Posted to dev@httpd.apache.org by Philip Prindeville <ph...@redfish-solutions.com> on 2017/03/30 20:02:37 UTC
Stand-alone negation on Require (was: Quick 2.4 question)
I’ve not heard back so I’m going to go ahead and file a bug as a placekeeper.
-Philip
> On Mar 29, 2017, at 7:04 PM, Philip Prindeville <ph...@redfish-solutions.com> wrote:
>
> We weren’t able to figure out the way to do this, and we’re both wondering if this isn’t a bug.
>
> If you can say:
>
> <Location />
> Require env is_local_client
> </Location>
>
> to allow access contingent on the presence of a flag, it should also be possible to do the inverse: allow access contingent on the absence of a flag:
>
> <Location />
> Require not env is_a_bogon
> </Location>
>
> Where is_a_bogon gets set via:
>
> LoadModule setenvif_module modules/mod_setenvif.so
>
> BrowserMatch "^$" is_a_bogon
> BrowserMatch "^ZmEu$" is_a_bogon
> BrowserMatch "^Morfeus " is_a_bogon
> …
>
> <IfModule mod_geoip.c>
> SetEnvIf GEOIP_COUNTRY_CODE CN is_a_bogon
> SetEnvIf GEOIP_COUNTRY_CODE IR is_a_bogon
> SetEnvIf GEOIP_COUNTRY_CODE RU is_a_bogon
> SetEnvIf GEOIP_COUNTRY_CODE VN is_a_bogon
> …
> </IfModule>
>
> etc.
>
> So is_a_bogon only gets set if we’re seeing a User-Agent which is suspect, or if the traffic is originating from hacker havens.
>
> But this doesn’t seem to be doable in any obvious way.
>
> This looks a bit like BZ 53069.
>
> For what it’s worth, though, I also tried:
>
> <Location />
> <RequireAll>
> Require all granted
> Require not env is_a_bogon
> </RequireAll>
> </Location>
>
> but that results in:
>
> --b4972c7d-A--
> [29/Mar/2017:18:47:29 --0600] WNxVoSGJcKzTWLcEbdzNJgAAAAA 192.168.1.38 50909 192.168.1.3 443
> --b4972c7d-B--
> GET /downloads/powercodebmu-r3813-964ba7a-x86-xeon-combined-squashfs.img HTTP/1.1
> User-Agent: Wget/1.14 (darwin12.3.0)
> Accept: */*
> Host: www.redfish-solutions.com
> Connection: Keep-Alive
>
> --b4972c7d-F--
> HTTP/1.1 403 Forbidden
> Content-Length: 276
> Keep-Alive: timeout=5, max=100
> Connection: Keep-Alive
> Content-Type: text/html; charset=iso-8859-1
>
> --b4972c7d-E--
>
> --b4972c7d-H--
> Apache-Error: [file "mod_authz_core.c"] [line 873] [level 3] AH01630: client denied by server configuration: %s%s
> Stopwatch: 1490834849214254 1971 (- - -)
> Stopwatch2: 1490834849214254 1971; combined=850, p1=725, p2=0, p3=1, p4=86, p5=38, sr=452, sw=0, l=0, gc=0
> Response-Body-Transformed: Dechunked
> Producer: ModSecurity for Apache/2.9.0 (http://www.modsecurity.org/); OWASP_CRS/2.2.8.
> Server: Apache/2.4.25 (Fedora) OpenSSL/1.0.2k-fips mod_nss/1.0.12 NSS/3.23 Basic ECC mod_perl/2.0.10 Perl/v5.22.3
> Engine-Mode: "ENABLED"
>
> --b4972c7d-Z--
>
> so it’s not clear to me if there’s any way to achieve what I’m trying to do, or why the solution in BZ 53069 wouldn’t be applicable (by analogy) here.
>
> More broadly on a philosophical level, looking at Comment 3 by Daniel Gruno:
>
> https://bz.apache.org/bugzilla/show_bug.cgi?id=53069#c3
>
> He writes:
>
> “[…] I have made some changes to the access howto to emphasize that a negation cannot stand on its own.”
>
> Just out of curiosity, why can’t it stand on its own?
>
> I don’t see anything intrinsically wrong about gating on the _absence_ of _negative factors_.
>
> Can someone please set me straight?
>
> Thanks,
>
> -Philip
>
>
>
>> Begin forwarded message:
>>
>> From: Philip Prindeville <ph...@redfish-solutions.com>
>> Subject: Quick 2.4 question
>> Date: March 28, 2017 at 2:32:03 PM MDT
>> To: "William A. Rowe Jr." <wr...@rowe-clan.net>
>>
>> Hi William,
>>
>> Sorry to bother you with a triviality, but I’ve been wracking my brain with this one for a couple of hours now.
>>
>> I had an httpd-2.4 server that’s been humming for years, but recently (like 2 days ago following a Fedora 24 update) it started balking at ALL requests.
>>
>> Yes, I had been using Allow/Deny and mod_access_compat… I’ll turn that off momentarily.
>>
>> The culprit (and it took me a long time to find it!) was:
>>
>> <Location />
>> Deny from env=is_a_bogon
>> </Location>
>>
>> which I tried to rewrite as:
>>
>> <Location />
>> Require not env is_a_bogon
>> </Location>
>>
>> but that complains about:
>>
>> Mar 28 14:04:49 mail httpd[2964]: AH00526: Syntax error on line 81 of /etc/httpd/conf.d/mod_setenvif.conf:
>> Mar 28 14:04:49 mail httpd[2964]: negative Require directive has no effect in <RequireAny> directive
>>
>> I’ve also tried:
>>
>> Require env !is_a_bogon
>>
>> but that gets me a syntax error.
>>
>> I looked at the 2.4 mod_setenvif pages but unfortunately it doesn’t go into a lot of detail of how to tie the tests together in with the actual Require directives.
>>
>> Can you set me straight here?
>>
>> Thanks,
>>
>> -Philip
>>
>
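The question in this post ("why can't a negation stand on its own?") can be traced mechanically. The following is an added illustration, not httpd code and not anything from this thread: a small Python model of the documented result-combining rules of mod_authz_core's Require, RequireAll and RequireAny (a provider returns granted, denied or neutral; `Require not` turns granted into denied and denied into neutral; bare Require lines sit in an implicit RequireAny; only a granted result at the top level avoids a 403). The provider callables, the `parse_section`/`decide` helpers and the sample environments are my own constructs, and the `strict` flag reproduces the start-up error quoted above rather than httpd's actual parser.

```python
"""Toy model of how httpd 2.4 (mod_authz_core) combines Require results.

Added illustration, not httpd source.  Documented semantics being modelled:
  * a provider (all, env, ...) returns GRANTED, DENIED or NEUTRAL
  * `Require not ...` maps GRANTED -> DENIED and DENIED -> NEUTRAL; it never grants
  * <RequireAll>: any DENIED child -> DENIED; else GRANTED if a child granted; else NEUTRAL
  * <RequireAny>: any GRANTED child -> GRANTED; else DENIED if a child denied; else NEUTRAL
  * bare Require lines sit in an implicit top-level <RequireAny>
  * anything other than GRANTED at the top level becomes a 403
"""
from dataclasses import dataclass, field
from enum import Enum


class Status(Enum):
    GRANTED = "granted"
    DENIED = "denied"
    NEUTRAL = "neutral"


def _all_provider(args, env):
    return Status.GRANTED if args == "granted" else Status.DENIED


def _env_provider(args, env):
    # env provider: grants if any listed variable is set in the request environment
    return Status.GRANTED if any(name in env for name in args.split()) else Status.DENIED


PROVIDERS = {"all": _all_provider, "env": _env_provider}  # subset, for the model


@dataclass
class Require:
    provider: str
    args: str
    negate: bool = False

    def check(self, env):
        result = PROVIDERS[self.provider](self.args, env)
        if not self.negate:
            return result
        # Negation can deny or abstain, never grant: "not" of a failed check is NEUTRAL.
        return Status.DENIED if result is Status.GRANTED else Status.NEUTRAL


@dataclass
class Container:
    op: str                      # "all" (RequireAll) or "any" (RequireAny)
    children: list = field(default_factory=list)

    def check(self, env):
        result = Status.NEUTRAL
        for child in self.children:
            r = child.check(env)
            if self.op == "all":
                if r is Status.DENIED:
                    return Status.DENIED      # one failure sinks RequireAll
                if r is Status.GRANTED:
                    result = Status.GRANTED
            else:
                if r is Status.GRANTED:
                    return Status.GRANTED     # one success carries RequireAny
                if r is Status.DENIED:
                    result = Status.DENIED
        return result


def parse_section(text, strict=True):
    """Parse the Require lines of one <Location> body into a tree.

    strict=True rejects a negated Require placed directly in a RequireAny
    (including the implicit top-level one), mirroring httpd's start-up error.
    """
    root = Container("any")
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in ("<RequireAll>", "<RequireAny>"):
            node = Container("all" if line == "<RequireAll>" else "any")
            stack[-1].children.append(node)
            stack.append(node)
        elif line in ("</RequireAll>", "</RequireAny>"):
            stack.pop()
        elif line.startswith("Require "):
            parts = line.split()[1:]
            negate = parts[0] == "not"
            if negate:
                parts = parts[1:]
            if strict and negate and stack[-1].op == "any":
                raise ValueError("negative Require directive has no effect in <RequireAny> directive")
            stack[-1].children.append(Require(parts[0], " ".join(parts[1:]), negate))
        else:
            raise ValueError("unsupported line: " + line)
    return root


def decide(text, env, strict=True):
    """HTTP status the modelled section yields for a request environment (constructed input)."""
    return 200 if parse_section(text, strict).check(env) is Status.GRANTED else 403


STANDALONE_NOT = "Require not env is_a_bogon"
GUARDED_NOT = "<RequireAll>\nRequire all granted\nRequire not env is_a_bogon\n</RequireAll>"

if __name__ == "__main__":
    try:
        decide(STANDALONE_NOT, {})
    except ValueError as e:
        print("startup:", e)
    for env in ({}, {"is_a_bogon": "1"}):
        print("standalone (lenient):", env, decide(STANDALONE_NOT, env, strict=False))
        print("RequireAll-guarded:  ", env, decide(GUARDED_NOT, env))
```

Run as a script, the model first reproduces the start-up rejection of the bare `Require not env is_a_bogon`; evaluated leniently, that line yields neutral when the flag is absent and denied when it is present, so nothing ever grants and every request is a 403. Inside a RequireAll next to `Require all granted`, the negation has a positive result to subtract from, which is the shape the access howto referenced above calls for.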
Re: Stand-alone negation on Require (was: Quick 2.4 question)
Posted by Philip Prindeville <ph...@redfish-solutions.com>.
Just created it. Put Jacob, Daniel, and yourself on Cc.
> On Mar 30, 2017, at 4:32 PM, William A Rowe Jr <wr...@rowe-clan.net> wrote:
>
> On Thu, Mar 30, 2017 at 3:02 PM, Philip Prindeville
> <ph...@redfish-solutions.com> wrote:
>> I’ve not heard back so I’m going to go ahead and file a bug as a placekeeper.
>
> +1 (I'm not seeing this yet.)
>
>>> On Mar 29, 2017, at 7:04 PM, Philip Prindeville <ph...@redfish-solutions.com> wrote:
>>>
>>> to allow access contingent on the presence of a flag, it should also be possible to do the inverse: allow access contingent on the absence of a flag:
>>>
>>> <Location />
>>> Require not env is_a_bogon
>>> </Location>
>>>
>>> More broadly on a philosophical level, looking at Comment 3 by Daniel Gruno:
>>>
>>> https://bz.apache.org/bugzilla/show_bug.cgi?id=53069#c3
>>>
>>> He writes:
>>>
>>> “[…] I have made some changes to the access howto to emphasize that a negation cannot stand on its own.”
>>>
>>> Just out of curiosity, why can’t it stand on its own?
>>>
>>> I don’t see anything intrinsically wrong about gating on the _absence_ of _negative factors_.
>
> This is complete nonsense IMO, a basic CS 101 failure. Can any
> of the authors or maintainers explain?
Re: Stand-alone negation on Require (was: Quick 2.4 question)
Posted by William A Rowe Jr <wr...@rowe-clan.net>.
On Thu, Mar 30, 2017 at 3:02 PM, Philip Prindeville
<ph...@redfish-solutions.com> wrote:
> I’ve not heard back so I’m going to go ahead and file a bug as a placekeeper.
+1 (I'm not seeing this yet.)
>> On Mar 29, 2017, at 7:04 PM, Philip Prindeville <ph...@redfish-solutions.com> wrote:
>>
>> to allow access contingent on the presence of a flag, it should also be possible to do the inverse: allow access contingent on the absence of a flag:
>>
>> <Location />
>> Require not env is_a_bogon
>> </Location>
>>
>> More broadly on a philosophical level, looking at Comment 3 by Daniel Gruno:
>>
>> https://bz.apache.org/bugzilla/show_bug.cgi?id=53069#c3
>>
>> He writes:
>>
>> “[…] I have made some changes to the access howto to emphasize that a negation cannot stand on its own.”
>>
>> Just out of curiosity, why can’t it stand on its own?
>>
>> I don’t see anything intrinsically wrong about gating on the _absence_ of _negative factors_.
This is complete nonsense IMO, a basic CS 101 failure. Can any
of the authors or maintainers explain?