You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@httpd.apache.org by Colm MacCarthaigh <co...@stdlib.net> on 2005/10/06 22:46:01 UTC
Re: DO NOT REPLY [Bug 36937] New: - mod_cache not respecting mod_access
I propose that we fix this bug by documenting, very very loudly, that
using mod_cache simply breaks mod_authz_host. A Large warning in the
mod_cache documentation, the Caching User Guide, the output of configure
when mod_cache is enabled, and the error log when mod_cache is loaded is
what I'm thinking.
This issue has been known about for a while now, and in that time I've
looked at seeing if it is possible to add logic to mod_authz_host to
figure out the cases in which we have a tautalogical allow from all, but
I don't see a way of accomplish this, and it's problem ridden anyway.
Moving mod_cache to being an ordinary handler, instead of a quick
handler has been brought up here before, and I don't think that's going
anywhere. I can't see a way to fix this problem :/
On Wed, Oct 05, 2005 at 03:57:07PM +0200, bugzilla@apache.org wrote:
> DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG·
> RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
> <http://issues.apache.org/bugzilla/show_bug.cgi?id=36937>.
> ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND·
> INSERTED IN THE BUG DATABASE.
>
> http://issues.apache.org/bugzilla/show_bug.cgi?id=36937
>
> Summary: mod_cache not respecting mod_access
> Product: Apache httpd-2.0
> Version: 2.0.54
> Platform: Other
> OS/Version: other
> Status: NEW
> Severity: normal
> Priority: P2
> Component: mod_cache
> AssignedTo: bugs@httpd.apache.org
> ReportedBy: wilfelipe@yahoo.com
>
>
> our environment:
>
> SetEnvIfNoCase Referer ^http://host validreferer
>
> <Directory />
> Order deny,allow
> Deny from all
> Allow from env=validreferer
> </Directory>
>
> if the object is not cached, using mod_cache and mod_mem_cache, it's returned
> 403, however, if the object is already cached, it does not respect mod_access
> and the object is served right away.
>
> example below
>
> - first request, invalid referer
> GET /probe.gif HTTP/1.0
> Host: host
> Referer: http://invalidhost
>
> HTTP/1.1 403 Forbidden
> Date: Wed, 05 Oct 2005 13:47:24 GMT
> Server: Apache/2.0.54 (Unix)
> Connection: close
> Content-Type: text/html; charset=iso-8859-1
>
> - second request, valid referer
> GET /algo.gif HTTP/1.0
> Host: host
> Referer: http://host
>
> HTTP/1.1 200 OK
> Date: Wed, 05 Oct 2005 13:52:40 GMT
> Server: Apache/2.0.54 (Unix)
> Last-Modified: Wed, 05 Oct 2005 13:52:37 GMT
> ETag: "31-402621f003340"
> Accept-Ranges: bytes
> Content-Length: 49
> Cache-Control: max-age=315360000
> Expires: Sat, 03 Oct 2015 13:52:40 GMT
> Connection: close
> Content-Type: image/gif
>
> - third request, invalid referer
> GET /algo.gif HTTP/1.0
> Host: host
> Referer: http://invalidhost
>
> HTTP/1.1 200 OK
> Date: Wed, 05 Oct 2005 13:54:27 GMT
> Server: Apache/2.0.54 (Unix)
> Content-Type: text/plain; charset=ISO-8859-1
> Last-Modified: Wed, 05 Oct 2005 13:54:20 GMT
> ETag: "31-402622523db00"
> Accept-Ranges: bytes
> Content-Length: 49
> Cache-Control: max-age=315360000
> Expires: Sat, 03 Oct 2015 13:54:22 GMT
> Age: 4
> Connection: close
>
> mod_cache configuration:
> CacheEnable mem /
> CacheDefaultExpire 21600
> CacheMaxExpire 21600
> CacheIgnoreCacheControl On
> CacheIgnoreNoLastMod On
> CacheDisable /nocache
> MCacheSize 262144
> MCacheMaxObjectCount 4096
> MCacheMinObjectSize 1
> MCacheMaxObjectSize 100000
> MCacheRemovalAlgorithm LRU
>
> I already tried to change mod_access and mod_cache load order, but with no results
>
> --
> Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
> ------- You are receiving this mail because: -------
> You are the assignee for the bug, or are watching the assignee.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
> For additional commands, e-mail: bugs-help@httpd.apache.org
>
>
--
Colm MacCárthaigh Public Key: colm+pgp@stdlib.net
Re: DO NOT REPLY [Bug 36937] New: - mod_cache not respecting mod_access
Posted by Colm MacCarthaigh <co...@stdlib.net>.
On Thu, Oct 06, 2005 at 02:00:35PM -0700, Paul Querna wrote:
> >No :) We'd have to have two handlers in order to do that, and it should
> >be noted that creating a non-quick handler for mod_cache is itself a
> >reasonable amount of effort.
>
> No it isn't.
I should pay more attention.
> Here is the patch:
> http://marc.theaimsgroup.com/?l=apache-httpd-dev&m=111597814015667&w=2
Looks like it should still work. It got a veto at the time (wrowe),
seemingly because it didn't fix the issue at hand, at the time. Now it
looks like this approach may be the only way of fixing this problem.
An altnernative would be to replicate the core logic (mapping to
storage, checking access status and so on) within mod_cache, using a
subrequest lookup, but this would be near-equivalent to being an
ordinary handler, from a what-gets=run point of view.
--
Colm MacCárthaigh Public Key: colm+pgp@stdlib.net
Re: DO NOT REPLY [Bug 36937] New: - mod_cache not respecting mod_access
Posted by Paul Querna <ch...@force-elite.com>.
Colm MacCarthaigh wrote:
> On Thu, Oct 06, 2005 at 04:50:34PM -0400, Joshua Slive wrote:
>> Colm MacCarthaigh wrote:
>>> Moving mod_cache to being an ordinary handler, instead of a quick
>>> handler has been brought up here before, and I don't think that's going
>>> anywhere. I can't see a way to fix this problem :/
>> Let me demonstrate my lack of knowledge of the cache code:
>>
>> Would it be possible to make the ordinary/quick handler decision
>> configurable?
>
> No :) We'd have to have two handlers in order to do that, and it should
> be noted that creating a non-quick handler for mod_cache is itself a
> reasonable amount of effort.
>
No it isn't.
Here is the patch:
http://marc.theaimsgroup.com/?l=apache-httpd-dev&m=111597814015667&w=2
-Paul
Re: DO NOT REPLY [Bug 36937] New: - mod_cache not respecting mod_access
Posted by Colm MacCarthaigh <co...@stdlib.net>.
On Thu, Oct 06, 2005 at 04:50:34PM -0400, Joshua Slive wrote:
>
> Colm MacCarthaigh wrote:
> >Moving mod_cache to being an ordinary handler, instead of a quick
> >handler has been brought up here before, and I don't think that's going
> >anywhere. I can't see a way to fix this problem :/
>
> Let me demonstrate my lack of knowledge of the cache code:
>
> Would it be possible to make the ordinary/quick handler decision
> configurable?
No :) We'd have to have two handlers in order to do that, and it should
be noted that creating a non-quick handler for mod_cache is itself a
reasonable amount of effort.
--
Colm MacCárthaigh Public Key: colm+pgp@stdlib.net
Re: DO NOT REPLY [Bug 36937] New: - mod_cache not respecting mod_access
Posted by Joshua Slive <jo...@slive.ca>.
Colm MacCarthaigh wrote:
> Moving mod_cache to being an ordinary handler, instead of a quick
> handler has been brought up here before, and I don't think that's going
> anywhere. I can't see a way to fix this problem :/
Let me demonstrate my lack of knowledge of the cache code:
Would it be possible to make the ordinary/quick handler decision
configurable?
Joshua.