Posted to dev@httpd.apache.org by Philip Prindeville <ph...@redfish-solutions.com> on 2017/03/30 20:02:37 UTC

Stand-alone negation on Require (was: Quick 2.4 question)

I’ve not heard back so I’m going to go ahead and file a bug as a placekeeper.

-Philip


> On Mar 29, 2017, at 7:04 PM, Philip Prindeville <ph...@redfish-solutions.com> wrote:
> 
> We weren’t able to figure out the way to do this, and we’re both wondering if this isn’t a bug.
> 
> If you can say:
> 
> <Location />
>    Require env is_local_client
> </Location>
> 
> to allow access contingent on the presence of a flag, it should also be possible to do the inverse: allow access contingent on the absence of a flag:
> 
> <Location />
>    Require not env is_a_bogon
> </Location>
> 
> Where is_a_bogon gets set via:
> 
> LoadModule setenvif_module modules/mod_setenvif.so
> 
> BrowserMatch "^$" is_a_bogon
> BrowserMatch "^ZmEu$" is_a_bogon
> BrowserMatch "^Morfeus " is_a_bogon
> …
> 
> <IfModule mod_geoip.c>
>    SetEnvIf GEOIP_COUNTRY_CODE CN is_a_bogon
>    SetEnvIf GEOIP_COUNTRY_CODE IR is_a_bogon
>    SetEnvIf GEOIP_COUNTRY_CODE RU is_a_bogon
>    SetEnvIf GEOIP_COUNTRY_CODE VN is_a_bogon
>    …
> </IfModule>
> 
> etc.
> 
> So is_a_bogon only gets set if we’re seeing a User-Agent which is suspect, or if the traffic is originating from hacker havens.
> 
> But this doesn’t seem to be doable in any obvious way.
> 
> This looks a bit like BZ 53069.
> 
> For what it’s worth, though, I also tried:
> 
> <Location />
>    <RequireAll>
>        Require all granted
>        Require not env is_a_bogon
>    </RequireAll>
> </Location>
> 
> but that results in:
> 
> --b4972c7d-A--
> [29/Mar/2017:18:47:29 --0600] WNxVoSGJcKzTWLcEbdzNJgAAAAA 192.168.1.38 50909 192.168.1.3 443
> --b4972c7d-B--
> GET /downloads/powercodebmu-r3813-964ba7a-x86-xeon-combined-squashfs.img HTTP/1.1
> User-Agent: Wget/1.14 (darwin12.3.0)
> Accept: */*
> Host: www.redfish-solutions.com
> Connection: Keep-Alive
> 
> --b4972c7d-F--
> HTTP/1.1 403 Forbidden
> Content-Length: 276
> Keep-Alive: timeout=5, max=100
> Connection: Keep-Alive
> Content-Type: text/html; charset=iso-8859-1
> 
> --b4972c7d-E--
> 
> --b4972c7d-H--
> Apache-Error: [file "mod_authz_core.c"] [line 873] [level 3] AH01630: client denied by server configuration: %s%s
> Stopwatch: 1490834849214254 1971 (- - -)
> Stopwatch2: 1490834849214254 1971; combined=850, p1=725, p2=0, p3=1, p4=86, p5=38, sr=452, sw=0, l=0, gc=0
> Response-Body-Transformed: Dechunked
> Producer: ModSecurity for Apache/2.9.0 (http://www.modsecurity.org/); OWASP_CRS/2.2.8.
> Server: Apache/2.4.25 (Fedora) OpenSSL/1.0.2k-fips mod_nss/1.0.12 NSS/3.23 Basic ECC mod_perl/2.0.10 Perl/v5.22.3
> Engine-Mode: "ENABLED"
> 
> --b4972c7d-Z--
> 
> so it’s not clear to me if there’s any way to achieve what I’m trying to do, or why the solution in BZ 53069 wouldn’t be applicable (by analogy) here.
> 
> More broadly on a philosophical level, looking at Comment 3 by Daniel Gruno:
> 
> https://bz.apache.org/bugzilla/show_bug.cgi?id=53069#c3
> 
> He writes:
> 
> “[…] I have made some changes to the access howto to emphasize that a negation cannot stand on its own.”
> 
> Just out of curiosity, why can’t it stand on its own?
> 
> I don’t see anything intrinsically wrong about gating on the _absence_ of _negative factors_.
> 
> Can someone please set me straight?
> 
> Thanks,
> 
> -Philip
> 
> 
> 
>> Begin forwarded message:
>> 
>> From: Philip Prindeville <ph...@redfish-solutions.com>
>> Subject: Quick 2.4 question
>> Date: March 28, 2017 at 2:32:03 PM MDT
>> To: "William A. Rowe Jr." <wr...@rowe-clan.net>
>> 
>> Hi William,
>> 
>> Sorry to bother you with a triviality, but I’ve been wracking my brain with this one for a couple of hours now.
>> 
>> I had an httpd-2.4 server that’s been humming for years, but recently (like 2 days ago following a Fedora 24 update) it started balking at ALL requests.
>> 
>> Yes, I had been using Allow/Deny and mod_access_compat…  I’ll turn that off momentarily.
>> 
>> The culprit (and it took me a long time to find it!) was:
>> 
>> <Location />
>>   Deny from env=is_a_bogon
>> </Location>
>> 
>> which I tried to rewrite as:
>> 
>> <Location />
>>   Require not env is_a_bogon
>> </Location>
>> 
>> but that complains about:
>> 
>> Mar 28 14:04:49 mail httpd[2964]: AH00526: Syntax error on line 81 of /etc/httpd/conf.d/mod_setenvif.conf:
>> Mar 28 14:04:49 mail httpd[2964]: negative Require directive has no effect in <RequireAny> directive
>> 
>> I’ve also tried:
>> 
>>   Require env !is_a_bogon
>> 
>> but that gets me a syntax error.
>> 
>> I looked at the 2.4 mod_setenvif pages but unfortunately it doesn’t go into a lot of detail of how to tie the tests together in with the actual Require directives.
>> 
>> Can you set me straight here?
>> 
>> Thanks,
>> 
>> -Philip
>> 
> 
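The question Philip raises above ("why can't a negation stand on its own?") can be answered by tracing the documented mod_authz_core evaluation rules rather than by opinion. The Python model below is an added illustration for this archive page; it is not code from httpd, from this thread's authors, or from the Bugzilla discussion. It implements the tri-state result (granted / denied / neutral) that the Require, RequireAll and RequireAny documentation describes, models only the `all` and `env` providers (a constructed subset), treats bare `Require` lines in a section as the implicit `<RequireAny>` httpd wraps them in, and uses constructed request environments standing in for what mod_setenvif would set. The key observation it makes concrete: `Require not` can only ever return denied or neutral, a container that sees nothing but neutral results is itself neutral, and only a granted result at the top level authorizes the request, so a lone negation can never let anyone in.

```python
"""Model of httpd 2.4 mod_authz_core tri-state authorization logic.

Added illustration; not code from httpd or from anyone on this thread.
Semantics as documented for mod_authz_core (only the ``all`` and ``env``
providers are modelled, a constructed subset):
  * a positive Require returns GRANTED when its provider matches, DENIED otherwise;
  * ``Require not`` maps a match to DENIED and a non-match to NEUTRAL,
    so a negated directive can never grant by itself;
  * RequireAll: fails if any child fails, succeeds if none fail and at least
    one succeeds, neutral otherwise;
  * RequireAny: succeeds if any child succeeds, fails if none succeed and any
    fails, neutral otherwise;
  * bare Require lines in a section form an implicit RequireAny, and only a
    GRANTED top-level result authorizes the request (NEUTRAL is a 403 too).
"""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Dict, List, Union

GRANTED, DENIED, NEUTRAL = "granted", "denied", "neutral"
Env = Dict[str, str]  # request environment as populated by mod_setenvif


@dataclass
class Require:
    provider: str         # "all" or "env"
    arg: str              # "granted"/"denied" for all, a variable name for env
    negate: bool = False  # True models "Require not ..."

    def evaluate(self, env: Env) -> str:
        if self.provider == "all":
            matched = self.arg == "granted"
        elif self.provider == "env":
            matched = self.arg in env
        else:
            raise ValueError(f"unmodelled provider {self.provider!r}")
        if not self.negate:
            return GRANTED if matched else DENIED
        return DENIED if matched else NEUTRAL   # negation never yields GRANTED


@dataclass
class Container:
    op: str  # "all" (RequireAll) or "any" (RequireAny)
    children: List[Union[Require, "Container"]] = field(default_factory=list)

    def evaluate(self, env: Env) -> str:
        results = [child.evaluate(env) for child in self.children]
        any_granted, any_denied = GRANTED in results, DENIED in results
        if self.op == "all":
            if any_denied:
                return DENIED
            return GRANTED if any_granted else NEUTRAL
        if self.op == "any":
            if any_granted:
                return GRANTED
            return DENIED if any_denied else NEUTRAL
        raise ValueError(f"unknown container op {self.op!r}")


def authorize(section: Container, env: Env) -> bool:
    """Top-level decision: only GRANTED lets the request through."""
    return section.evaluate(env) == GRANTED


def thread_configs() -> Dict[str, Container]:
    """The three shapes discussed in the thread, as configuration trees."""
    return {
        # <Location /> Require not env is_a_bogon </Location>; httpd refuses
        # this at parse time (AH00526); the model shows it could never grant.
        "bare_negation": Container("any", [Require("env", "is_a_bogon", negate=True)]),
        # <RequireAll> Require all granted / Require not env is_a_bogon </RequireAll>
        "all_granted_minus_bogon": Container("all", [
            Require("all", "granted"),
            Require("env", "is_a_bogon", negate=True),
        ]),
        # <Location /> Require env is_local_client </Location>
        "positive_env": Container("any", [Require("env", "is_local_client")]),
    }


def decisions(env: Env) -> Dict[str, bool]:
    """Evaluate every thread configuration against one request environment."""
    return {name: authorize(cfg, env) for name, cfg in thread_configs().items()}


def negated_directive_can_grant(var: str) -> bool:
    """Exhaustive check over both states of `var`: a negated Require never grants."""
    directive = Require("env", var, negate=True)
    return any(directive.evaluate(e) == GRANTED for e in ({}, {var: "1"}))


if __name__ == "__main__":
    # Constructed request environments: clean client, flagged client, local client.
    for label, env in [("clean", {}), ("bogon", {"is_a_bogon": "1"}),
                       ("local", {"is_local_client": "1"})]:
        print(label, decisions(env))
    print("negated Require can grant:", negated_directive_can_grant("is_a_bogon"))
```

Under these rules the bare `Require not env is_a_bogon` is neutral for a clean client and denied for a flagged one, so it never admits anybody, which is what the `negative Require directive has no effect in <RequireAny> directive` error is telling the administrator. Pairing the negation with `Require all granted` inside `<RequireAll>` is the documented pattern and, in the model, denies exactly when `is_a_bogon` has been set and grants otherwise; the model says nothing about why that form produced a 403 on the server in the audit log above, since it does not see which SetEnvIf or BrowserMatch rules fired for that request.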


Re: Stand-alone negation on Require (was: Quick 2.4 question)

Posted by Philip Prindeville <ph...@redfish-solutions.com>.
Just created it.  Put Jacob, Daniel, and yourself on Cc.


> On Mar 30, 2017, at 4:32 PM, William A Rowe Jr <wr...@rowe-clan.net> wrote:
> 
> On Thu, Mar 30, 2017 at 3:02 PM, Philip Prindeville
> <ph...@redfish-solutions.com> wrote:
>> I’ve not heard back so I’m going to go ahead and file a bug as a placekeeper.
> 
> +1 (I'm not seeing this yet.)
> 
>>> On Mar 29, 2017, at 7:04 PM, Philip Prindeville <ph...@redfish-solutions.com> wrote:
>>> 
>>> to allow access contingent on the presence of a flag, it should also be possible to do the inverse: allow access contingent on the absence of a flag:
>>> 
>>> <Location />
>>>   Require not env is_a_bogon
>>> </Location>
>>> 
>>> More broadly on a philosophical level, looking at Comment 3 by Daniel Gruno:
>>> 
>>> https://bz.apache.org/bugzilla/show_bug.cgi?id=53069#c3
>>> 
>>> He writes:
>>> 
>>> “[…] I have made some changes to the access howto to emphasize that a negation cannot stand on its own.”
>>> 
>>> Just out of curiosity, why can’t it stand on its own?
>>> 
>>> I don’t see anything intrinsically wrong about gating on the _absence_ of _negative factors_.
> 
> This is complete nonsense IMO, a basic CS 101 failure. Can any
> of the authors or maintainers explain?


Re: Stand-alone negation on Require (was: Quick 2.4 question)

Posted by William A Rowe Jr <wr...@rowe-clan.net>.
On Thu, Mar 30, 2017 at 3:02 PM, Philip Prindeville
<ph...@redfish-solutions.com> wrote:
> I’ve not heard back so I’m going to go ahead and file a bug as a placekeeper.

+1 (I'm not seeing this yet.)

>> On Mar 29, 2017, at 7:04 PM, Philip Prindeville <ph...@redfish-solutions.com> wrote:
>>
>> to allow access contingent on the presence of a flag, it should also be possible to do the inverse: allow access contingent on the absence of a flag:
>>
>> <Location />
>>    Require not env is_a_bogon
>> </Location>
>>
>> More broadly on a philosophical level, looking at Comment 3 by Daniel Gruno:
>>
>> https://bz.apache.org/bugzilla/show_bug.cgi?id=53069#c3
>>
>> He writes:
>>
>> “[…] I have made some changes to the access howto to emphasize that a negation cannot stand on its own.”
>>
>> Just out of curiosity, why can’t it stand on its own?
>>
>> I don’t see anything intrinsically wrong about gating on the _absence_ of _negative factors_.

This is complete nonsense IMO, a basic CS 101 failure. Can any
of the authors or maintainers explain?