Setting a handler within a configuration directive

[Sam Carleton <sc...@miltonstreet.com>]

Is there any way to *hide* configuration?  I would like to set a
handler within a configuration directive.  Can it be done?

I have posted a number of questions along these lines and never get a
response, is this because folks simply don't know the answer?  If
folks here don't know the answer, where might I go to find the answer?

Sam

Re: Setting a handler within a configuration directive

[Sam Carleton <sc...@miltonstreet.com>]

On Mon, Nov 24, 2008 at 11:56 AM, Houser, Rick <Ho...@aoins.com> wrote:
> Contract, as in the piece of paper you get someone to sign in order to
> license your software.  It would spell out the responsibilities of both
> parties for support, penalties for violating those terms (ex. running at
> levels above the paid entitlement), etc.  I mean the exact same meaning
> of the word as used in higher-end desktop software.  EULAs don't really
> hold much legal standing, specifically because they are NOT contracts.
> You need a signature of some kind from both you and your customer
> agreeing to the terms.

Oh, I am a little slow sometimes;)  I am a one man shop with no funds
and I am targeting small business owners, we are a very informal
group.  Even if there was a contact, I don't have the resources to go
after them and they aren't really going to have the funds to make it
worth going after:)

The honest truth is that 99% of my market doesn't even know what
Apache is, let alone that there is a conf file that could be changed
to get different behavior.

Sam

RE: Setting a handler within a configuration directive

["Houser, Rick" <Ho...@aoins.com>]

Contract, as in the piece of paper you get someone to sign in order to
license your software.  It would spell out the responsibilities of both
parties for support, penalties for violating those terms (ex. running at
levels above the paid entitlement), etc.  I mean the exact same meaning
of the word as used in higher-end desktop software.  EULAs don't really
hold much legal standing, specifically because they are NOT contracts.
You need a signature of some kind from both you and your customer
agreeing to the terms.



Thanks,

Rick Houser
Auto-Owners Insurance
Systems Support
(517)703-2580

-----Original Message-----
From: scarleton@gmail.com [mailto:scarleton@gmail.com] On Behalf Of Sam
Carleton
Sent: Monday, November 24, 2008 11:23 AM
To: modules-dev@httpd.apache.org
Subject: Re: Setting a handler within a configuration directive

On Mon, Nov 24, 2008 at 10:52 AM, Houser, Rick <Ho...@aoins.com>
wrote:
> Don't things like SSL client auth (pre-HTTP connection) internally 
> show as basic auth?  Isn't it just as trivial to make a module that 
> does nothing more than set the auth-type string to basic?  A simple 
> contract (real contract, not EULA garbage), should give you far more 
> protection than any of this.

Rick,

What do you mean by contract?  I am coming from a desktop application
development background, so there are some basics about web development
that I simply don't know;)

Sam

Re: Setting a handler within a configuration directive

[Sam Carleton <sc...@miltonstreet.com>]

On Mon, Nov 24, 2008 at 10:52 AM, Houser, Rick <Ho...@aoins.com> wrote:
> Don't things like SSL client auth (pre-HTTP connection) internally show
> as basic auth?  Isn't it just as trivial to make a module that does
> nothing more than set the auth-type string to basic?  A simple contract
> (real contract, not EULA garbage), should give you far more protection
> than any of this.

Rick,

What do you mean by contract?  I am coming from a desktop application
development background, so there are some basics about web development
that I simply don't know;)

Sam

RE: Setting a handler within a configuration directive

["Houser, Rick" <Ho...@aoins.com>]

Don't things like SSL client auth (pre-HTTP connection) internally show
as basic auth?  Isn't it just as trivial to make a module that does
nothing more than set the auth-type string to basic?  A simple contract
(real contract, not EULA garbage), should give you far more protection
than any of this.



Thanks,

Rick Houser
Auto-Owners Insurance
Systems Support
(517)703-2580

-----Original Message-----
From: scarleton@gmail.com [mailto:scarleton@gmail.com] On Behalf Of Sam
Carleton
Sent: Monday, November 24, 2008 9:43 AM
To: modules-dev@httpd.apache.org
Subject: Re: Setting a handler within a configuration directive

Rick,

You are absolutely right on all accounts.  The only problem is that I am
a one man shop and I simply don't have the resources to have multiple
distributable.  I prefer taking the risk of folks hacking my software
then have multiple distributable.

What is that saying, a lock only keeps the honest man honest.  Those
that are going to steal my code are going to steal it no matter what I
do, well I could go to extremes to protect my code, it just isn't that
widely used to be worth the effort.

I did find what appears to be a good workaround last night after posting
the question:  My handler checks to see if the authentication is set to
basic, if not, my handler is declined, thus, in theory stopping my
handler from running if the user removes the AuthType from the location
where the hander is set.  I would still prefer to hide the setting, but
if there is a even better way, I am all ears!

Sam

Re: Setting a handler within a configuration directive

[Sam Carleton <sc...@miltonstreet.com>]

Rick,

You are absolutely right on all accounts.  The only problem is that I
am a one man shop and I simply don't have the resources to have
multiple distributable.  I prefer taking the risk of folks hacking my
software then have multiple distributable.

What is that saying, a lock only keeps the honest man honest.  Those
that are going to steal my code are going to steal it no matter what I
do, well I could go to extremes to protect my code, it just isn't that
widely used to be worth the effort.

I did find what appears to be a good workaround last night after
posting the question:  My handler checks to see if the authentication
is set to basic, if not, my handler is declined, thus, in theory
stopping my handler from running if the user removes the AuthType from
the location where the hander is set.  I would still prefer to hide
the setting, but if there is a even better way, I am all ears!

Sam

Re: Setting a handler within a configuration directive

[Sam Carleton <sc...@miltonstreet.com>]

On Mon, Nov 24, 2008 at 10:49 AM, William A. Rowe, Jr.
<wr...@rowe-clan.net> wrote:
>
> Sam Carleton wrote:
> >
> > I am a small one man ISV.  My software has different versions which
> > have different features.  I want to hide the fact that I am setting a
> > handler and authtype in the http.conf so my customer cannot hack the
> > module into providing features in which they did not purchase.
>
> Start the server with -f real.conf.  Within real.conf, Include httpd.conf
>
> Otherwise no, and if you review server_info, these will show up.  Consider
> the POV of other Administrators, you certainly wouldn't want such things
> hidden from your purview as the admin, right?  So there's no such facility

Actually, there is no "administrator" of the web server, it is a
packaged solution where I am distributing the pieces of Apache that
are needed to run my app and I have a desktop application that creates
the httpd.conf and starts the web server.  Ultimately I am going for
security by way of obfuscation.  I know there are better ways and
maybe with time I will move that direction, but one step at a time;)

I was going to use SSL until I remembered there are export laws to
worry about, so being a one man shop, it simply isn't worth it:)

Sam

Re: Setting a handler within a configuration directive

["William A. Rowe, Jr." <wr...@rowe-clan.net>]

Sam Carleton wrote:
> 
> I am a small one man ISV.  My software has different versions which
> have different features.  I want to hide the fact that I am setting a
> handler and authtype in the http.conf so my customer cannot hack the
> module into providing features in which they did not purchase.

Start the server with -f real.conf.  Within real.conf, Include httpd.conf

Otherwise no, and if you review server_info, these will show up.  Consider
the POV of other Administrators, you certainly wouldn't want such things
hidden from your purview as the admin, right?  So there's no such facility

RE: Setting a handler within a configuration directive

["Houser, Rick" <Ho...@aoins.com>]

Sam,

With all due respect, it sounds like you are trying to implement a DRM
scheme.  It is not technically possible to provide a customer/user all
the portions needed to use a feature and absolutely prevent them from
fixing the broken code preventing it's access.  If you don't want
someone to have a specific capability, don't ship them the tools
implementing that feature.



Thanks,

Rick Houser
Auto-Owners Insurance
Systems Support
(517)703-2580

-----Original Message-----
From: scarleton@gmail.com [mailto:scarleton@gmail.com] On Behalf Of Sam
Carleton
Sent: Monday, November 24, 2008 8:46 AM
To: modules-dev@httpd.apache.org
Subject: Re: Setting a handler within a configuration directive

On Sun, Nov 23, 2008 at 11:00 PM, William A. Rowe, Jr.
<wr...@rowe-clan.net> wrote:

>> I have posted a number of questions along these lines and never get a

>> response, is this because folks simply don't know the answer?  If 
>> folks here don't know the answer, where might I go to find the
answer?
>
> You are looking for someone who owes you an instant answer?  There are

> various companies out there you can pay for that privilege.

forgive me, I never meant to come across rude, I was simply perplexed at
why after a couple of days nobody had answered.  It had not dawned on me
that folks might not understand my question;)

> Otherwise, if you keep the questions civil, and reply to them yourself

> with further explanation so that folks understand exactly what it is 
> you are asking, you are more likely to get a response, although it may

> not be as fast as you were hoping.
>
> http://www.catb.org/~esr/faqs/smart-questions.html

Thank you, the link has some very good ensight, the real trick for me
know is not forgetting what I just learned from reading it.  I will try
to make it a point to refer back to it from time to time.

> Sam Carleton wrote:
>> Is there any way to *hide* configuration?  I would like to set a 
>> handler within a configuration directive.  Can it be done?
>
> Perhaps you can explain what you are asking?

I am a small one man ISV.  My software has different versions which have
different features.  I want to hide the fact that I am setting a handler
and authtype in the http.conf so my customer cannot hack the module into
providing features in which they did not purchase.

Sam

Re: Setting a handler within a configuration directive

[Sam Carleton <sc...@miltonstreet.com>]

On Sun, Nov 23, 2008 at 11:00 PM, William A. Rowe, Jr.
<wr...@rowe-clan.net> wrote:

>> I have posted a number of questions along these lines and never get a
>> response, is this because folks simply don't know the answer?  If
>> folks here don't know the answer, where might I go to find the answer?
>
> You are looking for someone who owes you an instant answer?  There are
> various companies out there you can pay for that privilege.

forgive me, I never meant to come across rude, I was simply perplexed
at why after a couple of days nobody had answered.  It had not dawned
on me that folks might not understand my question;)

> Otherwise, if you keep the questions civil, and reply to them yourself
> with further explanation so that folks understand exactly what it is
> you are asking, you are more likely to get a response, although it may
> not be as fast as you were hoping.
>
> http://www.catb.org/~esr/faqs/smart-questions.html

Thank you, the link has some very good ensight, the real trick for me
know is not forgetting what I just learned from reading it.  I will
try to make it a point to refer back to it from time to time.

> Sam Carleton wrote:
>> Is there any way to *hide* configuration?  I would like to set a
>> handler within a configuration directive.  Can it be done?
>
> Perhaps you can explain what you are asking?

I am a small one man ISV.  My software has different versions which
have different features.  I want to hide the fact that I am setting a
handler and authtype in the http.conf so my customer cannot hack the
module into providing features in which they did not purchase.

Sam

Re: Setting a handler within a configuration directive

["William A. Rowe, Jr." <wr...@rowe-clan.net>]

Sam Carleton wrote:
> Is there any way to *hide* configuration?  I would like to set a
> handler within a configuration directive.  Can it be done?

Perhaps you can explain what you are asking?

> I have posted a number of questions along these lines and never get a
> response, is this because folks simply don't know the answer?  If
> folks here don't know the answer, where might I go to find the answer?

You are looking for someone who owes you an instant answer?  There are
various companies out there you can pay for that privilege.

Otherwise, if you keep the questions civil, and reply to them yourself
with further explanation so that folks understand exactly what it is
you are asking, you are more likely to get a response, although it may
not be as fast as you were hoping.

http://www.catb.org/~esr/faqs/smart-questions.html