Nabble - Apache HTTP Server

Re: 2.2.10 T&R on Oct 7

2008-10-06T14:30:44Z

On Mon, Oct 6, 2008 at 4:34 PM, Ruediger Pluem <rpluem@...> wrote:

Thanks for reviewing. First of all I guess you should increase the KeepAliveTimeout
to a large value like 5 minutes to make observations easier. Furthermore I would increase
the ttl parameter of your BalancerMember to something like 30.
The above configuration makes only sense if you are using a threaded MPM like worker / event / WINNT
with more than 2 threads per process.
Then start your httpd with a limitation to one process (-X or ServerLimit 1) and try to do
3 requests to /proxy in parallel e.g. with telnet or nc. Afterwards you should
have 3 backend connections of which one should vanish about 30 seconds after your requests.

ok, KeepAliveTimeout 300 makes a big difference. But I haven't been able to observe smax and ttl working. WIth this,

<Proxy balancer://mycluster>
BalancerMember http://localhost:8093 keepalive=on smax=2 ttl=30
</Proxy>
ProxyPass /proxy balancer://mycluster/

KeepAliveTimeout 300

...and using ab -c 4 to drive it, I now see 4 back end connections. The problem is that they all stay ESTABLISHED for KeepAliveTimeout seconds. I was expecting to see 2 of them drop after 30 seconds. Any suggestions?

thanks,
Greg

From forum: Apache HTTP Server - Dev

DO NOT REPLY [Bug 45834] Stale LDAP connections take 15+ minutes to finish queries

2008-10-06T14:03:13Z

https://issues.apache.org/bugzilla/show_bug.cgi?id=45834

--- Comment #9 from Lucas <lucas@...> 2008-10-06 14:03:13 PST ---
Follow-up, I built from source Apache 2.2.9 with APR 1.3.3 and APR-Util 1.3.4
and the problem persists. For this test I was using the default ttl value.

--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@...
For additional commands, e-mail: bugs-help@...

From forum: Apache HTTP Server - Bugs

Re: 2.2.10 T&R on Oct 7

2008-10-06T13:34:45Z

On 10/06/2008 10:18 PM, Greg Ames wrote:

> On Mon, Oct 6, 2008 at 3:13 PM, Ruediger Pluem <rpluem@...> wrote:
>
>>
>> On 10/06/2008 04:42 PM, Jim Jagielski wrote:
>>> Subj says it all...
>> Thanks for doing RM Jim. So c'mon guys. There must be someone
>> out there that reviews the remaining patch that misses only
>> *one* vote.
>>
>
> what do I need for a minimal config to test it and see a behavior change? I
> tried this, proxying to a different port on the same server, but couldn't
> get the back end connections to stay alive for more than a few seconds with
> the old code.
>
> <Proxy balancer://mycluster>
> BalancerMember http://localhost:8093 keepalive=on smax=2 ttl=1
> </Proxy>
> ProxyPass /proxy balancer://mycluster/

Thanks for reviewing. First of all I guess you should increase the KeepAliveTimeout
to a large value like 5 minutes to make observations easier. Furthermore I would increase
the ttl parameter of your BalancerMember to something like 30.
The above configuration makes only sense if you are using a threaded MPM like worker / event / WINNT
with more than 2 threads per process.
Then start your httpd with a limitation to one process (-X or ServerLimit 1) and try to do
3 requests to /proxy in parallel e.g. with telnet or nc. Afterwards you should
have 3 backend connections of which one should vanish about 30 seconds after your requests.

Regards

Rüdiger

From forum: Apache HTTP Server - Dev

RE: Wrapping an existing hook (2.0)

2008-10-06T13:18:26Z

Whether this is actually correct or not (remember, I'm a newbie Apache
module programmer), I had assumed the correct behavior would be to
handle the password reset logic in a separate phase (or at least a
second call within the same phase) to allow other modules a chance to
catch the result in-between. So, I was expecting something like a
DECLINED from the check_user_id phase with a request note indicating an
expired password, which would then be read and the password reset logic
handled via a second hook in a later phase.

Even if I could successfully make a case for IBM to add this
functionality, it would take a long time (likely months) to get the
updated functionality. I really like the current solution of trapping
the entire check_user_id phase, and manipulating the results after the
saf module take's it's turn. It certainly wouldn't run as fast as just
replacing the saf module's call with my own, but it's certainly
effective.

Thank you as well, Eric,

Rick Houser
Auto-Owners Insurance
Systems Support
(517)703-2580

-----Original Message-----
From: Eric Covener [mailto:covener@...]
Sent: Friday, October 03, 2008 3:54 PM
To: modules-dev@...
Subject: Re: Wrapping an existing hook (2.0)

On Fri, Oct 3, 2008 at 11:11 AM, Houser, Rick <Houser.Rick@...>
wrote:
> I'm relatively new to module development, but I have a need to wrap a
> function in a proprietary module (no source) registered via a
> check_user_id hook in a proprietary module (mod_auth_saf). Basically,

> I need to detect an expired password condition. I've already tried to

> use the normal pre/post hook registration, but that function returns
> an HTTP_UNAUTHORIZED (some internal basic auth password change
> feature) instead of DECLINE, so Apache never runs my call.

If you ask Apache to run your code first, the proprietary module
shouldn't be able to prevent yours from being run. You should be able to
make sure that your own logic runs for the expired password case and
just DECLINE for everything else.

IMO an auth_checker probably shouldn't return DECLINED if it can lookup
a user and specifically find they have an expired password -- could you
make a case to IBM for the behavior you ultimately want?

--
Eric Covener
covener@...

From forum: Apache HTTP Server - Module Writers

Re: 2.2.10 T&R on Oct 7

2008-10-06T13:18:18Z

On Mon, Oct 6, 2008 at 3:13 PM, Ruediger Pluem <rpluem@...> wrote:

On 10/06/2008 04:42 PM, Jim Jagielski wrote:
> Subj says it all...

Thanks for doing RM Jim. So c'mon guys. There must be someone
out there that reviews the remaining patch that misses only
*one* vote.

what do I need for a minimal config to test it and see a behavior change? I tried this, proxying to a different port on the same server, but couldn't get the back end connections to stay alive for more than a few seconds with the old code.

<Proxy balancer://mycluster>
BalancerMember http://localhost:8093 keepalive=on smax=2 ttl=1
</Proxy>
ProxyPass /proxy balancer://mycluster/

Greg

From forum: Apache HTTP Server - Dev

RE: Wrapping an existing hook (2.0)

2008-10-06T13:04:19Z

Thanks a lot Sorin!

That got me well on my way. I set my module to run first, skip itself
after the first run, and then re-run the entire check_user_id phase
under it's control. I then inspect the return codes, manipulate the
result in the expired case (based on the saf module's output headers),
and otherwise return the same code provided.

For the record, auth_type appears to stay null until sometime following
a successful user_id checked, then it becomes something like "Basic" (or
presumably Digest, etc.). I had needed that module to run, as I must
check against SAF for an expired password.

Thanks,

Rick Houser
Auto-Owners Insurance
Systems Support
(517)703-2580

-----Original Message-----
From: Sorin Manolache [mailto:sorinm@...]
Sent: Friday, October 03, 2008 11:40 AM
To: modules-dev@...
Subject: Re: Wrapping an existing hook (2.0)

Normally, the check_user_id of the proprietary module should return
DECLINE if the AuthType does not match its auth type. Let us assume that
the auth type of the proprietary module is "saf". The auth type is set
with the AuthType directive.

So, what you could do is to change the auth type in the configuration
from "saf" to your auth type, say "rick". Then, in your check_user_id,
you write

r->auth_type = "saf";
code = ap_run_check_user_id(r); // this will call the check_user_id hook
of the proprietary module. This is a re-entrant call switch (code) { //
your actions }

But this works only if you can afford to replace "saf" with "rick" in
the configuration and if the proprietary module declines non-saf
authentication types. Hopefully you're lucky, I have never tried the
solution I'm proposing.

--
S

On Fri, Oct 3, 2008 at 17:11, Houser, Rick <Houser.Rick@...>
wrote:
> I'm relatively new to module development, but I have a need to wrap a
> function in a proprietary module (no source) registered via a
> check_user_id hook in a proprietary module (mod_auth_saf). Basically,

> I need to detect an expired password condition. I've already tried to

> use the normal pre/post hook registration, but that function returns
> an HTTP_UNAUTHORIZED (some internal basic auth password change
> feature) instead of DECLINE, so Apache never runs my call.
>
> I think my best option is to locate the check_user_id function pointer

> and replace it with a new function. This new function would still
> make the call to the proprietary function, but would allow inspection
> of the results instead of terminating the request.
>
> Does this sound reasonable? Any hints as to how I could obtain the
> function pointer I'd need to make this all work?
>
>
> Thanks,
>
>
> Rick Houser
> Auto-Owners Insurance
> Systems Support
> (517)703-2580
>
>

From forum: Apache HTTP Server - Module Writers

Re: 2.2.10 T&R on Oct 7

2008-10-06T12:13:15Z

On 10/06/2008 04:42 PM, Jim Jagielski wrote:
> Subj says it all...

Thanks for doing RM Jim. So c'mon guys. There must be someone
out there that reviews the remaining patch that misses only
*one* vote.

Regards

Rüdiger

From forum: Apache HTTP Server - Dev

Re: AuthzMergeRules blocks everything in default configuration

2008-10-06T12:06:28Z

On 10/06/2008 03:59 PM, Eric Covener wrote:
> On Mon, Oct 6, 2008 at 9:34 AM, Dan Poirier <poirier@...> wrote:
>> One other idea occurs to me. Would it seem more intuitive if a
>> context that had no authz directives inherited the settings from its
>> predecessor, but as soon you added authz directives, it behaved as if
>> you were starting from scratch?
>
> FWIW: Isn't that the current non-trunk behavior?

I think so. So this looks like a good idea.

Regards

Rüdiger

From forum: Apache HTTP Server - Dev

Re: Address rewriting with mod_rewrite

2008-10-06T11:04:13Z

Il lunedì 6 ottobre 2008 19:14:02 hai scritto:
> None of the examples in the manual match against the protocol or
> hostname part of the URL.
> I previously described that you also can't match the query string in
> the rewriterule.
> You also probably need a trailing slash on the 2nd argument.
> Note that this rule redirects from the index.php page _to_ the "/"
> page which seems to be the opposite of what you want.

To optimize the page for search motors, I neet to have always
a (pseudo)-static address in home. But I proceed for trials & errors
(moreover errors...). So I tried this (still not working):

Options +FollowSymLinks
RewriteEngine on
RewriteCond %{HTTP_HOST} ^giovannifornero.net [NC]
RewriteRule (.*) http://www.giovannifornero.net/$1 [L,R=301]
RewriteCond %{QUERY_STRING} pagina=home
RewriteRule ^$ http://www.giovannifornero.net [R=301,L]

I think more other syntactical mistakes...

Thax a lot

MS

--
linux user no.: 353546

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@...
" from the digest: users-digest-unsubscribe@...
For additional commands, e-mail: users-help@...

Nabble - Apache HTTP Server

Re: 2.2.10 T&R on Oct 7

DO NOT REPLY [Bug 45834] Stale LDAP connections take 15+ minutes to finish queries

Re: 2.2.10 T&R on Oct 7

RE: Wrapping an existing hook (2.0)

Re: 2.2.10 T&R on Oct 7

RE: Wrapping an existing hook (2.0)

Re: 2.2.10 T&R on Oct 7

Re: AuthzMergeRules blocks everything in default configuration

Re: Address rewriting with mod_rewrite

Re: Address rewriting with mod_rewrite

Re: Address rewriting with mod_rewrite

RE: Apache Conf. Issue - SVN

Re: Apache Conf. Issue - SVN

RE: Apache Conf. Issue - SVN

Re: Address rewriting with mod_rewrite

Re: mod_ssl, SSL_CLIENT_CERT_CHAIN, mod_proxy_ajp and full chain of client certificates

Re: Address rewriting with mod_rewrite

Re: Apache Conf. Issue - SVN

RE: RPM build error: File not found: /usr/local/apr-util-httpd/lib/libexpat.a

RE: Apache Conf. Issue - SVN

2.2.10 T&R on Oct 7

Re: Protecting a Directory

Re: mod_ssl, SSL_CLIENT_CERT_CHAIN, mod_proxy_ajp and full chain of client certificates

Re: Apache Conf. Issue - SVN

DO NOT REPLY [Bug 45333] Header directive deletes multiple headers

Re: AuthzMergeRules blocks everything in default configuration

Re: Address rewriting with mod_rewrite

Re: Address rewriting with mod_rewrite