Martin Kraemer [Fri, 22 Jul 2005 12:11:55 +0000 (12:11 +0000)]
Allow extraction of the values of SSL certificate extensions into
environment variables, so that their value can be used by any
module that is aware of environment variables, as in:
SetEnvIf OID("2.16.840.1.113730.1.13") "(.*) Generated (Certificate)" ca=$1
sets
ca=TinyCA
if the cert was issued by TinyCA.
Similarly,
SetenvIf OID("2.16.840.1.113730.1.13") "(.*)" NetscapeComment=$1
will set $NetscapeComment to the whole string.
It is technically allowed to have multiple instances of an extension
field, all with the same oid. In this case, the environment variable
will be set to the list of all fields, separated by commas.
The [PATCH] uses a cross-module call from mod_setenvif to
mod_ssl (the latter may also be missing: in this case the
variable will never be set). It calls a common function
in the ssl module that is also used for the SSLRequire
directive's test.
Using the user nobody (or similar accounts on other systems like
nouser) violates the purpose of that user. User nobody exists
specifically as a user that no process runs as and that owns no files
on disk. Same for nogroup.
The user and group daemon are the generic system services user and
group. Use those instead.
Martin Kraemer [Wed, 20 Jul 2005 16:42:58 +0000 (16:42 +0000)]
Collaborative work: (Thanks, dreid!)
Implement OID checking for mod_ssl. This code allows for checking of arbitrary client
certificate extensions by OID, in a syntax like:
SSLRequire "BaDCA Generated Certificate" in Oid("2.16.840.1.113730.1.13") \
|| "committers" in Oid("1.3.6.1.4.1.18060.1")
Note the following:
* A given OID can occur multiple times in one cert, with different values. Therefore
the OID function compares the left-hand string against each of the OID values,
until a complete match is found. If none matches, the result is FALSE
* The left hand side can be another expression, so can be a reference to a variable
or a file() invocation etc.
* The OID is also just a reference to a string, or function, or whatever.
* My manual description is very short. Someone else please help improve the description
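The two messages above describe the same OID lookup: SetEnvIf OID() sets a variable from the comma-joined values of an extension, and SSLRequire's Oid() compares the left-hand string against each value until one matches completely. The following is an added Python model of that semantics, not httpd's own code; the extension list and the helper names are constructed for illustration.

```python
import re

# Constructed sample: a client certificate's extensions as (oid, value) pairs.
# The Netscape Comment extension (2.16.840.1.113730.1.13) occurs twice, which
# X.509 technically allows.
SAMPLE_EXTENSIONS = [
    ("2.5.29.15", "Digital Signature, Key Encipherment"),
    ("2.16.840.1.113730.1.13", "TinyCA Generated Certificate"),
    ("2.16.840.1.113730.1.13", "committers"),
]


def oid_values(extensions, oid):
    """All values of the extension `oid`, in certificate order."""
    return [value for ext_oid, value in extensions if ext_oid == oid]


def setenvif_oid(extensions, oid, pattern, assignment):
    """Model of:  SetEnvIf OID("oid") "pattern" name=$N

    The variable is set only when the pattern matches the comma-joined list
    of every value of that OID.  Returns the resulting environment additions.
    """
    joined = ",".join(oid_values(extensions, oid))
    if not joined:
        return {}  # extension absent (or mod_ssl not loaded): never set
    m = re.search(pattern, joined)
    if m is None:
        return {}
    name, _, template = assignment.partition("=")
    # Expand $1..$9 from the regex capture groups, as SetEnvIf does.
    value = re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))) or "", template)
    return {name: value}


def sslrequire_in_oid(lhs, extensions, oid):
    """Model of:  SSLRequire "lhs" in Oid("oid")

    TRUE iff `lhs` equals one of the OID's values completely; a partial
    match such as "TinyCA" against "TinyCA Generated Certificate" is FALSE.
    """
    return any(lhs == value for value in oid_values(extensions, oid))
```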
The arguments to require are case-sensitive, so that "Require User" and
"Require Valid-User" don't work. This makes those comparisons
case-insensitive.
Paul Querna [Wed, 20 Jul 2005 11:20:33 +0000 (11:20 +0000)]
Check an alternative return value for when a file or directory does not exist. Previously this would return a forbidden on the documentation website for any URL ending in .html.
Yet another snafu in body handling. We need to clearly avoid any
ap_get_brigade or request body processing in every *subrequest*
proxy action. The new code introduced more chaos because we read
the request body irrespective of any bogus header handling bugs.
This requires a goto, and yes, that sucks :) But this is one of those
oddball cases where jumping away makes more sense than tons of indented
code, IMHO. And if you count the number of goto's I've committed to
httpd, you know I avoid them like the plague.
I woulda' suggested to jorton to take a flying carnal act, except that
each time he points me back to the 2.0 patch, I catch another entirely
bogus choice within the old/new httpd-2.x request body code :)
I've bumped the 2.0 patch to correspond; see
http://people.apache.org/~wrowe/httpd-2.0-proxy-request-4.patch
Fix broken while () {} loops (lingering code from the old logic),
closes an infinite loop in the most recent version. Init the cl_val
to prevent failure of zero length bodies in the most recent version.
Use 'request body' instead of 'data' to describe any errors.
Finally, loop around ap_get_brigade to grab multiple chunks that still
fall below our MAX_MEM_SPOOL threshold, since the chunk decoding from
the client will pass up just one small chunk per ap_get_brigade call.
Ian Holsman [Sun, 17 Jul 2005 05:12:10 +0000 (05:12 +0000)]
This patch adds a new hook (request_status) that gets ran in proxy_handler
just before the final return. This gives modules an opportunity to do
something based on the proxy status.
A couple of examples where this is useful:
- You are using a caching module and would rather return stale content rather
  than an error to the client if the origin is down.
- You proxy some subrequests (using SSI - mod_include) and do not want SSI
  errors when the backend is down. If you would normally return
  HTTP_BAD_GATEWAY, you may have a module that serves some other content.
new hook -- so MMN bump. I made it a major one, hope that's ok
On Roy's suggestion; why wait to try to clear out the input
stream if it is smaller than MAX_MEM_SPOOL? Do this upfront
before dispatching to a body handler.
This means changing each of the three body pumps to presume
a preexisting input_brigade was already loaded, so turn around
their loop conditions.
Missed an edge case; once we know the C-L didn't match, it's
time to shut down the body already. Finish reading from the
client but do nothing else, returning an error.
send_request_body and indentation made it very difficult to follow
all the mistakes in this code. Fold send_request_body into reindent
to make the pattern clear and skip some extra string handling.
Little functional change, that comes next.
End abuse of apr_strnat[case]cmp - it isn't str[case]cmp.
Unsure if apr_strnatcasecmp(conf_ip, uri_ip) was intentional, on the
off chance that the left or right hand ip string happens to contain
leading zeros.
Joe strongly objected to this outgoing style; use this incoming
style for const modifiers so the reader can still follow that
the data is [const] unsigned char *
Paul Querna [Wed, 6 Jul 2005 23:15:34 +0000 (23:15 +0000)]
Add the httxt2dbm utility to create DBM files for RewriteMap. This replaces the txt2dbm script in the manual, and allows the use of any available DBM format.
Dev Studio automatically adds the intermediate and final directory
paths to each custom build target. However, the time stamps of these
directories will trigger a rebuild in bison where sources haven't
changed. These targets are not necessary, as these generated files
reside in the current directory (which, obviously, already exists.)
Plug AllowTrace extended|on|off into proxy and http core.
It still is not 'correct' until REQUEST_CHUNKED_PASS is reimplemented
and passes some chunk headers, since we aren't echoing the entire
request. But it gets me further on testing 1.3 -> 2.0 -> 2.1 -> 2.0 -> 1.3
proxy behaviors.
Paul Querna [Mon, 27 Jun 2005 18:40:56 +0000 (18:40 +0000)]
*) server/mpm_common.c: Send a simple HTTP 1.0 request to every listener socket, instead of just closing the socket. This fixes shutdown of the Worker MPM on FreeBSD, when Accept Filters are enabled.
In the future, we need a method to send a simple request for all protocols. Currently this is very specific to HTTP and FreeBSD's Accept Filter.
Jeff Trawick [Thu, 23 Jun 2005 19:20:29 +0000 (19:20 +0000)]
proxy HTTP: If a response contains both Transfer-Encoding and a
Content-Length, remove the Content-Length and don't reuse the
connection, stopping some HTTP Request smuggling attacks.
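The rule in the message above, as an added Python illustration of the proxy-side check (not httpd's own code): when a backend response carries both Transfer-Encoding and Content-Length, Content-Length is dropped so that only the chunked framing is trusted, and the backend connection is marked not reusable so that no leftover bytes can be read as the start of a later response. The sample headers are constructed.

```python
# Constructed backend responses as a proxy would see them (name, value) pairs.
CONFLICTING_FRAMING = [
    ("Content-Type", "text/html"),
    ("Content-Length", "13"),
    ("Transfer-Encoding", "chunked"),
]
CLEAN_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Content-Length", "13"),
]


def sanitize_backend_response(headers):
    """Apply the mod_proxy_http rule from the commit.

    Returns (headers, reuse_connection, note).  If both Transfer-Encoding and
    Content-Length are present, Content-Length is removed and the connection
    must not be reused; `note` is a line suitable for the error log so the
    event is visible to operators.  Header names compare case-insensitively.
    """
    names = {name.lower() for name, _ in headers}
    if "transfer-encoding" in names and "content-length" in names:
        kept = [(n, v) for n, v in headers if n.lower() != "content-length"]
        cl = [v for n, v in headers if n.lower() == "content-length"]
        note = ("backend sent both Transfer-Encoding and Content-Length "
                "(CL=%s); dropping Content-Length, not reusing connection"
                % ",".join(cl))
        return kept, False, note
    return list(headers), True, None
```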
Joe Orton [Thu, 23 Jun 2005 10:27:27 +0000 (10:27 +0000)]
* modules/aaa/mod_auth_digest.c: Another gcc 4 "structure field may be
used uninitialized" warning; fix validation of digest-uri for CONNECT
requests:
(copy_uri_components): Copy the hostinfo field.
(authenticate_digest_user): Don't pass NULL (or, previously, a random
pointer) to strcmp if a digest-uri is provided which doesn't match the
request-uri in a CONNECT request.
Joe Orton [Thu, 23 Jun 2005 09:10:09 +0000 (09:10 +0000)]
* modules/proxy/mod_proxy_balancer.c (proxy_balancer_pre_request): Fix
another valid variable-may-be-used-uninitialized warning from GCC 4
(in the !balancer->sticky case, find_session_route returns NULL
without setting route).