Posted to users@httpd.apache.org by "William A. Rowe Jr." <wr...@rowe-clan.net> on 2012/01/31 23:35:11 UTC
[users@httpd] Apache HTTP Server 2.2.22 Released
Apache HTTP Server 2.2.22 Released
The Apache Software Foundation and the Apache HTTP Server Project are
pleased to announce the release of version 2.2.22 of the Apache HTTP
Server ("Apache"). This version of Apache is principally a security
and bug fix release, including the following significant security fixes:
* SECURITY: CVE-2011-3368 (cve.mitre.org)
Reject requests where the request-URI does not match the HTTP
specification, preventing unexpected expansion of target URLs in
some reverse proxy configurations.
* SECURITY: CVE-2011-3607 (cve.mitre.org)
Fix integer overflow in ap_pregsub() which, when the mod_setenvif module
is enabled, could allow local users to gain privileges via a .htaccess
file.
* SECURITY: CVE-2011-4317 (cve.mitre.org)
Resolve additional cases of URL rewriting with ProxyPassMatch or
RewriteRule, where particular request-URIs could result in undesired
backend network exposure in some configurations.
* SECURITY: CVE-2012-0021 (cve.mitre.org)
mod_log_config: Fix segfault (crash) when the '%{cookiename}C' log format
string is in use and a client sends a nameless, valueless cookie, causing
a denial of service. The issue existed since version 2.2.17.
* SECURITY: CVE-2012-0031 (cve.mitre.org)
Fix scoreboard issue which could allow an unprivileged child process to
cause the parent to crash at shutdown rather than terminate cleanly.
* SECURITY: CVE-2012-0053 (cve.mitre.org)
Fixed an issue in error responses that could expose "httpOnly" cookies
when no custom ErrorDocument is specified for status code 400.
The Apache HTTP Project thanks halfdog, Context Information Security Ltd,
Prutha Parikh of Qualys, and Norman Hippert for bringing these issues to
the attention of the security team.
We consider this release to be the best version of Apache available, and
encourage users of all prior versions to upgrade.
Apache HTTP Server 2.2.22 is available for download from:
http://httpd.apache.org/download.cgi
Please see the CHANGES_2.2 file, linked from the download page, for a
full list of changes. A condensed list, CHANGES_2.2.22, includes only
those changes introduced since the prior 2.2 release. A summary of all
of the security vulnerabilities addressed in this and earlier releases
is available:
http://httpd.apache.org/security/vulnerabilities_22.html
This release includes the Apache Portable Runtime (APR) version 1.4.5
and APR Utility Library (APR-util) version 1.4.2, bundled with the tar
and zip distributions. The APR libraries libapr and libaprutil (and
on Win32, libapriconv version 1.2.1) must all be updated to ensure
binary compatibility and address many known security and platform bugs.
APR-util version 1.4 represents a minor version upgrade from earlier
httpd source distributions, which previously included version 1.3.
Apache 2.2 offers numerous enhancements, improvements, and performance
boosts over the 2.0 codebase. For an overview of new features
introduced since 2.0 please see:
http://httpd.apache.org/docs/2.2/new_features_2_2.html
This release builds on and extends the Apache 2.0 API. Modules written
for Apache 2.0 will need to be recompiled in order to run with Apache
2.2, and require minimal or no source code changes.
http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/VERSIONING
When upgrading or installing this version of Apache, please bear in mind
that if you intend to use Apache with one of the threaded MPMs (other
than the Prefork MPM), you must ensure that any modules you will be
using (and the libraries they depend on) are thread-safe.
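The cookie edge case named under CVE-2012-0021 (a cookie with neither name nor value reaching a '%{name}C' log item) is easy to get wrong in any header parser. The following is an added illustration written for this page, not code from httpd: a tolerant Cookie header parser and a lookup that mirrors what a '%{name}C' item shows (the cookie's value, or "-" when the request carried no such cookie). The sample headers are constructed.

```python
from typing import List, Tuple


def parse_cookie_header(header: str) -> List[Tuple[str, str]]:
    """Split a Cookie request header into (name, value) pairs.

    Written to survive the malformed input CVE-2012-0021 describes: a
    segment that is only "=" (no name, no value), a bare name with no "=",
    or empty segments from "; ;".  Nothing is indexed without first
    checking that it exists, and nothing is dropped silently except
    segments that contain no characters at all.
    """
    pairs: List[Tuple[str, str]] = []
    for raw in header.split(";"):
        segment = raw.strip()
        if not segment:
            continue                      # "; ;" yields an empty segment
        name, sep, value = segment.partition("=")
        # No "=": a name with no value.  Leading "=": a nameless cookie.
        # Both are recorded as-is so the caller can see the client sent them.
        pairs.append((name.strip(), value.strip() if sep else ""))
    return pairs


def log_cookie(header: str, wanted: str) -> str:
    """Field a %{wanted}C log item shows: the cookie's value when the
    request carried it, "-" otherwise (the "-" seen in a cookies.log
    line when the named cookie is absent)."""
    for name, value in parse_cookie_header(header or ""):
        if name == wanted:
            return value
    return "-"


# Constructed request headers, not captured traffic.
SAMPLE_HEADERS = {
    "normal":   "session=abc123; theme=dark",
    "nameless": "session=abc123; =; theme=dark",   # the bare "=" segment
    "bare":     "session=abc123; ; flag",
    "empty":    "",
}

if __name__ == "__main__":
    for label, hdr in SAMPLE_HEADERS.items():
        print(f"{label:9} pairs={parse_cookie_header(hdr)} "
              f"theme={log_cookie(hdr, 'theme')}")
```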
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
To unsubscribe from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
[users@httpd] Re: Apache HTTP Server 2.2.22 Released
Posted by DW <xf...@hotmail.com>.
Any ideas if there is any official distribution point for Win 64-bit?
William A. Rowe Jr. wrote:
> Apache HTTP Server 2.2.22 Released
>
>
> Apache HTTP Server 2.2.22 is available for download from:
>
> http://httpd.apache.org/download.cgi
>
Re: [users@httpd] Logging ALL cookies on requests from specific IP address range?
Posted by J LANCE WILKINSON <jl...@psu.edu>.
Igor Cicimov wrote:
> Maybe ssldump can help you to some level.
I'll pass that on. We're now past that, we know what may be causing
the issues, and I've got another query in to this august community in
the hopes I can get a solution -- mod_remoteip (retrofit to Apache 2.2)
doesn't seem to be working properly, ignoring X-Forwarded-For headers
when the forwarded address is a 172.16.0.0/12 network.
>
> On Feb 24, 2012 11:22 PM, "J LANCE WILKINSON" <jlw12@psu.edu> wrote:
>
> Wow. Thanks. I'll share that w/ my network colleagues. One of
> them has wanted to use WireShark against this problem, but
> complained that since much of the dialog is SSL encrypted, WireShark
> has some issues with this apparently. Any guidance on that?
>
> --
> J.Lance Wilkinson ("Lance") InterNet: Lance.Wilkinson@psu.edu
> Systems Design Specialist - Lead Phone: (814) 865-4870
> Digital Library Technologies FAX: (814) 863-3560
> E3 Paterno Library
> Penn State University
> University Park, PA 16802
>
> ----- Original Message -----
> From: "Tom Evans" <tevans.uk@googlemail.com>
> To: users@httpd.apache.org
> Sent: Friday, February 24, 2012 7:17:11 AM
> Subject: Re: [users@httpd] Logging ALL cookies on requests from
> specific IP address range?
>
> On Thu, Feb 23, 2012 at 9:09 PM, J.Lance Wilkinson <jlw12@psu.edu> wrote:
> > Apache 2.2.6 on Solaris.
> >
> > We've encountered an issue where cookies seem to be disappearing.
> We think
> > it has something to do with a Load Balancer the traffic is
> passing through.
> >
> > We want to log the cookies being received to try to find out
> what's going
> > on.
> >
> > I tried adding the following to my configuration to try to see if
> I *could*
> > capture all the cookies.
> >
> > LogFormat "%h %l %u %t \"%r\" %>s %b \"%{the-cookie-name}C\"" cookies
> >
> > CustomLog cookies.log cookies
> >
> >
> > What's showing up in this log file is (<ip> & <tstamp> to save
> wrapping of
> > line) :
> >
> > <ip> - - [<tstamp>] "GET /images/twitter.jpg HTTP/1.0" 200 1014 "-"
> >
> > Does this mean the cookie named "the-cookie-name" did not appear
> in the
> > request?
>
> Yes.
>
> >
> > I tried getting ALL cookies by using %{*}C and got the same
> results. I'd
> > like to get ALL the cookies, since we don't know *exactly* what's
> being
> > dropped.
> >
>
> I wouldn't do it like that. Instead, I would use tcpdump to look at
> the request coming in to the balancer, the request going out of the
> balancer to the backend, the response coming from the backend back to
> the balancer, and the response from the balancer to the client.
>
> However...
>
> You can use the format %{FOO}i and %{FOO}o to examine input and output
> headers respectively, and use that to log the "Cookie" request header,
> and the "Set-Cookie" response header. The downside to this is that
> there are also Cookie2 and Set-Cookie2 headers, so you may need to
> check those also.
>
> Using tcpdump would allow you to generate a dump file which could be
> imported into wireshark, which would completely decode the packets and
> show you the requests and timeline in a clear and easy to understand
> format.
>
> Something like this would produce an appropriate dump in the file
> dump.pcap:
>
> tcpdump -s 0 -i eth0 -w dump.pcap 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
>
> If it is a busy server, you could filter further to just look at one
> client; check out the tcpdump man page.
>
> Cheers
>
> Tom
>
--
J.Lance Wilkinson ("Lance") InterNet: Lance.Wilkinson@psu.edu
Systems Design Specialist - Lead Phone: (814) 865-4870
Digital Library Technologies FAX: (814) 863-3560
E3 Paterno Library
Penn State University
University Park, PA 16802
Re: [users@httpd] Logging ALL cookies on requests from specific IP address range?
Posted by Igor Cicimov <ic...@gmail.com>.
Maybe ssldump can help you to some level.
On Feb 24, 2012 11:22 PM, "J LANCE WILKINSON" <jl...@psu.edu> wrote:
> Wow. Thanks. I'll share that w/ my network colleagues. One of them has
> wanted to use WireShark against this problem, but complained that since
> much of the dialog is SSL encrypted, WireShark has some issues with this
> apparently. Any guidance on that?
>
> --
> J.Lance Wilkinson ("Lance") InterNet: Lance.Wilkinson@psu.edu
> Systems Design Specialist - Lead Phone: (814) 865-4870
> Digital Library Technologies FAX: (814) 863-3560
> E3 Paterno Library
> Penn State University
> University Park, PA 16802
>
> ----- Original Message -----
> From: "Tom Evans" <te...@googlemail.com>
> To: users@httpd.apache.org
> Sent: Friday, February 24, 2012 7:17:11 AM
> Subject: Re: [users@httpd] Logging ALL cookies on requests from specific
> IP address range?
>
> On Thu, Feb 23, 2012 at 9:09 PM, J.Lance Wilkinson <jl...@psu.edu> wrote:
> > Apache 2.2.6 on Solaris.
> >
> > We've encountered an issue where cookies seem to be disappearing. We
> think
> > it has something to do with a Load Balancer the traffic is passing
> through.
> >
> > We want to log the cookies being received to try to find out what's going
> > on.
> >
> > I tried adding the following to my configuration to try to see if I
> *could*
> > capture all the cookies.
> >
> > LogFormat "%h %l %u %t \"%r\" %>s %b \"%{the-cookie-name}C\"" cookies
> >
> > CustomLog cookies.log cookies
> >
> >
> > What's showing up in this log file is (<ip> & <tstamp> to save wrapping
> of
> > line) :
> >
> > <ip> - - [<tstamp>] "GET /images/twitter.jpg HTTP/1.0" 200 1014 "-"
> >
> > Does this mean the cookie named "the-cookie-name" did not appear in the
> > request?
>
> Yes.
>
> >
> > I tried getting ALL cookies by using %{*}C and got the same results. I'd
> > like to get ALL the cookies, since we don't know *exactly* what's being
> > dropped.
> >
>
> I wouldn't do it like that. Instead, I would use tcpdump to look at
> the request coming in to the balancer, the request going out of the
> balancer to the backend, the response coming from the backend back to
> the balancer, and the response from the balancer to the client.
>
> However...
>
> You can use the format %{FOO}i and %{FOO}o to examine input and output
> headers respectively, and use that to log the "Cookie" request header,
> and the "Set-Cookie" response header. The downside to this is that
> there are also Cookie2 and Set-Cookie2 headers, so you may need to
> check those also.
>
> Using tcpdump would allow you to generate a dump file which could be
> imported into wireshark, which would completely decode the packets and
> show you the requests and timeline in a clear and easy to understand
> format.
>
> Something like this would produce an appropriate dump in the file
> dump.pcap:
>
> tcpdump -s 0 -i eth0 -w dump.pcap 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
>
> If it is a busy server, you could filter further to just look at one
> client; check out the tcpdump man page.
>
> Cheers
>
> Tom
>
[users@httpd] RemoteIP and private networks (was: Logging ALL cookies on requests from specific IP address range?)
Posted by "J.Lance Wilkinson" <jl...@psu.edu>.
J LANCE WILKINSON wrote:
> Wow. Thanks. I'll share that w/ my network colleagues. One of them has
> wanted to use WireShark against this problem, but complained that since much
> of the dialog is SSL encrypted, WireShark has some issues with this
> apparently. Any guidance on that?
>
Further research has shown that the requests in question, as they come thru our
load balancer, all have the requisite X-Forwarded-For: header that we depend on
to associate the request with the "REAL" IP address of the browser making the
request.
We use mod_remoteip to honor this header.
The requests which are failing to be processed correctly are coming thru a VPN
connection which assigns a 172... private non-routable address. Observation
suggests that when requests come from those addresses, the substitution of the
load balancer's IP address with the X-Forwarded-For: header is failing to
happen. Access log entries show the request with the load balancer's IP address.
We have another VPN which imposes a 146... address. These log the 146...
address just fine.
And requests that don't use a VPN of course are logging with the browser's, not
the load balancer's address.
So I found what I *think* is the source code online (somebody else compiled
the .so file we use so I can't check the source he actually used), and sure
enough there's code that limits its function for private IP addresses in lines
348 thru 380. The implication to ME is that if the proxy is an INTERNAL one,
the private IPs are allowed, while for non-internal trusted proxies they are
ignored. So I added a RemoteIPInternalProxy directive to my existing
RemoteIPTrustedProxy, both specifying my load balancer's address.
Turning on debugging, the error log contains documentation to support this too:
[Fri Feb 24 10:52:27 2012] [debug] mod_remoteip.c(368): [client 128.118.12.34]
RemoteIP: Header X-Forwarded-For value of 172.25.2.162 appears to be a private
IP or nonsensical. Ignored, referer:
http://daytripper.libraries.psu.edu/psul/home.html?
Now, this is in effect with
RemoteIPHeader X-Forwarded-For
RemoteIPTrustedProxy 128.118.12.34
RemoteIPInternalProxy 128.118.12.34
in place...
Tried with only RemoteIPInternalProxy specified as well, same results.
Thoughts?
--
J.Lance Wilkinson ("Lance") InterNet: Lance.Wilkinson@psu.edu
Systems Design Specialist - Lead Phone: (814) 865-4870
Digital Library Technologies FAX: (814) 863-3560
E3 Paterno Library
Penn State University
University Park, PA 16802
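An added model of the trusted-versus-internal distinction the debug message above describes (illustrative code written for this page, not mod_remoteip's source): the X-Forwarded-For chain is walked right to left, a hop through an internal proxy accepts any address, and a hop through a merely trusted proxy refuses a private or unparsable one, leaving the proxy itself as the logged client. The load balancer and 172.25.2.162 are the addresses quoted in the message; the 146.186.1.10 client and the 10.0.0.0/8 inner proxy are constructed, and treating a proxy on both lists as internal is this model's assumption.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Addresses quoted in the message: the load balancer and the VPN client.
LOAD_BALANCER = "128.118.12.34"
VPN_CLIENT = "172.25.2.162"


@dataclass
class Resolution:
    client: str                          # address the access log would record
    proxies: List[str] = field(default_factory=list)  # accepted hops, outermost first
    note: Optional[str] = None           # why the walk stopped early, if it did


def _private_or_nonsensical(ip) -> bool:
    """Addresses a merely trusted proxy is not allowed to vouch for."""
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_unspecified or ip.is_reserved)


def resolve_client(peer: str, xff: str,
                   trusted: List[str], internal: List[str]) -> Resolution:
    """Walk X-Forwarded-For from the right while the current peer is a proxy
    we trust.  Modelling assumption: an internal proxy may hand us any
    address, private ones included; a proxy that is only trusted may not hand
    us a private or unparsable one, so the walk stops and the proxy itself
    stays as the client.  A proxy on both lists is treated as internal."""
    trusted_nets = [ipaddress.ip_network(n, strict=False) for n in trusted]
    internal_nets = [ipaddress.ip_network(n, strict=False) for n in internal]
    current = ipaddress.ip_address(peer)
    chain = [s.strip() for s in xff.split(",") if s.strip()]
    result = Resolution(client=str(current))

    while chain:
        if any(current in n for n in internal_nets):
            internal_hop = True
        elif any(current in n for n in trusted_nets):
            internal_hop = False
        else:
            break                              # peer is not a proxy we trust
        candidate_text = chain.pop()           # rightmost entry: added by 'current'
        try:
            candidate = ipaddress.ip_address(candidate_text)
        except ValueError:
            result.note = f"Header value {candidate_text!r} is nonsensical. Ignored"
            break
        if not internal_hop and _private_or_nonsensical(candidate):
            result.note = (f"Header value of {candidate} appears to be a "
                           f"private IP or nonsensical. Ignored")
            break
        result.proxies.append(str(current))
        current = candidate
        result.client = str(current)
    return result


if __name__ == "__main__":
    # Trusted only: the 172.x address is refused and the balancer is logged.
    print(resolve_client(LOAD_BALANCER, VPN_CLIENT, [LOAD_BALANCER], []))
    # Internal: the 172.x address is accepted.
    print(resolve_client(LOAD_BALANCER, VPN_CLIENT, [LOAD_BALANCER], [LOAD_BALANCER]))
```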
Re: [users@httpd] Logging ALL cookies on requests from specific IP address range?
Posted by J LANCE WILKINSON <jl...@psu.edu>.
Wow. Thanks. I'll share that w/ my network colleagues. One of them has wanted to use WireShark against this problem, but complained that since much of the dialog is SSL encrypted, WireShark has some issues with this apparently. Any guidance on that?
--
J.Lance Wilkinson ("Lance") InterNet: Lance.Wilkinson@psu.edu
Systems Design Specialist - Lead Phone: (814) 865-4870
Digital Library Technologies FAX: (814) 863-3560
E3 Paterno Library
Penn State University
University Park, PA 16802
----- Original Message -----
From: "Tom Evans" <te...@googlemail.com>
To: users@httpd.apache.org
Sent: Friday, February 24, 2012 7:17:11 AM
Subject: Re: [users@httpd] Logging ALL cookies on requests from specific IP address range?
On Thu, Feb 23, 2012 at 9:09 PM, J.Lance Wilkinson <jl...@psu.edu> wrote:
> Apache 2.2.6 on Solaris.
>
> We've encountered an issue where cookies seem to be disappearing. We think
> it has something to do with a Load Balancer the traffic is passing through.
>
> We want to log the cookies being received to try to find out what's going
> on.
>
> I tried adding the following to my configuration to try to see if I *could*
> capture all the cookies.
>
> LogFormat "%h %l %u %t \"%r\" %>s %b \"%{the-cookie-name}C\"" cookies
>
> CustomLog cookies.log cookies
>
>
> What's showing up in this log file is (<ip> & <tstamp> to save wrapping of
> line) :
>
> <ip> - - [<tstamp>] "GET /images/twitter.jpg HTTP/1.0" 200 1014 "-"
>
> Does this mean the cookie named "the-cookie-name" did not appear in the
> request?
Yes.
>
> I tried getting ALL cookies by using %{*}C and got the same results. I'd
> like to get ALL the cookies, since we don't know *exactly* what's being
> dropped.
>
I wouldn't do it like that. Instead, I would use tcpdump to look at
the request coming in to the balancer, the request going out of the
balancer to the backend, the response coming from the backend back to
the balancer, and the response from the balancer to the client.
However...
You can use the format %{FOO}i and %{FOO}o to examine input and output
headers respectively, and use that to log the "Cookie" request header,
and the "Set-Cookie" response header. The downside to this is that
there are also Cookie2 and Set-Cookie2 headers, so you may need to
check those also.
Using tcpdump would allow you to generate a dump file which could be
imported into wireshark, which would completely decode the packets and
show you the requests and timeline in a clear and easy to understand
format.
Something like this would produce an appropriate dump in the file dump.pcap:
tcpdump -s 0 -i eth0 -w dump.pcap 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
If it is a busy server, you could filter further to just look at one
client; check out the tcpdump man page.
Cheers
Tom
Re: [users@httpd] Logging ALL cookies on requests from specific IP address range?
Posted by Tom Evans <te...@googlemail.com>.
On Thu, Feb 23, 2012 at 9:09 PM, J.Lance Wilkinson <jl...@psu.edu> wrote:
> Apache 2.2.6 on Solaris.
>
> We've encountered an issue where cookies seem to be disappearing. We think
> it has something to do with a Load Balancer the traffic is passing through.
>
> We want to log the cookies being received to try to find out what's going
> on.
>
> I tried adding the following to my configuration to try to see if I *could*
> capture all the cookies.
>
> LogFormat "%h %l %u %t \"%r\" %>s %b \"%{the-cookie-name}C\"" cookies
>
> CustomLog cookies.log cookies
>
>
> What's showing up in this log file is (<ip> & <tstamp> to save wrapping of
> line) :
>
> <ip> - - [<tstamp>] "GET /images/twitter.jpg HTTP/1.0" 200 1014 "-"
>
> Does this mean the cookie named "the-cookie-name" did not appear in the
> request?
Yes.
>
> I tried getting ALL cookies by using %{*}C and got the same results. I'd
> like to get ALL the cookies, since we don't know *exactly* what's being
> dropped.
>
I wouldn't do it like that. Instead, I would use tcpdump to look at
the request coming in to the balancer, the request going out of the
balancer to the backend, the response coming from the backend back to
the balancer, and the response from the balancer to the client.
However...
You can use the format %{FOO}i and %{FOO}o to examine input and output
headers respectively, and use that to log the "Cookie" request header,
and the "Set-Cookie" response header. The downside to this is that
there are also Cookie2 and Set-Cookie2 headers, so you may need to
check those also.
Using tcpdump would allow you to generate a dump file which could be
imported into wireshark, which would completely decode the packets and
show you the requests and timeline in a clear and easy to understand
format.
Something like this would produce an appropriate dump in the file dump.pcap:
tcpdump -s 0 -i eth0 -w dump.pcap 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
If it is a busy server, you could filter further to just look at one
client; check out the tcpdump man page.
Cheers
Tom
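To make the filter's arithmetic concrete, here is an added example (written for this page, not code from the post) that rebuilds it in Python over constructed IPv4/TCP packets: it computes the TCP payload length exactly as the BPF expression does (IP total length minus IP header length minus TCP header length) and reports whether a packet would be written to dump.pcap. The packet builder, addresses and ports are constructed.

```python
import struct

# Constructed endpoints (RFC 5737 documentation ranges), not real hosts.
SRC_IP = bytes([192, 0, 2, 10])
DST_IP = bytes([198, 51, 100, 20])


def build_ipv4_tcp(payload: bytes, sport: int, dport: int,
                   tcp_options: bytes = b"", flags: int = 0x18) -> bytes:
    """Constructed sample packet: IPv4 header, TCP header (+ options), payload.
    Checksums stay zero; the filter never inspects them."""
    if len(tcp_options) % 4:
        raise ValueError("TCP options must be padded to a 4-byte multiple")
    data_offset_words = 5 + len(tcp_options) // 4
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          sport, dport,
                          1, 1,                        # seq, ack numbers
                          data_offset_words << 4,      # upper nibble = header length
                          flags,                       # 0x18 = PSH|ACK, 0x10 = ACK
                          65535, 0, 0) + tcp_options   # window, checksum, urgent
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0,                      # version 4, IHL 5 words
                         total_len, 0, 0x4000,         # total length, id, DF flag
                         64, 6, 0,                     # TTL, protocol TCP, checksum
                         SRC_IP, DST_IP)
    return ip_hdr + tcp_hdr + payload


def tcp_payload_len(pkt: bytes) -> int:
    """The BPF expression, byte for byte:
        ip[2:2] - ((ip[0]&0xf)<<2) - ((tcp[12]&0xf0)>>2)
    tcpdump resolves tcp[12] relative to the TCP header; here that is ihl + 12."""
    total_len = int.from_bytes(pkt[2:4], "big")       # ip[2:2]
    ihl = (pkt[0] & 0x0F) << 2                         # (ip[0]&0xf)<<2
    data_offset = (pkt[ihl + 12] & 0xF0) >> 2          # (tcp[12]&0xf0)>>2
    return total_len - ihl - data_offset


def matches_filter(pkt: bytes, port: int = 80) -> bool:
    """'tcp port 80 and (<payload length> != 0)': true only for IPv4 TCP
    segments to or from the port that actually carry bytes, so bare ACKs and
    handshake packets are kept out of dump.pcap."""
    if (pkt[0] >> 4) != 4 or pkt[9] != 6:
        return False
    ihl = (pkt[0] & 0x0F) << 2
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    if port not in (sport, dport):
        return False
    return tcp_payload_len(pkt) != 0


if __name__ == "__main__":
    ack = build_ipv4_tcp(b"", 51515, 80, flags=0x10)
    get = build_ipv4_tcp(b"GET /images/twitter.jpg HTTP/1.0\r\n\r\n", 51515, 80)
    for label, p in (("bare ACK", ack), ("GET", get)):
        print(f"{label:8} payload={tcp_payload_len(p):3d} captured={matches_filter(p)}")
```

The same arithmetic holds when TCP options lengthen the header, which is why the filter reads the data offset nibble instead of assuming 20 bytes.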
[users@httpd] Logging ALL cookies on requests from specific IP address range?
Posted by "J.Lance Wilkinson" <jl...@psu.edu>.
Apache 2.2.6 on Solaris.
We've encountered an issue where cookies seem to be disappearing. We think it
has something to do with a Load Balancer the traffic is passing through.
We want to log the cookies being received to try to find out what's going on.
I tried adding the following to my configuration to try to see if I *could*
capture all the cookies.
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{the-cookie-name}C\"" cookies
CustomLog cookies.log cookies
What's showing up in this log file is (<ip> & <tstamp> to save wrapping of line) :
<ip> - - [<tstamp>] "GET /images/twitter.jpg HTTP/1.0" 200 1014 "-"
Does this mean the cookie named "the-cookie-name" did not appear in the request?
I tried getting ALL cookies by using %{*}C and got the same results. I'd like
to get ALL the cookies, since we don't know *exactly* what's being dropped.
--
J.Lance Wilkinson ("Lance") InterNet: Lance.Wilkinson@psu.edu
Systems Design Specialist - Lead Phone: (814) 865-4870
Digital Library Technologies FAX: (814) 863-3560
E3 Paterno Library
Penn State University
University Park, PA 16802
Re: [users@httpd] Dynamic selection of mod_authnz_ldap's 'require ldap-group' object?
Posted by Eric Covener <co...@gmail.com>.
On Thu, Mar 22, 2012 at 2:03 PM, Eric Covener <co...@gmail.com> wrote:
>> So, how to supply the information parsed from the URI as part of the
>> argument to the require ldap-group directive *at REQUEST time*. Is
>> that %{xxx} resolution something that takes place at the time the
>> request is being serviced and honored, or is it something that only
>> applies as the configuration is being processed?
>>
>> I'm already using mod_define.so as a loaded module, if that makes
>> any difference (to my advantage or disadvantage...)...
>
> I'm pretty sure you'd need to teach the guts of mod_authnz_ldap to
> parse its configuration like that. mod_proxy has code for this
> already and a flag to turn the interpolation on and off. I don't
> think there's a config-only solution.
Please open an enhancement in bugzilla and add me to CC.
Any detail helps. You'd have to capture it with setenvif, not LocationMatch.
Re: [users@httpd] Dynamic selection of mod_authnz_ldap's 'require ldap-group' object?
Posted by Eric Covener <co...@gmail.com>.
> So, how to supply the information parsed from the URI as part of the
> argument to the require ldap-group directive *at REQUEST time*. Is
> that %{xxx} resolution something that takes place at the time the
> request is being serviced and honored, or is it something that only
> applies as the configuration is being processed?
>
> I'm already using mod_define.so as a loaded module, if that makes
> any difference (to my advantage or disadvantage...)...
I'm pretty sure you'd need to teach the guts of mod_authnz_ldap to
parse its configuration like that. mod_proxy has code for this
already and a flag to turn the interpolation on and off. I don't
think there's a config-only solution.
Re: [users@httpd] Dynamic selection of mod_authnz_ldap's 'require ldap-group' object?
Posted by "J.Lance Wilkinson" <jl...@psu.edu>.
J.Lance Wilkinson wrote:
> I don't believe I ever got a reply to this, so since it's been a month I'll
> repeat it...
>
> the story so far: I have a need to be able to parse into an
> environment variable (using Rewrite rules or some such) a value
> that then can be used in a *require* directive like
>
> require ldap-group
> or require ldap-filter
>
> Using Apache v2.2.6 on Solaris 10, Apache 2.2.15 on Linux RHEL 6,
> pretty much the same Apache configurations on both.
>
> Is this something possible NOW using stock modules, or is this
> something that I will have with Apache 2.4 and its stock modules,
> or is this something I would need to implement new or modified
> code to achieve?
I'll further clarify what I WANT to do...
<Location ~ "^/(.*)/member.(.*)(.html|/(.*)?)$">
SetEnvIf Request_URI "^/(.*)/member.(.*)(.html|/(.*)?)$" MBRSHP=$2
...
require ldap-group cn=umg/%{MBRSHP},dc=xxx,dc=yyy:
...
</Location>
So, how to supply the information parsed from the URI as part of the
argument to the require ldap-group directive *at REQUEST time*. Is
that %{xxx} resolution something that takes place at the time the
request is being serviced and honored, or is it something that only
applies as the configuration is being processed?
I'm already using mod_define.so as a loaded module, if that makes
any difference (to my advantage or disadvantage...)...
--
J.Lance Wilkinson ("Lance") InterNet: Lance.Wilkinson@psu.edu
Systems Design Specialist - Lead Phone: (814) 865-4870
Digital Library Technologies FAX: (814) 863-3560
E3 Paterno Library
Penn State University
University Park, PA 16802
Re: [users@httpd] Dynamic selection of mod_authnz_ldap's 'require ldap-group' object?
Posted by "J.Lance Wilkinson" <jl...@psu.edu>.
I don't believe I ever got a reply to this, so since it's been a month I'll
repeat it...
the story so far: I have a need to be able to parse into an
environment variable (using Rewrite rules or some such) a value
that then can be used in a *require* directive like
require ldap-group
or require ldap-filter
Using Apache v2.2.6 on Solaris 10, Apache 2.2.15 on Linux RHEL 6,
pretty much the same Apache configurations on both.
Is this something possible NOW using stock modules, or is this
something that I will have with Apache 2.4 and its stock modules,
or is this something I would need to implement new or modified
code to achieve?
Eric Covener wrote:
> LDAP attributes can be loaded into AUTHENTICATE_* vars and can be
> queried, but you might not be able to express the rules you need using
> attributes only.
Not sure exactly what you're saying here... "AUTHENTICATE_* vars"
are those environment variables or something? I've never seen them
in the environment presented to a CGI script or a PHP script. Are
they environment variables that can be used in other Apache directives?
As I currently use things like %{REQUEST_URI} in a rewrite rule or
rewrite condition? If that's the case, what gets substituted for
the "*"? Is it AUTHENTICATE_attribute like AUTHENTICATE_UID or
AUTHENTICATE_MAIL, substituting LDAP attributes for the wildcard,
or is there some specific vocabulary of substitutions for the
wildcard? Is there a listing or documentation someplace that
specifically addresses this that I've missed?
>
> Some directory servers allow group membership to be read as a "magic"
> attribute in LDAP. Notably, tivoli directory server allows an
> ibm-allGroups element to be used (result only, not filtered on) which
> you could then find a way to check more dynamically (setenvif, allow
> from env=...).
I think we may be using those features on our university-wide
LDAP server here, but not in that manner. I have used at least one
ibm-* attribute in other capacities, but with custom developed
code in a CGI script, not at the Apache authentication/authorization
level.
--
J.Lance Wilkinson ("Lance") InterNet: Lance.Wilkinson@psu.edu
Systems Design Specialist - Lead Phone: (814) 865-4870
Digital Library Technologies FAX: (814) 863-3560
E3 Paterno Library
Penn State University
University Park, PA 16802
Re: [users@httpd] Dynamic selection of mod_authnz_ldap's 'require ldap-group' object?
Posted by "J.Lance Wilkinson" <jl...@psu.edu>.
Eric Covener wrote:
> LDAP attributes can be loaded into AUTHENTICATE_* vars and can be
> queried, but you might not be able to express the rules you need using
> attributes only.
Not sure exactly what you're saying here... "AUTHENTICATE_* vars"
are those environment variables or something? I've never seen them
in the environment presented to a CGI script or a PHP script. Are
they environment variables that can be used in other Apache directives?
As I currently use things like %{REQUEST_URI} in a rewrite rule or
rewrite condition? If that's the case, what gets substituted for
the "*"? Is it AUTHENTICATE_attribute like AUTHENTICATE_UID or
AUTHENTICATE_MAIL, substituting LDAP attributes for the wildcard,
or is there some specific vocabulary of substitutions for the
wildcard? Is there a listing or documentation someplace that
specifically addresses this that I've missed?
>
> Some directory servers allow group membership to be read as a "magic"
> attribute in LDAP. Notably, tivoli directory server allows an
> ibm-allGroups element to be used (result only, not filtered on) which
> you could then find a way to check more dynamically (setenvif, allow
> from env=...).
I think we may be using those features on our university-wide
LDAP server here, but not in that manner. I have used at least one
ibm-* attribute in other capacities, but with custom developed
code in a CGI script, not at the Apache authentication/authorization
level.
--
J.Lance Wilkinson ("Lance") InterNet: Lance.Wilkinson@psu.edu
Systems Design Specialist - Lead Phone: (814) 865-4870
Digital Library Technologies FAX: (814) 863-3560
E3 Paterno Library
Penn State University
University Park, PA 16802
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Dynamic selection of mod_authnz_ldap's 'require ldap-group' object?
Posted by Eric Covener <co...@gmail.com>.
On Fri, Feb 24, 2012 at 8:59 AM, J.Lance Wilkinson <jl...@psu.edu> wrote:
> Eric Covener wrote:
>>
>> IIRC, there was a patch contributed that allowed the filter to be set
>> dynamically [but not the require]. Might turn something up in
>> bugzilla.
>
>
> Shoot. Don't really like to be selectively patching things
> like that. But will look into it. Setting the filter dynamically
> would probably do the trick. Thanks.
>
LDAP attributes can be loaded into AUTHENTICATE_* vars and can be
queried, but you might not be able to express the rules you need using
attributes only.
Some directory servers allow group membership to be read as a "magic"
attribute in LDAP. Notably, tivoli directory server allows an
ibm-allGroups element to be used (result only, not filtered on) which
you could then find a way to check more dynamically (setenvif, allow
from env=...).
Re: [users@httpd] Dynamic selection of mod_authnz_ldap's 'require ldap-group' object?
Posted by "J.Lance Wilkinson" <jl...@psu.edu>.
Eric Covener wrote:
> IIRC, there was a patch contributed that allowed the filter to be set
> dynamically [but not the require]. Might turn something up in
> bugzilla.
Shoot. Don't really like to be selectively patching things
like that. But will look into it. Setting the filter dynamically
would probably do the trick. Thanks.
--
J.Lance Wilkinson ("Lance") InterNet: Lance.Wilkinson@psu.edu
Systems Design Specialist - Lead Phone: (814) 865-4870
Digital Library Technologies FAX: (814) 863-3560
E3 Paterno Library
Penn State University
University Park, PA 16802
Re: [users@httpd] Dynamic selection of mod_authnz_ldap's 'require ldap-group' object?
Posted by Eric Covener <co...@gmail.com>.
IIRC, there was a patch contributed that allowed the filter to be set
dynamically [but not the require]. Might turn something up in
bugzilla.
Re: [users@httpd] Dynamic selection of mod_authnz_ldap's 'require ldap-group' object?
Posted by "J.Lance Wilkinson" <jl...@psu.edu>.
I'd said:
>
> I'm presuming that there's some way, using a mod_rewrite rule, to
> extract the desired information from the URI and stash it, say, in
> an environment variable. The task then is to somehow use that
> extracted value to impose the appropriate restrictions in the
> require directive. Thus, website authors create a directory path
> ..../restricted/THIS.LDAP.GROUP/content.that.is.restricted.html and the required group
> would automatically be cn=THIS.LDAP.GROUP for that directory and below.
Igor Cicimov wrote:
> Have a look at SetEnvIf and mod_rewrite where you can set environment
> variable based on something in the headers, uri and/or request string.
> Not sure if you can use that var inside mod_authz_ldap though.
And there's the rub -- as I'd already guessed, you're confirming
there is a way to extract the desired value for a group name or filter
specification from the presented URI.
The issue remains whether I can USE that value in the REQUIRE directive
effective while satisfying the request implied by that presented URI
without somehow enhancing the functionality of the REQUIRE directive
and the extension that mod_authnz_ldap (or maybe it's util_ldap or
some other module?) provides when it adds ldap-group and ldap-filter
as potential objects to the directive.
--
J.Lance Wilkinson ("Lance") InterNet: Lance.Wilkinson@psu.edu
Systems Design Specialist - Lead Phone: (814) 865-4870
Digital Library Technologies FAX: (814) 863-3560
E3 Paterno Library
Penn State University
University Park, PA 16802
Re: [users@httpd] Dynamic selection of mod_authnz_ldap's 'require ldap-group' object?
Posted by Igor Cicimov <ic...@gmail.com>.
Have a look at SetEnvIf and mod_rewrite where you can set environment
variable based on something in the headers, uri and/or request string. Not
sure if you can use that var inside mod_authz_ldap though.
On Feb 24, 2012 5:48 AM, "J.Lance Wilkinson" <jl...@psu.edu> wrote:
[users@httpd] Dynamic selection of mod_authnz_ldap's 'require ldap-group' object?
Posted by "J.Lance Wilkinson" <jl...@psu.edu>.
I've just been asked to implement in Apache HTTPD a restricted access area
that drives off membership in an LDAP group.
I have production services running on Solaris 10 using Apache/2.2.6.
Eventually these will be replaced with servers running on RHEL 6 using
Apache/2.2.15, but that's not likely to be available before mid-year, while this
need to control access to some directories by LDAP group membership exists NOW.
I already have this kind of setup that allows me to simplify my access control:
<Location ~ "^/(.*)/intranet(.html|/(.*)?)$">
    CosignProtected On
    AuthType Cosign
    AuthLDAPURL ldap://a.b.c.d/ou=People,dc=c,dc=d
    AuthLDAPBindDN "uid=FullAccess,ou=bindings,dc=c,dc=d"
    AuthLDAPBindPassword "password56789"
    require ldap-filter uid=*
    Order allow,deny
    Allow from all
</Location>
Any request that ends with "/intranet.html" or contains "/intranet/" in the
path has our single signon solution Cosign forced upon it. This forces any
attempted access to any path containing "intranet" to provide credentials
authenticated by the institution as a whole.
Further, it then enforces that the authenticated User ID be found matching a
uid entry in an LDAP server.
Now I know that I can restrict a given explicit path to a specific LDAP group,
but as the feature becomes more widely recognized by my website authors, I can
see departments left and right asking for the feature, and I don't want to be
writing a new custom stanza for each department every week or so. I'd like to
make it dynamic, so one stanza will cover the current need and all similar
needs in the future just by creating a new directory that matches the
LOCATION pattern:
<Location ~ "^/(.*)/restricted(.html|/(.*)?)$">
    CosignProtected On
    AuthType Cosign
    AuthLDAPURL ldap://a.b.c.d/ou=People,dc=c,dc=d
    AuthLDAPBindDN "uid=FullAccess,ou=bindings,dc=c,dc=d"
    AuthLDAPBindPassword "password56789"
    ## somehow get the value for the group from the URI supplied
    require ldap-group cn=A.DYNAMICALLY.IDENTIFIED.LDAP.GROUP
    Order allow,deny
    Allow from all
</Location>
Where the LDAP group required is driven by something in the URI. What's
desired is a way to capture the desired LDAP GROUP from the URI, so all the
website authors need to do is to create content with a path that contains
"/restricted/THIS.LDAP.GROUP/", and then USE that piece of the URI as the group
to require.
I'm presuming that there's some way, using a mod_rewrite rule, to extract the
desired information from the URI and stash it, say, in an environment variable.
The task then is to somehow use that extracted value to impose the
appropriate restrictions in the require directive. Thus, website authors
create a directory path
..../restricted/THIS.LDAP.GROUP/content.that.is.restricted.html and the
required group would automatically be cn=THIS.LDAP.GROUP for that directory and
below.
Is there any way to do this without having to rewrite or add on to
mod_authnz_ldap ? Maybe some way to inject the desired group into the
ldap-filter format of the require directive?
--
J.Lance Wilkinson ("Lance") InterNet: Lance.Wilkinson@psu.edu
Systems Design Specialist - Lead Phone: (814) 865-4870
Digital Library Technologies FAX: (814) 863-3560
E3 Paterno Library
Penn State University
University Park, PA 16802
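The checks this thread circles around, as an added Python example that is not code from the thread, from mod_authnz_ldap or from the poster's site: it names request variables the way mod_authnz_ldap names the attributes listed in AuthLDAPURL (AUTHENTICATE_ plus the upper-cased attribute name, the vocabulary Lance asks Eric about earlier in the thread), pulls the group token out of a .../restricted/<GROUP>/... path as the original post proposes, and shows the part that matters once the group comes from the URI: a request-controlled value must never reach an LDAP filter unchecked, so the token is whitelisted before use and anything spliced into a filter is escaped per RFC 4515. The sample entry, its ibm-allGroups values, the group base ou=Groups,dc=c,dc=d and the "; " joining of multi-valued attributes are assumptions made up for the example.

```python
import re

AUTHN_PREFIX = "AUTHENTICATE_"

# Constructed stand-in for the LDAP entry mod_authnz_ldap would fetch for the
# authenticated user.  Attribute names come from the thread (uid, mail,
# ibm-allGroups); the values and the group base DN are made up.
GROUP_BASE = "ou=Groups,dc=c,dc=d"
SAMPLE_ENTRY = {
    "uid": ["lance"],
    "mail": ["lance@example.edu"],
    "ibm-allGroups": [
        "cn=LIBRARY.STAFF," + GROUP_BASE,
        "cn=DIGITAL.LIBRARY," + GROUP_BASE,
    ],
}

# Path shape from the original post: .../restricted/<GROUP>/...  The first
# "restricted" segment wins, so a deeper one cannot override its parent.
RESTRICTED_PATH = re.compile(r"^/(?:.*?/)?restricted/([^/]+)/")
# Whitelist for the group token.  Anything outside it is refused rather than
# escaped, so a crafted path segment can never steer the LDAP search.
GROUP_TOKEN = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def export_authenticate_vars(entry, attributes):
    """Name request variables the way mod_authnz_ldap names the attributes
    listed in AuthLDAPURL: AUTHENTICATE_ plus the attribute name upper-cased.
    Joining multiple values with "; " is an assumption of this example."""
    exported = {}
    for attr in attributes:
        values = entry.get(attr)
        if values:
            exported[AUTHN_PREFIX + attr.upper()] = "; ".join(values)
    return exported


def group_from_uri(uri):
    """Group token from the URI, or None when the path has no
    restricted/<GROUP>/ segment or the token fails the whitelist."""
    match = RESTRICTED_PATH.match(uri)
    if not match:
        return None
    token = match.group(1)
    return token if GROUP_TOKEN.match(token) else None


def ldap_filter_escape(value):
    """Escape a value for an LDAP search filter (RFC 4515): '*', '(', ')',
    '\\', control bytes and non-ASCII bytes become \\XX of the UTF-8 byte."""
    out = []
    for byte in value.encode("utf-8"):
        if byte < 0x20 or byte > 0x7E or chr(byte) in "*()\\":
            out.append("\\%02x" % byte)
        else:
            out.append(chr(byte))
    return "".join(out)


def group_dn(group_cn):
    """DN of the group for a whitelisted token.  No RFC 4514 escaping is
    needed because the whitelist admits none of the DN special characters."""
    return "cn=%s,%s" % (group_cn, GROUP_BASE)


def membership_filter(uid, group_cn):
    """The filter an ldap-filter style check would send, with every piece
    that originates from the request escaped before it is spliced in."""
    return "(&(uid=%s)(ibm-allGroups=%s))" % (
        ldap_filter_escape(uid), ldap_filter_escape(group_dn(group_cn)))


def _norm_dn(dn):
    # Enough DN normalisation for the comparison below: case-insensitive,
    # whitespace around the RDN separators ignored.
    return ",".join(part.strip().lower() for part in dn.split(","))


def is_member(entry, group_cn):
    """Compare the URI-derived group DN against the user's ibm-allGroups."""
    wanted = _norm_dn(group_dn(group_cn))
    return any(_norm_dn(dn) == wanted for dn in entry.get("ibm-allGroups", []))


def authorize(uri, entry):
    """Decision for one request: a path without a usable group token is
    denied (fail closed); otherwise group membership decides."""
    group_cn = group_from_uri(uri)
    if group_cn is None:
        return False
    return is_member(entry, group_cn)


if __name__ == "__main__":
    for name, value in sorted(export_authenticate_vars(
            SAMPLE_ENTRY, ["uid", "mail", "ibm-allGroups"]).items()):
        print("%s=%s" % (name, value))
    for uri in ("/library/restricted/DIGITAL.LIBRARY/report.html",
                "/library/restricted/PROVOST.OFFICE/report.html",
                "/library/restricted/*)(uid=*/report.html"):
        print("%-48s group=%-16s allow=%s"
              % (uri, group_from_uri(uri), authorize(uri, SAMPLE_ENTRY)))
    print(membership_filter("lance", "DIGITAL.LIBRARY"))
```

Run it directly to see the decisions for a normal path, a path naming a group the user is not in, and a path whose group segment is an injection attempt; the last one is refused by the whitelist before any filter is built, and ldap_filter_escape() shows what the same string would have to become if it ever were spliced in. In a real deployment the membership test would be the search that membership_filter() builds, run under the server's bind identity, rather than a comparison against a cached attribute list.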