must be inside a
container, as in

SetEnvIf ....
<Location />
Order allow,deny
allow from all
deny from env="trace_request
</Location>

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] The "Limit" Directive and TRACE

Posted by Ben Ricker <br...@wellinx.com>.

Joshua Slive wrote:
> On Fri, 24 Jan 2003, Ben Ricker wrote:
> 
> 
>>I am trying to fortify a web server running Apache 1.3.27 against
>>cross-site scripting (see
>>http://www.extremetech.com/article2/0,3973,841047,00.asp for more
>>information).
>>
>>The problem is that I am trying to disallow the use of TRACE using the
>>LIMIT directive.
> 
> 
> See:
> http://www.apacheweek.com/issues/03-01-24#news

That was a helpful article and it makes sense that the vulnerability is 
not SO huge as Whitehatsec makes it out to be, in the sense that it is 
not necessarily Apache's issue.

> I suspect (though I haven't tested) you could also use
> SetEnvIf Request_Method TRACE trace_request
> Order allow,deny
> allow from all
> deny from env=trace_request

Hmmm....Apache does not like the Order directive scoped under SetEnvIf. 
It does not work in 1.3.27. I looked over the docs but could not find 
anything that shows an example if using the Order directives under SetEnvIf.

I guess I can stick with the mod_rewrite trick on the ApacheWeek 
article, although I am not sure I have mod_rewrite setup....

Thanks,

Ben Ricker
Wellinx.com

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] The "Limit" Directive and TRACE

Posted by Joshua Slive <jo...@slive.ca>.

On Fri, 24 Jan 2003, Ben Ricker wrote:

> I am trying to fortify a web server running Apache 1.3.27 against
> cross-site scripting (see
> http://www.extremetech.com/article2/0,3973,841047,00.asp for more
> information).
>
> The problem is that I am trying to disallow the use of TRACE using the
> LIMIT directive.

See:
http://www.apacheweek.com/issues/03-01-24#news

I suspect (though I haven't tested) you could also use
SetEnvIf Request_Method TRACE trace_request
Order allow,deny
allow from all
deny from env=trace_request

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

[users@httpd] The "Limit" Directive and TRACE

Posted by Ben Ricker <br...@wellinx.com>.

I am trying to fortify a web server running Apache 1.3.27 against 
cross-site scripting (see 
http://www.extremetech.com/article2/0,3973,841047,00.asp for more 
information).

The problem is that I am trying to disallow the use of TRACE using the 
LIMIT directive. Here is a 'Limit' directives snippet from the Apache 
docs (http://httpd.apache.org/docs/mod/core.html#limit).

When I put the following in the httpd.conf:

<Limit TRACE>
Deny from All
</Limit>

I get the following error:

../bin/apachectl configtest
Syntax error on line 395 of /usr/local/apache/conf/httpd.conf:
TRACE cannot be controlled by <Limit>

Am I missing something here?

Ben Ricker
Wellinx.com


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

RE: [users@httpd] FAQ & .htaccess allow from internal domain, prompt for auth from everywhere else

Posted by "James R. Marcus" <jm...@mvalent.com>.

Thanks so much.  That did it.

James

-----Original Message-----
From: Joshua Slive [mailto:joshua@slive.ca] 
Sent: Friday, January 24, 2003 3:18 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] FAQ & .htaccess allow from internal domain,
prompt for auth from everywhere else


On Fri, 24 Jan 2003, James R. Marcus wrote:
> I am using SSL.  I get the following error in the logs: [Fri Jan 24
> 14:21:35 2003] [alert] [client 10.0.0.114]
> /usr/local/apache2/htdocs/.htaccess: deny not allowed here
> This is set in the httpd.conf AllowOverride AuthConfig

If you look here:
http://httpd.apache.org/docs-2.0/mod/mod_access.html#deny
you'll see that the correct "override" for Deny is "Limit", so you need
at
least
AllowOverride AuthConfig Limit

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server
Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] FAQ & .htaccess allow from internal domain, prompt for auth from everywhere else

Posted by Joshua Slive <jo...@slive.ca>.

On Fri, 24 Jan 2003, James R. Marcus wrote:
> I am using SSL.  I get the following error in the logs: [Fri Jan 24
> 14:21:35 2003] [alert] [client 10.0.0.114]
> /usr/local/apache2/htdocs/.htaccess: deny not allowed here
> This is set in the httpd.conf AllowOverride AuthConfig

If you look here:
http://httpd.apache.org/docs-2.0/mod/mod_access.html#deny
you'll see that the correct "override" for Deny is "Limit", so you need at
least
AllowOverride AuthConfig Limit

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

[users@httpd] FAQ & .htaccess allow from internal domain, prompt for auth from everywhere else

Posted by "James R. Marcus" <jm...@mvalent.com>.

I read the FAQ at
http://httpd.apache.org/docs/misc/FAQ.html#remote-auth-only to get
Apache2 to prompt users from outside of our local domain for a password.
I am using SSL.  I get the following error in the logs: [Fri Jan 24
14:21:35 2003] [alert] [client 10.0.0.114]
/usr/local/apache2/htdocs/.htaccess: deny not allowed here
This is set in the httpd.conf AllowOverride AuthConfig
Here is the .htaccess file
Deny from all
Allow from .mvalent.local
AuthType Basic
AuthUserFile /usr/local/apache2/passwd/passwd
AuthName "Restricted Files"
Require valid-user
Satisfy any
 
Thanks,
James



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

RE: [users@httpd] How to make Apache server to send request to another web server

Posted by Jeff Cohen <ap...@gej-it.com>.

I think you're talking about Intranet web server, which means that you want
to make this web server to be serve html pages for the local lan with a
domain name. Am I right?

Jeff Cohen

> -----Original Message-----
> From: Chen, Karen [mailto:KChen@WhiteRockNetworks.com]
> Sent: Friday, January 24, 2003 12:13 PM
> To: 'users@httpd.apache.org'
> Subject: RE: [users@httpd] How to make Apache server to send request to
> another web server
> 
> 
> Sorry, I might be confusing anyone.  "4.1.7.1" is a private IP and IE on
> my
> laptop has no knowledge at all.
> 
> What I am trying to ask is how to manange the connection on the Apache
> server.
> It need to translate the incoming url to this private ip, send the request
> to
> to "4.1.7.1" and gather the response back in a buffer and write it from
> the
> Apache web server and back to the Internet Explorer on my laptop.
> 
> Thanks again.
> 
> -----Original Message-----
> From: Bob Ramsey [mailto:robert-ramsey@uiowa.edu]
> Sent: Friday, January 24, 2003 11:06 AM
> To: KChen@WhiteRockNetworks.com
> Subject: Re: [users@httpd] How to make Apache server to send request to
> another web server
> 
> 
> At 10:52 AM 1/24/2003,  Chen, Karen wrote:
> >What I am trying to accomplish is when I start a Internet Explorer on my
> >laptop and
> >specify a URL as mydomain:80(this is where Apache server runs), I want
> >something
> >can convert this mydomain to a ip address e.g. "4.1.7.1" and send http
> >request to that
> >host.
> 
> What you seem to be talking about here is a dns entry for 4.1.7.1.  A
> Domain Name Service (dns) entry is what converts www.google.com to
> 216.239.51.101.  You would apply to one of the many registration companies
> for the domain name you want, assuming it isn't already in use.  That will
> let anyone in the world type in http://www.mydomain.com and get to your
> webserver.  If you don't want everyone in the world to be able to do this,
> then you can alter the hosts file on your computer.  With a windows
> computer this can be in several different places and names depending on
> what version of windows you are running.  Do a search for hosts*.* and see
> what comes up.  XP has an actual hosts file, older versions have
> lmhosts.sam or something like that.  Most linux computers just use
> /etc/hosts.  There are instructions in the file for what to do
> 
> 
> bob
> 
> 
> 
> 
> ======================================================================
> Bob Ramsey                                      Computer Consultant II
> ph:  1(319)335-9956                              216 Boyd Law Building
> fax: 1(319)335-9019                  University of Iowa College of Law
> mailto:robert-ramsey@uiowa.edu                Iowa City, IA 52242-1113
> For Hardware and Software questions, call 5-9124
> ======================================================================
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org